In future aircraft generations, a new equipment will come into being: the air traffic service unit or ATSU. It is the object of this air traffic service unit, as described in "AIM-FABS The Airbus Interoperable Modular Future Air Navigation System" (Salon du Bourget, May 1997, Aerospatiale), to manage links between certain aircraft equipment (such as the flight management system (FMS), the central maintenance computer (CMC), the flight warning system (FWS) . . . ) and the ground/board communication means (such as satellite communication (SatCom), the HF data link (HFDL), the aircraft communication addressing and reporting system (ACARS) . . . ).
The special feature of the air traffic service unit is that it has been designed as a conventional computer with an operating system, whereon applications are run. Thus, the conventional architecture represented in FIG. 1 can be recognized.
The operating system 10 manages input/output 11, software 12 and hardware 13 resource use, application 14 chaining and timing: A1 . . . An.
Software resources correspond to sub-routines that can be used by the applications and/or the operating system (communication management, libraries, . . . ).
Hardware resources include memories, busses, registers, a processor, a coprocessor, . . . .
Applications are programs each performing a functionality of the aircraft system, e.g. controller/pilot data link communication (CPDLC).
The job of the air traffic service unit is to increase the aircraft's operational capacities by automating pilot-controller exchanges through the use of data communication networks.
The air traffic service unit supports the basis of the communication and surveillance activities comprised in the general FANS-CNS/ATM concept within the ATIMS system.
The main functions provided by the air traffic service unit are:
- management of the crew/controller dialog (CPDLC/AFN);
- automatic dependent surveillance (ADS);
- aircraft operating functions (AOC), e.g. flight plan modification, maintenance reports, . . . ;
- use of the ACARS network before implementing the ATN network;
- ACARS routing.
In relation to security objectives, the classification of the functions provided by the air traffic service unit requires no particular architecture.
As depicted in FIG. 2, the environment of the air traffic service unit is composed of:
- a system 20 giving access to the ACARS air/ground sub-network;
- avionics systems 21, such as:
  - flight management system (FMS),
  - electronic flight instrument system/electronic centralized aircraft monitoring (EFIS/ECAM),
  - central maintenance computer (CMC),
  - flight warning system (FWS),
  - printer,
  - multi-purpose disk drive unit (MDDU),
  - clock;
- display units (MCDU1, MCDU2, MCDU3, . . . );
- a data link control and display unit 22.
FIG. 3 illustrates the software structure of the air traffic service unit with independent software and corresponding load relationships.
FIG. 4 illustrates the functions of the air traffic service unit with their positions for the applications and for the software platform.
The computer of the air traffic service unit consists of two function categories:
- basic functions providing the functional part of this computer;
- system management functions that have no impact on the functional part of the computer. They perform the conventional services of any onboard aircraft computer (maintenance, surveillance, etc.).
Among the basic functions, applications can be found. The term "application" refers to an air/ground data link communication protocol and its onboard integration. Each application has the capability required to sequence the different processes it needs.
These applications comprise:
- air traffic service applications or ATC grouping:
  - air traffic management services (ATMS). Such applications support and initialize board/ground and ground/board information exchange, including controller/pilot data link communication (CPDLC) and air traffic facility notification (AFN);
  - the surveillance application (ADS), which in particular allows the aircraft's position to be reported continuously;
  - flight information services;
- airline operational communication or AOC applications.
When the air traffic service unit is delivered, the client airline can implement its own applications, which it has developed in-house or has had developed by a third party. This possibility is very interesting commercially, as such applications enable said airline to use for its own purposes certain data available at aircraft level, which does not relate to aircraft operation as such, but to its use as a commercial tool (duration of certain parts of the flight, fuel consumption, . . . ). These applications, called AOC, are not known to the manufacturer of the air traffic service unit.
The air traffic service unit must be able to accommodate such AOC applications developed by third parties on behalf of airline companies. The constraints associated with such a demand result in a sign-on structure allowing to:
- make the various development phases (completion, debugging and support) as independent as possible;
- make the hardware platform "transparent" for the software;
- ensure processing capacity for each process (CPU time);
- ensure non-disturbance of an ATC application by an AOC application.
The manufacturer of the air traffic service unit must certify the equipment with various official institutions, wherein certifying means: to know, check and ensure the operation of the whole system in all possible operating modes, including defective modes or when certain components are defective. This procedure is known and under control.
Certification has two functions: one purely administrative function corresponding to an approval of use on commercial aircraft, and above all, one security insurance function. Certification makes it possible to ensure that the operation or malfunction of an equipment will have no unacceptable consequences. The admissible malfunction level varies depending on the equipment's functional role in the aircraft: thus, the equipment managing the passengers' individual reading lamps is not subject to the same constraints as a flight command computer. The document entitled "Software Considerations In Airborne Systems And Equipment Certification" (DO-178B/ED-12B, RTCA Inc., December 1992, pp. 28, 60, 69, and 71) illustrates the fact that the software as a whole of an onboard equipment is involved in certification.
Thus, an equipment is obtained, the operation of which is certified (known, checked and guaranteed), whereon an unknown AOC application can be run. Obviously, the new system is not the one that has been certified. To certify it, the certification procedure would have to be redone for the system as manufactured, augmented by the AOC application(s). Such a procedure would be far too expensive. Moreover, the commercial advantage of offering an airline the possibility of implementing its own applications would be lost.
To minimize the certification procedures for each development, the air traffic service unit implements:
- a modular software design;
- a centralized platform concept;
- high level interfaces between this centralized platform and the applications;
- an application separation.
In order to concentrate the detailed integration/validation and qualification only on the modified/added application, the reduced method is the result of a modification impact analysis when new software (except for AOC applications) is added.
Of course, an initial certification of the air traffic service unit covers all aspects, but the certification of a development of this air traffic service unit must not concentrate on the new modified parts.
It is the object of the invention, in the specific case of AOC applications, not to require any certification, the software of such applications being placed at level E (minimum failure criticality level in relation to the aircraft), and therefore to combine both requirements: certifying the equipment as a whole (i.e. including AOC applications) and allowing airlines to implement their own applications.
Disclosure of the Invention
This invention relates to a method for implementing an air traffic service unit (ATSU) managing links between certain aircraft equipment and the ground/board communication means, and its operating system (OS) managing input/output, the use of software and hardware resources, chaining and timing of applications that are programs carrying out aircraft system functionalities, and wherein memory partitioning mechanisms and CPU partitioning mechanisms are used, said method being characterized by filtering the operating system calls from airline operational communication or AOC applications so as to prevent said applications from disturbing the operation of said air traffic service unit.
Advantageously, filtering is done by the Hook method. This filtering only lets through authorized system calls.
In an advantageous embodiment, system call control software allows:
- configuring filters, certain features of which can be set by means of a "superuser" process of the air traffic service unit;
- filtering system calls that have to be filtered;
- recording system call execution rejects in a specific area;
- at the demand of the superuser process of the air traffic service unit, supplying the data stored on system call rejects.
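As an added illustration (not code from the patent or from the ATSU), a C model of the hook-based system call control described above: a fixed table of call identifiers, an allow-list mask that applies only to AOC applications, a reject record area, and a superuser flag on the caller for configuring the filter and reading the rejects back. The call identifiers, the mask representation and the superuser flag are assumptions made for the example.

```c
#include <stdio.h>

/* Hypothetical application classes and system call identifiers. */
enum app_class { APP_ATC = 0, APP_AOC = 1 };
enum syscall_id { SYS_READ = 0, SYS_WRITE = 1, SYS_SEND_ACARS = 2,
                  SYS_SET_FILTER = 3, SYS_COUNT = 4 };

#define MAX_REJECTS 32
struct reject { int app_id; int call; };

static unsigned aoc_allowed_mask;          /* one bit per authorized call */
static struct reject reject_log[MAX_REJECTS]; /* "specific area" for rejects */
static int reject_count;

/* Filter configuration: only the superuser process may change the mask. */
int configure_filter(int is_superuser, unsigned mask) {
    if (!is_superuser) return -1;
    aoc_allowed_mask = mask;
    return 0;
}

/* Hook placed in front of the dispatcher: returns 1 if the call may run,
 * 0 if it is rejected. ATC (certified) code is not filtered; an AOC call
 * passes only when its bit is set; every reject is recorded. */
int syscall_hook(int app_id, enum app_class cls, enum syscall_id call) {
    if (call < 0 || call >= SYS_COUNT) goto reject;   /* unknown call */
    if (cls == APP_ATC) return 1;
    if (aoc_allowed_mask & (1u << call)) return 1;
reject:
    if (reject_count < MAX_REJECTS)
        reject_log[reject_count++] = (struct reject){app_id, (int)call};
    return 0;
}

/* Superuser read-out of the stored rejects; returns the number copied. */
int fetch_rejects(int is_superuser, struct reject *out, int max) {
    int n = 0;
    if (!is_superuser) return -1;
    for (; n < reject_count && n < max; n++) out[n] = reject_log[n];
    return n;
}

int main(void) {
    struct reject r[MAX_REJECTS];
    configure_filter(1, (1u << SYS_READ) | (1u << SYS_WRITE));
    syscall_hook(7, APP_AOC, SYS_SEND_ACARS);          /* rejected, logged */
    int n = fetch_rejects(1, r, MAX_REJECTS);
    printf("%d reject(s); first: app %d call %d\n", n, r[0].app_id, r[0].call);
    return 0;
}
```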