Cyberfit to Fly: Managing Airborne Software

Airborne software, one of the critical domains within the Aircraft Information Security Ecosystem, consists of data or code that defines controls or is used by aircraft systems to perform specific functions. When updating software, the operator must carefully consider all potential impacts any change could have on the aircraft’s operation and safety. This discussion focuses specifically on airborne software that can affect aircraft safety, excluding non-safety-related applications.

Airborne software can be categorized based on its execution and management within the aircraft system:

• Aircraft Controlled Software (ACS) or Field Loadable Software (FLS): Software that can be updated or loaded during maintenance without removing equipment from the aircraft. It is executed and controlled by onboard systems and commonly updated as part of routine maintenance operations.

• Hardware Controlled Software: Software embedded within hardware components whose configuration is tied to the hardware part number. It is updated or modified only in specialized workshops or following component replacement.

• Firmware: A specialized type of software embedded in hardware that defines or configures the behavior of electronic components, such as Field Programmable Gate Arrays (FPGAs). Firmware operates at the hardware logic level rather than being executed by a traditional processor.

Understanding these categories is essential for applying appropriate lifecycle management and security controls tailored to each software type.

Airborne software is also classified by authority over its modification:

• Supplier Controlled Software (SCS): Developed and managed by the TC/STC holder or software developer, with changes requiring certification authority approval. Operators cannot modify this software independently.

• User Certifiable Software (UCS): Can be developed or modified by the operator but requires approval by the relevant airworthiness certification authority. This category typically applies to specialized or mission-specific software.

• User Modifiable Software (UMS): Can be developed or modified by the aircraft operator without review by the certification authorities, airframe manufacturer, or equipment vendor. Tools are usually provided so modifications can occur only within defined boundaries.

As the industry transitions from media-based to electronic software distribution, robust security practices are essential to protect software authenticity and integrity throughout its lifecycle. Traditionally, software updates were delivered using physical media such as magnetic disks, optical disks, or flash drives. Security during this media-based distribution depended heavily on strict physical controls, trusted personnel, secure environments, clear labeling, and careful packaging to prevent tampering or loss.

Today, cryptographic methods are increasingly used to authenticate the software origin and verify integrity before installation. This ensures that even if physical controls are bypassed, unauthorized or corrupted software cannot be introduced. The industry is increasingly adopting Electronic Distribution of Software (EDS), which transmits software without physical media using wired or wireless connections. Digital signatures ensure authenticity: the sender signs the software package with a private key, and the recipient verifies it with the corresponding public key.

Maintaining the confidentiality, integrity, and authenticity of airborne software throughout its reception, creation, modification, storage, and distribution, whether physically or electronically, is critical to ensuring continuing airworthiness.

Aircraft Software Configuration

When updating software, operators must consider all potential impacts. Some changes may alter the human-machine interface and require crew training or manual updates, while others may be invisible but still affect hardware part numbers or operational approvals. Even changes that do not affect the interface require strict configuration management, just like physical parts.

Software configurations often depend on the aircraft’s specific setup or serial number, so different aircraft of the same model may require different software versions. As discussed, aircraft use various software types. Some require authority certification, while others are convenience items, such as in-flight entertainment systems. Software that changes aircraft configuration must be approved under Part-21.

Most avionics software is Loadable Software Aircraft Parts (LSAPs), considered part of the approved design and identified by unique part numbers. Any code change changes this part number. LSAPs require the same configuration control and release certificates as physical parts, and their installation must be documented. Aircraft configuration management ensures that the aircraft and its installed components align with the approved design, maintenance programs, regulations, and leasing or warranty conditions. When referring to LSAPs, this involves recording, evaluating, approving, and coordinating all changes after establishing baselines. LSAPs must be serviceable, conform to design specifications, and be eligible for installation.

Software that is not part of the certified aircraft configuration (non-LSAP), commonly used for navigation, flight planning, or terrain awareness, may be updated without formal modification approval but still requires rigorous configuration control. The approved software configuration is defined by official manuals and documents from the design organization and may vary by operator and aircraft eligibility. Operators establish an authorized software configuration by reviewing applicability, eligibility, reliability, compliance, and other technical communications.

Operators and CAMOs must assess and formally record decisions on software updates, maintaining the authorized configuration at all times. When LRUs are sent for repair, documentation must specify the required software configuration to avoid unintended updates incompatible with the operator’s fleet. Installation verification ensures the correct software version is loaded and properly installed. Authorized configuration documents should be accessible to relevant staff and typically include component codes, part numbers, software versions, media part numbers, and installation instructions.

Computerized maintenance systems help track software part numbers, though some older systems may have limitations and should alert users if a software part is incompatible with an LRU.

Conclusion

Airborne software is a critical component of the Aircraft Information Security Ecosystem. Understanding its types, authority levels, and proper configuration management ensures continuing airworthiness. As software distribution moves from physical media to electronic methods, robust security practices, like cryptographic verification and rigorous configuration control, are essential to protect aircraft operations.

Ready to deepen your expertise?

Join our Information Security for Continuing Airworthiness course and master how to manage the entire aircraft information security ecosystem — from regulatory requirements to operational protection measures.