SYNOPSIS OF
2007 FAA NATIONAL SOFTWARE
CONFERENCE
New Orleans Louisiana
JUL 24 – 26, 2007
By
M. P. Kress
Associate Technical Fellow
Boeing Commercial Airplanes
Foreword:
This year’s event covered over 50 papers outlining the
advancement of processes, methodologies and regulations
within the FAA for airborne software. In addition, complex
electronic hardware, aeronautical data bases and software
security are addressed. Such topics have not been
addressed in any depth previously. The complete
proceedings are on CD and are available from the author.
This synopsis summarizes some of these papers deemed most
relevant to the certification, configuration control and
conformity processes for airborne software for commercial
aircraft.
Welcome and FAA Management Remarks
Susan Cabler
Assistant Mgr – FAA Aircraft Engineering Div
AIR-100
Ms. Cabler had a 14-year career with the USAF as an
instructor pilot for Lockheed C141B, flying strategic and
tactical airlift missions to more than 55 countries and during
the first Persian Gulf War. She has been in her current
position since January 2003 and is responsible for
supporting the development, standardized application and
implementation of cross-FAR-part regulations and policy
regarding engineering certification processes. AIR-100 is
also the Aircraft Certification Services lead office for the
introduction of new aviation and National Airspace System
(CNS) technologies, such as electronic flight bag, satellite-based navigation, TCAS and datalink.
Susan opened by welcoming an overflow crowd of nearly
300 DERs, safety, system and software engineers and
quality practitioners. She discussed the new ODA
(Organization Designation Authorization) program and
upcoming changes within the FAA. An NPRM came out
Jan 21, 04 leading to a phase-out of DAS, DOA, SFAR, and
ODAR by November 2009. Inherently governmental
functions such as establishing the cert basis, levels of safety
requirements, rule-making, AD’s, exemptions, special
conditions, surveillance and oversight will be retained.
Order 8100.15 covers the ODA program. The designations
TC, PC, TSOA, STC, MRA, and PMA will not change;
however, the focus will be more on organizations and less on
individuals. The FAA is committed to appointing existing
delegated organizations by Nov 09. Other applicants will be
prioritized based on workload and benefit to the FAA.
Susan talked about Safety Management, emphasizing that it
needs to be optimized and data-driven. She mentioned the
importance of Quality Management Systems, notably the
ISO 9001 based systems as a “very strong framework for
safety management.” Safety management balances cost vs.
risk. She showed graphs illustrating the cyclic behavior of
safety within the “bankruptcy” and “catastrophe” regions of
the graphs. She postulated that risk management is not
standardized today and appealed to all to move in that
direction. Her upcoming assignments include work on the
newly-minted Unmanned Aircraft Program Office which
has been tasked by the Associate Administrator of Aviation
Safety to develop the standards, regulations, and policy to
safely integrate Unmanned Aircraft Systems into the NAS.
Author Note: I informed Susan of the work of the
AAQG/IAQG on AS9115, the new International software
quality management system standard. I appealed to her for
FAA support. She will look into it.
Policy and Guidance Status – The 5-Year Plan
Barbara Lingberg
AIR 120
Barbara Lingberg is a computer engineer in AIR-120 of the
FAA’s Aircraft Certification Service. She is the technical
lead of the Software and Complex Electronic Hardware
(CEH) Team, sponsor of the FAA’s Software and Digital
Systems Research Program, chair of the Certification
Authorities Software Team (CAST) and Designated Federal
Official to RTCA/SC-205 that is revising DO-178B. She
holds a BS in Mathematics and MS in Software Systems
Engineering from George Mason University.
Barbara provided an overview of the FAA’s 5-year (FY08-FY12) plan for CEH. She also presented an overview of the
Software and Digital Systems (SDS) and Research
Engineering and Development (RE&D) programs. She
announced that a new document is being developed for
Integrated Modular Avionics (IMA) – DO-297. An advisory
Circular is being developed as well. She talked briefly
about AC 20-156 on Data Network Evaluation which will
govern 36 criteria in 7 categories. She mentioned the
formation of SC-216 on On-Board Network Security &
Integrity Assurance. A new Order 8110.CEH is in work on
Complex Electronic Hardware. A comment was made from
the floor that it has taken over 7 years to get this guidance
out. She further discussed the preparation of an Interim
Order 8110.XX to cover a growing collection of Issue
Papers on topics such as:
Oversight of suppliers,
Problems with SPRs (Software Problem Reports)
surfacing late in the program, without proper
classification as to safety impact,
Aeronautical databases, AC 20-153; DO-200A,
Software development kits,
COTS when used in Level A and B applications.
Updating of 8110.49 is not the preferred option at this time.
RTCA/SC-205 Committee to revise DO-178B
Jim Krodel
Pratt Whitney – Jet Engines
Jim is a Fellow member of the Control Systems Verification
and Validation group at Pratt Whitney Jet Engines. He was
formerly with United Technologies Research Center and has
over 30 years’ experience in the aviation software domain.
Jim has authored several papers on real time operating
systems and integrated modular avionics. He currently is
the chair of RTCA/DO Special Committee 205 rewriting
DO-178B.
Jim gave a brief overview of the topics being worked by
SC205. The main objectives of the committee are to correct
known problems and make the document easier to use, and
to address new issues. Among these issues are model-based development and test, object-oriented technology, Formal
Methods, and an Issues list over 200 items long. The first
draft is due Jan 2008. A schedule of milestones was
presented culminating with the intent to deliver 178C by
December 1, 2008. When released, it will likely include an
interface spec and a series of supplements for each specialty
topic. Work is also being done on related publications DO-248, Clarifications to 178B, and DO-278, Guidance for
Communication Navigation Systems/Air Traffic
Management (CNS/ATM). The next near term meetings are
Sept 10-14 in Vienna, Austria followed by Jan 14-18 in
Vancouver B.C.
EUROCAE – WG-72 Aeronautical Systems Security
Dr. Daniel Johnson
Honeywell Aerospace Electronic Systems
Dr. Johnson is a Staff Research Scientist with Honeywell
Aerospace Electronic Systems. He has over 20 years of
experience in systems engineering design and development
of reliable advanced planning, scheduling, and maintenance
software for industrial and avionics systems. He is currently
responsible for network security design and certification
oversight for the Crew Information System and Maintenance
System for the Boeing 787. Daniel represents Honeywell in
the EUROCAE WG-72 (Aeronautical Systems Security)
activity. He is also co-chair of RTCA/SC-216 on the same
topic.
The high level objectives of WG-72 are
1. Provide methodology and guidelines to tackle data
security issues throughout the life cycle.
2. Set the standards for Means of Compliance
3. Define Security Issues
4. Establish links with other similarly assigned groups –
(ATA, ARINC SEC, RTCA; ED-79/ARP 4754 working
groups; US DOT/Volpe National Transportation System
Center- Center for Cyber Protection)
The document is planned with 5 Modules:
1. Airworthiness/Groundworthiness
2. Risk Analysis Methodology
3. Evaluation
4. Security Control/Detection/Reaction/Recovery
5. Security Reference Model
Some of the detailed objectives are:
Identify the information assets in the Air Transport System
Classify security and safety impacts of each asset.
Establish asset ranking system
Perform asset ranking
Use ARINC report 811 as a reference.
Daniel presented the targets for WG-72 for mid 2007.
02-1 To set the standards for means of compliance with
regard to forthcoming Safety regulations update (when
security issues overlap with safety regulations.)
02-2 To provide means of compliance with regard to other
existing regulations (e.g., US: CALEA, EU, ETSI)
Regulations related to safety/security countermeasures (e.g.
cryptography.)
The Security Reference Model (module 5) is described as an
aircraft-centric model with the following stakeholders:
aircraft manufacturer, airline, airport, ANSP, Gov’t
agencies; service providers.
The objectives of SC-216 are similar:
To form a consensus and document guidance for a network
security assurance program and acceptable means of
compliance for safe, secure and efficient airspace operations.
To provide resources and coordination for security related
issues and solutions with all RTCA special committees.
To coordinate with other groups and organizations (e.g.,
ARINC NISS, ATA DSWG, SAE, ICAO) including
recommendations for modifications to standards and
materials. The target for final deliverables from SC-216 is
December 2009.
Tool Qualification SC-205 Perspective
Leanna Rierson
Digital Safety Consulting
Leanna is known to most of us as the former software and
aviation National Resource Specialist for the FAA. She has
nearly 20 years’ experience in the software and aviation
industry. She has held positions at NCR and Cessna Aircraft
and has served on numerous Special Committees of RTCA.
She has a Masters degree in software engineering from
Rochester Institute of Technology and a Bachelor’s degree
in electrical engineering from Wichita State.
Leanna began by identifying a number of issues not handled
properly by 178B:
Only addresses development and verification tools.
Criteria difficult to apply
Some objectives don’t make sense for tools
Tool reuse is difficult
Difficult to qualify COTS tools
Current criteria only oriented toward airborne software.
Accordingly, Clause 12.2 of 178B is being reworked to call
for five levels of tool qualification to parallel the airborne
levels. The fifth level is equivalent to the current
verification tool criteria. The new clause will look like this:
1. Introduction
2. Purpose
3. Tool qualification levels
4. Tool qualification planning process
5. Tool development processes
6. Tool verification processes
7. Tool configuration management process
8. Tool quality assurance process
9. Tool qualification liaison process
10. Tool qualification data
11. Additional considerations.
Additional considerations will address multi-function tools,
previously developed tools, COTS tools, tool service history,
reuse of tool’s life cycle data, and changes to previously
developed tools.
A tool qualification document will be presented to the
plenary in Sept 2007. Section 12.2 rewrite will be presented
in January 2008. Target completion is set for mid 2008
Document Integration (DO-178B/DO-278 Alternatives)
SC205 Perspective.
Tom Ferrell
Ferrell and Associates, Consulting Inc.
Tom has held senior technical positions at SAIC, Iridium
and Boeing. Tom has been either a company or consulting
DER for 17 years. He has worked a wide range of civil
aircraft projects ranging from the 777 primary displays to
Cessna Mustang generator controls. He has a Bachelor’s
Degree in Electrical Engineering and a Masters degree in
Information Technology.
Tom is chair of SG1 within SC205. One of the objectives is
to combine RTCA/DO-178B (Airborne Software),
RTCA/DO-248 (Clarifications to 178B), and RTCA/DO-278
(CNS/ATM). A number of Annexes are planned:
Introductory Material
Annex A - Objectives
Annex B&C - Domain specific annexes
Annex D – Acronyms and Glossary
Document Usability – Electronic Publication
Traceability
Terminology is being harmonized to be domain independent.
Document will have the same look and feel as other DO’s.
The group anticipates that tools and model-based
development will be the first material brought forward. A
major concern item is the different levels given in 178B and
278. Five variations are currently being considered ranging
from the existing tables in 178B to two completely
independent sets of tables in domain annexes.
Another objective of this group is to scrub/consolidate
DO-248B
CAST Papers
Public Issue Papers
FAA Order 8110.49
The group is further looking into alternative formats
including an electronic version with hyperlinks. CD-ROM and web-based delivery formats are also being discussed.
Although the progress to date has been minimal, Issue
papers will still be accepted through August 13, 2007. The
next plenary will be held Sept 10-14 in Vienna, Austria.
Best Practices in Outsourcing Airborne Software
Development
Data Integrity Policy for Aeronautical Data
Brad Miller AIR-130
Leanna Rierson and Stephen Ward.
Brad Miller is an aerospace engineer with the Avionic
Systems Branch, AIR-130. He is on the Navigation Systems
Team and worked projects concerning Aeronautical data
bases, RNP Vertical Flight, RVSM, Electronic Flight Bags,
ISO 9000 and others. He is responsible for AC-20-153, AC
20-159, AC20-176, TSO-C165 and FAA Order 8110.55. He
has previously worked for General Electric and in the
military as a Navy pilot. He is a graduate of Vanderbilt
University and hails from Nashville Tennessee.
Leanna’s bio is given earlier. Stephen Ward is a Principal
Engineer in the Program Certification Support group in the
Avionics Certification department at Rockwell Collins. He
has worked in software development since 1970 in both
military and commercial projects. He has been a DER since
1993. He has a BA in Physics and a Master of Engineering in
Systems Engineering from Iowa State University.
Leanna began by citing some of the reasons for increased
outsourcing. Outsourcing allows you to:
Focus on what you do best.
Obtain expertise, skills and technology not otherwise
available to you.
Increase flexibility.
Improve quality.
Reduce investment in fixed assets.
Reduce labor costs.
She pointed out that the U.S. is graduating only 75,000
engineers annually compared with much larger numbers
offshore. If you decide to outsource, you need to decide who
will be the applicant and what credit you want to take for
outsourced work. You will need to show approval criteria
for your source and develop a monitoring, auditing and
reporting system. You may need a liaison person to serve as
translator. If you outsource, you must show compliance of
your life cycle documentation.
Have early discussions with your supplier. Make sure they
have good plans and are following them. Be certain you
complete periodic reviews, and SOI audits both on site and
through data reviews. Provide training as necessary.
Typical areas requiring training include:
DO-178B
Low level requirements
Robustness testing
MCDC testing
Data and control coupling analysis
Structural coverage
Some common pitfalls are:
Believing the marketing pitches
SOW unclear
Roles ambiguously defined
Lack of detail in the plans
Communication issues
Lack of DER visibility/involvement.
Lack of understanding certification
RTCA/DO-200A covers aeronautical data (navigation,
terrain and obstacle, airport runway maps and others); however,
prior to AC 20-153 there was no guidance for approval and
control of aeronautical data. For government-supplied data,
supplied through the Aeronautical Information Publication
(AIP), the state government is responsible for the
correctness and integrity of the data. This includes
navigation data supplied and updated every 28-day AIRAC
(Aeronautical Information Regulation and Control) cycle.
This data can be assumed correct without further approval.
Terrain/obstacle, airport and other data not received this
way must be approved.
Brad discussed three methods of approval leading to Letters
of Approval (LOA). The first two involve the approval of
the data itself; the third addresses the processes by which the
data is created or modified.
Option 1 – The data comes through Flight Standards (AFS).
This option does not provide data integrity.
Option 2 – Put the data through the approved Type Design
process and Certification (TSO C-151b). This method is
very cumbersome.
Option 3 – Verify the processes by which the data was
created/modified per AC 20-153.
DO-272 addresses Airport Maps while DO-276 deals with
terrain. FAA Order 8110.55 deals with how to evaluate and
accept processes for aeronautical database suppliers.
There will be two types of LOAs:
Type 1 – Approval of the data without demonstrating
compatibility with the target system.
Type 2 – Approval including demonstration of compatibility
with the target hardware.
DO-200A was created to address navigation, flight planning,
terrain awareness, flight simulators and other applications.
Processes that implement DO-200A are verified
per AC 20-153. For other than state-provided AIP data,
applicants must demonstrate throughout the data life cycle
(creation, loading, updating, initiation, etc.) that the data
meets the Data Quality Requirements (DQR) of the
appropriate DOs. Such data quality requirements include
accuracy, precision, assurance level, format, timeliness,
completeness, traceability, etc.
About the author:
Mr. Kress is an Associate Technical Fellow for the Boeing
Commercial Airplane Group in Seattle. He is a Senior
Member of ASQ and is a past chair of ASQ’s Software
Division. He is a Boeing Enterprise software process
improvement facilitator and inter-divisional focal for
software quality standards. He works with suppliers of
aviation software to promote reliable processes for software
development and maintenance. Mr. Kress holds a BSEE,
and CQE, CSQE certifications and is a Registered
Professional Engineer. He is an RABQSA Registered
Aerospace Industry Experience Auditor and a Fellow
member of ASQ. He has over 32 years’ experience in
military and commercial avionics systems. He has served on
numerous industry advisory and regulatory groups including
AIA, AEA, RTCA, FAA, ARINC, AAQG, IAQG and ISO.
He is a member of the U.S. Technical Advisory Group to
ISO/IEC SC7 TC176 and is the chair of AAQG Projects 19,
and 60 - Deliverable Software Quality System
Requirements.
Michael P. Kress
Associate Technical Fellow
Boeing
michael.p.kress@boeing.com
425 717-7038