RTCA Documents for Review: DO-356A
© RTCA, 2018
lower have external untrusted services connectivity and have connectivity to
Major or higher assets.
TYPE DESIGN CHANGES AND STC CONSIDERATIONS
The Supplemental Type Certificate (STC) applicant can find the applicable aircraft
certification basis in the TCDS (Type‐Certificate Data Sheet). TCDS are publicly
available on aviation authority web sites.
Every change to the Type Design (post‐TC modification), whether or not initiated by an
STC, must comply with the applicable certification basis described in the relevant TCDS
or through other means, e.g., relevant installation manual, maintenance manual, or AFMS.
If security considerations are part of the certification basis (e.g., through a new security
paragraph to be incorporated in EASA CS‐25 / 14 CFR Part 25 or a Security Special
Condition), then the STC applicant must produce evidence that the security level of the
aircraft is not compromised.
This principle excludes any security demonstration during the STC approval process on
a legacy aircraft for which security is not part of its certification basis, except if the
Authority levies a CRI or IP, or special conditions (e.g., FAA Policy Statement
PS-AIR-21.16-02, FAA AC 120-76 or EASA AMC 20-25 for EFB).
Prior to every modification to the type cert basis, the applicant must determine that the
interrelationships between this modification and any other previous modifications
and/or technical adaptations will not introduce any adverse effect upon the security and
airworthiness of the product. The type cert basis may be an original TC plus one or
more other STCs.
If by this analysis it is determined that the change does not impact any existing systems
or interfaces, the scope of the classification of the change to type design can be limited
to the modified or newly installed components. Otherwise, the impact to the interfacing
systems needs to also be considered, and the classification of the change to type design
must also consider those interfacing systems.
The following cases should be considered:
1. The STC applicant justifies that the system/function is completely isolated from
the aircraft systems within the security perimeter (no dataflow) or only able to
receive data from the aircraft systems within the security perimeter (unidirectional
dataflow) and cannot interfere with aircraft systems within the security perimeter.
2. The STC applicant justifies that the change remains outside the security
perimeter already certified by the TC holder with unchanged logical and physical
interface. Examples include adding connectivity or other passenger systems
outside the security perimeter.
3. If not covered by 1) or 2), e.g., the STC applicant installs or modifies a
system/function which is able to send data to the aircraft system, or changes the
aircraft systems interfaces (logical or physical), or creates a new access point
(e.g., new or increased connectivity, new Field Loadable Software (FLS)
a. On a case‐by‐case basis, the STC applicant obtains a data package from
the OEM or an involvement of the OEM through a specific arrangement.
Based on this data package or outcomes of the OEM involvement, the STC
applicant should provide evidence using an acceptable process compatible
with the existing type cert basis (such as those processes described in
ED‐202A / DO‐326A) that the aircraft security level is or remains acceptable
when embodying the STC change.
b. Without OEM (TC holder) involvement or without OEM data, the STC
applicant justifies that the aircraft systems are protected (including from
threats propagation) via a security risk assessment to be approved by the
relevant airworthiness authority. The security risk assessment should be
completed using acceptable processes and methods compatible with the
existing type cert basis (such as those processes in ED‐202A / DO‐326A).
Additional information for the comparability of risk assessments can be
found in ED‐201.