By Paul Hart, CTO, Curtiss-Wright Defense Solutions
Last March, I had the pleasure of introducing Dietmar Freese, a software and electronic hardware certification expert working for the European Union Aviation Safety Agency (EASA) at the Avionics Electronics Europe conference in Munich, Germany. At the conference, Mr. Freese gave an update on the latest EASA regulations for cybersecurity. In addition to discussing the DO-326A Airworthiness Security Process Specification, Mr. Freese also shared an update on future EASA regulations for flight recorders.
On the cybersecurity front, EASA has issued a new notice of proposed amendment (NPA) related to an earlier RTCA document, DO-326A, which came out in 2014. Because DO-326A wasn’t tied to any regulation, it hasn’t been widely implemented since its introduction. Recent incidents have increased a focus on DO-326A, including an incident last year, during which an airline passenger on board a major international carrier, unwisely thought it would be funny to rename his iPhone’s personal wi-fi hot-spot account, “Bomb Onboard.” During the flight, when the other passengers sought the aircraft’s available wi-fi address, they were understandably frightened to find the prankster’s message. In this case, the crew had to divert the aircraft to address the confusion. When the media got wind of the story, pressure was put on aviation regulators to respond.
That unfortunate incident helped to revive interest and awareness of DO-326A, and EASA has now decided to make it mandatory for avionics vendors to implement the specification. EASA is using a route to fast-track the mandate through legislation and it’s now expected that, within the next three or four months, all new avionics developments will be required to perform a DO-326A cybersecurity assessment.
The DO-326A cybersecurity assessment entails seven steps, which branch into 39 security objectives, and comprise a total of 62 activities -- all of which will have to be carried out by the avionics vendor. For the most part, EASA is focused on avionics that connect with the outside world. On today’s aircraft, there are typically three wi-fi systems: the cabin wi-fi, the cockpit wi-fi, and the maintenance wi-fi. Of these three, EASA’s main concern resides with the maintenance wi-fi, which has become more important as the trend toward “zero-touch” aircraft maintenance increases.
In the zero-touch approach, after the aircraft lands, wi-fi links log onto the platform’s maintenance network to download data about how it’s been flown. This data, which is available for Big Data analysis, helps to further the move away from fixed interval maintenance schedules and enabling carriers to leverage the many benefits of condition-based maintenance and performance-based logistics. The concern from the cybersecurity protection for the maintenance wi-fi network and the connected avionics must be robust enough to prevent the maintenance data from being intercepted, corrupted, or interfered with by a malicious attacker.
Mr. Freese also discussed recent trends that are driving next-generation Cockpit Voice Recorders (CVR) and Flight Data Recorders (FDR), commonly known by the vernacular “black box.” One of these trends is the move toward longer CVR record times. One of the issues driving this trend is the increased interest in incident investigation, separate from the traditional attention paid to accident investigations.
International Civil Aviation Organization (ICAO) Annex 13 covers Aircraft Accident and Incident Investigation and requires national airworthiness authorities and accident investigation agencies to investigate incidents as well as accidents. Whenever an incident occurs (even things like a tire burst) an incident report must be written and submitted. Afterward, the national airworthiness authority will determine if that incident requires a Mandatory Occurrence Report (MOR). There is a classification of severity for incidents, and if one leads to an MOR, the aviation authority wants to be informed wants to know. A similar approach for incident reports is followed by EASA, the FAA, and Transport Canada.
A good example of an incident that will rise to the attention of the aviation authorities after an MRO is the case of a runway incursion in which a pilot pulls onto a specific runway because he thought he was cleared for takeoff, without knowing that another aircraft hadn’t yet cleared that runway. In this hypothetical example, the pilot was specifically told by air traffic control (ATC) to use the still occupied runway. For such cases, EASA isn’t necessarily focused on the context of the flight data parameters; instead, EASA is interested in the flight voice communications in the context of how the aircraft was maneuvered.
In the real world, it’s often the case that the aircraft involved in the runway incursion will depart soon after and become airborne for some number of hours. By the time the aircraft returns to ground the cockpit voice data is likely to have been overwritten. It’s also likely, that by the time the airplane returns to ground, the MOR will not have yet been submitted, since it might take a day or two to complete. While the FAA still retains the two-hour CVR recording standard, EASA has moved to longer recording durations. In 2017, EASA announced that by Jan. 1, 2019, all CVRs with a 30-minute recording duration have to be upgraded with units that support two hours of voice; older CVRs that used magnetic tape have to be upgraded with solid-state recorders; and all aircraft weighing 59,500 pounds or greater built after Jan.1, 2021 must have both a 25 hour CVR and a “robust and automatic means to accurately determine” the location of an accident.
For aviation incidents, one of the issues driving the desire for increased CVR recording time is that, for investigatory reasons, EASA wants more comprehensive access to communications between the pilots and ATC, as well as access to the conversations that take place between the pilots in the cockpit. As soon as a flight lands following an incident, EASA wants the flight cockpit voice recorder pulled off the aircraft and put into quarantine. That’s because the CVR has become the subject of an ICAO Annex 13 Incident investigation.
New rules have also been introduced by EASA that relate to the so-called “sterile cockpit” concept, which the FAA introduced years ago. Under sterile cockpit rules, below 10,000 feet, conversation in the cockpit must only be about the flight itself. Even casual comments, such as how pretty the view is, are banned. Not surprisingly, there is backlash and opposition from pilot organizations about having CVRs pulled so that all conversation, both professional and social, is reviewable. But in the case of an incident that results in an MOR, where there’s a dispute for example about runway clearance or a misunderstanding about ATC instruction, EASA sees good reason for this policy.
While the FAA is not currently pursuing the same 25-hour CVR policy, airframe manufacturers like Boeing and Airbus, who make aircraft for the international market, have to take into consideration the highest common denominator in regards to international aviation regulations. Consider the implications of a U.S. aircraft designer choosing to carry on with a two-hour CVR for the U.S.-only market. When that aircraft comes off lease, the owner will be limited in who they can offer the platform to next If they want to be able to sell the aircraft to any airline in the world, the CVR will have to be upgraded for the highest common regulatory denominator.
A few other trends of interest involve beacons, crash recorder deep-sea pressure, and an increased need for cockpit video recording. Aircraft beacon regulations have undergone several changes in recent years. Partly as a result of accidents such as Air France 447, beacon battery life requirements have increased from 30 days to 90 days. Since the lower the ultrasonic frequency, the longer the transmission length, a new mandate has emerged for aircraft beacon operating frequencies. Currently, regulations mandate that a beacon ping at 37.5 KHz.
Now, as of January 2019, another lower frequency beacon, operating at 8.8 KHz, must be connected to the airframe. This will enable the pinging source to be located at a greater distance, and since the beacon is connected to the airframe, the assumption is that once the airframe is located underwater, the black box will be nearby and easier to locate. In addition, black boxes must now be able to survive 20,000 feet of deep sea pressure. Recent accidents are also likely to increase a call for more extensive use of crash-protected cockpit video recording, as the issue of pilot training and procedures increasingly rises to the fore.
About Curtiss-Wright Corporation
Curtiss-Wright Corp. is a global company that delivers highly engineered, critical function products and services to the commercial, industrial, defense, and energy markets. Building on the heritage of Glenn Curtiss and the Wright brothers, Curtiss-Wright has a long tradition of providing reliable solutions through trusted customer relationships. The company employs approximately 9,000 people worldwide. For more information, visit www.curtisswright.com.
An example of next-generation CVRs is provided by Curtiss-Wright’s Fortress™ recorders, the newest range of flight data recorders on the market, which includes combination Cockpit Voice Recorders (CVR) and Flight Data Recorders (FDR). These highly functional units deliver longer recording time, supporting the recently introduced EUROCAE classes 4, 5 and 6 Cockpit Voice Recorders (CVR) and surpass the requirements of the upcoming 2021 EASA minimum 25-hour CVR mandate. In February 2019, EASA granted European Technical Standard Order (ETSO) approval for the Fortress family, making them the industry’s first black boxes to meet the demanding requirements of EUROCAE ED-112A. The EASA certifications include ETSO-C123c, ETSO-C124c, ETSO-C176a and ETSO-C177a.
Also that same month, Curtiss-Wright and Honeywell announced a partnership to use real-time connectivity to reinvent the CVR and FDR solutions for the commercial airline, cargo transport and business jet markets. The companies signed an agreement to develop the next generation of mandate-compliant voice and data recorders. As part of the new agreement, Curtiss-Wright will be the exclusive supplier for Honeywell’s next-generation recorders for the Air Transport and Business Aviation markets.
For more information on the DO-326A Airworthiness Security Process Specification:
- https://www.easa.europa.eu/sites/default/files/dfu/ToR RMT.0648 Issue 1.pdf
- https://www.easa.europa.eu/sites/default/files/dfu/ToR RMT.0720.pdf
About the author
Paul Hart, Chief Technology Officer, joined Curtiss-Wright in 1982 as a graduate engineer and has worked for 18 years in the flight recorder business. He also worked for Thales for 2.5 years in helicopter flight management and was responsible for the mission systems group at Cobham Aviation Services for 7 years. In 2011, Hart re-joined Curtiss-Wright as the Director of Avionics Engineering and transitioned to the Avionics CTO.
Bookmark http://www.sae.org/news to keep pace with the latest aerospace technology news & information.
Learn about AeroPaks to access 8,000+ SAE aerospace standards, specifications, recommended practices, and resource documents available in SAE MOBILUS.
Subscribe to SAE MOBILUS for access to more than 200,000 resources, including aerospace standards, technical papers, eBooks, magazines, and video.
Visit SAE International's Knowledge Hubs -- access points to the best industry resources, training, and current news -- designed to provide everything you need to know about emerging mobility technologies.