3. Agency HCS-Related Research Program Overviews
3.1 Federal Aviation Administration

An overview of the Federal Aviation Administration's (FAA) far-reaching (10-20 year) research plan was presented to stimulate the workshop participants' thinking about future HCS research. The National Airspace System (NAS) is highly complex and probably the largest system of systems in the world. The overview began with a description of the role of high confidence in air traffic control and the activities taking place in a NAS working group. Results from HCS research are expected to help meet many user needs, including more airspace flight capacity, improved procedural efficiency, shorter travel times, and increased safety. It was noted that introducing new technical capabilities can introduce vulnerabilities (e.g., GPS susceptibility to jamming). Such new capabilities, when provided through open systems built on commercial-off-the-shelf (COTS) software, will almost certainly introduce vulnerabilities. These vulnerabilities, if exploited, will likely have operational impacts such as lost time, wasted fuel, or decreased safety margins. Thus, there is a need to introduce security services into the NAS, in addition to the traditional architectural alternatives such as redundant systems (e.g., the Wide Area Augmentation System as backup technology to GPS). The FAA NAS working group has ongoing work on architectural approaches that focus both on the safety-critical portions of systems and on reducing costs. They are working on testing and verification of software integrity, and on streamlining the software aspects of certification to achieve faster certification at reduced cost with higher confidence in system safety. Current certification takes at least three years and is process intensive. The FAA would like the process to become more product oriented and needs future high confidence research to address shortened product evaluation times (e.g., three to four months).

In the information security (INFOSEC) area, the FAA needs future research to develop and mature a strategy for securing a system of multiply interconnected systems. Their work is categorized under four broad areas: (1) policy application, (2) INFOSEC implementation, (3) intrusion detection, and (4) standards. Two of these areas were addressed in more detail.
3.2 Federal Railroad Administration

The FRA's view of HCS focuses on the need for positive train control (PTC) to enforce train movement authorities and speed limits and to reduce the probability of collisions. Existing railroad signal systems are extremely reliable, but most still permit a single person's mistake to cause an accident (e.g., less than 5 percent of today's railroads have any automated enforcement of signal indications). PTC leaves people in the loop, but intervenes automatically if the people (e.g., engineers, dispatchers) do not respond properly. PTC would use differential GPS and dead reckoning to determine the location of trains and maintenance-of-way equipment. Published and unpublished industry studies have shown that with PTC, the probability of collisions and overspeed accidents would be lowered by a factor of 100 and the annual rate of return on the investment would be 30 percent. In 1993, however, railroad company Chief Executive Officers terminated the industry's PTC program. Possible reasons for this termination include concerns about government regulation, decisions to invest in mergers rather than technology, concerns about the estimated capital investment costs ($3-$4 billion for all U.S. railroads), fears of liability from acknowledging that PTC is safer than current train control systems, and uncertainties about the effectiveness of the technology. In 1994, the FRA submitted a report on PTC to Congress indicating that FRA would initiate a regulatory process for PTC in FY 1997. The collaborative rulemaking has begun, but is moving very slowly. FRA has a $20 million research budget, all of it devoted to safety-related projects. When FRA requested additional money last year to pursue PTC, the Office of Management and Budget (OMB) denied the request. This HCS effort may assist in obtaining some funding to further pursue PTC.
3.3 Federal Transit Administration

The FTA is one of the nine operating administrations of the U.S. Department of Transportation and carries out the Federal mandate to improve public mass transportation. FTA is the principal source of Federal financial assistance for the planning, development, and improvement of public transportation systems. The FTA Office of Research, Demonstration and Innovation, in consultation with other government agencies and the transit industry, initiates projects aimed at improving mobility, economic growth and trade, safety and security, and the human and natural environment. Activities include research, testing, evaluation and documentation, deployment, standards and architecture development, and mainstreaming/implementation. Because its research budget is small, FTA acts as a catalyst to leverage small research investments for enhanced results in identified priority areas. At present, rail transit agencies are looking for a reliable and cost-effective way to improve train throughput using existing infrastructure while concurrently improving safety by several orders of magnitude. Communication-Based Train Control (CBTC) systems, which use modern communications, control, and computer technologies, offer a viable solution. As with other processor-based systems for safety-critical, real-time applications, there is a pressing need to develop a safety verification and validation methodology that is relevant to the application. Techniques such as numerical assurance, checked redundancy, N-version programming, and diversity and self-checking are being considered. FTA is also supporting the development of standards through the Institute of Electrical and Electronics Engineers (IEEE), a standards developing organization, to promote commonality in functionality, operations, and interoperability.
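
The techniques named above (N-version programming, checked redundancy, self-checking) are easiest to see in code. The following is an added illustration written for this page; it is not FTA's, IEEE's, or any transit vendor's code. The decision being computed (must the train brake now to stop before a target?), the three diverse implementations of it, the deliberately faulty fourth version used for fault injection, and the sample inputs are all constructed assumptions for the example.

```python
"""N-version programming with a 2-of-3 majority voter and self-checks.

Added example, not FTA's or any vendor's code.  The braking decision,
the diverse versions, the faulty version and the inputs are assumptions.
"""
from collections import Counter
from dataclasses import dataclass
import math


@dataclass(frozen=True)
class TrainState:
    speed_mps: float    # current speed, metres per second
    distance_m: float   # distance to the stop target, metres
    max_decel: float    # guaranteed service-brake deceleration, m/s^2


# Braking is the safe action: if the versions cannot agree, brake.
SAFE_ACTION = True


# Three diverse implementations of one specification: "brake if the
# stopping distance v^2 / (2a) is at least the remaining distance".
# Each uses a different formulation so a slip in one is unlikely to be
# reproduced in the others (the point of design diversity).

def version_a(s: TrainState) -> bool:
    # Distance formulation: compute the stopping distance directly.
    stopping_m = s.speed_mps ** 2 / (2.0 * s.max_decel)
    return stopping_m >= s.distance_m


def version_b(s: TrainState) -> bool:
    # Speed formulation: highest speed that can still stop in distance_m.
    v_max = math.sqrt(2.0 * s.max_decel * s.distance_m)
    return s.speed_mps >= v_max


def version_c(s: TrainState) -> bool:
    # Integer formulation in centimetre units, avoiding floating point.
    v = round(s.speed_mps * 100)
    d = round(s.distance_m * 100)
    a = round(s.max_decel * 100)
    return v * v >= 2 * a * d


def version_faulty(s: TrainState) -> bool:
    # Constructed faulty version for fault injection: optimistic about
    # braking (wrong constant), so alone it would let a train overrun.
    stopping_m = s.speed_mps ** 2 / (4.0 * s.max_decel)
    return stopping_m >= s.distance_m


def plausible(s: TrainState) -> bool:
    """Self-check on inputs before any version is consulted: reject NaN
    or infinity, negative speed or distance, non-positive deceleration."""
    return (math.isfinite(s.speed_mps) and s.speed_mps >= 0.0
            and math.isfinite(s.distance_m) and s.distance_m >= 0.0
            and math.isfinite(s.max_decel) and s.max_decel > 0.0)


def vote(results, min_agree: int = 2):
    """Majority vote over boolean results -> (decision, unanimous).

    Without at least min_agree matching votes the safe action is chosen
    and unanimous is False, so the caller can log a detected fault."""
    value, count = Counter(results).most_common(1)[0]
    if count >= min_agree:
        return value, count == len(results)
    return SAFE_ACTION, False


def must_brake(s: TrainState, versions=(version_a, version_b, version_c)):
    """Run the diverse versions on the same input and vote on the result.

    A version that raises loses its vote; fewer than two surviving votes
    means fail to the safe action (checked redundancy, fail-safe)."""
    if not plausible(s):
        return SAFE_ACTION, False
    results = []
    for version in versions:
        try:
            results.append(bool(version(s)))
        except (ValueError, ArithmeticError):
            continue
    if len(results) < 2:
        return SAFE_ACTION, False
    return vote(results)


if __name__ == "__main__":
    # Constructed sample inputs.
    clear = TrainState(speed_mps=20.0, distance_m=500.0, max_decel=1.0)
    close = TrainState(speed_mps=30.0, distance_m=400.0, max_decel=1.0)
    print("clear track :", must_brake(clear))   # (False, True)
    print("close target:", must_brake(close))   # (True, True)
    # Fault injection: the voter masks the faulty version and flags it.
    print("with fault  :", must_brake(close, (version_a, version_b, version_faulty)))  # (True, False)
    # Self-check: implausible input fails to the safe action.
    print("bad input   :", must_brake(TrainState(float("nan"), 100.0, 1.0)))  # (True, False)
```

The second element of the returned pair is what makes this checked rather than merely redundant: a non-unanimous vote is still acted on safely, but it is reported so the disagreeing version can be diagnosed rather than silently outvoted forever. Note that the integer version can legitimately differ from the floating-point ones exactly at the braking boundary; in a real design that tolerance band would itself be specified and tested.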
3.4 Food and Drug Administration

The FDA is not a research funding organization. With respect to HCS, there is a $2 million budget that supports one of the five FDA centers looking at product approval issues. This center is concerned with software in two areas: the production of products and process control. FDA deals with a wide range of manufacturers (median size is 50 employees, and none of the companies shares information) and a wide range of user expertise (from doctors in a hospital to patients at home), which leads to user interface problems. Since the FDA does not have much money for research, it focuses on supportive efforts (e.g., education, guidance, and standards). Given the pressure to use COTS software, the FDA is interested in research on how to validate COTS software. There is concern about near-term solutions because verification is currently left to the vendor of each product. It would be helpful to have evaluation methods for running existing products through a standard test suite. Legally, the FDA can only regulate products marketed commercially; it cannot regulate what doctors privately develop and use as part of their practice of medicine within their own offices.
3.5 National Library of Medicine

The National Institutes of Health (NIH), of which NLM is a part, is most interested in research on issues related to High End Computing and Communications (HECC) and the Next Generation Internet (NGI). Medicine and health care are more probabilistic than high confidence. NIH is not developing HCS technology, but uses high confidence systems and pushes them to the limit. The greatest need within NIH and the practice of medicine is for confidentiality, integrity, and availability of health records. The greatest security threat is insiders. Their goal is to achieve 100 percent availability with appropriate access control; they cannot "fail safe" by denying access, because a lack of information could mean that a patient dies. They also need reliable computation systems (e.g., for image and sound enhancement) and control systems (e.g., for telemedicine and telesurgery). Current technology research funding goes toward demonstrating technologies that are given to NIH. A small amount of HCS-related research is addressing wide area networking for hospitals to integrate their functions.
3.6 Department of Treasury

The Department of Treasury is a very diverse organization with diverse missions, supported by systems that must survive in all kinds of environments and be trusted. They have $1.8 billion for information systems research, of which $1.2 billion goes to the Social Security Administration, and there are no direct funds for HCS. Treasury conducts red team exercises and tries to require vendors to use the Capability Maturity Model for software development. They have to accommodate a variety of technologies and user capabilities when they deliver services to customers (e.g., many do not have access to a computer, a bank account, or even a telephone). Treasury's problem areas include engineering process integration, requirements definition, user/customer interface, and programming tools and techniques. Treasury has big legacy programs that continue to run on a quagmire of technologies, but they are trying to look more than ten years out toward a unified interface and interoperability. Their most important requirement is the security and safety of the services they provide. They have some pilot projects with banks (e.g., smart cards), and they are always looking to improve security for physical and electronic transactions while keeping an audit trail for accountability. They are wary of industry partnerships in which products become co-dependent, tying organizations to particular products.
3.7 Secret Service

The two primary goals of the Secret Service are to be the premier law enforcement agency and to protect financial transactions. The Secret Service gets involved in a wide variety of research (e.g., behavioral, engraving/printing, chem/bio). They have a pressing need to facilitate communication between different groups (e.g., Secret Service, Park Police, city police, ambulance). Within the National Performance Review (NPR) Information Technology Objectives, ITO-4 contains a research project looking at a wireless infrastructure for all law enforcement and public safety communities. One particular concern within this wireless communications infrastructure is being able to reserve part of the communications spectrum for law enforcement.
3.8 National Aeronautics and Space Administration

NASA provided a program overview at the last HCS Workshop. Updating that overview, there was brief mention of an evolving NASA program to develop a safe, robust, secure datalink to assure free-flight avionics systems. It was noted that there will be a workshop at the end of April at NASA-Ames to define the program. The update focused primarily on aeronautics (rather than on space). There is an Aviation Safety Investment Strategy Team (ASIST) that consists of over 200 industry representatives plus some government people. Four of the primary investment areas that were identified by the ASIST subteam on Flight Critical Systems and Information Integrity (FCSII) were discussed:
3.9 Department of Energy

DoE also provided a program overview at the last HCS Workshop. Updating that overview, the discussion focused on DoE's "open" side (as opposed to the "dark" or defense side), where they do a lot of work with international groups and universities. Two projects currently ongoing at DoE were described:
3.10 Nuclear Regulatory Commission

The NRC update of its previous overview began with an explanation of NRC's standard plan for reviewing software, which focuses mostly on process but is also looking at the product. A new NRC report (NUREG/CR-6463, available at www.nrc.gov) identifies computer language features that are not advisable to use in high confidence systems. The NRC believes it will achieve a high payoff by looking at hazards from a system view. The next phase of this research will be to decompose system requirements into system, component, and human parts. They are also doing research in software reliability metrics, and have found that different metrics have different benefits at different times during development. There will be a metrics conference in Bethesda, MD, in November 1998. Other NRC HCS research efforts include working with the University of Virginia on modeling and simulation, addressing sampling rates of digital systems, and looking at various tools to evaluate products. Risk-based, performance-based evaluation is a new research area being pursued by the NRC because no one knows how to prove very high reliability (e.g., a failure probability of 10^-9).
3.11 National Institute of Standards and Technology

The NIST update began by noting that until recently, NIST activities had been driven by the Brooks Act. Now, NIST is trying to work with industry to make products better through measurement and test of software. Approximately $2.5 million is devoted to this effort, which has three thrusts:
3.12 National Institutes of Health

The NIH representative noted in his update that a Presidential Commission on quality in the health care industry has also documented the alarming statements he previously provided at the August 1997 workshop. Having compared standards with research budgets (standards groups are using standards to drive the research being performed by companies in that area), the NIH representative recommended that research be focused on the critical portions of real-world systems. These sorts of workshops help to disseminate HCS research, which is vital to the NIH community. It was noted in the update that the medical informatics community wants no regulation on its own work, but wants heavy regulation on anything from outside the community. Also mentioned was a 30-year-old study on uncertainties and the need to focus on them.