All new apps must run under NT, Navy CIO Ann Miller says.
The Navy’s systems chief has begun an investigation into the computer failure that left the Aegis cruiser USS Yorktown dead in the water for several hours last fall.
Navy chief information officer Ann Miller is conducting a detailed inquiry of the incident. The Yorktown is the Navy’s test bed for its Smart Ship program, which seeks to reduce crew workloads and operating costs by using shipboard PC systems running under Microsoft Windows NT.
On Sept. 21, 1997, the Yorktown experienced what the Navy called “an engineering LAN casualty” [GCN, July 13, Page 1]. A systems administrator fed bad data into the ship’s Remote Database Manager, which caused a buffer overflow when the software tried to divide by zero. The overflow crashed computers on the LAN and caused the Yorktown to lose control of its propulsion system, Navy officials said.
The Navy CIO Office is trying to determine whether the crash was caused by the software application, NT or some other problem.
“So far, it doesn’t seem like it’s an NT issue but a basic programming problem,” said deputy CIO Ron Turner, who is in charge of the inquiry.
The Navy’s Pacific and Atlantic fleets in March 1997 selected NT 4.0 as the standard operating system for the Navy’s Information Technology for the 21st Century initiative.
Miller recently issued servicewide guidance directing that all new applications must run on PCs under NT.
“The Navy has demonstrated its continued faith in our products by its recent announcement that Phase 2 of its Smart Ship program awarded to Litton Integrated Systems Corp. and the AN/UYQ-70 tactical display workstation contract awarded to Lockheed Martin Corp. will both be built on Windows NT,” said Edmund Muth, Microsoft’s group product manager in Redmond, Wash.
Microsoft officials strongly deny that NT caused the Yorktown’s systems to fail. The responsibility for ensuring ship operations doesn’t rest with the OS but with Yorktown’s system administrators and software programmers, who should have safeguarded the application from propagating the errors, company officials said.
The Yorktown’s Standard Monitoring Control System administrator entered zero in the data field for the Remote Database Manager program, causing the buffer overflow, Navy officials said. Administrators are now aware of the problem of entering zero in the database and are trained to bypass a bad data field and change the value if such a problem occurs again, Navy officials said.
Between July 1995 and June 1997, the Yorktown lost propulsion power to buffer overflows twice while using the new Smart Ship technology, said Capt. Richard Rushton, commanding officer of the Yorktown at the time of the failures. But in each incident the Yorktown crew knew what caused the failure and quickly restored systems, Rushton said.
Because the ship’s new propulsion control system was developed quickly, his programmers knew there were inherent risks, Rushton said.
“We pushed the envelope and knew that events such as what happened in September of last year were possible,” he said.
The Yorktown is equipped with two FFG-7 emergency power units in the event of a propulsion system failure, he said.
NT is essential to future ship system designs such as the Smart Ship program, Rushton said. The Yorktown uses dual 200-MHz Pentium Pro PCs from Intergraph Corp. of Huntsville, Ala., to run NT 4.0 over a high-speed, fiber-optic LAN linked to an Intergraph Pentium Pro server.
“NT was never the cause of any problem on the ship,” Rushton said. “The problems were all in programs, database and code within the individual pieces of software that we were using.”
But some Navy officials are concerned that NT does not have the capability to protect the network from crashing when applications fail.
“Using Windows NT, which is known to have some failure modes, on a warship is similar to hoping that luck will be in our favor,” wrote Anthony DiGiorgio, an engineer with the Atlantic Fleet Technical Support Center, in a June 1998 article titled “The Smart Ship is Not The Answer.”
The article appeared in the U.S. Naval Institute’s Proceedings magazine and is posted on the Web at http://www.usni.org/Proceedings/digiorgio.htm.
“It took two days of pierside maintenance to resolve the [Yorktown] problem, and there have been similar failures in the past when the ship has had to be towed into port,” DiGiorgio noted.
Rushton denied that the Yorktown ever had to be towed into port; it returned to port using emergency power in the September incident, he said.
“The Yorktown should not be held to the standard of a production-level system because the data-field safeguards found in production-level systems were not installed in the Yorktown intentionally,” Rushton said.
“Those were things we accepted and we did what I consider to be a reasonable risk analysis,” Rushton said. “If it appeared to compromise the safety of the crew, we didn’t do it.”