Software Management Control (5.13) for Aircraft - PDF

Summary

This document from Aviation Australia details the software management control for aircraft, covering software types, control mechanisms, and levels of software, essential for aviation professionals. The document explores various aspects of software use within aircraft like flight control systems and navigation, highlighting safety and operational considerations with a focus on aspects like data loading and electronic distribution.

Full Transcript


# Page 1

**Aviation AUSTRALIA**

## Software Management Control (5.13)

### Learning Objectives

* 5.13.1.1 Describe the restrictions that apply to software management and control (Level 2).
* 5.13.1.2 Describe the airworthiness requirements for software management and control (Level 2).
* 5.13.1.3 Describe the possible catastrophic effects of unapproved changes to software programs (Level 2).

# Page 2

## Classification of Aircraft Software Systems

### Software Use

Software is used in aircraft systems to provide the programming information required by the computers. It is used by all computer-based systems on the aircraft, including the following:

* Engine control systems
* Bleed air control systems
* Power generation and control systems
* Fire protection systems
* Aircraft instrument displays.

*Image of an aircraft cockpit*
Modern aircraft rely heavily on computer software

It is also used to control the aircraft's navigation and flight management systems. These systems require continuous software updates because the navigational requirements of the aircraft constantly change. These changes can be a result of:

* Airline flight route changes
* Air traffic control changes
* Changes in the position of waypoints.

# Page 3

Software is also used by the aircraft's Built-In Test Equipment (BITE) to communicate with the other systems to test and identify problems associated with the aircraft.
*Image of a Multifunction Control Display Unit (MCDU)*
A Multifunction Control Display Unit (MCDU) is programmed with software that communicates with multiple systems to update or input data and to test and identify faults.

# Page 4

## Software Control

Each aircraft equipment item and system requiring software is assigned a Software Level, which relates to the severity of the effect that possible software errors within the equipment or system could have on aircraft safety, crew and/or passengers. Software levels are assigned in accordance with the criteria defined in DO-178C, Software Considerations in Airborne Systems and Equipment Certification. This document is jointly prepared by the Radio Technical Commission for Aeronautics (RTCA) safety-critical working group RTCA SC-167 and the European Organisation for Civil Aviation Equipment working group EUROCAE WG-12.

*Flowchart titled "Airborne Software and Data"*
Aviation software management

# Page 5

## Software Levels

Software is assigned a level (A, B, C, D or E) based on its potential to cause safety-related failures, as identified by a system safety assessment. The software must also be designed to meet strict specifications (probability of failure) based on its assigned level.
| DAL | Failure Condition | Probability of Failure | Systems Affected |
| :-- | :-- | :-- | :-- |
| A | Catastrophic: failure prevents the aircraft from continuing safely and/or landing | $< 10^{-9}$ per flight hour | Flight control computers, fly-by-wire, full authority digital engine control, flight displays, air data systems |
| B | Hazardous: failure results in serious or fatal injuries to the aircraft occupants | $< 10^{-7}$ per flight hour | Autopilot, autothrottle, ice protection, standby flight displays, instrument landing system, landing gear control |
| C | Major: failure results in discomfort or injuries to the occupants | $< 10^{-5}$ per flight hour | Navigation systems (such as GPS), yaw damper, environmental control systems |
| D | Minor: failure causes some inconvenience to the occupants | $< 10^{-3}$ per flight hour | Flight data recorder, data acquisition system, cabin lighting |
| E | No effect | n/a | In-flight entertainment |

Flight software design assurance levels and acceptable probabilities of failure

Most of the software used is treated in the same manner as an aircraft component for the purposes of certification, major defect investigation and aircraft component control procedures. The five levels of certification, with some examples of the systems controlled by software, are as follows.

### Level A - Catastrophic

Software whose failure would cause or contribute to a catastrophic failure of the aircraft.
This includes software managing systems such as:

* Flight control computer
* Fly-by-wire
* Full authority digital engine control
* Flight displays
* Air data systems

# Page 6

### Level B - Hazardous

Software whose failure would cause or contribute to a hazardous/severe failure condition. This includes software managing systems such as:

* Autopilot
* Autothrottle
* Ice protection
* Standby flight displays
* Instrument landing system
* Landing gear control

### Level C - Major

Software whose failure would cause or contribute to a major failure condition. This includes software managing systems such as:

* Navigation systems (such as GPS)
* Yaw damper
* Environmental control systems

### Level D - Minor

Software whose failure would cause or contribute to a minor failure condition. This includes software managing systems such as:

* Flight data recorder
* Data acquisition system
* Cabin lighting

### Level E - No Effect

Software whose failure would have no effect on the aircraft or on pilot workload. This includes software managing systems such as:

* In-flight entertainment

# Page 7

## Software Types

There are two main types of aircraft software:

* Field-Loadable Software (FLS)
* Preloaded or Resident Software.

*Flowchart titled "Airborne Software and Data"*
Aviation software management

# Page 8

## Field-Loadable Software (FLS)

The term field-loadable software describes the software itself rather than the medium containing it. FLS is software, including data tables, that can be loaded on an aircraft by maintenance personnel without removing the system or equipment from its installation. Characteristics of FLS include the following:

* It has its own unique part number.
* It may be an aircraft part.
* The part number is verifiable on the aircraft by electronically accessing the target hardware memory.
* It does not change the target hardware part number.
* It can be uploaded regardless of the current software state and will not prevent a previous version from overwriting it.

*Image of a "Portable FLS Loader"*

# Page 9

## Preloaded or Resident Software

Preloaded software cannot be changed without physically removing the system, or components of the system, from the aircraft. Updates to the software or programming cannot be made on the aircraft; the unit must be removed and sent to a workshop environment for reprogramming. Preloaded software is used because some aircraft components or computers may not have software changes for long periods of time, and loadable software is not an option when the component is in an inaccessible area or an area of high contamination. Additionally, the manufacturer of the software may not want the information to be released, so the original software is preloaded by the manufacturer and any upgrade to it is undertaken by the manufacturer.

*Image of a FADEC LRU*
FADEC LRU containing preloaded software

# Page 10

## Explanation of Software Terms

### Loadable Software Aircraft Part

A Loadable Software Aircraft Part (LSAP) is software that is considered part of the aircraft approved design and is therefore an aircraft part. An LSAP requires release documentation (EASA Form 1, FAA 8130-3) or an equivalent designated in agreement with the regulatory authority.

*Diagram of "LSAP loading and management"*
LSAP loading and management

# Page 11

## Non-Loadable Software Aircraft Part or Aeronautical Database

Field-loadable software that is not part of the certified aircraft configuration is defined as a Non-LSAP part or an Aeronautical Database (ADB). These parts are commonly used for applications such as navigation, flight planning and terrain awareness.
As they are not part of the aircraft Type Certificate, they may be routinely updated without a formal modification approval or Supplemental Type Certificate (STC) being required. It is still critical, however, that they are subject to rigorous configuration control.

*Image of a CDU displaying Non-LSAP Aeronautical Database version details*
Non-LSAP Aeronautical Database version details presented on a CDU

# Page 12

## Databases

There are two significant types of databases: those which are aircraft parts (LSAP) and those which are Aeronautical Databases. The distinction between the two lies not in the technologies and loading methods used but in their regulatory status:

* The Model/Engine Database (MEDB) is LSAP software that defines a customised performance database for the navigation system. The performance database includes performance values such as fuel flow, drag factor, manoeuvre margin, minimum cruise time and minimum rate of climb.
* The Aeronautical Database (ADB) is not classified as an aircraft part and is sometimes referred to as a non-LSAP. An ADB may be managed using methods developed for LSAP. An example of an ADB is the Navigation Database (NDB), which provides navigation and route information to the Flight Management System (FMS) so that it can accomplish navigation tasks. In most cases the NDB is replaced every 28 days and contains two different databases: the current NDB and the previous one.

*Diagram of "FLS classifications including databases"*
FLS classifications including databases

# Page 13

## Operator-Modifiable Software

Operator-Modifiable Software (OMS) consists of User-Modifiable Software (UMS) and User-Certifiable Software (UCS). OMS permits operators to modify a system function to suit preferred operational procedures, existing operational infrastructure or local conditions.
This is achieved by providing a UMS partition within the executable software, within which the modified software is installed using the appropriate ground-based tools. The resulting software can then be loaded onto the aircraft as a separate software part for the equipment concerned.

### User-Modifiable Software

UMS is software intended for modification by the aircraft operator without review by the certification authority, the aircraft manufacturer or the equipment manufacturer. Modifications by the user may include modifications to data and/or executable code. Target hardware for UMS includes:

* Aircraft Communication and Reporting System (ACARS)
* Aircraft Condition Monitoring System (ACMS)
* Satellite Communications (SATCOM)
* In-Flight Entertainment System (IFE).

*Diagram showing FLS classifications including databases*
FLS classifications including databases

# Page 14

## User-Certifiable Software

User-Certifiable Software (UCS) is software that an operator, or its designated party, chooses to modify in accordance with approved guidelines. A change to UCS requires certification acceptable to the operator's regulatory authority.

## Supplier-Controlled Software

### Operational Program Software

Operational Program Software (OPS) is software that contains the program instructions for a Line-Replaceable Unit (LRU). Each version of OPS has a unique software part number.

*Diagram titled "Types of field loadable software"*
Types of field-loadable software

# Page 15

## Operational Program Configuration

Operational Program Configuration (OPC) is software that determines the function of the LRU. It is a special-purpose database that enables or disables optional functions of the OPS, and it eliminates the requirement for pin programming of the LRU.
*Image of an MCDU screen*
MCDU software version

## Aircraft Configuration List

An Aircraft Configuration List (ACL) is a list of the modules, including LRUs, that use LSAPs applicable to a specific aircraft. This list may be contained in a drawing supplied by the Type Certificate Holder, in a Service Bulletin, in a Service Information Letter, in an Illustrated Parts Catalogue (IPC) or as part of a separate tracking system.

# Page 16

## Software Media

Software media is the means of transporting and distributing software for installation in the user equipment. Software media comes in many forms, including discs (floppy and CD-ROM), memory cards, tapes (mostly obsolescent) and distribution via the internet. A single software medium may contain numerous LSAPs or Aeronautical Databases.

*Image of FLS USB stick*
FLS USB stick

## Software Version

The software version is the specific software item at a designated revision status. Within software versions, it is common for there to be a major and a minor version designation; minor version designations usually reflect only minor changes to the software. The software version designation is often seen in the format $A.BB$, where $A$ is the major version designation and $BB$ is the minor version designation.

*Diagram showing software part number version identification*
Software part number version identification

# Page 17

## Target Hardware

Target hardware identifies the hardware, such as LRUs or modules, into which new FLS is loaded. Target hardware for databases includes:

* Enhanced Ground Proximity Warning System (EGPWS)
* Flight Control Computer (FCC)
* Flight Management Computer (FMC).

*Image of a flight control computer screen*

The databases are used by the appropriate system to accomplish aircraft navigational and manoeuvring tasks.
# Page 18

## Target Hardware for LSAP

The following list includes target hardware for LSAP:

* Display Electronics Unit (DEU)
* Flight Management Computer (FMC)
* Flight Control Computer (FCC)
* Digital Flight Data Acquisition Unit (DFDAU)
* Digital Flight Data Acquisition Management Unit (DFDAMU)
* Auxiliary Power Unit (APU) and Electronic Control Unit (ECU)
* Electronic Engine Control (EEC).

*Image of Display Electronics Unit*
Display Electronics Unit (DEU)

# Page 19

*Image of Digital Flight Data Acquisition Unit*
Digital Flight Data Acquisition Unit (DFDAU)

## Sourcing Software

Software updates such as the NDB, TDB and MEDB should be acquired from a source that is acceptable to the Target Hardware Manufacturer, and the accompanying documentation and the Transport Storage Media containing the modified software should clearly identify that source. The Transport Storage Media should also be annotated with the originator identification and quality/conformity markings. The responsibility for obtaining appropriate documentation confirming the authenticity, performance specification and accuracy of the software rests with the operator. It is also recommended that a 'confidence' check of the received navigation/performance data be carried out to ensure that the changes made satisfy their intended use.

# Page 20

## Software Data Loading

### Data Loaders

As with all computer systems, a means of loading software and data updates is a necessity, and a software or data loader is required to facilitate this. Data loaders facilitate software loading to any programmable computer system except those whose software is stored in ROM, PROM or EPROM. For example, the FMC program can usually be reloaded using a data loader, but an FCC program is more likely to be held as a BIOS-type program, which means it is less likely to become corrupted and cannot be erroneously modified or corrupted using a data loader.
To change a ROM program, a computer chip within the computer must be physically replaced or reprogrammed. Data loaders are linked to the FMC system or connected to a data bus coupler. They may be portable, allowing them to be taken to the aircraft and plugged in, or, in the most up-to-date systems, integrated into the avionics system. Loading information is similar to loading software onto a home computer. If several programmable computers are incorporated into the avionics system, you may be required to select the computer intended to receive the software.

Correct software loads and software configurations are critical to aircraft operations. A software mismatch or glitch resulting from incorrect loading procedures could cause a disastrous sequence of events, so it is imperative that maintenance manuals are strictly followed when loading software, and that software and system functional and confidence checks are performed after software loading.

*Image of Airborne Data Loader*
*Image of Portable Data Loader*

# Page 21

Data loaders are referred to as:

* ADLs (airborne data loaders)
* PDLs (portable data loaders)
* Portable Maintenance Access Terminals (PMATs), which can also provide data loading and fault-recording capability.

*Image of Portable Maintenance Access Terminal*
Portable Maintenance Access Terminal (PMAT)

The software data loader is used to download loadable software into the aircraft's systems. It provides a high-speed data transfer capability to the aircraft. A data loader normally uses one of two media to transfer information into the aircraft: a standard 3.5-in. disc (1.44 MB) or a CD-ROM (700+ MB). The disc is the most common method of software transfer as it has more than enough storage for the data required. The data loader can be permanently fitted to the aircraft, or it can be an external device fitted only when new software is required.
In an internal data loader, information is downloaded by placing the media (usually a disc) into the unit and following the loading procedures defined by the system's operating manual. At the completion of the process, the disc is removed. In some other systems the disc may be left in place and the system reads directly from it; this type is not very common and is mainly used by in-flight entertainment systems. An external device is usually connected via a high-speed data connection cable (an umbilical cable). This is usually done for software associated with the FMC, and the process of downloading the information is carried out via the FMC.

# Page 22

**CAUTION:** When loading software into an aircraft, always follow the loading procedures as defined by the operator and the Aircraft Maintenance Manual. Correct software loading is extremely important.

## FLS Loading and Certification

FLS is loaded into the target hardware using a PDL, an ADL or an off-aircraft (workshop) data loader. After loading, the software should be verified on board using the established processes and procedures detailed in the maintenance manual or associated approved maintenance or modification data. Any FLS loading should be recorded in the Aircraft Configuration List (ACL), with a copy kept on board the aircraft and a further copy kept in the operator's aircraft maintenance records system. After any loading of LSAP, a Certificate of Release to Service must be issued by appropriately authorised Line/Base Maintenance Certifying Staff.

*Image of FLS loading device*
FLS loading and certification

# Page 23

## Electronic Distribution of Software

Electronic Distribution of Software (EDS) is a process whereby FLS is moved from the producer or supplier to a remote site (generally the operator) without the use of physical media. EDS is increasingly being used to transfer FLS from the supplier to an operator.
The obvious advantages are speed of distribution and removal of the need for physical transport media. EDS should be accomplished to a standard acceptable to the regulatory authority. It is also recommended that a 'confidence' check of the received navigation/performance data be carried out to ensure that the changes made satisfy their intended use.

*Electronic distribution diagram*

# Page 24

## Field-Loadable Software Procurement and Documentation

LSAP, databases and UMS are first delivered with the new aircraft, contained in the target hardware and in media sets in binders or storage bins. It must be realised, however, that the part number of the target hardware does not necessarily indicate the loaded software part number when replacing affected LRUs.

Procured LSAP must be obtained from an approved source using the part number specified and must be accompanied by a JAA Form 1 or FAA 8130-3. The specified part numbers can typically be found in documents such as the IPC, Service Bulletin, Service Letter or Approved Modification.

*Image of a server with flash drives hanging from it*
Updating the A380 navigation with flash drives

# Page 25

## FLS Storage Media Handling

To ensure FLS and storage media reliability, storage media should be sealed in dust- and lint-free material in a closed box and clearly labelled as containing software media, and the following should be avoided:

* Moisture, dust or airborne contaminants
* Magnetic fields
* Direct sunlight for prolonged periods
* Rate of temperature change greater than 20 °C/hr
* Temperature outside the range -20 to +50 °C
* X-rays
* Magnetic or electromagnetic sources.

*Image of FLS storage media handling container and disc*
FLS storage media handling

FLS and storage media known to contain defects should not be used and should be placed in quarantine for suitable disposal.
# Page 26

## Replication of FLS

If LSAP copies are to be made, this should be accomplished using the FLS storage media replication process approved by the aircraft Type Design Organisation. This replication should be recorded in an Aircraft Software Replication Register and be traceable to the original source from which the copies were made, so that the activity can be audited. A copy of the accepted release documentation, as appropriate, should accompany all LSAP storage media containing a software copy.

*Duplication data diagram*
Duplicating data

# Page 27

## Procedures

It is essential that operators have appropriate procedures in place such that, at any time, it is possible to determine the equipment and software configuration of each aircraft in their fleet. Operators involved in the procurement, modification and embodiment of FLS shall produce a documented procedure within their company procedures, Maintenance Management Exposition (MME) or equivalent that describes their means of compliance with this notice. The procedure should cover the complete cycle, from procurement specification, distribution methodology (for example, EDS, media type and so on) and receipt inspection/assessment through to embodiment, subsequent testing and release to service. This process must also be included in the internal audit program.

*Image of Maintenance Management Exposition manual*
Maintenance Management Exposition

## Case Study

Changing aircraft software can result in changes to the operating characteristics of the aircraft. Areas of the aircraft that can be affected by changing software include:

* Engine systems
* Navigational systems
* Flight control systems.
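The requirement above, that an operator can determine each aircraft's software configuration at any time, comes down to reconciling what each target hardware item reports (the part number that FLS makes readable from target hardware memory) against the Aircraft Configuration List, and checking that every LSAP is backed by its release documentation. The following Python is an added example, not part of the Aviation Australia module; the data classes, field names, the A.BB version handling and all sample part numbers are constructed for illustration.

```python
"""Reconcile software read back from target hardware against the Aircraft
Configuration List (ACL). All structures and sample values are constructed."""
from dataclasses import dataclass
import re

# Software version format A.BB: A is the major designation, BB the minor.
VERSION_RE = re.compile(r"^(\d+)\.(\d{2})$")

def parse_version(text):
    """Return (major, minor) for an A.BB version string; ValueError otherwise."""
    m = VERSION_RE.match(text)
    if not m:
        raise ValueError(f"version {text!r} is not in A.BB form")
    return int(m.group(1)), int(m.group(2))

def version_difference(loaded, expected):
    """'same', 'minor' or 'major' depending on which designation differs."""
    l_major, l_minor = parse_version(loaded)
    e_major, e_minor = parse_version(expected)
    if l_major != e_major:
        return "major"
    return "minor" if l_minor != e_minor else "same"

@dataclass(frozen=True)
class AclEntry:
    target_hardware: str   # LRU or module name, e.g. "FMC"
    part_number: str       # software part number the ACL expects
    version: str           # A.BB
    lsap: bool             # True for an aircraft part, False for an ADB
    release_document: str  # "EASA Form 1", "FAA 8130-3" or "" if none held

@dataclass(frozen=True)
class ReadBack:
    target_hardware: str   # unit that answered the electronic part-number query
    part_number: str
    version: str

def reconcile(acl, read_backs):
    """Return sorted (target_hardware, finding) pairs; an empty list means the
    aircraft matches its ACL and every LSAP has release documentation."""
    findings = []
    expected = {e.target_hardware: e for e in acl}
    seen = set()
    for rb in read_backs:
        seen.add(rb.target_hardware)
        entry = expected.get(rb.target_hardware)
        if entry is None:
            findings.append((rb.target_hardware, "loaded on hardware not listed in the ACL"))
        elif rb.part_number != entry.part_number:
            findings.append((rb.target_hardware,
                             f"part number {rb.part_number} loaded, ACL lists {entry.part_number}"))
        elif (diff := version_difference(rb.version, entry.version)) != "same":
            findings.append((rb.target_hardware,
                             f"{diff} version mismatch: {rb.version} loaded, ACL lists {entry.version}"))
    for hw, entry in expected.items():
        if hw not in seen:
            findings.append((hw, "no part number could be read back from target hardware"))
        if entry.lsap and not entry.release_document:
            findings.append((hw, "LSAP held without EASA Form 1 / FAA 8130-3 release documentation"))
    return sorted(findings)

# Constructed sample data: one aircraft's ACL and what its LRUs report.
SAMPLE_ACL = [
    AclEntry("FMC", "SW-FMC-0001", "3.02", True, "EASA Form 1"),
    AclEntry("FCC", "SW-FCC-0007", "2.01", True, "FAA 8130-3"),
    AclEntry("DEU", "SW-DEU-0003", "1.10", True, ""),
    AclEntry("EGPWS", "ADB-TDB-2404", "1.00", False, ""),
]
SAMPLE_READ_BACK = [
    ReadBack("FMC", "SW-FMC-0001", "3.02"),     # matches the ACL
    ReadBack("FCC", "SW-FCC-0007", "2.03"),     # minor version drift
    ReadBack("EGPWS", "ADB-TDB-2404", "1.00"),  # ADB, so no release document needed
    ReadBack("ACMS", "SW-ACMS-0042", "1.00"),   # not in the ACL at all
]
```

`reconcile(SAMPLE_ACL, SAMPLE_READ_BACK)` flags the ACMS load that the ACL does not list, the DEU that neither answered nor has release documentation, and the FCC minor version drift; the matching FMC and the non-LSAP EGPWS database produce no finding.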
