9/13/07

8900.1 CHG 0

Volume 6  Surveillance

Chapter 11  Other Surveillance

Section 19  Monitor Approved Avionics Software Changes

6-2616  PROGRAM TRACKING AND REPORTING SUBSYSTEM (PTRS) ACTIVITY CODES. Avionics: 5414/5416

6-2617  OBJECTIVE. This task provides guidance for the control and monitoring of avionics air carrier software changes to line replaceable units (LRUs).

6-2618  GENERAL.

A.     Definition. Partitioned System: A hardware/software system that is designed to separate safety related functions from other functions. This ensures that no action in a non‑safety related function can cause a failure in a safety related function.

B.     Postcertification Software Changes. Postcertification software changes can be required when either of the following occurs:

·        System functional capability changes.

·        Design errors are discovered during service.

1)      When making a postcertification software change, care must be taken as even the smallest change can lead to “secondary errors” in the software. Secondary errors are errors that were not present or whose effects were not detected when the system was first certificated.
2)      Because only changes to safety related software will be treated as a major alteration, it is necessary to predetermine what software will be affected by the change.
3)      Most current system designs use a software program which is not partitioned. Use of a non‑partitioned system makes it necessary to determine if the proposed changes affect safe aircraft operation by evaluating the functions performed by the system. Public address systems, passenger entertainment, and galleys are examples of systems which do not affect safety.
4)      Care must be taken to ensure that partitioning actually exists, especially when implemented in software. When partitioning does exist, changes may be made to non‑safety related software without Federal Aviation Administration (FAA) approval of the methods used for verification and validation.

C.     Design Changes. If an air carrier wishes to design changes to the object code (software) of a line replaceable unit, it must establish and comply with a software verification and validation program equivalent to that described by RTCA/DO‑178A, Software Considerations in Airborne Systems and Equipment Certification.

1)      A software verification and validation program is not necessary if the air carrier only wishes to modify line replaceable units by incorporating software which has been previously approved by the FAA.
2)      The level of sophistication and effort needed for original design changes made to the resident software differs from that needed for the incorporation of a pre‑approved software change. A pre‑approved software change can be accomplished by:

·        Installing a new memory device which contains the approved object code, or

·        Loading the approved object code into a programmable device contained within the line replaceable unit.

D.    Maintenance Program. The principal avionics inspector has responsibility for the approval of the operator’s avionics maintenance program. The maintenance program must provide for the proper maintenance/inspection of all avionics equipment and components, including complete systems.

1)      Changes to the software which performs functions affecting the safe operation of the aircraft should be treated as major alterations. All other software changes should be treated as minor alterations.
2)      The operator must establish that partitioning exists prior to making changes to software which does not affect safety when such software is contained in a system which does affect safety.
3)      When a software change has been previously approved, an operator may modify equipment by incorporating the software change, even when the software change is related to aircraft safety.

6-2619  COORDINATION REQUIREMENTS. This task requires coordination with the operator, Aircraft Certification Office (ACO), and the manufacturer.

6-2620  REFERENCES, FORMS, AND JOB AIDS.

A.     References.

·        Title 14 CFR parts 21, 43, 91, and 121/135.

·        Volume 4 (this order), Chapter 9, Section 1, Perform Field Approval of Major Repairs and Major Alterations.

·        Advisory Circular 20‑121, Airworthiness Approval of Airborne Loran‑C Navigation Systems for Use in the U.S. National Airspace System (NAS), as amended.

·        RTCA DO‑178A, Software Considerations in Airborne Systems and Equipment Certification.

B.     Forms. FAA Form 337, Major Repairs and Alterations.

C.     Job Aids. None.

6-2621  PROCEDURES.

A.     Review the Operator’s Manual. Review applicable manuals, including the operator’s maintenance manual, to ensure the following:

1)      The manufacturer’s service bulletin describing the change is FAA approved.
2)      The manufacturer’s recommended Automatic Test Equipment (ATE)/approved equivalent/manual test equipment and test data are current and capable of performing the required tests.
3)      Procedures are described for transferring the software from the medium provided by the manufacturer to the line replaceable unit memory devices.
4)      Procedures are described for checks ensuring that no errors are introduced by the transfer when memory devices are reprogrammed.
5)      The manual clearly states that avionics software changes performing functions that affect the safe operation of the aircraft will be limited to the following:

·        Those described in the avionics manufacturer’s FAA‑approved service bulletins

·        Those for which the operator has obtained FAA approval

6)      Controls exist to prevent unauthorized software changes, and changes are performed in accordance with the procedures described therein.
7)      Any change to software is reflected in an appropriate revision to the identification of the line replaceable unit in accordance with the criteria of RTCA Document No. DO‑178A.

B.     Review the Training Records. Ensure that the operator’s training records list those persons:

·        Trained in the procedures, tools, and testing necessary to incorporate the new software

·        Qualified to make the inspections when the work is completed and the units are returned to service

NOTE: Factory training may be necessary before using new procedures and tools to incorporate software, depending on the complexity of the tasks involved.

C.     Approve Operator Designed Software Changes Requiring FAA Engineering Assistance.

1)      For changes that affect aircraft safety, contact the appropriate Aircraft Certification Office (ACO) and request engineering review and approval of the verification and validation methods to be used by the operator during the design and test of the new software.
2)      For changes that do not affect aircraft safety in a system which has been partitioned, accomplish the following:

·        Contact the appropriate Aircraft Certification Office (ACO) and request verification to confirm that partitioning exists.

·        Ensure that the software changes will not affect the functions which affect aircraft safety.

6-2622  TASK OUTCOMES.

A.     PTRS. Close the PTRS.

B.     Task Completion. Completion of this task will result in coordinating the approval or the denial of the proposed change with FAA Engineering.

6-2623  FUTURE ACTIVITIES. None.

RESERVED. Paragraphs 6‑2624 through 6‑2640.