The present invention relates to an aircraft control system.
Modern aircraft, in particular transport airplanes, comprise a control system making it possible to drive the various functions of the said aircraft: flight controls, flight management of FMS (“Flight Management System”) type, FWS (“Flight Warning System”) alerts management, downloading of data, etc. This control system generally comprises a set of computers which may equally well be computers dedicated to the various functions, and then named LRU (“Line Replaceable Unit”), or generic computers into which the various functions are programmed. These generic computers constitute an integrated modular avionics architecture termed IMA (“Integrated Modular Avionics”).
For airworthiness reasons, certifying authorities require that the various functions implemented in aircraft have a quality assurance level sufficient to guarantee the safety of the aircraft. This quality assurance level is generally called DAL (“Design Assurance Level”). The regulatory requirements relating to the DAL level of the various functions of an aircraft are expressed in the document Eurocae ED-79A/SAE ARP 4754A. This document defines five levels of quality assurance for the functions of an aircraft, respectively named DAL-A, DAL-B, DAL-C, DAL-D and DAL-E in descending order of requirements. The DAL-A level corresponds to functions whose failure would have a catastrophic impact for the aircraft; the DAL-B level corresponds to functions whose failure would have a dangerous impact for the aircraft; the DAL-C level corresponds to functions whose failure would have a major impact for the aircraft; the DAL-D level corresponds to functions whose failure would have a minor impact for the aircraft; the DAL-E level corresponds to functions whose failure would not have any consequence for the safety of the aircraft.
Thus, for example, the aircraft's flight controls correspond to a DAL-A level function; by contrast, the functions relating to the entertainment of the passengers are of DAL-E level.
The quality assurance level necessary for a function of the aircraft involves requirements relating to the quality assurance level of the various systems (computers, electrical power supplies, communication networks, etc.) used to implement this function. These quality assurance level requirements of the said systems are defined, as a function of the quality assurance level necessary for the said function, in the document Eurocae ED-79A/SAE ARP 4754A, both as regards the hardware aspect and as regards the software aspect of the said systems. Accordingly, this document defines several levels of quality assurance for the systems, these levels being likewise named DAL-A, DAL-B, DAL-C, DAL-D and DAL-E in descending order of requirements. The standards DO-254, on the one hand, and DO-178B (or DO-178C), on the other hand, specify development constraints to be complied with as a function of the quality assurance level necessary for a system, respectively for the hardware aspect and for the software aspect of the said system.
The critical functions for the flight of the aircraft (DAL-A functions) must thus be implemented by DAL-A certified systems. Moreover, certain functions, such as the flight controls, are generally implemented in a dissimilar manner on various DAL-A systems so as to avoid common breakdown modes. By contrast, the functions not exhibiting any criticality for the flight of the aircraft (DAL-E functions) can be implemented by DAL-E systems. The DAL-E level generally corresponds to systems available off the shelf commercially, sometimes called COTS (“Components Off The Shelf”).
DAL-A certified systems must undergo a lengthy and expensive development process so as to comply with the necessary level of requirements. As a result, for example, the electronic components used must be tested for several years before they can be implemented in a DAL-A system. Moreover, these components are chosen from ranges of components able to withstand severe environmental conditions, with regard both to operating temperature and to vibrations. In addition, the lifetime of an aircraft is generally several tens of years, and one and the same type of aircraft is also manufactured, in general, for several tens of years. Consequently, more than 50 or 60 years may elapse between the design of a type of aircraft and the cessation of operational use of the last aircraft of this type. Such a duration is incompatible with the duration of commercialization of the electronic components used, which is generally less than about ten years in the best cases. This compels the manufacturers of the said systems to stock the necessary components in sufficient number to ensure both the maintenance and the manufacture of the systems for new aircraft over a period of several tens of years.