(19)
(11)EP 3 304 289 B1

(12)EUROPEAN PATENT SPECIFICATION

(45)Mention of the grant of the patent:
08.11.2023 Bulletin 2023/45

(21)Application number: 16727791.2

(22)Date of filing:  01.06.2016
(51)International Patent Classification (IPC): 
G06F 9/445(2018.01)
G06F 11/14(2006.01)
(52)Cooperative Patent Classification (CPC):
G06F 9/445; G06F 11/1479
(86)International application number:
PCT/GB2016/051595
(87)International publication number:
WO 2016/193712 (08.12.2016 Gazette  2016/49)

(54)

SAFE AIRCRAFT AVIONICS SYSTEM INTERFACE

SICHERE SCHNITTSTELLE FÜR FLUGZEUGAVIONIKSYSTEM

INTERFACE SÛR POUR UN SYSTÈME D'AVIONIQUE


(84)Designated Contracting States:
AL AT BE BG CH CY CZ DE DK EE ES FI FR GR HR HU IE IS IT LI LT LU LV MC MK MT NL NO PL PT RO RS SE SI SK SM TR

(30)Priority: 02.06.2015 GB 201509506
02.06.2015 EP 15275145

(43)Date of publication of application:
11.04.2018 Bulletin 2018/15

(73)Proprietor: BAE Systems PLC
London SW1Y 5AD (GB)

(72)Inventor:
  • AMOR, James, Richard
    Preston Lancashire PR4 1AX (GB)

(74)Representative: BAE SYSTEMS plc Group IP Department 
Warwick House P.O. Box 87 Farnborough Aerospace Centre
Farnborough Hampshire GU14 6YU
Farnborough Hampshire GU14 6YU (GB)


(56)References cited: : 
EP-A1- 2 166 455
US-A1- 2011 295 448
EP-A2- 2 819 317
  
  • HAVELUND KLAUS ED - HAI JIN ET AL: "Runtime Verification of C Programs", 10 June 2008 (2008-06-10), GRID AND COOPERATIVE COMPUTING - GCC 2004 : THIRD INTERNATIONAL CONFERENCE, WUHAN, CHINA, OCTOBER 21 - 24, 2004 IN: LECTURE NOTES IN COMPUTER SCIENCE , ISSN 0302-9743 ; VOL. 3251; [LECTURE NOTES IN COMPUTER SCIENCE , ISSN 1611-3349], SPRINGER VERLAG,, XP047306227, ISSN: 0302-9743 ISBN: 978-3-642-36699-4 sections 1, 2 (first paragraph), 3.2, 3.4
  
Note: Within nine months from the publication of the mention of the grant of the European patent, any person may give notice to the European Patent Office of opposition to the European patent granted. Notice of opposition shall be filed in a written reasoned statement. It shall not be deemed to have been filed until the opposition fee has been paid. (Art. 99(1) European Patent Convention).


Description

FIELD OF THE INVENTION



[0001] The present invention relates to aircraft avionics system and interfaces therewith.

BACKGROUND



[0002] Aircraft avionics systems include sensors, communication systems, and navigation systems that may be used during the operation of the aircraft (e.g. inflight), and for maintenance of the aircraft. Typically aircraft avionics systems are closed systems which do not permit operators from using non-integrated electronics to communicate with the avionics system. For example, an aircraft avionics system may be qualified with respect to stringent reliability, safety and security regulations.

[0003] Many aircraft operators would like to use non-qualified, commercially available computing devices, such as tablet computers, to interface with the aircraft avionics system.

[0004] EP2166455A1 discloses a method of testing components and systems on an aircraft for maintenance purposes using an external device wherein requests from the external device to the secure avionics of the aircraft are filtered according to pre-determined criteria to protect the aircraft.

SUMMARY OF THE INVENTION



[0005] In a first aspect, there is provided an apparatus according to claim 1.

[0006] The interface module is further configured to, responsive to determining that the certain function does not satisfies at least one of the test criteria that correspond to the certain function, prevent the function request from being sent to the aircraft avionics system

[0007] The interface module is further configured to, responsive to determining that the certain function does not satisfy at least one of the test criteria that correspond to the certain function, close (i.e. sever) a communication link between the interface module and the entity remote from the aircraft avionics system.

[0008] The interface module may be further configured to, responsive to determining that the certain function does correspond to at least one of the test criteria, prevent the function request from being sent to the aircraft avionics system.

[0009] The aircraft avionics system may be configured to perform the certain function specified in the function request output by the interface module, thereby generating an avionics system output. The interface module may be configured to output, for use by the entity remote from the aircraft avionics system, the avionics system output.

[0010] The interface module may be further configured to establish a communications link with the entity that is remote from the avionics system. The interface module may be further configured to perform a handshaking process with the entity that is remote from the avionics system including acquiring one or more connection criteria for the entity. The interface module may be further configured to, while the communication link between the interface module and the entity is established (i.e. continuously or intermittently for the duration of the link), test communications between the interface module and the entity against the one or more connection criteria for the entity. The interface module may be further configured to, responsive to determining that the communications between the interface module and the entity satisfy all of the connection criteria for the entity, maintain the communication link between the interface module and the entity.

[0011] The interface module may be further configured to, responsive to determining that the communications between the interface module and the entity do not satisfy at least one of the connection criteria for the entity, prevent communications from the entity from being sent to the aircraft avionics system.

[0012] The interface module may be further configured to, responsive to determining that the communications between the interface module and the entity do not satisfy at least one of the connection criteria for the entity, close the communication link between the interface module and the entity.

[0013] The handshaking process between the interface module and the entity may include the interface module providing information that specifies the one or more functions performable by the aircraft avionics system for use by the entity.

[0014] In a further aspect, the present invention provides a system comprising an aircraft according to any preceding aspect, and the entity remote from the aircraft avionics system. The entity is configured to send, to the interface module, the function request for the avionics system to perform the certain function.

[0015] The entity may be remote from the aircraft.

[0016] The entity may be a computer selected from the group of computers consisting of a mobile communication device, a desktop personal computer, a laptop computer, a tablet computer, a mobile station, a wireless phone, a smartphone, a netbook, and dedicated aircraft computing hardware.

[0017] In a further aspect, the present invention provides a data communication method according to claim 15.

[0018] In a further aspect not forming part of the invention, there is provided a program or plurality of programs arranged such that when executed by a computer system or one or more processors it/they cause the computer system or the one or more processors to operate in accordance with the method of the preceding aspect.

[0019] In a further aspect not forming part of the invention, there is provided a machine readable storage medium storing a program or at least one of the plurality of programs according the preceding aspect.

BRIEF DESCRIPTION OF THE DRAWINGS



[0020] 

Figure 1 is a schematic illustration (not to scale) of a system comprising an aircraft avionics system and interface thereto; and

Figure 2 is a process flow chart showing certain steps of a method of communication implemented by the system.


DETAILED DESCRIPTION



[0021] Figure 1 is a schematic illustration (not to scale) of a system 100 in which an embodiment of an aircraft avionics system and interface thereto is shown.

[0022] The system 100 comprises an aircraft 102, a tablet computer 104, and a human user 106.

[0023] The aircraft 102 may be any appropriate type of aircraft. The aircraft 102 comprises an aircraft avionics system 108 and a first interface module 110.

[0024] In this embodiment, the aircraft avionics system 108 comprises inter alia multiple sensors, communications systems, and navigation systems, which are hereinafter collectively referred to as "avionics modules" and are indicated in Figure 1 by a plurality of boxes and the reference numeral 111. The avionics modules 111 may be operatively connected together. The aircraft avionics system 108 is implemented in hardware and software that has been qualified with respect to one or more predetermined reliability, safety, and/or security standards.

[0025] The aircraft avionics system 108 is coupled to the first interface module 110 such that signals may be sent between the aircraft avionics system 108 and the first interface module 110. For example, as described in more detail later, in operation one or more avionics modules 111 of the aircraft avionics system 108 provide data to the first interface module 110. Also, the first interface module 110 may send control signals or instruction signals to one or more of the avionics modules 111 of the aircraft avionics system 108.

[0026] In this embodiment, in addition to being connected to the aircraft avionics system 108, the first interface module 110 is connected to the tablet computer 104 such that information may be sent between the first interface module 110 and the tablet computer 104.

[0027] The first interface module 110 acts as a partition, i.e. a gateway or firewall, between the aircraft avionics system 108 and the tablet 104.

[0028] The first interface module 110 may be provided as software running in one or more processors located on board the aircraft 102, for example on one or more of the avionics modules 111. In this embodiment, the first interface module 110 is implemented in hardware and software that has been qualified with respect to the same one or more predetermined reliability, safety, and/or security standards to which the avionics system conforms.

[0029] The first interface module 110 comprises a first database 112, a second database 113, and a third database 114.

[0030] The first database 112 comprises a list of functions or operations performable by the aircraft avionics system 108. For example, a function listed in the first database 112 may specify an operation that may be performed by a single avionics module 111, or cooperatively by a group of avionic modules 111. For example, the first database may include a route planning function for determining a route for the aircraft 102 between two specified waypoints. This route planning function may be performable by one or more avionics modules 111 of the aircraft avionics system 108 including, for example, a navigation system, an orientation sensor, a speed sensor, and an altitude sensor.

[0031] The second data base 113 comprises, for each of the functions listed in the first database 112, one or more criteria, each of which is hereinafter referred to as a "function criterion". The function criteria will be described in more detail later below with reference to Figure 2. Each function criterion for a function specifies how that function is to be used. For example, a function criterion for a particular function may specify that that function may not be called or requested more frequently than once per second.

[0032] The third data base 114 comprises, for each device or other module connected to the first interface module 110, one or more criteria, each of which is hereinafter referred to as a "connection criterion". In this embodiment, the third database 114 includes one or more connection criteria for the tablet computer 104. Also, in some embodiments, the third database 114 includes one or more connection criteria for one or more of the avionics modules 111. The connection criteria will be described in more detail later below with reference to Figure 2. Each connection criterion for a device connected to the first interface module 110 is a criterion that is to be fulfilled in order for that connection between the first interface module 110 and the connecting device to remain established. Each connection criterion for a device connected to the first interface module 110 is a criterion that is to be fulfilled by that connecting device, the first interface 110, and/or the connection between the first interface 110 and that connecting device. For example, a connection criterion for a device connected to the first interface module 110 may specify that a health status message must be received by the first interface module 110 from the connecting device 104 every 250ms in order for the connection between the first interface module 110 and that connecting device to be maintained. Thus the connection is tested continuously or intermittently for the duration of the connection.

[0033] The tablet computer 104 comprises a second interface module 116 and a touchscreen display 118.

[0034] In this embodiment, the second interface module 116 is coupled to the first interface module 110, via a wired or wireless communications link, such that signals may be sent between the interface modules 110, 116. The connection between the first and second interface modules 110, 116 is hereinafter referred to as the "communications link" and is indicated in Figure 1 by the reference numeral 120. The communications link 120 may be any appropriate type of communications link including, but not limited to, a WiFi link, a Bluetooth link, an Ethernet link (which may, for example, utilise the Internet Protocol), and a serial link.

[0035] In addition to being connected to the first interface module 110. The second interface module 116 is connected to the touch screen display 118 such that signals may be sent between the second interface module 116 and the touch screen display 118.

[0036] The second interface module 116 may be provided as software running in one or more processors located in the tablet computer 104.

[0037] The second interface module 116 is configured to process information received from the first interface module 110, and display that processed information to the user 106 on the touchscreen display 118.

[0038] The touchscreen display 118 is configured to display information received from the second interface module 116 to the user 106. The touchscreen display 118 is further configured to receive a user input from the user 106, for example, as a touch gesture. The touchscreen display 118 is configured to send a signal corresponding to the received user input to the second interface module 116. Thus, the user 106 may input requests, instructions, and/or other information into the tablet computer 104.

[0039] Apparatus, including the interface modules 110, 116, for implementing the above arrangement, and performing the method steps to be described later below, may be provided by configuring or adapting any suitable apparatus, for example one or more computers or other processing apparatus or processors, and/or providing additional modules. The apparatus may comprise a computer, a network of computers, or one or more processors, for implementing instructions and using data, including instructions and data in the form of a computer program or plurality of computer programs stored in or on a machine readable storage medium such as computer memory, a computer disk, ROM, PROM etc., or any combination of these or other storage media.

[0040] Figure 2 is a process flow chart showing certain steps of a method of communication implemented by the system 100.

[0041] At step s2, the second interface module 116 connects to the first interface module 110. The user 106 may operate the tablet computer 104 using the touchscreen display 118 to cause the second interface module 116 to connect with to the first interface module 110. Thus, the communications link 120 is established. In some embodiments, the communication link 120 is established automatically at system start-up, for example, without input from the user 106.

[0042] At step s4, the first and second interface modules 110, 116 perform a hand-shaking process via the communications link 120.

[0043] In this embodiment, the handshaking process is an automated process of negotiation between the first and second interface modules 110, 116 that dynamically sets parameters of the communications link 120 established between those two entities. The handshaking process between the first and second interface modules 110, 116 may include the determination of the latest version of communication software that is common to both the first and second interface modules 110, 116. The communication parameters set for the communication link 120 by the handshaking process may be dependent upon the latest version of communication software that is common to both the first and second interface modules 110, 116.

[0044] In this embodiment, the handshaking process between the first and second interface module 110, 116 includes setting the connection criteria for the tablet computer 104. The connection criteria for the tablet computer 104 established by the handshaking process are stored in the third database 114 of the first interface module 110. The connection criteria for the tablet computer 104 are criteria that must be fulfilled in order for the communication link 120 between the first interface module 110 and the second interface module 120 to remain established.

[0045] The handshaking process may set communication parameters including, but not limited to, information transfer rate, encoding, and any other protocol or hardware features. The connection criteria may, for example, be criteria for one or more of the communication parameters.

[0046] In this embodiment, throughout the performance of the remainder of the process of Figure 2, i.e. during the performance of steps s6 to s24, the connection criteria for the tablet computer 104 that are set during the handshaking process of step s4 and stored in the third database 114 are tested by the first interface module 110 to ensure that each of those connection criteria is satisfied. For example, for a connection criterion that specifies that a health status message must be received by the first interface module 110 from the tablet computer 104 at least every 250ms, the first interface module 110 will test every 250ms whether or not a new health status message has been received by the first interface module 110 from the tablet computer 104.

[0047] In this embodiment, if all connection criteria for the tablet computer 104 stored within the third database 114 are satisfied, then the first interface module 110 maintains the communication link 120. However, if at any point during the performance of steps s6 to s24, the first interface module 110 determines that one or more of the connection criteria for the tablet computer 104 is not satisfied, the first interface module 110 blocks the communication between the tablet computer 104 and the aircraft avionics system 108. In particular, the first interface module 110 prevents signals being sent from the tablet 104 to the aircraft avionics module 108 and vice versa.

[0048] By determining that one or more connection criteria for the tablet computer 104 are not satisfied, the first interface module 110 determines that there is a risk that operation of the tablet computer 104 may cause one or more of the avionics modules 111 to operate outside of the one or more predetermined reliability, safety, and/or security standards to which the avionics system 108 currently conforms. Thus, by preventing signals being sent between the aircraft avionics system 108 and the tablet computer 104, the first interface module 110 minimises or eliminates a chance of the aircraft avionics system 108 being operated outside of its declared clearances.

[0049] In some embodiments, in response to the first interface module 110 determining that one or more connection criteria for the tablet computer 104 are not satisfied, the first interface module 110 severs (i.e. breaks or closes) the communication link 120. Thus, all communication between the aircraft avionics system 108 and the tablet computer 104 is stopped until, for example, a reset process is performed and the handshaking process is re-performed. An interval may be imposed by the system between severing the communication link 120 and initiating the reset process and re-performing the handshaking process.

[0050] At step s6, the second interface module 116 sends a request for data items to the first interface module 110 via the communication link 120.

[0051] In this embodiment, the request for data items is sent responsive to the completion of the handshaking process between the interface modules 110, 116. However, in other embodiments, the sending of the request for data items is triggered in a different way, for example, in some embodiments the user 106 inputs, using the touchscreen display 118, a list of data items, and the second interface module sends a request for those listed data items to the first interface module 110.

[0052] At step s8, the first interface module 110 acquires the requested data items from the aircraft avionics system 108, and sends those data items to the second interface module 116 via the communications link 120. In some embodiments, the transmission of data items from the aircraft avionics system 108 to the second interface module 116 is a continuous process. For example, the data items may be continuously transmitted at a requested rate until a request to stop is transmitted from the tablet computer 104 to the aircraft avionics system 108.

[0053] Output of data items by the avionics modules 111 of the aircraft avionics system 108 is normal operation of those avionics modules 111. Streaming of the data items from the first interface module 110 to the second interface module 116 is independent of and separate to the operation of the aircraft avionics system 108. Thus, the sending (e.g. streaming) of data items from the avionics system 108 to the tablet computer 104 is performed in a way that maintains the conformity of the aircraft avionics system 108 with the one or more predetermined reliability, safety, and/or security standards.

[0054] At step s10, the second interface module 116 process the received data items and displays, on the touchscreen display 118, the processed data items to the user 106.

[0055] At step s11, the second interface module 116 acquires the list of the functions or operations performable by the aircraft avionics system 108, and displays, on the touchscreen display 118, those functions to the user 106. In other words, the touchscreen display 118 displays to the user 106 the functions that are stored in the first database 112. In some embodiments, the list of functions is stored in a memory of the tablet 104 and is acquired by the second interface module 116 from that local memory. In some embodiments, the second interface module 116 acquires the list of functions from an entity remote from the tablet computer 104, for example by downloading the list of functions from the first interface module 110 using the communications link 120, or from a remote server via the Internet. In some embodiments, a different interface is displayed on the touchscreen display 118 instead of or in addition to the list of functions, for example an interface that utilises the underlying functions may be displayed.

[0056] At step s12, based on the displayed data items, the user 106 selects, using the touchscreen display 118, a function to be performed by the aircraft avionics system 108. For example, the user 106 may, based on displayed navigation data, select that the aircraft avionics system 108 calculate a waypoint for the aircraft 102, which may be for performance by a navigation system of the aircraft 102. The second interface module 116 generates a function request corresponding to the function selected by the user 106.

[0057] At step s14, the second interface module 116 sends the function request to the first interface module 110 via the communication link 120.

[0058] At step s16, the first interface module 110 determines whether or not the received function request satisfies each of the function criteria corresponding to that selected function that are stored within the second data base 113. For example, if a function criterion for the selected function specifies that the selected function may not be called or requested more frequently than once per second, the first interface module 110 checks that the selected function has not been previously requested in the previous second.

[0059] If, at step s16, the first interface module 110 determines that each of the function criteria corresponding to the requested function is satisfied by the received function request, the process of Figure 2 proceeds to steps s18.

[0060] If, at step s16, the first interface module 110 determines that at least one of the function criteria corresponding to the requested function is not satisfied by the received function request, the process of Figure 2 proceeds to steps s24. Step s24 will be described in more detail later below after a description of steps s18 to s22.

[0061] In this embodiment, if the first interface module 110 determines that the received function request corresponds to an unrecognised function, i.e. to a function for which there are no corresponding function criteria stored in the second database 113, the process of Figure 2 proceeds to steps s24.

[0062] Thus, the first interface module 110 checks whether or not the performing of the requested function by the avionics system 108 would cause one or more of the avionics modules 111 to operate outside of the one or more predetermined reliability, safety, and/or security standards to which the aircraft avionics system 108 conforms.

[0063] At step s18, responsive to determining that all function criteria corresponding to the requested function are satisfied by the received function request, the first interface module 110 forwards the received function request to the avionics system 108. Thus, only functions that do not cause any of the avionics modules 111 to operate outside of the one or more predetermined reliability, safety, and/or security standards are requested.

[0064] At step s19, the aircraft avionics system 108 performs the requested function.

[0065] In some embodiments, the first interface module 110 does not relay the function request to the aircraft avionics system 108 and instead may control the aircraft avionics system 108 to perform the requested function.

[0066] At step s20, an output of the aircraft avionics system 108 resulting from the aircraft avionics system 108 performing the requested function is sent from the aircraft avionics system to the second interface module 116 of the tablet computer 104 via the first interface module 110 and the communications link 120.

[0067] In some embodiments, the output of the aircraft avionics system 108 is data computed by performing the requested function. In some embodiments, the output of the aircraft avionics system 108 is an acknowledgment that the requested function has been received and/or performed. In some embodiments, the aircraft avionics system 108 does not produce an output when it performs the requested function.

[0068] The performing of the requested function by the avionics modules 111 of the aircraft avionics system 108 tends to be normal operation of those avionics modules 111, as ensured by the testing of the function request against the function criteria. The sending of the function output from the first interface module 110 to the second interface module 116 is independent of and separate to the operation of the aircraft avionics system 108. Thus, the sending of the function output from the aircraft avionics system 108 to the tablet computer 104 is performed in a way that maintains the conformity of the aircraft avionics system 108 with the one or more predetermined reliability, safety, and/or security standards.

[0069] At step s22, the second interface module 116 process the received function output and displays, on the touchscreen display 118, the function output to the user 106.

[0070] After step s22, the process of Figure 2 ends. In some embodiments, the process may return to a previous step, for example, step s10.

[0071] Returning to the case where, at step s16, the first interface module 110 determines that one or more function criteria corresponding to the requested function are not satisfied by the received function request, at step s24, the first interface module 110 blocks the communication between the tablet computer 104 and the aircraft avionics system 108. In particular, the first interface module 110 prevents the function request from being sent to the aircraft avionics system 108.

[0072] By determining that one or more function criteria corresponding to the requested function are not satisfied by the received function request, the first interface module 110 determines that there is a risk that requesting the aircraft avionics system 108 to perform the requested function may cause one or more of the avionics modules 111 to operate outside of the one or more predetermined reliability, safety, and/or security standards to which the avionics system 108 currently conforms. Thus, by preventing the aircraft avionics system 108 from receiving function requests that do not satisfy all relevant function criteria, the first interface module 110 minimises or eliminates a chance of the aircraft avionics system 108 being operated outside of its declared clearances.

[0073] In some embodiments, in response to the first interface module 110 determining that one or more function criteria corresponding to the requested function are not satisfied by the received function request, the first interface module 110 severs (i.e. breaks or closes) the communication link 120. Thus, all communication between the aircraft avionics system 108 and the tablet computer 104 is stopped until, for example, a reset process is performed and the handshaking process is re-performed. This severing of the communication link 120 may be performed instead of or in addition to the first interface module 110 blocking the communication between the tablet computer 104 and the aircraft avionics system 108.

[0074] After step s24, the process of Figure 2 ends.

[0075] Thus, a method of communication implemented by the system 100 is provided.

[0076] The above described system advantageously tends to provide that aircraft operators may use commercially available tablet computers to receive data from the aircraft avionics system, and send function requests or other data to the aircraft avionics system, without requiring the tablet computers to be certified devices, i.e. without requiring that the tablet computers have been qualified with respect to the same one or more predetermined reliability, safety, and/or security standards to which the aircraft avionics system conforms.

[0077] Advantageously, the signals from an uncertified source that may cause the avionics system to operate outside of its qualification tend to be prevented from being sent to the aircraft avionics system. Thus, the integrity of the aircraft avionics system tends to be maintained.

[0078] The above described system advantageously tends to avoid having to qualify the tablet computer, or another device that connects to the first interface module, with respect to the one or more predetermined reliability, safety, and/or security standards to which the aircraft avionics system conforms. Furthermore, end-to-end integration testing, for example when the tablet computer software or the first interface module software is modified, tends to be avoided. The aircraft avionics system is advantageously independent of the interface modules.

[0079] Advantageously, the function criteria stored in the first interface module may be easily modified to account for modifications to the aircraft avionics system.

[0080] The above described system is advantageously useable for both inflight operations as well as maintenance functions. For example, the system can be used for storing flight log data, pilot reports, aircraft fault isolation applications, aircraft troubleshooting, moving map applications, and administrative communications functions. In some embodiments, the tablet computer may be inside an aircraft (e.g. in the aircraft cockpit), for example, while the aircraft is inflight to control the aircraft.

[0081] Advantageously, the agility of the tablet computer tends to be maintained, while also allowing operation of the tablet computer with the aircraft avionics system. Thus, the tablet computer is free to perform software updates and include new software without having to undergo qualification with respect to the avionics system certification. The first interface module screens communications between the avionics system and the tablet computer.

[0082] The function criteria used by the first interface device are dependent upon the avionics modules present in the aircraft avionics system. Thus, in effect, the first interface device is "aware" of the system composition of the aircraft avionics system. The rules and criteria enforced by the first interface module are based on the operation and capabilities of the aircraft avionics system. If an avionics module is changed for a different avionics module, updated, or removed from the aircraft avionics system, the function criteria and/or the connection criteria implemented by the first interface device may be updated accordingly. This tends not to require changes to be made to the software of the tablet computer. Thus, the system is advantageously flexible.

[0083] Advantageously, the tablet computer only communicates directly with the first interface module. Thus, the tablet computer is effectively "blind" to the aircraft avionics system. Thus, the tablet computer, including the second interface module, may be used to communicate with multiple different aircraft, each of which may include aircraft avionics systems having different compositions, and different first interface devices implementing different sets of rules/criteria.

[0084] Advantageously, the first interface module may perform functions involving multiple avionics modules, thereby leveraging additional capability from the avionics modules.

[0085] It should be noted that certain of the process steps depicted in the flowchart of Figure 2 and described above may be omitted or such process steps may be performed in differing order to that presented above and shown in Figure 2. Furthermore, although all the process steps have, for convenience and ease of understanding, been depicted as discrete temporally-sequential steps, nevertheless some of the process steps may in fact be performed simultaneously or at least overlapping to some extent temporally.

[0086] In the above embodiments, the first interface module controls data flow to and from the aircraft avionics system. However, in other embodiments, the first interface module controls data flow to and/or from a different system instead of or in addition to the aircraft avionics system such as a different aircraft subsystem, for example, an aircraft propulsion system.

[0087] In the above embodiments, a single tablet computer is connected to the aircraft and data is passed between the aircraft and that tablet computer. However, in other embodiments, multiple tablet computers are used, either simultaneously or in series. In some embodiments, a different device is used instead of or in addition to one or more of the tablet computers. Preferably portable (e.g. hand-held) communication devices are used. Any appropriate type of computer may be used. Examples of devices that may be used instead of or in addition to a tablet computer include, but are not limited to, a desktop personal computer, a laptop computer, a tablet computer, a mobile station, a wireless phone, a smartphone, a netbook, etc.

[0088] In the above embodiments, the entity or device (which for example is a single tablet computer), is wholly contained within, or wholly on board the aircraft. In particular the entity or device is within the cockpit of the plane and accessible and operable by the pilot.

[0089] Typically the entity or device, once in the cockpit will form a communications link with only the systems onboard or within the aircraft. For instance, the entity may communicate with only the on-board avionics systems.

[0090] In the above embodiments, at step s6, the second interface module sends a request for data items to the first interface module via the communication link. In some embodiments, the first interface module tests these requests for data against one or more of the stored criteria. The first interface module may permit the data requests if all relevant criteria are satisfied. Also, the first interface module may block the requests and/or sever the communication link if one or more of the relevant criteria are not met by the data requests.


Claims

1. An aircraft (102) comprising:

an aircraft avionics system (108) qualified with respect to one or more predetermined reliability, safety, and/or security standards, and configured to perform one or more functions; and

an interface module (110) qualified with respect to the one or more predetermined reliability, safety, and/or security standards;
the interface module (110) further comprising a first (112) and second (113) database; and configured to:

store in the first database, a list of functions performable by the aircraft avionics system; and,

store in the second database, for each function, respective one or more function criteria, the function criteria specifying how the function is to be used;

wherein the interface module is further configured while the aircraft is in flight to;

receive, from a non-qualified entity (104) remote from the aircraft avionics system (108), a function request for the aircraft avionics system (108) to perform a certain function;

test the certain function against the list of functions of the first database and the function criteria of the second database ; and,

responsive to determining that the certain function satisfies all of the function criteria that correspond to the certain function, outputting the function request for use by the aircraft avionics system (108),

wherein the interface module (110) is further configured to, responsive to determining that the certain function does not satisfy at least one of the test criteria that correspond to the certain function, close a communication link (120) between the interface module (110) and the non-qualified entity (104) remote from the aircraft avionics system (108).


 
2. An aircraft (102) according to claim 1, wherein the interface module (110) is further configured to, responsive to determining that the certain function does not satisfy at least one of the criteria that correspond to the certain function, prevent the function request from being sent to the aircraft avionics system (108).
 
3. An aircraft (102) according to claim 1 or claim 2, wherein the interface module (110) is further configured to, responsive to determining that the certain function does correspond to at least one of the criteria, prevent the function request from being sent to the aircraft avionics system (108).
 
4. An aircraft (102) according to any of claims 1 to 3, wherein:

the aircraft avionics system (108) is configured to perform the certain function specified in the function request output by the interface module (110), thereby generating an avionics system output; and

the interface module is configured to output, for use by the non-qualified entity (104) remote from the aircraft avionics system, the avionics system output.


 
5. An aircraft (102) according to any of claims 1 to 4, wherein the interface module (110) is further configured to:

establish a communications link (120) with the non-qualified entity (104) that is remote from the aircraft avionics system;

perform a handshaking process with the non-qualified entity that is remote from the aircraft avionics system (108) including acquiring one or more connection criteria for the non-qualified entity;

while the communication link between the interface module and the non-qualified entity is established, test communications between the interface module and the non-qualified entity against the one or more connection criteria for the non-qualified entity; and

responsive to determining that the communications between the interface module and the non-qualified entity satisfy all of the connection criteria for the non-qualified entity , maintain the communication link between the interface module and the non-qualified entity .


 
6. An aircraft (102) according to claim 5, wherein the interface module (110) is further configured to, responsive to determining that the communications between the interface module and the non-qualified entity (104) do not satisfy at least one of the connection criteria for the non-qualified entity, prevent communications from the non-qualified entity from being sent to the aircraft avionics system (108).
 
7. An aircraft (102) according to claim 5 or 6, wherein the interface module (110) is further configured to, responsive to determining that the communications between the interface module and the non-qualified entity do not satisfy at least one of the connection criteria for the non-qualified entity, close the communication link (120) between the interface module and the non-qualified entity .
 
8. An aircraft (102) according to claim 7 wherein the interface module (110) is further configured to, responsive to closing the communication link (120) between the interface module and the non-qualified entity (104), re-performing the handshaking process.
 
9. An aircraft (102) according to any of claims 5 to 8, wherein the handshaking process between the interface module (110) and the non-qualified entity (104) includes the interface module providing information that specifies the one or more functions performable by the aircraft avionics system (108) for use by the non-qualified entity .
 
10. An aircraft (102) according to any of the preceding claims wherein the non-qualified entity (104) is wholly contained within or wholly on board the aircraft.
 
11. A system comprising:

an aircraft (102) according to any of claims 1 to 10; and

a non-qualified entity (104) remote from the aircraft avionics system (108) ; wherein:
the non-qualified entity is configured to send, to the interface module (110), the function request for the aircraft avionics system to perform the certain function.


 
12. A system according to claim 11, the aircraft (102) comprising a cockpit for accommodating at least one pilot, wherein the non-qualified entity (104) is a man-portable device for operation within the cockpit by the pilot.
 
13. A system according to claim 11 or 12, wherein the non-qualified entity (104) is remote from the aircraft (102).
 
14. A system according to claim 11, 12 or 13, wherein the non-qualified entity (104) is a computer selected from the group of computers consisting of a mobile communication device, a desktop personal computer, a laptop computer, a tablet computer, a mobile station, a wireless phone, a smartphone and a netbook.
 
15. A data communication method performed by an aircraft (102), the aircraft comprising an aircraft avionics system (108) qualified with respect to one or more predetermined reliability, safety, and/or security standards, and configured to perform one or more functions, and an interface module (110) qualified with respect to the one or more predetermined reliability, safety, and/or security standards, operatively coupled to the aircraft avionics system, the interface module further comprising a first (112) and second (113) database; the method comprising:

storing in the first database (112), a list of functions performable by the aircraft avionics system ; and,

storing in the second database (113), for each function, respective one or more function criteria; and,

while the aircraft is flying;

receiving, by the interface module (110) , from a non-qualified entity (104) remote from the aircraft avionics system (108), a function request for the aircraft avionics system to perform a certain function;

testing, by the interface module (110), the certain function against the list of functions of the first database (112) and the function criteria of the second database (113); and,

responsive to determining that the certain function satisfies all of the function criteria that correspond to the certain function, outputting, by the interface module (110), the function request for use by the aircraft avionics system; and, responsive to determining that the certain function does not satisfy at least one of the function criteria that correspond to the certain function, close a communication link (120) between the interface module (110) and the non-qualified entity (104) remote from the aircraft avionics system (108).


 


Ansprüche

1. Luftfahrzeug (102), umfassend:

ein Luftfahrzeugavioniksystem (108), das in Bezug auf eine oder mehrere vorbestimmte Zuverlässigkeits-, Sicherheits- und/oder Sicherungsstandards qualifiziert und konfiguriert ist, um eine oder mehrere Funktionen durchzuführen; und

ein Schnittstellenmodul (110), das in Bezug auf die eine oder die mehreren vorbestimmten Zuverlässigkeit-, Sicherheits- und/oder Sicherungsstandards qualifiziert ist;

das Schnittstellenmodul (110) ferner umfassend eine erste (112) und

eine zweite (113) Datenbank; und während das Luftfahrzeug im Flug ist konfiguriert ist zum:

Speichern einer Liste von Funktionen in der ersten Datenbank, die durch das Luftfahrzeugavioniksystem durchführbar sind; und,

Speichern, für jede Funktion, von jeweils einem oder mehreren Funktionskriterien in der zweiten Datenbank, wobei die Funktionskriterien angeben, wie die Funktion verwendet werden soll; und,

Empfangen, von einer nicht qualifizierten Entität (104), die von dem Luftfahrzeugavioniksystem (108) entfernt ist, einer Funktionsanforderung für das Luftfahrzeugavioniksystem (108), um eine gewisse Funktion durchzuführen;

Testen der gewissen Funktion gegen die Liste von Funktionen der ersten Datenbank und der Funktionskriterien der zweiten Datenbank; und

als Reaktion auf das Bestimmen, dass die gewisse Funktion alle Kriterien erfüllt, die der gewissen Funktion entsprechen, Ausgeben der Funktionsanforderung zur Verwendung durch das Luftfahrzeugavioniksystem (108),

wobei das Schnittstellenmodul (110) ferner konfiguriert ist, um als Reaktion auf das Bestimmen, dass die gewisse Funktion mindestens eines der Kriterien, die der gewissen Funktion entsprechen, nicht erfüllt, einen Übermittlungsabschnitt (120) zwischen dem Schnittstellenmodul (110) und der nicht qualifizierten Entität (104), die von dem Luftfahrzeugavioniksystem (108) entfernt ist, zu schließen.


 
2. Luftfahrzeug (102) nach Anspruch 1, wobei das Schnittstellenmodul (110) ferner konfiguriert ist, um als Reaktion auf das Bestimmen, dass die gewisse Funktion mindestens eines der Kriterien, die der gewissen Funktion entsprechen, nicht erfüllt, zu verhindern, dass die Funktionsanforderung an das Luftfahrzeugavioniksystem (108) gesendet wird.
 
3. Luftfahrzeug (102) nach Anspruch 1 oder 2, wobei das Schnittstellenmodul (110) ferner konfiguriert ist, um als Reaktion auf das Bestimmen, dass die gewisse Funktion mindestens einem der Kriterien entspricht, zu verhindern, dass die Funktionsanforderung an das Luftfahrzeugavioniksystem (108) gesendet wird.
 
4. Luftfahrzeug (102) nach einem der Ansprüche 1 bis 3, wobei:

das Luftfahrzeugavioniksystem (108) konfiguriert ist, um die gewisse Funktion durchzuführen, die in der Funktionsanforderung, die durch das Schnittstellenmodul (110) ausgegeben wird, angegeben ist, wodurch eine Avioniksystemausgabe erzeugt wird; und

das Schnittstellenmodul konfiguriert ist, um zur Verwendung durch die nicht qualifizierte Entität (104), die von dem Luftfahrzeugavioniksystem entfernt ist, die Avioniksystemausgabe auszugeben.


 
5. Luftfahrzeug (102) nach einem der Ansprüche 1 bis 4, wobei das Schnittstellenmodul (110) ferner konfiguriert ist zum:

Herstellen eines Übermittlungsabschnitts (120) mit der nicht qualifizierten Entität (104), die von dem Luftfahrzeugavioniksystem entfernt ist;

Durchführen eines Quittungsaustauschprozesses mit der nicht qualifizierten Entität, die von dem Luftfahrzeugavioniksystem (108) entfernt ist, einschließlich Erfassen eines oder mehrerer Verbindungskriterien für die nicht qualifizierte Entität;

während der Übermittlungsabschnitt zwischen dem Schnittstellenmodul und der nicht qualifizierten Entität hergestellt ist, Testen von Kommunikationen zwischen dem Schnittstellenmodul und der nicht qualifizierten Entität gegen das eine oder die mehreren Verbindungskriterien für die nicht qualifizierte Entität;
und

als Reaktion auf das Bestimmen, dass die Kommunikationen zwischen dem Schnittstellenmodul und der nicht qualifizierten Entität alle Verbindungskriterien für die nicht qualifizierte Entität erfüllen, Aufrechterhalten des Übermittlungsabschnitts zwischen dem Schnittstellenmodul und der nicht qualifizierten Entität.


 
6. Luftfahrzeug (102) nach Anspruch 5, wobei das Schnittstellenmodul (110) ferner konfiguriert ist, um als Reaktion auf das Bestimmen, dass die Kommunikationen zwischen dem Schnittstellenmodul und der nicht qualifizierten Entität (104) mindestens eines der Verbindungskriterien für die nicht qualifizierte Entität nicht erfüllen, zu verhindern, dass Kommunikationen von der nicht qualifizierten Entität an das Luftfahrzeugavioniksystem (108) gesendet werden.
 
7. Luftfahrzeug (102) nach Anspruch 5 oder 6, wobei das Schnittstellenmodul (110) ferner konfiguriert ist, um als Reaktion auf das Bestimmen, dass die Kommunikationen zwischen dem Schnittstellenmodul und der nicht qualifizierten Entität mindestens eines der Verbindungskriterien für die nicht qualifizierte Entität nicht erfüllen, den Übermittlungsabschnitt (120) zwischen dem Schnittstellenmodul und der nicht qualifizierten Entität zu schließen.
 
8. Luftfahrzeug (102) nach Anspruch 7, wobei das Schnittstellenmodul (110) ferner konfiguriert ist, um als Reaktion auf das Schließen des Übermittlungsabschnitts (120) zwischen dem Schnittstellenmodul und der nicht qualifizierten Entität (104), den Quittungsaustauschprozess erneut durchzuführen.
 
9. Luftfahrzeug (102) nach einem der Ansprüche 5 bis 8, wobei der Quittungsaustauschprozess zwischen dem Schnittstellenmodul (110) und der nicht-qualifizierten Entität (104) das Schnittstellenmodul einschließt, das Informationen bereitstellt, die die eine oder die mehreren Funktionen angeben, die durch das Luftfahrzeugavioniksystem (108) zur Verwendung durch die nicht qualifizierte Entität durchführbar sind.
 
10. Luftfahrzeug (102) nach einem der vorstehenden Ansprüche, wobei die nicht qualifizierte Entität (104) vollständig in oder vollständig an Bord des Luftfahrzeugs enthalten ist.
 
11. System, umfassend:

ein Luftfahrzeug (102) nach einem der Ansprüche 1 bis 10; und

eine nicht qualifizierte Entität (104), die von dem Luftfahrzeugavioniksystem (108) entfernt ist; wobei:
die nicht qualifizierte Entität konfiguriert ist, um die Funktionsanforderung für das Luftfahrzeugavioniksystem an das Schnittstellenmodul (110) zu senden, um die gewisse Funktion durchzuführen.


 
12. System nach Anspruch 11, das Luftfahrzeug (102) umfassend ein Cockpit zum Unterbringen mindestens eines Piloten, wobei die nicht qualifizierte Entität (104) eine tragbare Vorrichtung für einen Betrieb innerhalb des Cockpits durch den Piloten ist.
 
13. System nach Anspruch 11 oder 12, wobei die nicht qualifizierte Entität (104) von dem Luftfahrzeug (102) entfernt ist.
 
14. System nach Anspruch 11, 12 oder 13, wobei die nicht qualifizierte Entität (104) ein Computer ist, der aus der Gruppe von Computern ausgewählt ist, bestehend aus einer Mobilkommunikationsvorrichtung, einem Desktop-Personalcomputer, einem Laptop-Computer, einem Tablet-Computer, einer Mobilstation, einem drahtlosen Telefon, einem Smartphone und einem Netbook.
 
15. Datenkommunikationsverfahren, das durch ein Luftfahrzeug (102) durchgeführt wird, das Luftfahrzeug umfassend ein Luftfahrzeugavioniksystem (108), das in Bezug auf eine oder mehrere vorbestimmte Zuverlässigkeits-, Sicherheits- und/oder Sicherungsstandards qualifiziert und konfiguriert ist, um eine oder mehrere Funktionen durchzuführen, und ein Schnittstellenmodul (110), das in Bezug auf die eine oder die mehreren vorbestimmten Zuverlässigkeits-, Sicherheits- und/oder Sicherungsstandards qualifiziert ist, das mit dem Luftfahrzeugavioniksystem wirkgekoppelt sind, das Schnittstellenmodul ferner umfassend eine erste (112) und eine zweite (113) Datenbank und während das Luftfahrzeug fliegt, das Verfahren umfassend:

Speichern einer Liste von Funktionen in der ersten Datenbank (112), die durch das Luftfahrzeugavioniksystem durchführbar sind; und,

Speichern, für jede Funktion, von jeweils einem oder mehreren Funktionskriterien in der zweiten Datenbank (113); und,

Empfangen, durch das Schnittstellenmodul (110), von einer nicht qualifizierten Entität (104), die von dem Luftfahrzeugavioniksystem (108) entfernt ist, einer Funktionsanforderung für das Luftfahrzeugavioniksystem, um eine gewisse Funktion durchzuführen;

Testen, durch das Schnittstellenmodul (110), der gewissen Funktion gegen die Liste von Funktionen der ersten Datenbank (112) und die Funktionskriterien der zweiten Datenbank (113);
und,

als Reaktion auf das Bestimmen, dass die gewisse Funktion alle Funktionskriterien erfüllt, die der gewissen Funktion entsprechen, Ausgeben, durch das Schnittstellenmodul (110), der Funktionsanforderung zur Verwendung durch das Luftfahrzeugavioniksystem; und,

als Reaktion auf das Bestimmen, dass die gewisse Funktion mindestens eines der Funktionskriterien, die der gewissen Funktion entsprechen, nicht erfüllt, Schließen eines Übermittlungsabschnitts (120) zwischen dem Schnittstellenmodul (110) und der nicht qualifizierten Entität (104), die von dem Luftfahrzeugavioniksystem (108) entfernt ist.


 


Revendications

1. Aéronef (102) comprenant :

un système d'avionique de bord (108) qualifié par rapport à une ou plusieurs normes de fiabilité, de sûreté et/ou de sécurité prédéterminées, et configuré pour effectuer une ou plusieurs fonctions ; et

un module d'interface (110) qualifié par rapport à la ou aux normes de fiabilité, de sûreté et/ou de sécurité prédéterminées ;

le module d'interface (110) comprenant en outre une première (112) et

une seconde (113) base de données ; et configuré pendant que l'aéronef est en vol pour :

stocker, dans la première base de données, une liste de fonctions pouvant être effectuées par le système d'avionique de bord ; et,

stocker, dans la seconde base de données, pour chaque fonction, un ou plusieurs critères de fonction respectifs, les critères de fonction spécifiant comment la fonction doit être utilisée ; et,

recevoir, depuis une entité non qualifiée (104) distante du système d'avionique de bord (108), une demande de fonction pour que le système d'avionique de bord (108) effectue une certaine fonction ;

tester la certaine fonction par rapport à la liste des fonctions de la première base de données et aux critères de fonction de la seconde base de données ; et

en réponse à la détermination du fait que la certaine fonction satisfait tous les critères qui correspondent à la certaine fonction, délivrer en sortie la demande de fonction pour une utilisation par le système d'avionique de bord (108),

dans lequel le module d'interface (110) est en outre configuré pour, en réponse à la détermination du fait que la certaine fonction ne satisfait pas au moins l'un parmi les critères qui correspondent à la certaine fonction, fermer une liaison de communication (120) entre le module d'interface (110) et l'entité non qualifiée (104) distante du système d'avionique de bord (108).


 
2. Aéronef (102) selon la revendication 1, dans lequel le module d'interface (110) est en outre configuré pour, en réponse à la détermination du fait que la certaine fonction ne satisfait pas au moins l'un parmi les critères qui correspondent à la certaine fonction, empêcher la demande de fonction d'être envoyée au système d'avionique de bord (108).
 
3. Aéronef (102) selon la revendication 1 ou la revendication 2, dans lequel le module d'interface (110) est en outre configuré pour, en réponse à la détermination du fait que la certaine fonction correspond à au moins l'un parmi les critères, empêcher la demande de fonction d'être envoyée au système d'avionique de bord (108).
 
4. Aéronef (102) selon l'une quelconque des revendications 1 à 3, dans lequel :

le système d'avionique de bord (108) est configuré pour effectuer la certaine fonction spécifiée dans la demande de fonction délivrée en sortie par le module d'interface (110), générant ainsi une sortie de système d'avionique ; et

le module d'interface est configuré pour délivrer en sortie, pour une utilisation par l'entité non qualifiée (104) distante du système d'avionique de bord, la sortie du système d'avionique.


 
5. Aéronef (102) selon l'une quelconque des revendications 1 à 4, dans lequel le module d'interface (110) est en outre configuré pour :

établir une liaison de communications (120) avec l'entité non qualifiée (104) qui est distante du système d'avionique de bord ;

effectuer un processus d'établissement de liaison avec l'entité non qualifiée qui est distante du système d'avionique de bord (108) comportant l'acquisition d'un ou plusieurs critères de connexion pour l'entité non qualifiée ;

tandis que la liaison de communication entre le module d'interface et l'entité non qualifiée est établie, tester des communications entre le module

d'interface et l'entité non qualifiée par rapport aux un ou plusieurs critères de connexion pour l'entité non qualifiée ; et

en réponse à la détermination du fait que les communications entre le module d'interface et l'entité non qualifiée satisfont tous les critères de connexion pour l'entité non qualifiée, maintenir la liaison de communication entre le module d'interface et l'entité non qualifiée.


 
6. Aéronef (102) selon la revendication 5, dans lequel le module d'interface (110) est en outre configuré pour, en réponse à la détermination du fait que les communications entre le module d'interface et l'entité non qualifiée (104) ne satisfont pas au moins l'un parmi les critères de connexion pour l'entité non qualifiée, empêcher des communications de l'entité non qualifiée d'être envoyées au système d'avionique de bord (108).
 
7. Aéronef (102) selon la revendication 5 ou 6, dans lequel le module d'interface (110) est en outre configuré pour, en réponse à la détermination du fait que les communications entre le module d'interface et l'entité non qualifiée ne satisfont pas au moins l'un parmi les critères de connexion pour l'entité non qualifiée, fermer la liaison de communication (120) entre le module d'interface et l'entité non qualifiée.
 
8. Aéronef (102) selon la revendication 7, dans lequel le module d'interface (110) est en outre configuré pour, en réponse à la fermeture de la liaison de communication (120) entre le module d'interface et l'entité non qualifiée (104), ré-effectuer le processus d'établissement de liaison.
 
9. Aéronef (102) selon l'une quelconque des revendications 5 à 8, dans lequel le processus d'établissement de liaison entre le module d'interface (110) et l'entité non qualifiée (104) comporte la fourniture par le module d'interface d'informations qui spécifient la ou les fonctions pouvant être effectuées par le système d'avionique de bord (108) pour une utilisation par l'entité non qualifiée.
 
10. Aéronef (102) selon l'une quelconque des revendications précédentes, dans lequel l'entité non qualifiée (104) est entièrement contenue dans l'aéronef ou entièrement à bord de celui-ci.
 
11. Système comprenant :

un aéronef (102) selon l'une quelconque des revendications 1 à 10 ; et

une entité non qualifiée (104) distante du système d'avionique de bord (108) ; dans lequel :
l'entité non qualifiée est configurée pour envoyer, au module d'interface (110), la demande de fonction pour que le système d'avionique de bord effectue la certaine fonction.


 
12. Système selon la revendication 11, l'aéronef (102) comprenant un poste de pilotage destiné à recevoir au moins un pilote, dans lequel l'entité non qualifiée (104) est un dispositif portatif pour une exploitation dans le poste de pilotage par le pilote.
 
13. Système selon la revendication 11 ou 12, dans lequel l'entité non qualifiée (104) est distante de l'aéronef (102).
 
14. Système selon la revendication 11, 12 ou 13, dans lequel l'entité non qualifiée (104) est un ordinateur choisi dans le groupe d'ordinateurs constitué d'un dispositif de communication mobile, d'un ordinateur personnel de bureau, d'un ordinateur portable, d'une tablette informatique, d'une station mobile, d'un téléphone sans fil, d'un téléphone intelligent et d'un miniportable.
 
15. Procédé de communication de données effectué par un aéronef (102), l'aéronef comprenant un système d'avionique de bord (108) qualifié par rapport à une ou plusieurs normes de fiabilité, de sûreté et/ou de sécurité prédéterminées, et configuré pour effectuer une ou plusieurs fonctions, et un module d'interface (110) qualifié par rapport à la ou aux normes de fiabilité, de sûreté et/ou de sécurité prédéterminées, couplé fonctionnellement au système d'avionique de bord, le module d'interface comprenant en outre une première (112) et une seconde (113) base de données et, pendant que l'aéronef est en vol, le procédé comprenant :

le stockage dans la première base de données (112), d'une liste de fonctions pouvant être effectuées par le système d'avionique de bord ; et,

le stockage, dans la seconde base de données (113), pour chaque fonction, d'un ou plusieurs critères de fonction respectifs ; et,

la réception, par le module d'interface (110), d'une entité non qualifiée (104) distante du système d'avionique de bord (108), d'une demande de fonction pour que le système d'avionique de bord effectue une certaine fonction ;

le test, par le module d'interface (110), de la certaine fonction par rapport à la liste de fonctions de la première base de données (112)

et aux critères de fonction de la seconde base de données (113) ; et,

en réponse à la détermination du fait que la certaine fonction satisfait tous les critères de fonction qui correspondent à la certaine fonction, le fait de délivrer en sortie, par le module d'interface (110), la demande de fonction pour une utilisation par le système d'avionique de bord ; et,

en réponse à la détermination du fait que la certaine fonction ne satisfait pas au moins l'un parmi les critères de fonction qui correspondent à la certaine fonction, la fermeture d'une liaison de communication (120) entre le module d'interface (110) et l'entité non qualifiée (104) distante du système d'avionique de bord (108).


 




Drawing











Cited references

REFERENCES CITED IN THE DESCRIPTION



This list of references cited by the applicant is for the reader's convenience only. It does not form part of the European patent document. Even though great care has been taken in compiling the references, errors or omissions cannot be excluded and the EPO disclaims all liability in this regard.

Patent documents cited in the description