Software Management Control (5.13) PDF


Summary

This document provides learning objectives and classifications of different types of aircraft software. It discusses software management control. The document is part of a training program and contains technical information regarding software types in an aircraft.

Full Transcript

Software Management Control (5.13)

Learning Objectives

5.13.1.1 Describe the restrictions that apply to software management and control (Level 2).
5.13.1.2 Describe the airworthiness requirements for software management and control (Level 2).
5.13.1.3 Describe the possible catastrophic effects of unapproved changes to software programs (Level 2).

2022-07-22 B1-05b Digital Techniques / Electronic Instrument Systems Page 32 of 172 CASA Part 66 - Training Materials Only

Classification of Aircraft Software Systems

Software Use

Software is used in aircraft systems to provide the programming information required by the computers. It is used by all computer-based systems on the aircraft and includes the following:
- Engine control systems
- Bleed air control systems
- Power generation and control systems
- Fire protection systems
- Aircraft instrument displays.

[Figure: Modern aircraft rely heavily on computer software]

It is also used to control the aircraft's navigation and flight management systems. These systems require continuous software updates as the navigational requirements of the aircraft constantly change. These changes can be a result of:
- Airline flight route changes
- Air traffic control changes
- Changes in the position of waypoints.

Software is also used by the aircraft's Built-In Test Equipment (BITE) to communicate with the other systems to test and identify problems associated with the aircraft.

[Figure: A Multifunction Control Display Unit (MCDU) is programmed with software that communicates with multiple systems to update or input data, test and identify faults]

Software Control

Each aircraft equipment and system requiring software is assigned a Software Level which relates to the severity of the effect of possible software errors within the equipment or system on aircraft safety, crew and/or passengers. Software levels are assigned in accordance with the criteria defined in DO-178C Software Considerations in Airborne Systems and Equipment Certification. This document is jointly prepared by the Radio Technical Commission for Aeronautics (RTCA) safety-critical working group RTCA SC-167 and the European Organisation for Civil Aviation Equipment (EUROCAE) WG-12.

[Figure: Aviation Australia, Aviation software management classification flowchart. Decision questions: Is the airborne software or data included in the aircraft design, or required for aircraft production, flight operations or maintenance operations? Is the software controlled at the aircraft level? Is the software loadable? Is it included in the aircraft type design (CASR 21)? Is it an ADB (CASR 175)? Is it required for flight operations? Is it required for maintenance (Instructions for Continued Airworthiness)? Categories named: Airborne Software; Airborne Support Data (A/C support data, IFE files, A/L duty free store, hotels list, Connexions/AOC convenience items); Aircraft Controlled Software (ACS); Hardware Controlled Software (HCS); Field Loadable Software (FLS) or Loadable Software Part (LSP); Aircraft Controlled Loadable Software Part (ACLSP); Resident Software (RS) or Pre-loaded Software; Loadable Software Aircraft Part (LSAP); Aeronautical Database (ADB); Flight Operations Software (FOS) such as Electronic Flight Bag (EFB), Nav Charts and Airport maps; Maintenance Operations Software (MOS) such as Technical Publications (TechPubs) AMM, TSM, FIM; Supplier Controlled Software (SCS) such as OPS, OSS; User Modifiable Software (UMS) such as AMI, ASO, Cabin database (CDB); User Certified Software (UCS); Uncategorised.]

Software Levels

Software is assigned a level (A, B, C, D or E) based on its potential to cause safety-related failures identified by a system safety assessment. The software must also be designed to meet strict specifications (probability of failure) based on its assigned level.

[Figure: Aviation Australia, Flight software design assurance levels and acceptable probabilities of failure]

Most of the software used is treated in the same manner as an aircraft component for the purposes of certification, major defect investigation and aircraft component control procedures. The five levels of certification and some examples of the systems controlled by software are provided as follows.

Level A - Catastrophic
Software whose failure would cause or contribute to a catastrophic failure of the aircraft. This includes software managing systems such as:
- Flight control computer
- Fly-by-wire
- Full authority digital engine control
- Flight displays
- Air data systems

Level B - Hazardous
Software whose failure would cause or contribute to a hazardous/severe failure condition. This includes software managing systems such as:
- Autopilot
- Autothrottle
- Ice protection
- Standby flight displays
- Instrument landing system
- Landing gear control

Level C - Major
Software whose failure would cause or contribute to a major failure condition.
This includes software managing systems such as:
- Navigation systems (such as GPS)
- Yaw damper
- Environmental control systems

Level D - Minor
Software whose failure would cause or contribute to a minor failure condition. This includes software managing systems such as:
- Flight data recorder
- Data acquisition system
- Cabin lighting

Level E - No Effect
Software whose failure would have no effect on the aircraft or on pilot workload. This includes software managing systems such as:
- In-flight entertainment

Software Types

There are two main types of aircraft software:
- Field-Loadable Software (FLS)
- Preloaded or Resident Software.

[Figure: Aviation Australia, Aviation software management classification flowchart (the same figure shown under Software Control above)]

Field-Loadable Software (FLS)

Field-loadable software is a term used specifically to describe the software rather than the medium containing it. FLS is software, including data tables, which can be loaded on an aircraft by maintenance personnel without removing the system or equipment from its installation. Characteristics of FLS include the following:
- It has its own unique part number.
- It may be an aircraft part.
- The part number is verifiable on the aircraft by electronically accessing the target hardware memory.
- It does not change the target hardware part number.
- It can be uploaded regardless of the current software state and will not prevent a previous version from overwriting it.

[Figure: Portable FLS loader]

Preloaded or Resident Software

Preloaded software cannot be changed without physically removing the system or components of the system from the aircraft. Updates to the software or programming cannot be made on the aircraft and require the unit to be removed and sent to a workshop environment for reprogramming. The reasons for using preloaded software are that some aircraft components or computers may not have software changes for long periods of time, and loadable software is not an option where the component is in an inaccessible area or an area of high contamination.
Additionally, the manufacturer of the software may not want the information to be released, so the original software will be preloaded by the manufacturer and any upgrade to it will be undertaken by the manufacturer.

[Figure: FADEC LRU containing pre-loaded software]

Explanation of Software Terms

Loadable Software Aircraft Part

A Loadable Software Aircraft Part (LSAP) is software that is considered part of the aircraft approved design and therefore an aircraft part. An LSAP requires release documentation (EASA Form 1, FAA 8130-3), or an equivalent designated in agreement with the regulatory authority.

[Figure: FAA diagram, LSAP loading and management]

Non-Loadable Software Aircraft Part or Aeronautical Database

Field-loadable software which is not part of the certified aircraft configuration is defined as a Non-LSAP part or an Aeronautical Database (ADB). These parts are commonly used for applications such as navigation, flight planning and terrain awareness. As they are not part of the aircraft Type Certificate, they may be routinely updated without a formal modification approval or Supplemental Type Certificate (STC) being required. It is still critical, however, that they are subject to rigorous configuration control.

[Figure: Aviation Australia, Non-LSAP Aeronautical database version details presented on a CDU]

Databases

There are two significant types of databases: those which are aircraft parts (LSAP) and those which are Aeronautical Databases. The distinction between the two does not lie in the technologies and loading methods used, but in their regulatory status:
- Model/Engine Database (MEDB) is LSAP software that defines a customised performance database for the navigation system. The performance database includes performance values such as fuel flow, drag factor, manoeuvre margin, minimum cruise time and minimum rate of climb.
- Aeronautical Database (ADB) is not classified as an aircraft part and is sometimes referred to as a non-LSAP. An ADB may be managed using methods developed for LSAP. An example of an ADB is the Navigation Database (NDB), which provides navigation and route information for the Flight Management System (FMS) so that it can accomplish navigation tasks. In most cases the NDB is replaced every 28 days and contains two different databases, the current database and the previous NDB.

[Figure: Aviation Australia, FLS classifications including databases]

Operator Modifiable Software

Operator-Modifiable Software (OMS) consists of User-Modifiable Software (UMS) and User-Certifiable Software (UCS). OMS permits operators to modify a system function to suit preferred operational procedures, existing operational infrastructure or local conditions. This can be achieved by providing a UMS partition within the executable software, within which the modified software is installed using the appropriate ground-based tools. The resulting software can then be loaded onto the aircraft as a separate software part for the equipment concerned.

User Modifiable Software

UMS is software intended for modification by the aircraft operator without review by the certification authority, the aircraft manufacturer or the equipment manufacturer. Modifications by the user may include modifications to data and/or executable code. Target hardware for UMS includes:
- Aircraft Communication and Reporting System (ACARS)
- Aircraft Condition Monitoring System (ACMS)
- Satellite Communications (SATCOM)
- In-Flight Entertainment System (IFE).

[Figure: Aviation Australia, FLS classifications including databases]

User-Certifiable Software

User-Certifiable Software (UCS) is software that an operator or its designated party chooses to modify in accordance with approved guidelines. A change to UCS requires certification acceptable to the operator's regulatory authority.

Supplier Controlled Software

Operational Program Software

Operational Program Software (OPS) is software that contains the program instructions for a Line-Replaceable Unit (LRU). Each version of OPS has a unique software part number.

[Figure: Aviation Australia, Types of field loadable software]

Operational Program Configuration

Operational Program Configuration (OPC) is software that determines the function of the LRU. It is a special-purpose database that enables or disables optional functions of the OPS. It eliminates the requirement for pin programming of the LRU.

[Figure: Aviation Australia, MCDU software version]

Aircraft Configuration List

An Aircraft Configuration List (ACL) is a list of modules, including LRUs, which use LSAPs applicable to a specific aircraft. This list may be contained in a drawing supplied by the Type Certificate Holder, in a Service Bulletin, in a Service Information Letter, in an Illustrated Parts Catalogue (IPC) or as part of a separate tracking system.

Software Media

Software media is the means of transporting and distributing software for installation in the user equipment.
The software media comes in many forms, including discs (floppy and CD-ROM), memory cards, tapes (mostly obsolescent) and via the internet. A single software medium may contain numerous LSAPs or Aeronautical Databases.

[Figure: FLS USB stick]

Software Version

The software version is the specific software item at a designated revision status. Within software versions, it is common for there to be a major and a minor version designation. Minor version designations usually reflect only minor changes to the software. Software version designation is often seen in the format A.BB, where A is the major version designation and BB is the minor version designation.

[Figure: Aviation Australia, Software part number version identification]

Target Hardware

Target hardware identifies the hardware, such as LRUs or modules, for the purpose of loading new FLS. Target hardware for databases includes:
- Enhanced Ground Proximity Warning System (EGPWS)
- Flight Control Computer (FCC)
- Flight Management Computer (FMC).
The databases are used by the appropriate system to accomplish aircraft navigational and manoeuvring tasks.

[Figure: Aviation Australia, Flight control computer]

Target Hardware for LSAP

The following list includes target hardware for LSAP:
- Display Electronics Unit (DEU)
- Flight Management Computer (FMC)
- Flight Control Computer (FCC)
- Digital Flight Data Acquisition Unit (DFDAU)
- Digital Flight Data Acquisition Management Unit (DFDAMU)
- Auxiliary Power Unit (APU) and Electronic Control Unit (ECU)
- Electronic Engine Control (EEC).

[Figure: Display Electronics Unit (DEU)]

[Figure: Digital Flight Data Acquisition Unit (DFDAU)]

Sourcing Software

Software updates such as NDB, TDB and MEDB should be acquired from a source that is acceptable to the Target Hardware Manufacturer, and the accompanying documentation and Transport Storage Media containing the modified software should clearly identify this. The Transport Storage Media should also be annotated with the originator identification and quality/conformity markings. The responsibility for obtaining appropriate documentation confirming the authenticity, performance specification and accuracy of the software rests with the operator. It is also recommended that a 'confidence' check of the received navigation/performance data be accomplished to ensure that the changes made satisfy their intended use.

Software Data Loading

Data Loaders

As with all computer systems, a means to load software and data updates is a necessity. To facilitate this, a software or data loader is required. Data loaders facilitate software loading to any programmable computer system except those whose software is stored on ROM, PROM and EPROM. For example, the FMC program is likely able to be reloaded using a data loader, but an FCC program is more likely to have a BIOS-type software program. This means it is less likely to become corrupted and cannot be erroneously modified or corrupted using a data loader. To change a ROM program, a computer chip within the computer must be physically replaced or reprogrammed. Data loaders will be linked to the FMC system or connected to a data bus coupler. Data loaders may be portable, allowing them to be taken to the aircraft and plugged in, or in the most up-to-date systems they may be integrated into the avionics system.
Loading information is similar to loading software onto your home computer. If several programmable computers are incorporated into the avionics system, you may be required to select the computer intended to receive the software. Correct software loads and software configurations are critical to aircraft operations. A software mismatch or glitch as a result of incorrect loading procedures could cause a disastrous sequence of events, so it is imperative that maintenance manuals are strictly followed when loading software, and that software and system functional and confidence checks are performed following software loading.

[Figure: Data loaders]

Data loaders are referred to as:
- ADLs (airborne data loaders)
- PDLs (portable data loaders)
- Portable Maintenance Access Terminals (PMATs), which can also provide data loading and fault-recording capability.

[Figure: Portable Maintenance Access Terminal (PMAT)]

The software data loader is used to download loadable software into the aircraft's systems. It provides a high-speed data transfer capability to the aircraft. A data loader normally uses one of two media to transfer information into the aircraft: either a standard 3.5-in. disc (1.44 MB) or a CD-ROM (700+ MB). The disc is the most common method of software transfer as it has more than enough storage for the data required. The data loader can be permanently fitted to the aircraft or it can be an external device fitted only when new software is required. In an internal data loader, information can be downloaded by placing the media (usually a disc) into the unit and following the loading procedures as defined by the system's operating manual. At the completion of the process, the disc is removed. In some other systems, the disc may be left in place and the system reads directly from the disc. This type is not very common and is mainly used by in-flight entertainment systems. An external device is usually connected via a high-speed data connection cable (an umbilical cord cable). This is usually done for software associated with the FMC. The process of downloading the information is carried out via the FMC.

[Figure: Aviation Australia, Correct software loading is extremely important]

FLS Loading and Certification

FLS is loaded into the target hardware using a PDL, ADL or off-aircraft data loader (workshop). After loading, the software should be verified on board using the established processes and procedures detailed in the maintenance manual or associated approved maintenance or modification data. Any FLS loading should be recorded in the Aircraft Configuration List (ACL), and a copy kept on board the aircraft with a further copy also kept in the operator's aircraft maintenance records system. After any loading of LSAP, a Certificate of Release to Service must be issued by appropriately authorised Line/Base Maintenance Certifying Staff.

[Figure: FLS loading and certification]

Electronic Distribution of Software

Electronic Distribution of Software (EDS) is a process whereby FLS is moved from the producer or supplier to a remote site (generally the operator) without the use of physical media. EDS is increasingly being utilised to transfer FLS from the supplier to an operator. The obvious advantages of this are speed of distribution and removal of the need for physical transport media. This should be accomplished to a standard acceptable to the regulatory authority. It is also recommended that a 'confidence' check of the received navigation/performance data be accomplished to ensure that the changes made satisfy their intended use.
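As an added example (not part of the CASA training material), the following Python script reconciles the part numbers read back electronically from each target hardware against an Aircraft Configuration List, reporting a load that is older than the ACL entry (a previous version having overwritten the recorded one), a load the ACL does not list, and an LSAP with no release documentation recorded. The ACL record format, the <base>-A.BB part-number form, and every part number and document reference are constructed for this example.

```python
import re
from dataclasses import dataclass

# Constructed part-number form for this example: <base>-<A.BB>, e.g. FMC-SW-2.03.
PART_RE = re.compile(r"^(?P<base>[A-Z0-9-]+)-(?P<major>\d+)\.(?P<minor>\d{2})$")


@dataclass(frozen=True)
class AclEntry:
    target: str        # target hardware, e.g. FMC, DEU, EEC
    part_number: str   # LSAP part number the ACL says must be loaded
    release_doc: str   # EASA Form 1 / FAA 8130-3 reference; empty if none recorded


def parse_part_number(pn):
    """Split a constructed part number into (base, major, minor); A.BB as in the text."""
    m = PART_RE.match(pn)
    if not m:
        raise ValueError(f"part number {pn!r} is not in <base>-A.BB form")
    return m.group("base"), int(m.group("major")), int(m.group("minor"))


def parse_acl(text):
    """Parse constructed 'TARGET;PART_NUMBER;RELEASE_DOC' lines into AclEntry records."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        target, pn, doc = (field.strip() for field in line.split(";"))
        parse_part_number(pn)  # reject malformed part numbers before they reach the ACL
        entries.append(AclEntry(target, pn, doc))
    return entries


def reconcile(acl, loaded):
    """Compare part numbers read back from target hardware with the ACL.

    loaded maps target hardware -> part number read from its memory (None if the
    read failed).  Returns findings needing action; [] means the aircraft matches
    its ACL and every listed LSAP has release documentation recorded.
    """
    findings = []
    for e in acl:
        got = loaded.get(e.target)
        if got is None:
            findings.append(f"{e.target}: part number could not be read from target hardware")
        elif got != e.part_number:
            want = parse_part_number(e.part_number)
            try:
                have = parse_part_number(got)
            except ValueError:
                findings.append(f"{e.target}: loaded {got!r} is not a recognised part number")
                continue
            if have[0] != want[0]:
                findings.append(f"{e.target}: loaded {got} is a different part from ACL {e.part_number}")
            elif have[1:] < want[1:]:   # (major, minor) tuple comparison
                findings.append(f"{e.target}: loaded {got} is older than ACL {e.part_number}")
            else:
                findings.append(f"{e.target}: loaded {got} is newer than ACL {e.part_number} (unrecorded load)")
        if not e.release_doc:
            findings.append(f"{e.target}: no release documentation recorded for {e.part_number}")
    for target in sorted(set(loaded) - {e.target for e in acl}):
        findings.append(f"{target}: loaded software not listed in ACL")
    return findings


# Constructed sample ACL and read-back values (invented, not real part numbers).
SAMPLE_ACL = """
# target;LSAP part number;release document
FMC;FMC-SW-2.03;EASA-F1-0001
FCC;FCC-SW-5.10;FAA-8130-0002
DEU;DEU-SW-1.07;
"""
SAMPLE_LOADED = {
    "FMC": "FMC-SW-2.03",   # matches the ACL
    "FCC": "FCC-SW-5.09",   # older: a previous version overwrote the recorded load
    "DEU": "DEU-SW-1.07",   # matches, but the ACL records no release document
    "EEC": "EEC-SW-3.00",   # loaded but absent from the ACL
}


def sample_findings():
    return reconcile(parse_acl(SAMPLE_ACL), SAMPLE_LOADED)
```

Running `sample_findings()` yields three findings (the FCC regression, the missing DEU release document and the unlisted EEC load); the read-back values would in practice come from the target hardware memory check the text describes.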
[Figure: Electronic distribution of software]

Field-Loadable Software Procurement and Documentation

LSAP, databases and UMS are first delivered with the new aircraft and contained in the target hardware and in media sets in binders or storage bins. It must be realised, however, that the part number of the target hardware does not necessarily indicate the loaded software part number when replacing affected LRUs.

LSAP
Procured LSAP must be obtained from an approved source using the part number specified and be accompanied by a JAA Form 1 or FAA 8130-3. These can typically be found in documents such as the IPC, Service Bulletin, Service Letter or Approved Modification.

[Figure: Updating the A380 navigation with flash drives]

FLS Storage Media Handling

In order to ensure FLS and storage media reliability, storage media should be sealed in dust- and lint-free material in a closed box, should be clearly labelled as containing software media, and the following should be avoided:
- Moisture, dust or airborne contaminants
- Magnetic fields
- Direct sunlight for prolonged periods
- Rate of temperature change greater than 20 °C/hr
- Temperature outside the range of -20 to +50 °C
- X-ray
- Magnetic or electromagnetic source.

[Figure: FLS storage media handling]

FLS and storage media known to contain defects should not be used and should be placed in quarantine for suitable disposal.

Replication of FLS

If LSAP copies are to be made, this should be accomplished using the aircraft Type Design Organisation-approved FLS storage media replication process. This replication should be recorded in an Aircraft Software Replication Register and be traceable to the original source from which the copies were made. This is to ensure that this activity can be audited. A copy of the accepted release documentation, as appropriate, should accompany all LSAP storage media containing a software copy.

[Figure: Duplicating data]

Procedures

It is essential that operators have appropriate procedures in place such that at any time it is possible to determine the equipment and software configuration of each aircraft in their fleet. Operators involved in the procurement, modification and embodiment of FLS shall produce a documented procedure within their company procedures, Maintenance Management Exposition (MME) or equivalent that describes their means of compliance with this notice. The procedure should cover the complete cycle, from procurement specification, distribution methodology (for example, EDS, media type and so on) and receipt inspection/assessment through to embodiment, subsequent testing and release to service. This process must also be included in the internal audit program.

[Figure: Maintenance management exposition]

Case Study

Changing aircraft software can result in changes to the operating characteristics of the aircraft. Areas of the aircraft that can be affected by changing software include:
- Engine systems
- Navigational systems
- Flight control systems.

Air New Zealand Flight 901 - Mt Erebus Disaster

The following example highlights the possible catastrophic effects of unapproved changes to aircraft software. On 28 November 1979, Air New Zealand Flight 901 left Auckland Airport. On board were 237 passengers and 20 crew members bound for Antarctica.
The plan gave co-ordinates for the trip to Antarctica and across McMurdo Sound which, when entered into the computerised navigation system, would be flown automatically by the plane. That morning, the flight crew, Collins and Cassin, entered the series of latitude and longitude co-ordinates into the aircraft computer. Unknown to them, two of the co-ordinates had been changed earlier that morning and, when entered, they shifted the flight path of the aircraft 45 km to the east. At 12:45 p.m., Collins advised McMurdo Centre he was descending farther, to 2000 ft. At this point he locked onto the computerised navigational system, but Flight 901 was not where the crew thought it was. The change in the two co-ordinates had put it on a path not across the flat ground of McMurdo Sound, but across Lewis Sound and towards the 12,300 ft-high active volcano Mount Erebus. The air was clear, and beneath the cloud layer the whiteness of the ice blended with the whiteness of the mountain, with no contrast to show the upward slope of the land: a whiteout. At 12:49 p.m., the deck altitude device began to blare a warning, but there was no time for Collins to save the situation from disaster. Just 6 seconds later, Flight 901 hit the side of Mount Erebus and disintegrated.

[Figure: Air New Zealand Flight 901 crash site]

This shows the catastrophic effects of loading an unapproved NDB into an aircraft.
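As an added example (not part of the training material), the following Python script performs the kind of 'confidence' check the Sourcing Software and EDS sections recommend on a received NDB cycle: it compares every waypoint against the previous cycle the NDB retains and flags waypoints that moved beyond a tolerance, were removed, or were added, so a silent shift like the 45 km one in the case study is surfaced for review before the database is accepted. The IDENT,LAT,LON record format, the waypoint identifiers and positions, and the 1 km tolerance are all constructed assumptions, not real navigation data.

```python
import math
from dataclasses import dataclass

EARTH_RADIUS_KM = 6371.0


@dataclass(frozen=True)
class Waypoint:
    ident: str
    lat: float   # decimal degrees, south negative
    lon: float   # decimal degrees, west negative


def parse_waypoints(text):
    """Parse constructed 'IDENT,LAT,LON' lines into a dict keyed by identifier."""
    waypoints = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        ident, lat, lon = (field.strip() for field in line.split(","))
        if ident in waypoints:
            raise ValueError(f"duplicate waypoint identifier {ident}")
        waypoints[ident] = Waypoint(ident, float(lat), float(lon))
    return waypoints


def great_circle_km(a, b):
    """Haversine great-circle distance between two waypoints, in kilometres."""
    phi1, phi2 = math.radians(a.lat), math.radians(b.lat)
    dphi = phi2 - phi1
    dlam = math.radians(b.lon - a.lon)
    h = math.sin(dphi / 2) ** 2 + math.cos(phi1) * math.cos(phi2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(h))


def confidence_check(previous, received, max_shift_km=1.0):
    """Compare the received NDB cycle against the previous one.

    Returns (ident, kind, shift_km) findings that need review before acceptance:
    kind is 'moved' (beyond max_shift_km), 'removed' or 'added'.  An empty list
    means no waypoint changed beyond the tolerance.
    """
    findings = []
    for ident in sorted(set(previous) | set(received)):
        old, new = previous.get(ident), received.get(ident)
        if old is None:
            findings.append((ident, "added", 0.0))
        elif new is None:
            findings.append((ident, "removed", 0.0))
        else:
            shift = great_circle_km(old, new)
            if shift > max_shift_km:
                findings.append((ident, "moved", round(shift, 1)))
    return findings


# Constructed sample cycles: identifiers and positions are invented, not real NDB data.
# WPT01 is shifted about 1.87 degrees of longitude east, roughly 45 km at this latitude.
PREVIOUS_NDB = """
# ident,lat,lon
WPT01,-77.500,164.000
WPT02,-77.200,166.500
WPT03,-76.800,165.200
"""
RECEIVED_NDB = """
# ident,lat,lon
WPT01,-77.500,165.870
WPT02,-77.200,166.500
WPT04,-76.900,165.000
"""


def sample_findings():
    return confidence_check(parse_waypoints(PREVIOUS_NDB), parse_waypoints(RECEIVED_NDB))


if __name__ == "__main__":
    for ident, kind, shift_km in sample_findings():
        print(f"{ident}: {kind}" + (f" by {shift_km} km" if kind == "moved" else ""))
```

Any non-empty result should be compared against the change notice that accompanied the cycle; a move the supplier did not document is the case the check exists to catch.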
