Unsettled Topics Concerning Airworthiness Cybersecurity Regulation EPR2020013

The certification process of the Boeing 787, starting in 2005, marked a watershed for airworthiness regulation. The “Dreamliner,” the first true “flying data center,” could no longer be certified for airworthiness ignoring “sabotage,” like the classic safety regulation for commercial passenger aircraft. Its extensive application of data networks, including enhanced external digital communication, forced the Federal Aviation Administration (FAA), for the first time, to set “Special Conditions” for cybersecurity.

In the 15 years that ensued, airworthiness regulation followed suit, and all key rule-, regulation-, and standard-making organizations weighed in to establish a new airworthiness cybersecurity superset of legislation, regulation, and standardization. The resulting International Civil Aviation Organization (ICAO) resolutions, US and European Union (EU) legislations, FAA and European Aviation Safety Agency (EASA) regulations, and the DO-326/ED-202 set of standards are already the de-facto, and soon becoming the official, standards for legislation, regulation, and best practices, with the FAA already mandating it to a constantly growing extent for a few years now—and EASA adopting the set in its entirety in July 2020. This emerging superset of documents is now carefully studied by all relevant actors—including industry, regulators, and academia—as the aviation ecosystem moves forward with DO-326/ED-202 set training, gap analysis, and even with certification itself.

This report suggests a deeper analysis of these sets of regulatory documents and their effects on the aviation sector as they gradually become the law of the land, starting with their expected effects on the aviation ecosystem, the issues they pose to supply chains, and the challenges they present to the airworthiness certification process itself. Then, this report examines the major DO-326/ED-202 set gaps, inherent dilemmas, and methodological uncertainties. For each such unsettled domain, six aspects are reviewed. Finally, practical solution-seeking processes are proposed, and some specific potential frameworks and solutions are pointed out whenever applicable. It is the intention of this report that these insights and observations would assist regulators, applicants, and standard makers through, at least, the 2020s with accommodating this new regulation and start adjusting it to emerging realities.

NOTE: SAE EDGE™ Research Reports are intended to identify and illuminate key issues in emerging, but still unsettled, technologies of interest to the mobility industry. The goal of SAE EDGE™ Research Reports is to stimulate discussion and work in the hope of promoting and speeding resolution of identified issues. SAE EDGE™ Research Reports are not intended to resolve the challenges they identify or close any topic to further scrutiny.