Processing erroneous information on the ground can be harmful or even dangerous to the operation of the aircraft, since the analysis of that information determines at least some of the maintenance operations that are performed on the aircraft.
The flight data coming from an on-board avionics system is generally transferred to scrutinizing means on the ground after each flight or mission. It is therefore appropriate to devise safety mechanisms that guarantee the integrity of the flight data while it is being transferred to the ground and while it is being scrutinized.
In present practice, each item of flight data, e.g. an indication that a temperature threshold or a rotor speed threshold has been exceeded, is confirmed by the pilot or a crew member before being transferred electronically to the scrutinizing means on the ground.
Nevertheless, checking in this way is not without drawbacks. Even if all of the flight data has been confirmed, the transfer operation may corrupt some of it before it reaches the scrutinizing means on the ground. Flight data may also be corrupted directly within the scrutinizing means on the ground to which it is transferred for analysis.
Under the applicable aviation standards, the equipment generally used to build avionics systems and scrutinizing means on the ground is developed to a design assurance level (DAL) of A, B, C, D, or E. The levels are defined by the potential effect of a failure on flight safety, with the following degrees of criticality respectively: catastrophic, dangerous, major, minor, and no effect. Catastrophic criticality (DAL A) is the highest and no-effect criticality (DAL E) is the lowest.
Each level reflects a quality of design, i.e. a greater or lesser ability to tolerate potential equipment failures. A given level thus guarantees that the equipment was designed under correspondingly strict design rules and that the design took corresponding account of the failure modes of the equipment's components.
The same applies to the software loaded into such equipment and that manages the flight data. These various design assurance levels (DAL) are themselves known and are therefore not described in greater detail.
Furthermore, for the equipment and/or software of avionics systems that provide the functions most critical to flight safety, it is generally required to demonstrate that no single failure can lead to events with potentially catastrophic consequences for the aircraft and its occupants. Reference can be made to the following standards: CS 25, CS 27, CS 29, and FAR 25, FAR 27, FAR 29.
The flight data relating to the most recent mission of an aircraft comprises a set of event records suitable for helping in defining and anticipating maintenance operations, and in particular data delivered by a so-called health and usage monitoring system (HUMS) that monitors the health of parts of the aircraft and their use. The HUMS comprises both the on-board avionics system for recording the flight data and a station on the ground used by the maintenance operator in order to process said data.
The on-board avionics system preferably makes use of two distinct computers, one delivering flight data relating to the health of the equipment of the aircraft, the other delivering data relating to the use of the equipment of the aircraft.
The present invention may be applied in particular to both of those types of flight data, and also to any type of data that is useful for analysis on the ground.
On-board avionics systems contribute to critical functions and are generally designed to guarantee safety. This means using a design assurance level that may be as high as DAL A and, where appropriate, design or architectural precautions guaranteeing that no single fault can lead to events with potentially catastrophic consequences for the aircraft or its occupants.
Flight data is thus associated with functions having different flight safety levels, and the data is classified according to its nature. Flight data referred to as “safety impact” data is associated with functions of catastrophic, dangerous, or major criticality, i.e. design assurance level DAL A, DAL B, or DAL C. If erroneous, such data can lead to effects that endanger the safety of the aircraft or of its occupants.
Other flight data, referred to as data “having no recognized effect on safety”, is associated with functions of minor or no-effect criticality, i.e. design assurance level DAL D or DAL E. If erroneous, this flight data leads at most to effects with less severe consequences.
In the description below, the term “standard product” should be understood as meaning a product that is sold in quantity without being developed to comply with aviation regulations and in which potential modifications to characteristics, e.g. concerning its components or its performance, cannot be controlled by the user, and specifically by a helicopter manufacturer. Such products or equipment are referred to as being commercial off-the-shelf (COTS).
The scrutinizing means on the ground are generally constituted by an application developed by a manufacturer and computing resources such as a COTS monitoring computer on the ground, e.g. a computer operating with a WINDOWS® environment.
The application is generally developed to DAL D, while the computing resources are COTS and are therefore treated as DAL E, i.e. no design assurance credit can be claimed for them.
Using COTS computing resources also means that it is not possible to demonstrate the absence of any single failure that could lead to harmful effects. Under such conditions, it cannot be guaranteed that so-called “safety impact” data, i.e. data presenting catastrophic, dangerous, or major criticality, remains exact up to and during its processing on the ground.
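The following Python sketch is an added illustration and is not part of this document or of the method it describes: it shows one conventional way of making corruption of the transferred records detectable, by tagging each record on board with a keyed MAC bound to its sequence number and adding a manifest tag over the whole set, and of reporting separately whether a failed record belongs to the “safety impact” class (DAL A, B, C) or not (DAL D, E). The key, the record layout, the field names, and the sample records are all constructed for the example; the text does not specify any of them.

```python
import hmac
import hashlib
import json
import struct

# Safety split taken from the text: DAL A/B/C data has a safety impact,
# DAL D/E data has no recognized effect on safety.
SAFETY_IMPACT_DALS = {"A", "B", "C"}

# Constructed demo key (assumption: shared by the on-board system and the ground
# station and held outside the COTS application; the text does not cover key handling).
DEMO_KEY = b"constructed-demo-key-do-not-reuse"

# Constructed HUMS-style event records; not data from any real aircraft.
SAMPLE_RECORDS = [
    {"event": "rotor_speed_exceedance", "value_pct": 106.2, "dal": "A"},
    {"event": "gearbox_oil_temp_exceedance", "value_c": 121.0, "dal": "B"},
    {"event": "cabin_door_cycles", "count": 14, "dal": "E"},
]


def canonical(record):
    """Deterministic encoding so that board and ground MAC exactly the same bytes."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")


def _manifest_tag(tags, key):
    """Tag over the record count and every per-record tag: detects dropped or added records."""
    msg = struct.pack(">I", len(tags)) + "".join(tags).encode("ascii")
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def seal(records, key):
    """On-board side: per-record HMAC bound to the sequence number, plus a manifest tag."""
    sealed = []
    for seq, rec in enumerate(records):
        tag = hmac.new(key, struct.pack(">I", seq) + canonical(rec), hashlib.sha256).hexdigest()
        sealed.append({"seq": seq, "record": rec, "tag": tag})
    return sealed, _manifest_tag([s["tag"] for s in sealed], key)


def verify(sealed, manifest, key):
    """Ground side: recompute every tag and the manifest tag.

    Returns the records that verified, the (seq, dal) pairs that did not, whether the
    set as a whole is intact, and whether any failure touches safety-impact data.
    """
    accepted, rejected, seen = [], [], set()
    for s in sealed:
        seq = s["seq"]
        try:
            expected = hmac.new(key, struct.pack(">I", seq) + canonical(s["record"]),
                                hashlib.sha256).hexdigest()
        except (struct.error, TypeError):
            expected = ""  # a tampered sequence number cannot match any tag
        if seq in seen or not hmac.compare_digest(expected, s["tag"]):
            rejected.append((seq, s["record"].get("dal")))
            continue
        seen.add(seq)
        accepted.append(s["record"])
    set_intact = hmac.compare_digest(_manifest_tag([s["tag"] for s in sealed], key), manifest)
    # A missing record has an unknown DAL, so an incomplete set is treated as a safety-impact failure.
    safety_impact_failed = any(dal in SAFETY_IMPACT_DALS for _, dal in rejected) or not set_intact
    return {
        "accepted": accepted,
        "rejected": rejected,
        "set_intact": set_intact,
        "safety_impact_failed": safety_impact_failed,
    }


if __name__ == "__main__":
    sealed, manifest = seal(SAMPLE_RECORDS, DEMO_KEY)
    sealed[0]["record"]["value_pct"] = 99.0  # an exceedance silently rewritten in transit
    print(verify(sealed, manifest, DEMO_KEY))
```

A keyed MAC is used rather than a plain checksum so that corruption which also recomputes the check value is still detected, provided the key is not available on the corrupting path. Note the limit that the text itself points out: the verification runs on the COTS ground computer, so it can detect corruption in transit and at rest but cannot on its own raise the assurance level of the processing performed on that computer.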
For example, document US 2002/033946 discloses a data transfer method, in particular concerning the operation and/or maintenance of a removable modular appliance. The method described enables digital images to be recorded, but it does not distinguish digital data having a safety impact from digital data having no recognized effect on safety. The data is recorded for subsequent verification, in order to observe possible changes in said data over time. That document does make provision for recording additional data carrying complementary information, but that provision does not serve to prevent corruption of the collected data during its transfer.