2021 TSO Workshop: Question & Answers

General Notes:
1) This document contains two sections. Section A contains questions sent by e-mail from
Industry participants prior to the workshop, and their answers. Section B contains deferred
questions posed via chat during the workshop, not addressed verbally during the specific topic’s
time frame and the corresponding answers reviewed by the Certification Authorities.

2) Questions that were raised and fully answered verbally during the meeting are not captured.

3) Questions were organized into groups related to specific subjects.

Section A: Questions received from Industry prior to the workshop

Group 1: SOC-ARC:

 Question A-1.1:

From: General Aviation Manufacturers Association (GAMA)

Each of the recommendations and objectives identified in the "SOC ARC TSO
Subcommittee Report 2020 TSO Transformation" materially improve how article
certification occurs. What is the status of, and when will each of the 15 specific TSO
authorization process change recommendations be implemented in FAA policy? Or are
regular updates on the progress of those recommendations in process and readily
available to industry?

Creation of new TSOs, if industry standards are not yet available, needs to occur more
quickly to support healthy product innovation. SOC ARC TSO subcommittee
recommendation 4.2.1.12 takes an important first step; however the additional
overhead associated with special projects and the follow on delegation suggested in that
recommendation are unlikely to significantly change how new and novel technology is
processed at the article level. Are alternative methods of proposing, drafting, and
approving TSO functional standards being considered?

Answer:

See the FAA presentation on Day 1 of the Workshop.

Group 2: Software and Airborne Electronic Hardware:

 Question A-2.1:

From: General Aviation Manufacturers Association (GAMA)

EASA AMC 20-152A and AMC 20-189 were released in July of 2020, causing a disconnect
in the guidance between EASA and FAA related to airborne electronic hardware
development assurance and management of open problem reports. Industry would like
to request an update on the planned release date for FAA AC 20-152A and AC 20-189.

Answer:

FAA: AC 20-152A and 00-72 are still in review and currently we do not have an estimate
when they will be released.

In the meantime, applicants can use the streamlined issue paper process (AIR600-18-
AIR-6C0-DM119) to reference the proposed AC 20-152A/00-72 in the certification plan.
We are also encouraging applicants to refer to AMC 20-152A because that has the final
text. This work-around should help us to stay harmonized with EASA.

The same is true of the multicore processor AC 20-193. That AC is being held up because
it has an objective that references an objective in AC20-152A. We can also apply the
streamlined IP policy for MCPs, so we have a work-around for that one too.

As for AC 20-189, it is in the final stages of processing and we expect it to be published

soon.

Group 3: Cyber Security

 Question A-3.1:

From: General Aviation Manufacturers Association (GAMA)

How will the pending system and aircraft security certifications from the regulatory
agencies consider article level security assurance data and how it can be used to support
new aircraft security certifications? Both the portability of article level security assurance
data approvals and data reuse at the aircraft level are important in maintaining the
value of TSO approvals.

Answer:

FAA: DO-356A (Appendix A for security assurance objectives) may be used by applicants
as a means to satisfy cybersecurity requirements at the article level based on the article's
SAL. Regardless, the TSO article's installation must still be evaluated at the aircraft level,
and DO-326A is an acceptable means of evaluation. FAA Policy Statement PS-AIR-21.16-
02 Rev 2 also provides guidance for establishing special conditions during TC/STC
projects to address ASISP vulnerabilities at the aircraft level. Additionally, the FAA is in
 the process of revising the TSO template to ensure the inclusion of cybersecurity
requirements in each TSO in the future.

EASA: EASA AMC-20 has been updated in July 2020 to create and release AMC 20-42
dealing with Airworthiness information security risk assessment. CS-ETSO subpart A
section 2.6 is referencing this AMC 20-42, the applicant should evaluate and anticipate
if the intended installation of the ETSOA article will require security protection.

 Question A-3.2:

From: General Aviation Manufacturers Association (GAMA)

Are TSO updates planned to address the NAS ecosystem security aspects of
interoperability requirements for communication, navigation, and surveillance (CNS)
TSOs (e.g. wireless functions: transponder, TCAS, ADS-B)?

Answers:

FAA: Some CNS TSO MOPS requirements specifically include NAS operating security
requirements (e-connects: wireless, blue tooth, etc.). For example, TSO-C159 NGSS
equipment addresses security requirements with respect to installation functions and
related threats. We are working to develop a consistent and standard approach to
address cybersecurity at the TSO/article level, however the overall NAS ecosystem
security aspects must be evaluated at the aircraft operational level.

 Question A-3.3

From: General Aviation Manufacturers Association (GAMA)

The long timelines required to certify and field updated software presents a significant
challenge to efficiently mitigate discovered field security vulnerabilities, in order to
address this what new mechanisms or processes are being considered to allow security
vulnerabilities identified at the TSO and/or aircraft level to be addressed with field
updates very quickly?

Answer:

ANAC: ANAC does not have a "fast track" procedure in place specifically for approving
changes related to information security vulnerabilities. This kind of change should follow
today the normal change process under TSO and aircraft levels. Depending on the extent
of the change, it may be possible to classify it as a minor change both at the article and
the aircraft levels, which would be in fact the quicker way to approve the change
(without having a direct ANAC involvement before approval) and make it available to
the field. If for some reason, the change is classified as major, it is also possible that the
applicant requests prioritization of its application due to the risk posed to the field, and
ANAC will obviously take this into consideration and pursue to reduce the time spent
during the approval process. It is important to emphasize that any change has a risk of
introducing an unintended behavior or could simply not be effective enough to
adequately mitigate the vulnerability identified. These are the main reasons why we
need to be careful while considering a "fast track" specifically for this kind of change.
Also, ANAC is not sure why such request from GAMA would have sufficient arguments
 to be specific to security vulnerabilities once we may also have a safety issue identified
that could be as urgent to have a correction implemented as a security one. Anyway,
our assessment is that any movement towards having a special procedure for allowing
a quicker approval in place will require rulemaking process, which is not planned at this
time.

EASA: EASA concurs with ANAC’s response.

FAA: FAA concurs with ANAC position. Field updated software for any operational flight
software (OFP) may require approval of major design changes (ref. CFR Sec. 21.619) and
performance of a Change Impact Assessment (CIA).

Group 4: Safety Management System

 Question A-4.1

From: General Aviation Manufacturers Association (GAMA)

How will the pending SMS compliance requirements from the regulatory agencies being
drafted at the aircraft level be structured with respect to the possible impact on article
level design, development, and certification processes, and will they all be structured in
a way that the article level processes and approvals support strong data portability and
reuse at the aircraft level?

Answer:

ANAC: SMS will still require rulemaking for implementing it to the design organizations.
Therefore, it is not possible to have an objective and definitive answer to this question
at this moment. ANAC is part of the Technical Working Group (TWG) working on the SM-
0001 standard that we consider will be followed once rulemaking is processed.

EASA: EASA is currently working on possible evolutions of Part 21 to include SMS, at this
stage, there is no information if it will affect subpart O.

FAA: The FAA is currently involved in rulemaking on this process and is not at liberty to
discuss it.
Section B: Questions raised during the workshop
The list below is a record of questions posed in the Chat section of the Teams meeting that were
not addressed verbally during the specific topic’s time frame.
NOTE: Although they were answered later, ANAC decided to keep the responses in this file.

Group B-1: Non-(E)TSO functions (Anne Sénéchal (EASA) / Doug Law (FAA))

 Question B-1.1

From Daniel Arroyo (ZIM Aircraft Seating):

In EASA´s Workshop September 2018 there was a point for discussion, this was "Please
clarify EASA´s position and direction on utilization of AC 21-49 for ETSO applications".
Answer was "EASA is reviewing proposals for the use of the guidance of the AC on a
case-by-case basis". Do EASA plan to create/release further guidance on this matter?

Answer:

EASA: Currently there is no rulemaking task from EASA side to create/release similar
guidance material. As mentioned during the workshop, the installer is the ultimate
responsible for the installation of integrated seat. In the EASA system, provisions of
21.A.239(c) and 21.A.243(b) addressing "control of design subcontractors" apply for a
DOA designing the seat installation, and such requirements are fulfilled through
procedures that depend from each and every DOA.

 Question B-1.2

From Marcelo Almeida Silva (Independent Consultant):

It was said that NTF has to have the same DAL of the TSO function. Is that statement
valid for IMA systems, where partitioning is applied to isolate different functions
installed within the same article?

FAA: In the FAA policy it states that the DAL for a NTF may not exceed the DAL specified
in the TSO for the article or the DAL used based on how the article will be used.
However, if properly partitioned, the NTF may have a lower DAL than the rest of the
article. The NTF must still pass any environmental, software or AEH requirements
prescribed in the TSO(s).