EUROCAE ED-202A PDF

The guidance of this document adds to current guidance for aircraft certification to handle the threat of intentional unauthorized electronic interaction to aircraft safety. It adds data requirements and compliance objectives, as organized by generic activities for aircraft development and certification, to handle the threat of unauthorized interaction to aircraft safety and is intended to be used in conjunction with other applicable guidance material, including ED-79A / SAE ARP4754A, ED-12C / DO-178C, and ED-80 / DO-254 and with the advisory material associated with FAA AMJ25.1309 and EASA AMC25.1309, in the context of Part 25, CS-25, and JAA JAR- 25. Tailoring of this guidance may allow it to be applicable in other contexts such as CS-23, CS-27, CS-29, CS-E, Part 23, Part 27, Part 29, and Part 33. For a discussion of the history of ED-202A / DO-326A and the differences from the original ED-202 / DO-326, please see Appendix E: "Background of the DO-326/ ED-202 Document". This guidance material is for equipment manufacturers, aircraft manufacturers, and anyone else who is applying for an initial Type Certificate (TC), and afterwards ( e.g. for Design Approval Holders (DAH)), Supplemental Type Certificate (STC), Amended Type Certificate (ATC) or changes to Type Certification for installation and continued airworthiness for aircraft systems.

Special caution is recommended when applying this guidance to developments or operations already in place. This guidance is designed to be implemented across the full life cycle of an aircraft from design, through operations, to disposal. As such, it should first be applied to the design stage before its use in subsequent stages of the life cycle. If objectives are applied to aircraft which were not previously subject to these objectives during all stages of its life cycle, then it should be borne in mind that some aspects of the objectives will not be applicable. These aspects should be described and dealt with separately. For existing or aircraft in development, alternate processes are acceptable which may utilize some or all of processes of this document. Intentional unauthorized electronic interaction (also known as "unauthorized interaction" within the scope of this document) is defined as human-initiated actions with the potential to affect the aircraft due to unauthorized access, use, disclosure, denial, disruption, modification, or destruction of electronic information or electronic aircraft system interfaces. This definition includes the effects of malware on infected devices and the logical effects of external systems on aircraft systems, but does not include physical attacks or electromagnetic jamming.

Certification Context: Airworthiness security is the protection of the airworthiness of an aircraft from unauthorized interaction.

While the airworthiness certification process addresses failures and errors, this guidance extends this to address intentional unauthorized electronic interaction with aircraft systems resulting in safety effect. Just as failures and errors are treated as manageable risks to aircraft safety by the airworthiness certification process, the threat of Unauthorized Interaction is treated equally through the airworthiness security activities. In this context airworthiness security activities do not directly address the interfaces, policies, and procedures of external systems. However, aircraft systems may depend upon external systems to perform their functions and so the dependencies of airworthiness security on external systems are included in the considerations. To address these considerations, the applicant documents the assumptions about external factors as part of the Airworthiness Security Process.

Product Lifecycle Context: This document provides guidance in addressing the Airworthiness Security during the Aircraft product life cycle from project initiation until the aircraft Type Certificate is issued for the aircraft type design, including afterwards the issuance of STCs and ATCs. In addition, it includes the handover of information about the type design that is necessary to ensure continuing airworthiness with respect to unauthorized interaction. For the other stages of the product life cycle (operation, support, maintenance, administration, and disposal) guidance may be found in a companion document ED-204 / DO-355 "Information Security Guidance for Continuing Airworthiness".

Those aspects of information security that have no safety effect are not in the scope of this document.

PURPOSE

This document is a resource for Airworthiness Authorities (AA) and the aviation industry for certification when the development or modification of aircraft systems and the effects of intentional unauthorized electronic interaction can affect aircraft safety. It deals with the activities that need to be performed in support of the airworthiness process when it comes to the threat of intentional unauthorized electronic interaction (the "What"). A forthcoming companion document will suggest methods and considerations (the "How"). The document ED-204/DO-355 "Information Security Guidance for Continuing Airworthiness" addresses airworthiness security for continued airworthiness.