SYNOPSIS OF 2007 FAA NATIONAL SOFTWARE CONFERENCE
New Orleans, Louisiana, July 24-26, 2007
By M. P. Kress, Associate Technical Fellow, Boeing Commercial Airplanes

Foreword: This year's event covered over 50 papers outlining the advancement of processes, methodologies and regulations within the FAA for airborne software. In addition, complex electronic hardware, aeronautical databases and software security were addressed; such topics have not previously been covered in any depth. The complete proceedings are on CD and are available from the author. This synopsis summarizes some of these papers, those deemed most relevant to the certification, configuration control and conformity processes for airborne software for commercial aircraft.

Welcome and FAA Management Remarks
Susan Cabler, Assistant Manager, FAA Aircraft Engineering Division (AIR-100)

Ms. Cabler had a 14-year career with the USAF as an instructor pilot on the Lockheed C-141B, flying strategic and tactical airlift missions to more than 55 countries and during the first Persian Gulf War. She has been in her current position since January 2003 and is responsible for supporting the development, standardized application and implementation of cross-FAR-part regulations and policy regarding engineering certification processes. AIR-100 is also the Aircraft Certification Service's lead office for the introduction of new aviation and National Airspace System (CNS) technologies, such as electronic flight bag, satellite-based navigation, TCAS and datalink.

Susan opened by welcoming an overflow crowd of nearly 300 DERs, safety, system and software engineers and quality practitioners. She discussed the new ODA (Organization Designation Authorization) program and upcoming changes within the FAA. An NPRM came out January 21, 2004, leading to a phase-out of DAS, DOA, SFAR and ODAR by November 2009.
Inherently governmental functions such as establishing the certification basis, levels of safety requirements, rule-making, ADs, exemptions, special conditions, surveillance and oversight will be retained. Order 8100.15 covers the ODA program. The designations TC, PC, TSOA, STC, MRA and PMA will not change; however, the focus will be more on organizations and less on individuals. The FAA is committed to appointing existing delegated organizations by November 2009. Other applicants will be prioritized based on workload and benefit to the FAA.

Susan talked about safety management, emphasizing that it needs to be optimized and data-driven. She mentioned the importance of Quality Management Systems, notably ISO 9001-based systems, as a "very strong framework for safety management." Safety management balances cost against risk. She showed graphs depicting the cyclic behavior of safety within the "bankruptcy" and "catastrophe" regions of the graphs. She postulated that risk management is not standardized today and appealed to all to move in that direction.

Her upcoming assignments include work on the newly minted Unmanned Aircraft Program Office, which has been tasked by the Associate Administrator of Aviation Safety to develop the standards, regulations and policy to safely integrate Unmanned Aircraft Systems into the NAS.

Author Note: I informed Susan of the work of the AAQG/IAQG on AS9115, the new international software quality management system standard. I appealed to her for FAA support. She will look into it.

Policy and Guidance Status: The 5-Year Plan
Barbara Lingberg, AIR-120

Barbara Lingberg is a computer engineer in AIR-120 of the FAA's Aircraft Certification Service. She is the technical lead of the Software and Complex Electronic Hardware (CEH) Team, sponsor of the FAA's Software and Digital Systems Research Program, chair of the Certification Authorities Software Team (CAST) and Designated Federal Official to RTCA/SC-205, which is revising DO-178B.
She holds a BS in Mathematics and an MS in Software Systems Engineering from George Mason University.

Barbara provided an overview of the FAA's five-year (FY08-FY12) plan for CEH. She also presented an overview of the Software and Digital Systems (SDS) and Research, Engineering and Development (RE&D) programs. She announced that a new document is being developed for Integrated Modular Avionics (IMA), DO-297; an Advisory Circular is being developed as well. She talked briefly about AC 20-156 on Data Network Evaluation, which will govern 36 criteria in 7 categories. She mentioned the formation of SC-216 on On-Board Network Security and Integrity Assurance. A new Order 8110.CEH is in work on Complex Electronic Hardware; a comment was made from the floor that it has taken over 7 years to get this guidance out.

She further discussed the preparation of an Interim Order 8110.XX to cover a growing collection of Issue Papers on topics such as:
- Oversight of suppliers
- Problems with SPRs (Software Problem Reports) surfacing late in the program, without proper classification as to safety impact
- Aeronautical databases (AC 20-153; DO-200A)
- Software development kits
- COTS when used in Level A and B applications

Updating Order 8110.49 is not the preferred option at this time.

RTCA/SC-205 Committee to Revise DO-178B
Jim Krodel, Pratt & Whitney Jet Engines

Jim is a Fellow member of the Control Systems Verification and Validation group at Pratt & Whitney Jet Engines. He was formerly with United Technologies Research Center and has over 30 years' experience in the aviation software domain. Jim has authored several papers on real-time operating systems and integrated modular avionics. He currently chairs RTCA Special Committee 205, which is rewriting DO-178B.

Jim gave a brief overview of the topics being worked by SC-205. The main objectives of the committee are to correct known problems, make the document easier to use, and address new issues.
Among these issues are model-based development and test, object-oriented technology, formal methods, and an issues list over 200 items long. The first draft is due January 2008. A schedule of milestones was presented, culminating in the intent to deliver DO-178C by December 1, 2008. When released, it will likely include an interface spec and a series of supplements for each specialty topic. Work is also being done on the related publications DO-248 (Clarifications to DO-178B) and DO-278 (Guidance for Communication Navigation Systems/Air Traffic Management, CNS/ATM). The next near-term meetings are September 10-14 in Vienna, Austria, followed by January 14-18 in Vancouver, B.C.

EUROCAE WG-72: Aeronautical Systems Security
Dr. Daniel Johnson, Honeywell Aerospace Electronic Systems

Dr. Johnson is a Staff Research Scientist with Honeywell Aerospace Electronic Systems. He has over 20 years of experience in systems engineering design and development of reliable advanced planning, scheduling and maintenance software for industrial and avionics systems. He is currently responsible for network security design and certification oversight for the Crew Information System and Maintenance System for the Boeing 787. Daniel represents Honeywell in the EUROCAE WG-72 (Aeronautical Systems Security) activity. He is also co-chair of RTCA/SC-216 on the same topic.

The high-level objectives of WG-72 are:
1. Provide methodology and guidelines to tackle data security issues throughout the life cycle.
2. Set the standards for means of compliance.
3. Define security issues.
4. Establish links with other similarly assigned groups (ATA, ARINC SEC, RTCA; ED-79/ARP 4754 working groups; US DOT/Volpe National Transportation Systems Center, Center for Cyber Protection).

The document is planned with five modules:
1. Airworthiness/Groundworthiness
2. Risk Analysis Methodology
3. Evaluation
4. Security Control/Detection/Reaction/Recovery
5. Security Reference Model

Some of the detailed objectives are:
- Identify the information assets in the Air Transport System.
- Classify the security and safety impacts of each asset.
- Establish an asset ranking system.
- Perform asset ranking.
- Use ARINC Report 811 as a reference.

Daniel presented the targets for WG-72 for mid-2007:
02-1 To set the standards for means of compliance with regard to the forthcoming safety regulations update (where security issues overlap with safety regulations).
02-2 To provide means of compliance with regard to other existing regulations (e.g., US: CALEA; EU: ETSI) and regulations related to safety/security countermeasures (e.g., cryptography).

The Security Reference Model (module 5) is described as an aircraft-centric model with the following stakeholders: aircraft manufacturer, airline, airport, ANSP, government agencies and service providers.

The objectives of SC-216 are similar:
- To form a consensus and document guidance for a network security assurance program and acceptable means of compliance for safe, secure and efficient airspace operations.
- To provide resources and coordination for security-related issues and solutions with all RTCA special committees.
- To coordinate with other groups and organizations (e.g., ARINC NISS, ATA DSWG, SAE, ICAO), including recommendations for modifications to standards and materials.

The target for final deliverables from SC-216 is December 2009.

Tool Qualification: SC-205 Perspective
Leanna Rierson, Digital Safety Consulting

Leanna is known to most of us as the former software and aviation National Resource Specialist for the FAA. She has nearly 20 years' experience in the software and aviation industry. She has held positions at NCR and Cessna Aircraft and has served on numerous RTCA Special Committees. She has a Master's degree in software engineering from Rochester Institute of Technology and a Bachelor's degree in electrical engineering from Wichita State.
Leanna began by identifying a number of issues not handled properly by DO-178B:
- It only addresses development and verification tools.
- The criteria are difficult to apply.
- Some objectives don't make sense for tools.
- Tool reuse is difficult.
- COTS tools are difficult to qualify.
- The current criteria are oriented only toward airborne software.

Accordingly, Clause 12.2 of DO-178B is being reworked to call for five levels of tool qualification, paralleling the airborne software levels. The fifth level is equivalent to the current verification tool criteria. The new clause will look like this:
1. Introduction
2. Purpose
3. Tool qualification levels
4. Tool qualification planning process
5. Tool development processes
6. Tool verification processes
7. Tool configuration management process
8. Tool quality assurance process
9. Tool qualification liaison process
10. Tool qualification data
11. Additional considerations

Additional considerations will address multi-function tools, previously developed tools, COTS tools, tool service history, reuse of a tool's life cycle data, and changes to previously developed tools. A tool qualification document will be presented to the plenary in September 2007. The Section 12.2 rewrite will be presented in January 2008. Target completion is set for mid-2008.

Document Integration (DO-178B/DO-278 Alternatives): SC-205 Perspective
Tom Ferrell, Ferrell and Associates Consulting, Inc.

Tom has held senior technical positions at SAIC, Iridium and Boeing. Tom has been either a company or consulting DER for 17 years. He has worked a wide range of civil aircraft projects ranging from the 777 primary displays to Cessna Mustang generator controls. He has a Bachelor's degree in Electrical Engineering and a Master's degree in Information Technology. Tom is chair of SG1 within SC-205.

One of the group's objectives is to combine RTCA/DO-178B (Airborne Software), RTCA/DO-248 (Clarifications to DO-178B) and RTCA/DO-278 (CNS/ATM).
A number of annexes are planned:
- Introductory material
- Annex A: Objectives
- Annexes B and C: Domain-specific annexes
- Annex D: Acronyms and Glossary

Document usability topics include electronic publication and traceability. Terminology is being harmonized to be domain-independent, and the document will have the same look and feel as other DO documents. The group anticipates that tools and model-based development will be the first material brought forward.

A major concern is the different levels given in DO-178B and DO-278. Five variations are currently being considered, ranging from the existing tables in DO-178B to two completely independent sets of tables in domain annexes.

Another objective of this group is to scrub and consolidate:
- DO-248B
- CAST papers
- Public Issue Papers
- FAA Order 8110.49

The group is further looking into alternative formats, including an electronic version with hyperlinks; CD-ROM and web-based delivery formats are also being discussed. Although progress to date has been minimal, issue papers will still be accepted through August 13, 2007. The next plenary will be held September 10-14 in Vienna, Austria.

Best Practices in Outsourcing Airborne Software Development
Data Integrity Policy for Aeronautical Data
Brad Miller, AIR-130; Leanna Rierson; Stephen Ward

Brad Miller is an aerospace engineer with the Avionic Systems Branch, AIR-130. He is on the Navigation Systems Team and has worked projects concerning aeronautical databases, RNP vertical flight, RVSM, Electronic Flight Bags, ISO 9000 and others. He is responsible for AC 20-153, AC 20-159, AC 20-176, TSO-C165 and FAA Order 8110.55. He previously worked for General Electric and in the military as a Navy pilot. He is a graduate of Vanderbilt University and hails from Nashville, Tennessee. Leanna's bio is given earlier. Stephen Ward is a Principal Engineer in the Program Certification Support group in the Avionics Certification department at Rockwell Collins.
He has worked in software development since 1970 in both military and commercial projects. He has been a DER since 1993. He has a BA in Physics and a Master of Engineering in Systems Engineering from Iowa State University.

Leanna began by citing some of the reasons for increased outsourcing. Outsourcing allows you to:
- focus on what you do best;
- obtain expertise, skills and technology not otherwise available to you;
- increase flexibility;
- improve quality;
- reduce investment in fixed assets;
- reduce labor costs.

She pointed out that the U.S. is graduating only 75,000 engineers annually, compared with much larger numbers offshore.

If you decide to outsource, you need to decide who will be the applicant and what credit you want to take for the outsourced work. You will need to show approval criteria for your source and develop a monitoring, auditing and reporting system. You may need a liaison person to serve as translator. If you outsource, you must show compliance of your life cycle documentation. Have early discussions with your supplier. Make sure they have good plans and are following them. Be certain you complete periodic reviews and SOI audits, both on site and through data reviews. Provide training as necessary. Typical areas requiring training include:
- DO-178B
- Low-level requirements
- Robustness testing
- MC/DC testing
- Data and control coupling analysis
- Structural coverage

Some common pitfalls are:
- Believing the marketing pitches
- Unclear SOW
- Ambiguously defined roles
- Lack of detail in the plans
- Communication issues
- Lack of DER visibility/involvement
- Lack of understanding of certification

RTCA/DO-200A covers aeronautical data (navigation, terrain/obstacle, airport runway maps and others); however, prior to AC 20-153 there was no guidance for approval and control of aeronautical data. For government-supplied data, delivered through the Aeronautical Information Publication (AIP), the state government is responsible for the correctness and integrity of the data.
This includes navigation data supplied and updated every 28-day AIRAC (Aeronautical Information Regulation and Control) cycle. This data can be assumed correct without further approval. Terrain/obstacle, airport and other data not received this way must be approved.

Brad discussed three methods of approval leading to Letters of Approval (LOA). The first two involve approval of the data itself; the third addresses the processes by which the data is created or modified.
- Option 1: The data comes through Flight Standards (AFS). This option does not provide data integrity.
- Option 2: Put the data through the approved Type Design process and certification (TSO-C151b). This method is very cumbersome.
- Option 3: Verify the processes by which the data was created/modified per AC 20-153.

DO-272 addresses airport maps, while DO-276 deals with terrain. FAA Order 8110.55 deals with how to evaluate and accept the processes of aeronautical database suppliers. There will be two types of LOAs:
- Type 1: Approval of the data without demonstrating compatibility with the target system.
- Type 2: Approval including demonstration of compatibility with the target hardware.

DO-200A was created to address navigation, flight planning, terrain awareness, flight simulators and other applications. Processes that implement DO-200A are verified per AC 20-153. For other than state-provided AIP data, applicants must demonstrate throughout the data life cycle (creation, loading, updating, initiation, etc.) that the data meets the Data Quality Requirements (DQR) of the appropriate DO documents. Such data quality requirements include accuracy, precision, assurance level, format, timeliness, completeness, traceability, etc.

About the author: Mr. Kress is an Associate Technical Fellow for the Boeing Commercial Airplane Group in Seattle. He is a Senior Member of ASQ and is a past chair of ASQ's Software Division.
He is a Boeing Enterprise software process improvement facilitator and inter-divisional focal for software quality standards. He works with suppliers of aviation software to promote reliable processes for software development and maintenance. Mr. Kress holds a BSEE and CQE and CSQE certifications, and is a Registered Professional Engineer. He is an RABQSA Registered Aerospace Industry Experience Auditor and a Fellow member of ASQ. He has over 32 years' experience in military and commercial avionics systems. He has served on numerous industry advisory and regulatory groups including AIA, AEA, RTCA, FAA, ARINC, AAQG, IAQG and ISO. He is a member of the U.S. Technical Advisory Group to ISO/IEC SC7 TC176 and is the chair of AAQG Projects 19 and 60, Deliverable Software Quality System Requirements.

Michael P. Kress
Associate Technical Fellow, Boeing
michael.p.kress@boeing.com
425 717-7038