Abstract: Air Traffic Management (ATM) incorporates demanding decision-making processes that combine information of diverse characteristics. ATM challenges aviators and airspace controllers with unprecedented workloads to maintain safety and cross-checking of multi-source information, including data from Unmanned Aerial Vehicles (UAVs). The challenge for future ATM Decision-Support Systems (DSS) is not only autonomous and reliable complex decision-making with minimal human intervention but also dealing with UAV ATM (UTM). This paper proposes the implementation of Ontologies for NextGen Avionics Systems (ONAS) for UTM. ONAS presents an operation framework and an ontology-based tool to support decision making in advanced ATM/UTM systems. The proposed ONAS approach includes a cognitive ATM/UTM architecture for avionics analytics. An ontological database captures information related to weather, flights, and airspace. Inference over the ontology is provided by a reasoner. The decision-making process is underpinned by the concept of Situation AWareness (SAW) as well as Situation Assessment (SA). The SAW approach proposed is intended to be initially used in civil aviation. A case study is presented based on different scenarios for an ATM/UTM system. The scenarios represent flight situations where the decisions made are supported by the proposed ONAS approach.

Abstract: Integrated Modular Avionics (IMA) as successor of conventional avionics have many advantages with respect to flexibility, re-usabilty and standardisation. Systems based on IMA consist of a generic hardware platform with a standardised hardware- and software interface and dedicated functions for module management. Due to the many possibilities with respect to hard- and software, creating an IMA architecture that fulfils requirements like redundancy, weight and costs is a comprehensive task. Tools exist that support this design step. On the other hand, if the platform and architecture is chosen, a configuration defines how system applications are integrated on the selected IMA modules and is an important aspect of the IMA development and integration process. Again, tools exist that support this design step for the various IMA module types. The challenge is to consequently re-use information of architecture definitions for configuration engineering. In the present design- and development process, configuration documents are created inefficiently from scratch. This is time-consuming, prone to errors due to misinterpretation and hard to trace and to maintain. In this work, to bridge this gap between early architecting and configuration engineering, formal transformation methods were investigated and developed. These implement an automated transformation of relevant architecture into configuration data and vice versa.

Abstract: The reliability problems of modern aircraft avionics, the influence of failures on the human-operator, the lack of information on the piloting quality during equipment failures, which is supplied to the pilot, are considered in the given article.

Abstract: Using integrated sensors carried onboard a quadrotor unmanned aerial vehicle (UAV) can be used to wind field estimation through intelligent dynamic analysis, UAV control, and sensor management. The data from UAV on-board sensors such as GPS and inertial measurement units are utilized such that no dedicated sensors (i.e., pitot tube) for wind characterization are necessary. Using the estimated ground weather conditions, the UAV performance provides a means for rapid wind field estimation. The motivation is to develop an agile and low-cost atmospheric measurements system for energy harvest and realtime mission support. The advantage of UAV versus weather balloons is the agility of the UAV to operate in constrained environments and complex terrain. The wind profile is calculated by applying algorithms that relates the attitude of the aircraft to the local wind speed and direction, sparing the payloads of external devices like multi-hole tubes. Several existing wind field estimation algorithms are evaluated and compared with the proposed Kalman Filter dynamic behavior fusion using data obtained from the wind sensors as well. Error analysis and the reasons of errors are discussed in the estimation process. The proposed UAV-based on-board avionics system can be used to improve positioning accuracy and flight stability in the spatially varying, turbulent wind circumstances.

Abstract: This paper details the way a realistic complex avionics system can be designed in an efficient way using a Model Based System Engineering tool, involving several hundreds of data and ARINC 429 and ARINC 664-P7 messages. The SCADE System Avionics Package comes with the following answers: - User friendly and fully customizable interface thanks to the support of Domain Specific Languages - Clean separation of the Functional, Software and Hardware layers, all relations maintained in a consistent way - Templates for immediate use of standard avionics protocols (ARINC 429, ARINC 664-P7, CAN provided) - Automated generation of all ICDs through powerful “hierarchical tables” that gather information from the model These means are built on top original features that are detailed in this paper; the design of an aircraft Braking System with a COM-MON architecture, 9 sub-systems, 12 partitions, 4 CPU, 2 Switch Cabinet, Dual A/B ARINC 664-P7 network, 14 Virtual Links (VL) that is first presented has demonstrated the efficiency of the tool support.

Abstract: —The paper describes the reconfiguration approach implemented in the DREAMS middleware to cope with failures and how the concepts are tested on an avionic demonstrator. 1

Abstract: Capella is a system engineering public domain tool which has been recently released by THALES. It is a model based systems engineering tool that implements the Architecture Analysis & Design Integrated Approach (ARCADIA) framework. This paper proposes a process specification, design and optimization of a distributed avionics system. Capella is used as a design tool for Distributed Integrated Modular Avionics (DIMA). The DIMA architecture has interesting power, weight and cost metrics which are highly demanded by aerospace industry. The main challenges faced by DIMA system architects are related to functions allocation and device physical allocation. This problem refers to the system functions translation into tasks and further hardware allocation. These problems are hard to solve manually due to the high number of functions in modern systems. The design and development of DIMA systems can be dramatically improved using optimization techniques. Moreover, allocation strategies based on different figure of merit can be evaluated at a smaller cost. In this paper we develop a simplified DIMA model using the Capella tool and the framework ARCADIA. The model is extended using viewpoints for specifying additional system constraints. Model parameters are extracted to specify a binary integer problem for the system allocation process automation. Different cost functions are evaluated for a simple study case.

Abstract: Avionics networks rely on a set of stringent reliability and safety requirements. In existing deployments, most of these networks are based on a wired technology, which supports these requirements. Furthermore, this technology simplifies the security management of the network since certain assumptions can be safely made, including the inability of an attacker to access the network, and the fact that it is almost impossible for an attacker to introduce a node into the network. The proposal for Avionics Wireless Networks (AWNs, currently under consideration by multiple aerospace working groups, promises a reduction in the complexity of electrical wiring harness design and fabrication, a reduction in the total weight of wires, increased customization possibilities, and the capacity to monitor otherwise inaccessible moving or rotating aircraft parts such as landing gear and some sections of the aircraft engines. While providing these benefits, the AWN must ensure that it provides levels of safety that are at minimum equivalent to those offered by the wired equivalent. In this paper, we propose a secure and trusted channel protocol that satisfies the stated security and operational requirements for an AWN protocol. There are three main objectives for this protocol. First, the protocol has to provide the assurance that all communicating entities can trust each other, and can trust their internal (secure) software and hardware states. Second, the protocol has to establish a fair key exchange between all communicating entities so as to provide a secure channel. Finally, the third objective is to be efficient for both the initial start-up of the network and when resuming a session after a cold and/or warm restart of a node. The proposed protocol is implemented within a demo AWN, and performance measurements are presented based on this implementation. In addition, we formally verify our proposed protocol using CasperFDR.

Abstract: Switched Ethernet is a technology that is profoundly reshaping automotive communication architectures as it did in other application domains such as avionics with the use of AFDX backbones. Early stage timing verification of critical embedded networks typically relies on simulation and worst-case schedulability analysis. When the modeling power of schedulability analysis is not sufficient, there are typically two options: either make pessimistic assumptions or ignore what cannot be modeled. Both options are unsatisfactory because they are either inefficient in terms of resource usage or potentially unsafe. To overcome those issues, we believe it is a good practice to use simulation models, which can be more realistic, along with schedulability analysis. The two basic questions that we aim to study here is what can we expect from simulation, and how to use it properly? This empirical study explores these questions on realistic case-studies and provides methodological guidelines for the use of simulation in the design of switched Ethernet networks. A broader objective of the study is to compare the outcomes of schedulability analyses and simulation, and conclude about the scope of usability of simulation in the desi gn of critical Ethernet networks. 1 C o n t e x t a n d o b j e c t i v e s o f t h e s t u d y Ethernet is meant in vehicles not only for the support of infotainment applications but also to transmit time-sensitive data used for the real-time control of the vehicle and ADAS functions. In such use-cases, the temporal behavior of the communication architecture must be carefully validat ed. Early stage timing verification of critical embedded networks typically relies on simulation and worst-case schedulability analysis, which basically consists in building a mathematical model of the worst possible situations that can be encountered at run-time. When the modeling capabilities of schedulability analysis is not sufficient, which given the complexity of today's architectures is in our experience in many practical situations the case (see [Na13,Na14] and § 2.4), there are typically two possibilities. The first option is to make pessimistic assumptions (e.g., modeling aperiodic frames as periodic ones), which is not always possible because for instance it may result in overloaded resources (e.g., link utilization larger than 100%). The second option is to ignore what cannot be modeled (e.g., ignoring transmission errors, aperiodic traffic, etc). Both options are unsatisfactory because they are either inefficient in terms of resource usage or potentially unsafe. In addition, it can happen that schedulability analysis tools provide wrong results, most often because the analysis' assumptions are not met by the actual implementation, or possibly because of numerical issues in the implementation (e.g., if floating point arithmetic is used), or simply because the analysis is flawed (see for instance [Da07]).

Abstract: The design of a Control Maintenance system (CMs) for an airborne platform deeply deals with the mission, the on-board systems interfaces and the identification of their behaviour in operation. This paper describes how the Model Based Systems Engineering (MBSE) was applied to an industrial test case to perform the functional design of an innovative CMs to be integrated with the aircraft Fuel system (Fs). The impact of different approaches applied when modelling the two systems and their integration through the SysML was investigated. As the IBM Rational Rhapsody® tool was used, the Harmony® methodology was applied to the CMs, while a MBSE customized approach was implemented for the Fs, even to cope with some differences in coupling an avionic system to a physical one.

Abstract: The avionics standard AFDX has been introduced to provide high speed communication for new generation aircraft. However, this switched network is deployed in a full redundant way, which leads to significant quantities of wires. To overcome this limitation, a new avionic communication network, called AeroRing, is proposed in this paper to decrease the wiring weight, while guaranteeing the required performance and safety levels. AeroRing is based on a Gigabit Ethernet technologyand implements a daisy-chain wiring scheme on a Full Duplex ring topology. First, the main features of such a proposal, and particularly the QoS and robustness management, are detailed. Then, numerical results of some Performance Indicators (PI) are illustrated to highlight its ability to guarantee the avionics requirements.

Abstract: Interval Management is a suite of ADS-B-enabled applications that allows the air traffic controller to instruct a flight crew to achieve and maintain a desired spacing relative to another aircraft. The flight crew, assisted by automation, manages the speed of their aircraft to deliver more precise inter-aircraft spacing than is otherwise possible, which increases traffic throughput at the same or higher levels of safety. Interval Management has evolved from a long history of research and is now seen as a core NextGen capability. With avionics standards recently published, completion of an Investment Analysis Readiness Decision by the FAA, and multiple flight tests planned, Interval Management will soon be part of everyday use in the National Airspace System. Second generation, Advanced Interval Management capabilities are being planned to provide a wider range of operations and improved performance and benefits. This paper briefly reviews the evolution of Interval Management and describes current development and deployment plans. It also reviews concepts under development as the next generation of applications.

Abstract: — In this paper, avionics system and control scenario of small hybrid Vertical Take-Off and Landing (VTOL) UAV will be presented. The UAV configuration is a hybrid-UAV configuration combining feature of rotary-wing UAV and fixed-wing UAV. There are two topics that will be discussed in this paper. First, avionics system of the UAV including its power system and its peripherals interfacing. Second, control system design of the UAV including flight scenario when the UAV is on transition mode/stage. Rotary-wing UAV configuration has advantages such as easy-and-s table when take-off and landing. Rotary-wing UAV also does not need special area to do take-off and landing. While Fixed-wing UAV configuration has advantages such as high maneuverability and high endurance. This hybrid UAV is designed to obtain all of this advantages. Keywords — VTOL, hybrid UAV, avionics system, control system.

Abstract: The design solutions to improve the reliability of onboard radio-electronic systems, consisting of several printed circuit units, are proposed. It is suggested to use several circuit boards, connected by nonlinear damping devices. A model of the three node system, each of which focuses a mass portion of the PCB and mounted components, and is connected by elastic links, is given. The analysis model is designed. It is shown, that the forced oscillations of the boards are extinguished with the damping device of the central node of the mounting. It is due to the fact, that some of the energy radiated by a more active oscillating board with a greater amplitude, will be repaid by the board vibrating at the same time with a lower amplitude. It will ultimately prevent the possibility of oscillations of any board at a frequency close to the resonant one. The proposed approach provides the increased reliability of onboard radio-electronic systems under the conditions of vibrational dynamic loading. A modification of the damping systems in the form of guide rollers, as well as the execution of the floating connectors on the housing of the radio-electronic unit, and the preload of the board package with elastic pad straps to the connectors, are proposed. It will ultimately reduce the mechanical impact on the radio-electronic components of the boards. Mathematical modeling of onboard radio-electronic systems structures, which confirm the validity of the theoretical calculations and design solutions, is carried out.

Abstract: Avionics networks rely on a set of stringent reliability and safety requirements. In existing deployments, these networks are based on a wired technology, which supports these requirements. Furthermore, this technology simplifies the security management of the network since certain assumptions can be safely made, including the inability of an attacker to access the network, and the fact that it is almost impossible for an attacker to introduce a node into the network. The proposal for Avionics Wireless Networks (AWNs), currently under development by multiple aerospace working groups, promises a reduction in the complexity of electrical wiring harness design and fabrication, a reduction in the total weight of wires, increased customization possibilities, and the capacity to monitor otherwise inaccessible moving or rotating aircraft parts such as landing gear and some sections of the aircraft engines. While providing these benefits, the AWN must ensure that it provides levels of safety that are at minimum equivalent to those offered by the wired equivalent. In this paper, we propose a secure and trusted channel protocol that satisfies the stated security and operational requirements for an AWN protocol. There are three main objectives for this protocol. First, the protocol has to provide the assurance that all communicating entities can trust each other, and can trust their internal (secure) software and hardware states. Second, the protocol has to establish a fair key exchange between all communicating entities so as to provide a secure channel. Finally, the third objective is to be efficient for both the initial start-up of the network and when resuming a session after a cold and/or warm restart of a node. The proposed protocol is implemented and performance measurements are presented based on this implementation. In addition, we formally verify our proposed protocol using CasperFDR.

Abstract: A multifunction avionics server provide for the execution of both certified and uncertified applications in data-serving capacities in which one certified application provides near real-time transmission of flight data recorder type of data. By combining these functions, improved aircraft monitoring is obtained without significant cost or weight penalties.

Abstract: The notion of Integrated Modular Avionics (IMA) refers to inter-connected pieces of avionics equipment supported by a wired technology, with stringent reliability and safety requirements. If the inter-connecting wires are physically secured so that a malicious user cannot access them directly, then this enforces (at least partially) the security of the network. However, substituting the wired network with a wireless network — which in this context is referred to as an Avionics Wireless Network (AWN) — brings a number of new challenges related to assurance, reliability, and security. The AWN thus has to ensure that it provides at least the required security and safety levels offered by the equivalent wired network. Providing a wired-equivalent security for a communication channel requires the setting up of a strong, secure (encrypted) channel between the entities that are connected to the AWN. In this paper, we propose three approaches to establish such a secure channel based on (i) pre-shared keys, (ii) trusted key distribution, and (iii) key-sharing protocols. For each of these approaches, we present at least two representative protocol variants. These protocols are then implemented as part of a demo AWN and they are then compared based on performance measurements. Most importantly, we have evaluated these protocols based on security and operational requirements that we define in this paper for an AWN.

Abstract: Considering the transformation in roles of existing air traffic management technologies, future flight operations and flight deck systems will need additional avionics and operational procedures that involve adaptive algorithms and advanced decision support tools. The main purpose of this article is to provide a theoretical framework for tactical 4D-trajectory planning and conflict resolution of an aircraft equipped with novel automation tools. The proposed 4D-trajectory-planning method uses recent algorithmic advances in both probabilistic and deterministic methods to fully benefit from both approaches. We have constructed an aircraft performance model based on Base of Aircraft Data 4 with high-level hybrid flight template automatons and low-level flight maneuver automatons. This multi-modal flight trajectory approach is utilized to generate cost-efficient local trajectory segments instead of solving complex trajectory-generation problems globally. The proposed sampling-based trajectory planning algorith...

Abstract: Modern aviation data suggest that there are more than 400,000 no fault found (NFF) cases per year, where a false alarm is given and no fault is detected after investigation. The NFF cost was estimated to be over $2Bn per year in 2013. The existence of the NFF phenomenon has a negative impact upon avionics systems safety, availability and life cycle cost. Therefore, it is important to reduce the negative impact of NFF events. Intermittent failures are the leading causes of NFF events in avionics systems. In this study, we consider a line replaceable unit (LRU) subject to permanent and intermittent failures with an arbitrary law of failure time distribution. We assume that LRU is continuously tested and both types of failures are automatically detected by the built-in test equipment (BITE). When the LRU is rejected, the replacement is carried out. Dismantled LRUs are directed to repair facilities for re-testing, and if necessary, repairing. A mathematical model is developed to determine the LRU availability and the mean time between unscheduled removals (MTBUR). Different variants of avionics maintenance management are considered for warranty and post-warranty period. MTBUR, total expected cost (TEC), and availability of redundant systems are determined for each variant of warranty and post-warranty avionics maintenance management. Numerical examples demonstrate the efficiency of each variant of avionics maintenance management. It is shown that excellent economic efficiency has the variant of post-warranty maintenance with automatic test equipment (ATE) and intermittent fault detector (IFD).

Abstract: Real-time embedded systems are present in various application domains such as automotive, aeronautical, space, and telecommunications. Avionics systems (i.e., aviation electronics) represent a specialized class for the aerospace branch. It is a fact that avionics are getting more and more complex considering functionality and design and also using an increased number of digital computer resources. Besides the safety-critical aspect, performance and power consumption have also to be taken into consideration for new designs. Therefore, it is needed to adopt new system capabilities like runtime reconfiguration. In this context, modern system-on-chip (SoC) composed by heterogeneous hardware (i.e., microcontroller and field-programmable gate arrays — FPGA) can figure as an alternative solution. Then, reconfiguration is allowed to take place in runtime, which makes FPGA-based devices interesting for future avionics systems design. Considering this scenario, we introduce in this paper a runtime reconfiguration design implemented using a SoC. Basically, two different areas comprise the SoC hardware architecture: a hard processor area and a reconfigurable area. The former has the authority to manage which configuration will be programmed/used in a given time. The developed design enables both full and partial reconfiguration. In the research work results, we show how different kinds of configuration bitstream modes (i.e., and/or, scrub, scrub clear/set) and data compression impact the system's performance and power consumption. For instance, one full reconfiguration bitstream with no data compression takes ∼29 ms to complete with average power consumption of ∼42 mW. On the other hand, a given partial reconfiguration (and/or mode) takes ∼2.73 ms to complete with ∼22 mW average power consumption. Finally, our proposed design opens up the possibility to optimize a system towards adaptability to comply with real-time constraints changing regarding performance and power consumption.

Abstract: This paper presents a new approach in satellite platform design. While traditionally the design of technology demonstration- or scientific missions is driven by the requirements of the payload, the focus of our approach lies on using avionics technologies developed by the German Aerospace Center (DLR) as the core components of the satellite bus. These components will then drive the design of the Small Satellite Technology Platform, in short S2TEP. This methodology change towards a technology-driven approach results from the long-term goals identified for future in-house space missions, as there are a cost effective platform design, a shorter development time, short-term design adaptions and the ability to carry out own research and development activities which lead to a deeper design understanding. The accomplishment of these goals also requires a change within the satellite's model philosophy, a new development process and a flexible and highly autonomous ground segment. The first instantiation of the S2TEP platform will be a satellite in the micro-satellite class. During this project the needed avionics technologies will be further developed up to a Technology Readiness Level (TRL) mature enough to be integrated in the flight model for the first mission. By separating mission- and bus-development it is ensured that the payload does not influence the bus design too much. Though, a reference mission will be designed to set an interface to and an envelope for possible payloads. The DLR avionics technologies to be used for the S2TEP core avionics consist of the Onboard Computer (OBC), the Power Condition and Distribution Unit (PCDU) and the Transceiver-unit. All of these components are designed taking scalability into account - concentrating not only on performance parameters but also on quality aspects, like the migration path for all used electronic parts towards space qualification. Taking the OBC as an example, the scalability up to the next higher class of satellites will be presented within this paper.

Abstract: Avionics implementation with less cables will clearly improve the efficiency of aircraft while reducing weight and maintenance costs. To fulfill these emerging needs, an innovative avionics communication architecture, based on Gigabit Full Duplex Ethernet ring, is proposed in this paper. To adapt this COTS technology to safety-critical avionics, an adequate tuning process of the communication protocol and the choice of reliability mechanisms to achieve timely and reliable communications are first detailed. Then, efficient timing analyses of such a proposal based on Network Calculus are conducted, accounting the impact of a ring topology and the specified reliability mechanisms. Third, these general analyses are illustrated in the case of a realistic avionic application, to replace the AFDX backup network with AeroRing, to reduce wires, while guaranteeing timely communications.

Abstract: Many interactional issues with Flight Management Systems (FMS) in modern flight decks have been reported. Avionics designers are seeking for ways to reduce cognitive load of pilots with the aim to reduce the potential for human error. Academic research showed that touch screen interfaces reduce cognitive effort and provide an intuitive way of interaction. A new way of interaction to manipulate radio frequencies of avionics systems is presented in this paper. A usability experiment simulating departures and approaches to airports was used to evaluate the interface and compare it with the current system (FMS). In addition, interviews with pilots were conducted to find out their personal impressions and to reveal problem areas of the interface. Analyses of task completion time and error rates showed that the touch interface is significantly faster and less prone to user input errors than the conventional input method (via physical or virtual keypad). Potential problem areas were identified and an improved interface is suggested.

Abstract: The development of distributed and fault tolerant avionics systems from the first drafts to the finalization of the certification process is complex, resource intensive (financial and man power) and involves high risks. Therefore, implementations like fly-by-wire systems are usually limited to the FAR25 (CS25) domain. Previous research at the Institute of Aircraft Systems at University of Stuttgart was focused on the development of an avionics platform and a tool suite for a cost-efficient development process for class 23 and class 25 aircraft. Now, the aim is to extend the platform idea towards certification. In doing so, the generation of the specification documentation and testing activities shall be automated while avoiding tool qualification where feasible. This paper presents an approach for the documentation generation and provides an outline to interface with the testing activities.

Abstract: We model avionics self-adaptive software as a multi-agent system using the BDI (Belief Desire Intention) model of agency. Such a model sufficiently represents several properties of avionics self-adaptive software. We illustrate formal verification of functional requirements related to safety of such software using Boolean predicate abstractions and model checking. Our proposed approach is illustrated using a case study involving BDI model of a flight management system with a proto-type involving appropriate tools.

Abstract: Safety critical software systems are defined to be those systems that should unanticipated failure occur, there could be the harm to life or property. All software life-cycle development methodologies place emphasis on the requirements elicitation and analysis, as this is the most crucial phase of the development life-cycle. This is because many system failures have their genesis at the point of requirements definition and analysis. Avionic software system development is an important and expanding area of work. There are universally established specifications for software development in avionics, which have been recently updated. The work that is presented in this paper, describes a research effort for defining a model-based software development life-cycle for avionic software system development that is based on a universally accepted specification standard, and focused on the requirements capture and modeling phase of the life-cycle.

Abstract: The invention provides a utility aircraft airborne electronic system based on a unified processing platform, comprising a flight display, a unified processing platform, an atmosphere navigation attitude acquisition unit, an operation control panel and a unified network bus which are interconnected, wherein the unified processing platform comprises a power supply module (PSM), a public processing module (CPM), a universal interface module (IOM), a radio frequency interface module (RFM), an audio frequency interface module (AUDIO) and an actuation control module (ACM), wherein the PSM inputs an airborne +28V DC normal power source and a +24V DC emergency power source which are then converted to a +12V DC power source required for the internal modules of the platform, the atmosphere navigation attitude acquisition unit and the operation control panel. The utility aircraft airborne electronic system based on the unified processing platform, provided by the invention, can further improve the system safety, can flexibly adapt to requirements of aircrafts of different types, and can realize function integration of different fields, such as utility aircraft avionics, flight control, flight management and air control.