Aboard vehicles and particularly aircraft, various electrical and electronic devices or appliances are provided for a wide variety of purposes. For example, in modern aircraft, these appliances are connected to networks via which they can send and receive appliance-specific data. For the monitoring and control of the appliances, apparatuses are provided that are likewise connected to the respective networks and are adapted to receive data from the appliances and to transmit data to the appliances. The apparatuses may have input/output devices by means of which data delivered by the appliances, possibly after processing or conditioning by the apparatuses, can be presented or displayed for a user and by means of which data can be input and then transmitted to the appliances for the purpose of modifying appliance settings or generally for the purpose of controlling said appliances.
An example of such apparatuses in aircraft is flight attendant panels or flight attendant control devices, which frequently have a touch-sensitive screen as an input/output device and are arranged in the aircraft cabin so as to be accessible to flight attendants.
The appliances controlled by an apparatus of the type mentioned above or the appliances with which an apparatus of the type mentioned above communicates during operation are generally in very different relationships with the safety of the aircraft. For example, some appliances, such as flight instruments or sensors for flight attitude or flight speed or airspeed, may be absolutely necessary for controlling and monitoring the flight operation, which means that failure thereof or faults therein can have disastrous effects right through to crashing. On the other hand, faults on other appliances do not have any influence on safety and, as in the case of an onboard entertainment system, for example, merely result in certain restrictions on the comfort of the passengers. There may be various further increments between these two extremes. By way of example, faults on appliances for controlling or monitoring cabin lighting, cabin temperature or heating can result in restrictions on safety but without having disastrous effects. A similar thing applies at another level for appliances that keep maintenance information or information about passengers, for example.
In aviation, five so-called Design Assurance Levels (DAL), A to E, have been defined for classifying appliances and the software running on them with respect to their safety requirements and the severity of the effects of a possible failure. Level A comprises appliances whose failure has disastrous effects on the safety of the operation of the aircraft, and level E comprises appliances whose failure has no effects on the safety of the operation of the aircraft.
Even if one only considers the aircraft cabin, there are appliances associated with the cabin that are essential to cabin safety, such as various sensors and appliances for controlling the air supply or cabin communication appliances for transmitting announcements to the passengers, and appliances which are irrelevant to cabin safety, such as appliances of an onboard entertainment system, appliances for adjusting passenger seats or appliances that are part of the galley, or are less relevant, such as appliances for temperature control.
Due to the different safety requirements, it is necessary to ensure that an appliance having low safety requirements or a relatively low safety level cannot adversely affect an appliance having higher safety requirements or a higher safety level. Such an adverse effect would be possible, however, if such appliances were connected to a shared network via which they are able to interchange data. In this connection, it is also important that the option is increasingly provided, or at least desired, for particular appliances brought aboard by passengers, such as notebooks or tablet computers, to be incorporated into an onboard network and to be able to access certain appliances, for example appliances providing Internet access, under strict control. Unauthorized access to aircraft systems by means of such passenger appliances must be ruled out. It is also necessary to take into account the ever-present possibility of security gaps being exploited by accomplished computer users.
Against this background, various networks that are separate in terms of hardware are provided for appliances having different safety requirements or different safety levels. This separation of the appliances on the basis of the safety requirements thereof is also referred to as splitting into different domains.
In order to maintain the separation of the various domains in apparatuses for controlling the appliances too, it is known practice for a plurality of data processing devices that are separate in terms of hardware to be provided in said appliances, each of said data processing devices being connected to a different one of the networks. The data processing device to which the appliances having the highest safety requirements are connected is able to communicate via unidirectional data lines with the other data processing devices, which in turn cannot communicate with one another.
Each of these data processing devices has its own graphics processor device, which the respective data processing device can use to output data on an input/output device that is shared by all data processing devices. For this purpose, the graphics processor devices of the different data processing devices are connected to a switch that connects precisely one of the data processing devices at a time to the common input/output apparatus. This data processing device then exclusively commandeers the input/output apparatus and, together with it, operates essentially independently of the other data processing devices. In this regard, the switch is controlled exclusively by the data processing device to which the appliances having the highest safety requirements are connected, in order to ensure that this data processing device can always “take over” the input/output device should it be necessary.
On the one hand, the described embodiment has the consequence that each data processing device must implement its own graphical user interface in order to be able to display and to manipulate data from the appliances connected thereto using the input/output device. Furthermore, although it is possible, due to the unidirectional data lines, for the data processing device to which the appliances having the highest safety requirements are connected to provide, as part of the user interface implemented by said data processing device, a selection menu by means of which the user can effect changeover to one of the other data processing devices, a truly integrated and uniform graphical user interface having flexible data input options is not possible. In addition, user-induced changeover or switching from one of the data processing devices to which appliances having relatively low safety requirements are connected to another data processing device using the graphical user interface is not possible, because those devices have no means of controlling the switch or the other data processing devices. Instead, a separate changeover option needs to be provided outside the input/output device and the graphical user interfaces, which renders operation complicated and confusing for the user.
The above considerations also apply in corresponding fashion to vehicles other than aircraft.
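The known arrangement described above can be modelled as a small access-control check, which makes its usability limitation concrete. This is an added illustration, not code from the document; the domain names "high", "mid" and "low" are hypothetical, and it assumes the unidirectional data lines run from the highest-safety device to each of the others.

```python
# Added illustration: toy model of the known multi-domain panel.
# Assumptions (not from the document): domain names "high"/"mid"/"low";
# unidirectional lines run from the highest-safety device to the others.

class DomainViolation(Exception):
    """An action that the hardware separation does not permit."""

class Panel:
    def __init__(self, domains, controller):
        self.domains = set(domains)
        self.controller = controller            # highest-safety device
        self.active = controller                # device that owns the screen
        self.inbox = {d: [] for d in domains}   # data delivered per device

    def send(self, src, dst, msg):
        # Only controller -> other lines exist: no reverse, no lateral path.
        if src != self.controller or dst == src or dst not in self.domains:
            raise DomainViolation(f"no data line {src} -> {dst}")
        self.inbox[dst].append(msg)

    def switch_display(self, requester, target):
        # The switch has one control input, wired to the controller only.
        if requester != self.controller:
            raise DomainViolation(f"{requester} cannot drive the switch")
        if target not in self.domains:
            raise ValueError(f"unknown domain {target}")
        self.active = target    # exactly one device owns the screen

def attempt(action, *args):
    """Return True if the action is permitted, False if it is blocked."""
    try:
        action(*args)
        return True
    except DomainViolation:
        return False

def demo():
    p = Panel(["high", "mid", "low"], controller="high")
    results = {
        "high_selects_low": attempt(p.switch_display, "high", "low"),
        "low_selects_mid": attempt(p.switch_display, "low", "mid"),
        "low_to_high_data": attempt(p.send, "low", "high", "x"),
        "mid_to_low_data": attempt(p.send, "mid", "low", "x"),
        "high_to_mid_data": attempt(p.send, "high", "mid", "status"),
        "high_takes_over": attempt(p.switch_display, "high", "high"),
    }
    return results, p.active
```

Once the low-safety device owns the screen, its own user interface has no permitted path back to any other device, which is why the known design needs a changeover control outside the graphical user interfaces.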