(To be incorporated in the Airworthiness Manual Doc 9760 in the 2018 publication)
(unedited version) — Nov 2017
Notice to users:
This document presents the unedited version of text which will be incorporated in the ICAO publication Doc 9760 Airworthiness Manual. As the text content may still be supplemented, removed, transferred or otherwise modified during the editing process, ICAO shall not be responsible whatsoever for any costs or liabilities incurred as a result of its use.
International Civil Aviation Organization
The current ICAO provisions on aircraft maintenance records do not specifically describe the format in which the maintenance records should be issued, making possible the use of both paper and electronic formats. In current practices, information pertaining to aircraft maintenance is widely recorded, certified and stored in a paper format. However, air operators, aircraft manufacturers and maintenance organizations are continuously migrating towards the use of electronic aircraft maintenance records (EAMR) and digitally supported aircraft maintenance information. Some States have already published advisory material on the use of EAMR and are already allowing air operators, aircraft manufacturers and maintenance organizations to make use of EAMR and digitally supported aircraft maintenance information.
The implementation of EAMR poses challenges such as electronic signature, security and integrity of records, and transferability from one record system to another. Clear provisions on EAMR would provide acceptable methods for the development of States' requirements and facilitate the implementation and acceptance of EAMR.
The Airworthiness Panel (AIRP) was tasked by the Air Navigation Commission (ANC) to consider developing provisions for electronic aircraft maintenance records in Annex 6, Annex 8 and/or the Airworthiness Manual – Doc 9760.
Working as tasked, the AIRP concluded with the proposals to amend Annex 6, Annex 8 and the Airworthiness Manual – Doc 9760 accordingly. The proposals were documented in the Report of AIRP/3 and Report of AIRP/4. The proposed amendments to Annex 6 and Annex 8 are expected to be adopted in March 2018 and become applicable in November 2020.
The guidance material on EAMR will be included in the next revision of the Airworthiness Manual – Doc 9760. The next edition of Doc 9760 is expected to be published in 2018. To make the EAMR-focused guidance material available to all aviation stakeholders in a timely manner, ICAO decided to publish the unedited copy of the guidance material on its website. To aid readers' understanding and usability, the numbering of the paragraphs preserves the numbering system and values of existing section 7.8 (Maintenance Records), Chapter 7, Part III of Doc 9760.
7.8. MAINTENANCE RECORDS
184.108.40.206 Annex 6, Part I, 8.2 and 11.2, and Part III, 6.2 and 9.2 provide that the State of Registry be responsible for the acceptance of the air operator's maintenance control manual (MCM). The MCM should include the policies and procedures relating to maintenance records. This section covers the requirements for a maintenance records system. The State of Registry should verify that all these requirements are satisfied by the procedures in the air operator's MCM.
220.127.116.11 Annex 6, Part I, 8.4.1 and Part III, Section II, 6.4.1 require that an operator ensure that the following records are kept:
a) the total time in service (hours, calendar time and cycles, as appropriate) of the aeroplane and all life-limited components;
b) the current status of compliance with all mandatory continuing airworthiness information;
c) appropriate details of modifications and repairs;
d) the time in service (hours, calendar time and cycles, as appropriate) since the last overhaul of the aeroplane or its components subject to a mandatory overhaul life;
e) the current status of the aeroplane's compliance with the maintenance programme; and
f) the detailed maintenance records to show that all requirements for the signing of a maintenance release have been met.
18.104.22.168 Annex 6, Part I, 8.4.2 and Part III, Section II, 6.4.2 provide that the records of 22.214.171.124 a) to e) above be kept for a minimum period of 90 days after the unit to which they refer has been permanently withdrawn from service, and the records of 126.96.36.199 f) above for a minimum period of one year after the signing of the maintenance release.
1.1.4 Annex 6, Part I, 8.4.3 and Part III, Section II, 6.4.3 provide that in the event of a temporary change of operator, the records be made available to the new operator. In the event of any permanent change of operator the records should be transferred to the new operator.
188.8.131.52 Maintenance records should give an overall picture of the maintenance status of the aircraft. The level of detail, content, form and support media of maintenance records should be acceptable to the Civil Aviation Authority (CAA).
184.108.40.206 Operators should ensure that complete records associated with the maintenance release by an approved maintenance organization (AMO) are received so that the required records can be retained. In all cases, an AMO should record details of all work carried out.
220.127.116.11 When acceptable by the CAA, operators may arrange for a maintenance organization to retain maintenance records on their behalf. Operators are responsible for the transfer, preservation and availability of the records. Operators should ensure the AMO maintains the records in compliance with the MCM and ensures the maintenance records are returned to the air operator upon their request. The CAA must have access to any maintenance records, whether kept by an air operator or an AMO.
18.104.22.168 The air operator is responsible for ensuring a detailed description on maintenance record-keeping is included in the MCM. The AMO is responsible for ensuring a description on the completion of maintenance records is included in the maintenance organization procedures manual to show that the requirements for the issuance of a maintenance release have been met.
22.214.171.124 The use of an electronic recordkeeping system to generate, process, store and archive aircraft records should be eligible for implementation by the operator, with the acceptance of the CAA, to address all and any of the requirements regarding maintenance records specified by this manual. Such acceptance by the CAA should consider, based on the applicable State laws, the criteria referenced in Attachment B to this chapter.
7.8.3 Contents of records
126.96.36.199 Maintenance records are important documents that show if the aircraft is being maintained properly. The records should clearly indicate the status of applicable mandatory continuing airworthiness instructions, or if the aircraft is current with its maintenance programme requirements. Maintenance records can show if the aircraft has received all its required overhauls or any component has reached its life limits. A thorough review of the maintenance records will help to determine if the aircraft's Certificate of Airworthiness is valid.
188.8.131.52 Maintenance personnel should make entries in the maintenance records to indicate a description of the work performed including a reference to the approved data used. The maintenance record entries should provide enough information to demonstrate that compliance to the airworthiness requirements has been met. A maintenance release should be completed and signed to certify that the maintenance work performed has been completed satisfactorily and in accordance with approved data.
184.108.40.206 The operator and AMO should develop detailed procedures in their manuals that address the form, content and information criteria necessary for completion and retention of the maintenance records.
220.127.116.11 When entering information in the maintenance record it is often necessary to include the following, as applicable:
a) the date;
b) the identification of the aircraft or component to include make, model and, where applicable, registration and serial number;
c) the aircraft or component time since new, time since overhaul and, if applicable, cycles since new and cycles since overhaul;
d) the same information in c) is required for life-limited components, where applicable;
e) complete details of the work performed; and
f) the maintenance release, together with the name and identification (license or authorization number) of the certifying personnel.
18.104.22.168 Maintenance records and maintenance release record entries should contain a description of the work performed in enough detail to show that the requirements for the issuance of a maintenance release have been met. Annex 6, Part I, Chapter 8, and Annex 6, Part III, Section II, Chapter 6, require that the following records be kept:
a) maintenance records:
i) the total time in service (hours, calendar time, and cycles, as appropriate) of the aircraft and all life-limited components;
ii) current status of compliance with all mandatory continuing airworthiness
iii) appropriate details of modifications and repairs;
iv) the time in service (hours, calendar time and cycles, as appropriate) since the last overhaul of the aircraft and its component subject to a mandatory overhaul life;
v) current status of the aircraft's compliance with the maintenance programme; and
vi) detailed maintenance records to show all requirements for signing a maintenance release have been met;
b) maintenance release:
i) basic details of the work carried out including detailed reference of the approved
ii) date such maintenance was completed;
iii) when applicable, the identity of the AMO; and
iv) the identity of the person or persons signing the release.
22.214.171.124 Appropriately certificated persons in accordance with Annex 1 should accomplish the requirements contained in MCAI and are required to record compliance in the maintenance record. The air operator should ensure that maintenance personnel make appropriate entries in the maintenance records.
126.96.36.199 The maintenance records showing compliance with MCAI should include:
a) MCAI information (number and title), including revision or amendment numbers;
b) where the MCAI is generally applicable to the aircraft or component type but is not applicable to the particular aircraft or component being maintained, this should be identified in the maintenance record accordingly with an authorized signature;
c) the date when MCAI was accomplished;
d) for a multi-part instruction, which parts have been accomplished. If the entire MCAI was accomplished, reference the entire instruction by title;
e) the method of accomplishment of the instruction together with the inspection result,
f) if the MCAI requires recurring action, an indication of the next recurring action interval; and
g) certification by licensed personnel, in accordance with Annex 1, for the accomplishment of
.8.3.8 Appropriate details of modifications and repairs should include records identifying any modification or repair, along with a reference to the approved data used and a description of the work performed with maintenance release information. Major modification and major repairs should be recorded in a form and manner as prescribed by the CAA.
188.8.131.52 Records about aircraft or component inspection status found during inspections should include information about defects or unairworthy conditions, details of faults and any subsequent rectification, the total time in service as appropriate and the state of maintenance when it enters the AMO's facilities.
184.108.40.206 When operators wish to take advantage of modular design (e.g. modular assembled gas turbines where a specification of a true total time in service is not relevant), the total time in service and maintenance records for each module are to be maintained. The maintenance records as specified are to be kept with the module and should show compliance with any mandatory requirements pertaining to that module.
220.127.116.11 The maintenance records required in Annex 6 should be kept in a form and manner acceptable to the State of Registry and the State of the Operator.
18.104.22.168 If a paper system is applied, legible entry should be made, and the record should remain legible throughout the required retention period, irrespective of the medium.
22.214.171.124 If a computer based system is implemented, the electronic solution adopted should ensure that all corresponding EAMR are generated, processed, used, stored and archived following the guidelines set forth in Attachment B to this chapter. The software and hardware used should support specific procedures acceptable to the CAA with respect to:
a) protection of the records by electronic means against loss, destruction or tampering to the equivalent extent of that provided to paper records;
b) backup of EAMR (e.g. backup system robustness and reliability; timing and frequency of backup completion; segregation from source records; data loss and recovery);
c) user identification, authentication and authorization to access the EAMR, scope of access, control of access and traceability of all operations concerning any individual record; and
d) security and integrity of EAMR.
126.96.36.199 If optical or other high-density storage of maintenance records is used, the records should be as legible as the original record and remain so over the required retention period.
188.8.131.52 Maintenance records should be kept in such a way that they are protected from hazards such as fire, flood, theft or alteration. Computer backup disks, tapes and other storage mediums should be safely stored in a different location.
184.108.40.206 Records should be structured or stored in such a way as to facilitate auditing.
7.9 MAINTENANCE RELEASE
220.127.116.11 Annex 6 provides that a maintenance release should be completed and signed to certify that the maintenance work performed has been completed satisfactorily. This should be done in accordance with the approved data and the procedures described in the maintenance organization's procedures manual or under an equivalent system.
18.104.22.168 It also provides that the MCM include a description of the procedures for preparing the maintenance release and the circumstances under which the release is to be signed.
22.214.171.124 The implementation of an electronic maintenance release acceptable to the CAA should consider the criteria referenced in Attachment B to this chapter. The electronic maintenance release form should be accessible in "edit mode" only at the location where the aeronautical product is being released. Access to the document from any other location should be "read only".
7.9.2 Requirements of maintenance release
A maintenance release is a certification which includes:
a) details of the maintenance carried out including detailed reference of the approved data used. Where appropriate, a statement that all items required to be inspected were inspected by a qualified person who determined that the work was satisfactorily completed;
b) the date such maintenance was completed and the total flight hours and cycles;
c) when applicable, the identity of the AMO; and
d) the identity and authorization of the person signing the release.
Attachment B to Chapter 7
GUIDANCE FOR ACCEPTANCE OF ELECTRONIC AIRCRAFT MAINTENANCE RECORDS (EAMR)
1. Purpose and scope
The purpose of this attachment is to provide guidance to CAAs seeking to establish and develop their national regulations in the field of EAMR. In proceeding to use the guidance hereby provided, the CAAs should note the following:
Note 1: The Contracting States should develop State regulations and practices that enable and encourage the airworthiness activities of the air operators, design organizations, production organizations and maintenance organizations to use and rely on EAMR.
Note 2: The guidelines constituting this attachment list the elements that should be considered by CAAs in setting their regulations for acceptance and usage of EAMR. This list is not intended by any means to be limitative nor should it be considered as exhaustive.
Note 3: In developing their specific regulatory framework per individual State law, the CAAs should be strongly considering the common baseline set forth by the following or equivalent reference standards: "Air Transport Association (ATA) Spec 2000 e-business Specification", "ATA iSpec 2200 Information Standards for Aviation Maintenance", "ATA Spec 2300 Data Exchange Standard for Flight Operations", "ATA Spec 2500 Aircraft Transfer Records", "ATA Spec 42 Aviation Industry Standards for Digital Information Security", "S1000D International Specification for Technical Publications Using a Common Source Database", "ARINC-811 Commercial Aircraft Information Security Concepts of Operation and Process Framework", RTCA/EUROCAE documents DO-355/ED-204 "Information Security Guidance for Continuing Airworthiness".
Note 4: The designation of "EAMR" should be understood as referring also to records of engines, propellers and components.
2.1 The information pertaining to aircraft maintenance is often recorded, certified and stored in a paper format. The accepted paper based practice capabilities are challenged and limited in supporting real time accurate and complete records when faced with the increase of information amount and complexity associated with modern aircraft operation and maintenance. The CAAs should consider the approval and oversight of EAMR processes and procedures to be implemented by air operators, aircraft manufacturers and maintenance organizations.
2.2 An electronic recordkeeping system should be a system of record processing in which records are entered, electronically endorsed, stored, and retrieved electronically by a computer system rather than in the traditional "hard copy" or paper form.
2.3 Any electronic record keeping system and the EAMR it generates, processes and stores should be described in the operator's MCM and be acceptable to the CAA and meet the requirements set forth by the CAA for the operator's maintenance and operational activity. This should include unrestricted CAA access for auditing and the capability of the organization to provide paper copies of needed records if required by the CAA.
2.4 The EAMR generated, processed and stored per CAA requirements, should be considered as original documents. Use of a complete electronic recordkeeping system should be acceptable to the CAA. EAMR signed electronically should be considered equivalent to aircraft maintenance record authenticated with non-electronic signatures. Any printout of EAMR required by the CAA (see above provision 2.3) should have a watermark displayed on the page background stating "PRINTED FROM ELECTRONIC FILE".
2.5 The exchange of EAMR documents between aviation organizations, under the same or different CAA oversight responsibility, should be accomplished on a voluntary basis where both the issuer and receiver should agree on the electronic transfer of the EAMR.
2.6 The paper based aircraft maintenance records should continue to be acceptable to the CAA if the air operator, aircraft manufacturer or maintenance organization adopts the traditional paper based system. Notwithstanding the capability stipulated in provision 2.3 above, the CAA should not require that a dual system be implemented if the organization adopted an EAMR system in agreement with provision 2.4. A combination of electronic and paper based maintenance record keeping should be acceptable to the CAA if the air operator, maintenance organization or aircraft manufacturer adopts the traditional paper based system as a backup system in case of situations where a full electronic record can't be created.
2.7 The adoption of the EAMR system should be conditional to providing to all system users the adequate training that includes security awareness and policy and procedures relevant to the system adopted. The assurance of its implementation is, thus, as important to an EAMR system as the architecture itself. The CAA should validate, before acceptance of the EAMR system, not only the technical capabilities of the proposed EAMR system but also the organizational readiness to adopt the EAMR system.
3. Identification, authentication and authorization
3.1 The basis of any electronic record and its related electronic signature identity management system is trust. Whether it is about identifying an aircraft, a crew member, a mechanic, a component, or a ground station entity, the organisation will have to be able to trust that, when the entity presents a digital credential, the respective credential was issued to that entity. To facilitate the establishment of this trust, requirements and procedures should be specified enabling and ensuring verification of the identity of the various parties that are involved in the issuance of a credential. The credential should be the basis of establishing the identity of an electronic record system user.
3.2 The electronic record system should perform the user's identity authentication. This should consist in means by which the system validates an authorized user's identity. These means may include, but are not limited to, a password, a personal identification number (PIN), a cryptographic key, or a badge swipe, all in correlation with the implemented solution and processes.
3.3 The level of identity assurance and authentication should be commensurate to the class of activity for which the electronic record system is authorizing the user's access.
3.4 The user's identity assurance should comprise both initial and continuing (i.e. periodic) procedures the user has to comply with.
3.5 The organization to which the user belongs at the time of interacting with the EAMR should be responsible for the correlation between the management of the user's identity and the user's scope of authorization.
4. Electronic signature
Note: The use of the wording "electronic signature" is intended here to capture broad and diverse categories of solutions which, although may be differently identified in the expert field of digital security in accordance with their technological features and capabilities, are all in compliance with provisions 4.3, 4.4 and 4.5. The inaccuracy generated by non-differentiation between categories such as electronic signature, digital signature, advanced electronic signature, secure electronic signature or digital electronic signature is considered irrelevant for these guidelines as long as compliance with 4.3, 4.4 and 4.5 is ensured by the solution adopted. The considerations presented in this section 4 are entirely valid for aviation applications highlighted in other ICAO publications (see provision 8.2.2 of Doc 10020 - Manual on Electronic Flight Bag, and provision 5.3.10 and Appendix 1 to Chapter 5 of Doc 9859 - Safety Management Manual).
4.1 The handwritten signature is universally accepted because it has certain qualities and attributes that should be preserved in any electronic signature. For an acceptable electronic signature, the purpose is identical to that of a handwritten signature, and therefore, an electronic signature should possess those qualities and attributes that guarantee a handwritten signature's authenticity.
4.2 Electronic recordkeeping systems may be used to generate aircraft records (e.g., maintenance task cards, aircraft maintenance records, dispatch releases, flight releases, airworthiness releases, and flight test reports) for which there is a need to be able to properly authenticate the user with an electronic signature.
4.3 The electronic signature is the online equivalent of a handwritten signature. It is an electronic sound, symbol, visible mark or process attached to or logically associated with a record and executed or adopted by an individual with the intent to sign the record. It electronically identifies and authenticates an individual entering, verifying, or auditing computer-based records. The electronic signature should provide a secure authentication of the signatory and should be linked to the data for which the signature was created in such a way that any subsequent change of the data is detectable.
4.4 There are several attributes that an electronic signature should possess:
Uniqueness, which is the feature by which the electronic signature should identify a specific individual and only that individual, and should be difficult to duplicate. An acceptable method of proving the uniqueness of a signature is by using an identification and authentication procedure that validates the identity of the signatory. Acceptable means of identification and authentication include the use of separate and unrelated identification and authentication codes. These codes could be encoded onto badges, cards, cryptographic keys, or other objects. Systems using PIN or passwords could also be an acceptable method of ensuring uniqueness. A computer entry used as a signature should have restricted access that is limited by an authentication code that is changed periodically. Additionally, a system could use physical characteristics, such as a fingerprint, handprint, or voice pattern, as a method of identification and authorization.
Significance, which is the feature by which an individual using an electronic signature should take deliberate and recognizable action to affix his or her signature. Acceptable, deliberate actions for creating a digital electronic signature include: badge swipes, signing an electronic document with a stylus, typing specific keystrokes or using a digital signature.
Scope, which is the feature by which the scope of information being affirmed with an electronic signature should be clear to the signatory and to subsequent readers of the record, record entry, or document. The electronic record should accurately reflect the information being affirmed by signatory and the signatory should be fully aware of what he or she is signing.
Security, which is the feature by which an electronic system that produces signatures should restrict other individuals from affixing another individual's signature to a record, record entry, document, or alter the content without trace. To this effect, a corresponding policy and management structure should support the computer hardware and software that delivers the information. The system should contain restrictions and procedures to prohibit the use of an individual's electronic signature when the individual leaves or terminates employment. This should be done immediately upon notification of the change in employment status.
Non-repudiation, which is the feature by which an electronic signature should prevent a signatory from denying that he or she affixed a signature to a specific record, record entry, or document.
Traceability, which is the feature by which an electronic signature should provide positive traceability to the individual who signed a record, record entry, or any other document.
4.5 The electronic signature solution adopted should adhere to validated requirements and industry standards regarding: the strength of the user/system identification credential employed in creating signatures, the proof-of-possession algorithm for identification credentials, the cryptographic algorithm for protection of data and alternatives that may provide similar protection if the previously enumerated are deemed impractical.
4.6 The EAMR are essentially linked in most cases to the date and time information regarding the moment in which they were created, modified, signed-off. Such information should be appropriately addressed by the time stamping capability of the electronic record keeping system.
5. Security and integrity
5.1 A corresponding policy and management structure should support the computer hardware and computer software that delivers the information. Appropriate physical security and EAMR back-up procedures should be established for current, operational, stored and archived records.
5.2 The electronic system should protect confidential information.
5.3 The electronic system should ensure that the information is not altered by any unauthorized changes to the EAMR.
5.4 Procedures should be established allowing the organization to correct documents that were electronically signed in error. The original entry should be superseded anytime a correction related to that entry is made. (The original entry should be voided but remain in place. Reference to a new entry should be made and electronically signed and dated). It should be clearly identified that the original entry has been superseded by another entry.
5.5 Procedures should be established to describe how the operator will ensure that the computerized records are transmitted in accordance with the appropriate regulatory requirements to customers or to another operator, or to the CAA.
5.6 Procedures should be established for reviewing the computerized personal identification codes system to ensure that the system will not permit password duplication.
5.7 Procedures should be established for auditing the computer system periodically to ensure the integrity of the system. A record of the audit should be completed and retained on file as part of the operator's record retention requirements. This audit may be supported by system automatic self-testing.
5.8 Procedures should be established for non-recurring audits of the computer system if the integrity of the system is suspect.
5.9 Audit procedures should be established to ensure the integrity of each computerized workstation. If the workstations are server-based and contain no inherent attributes that enable or disable access, there is no need for each workstation to be audited. The procedures should be applicable to both fixed (e.g. desktop computers) and mobile equipment (e.g. laptops, tablets, PMATs etc.).
5.10 An information security assessment process should be established for the electronic record system to determine how effectively each entity being assessed (e.g., host, network, procedure, person) meets specific security objectives. The effective implementation of such established process should employ password cracking and security penetration testing procedures.
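Provisions 4.3 and 5.4 above call for a signature bound to the record so that any later change is detectable, and for corrections that void the original entry while leaving it in place. The sketch below is an added example, not part of the ICAO text: the class, field names, licence numbers and keys are constructed, and HMAC-SHA256 from the Python standard library stands in for the signature scheme (a shared-key MAC does not give the non-repudiation of 4.4, which needs an asymmetric signature).

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed signer credentials (assumption): one secret per certifying person,
# keyed by a made-up licence number. HMAC is a stand-in so the example runs on
# the standard library; it does not provide non-repudiation (4.4).
SIGNER_KEYS = {"LIC-0001": b"constructed-key-1", "LIC-0002": b"constructed-key-2"}
GENESIS = "0" * 64  # "previous digest" used by the first entry


def _canonical(body):
    """Serialise an entry body deterministically so digests are reproducible."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def _sign(signer, data):
    return hmac.new(SIGNER_KEYS.get(signer, b""), data, hashlib.sha256).hexdigest()


class RecordLog:
    """Append-only record log (hypothetical design): entries are never edited."""

    def __init__(self):
        self.entries = []

    def _append(self, signer, work, supersedes, when):
        if signer not in SIGNER_KEYS:  # credential removed, e.g. on leaving (4.4)
            raise PermissionError(f"unknown or revoked signer: {signer}")
        body = {
            "seq": len(self.entries),
            "prev": self.entries[-1]["digest"] if self.entries else GENESIS,
            "signer": signer,
            "signed_at": when or datetime.now(timezone.utc).isoformat(),  # 4.6
            "work": work,
            "supersedes": supersedes,
        }
        data = _canonical(body)
        self.entries.append({
            "body": body,
            "digest": hashlib.sha256(data).hexdigest(),
            "signature": _sign(signer, data),
        })
        return body["seq"]

    def sign_entry(self, signer, work, when=None):
        return self._append(signer, work, None, when)

    def correct(self, seq, signer, work, when=None):
        """5.4: add a new signed, dated entry that references the one it voids."""
        if not 0 <= seq < len(self.entries):
            raise IndexError("no such entry")
        if self.superseded_by(seq) is not None:
            raise ValueError("entry already superseded; correct the newer entry")
        return self._append(signer, work, seq, when)

    def superseded_by(self, seq):
        """Return the seq of the entry that voids `seq`, or None if it is current."""
        for entry in self.entries:
            if entry["body"]["supersedes"] == seq:
                return entry["body"]["seq"]
        return None

    def current(self):
        return [e for e in self.entries if self.superseded_by(e["body"]["seq"]) is None]

    def verify(self):
        """Return the seq numbers of entries whose chain, digest or signature fails."""
        bad, prev = [], GENESIS
        for i, entry in enumerate(self.entries):
            body, data = entry["body"], _canonical(entry["body"])
            ok = (
                body["seq"] == i
                and body["prev"] == prev
                and hashlib.sha256(data).hexdigest() == entry["digest"]
                and hmac.compare_digest(_sign(body["signer"], data), entry["signature"])
            )
            if not ok:
                bad.append(i)
            prev = entry["digest"]
        return bad


if __name__ == "__main__":
    log = RecordLog()
    # Constructed sample work descriptions and timestamps.
    first = log.sign_entry("LIC-0001", "Wheel replaced, torque 25 Nm", "2017-11-01T10:00:00+00:00")
    fixed = log.correct(first, "LIC-0002", "Wheel replaced, torque 30 Nm", "2017-11-01T11:30:00+00:00")
    print("entry", first, "superseded by", log.superseded_by(first))
    print("failed checks before tampering:", log.verify())
    log.entries[first]["body"]["work"] = "Wheel replaced, torque 30 Nm"  # silent edit
    print("failed checks after tampering:", log.verify())
```

Because the voided state is derived from the later entry rather than written into the original, the original stays byte-for-byte unchanged and still verifies.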
6. Archiving and transferability
6.1 In addition to physical safety of the archives, specific procedures for archiving electronically signed documents should be established. A means of safely archiving electronically signed documents should be part of any electronic signature computer software. This will provide for and adequately support the retention, access and future authentication of EAMR.
6.2 Procedures should be established to ensure that all EAMR representing aircraft maintenance records referred to in Chapter 6 of Part IV of this manual would be made available at aircraft transfer and should support the Export Certificate of Airworthiness. These procedures should also detail any electronic transfer specifics if applicable in order to visualise and process the data.