Army Airworthiness I
I began exploring these technical and legal issues way back while working on the T700 engine control software, the Enhanced Digital Electronic Engine Control Unit (EDECU). When I discussed the issue with Dr. Willie Fitzpatrick, my supervisor at the time, he bragged to me of his reputation for not disapproving software and said he had never disapproved any software. I brought up the issue of integrity. His position was that if he didn't do it, then they would find someone who would.
As I stated in an earlier post, when he was no longer my supervisor, Willie (DB4) reviewed the Software Accomplishment Summary (SAS) for the EDECU software, which I had disapproved twice, to be subsequently kicked off the program by Phil Howard. Willie's only documented review comment was that it would be nice if it stated what the system impacts of the software changes were. I rest my case.
The T700 engine is FAA certified. Working primarily with Mr. Hill and Mr. Tenney of AED, we finally persuaded management that there was an issue with the Application Software (AS) of the engine (the control software). It took me about a year of arguing with Willie, who initially said, "I don't care about the AS." Finally the Army wrote the first Airworthiness Impact Statement (AWIS) for software, EVER, based on this work. Afterwards General Electric (GE), the T700 Prime, went right back to what it had been doing for the last 20 years, approved by the FAA, with the Army accepting it again?
Requirements traceability, required by DO-178B, could not be and was not done for the AS; it didn't exist. Why? Because the AS (control software) is the requirements. This problem of model-generated software is only now starting to kind of sort of be addressed by DO-178 Revision C. So after being kicked off the engine software I was assigned to the Common Avionics Architecture System (CAAS) software for the CH-47, a year and a half later!
I started reviewing the CAAS documentation supplied by Clarence Clark, SED Lead for the CH-47 Chinook software. I found not only that the documentation explicitly states CAAS was not compliant with DO-178B although contracted, but also that the firmware was noncompliant and not even contracted to DO-254. As I have maintained, the Army never ever addresses firmware... ever. Not even safety-critical firmware, e.g. the EDECU safety-critical firmware. I emailed Clarence, going through my chain of command! I have record copies of all my emails related to the events documented in this blog. His reply finally was that I needed to go ask "management." So I provided the write-up below delineating the issues to my Army management chain: Clarence Clark (Lead), Phil Howard (Supervisor) and Bill Craig (SED Director). I never received a reply. NEVER EVER, but a few months later Army Regulation 70-62 (9+ years old) was changed, deleting the requirement cited in the write-up.
I inquired with Phil after sending it (before the Reg. change) in a meeting with him for my mid-point. He said, how do you know that? I said because the documentation says so. He said, "I'll investigate." I emailed him afterwards, documenting my inquiry and his meeting statement. I never heard back from him, but then Phil doesn't answer emails I send him. Later, when I would email him (S3I First Line Supervisor) and Susan Davis (S3I Second Line Supervisor), Susan was the only person to respond. I later contacted the Inspector General, who referred it back to AED, the organization guilty of the violations. I then contacted two Senators, who never followed up with any response. All of which is posted. So it ain't like I haven't tried!
Technical write-up emailed to Clarence Clark (Lead), Phil Howard (Supervisor) and Bill Craig (SED Director):
__________________________________________________________
Technical Comments to CH-47F v9.4 Common Avionics Architecture System (CAAS) System Documentation
Review of the system documents for the CH-47F v9.4 Common Avionics Architecture System (CAAS) has disclosed several disturbing and potentially dangerous system engineering deficiencies which actually violate Army and Federal regulations governing system airworthiness and safety.
1.0 Army Regulation 70-62, Airworthiness Qualification of Aircraft Systems, states that the Army is to ensure the maximum degree of safety is applied through the practical application of systems safety engineering. The maximum degree of safety would be difficult to define, but the minimum degree of safety is clearly defined for systems that operate within civil airspace for CONUS and NONCONUS by Federal regulations governing airworthiness and safety. Since Army aviation systems operate within foreign and US civil airspaces, for which the airworthiness and safety engineering requirements are clearly defined and represent the minimum airworthiness and safety engineering requirements for nonmilitary airspace, this would equally represent the same for military systems within those airspaces. If the system in question does not meet Federal or Army regulation then it should only operate within designated restricted and military airspace, but as will be clearly shown this is not the case. If the system does not meet the Federal regulations and would be disapproved by the FAA (Federal Aviation Administration), then it does not meet the minimum system requirements for airworthiness and safety within public airspace, much less the maximum degree of safety which the Army is actually tasked to provide by regulation. This open negligence of proper airworthiness and safety certification potentially endangers both Army equipment and personnel as well as civilians and public property.
2.0 Software: CH-47F software documentation explicitly states that the CAAS software does not meet DO-178 (or equivalent). Federal regulation requires avionic software to comply with DO-178 or equivalent, representing the industrial standard for avionic software. EUROCAE ED-12 is the European equivalent to DO-178, which CAAS software equally does not meet since it does not comply with DO-178. Thus CAAS software does not meet the minimum airworthiness or safety requirements and is in violation of Army and Federal regulations for usage in civil or military airspace, as stated by its own documentation.
a. The failure of the software to meet DO-178 actually exacerbates and hides major system issues. The CAAS documentation states the Design Assurance Levels (DAL) assigned to the software and used for certification are not equivalent to DO-178. Specifically it states, "No compliance with Do-178B development should be inferred." CAAS has nine (9) DAL Level A assigned software components of twenty (20), but in actuality the DAL levels are unknown and undefined due to the noncompliance with DO-178B. This equally applies to all 20 software components of CAAS "labeled" as various DALs. So not only is none of the software compliant with DO-178, but false and unknown DALs are specified and used for software and system certification. This faulty and misguided engineering actually increases risk and represents far less than the minimum safety level required for civilian airspace, let alone the maximum which the Army is tasked to provide by AR-70-62.
3.0 Hardware/Firmware: CH-47F hardware/firmware airworthiness oversight appears to be in a worse state than the software. System documentation states that firmware is not addressed because they have no requirement to. Hardware/firmware airworthiness certification is required, just as it is for software, by Federal and European regulation and is just as essential. DO-254 (or equivalent) is specified for hardware/firmware airworthiness certification. EUROCAE ED-80 is the European equivalent to DO-254, which CAAS equally does not meet. CAAS documentation states that "if this CH-47F CAAS Program were required to comply with DO-254," acknowledging and stating that CAAS hardware/firmware does not comply with DO-254. Since CAAS does not address hardware or firmware certification in accordance with DO-254, it once again fails to even achieve the minimum safety or airworthiness oversight specified by Federal regulation for either US or foreign civil airspace certification, much less the maximum as tasked by Army Regulation.
a. Equivalent and parallel problems exist, as explained above for the software, but are even more prevalent with hardware/firmware and with the same hidden dangers. Thirteen Complex Devices are identified within CAAS, all labeled DAL A or B, but since DO-254 compliance is not required nor achieved for CAAS, the DAL assignments are meaningless and actually present additional unknown risks to system certification. CAAS hardware/firmware fails to achieve the minimum level of safety or airworthiness oversight necessary for civil or military airspace (domestic or foreign) or the maximum as tasked by AR-70-62.
4.0 CAAS Contract: It should be noted that the author was unable to obtain the CAAS contract even after numerous requests. If DO-178 and/or DO-255 are specified in the contract then the contractor is definitely in violation, since neither is in compliance as stated by contractor documentation. On the other hand, if DO-178 and/or DO-255 are not specified by the contract then this would point to intentional omission by the Army and would raise the question of adequate and lawful oversight of airworthiness and safety certification by the Army. This confirms the habitual failure of the Army to even achieve the minimum safety or airworthiness oversight requirements specified by regulation for either US or foreign certification for civil airspace, much less the maximum as tasked.
5.0 Disapproval is recommended since the system is noncompliant with both DO-178 and DO-254. Subsequent improper engineering oversight has actually increased system risks as explained. How can it be legal, and equally moral, for the Army to knowingly certify deficient systems, which clearly state they violate Army and Federal regulation, as airworthy in civil airspace? The Army must instead at least meet the minimum requirements as implied by Army Regulation and explicitly defined by Federal regulation, since the system should be expected to safely operate in civil airspace, where the expectation level is defined but the Army knowingly fails to achieve it. Why shouldn't all citizens expect the Army to provide the same airworthiness safety as required for commercial systems operating in the same airspace, instead of knowingly developing and fielding systems which actually violate airworthiness and safety requirements? The Army appears to have completely lost sight that the safety goal is the maximum, while totally failing to even achieve the minimum and actually achieving worse: undefined and unknown states of system software, hardware and firmware through bad engineering.
6.0 If the Army cannot or will not meet the "minimum," which is clearly the Federally legislated airworthiness and safety regulations that all commercial equipment meets every day, and in the "process" actually undermines airworthiness and safety through bad or "broken" engineering, then the Army should not be allowed to fly unrestricted in all airspaces, potentially endangering Army equipment, personnel, civilians and public property both foreign and domestic, clearly in violation of Army regulation which states to ensure a maximum degree of safety.
D
Computer Engineer
Software Engineering Directorate
CH-47F CAAS AMS
Documents:
9.4 Spec Tree Rev 1
FHA A040-01 FHA 143-0305-204A
FPS LL SRD A008-01
FPSLG 964-8425-07A
ICD CVDR A001-01c 946-3188-204D
PSSA A041-01 PSSA 143-0330-204A
SSA A041-01 SSA 143-0330-204A
SSDD A007-01 SSDD 143-0226-204A