Blog: Aviation Cyber Security
Commercial Air Transport EFB Regulation
Introduction
The Electronic Flight Bag (EFB) is a device pilots use to gather information. This includes viewing airport charts (ground and in-flight), calculating take-off and landing performance, as well as multiple other uses as detailed in our other EFB blog posts.
EFB regulation is, in a word, complicated.
It often differs from country to country, and the relevance of regulation becomes something that each airline needs to investigate individually. To help visualise some of the regulation hierarchy and help with good places to start looking, this post contains just some of the important regulatory documents.
The purpose is to help visualise how EFB regulation relationships work, rather than to identify every single item of regulation that could be relevant.
As with all regulation, by the time you’ve read this post there is a good chance it will have changed – at least somewhere in the world. However, the documents in which to find some of the most important requirements for EFB regulation will likely remain.
EASA
- Link to all Regulation above
- Use “Consolidated Versions” or “Easy Access Rules” – both have most amendments incorporated. Air Operations Regulations have amendments that are not incorporated into original document and must be viewed separately
- Easy Access Rules is a nice way of viewing documents, these include Acceptable Means of Compliance (AMC) and Guidance Material (GM). Within Easy Access Rules:
- Blue = implementing rule
- Yellow = AMC
- Green = GM
- Note: AMC and GM are non-binding. AMC = serves as a means by which requirements can be met. GM = explanatory/interpretation material
- Previously, AMC 20-25 was the only regulatory document regarding EFBs. ICAO Annex 6 transposed into EU regs in 2019 (Reg 2018/1975)
EASA
- Regulation updates are slow. ICAO introduced Annex 6 EFB guidance in 2014. In 2016 EASA made provisions to transpose this into the their framework. This was completed in Dec 2018 (Reg No 2018/1975) link
- As a result of the above, AMC 20-25 is no longer the sole EFB reg
- AMC 20-25 has recently been updated and is now AMC 20-25A, it can be found under “You might also need” (blue box) in any of these 3 sections: “Initial Airworthiness”, “Continuing Airworthiness” and “Additional Airworthiness Specifications”. Link here, current is amendment 20
- There are other annexes that discuss EFBs but are not that related to airline ops hence have not been included
- Regulations are updated continually but the master document is not, so do not look at Reg No 965/2012 as this is the original version and you would need to view all updates since it was created. Use “Consolidated Versions”, which whilst not law ARE kept up to date
- With AMCs, applicants may show compliance with requirements using other means, NAAs and organisations may propose “Alternative Means of Compliance” which are alternatives to an existing AMC. They must be accompanied by evidence of their ability to meet the intent of the IR
- GM is explanatory and interpretation material on how to achieve the requirements contained in BR, IR, AMC and CS
FAA
- Links:
- Binding/Mandatory FAA Regulation is in Part 91/121/125/135. None of these mention EFBs.
- Advisory Circulars (ACs) are neither binding nor regulatory unless the word “must” is used. These are intended to be informative in nature and describe actions or advice that the FAA expects to be implemented or followed
- Flight Standards Information Management System (FSIMS) are policy and guidance available to FAA employees
FAA
- Actual regulation does not mention EFBs per se:
- Part 91: General/corporate aviation regs and ops rules
- Part 121: Commercial air service
- Part 125: Aircraft with seating capacity of 20+ or or maximum payload capacity of 6,000lbs+
- Part 135: On-demand flight and scheduled (commuter) charter flights
- 2018 update on EFB regulations here
CAA
- SRG 1849
- CAP 1753
- Use EASA Regulation with addition of SRG 1849
- Operators are required to complete SRG1849 and send to their Flight Operations Inspector (CAA) along with their EFB Policy & Procedures Manual and a risk assessment for EFB use
- SRG1849 guides operators to appropriate sections of EASA Regulations (EU Reg 965/2012, Annex V Part SPA, Subpart M)
- Approval Process must be repeated for any change to EFB hardware or hardware OS, or the introduction of any new Type B application
- Installed EFBs should be covered by a Type Certificate (TC), changed TC or Supplemental Type Certificate (STC)
CAA
- SRG 1849 is EFB specific. CAP 1753 is Cyber Security in general.
- Essentially 4 regulations/guidance relevant: EASA, ICAO (SARPs), UK ANO, NIS
- CAA is no longer part of EASA. Some regulation will continue to refer to EU law, in these instances they relate to the laws retained. Rolling program of updates to replace these references
- EU law no longer applies to the UK and links to EU law is not necessarily an accurate description of obligations or rights under UK law
ICAO
- All regulators are members of ICAO
- ICAO is a UN agency, it is not a regulator and does not have regulatory authority
- ICAO aims to standardise air transport policy but members can (and do) have differing policies
- ICAO manuals/documents must be purchased. As of April 2021, ICAO EFB Standards and Recommended Practices (SARPs) are contained in Annex 6 (ICAO 10020):
- Part I – International Commercial Air Transport – Aeroplanes, 6.25
- Part II – International General Aviation – Aeroplanes, 2.4.17
- Part III – International Operations – Helicopters, 4.12 and 4.17
- The EFB Manual is guidance material based on ICAO EFB provisions, second edition (2018) is up to date. Link here
Conclusion
Staying up to date with the latest regulation is no easy task. The locations of the documents described above will likely remain correct, at least for a little while.
They will however be subject to updates, often frequently, therefore how different regulations interact with each other can and will change. Hopefully the information has provided at least some guidance on good places to start looking for any applicable regulation.