Language selection

Government of Canada / Gouvernement du Canada

Search

Annex F: Operational Evaluation at the Fleet Level

1. Introduction

1.1 This annex provides details of the evaluation process at the Fleet level that is required prior to the operational phase-in of EFB hardware and/or software on CAF aircraft. The evaluation is focused on operational aspects that may be affected by the incorporation of EFB into flight operations. The results of this evaluation will be used to support the RCAF FOM requirements defined in reference 3.2.i.

1.2 Clarification on the responsibilities associated with the various operational entities is provided in reference 3.2.i.

1.3 The scope of the evaluation may be greater than that provided below, depending on the actual implementation. However, as a minimum, the items listed below should be considered. An associated checklist is contained in Annex G and can be customized as required.

2. EFB Administrator

2.1 An EFB Administrator (EFBA), responsible for ensuring ongoing compliance with the items in this Appendix and providing support in day-to-day EFB operations, should be designated.

2.2 The EFBA should be suitably qualified and trained to carry out this role. The EFBA should be provided with adequate resources to carry out the duties of the position, including the authority to act on behalf of the Fleet/Wing in matters within the EFBA designated purview.

3. Crew Procedures

3.1 Clear limitations and crew procedures should be provided and documented for all phases of flight. A system description and operating philosophy should be included.

3.2 Procedures should:

  1. be properly integrated with existing Standard Operating Procedures (SOPs);
  2. contain suitable crew crosschecks for verifying safety critical data;
  3. mitigate and/or control any additional workload associated with the EFB;
  4. provide contingency procedures for total or partial EFB failure;
  5. cover system reboots, lock-ups and recovery from incorrect crew actions;
  6. include a requirement to verify the revision status of software;
  7. include a requirement to verify that software applications and information contained in the EFB intended for operational use are current and up-to-date; and
  8. ensure the EFB transmit functionality is disabled during classified communications.

4. Operational Risk Analysis

4.1 An operational risk analysis should be conducted to determine appropriate procedures to eliminate, reduce, or control risks associated with identified failures in the EFB system. The analysis should ensure that the EFB system achieves at least the same level of accessibility, usability and reliability (e.g., may drive requirement for more than one EFB) as the system it replaces (e.g., paper charts)

4.2 The operational risk analysis should consider:

  1. total and partial failures of the EFB;
  2. where applicable, the impact of utilizing an EFB outside of the OEM environmental specifications, due to probable aircraft system failure conditions;
  3. loss of data;
  4. corrupt/erroneous outputs;
  5. failure of batteries, causing fire; and

Note: There is currently no published DND/CAF operational guidance on addressing Lithium battery fires. Therefore, Fleets are advised to consider current civil aviation direction on Lithium battery fires where/when applicable and practical. This direction is contained in the FAA SAFO document at regulatory reference 3.2.j.

  1. MEL dispatch condition.

5. Training Program

5.1 A suitable training program for ground staff and crew members should be established. Once it is established, the training program should be evaluated to determine that:

  1. the program is fully documented;
  2. the training methodology matches the level of knowledge and experience of the participants;
  3. adequate resources have been assigned to deliver the training;
  4. adequate EFB and/or EFB simulation equipment has been provided;
  5. Human Factors and cockpit resource management are included in the training;
  6. the training material matches both the EFB equipment status and the published procedures;
  7. the training program incorporates training for system changes and upgrades; and
  8. if applicable, the training program maintains crew proficiency in non-EFB (e.g., paper charts) procedures.

6. Hardware Management Procedures

6.1 Documented procedures for the control of hardware and component stocks covering removal, repair, replacement, re-installation and maintenance should be established.

7. Software and Management Procedures

7.1 Documented procedures for the control of installed software should be established. These procedures should include:

  1. a clear definition of who has access rights to install or modify software;
  2. adequate controls to prevent user corruption of operating systems and software; and
  3. adequate security measures to prevent malware and unauthorized user access.

8. Data Management Procedures

8.1 Documented data management procedures should be established. These procedures should:

  1. interface satisfactorily with procedures used by external data providers;
  2. define access rights for users and administrators; and
  3. provide adequate controls to prevent user corruption of data.

9. Security Procedures

9.1 In general, civilian aircraft operators are currently required to demonstrate that adequate security measures are in place to obtain suitability of operations approval on a case-by-case basis. The safety effect on aircraft operations will vary based on the hosted software applications and intended EFB functionality. Guidance on aircraft cybersecurity is provided in the ADSM (regulatory reference 3.2.h).

9.2 The required level of EFB security depends on the criticality of the hosted functionality. For instance, an EFB that only holds a list of fuel prices may require less security than an EFB used for performance calculations.

9.3 A plan should be developed to demonstrate that adequate security measures are in place to prevent unauthorized modifications to the EFB operating system, its specific hosted applications, and any of the databases or data links required to enable its hosted applications. This includes an assessment of potential threats and hazards to the EFB, and the development of methods to address these. This plan should be reviewed and updated on a regular basis.

9.4 An approved configuration for EFBs should be maintained. This configuration should be reviewed and updated regularly, and upon discovery of any vulnerabilities or flaws affecting the EFB hardware, operating system or applications. This configuration should, at a minimum, include:

  1. a list of approved applications, with version numbers;
  2. a list of approved settings for any approved applications, where applicable;
  3. a list of hardware settings, i.e., physical switch and button positions; and
  4. a list of operating system settings.

9.5 Adequate procedural security measures should be implemented in instances where technical measures are not appropriate or suitable. A non-exhaustive list includes:

  1. physical security, e.g., use of locked storage containers;
  2. asset tracking, e.g., sign-in/sign-out of EFB by authorized users; and
  3. other security aspects to be controlled procedurally rather than technically, e.g., use of USB ports, use of physical media.

9.6 The EFB system shall have no adverse impact upon any aircraft system, including but not limited to flight control systems, navigation, maintenance-related systems, and mission systems not required for safe flight.

9.7 Appropriate procedures shall be established to permit the EFBA to determine whether an unsafe condition exists following attempted access to systems and networks by unauthorized sources.

10. Use of Own-ship Position

10.1 EFB Own-ship Functionality

  1. Mounting evidence suggests that, when an enroute diversion occurs, the use of EFBs for situational awareness contributes to reducing pilot workload, thereby increasing safety.
  2. Own-ship functionality should only be used for strategic purposes (e.g., situational awareness) contributing to flight crew decision-making and is not to be used as a tool for surface manoeuvring or airborne manoeuvring/navigation.
  3. EFB applications may display an EFB own-ship symbol for both in-flight and surface use. The risk of providing misleading position to flight crew during operations should be minimized.

10.2 EFB Own-Ship Position Requirements

  1. Positional Awareness. EFB own-ship position is limited to serve as an aid to positional awareness.
  2. Position Source Selection. It is recommended to use position data from an installed Global Navigation Satellite System (GNSS) source. Position data from a portable GNSS source is acceptable, provided it supports the application requirements and it works as intended in the aircraft environment.
  3. Own-ship Directionality. Change own-ship symbol to a non-directional (e.g., circular) depiction when track or heading is not available or cannot be calculated based on GNSS data.
  4. Own-ship GNSS Data Stream. Remove own-ship symbol if the GNSS data stream stops. This will guard against a "frozen" own-ship condition caused by position source signal or power loss and removal should occur in a timely manner.
  5. Own-ship Surface Use Accuracy. For airport map applications, the applicant should choose a database with an accuracy of five meters or less. For airports where such data is not currently available, a database accuracy of 30 meters can still be operationally useful. If the database accuracy exceeds 30 meters, EFB own-ship position should not be displayed.

Note: Applicants should contact their EFB airport map application provider to obtain the accuracy of their database. This information is usually found in documentation supporting the EFB airport map application.

  1. Map Zoom. The application will need to indicate the current level of zoom on the display. The design should ensure the zoom level is compatible with the position accuracy of the own-ship symbol.

10.3 Training Requirements for Use of Own-Ship Position

10.3.1 Training to use EFB own-ship position on EFB applications should emphasize the limitations of this supplemental tool for use by the flight crew. Training should include the following:

  1. EFB own-ship position is for positional awareness only. Crews may not use EFB own-ship position to maneuver the aircraft.
  2. The flight crew’s reference for maneuvering the aircraft on the ground is visual identification of the airport, taxiway, and runway signage and markings.
  3. The flight crew’s reference for maneuvering the aircraft in the air is the installed primary flight and navigational displays. When a conflict occurs between the primary flight navigation displays and the EFB, the flight crews must utilize the primary displays.
  4. Reporting positioning or database errors when visual checks reveal display discrepancies.

10.4 Fleet EFB Standard Operating Procedure shall include the following statement:

“This EFB is not certified as a navigation system. The TAA has not assessed the EFB for performance or reliability of the platform hardware or software (including GPS functionality).”

Top of page

Back to TAA Advisory 2012-01

Page details

Date modified: