Protecting MRO Data Exchange

Maintenance organizations exchange information via paper, electronic messaging or some combination of the two. Electronic exchanges can be fully automated (often broadly designated as electronic data interchange, or EDI) or conducted through other interfaces. Whatever the medium, it is necessary to protect the data, ensuring that only authorized employees are permitted to access and change it.

Some organizations prefer paper. They may be reluctant to switch to some electronic means of communicating documents because of the cost and difficulty of implementation or simply because of inertia—why change something that works?

Paper has drawbacks, to be sure. It deteriorates over time, so that at some point it is no longer useful as a work record. And written signatures are often illegible scrawls. What’s more, paper records can be time-consuming and expensive to compile and track over long periods of time.

But shifting to an electronic system for keeping and transferring important compliance and logistics documents raises new concerns. Everyone thinks of hacking, but civilian MROs’ security concerns are typically of a different order. MROs are repositories of aviation safety data and they must prove to their customers and the regulators that they have performed each repair, overhaul, and modification safely and correctly and that they have documented each task in the required manner. So their information security regime would stress the integrity and availability of the data through mechanisms such as passwords, biometrics, electronic signatures, or full digital signatures. They may also encrypt data for confidentiality. Since no particular method of electronic document exchange or security technology has been mandated, however, the choice is essentially a business decision.

Security Technologies
Full digital signatures can provide a robust method of message authentication that allows electronic documents to be “signed” by a known user and provides confidence that the information has not been tampered with. The FAA has endorsed the use of this technology, and the Air Transport Association (ATA) e-Business organization, under the aegis of the trade group Airlines for America (A4A), has developed standards for automated transactions that include the technology. Some providers of software and services also say they can support full digital signatures if their customers require it.

But because of the expense of implementing full digital signatures, a common alternative technology known as electronic signatures is more widely used in the aviation maintenance world. It might involve the use of a day/time stamp and the entry of an employee identification number to link an employee to a document. Maintenance organizations also can encrypt the data in transit. Many enterprise resource planning (ERP) systems provide encryption among their security options.
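
To make the difference between the two signature types concrete, the following added example (not from the article, the ATA standards or any ERP product) attaches both an ID-and-timestamp stamp and a digital signature to a constructed release record, then alters one field. It assumes a demo-only RSA key and unpadded textbook RSA built from the Python standard library, where a production system would use a vetted library with a padded scheme; the record fields, employee ID and function names are hypothetical.

```python
import hashlib
import json

# Demo-only RSA key built from two well-known Mersenne primes (constructed for
# this example; never use such a key or unpadded RSA in production).
P, Q = 2**521 - 1, 2**607 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent, held only by the signer

def canonical(record):
    """Serialize deterministically so signer and verifier hash identical bytes."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()

def digest_int(record):
    return int.from_bytes(hashlib.sha256(canonical(record)).digest(), "big")

def e_stamp(employee_id, timestamp):
    """Electronic signature: an employee ID and a day/time stamp linked to the record."""
    return {"employee_id": employee_id, "timestamp": timestamp}

def e_stamp_accepts(record, stamp):
    # Nothing in the stamp depends on the record's content, so a checker can
    # only confirm the stamp is present, not that the record is unchanged.
    return bool(stamp.get("employee_id")) and bool(stamp.get("timestamp"))

def sign(record):
    """Digital signature: the record's SHA-256 digest raised to the private exponent."""
    return pow(digest_int(record), D, N)

def verify(record, signature):
    """Anyone holding the public key (N, E) can check signer and content together."""
    return pow(signature, E, N) == digest_int(record)

def demo():
    # Constructed sample record, not a real form layout.
    record = {"form": "release-to-service", "part_no": "PN-EXAMPLE-001",
              "serial": "SN-0042", "work": "overhauled"}
    stamp = e_stamp("EMP-1234", "2024-01-15T09:30:00Z")
    signature = sign(record)
    tampered = dict(record, serial="SN-0099")  # one field altered after signing
    return {"stamp_original": e_stamp_accepts(record, stamp),
            "stamp_tampered": e_stamp_accepts(tampered, stamp),
            "signature_original": verify(record, signature),
            "signature_tampered": verify(tampered, signature)}

if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The stamp is accepted for both versions of the record, while the digital signature verifies only for the version that was actually signed.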

Adoption of full digital signature technology is lagging in the airline industry because there is no FAA mandate for such security, says Peter White, manager for supply chain technologies with consultant Capgemini and a former chairman of the ATA e-Business program. And the airframers have been more concerned about protecting the integrity of information in aircraft systems, he says, so there has been less of a focus on securing the exchange of maintenance data between ground-based systems. Companies also have been more concerned with securing data at rest in a database than with data in transit in many cases, he says.

Electronic Release-to-Service Forms: Digital Signatures or Not?
FAA Order 8130.21 addresses the use of electronic release-to-service forms. It recommends that organizations choosing the ATA Chapter 16 standards for automated exchange of return-to-service forms use full digital signature technology.
