Electronic Documents - Are Invading the Aerospace Industry and are more trustworthy than Paper Documents
(Part two of a two-part article on electronic forms – this article discusses the technology used in implementing, creating, receiving and managing eForms, specifically electronic FAA Form 8130-3s from a non-technical perspective.)
To recap the first part of this two-part article that ran in the May/June 2011 issue of D.O.M.: eForms are better than paper documents. They are verifiable, tamper-resistant and much more trustworthy. You can actually use data eForm data, as opposed to information which is essentially trapped on a static paper form, stuffed in a drawer, in a far-off room containing hundreds of filing cabinets or thousands of archived boxes. (Your applications and databases can make use of it for other purposes, such as trending, reporting, analysis and basically unlocking elements of information contained in each block of a form, including the comments.) Scanning paper forms into PDF files results in electronic paper, which may be better than paper alone but does not approach the value of a true eForm (since you cannot really capture the text contained in a PDF to be usable by most applications).
We introduced the concept of digital identities and signatures in the last article, as well as the concept of how this information is organized and transmitted via extensible markup language (XML) documents. The remainder of this article will concentrate on providing a rather nontechnical overview of these concepts, so you will be able to guide your IT staff (or vendors) better in either defining or procuring a solution for moving from paper 8130-3s to their eForm equivalents.
How Regulatory Requirements and Technical Standards Come Together
It is important to note that that the process of using an eForm is essentially the same as the paper form, albeit with a few extra caveats and rules, so the paper process is a subset of the electronic process. As the diagram below illustrates, three sets of guidelines come together to define the use of electronic documents for this particular use:
Each of the three sets of input below provides input to complete the framework needed to create a compliant e8130-3:
1. FAA: provides the regulatory procedures for defining data content within the form and how it is to be used
2. Air Transport Association (ATA): provides industry-specific guidelines on how the data format is structured and defined (adhering to rules specified by the FAA)
3. World Wide Web Consortium (W3C): provides generic guidelines on XML and PKI by which all industries tailor the ‘superset’ of rules to their specific industry needs.
As readers of this magazine, you are no doubt well acquainted with how FAA guidance and procedures are part of the industry, so we lets delve into other parts of this.
What is a Data Record? What Do I Need to Know About It?
The ATA industry team, in coordination with the FAA, has already done a lot of the heavy lifting to define the rules and make them happen on this. Besides defining all of the key rules in how electronic 8130-3 forms are handled and managed, one of the most important aspects of their efforts was defining the data structure of the information so that software developers can design applications to meet this challenge. Shown below is a generic example of a XML excerpt:
XML was designed so that can be read and understood easily. This type of data structure uses a globally-accepted general purpose set of W3C standards that the ATA refine for aviation industry use. XML is an outgrowth of HTML (used to display web pages) and SGML (used to display documents) and is used in transferring data between applications and Web sites. XML is quite readable and anyone can decipher the information contained within a typical XML message quickly and match it with a printed FAA 8130-3 form, as illustrated below:
The top part of the illustration is an excerpt from a XML file, with a FAA 8130-3 paper form shown in the middle, and the cognizant ATA Spec 2000 section that defines this shown on the bottom. A software developer can use the ATA specification as a map to guide development of a solution to handle or create e8130-3s (and Teardown Report and C of Cs). As you can see, the mapping between each of these is easily readable.
Why Do I Need to Know About This?
Why is this important to someone who needs to manage airworthiness forms? While most personnel who handle aircraft parts, repair process and parts management may not ever need to be concerned with such details, it is important to demand that your software solutions providers adhere to the proper industry solutions for applications you may consider to handle eForms. Once you have an understanding of how the underlying technology works, you are more likely accept its use (and stop killing trees by using paper forms).
Many vendors will look to provide generic electronic record solutions which will NOT meet the needs of most aviation companies, so understanding what XML is and why you need to require the use of industry-compliant solutions will make you a better customer of such services. XML is the key mechanism to transferring such data with all of your trading partners properly. This should provide you with enough background on how such eForm data is defined, help you appreciate why digital data can be extracted from documents you receive from customers or suppliers, and be useful to your organization since other applications can now extract this for use elsewhere.
Securing Your Documents (and your Digital Identity)
The next issue to be aware of is the digital identities based upon public key infrastructure (PKI) technology that secure these XML-based eForms. PKI is used globally in online transactions. (Like that little ‘lock’ that shows up in the lower-left side of your browser when you are on an eCommerce or financial Web site — that uses a form of PKI to encrypt your session and protect it from prying eyes). A PKI provider assigns a unique ‘digital certificate’ to a person or an organization to establish their unique digital identity. These PKI solution providers conform to global standards for issuing these certificates. They maintain the integrity of these credentials by requiring their customers meet certain criteria to establish their identity prior to certificate issues.
Below are some common reasons for the use of digital identities to create unique digital signatures to eForms:
Authentication: Electronic documents with digital signatures applied to them can have the source of the document authenticated. When ownership of a digital signature secret key is bound to a specific user, a valid signature shows that user sent the message. This removes any doubt as to the originator of the document and essentially eliminates forged documents.
Integrity: If a document is signed digitally, any change to the document after it has been signed will invalidate the signature. There is no feasible way to modify a document and its digital signature to create an altered document with a valid signature that matches the previous one.
Non-repudiation: This is a key aspect of digital signatures, in that an entity that has signed a document cannot deny having signed it at a later time.
It is important to know the key points to make use of this properly.
1. Digital certificate: A unique digital identification that a trusted third party assigns to an individual or organization. There are two key components of this:
a. Private key: This is a unique key assigned to you and is used to create digital signatures that only you can originate. (No one else has this key, so only you could have signed a message or a document.)
b. Public key: You or your PKI solution provider (or certification authority) distribute this publicly, so there can be many copies. Recipients of your digitally signed messages/documents use this to verify the authenticity of a digital signature that you had made in order to ensure that it came from you (using your private key).
2. Digital signature: The owner of a digital certificate uses this to “sign” electronic files digitally. A digital signature is an encrypted string of data based on a complex mathematical algorithm.
The diagram below illustrates a generic process of signing a document/file/eForm digitally. The next diagram illustrates someone who validates this signed document:
The flow of the illustrated processes demonstrates how a software application will use someone’s unique private digital certificate (key) to lock a document by creating a digital signature. PKI-enabled software will use an algorithm with the date, time, file and the signer’s digital identity (key), to lock the document. On the receiving end, it will validate a signed document.
Software applications handle almost all of the heavy lifting here, but you need to be aware of what it means to not only digitally sign an eForm, but to receive one properly as well.
Most aircraft maintenance staff will never have to write software code, but new information technologies will continue to change our jobs. The advent of smarter and more wide-ranging applications, combined with the need to come to grips with how modern aircraft, engines and avionics will transfer ever-increasing amounts of data bi-directionally, will affect how we handle this data. New commercial and business aircraft will require the use of digitally-signed data sets and paperwork more (so someone can trace who handles what data and when), and the data formats are using XML-defined files (with PKI-based digital signatures) increasingly.
Aircraft and associated ground systems are moving away from closed systems with proprietary data formats, toward a more open, standards-based means of data sharing. There are many positives from such a move, but it requires an evolution in how aircraft and support systems are managed, interfaced with and secured. The better you understand this, the better you will handle this evolution of the industry, and be part of the future of it.
John Pawlicki is CEO and principal of OPM Research, as well as currently working with Virtual Security International (VSI), where he consults to the DOT’s Volpe Center, handling various technology and cyber security projects. He managed and deployed various products over the years, including the launch of CertiPath (with world’s first commercial PKI bridge). John has also been part of industry efforts at the ATA and other related groups, notably involved in the effort to define and allow the use of electronic FAA 8130-3 forms. He recently completed his writing of the ‘Aerospace Marketplaces Report,’ which analyzed third-party sites which support the trading of aircraft parts (OPMResearch.com).