All new apps must run under NT,
Navy CIO Ann Miller says.
The Navy's systems chief has begun an investigation into the computer failure that
left the Aegis cruiser USS Yorktown dead in the water for several hours last fall.
Navy chief information officer Ann Miller is conducting a detailed inquiry of the
incident. The Yorktown is the Navy's test bed for its Smart Ship program, which seeks
to reduce crew workloads and operating costs by using shipboard PC systems running under
Microsoft Windows NT.
On Sept. 21, 1997, the Yorktown experienced what the Navy called an engineering
LAN casualty [GCN, July 13, Page 1]. A systems
administrator fed bad data into the ship's Remote Database Manager, which caused a
buffer overflow when the software tried to divide by zero. The overflow crashed computers
on the LAN and caused the Yorktown to lose control of its propulsion system, Navy
The Navy CIO Office is trying to determine whether the crash was caused by the software
application, NT or some other problem.
"So far, it doesn't seem like it's an NT issue but a basic programming
problem," said deputy CIO Ron Turner, who is in charge of the inquiry.
The Navy's Pacific and Atlantic fleets in March 1997 selected NT 4.0 as the
standard operating system for the Navy's Information Technology for the 21st Century
Miller recently issued servicewide guidance directing that all new applications must
run on PCs under NT.
"The Navy has demonstrated its continued faith in our products by its recent
announcement that Phase 2 of its Smart Ship program awarded to Litton Integrated Systems
Corp. and the AN/UYQ-70 tactical display workstation contract awarded to Lockheed Martin
Corp. will both be built on Windows NT," said Edmund Muth, Microsoft's group
product manager in Redmond, Wash.
Microsoft officials strongly deny that NT caused the Yorktown's systems to fail.
The responsibility for ensuring ship operations doesn't rest with the OS but with
Yorktown's system administrators and software programmers, who should have
safeguarded the application from propagating the errors, company officials said.
The Yorktown's Standard Monitoring Control System administrator entered zero in
the data field for the Remote Database Manager program, causing the buffer overflow, Navy
officials said. Administrators are now aware of the problem of entering zero in the
database and are trained to bypass a bad data field and change the value if such a problem
occurs again, Navy officials said.
Between July 1995 and June 1997, the Yorktown lost propulsion power to buffer overflows
twice while using the new Smart Ship technology, said Capt. Richard Rushton, commanding
officer of the Yorktown at the time of the failures. But in each incident the Yorktown
crew knew what caused the failure and quickly restored systems, Rushton said.
Because the ship's new propulsion control system was developed quickly, his
programmers knew there were inherent risks, Rushton said.
"We pushed the envelope and knew that events such as what happened in September of
last year were possible," he said.
The Yorktown is equipped with two FFG-7 emergency power units in the event of a
propulsion system failure, he said.
NT is essential to future ship system designs such as the Smart Ship program, Rushton
said. The Yorktown uses dual 200-MHz Pentium Pro PCs from Intergraph Corp. of Huntsville,
Ala., to run NT 4.0 over a high-speed, fiber-optic LAN linked to an Intergraph Pentium Pro
"NT was never the cause of any problem on the ship," Rushton said. "The
problems were all in programs, database and code within the individual pieces of software
that we were using."
But some Navy officials are concerned that NT does not have the capability to protect
the network from crashing when applications fail.
"Using Windows NT, which is known to have some failure modes, on a warship is
similar to hoping that luck will be in our favor," wrote Anthony DiGiorgio, an
engineer with the Atlantic Fleet Technical Support Center, in a June 1998 article titled
"The Smart Ship is Not The Answer."
The article appeared in the U.S. Naval Institute's Proceedings magazine and is
posted on the Web at http://www.usni.org/Proceedings/digiorgio.htm.
"It took two days of pierside maintenance to resolve the [Yorktown] problem, and
there have been similar failures in the past when the ship has had to be towed into
port," DiGiorgio noted.
Rushton denied that the Yorktown ever had to be towed into port; it returned to port
using emergency power in the September incident, he said.
The Yorktown should not be held to the standard of a production-level system
because the data-field safeguards found in production-level systems were not installed in
the Yorktown intentionally, Rushton said.
"Those were things we accepted and we did what I consider to be a reasonable risk
analysis," Rushton said. "If it appeared to compromise the safety of the crew,
we didn't do it."