More drama but likely not a significant issue. New software flaw requires FAA intervention to avoid KC-46 schedule slip
https://www.flightglobal.com/news/artic ... id-447827/
A newly-discovered software flaw could trigger another schedule delay for the Boeing KC-46A Pegasus unless the US Federal Aviation Administration approves a temporary waiver from certification requirements.In a document submitted to the FAA on 26 March, Boeing requests a time-limited exemption from the FAA’s supplemental type certification criteria for the 767-2C, the commercial aircraft model on which the KC-46A is derived.
If approved, the exemption would expire after 30 June next year, but by then Boeing plans to deliver a permanent fix for the software problem. Meanwhile, Boeing has proposed using a third crew member in the cockpit to mitigate any hazard from the problem while the exemption is in effect. A “delay of FAA action on this petition” would put off the supplemental type certification of the 767-2C and “its entry into service”, Boeing says in the document. The FAA responded to Boeing’s petition 19 days later, but did not immediately approve the exemption. Instead, Paul Siegmund, manager of the FAA’s airplane and flight crew interface section, asked Boeing to provide more details.
After Boeing provides those details, the FAA will publish Boeing’s petition in the Federal Register for a 20-day comment period.Despite the need for an exemption, Boeing isn’t concerned about the impact on the schedule for the KC-46A. “We are working this in concert with the USAF and are confident the FAA will grant an exemption,” Boeing tells FlightGlobal.
Boeing informed the USAF programme office of the new problem in February, the USAF says.
Since then, “the programme office has been working with Boeing to ascertain impacts and potential options” the air force adds, noting any extra costs caused by schedule delays are Boeing’s responsibility. The software flaw affects the aircraft only when the KC-46A is on-loading fuel in-flight into the centre fuel tank.
In Boeing’s view, the problem is highly unlikely to cause a safety hazard. As fuel is onloaded into the tank, three separate functions embedded in a fuel flow controller must fail at the same time and continuously. If they do, however, an overpressure could develop in the centre fuel tank with catastrophic results, Boeing says. But that discovery alone wouldn’t force Boeing to petition the FAA for an exemption. The certification problem for the 767-2C is based on a small detail. All three software functions that could fail operate on a single processor, according to Boeing.
The FAA’s certification rules mandate that such an aircraft use an automatic and independent system for monitoring fuel onloading to prevent an overpressure condition, Boeing’s document says.
Boeing now plans to develop, certificate and deploy such an automated monitoring system within a year. Until then, Boeing will require that the USAF assign a third crew member to monitor the fuel gauges when the aircraft is onloading fuel, according to the document.
The USAF accepts Boeing’s proposed mitigation as “manageable in the short-term”, the service tells FlightGlobal, adding, “the Air Force understands the timeline Boeing has presented to incorporate the necessary changes to remove the [proposed exemption]”.