What if avionics computers could be taken from the shelf and configure themselves after being installed? What if system function development could restrict to the pure function and safety is for free? Wouldn’t this enable advanced automation and comfort for vehicles where complex safety-critical digital functions are unaffordable today, i.e. CS-23, personal air vehicles, drones or even cars? This is the long-term vision of a research group in Stuttgart, Germany, pursued as so-called plug&fly avionics.

Standardization of avionics reduced development cost, weight and volume. The most popular representative is integrated modular avionics (IMA). Although being very successful and de-factor standard for modern avionics systems, there are some open challenges. There seems to be a research necessity for taming design freedoms, qualification effort and configuration complexity.

The dream is developing advanced automating systems functions, which can be challenging enough, and getting safety, qualification, integration and configuration for free. It is not clear if these desires will ever be fully achievable, but it is a long-term research topic at the Institute of Aircraft Systems (ILS) at the University of Stuttgart, Germany, addressed under “plug&fly avionics.”

On the road to plug&fly, many issues concerning technology and qualification have to be solved. For some issues, the solutions were already proposed, for instance with the flexible avionics platform approach, the adaptive avionics platform or computer-aided avionics architecture optimization. For other issues, the concepts are evaluated right now.

This article summarizes the current research and its results at the ILS and shows how this shall lead to plug&fly avionics. An intermediate result is the open avionics architecture model (OAAM).

Challenges in Avionics Research

A major motivation for research is that the time and money necessary for the development of safety-critical digital systems must often be multiplied by a factor of 100 compared to the development of the pure non-safety-critical desired function. This causes functions as fly by wire, which are state-of-the art for decades in civil aviation, to be still almost unavailable in general aviation. In the focus of our research are model-driven approaches for the planning, development, integration and testing of avionics systems in order to reduce the effort and to make advanced safety-critical digital systems available where they are unaffordable today.

Computer-Aided Avionics System Optimization

A state-of-the-art civil aircraft’s avionics system has approximately 4,000 functions, 100 standardized avionics computers as well as 2,000 sensors and actuators. The numbers are increasing with every aircraft generation, such that designing the system manually and stating its optimal is hardly possible. However, many of the design tasks during avionics system design can be formulated as combinatorial optimization problems. The challenge is to find mathematical representations that allow for an efficient solving of problems of the size of real architectures and the incorporation of multiple and contradicting design objectives. One such a method was developed based on a domain-specific model for avionics architectures and the seamless transformation in multi-objective optimization problems. Handled problems are, for instance, function allocation, network topology optimization and device sizing. Investigations on real vehicles revealed a hidden improvement potential of up to 30%.

Model-Driven Automated Instantiation of safety-Critical Systems (Flexible Avionics Platform Approach)

Modern aircraft’s avionics host approximately 50 systems, which all require redundancy and failure management to achieve the required safety. There is, however, almost no reuse of the so-called system management part. System management covers signal rectification, fault-detection and redundancy management. As a simplification, the flexible avionics platform approach was developed. This approach comprises generic avionics hardware, a safety-critical middleware and a model-driven and highly automated development process. The specification of the avionics system is created with a formal model, from which the implementation, configuration and tests are derived by model-transformations. System functions are specified simplex-minded, i.e. without redundancies. Necessary redundancies, voting and monitoring are added automatically. This significantly reduces the development effort. It enabled to equip two general aviation aircraft with fly-by-wire systems. Both operate with a permit to fly. Ongoing research aims at the automated generation of tests and qualification documents in the so-called AAA process, targeting a DAL A qualification of the platform.

Self-Configuring Avionics (Adaptive Avionics Platform)

Integrating an avionics system composed of standardized computers requires usually millions of configuration parameters that specialize the modules and bus systems at its certain positions. Creating and qualifying the configuration parameters allocates a significant portion of the time and budget of the development process. This is true for IMA systems, where we have redundant system structures and a highly concurrent configuration process, but even more for cabin systems, where we have a large number of variants of the system even within the same aircraft type. Moreover, the cabin system undergoes frequent changes and updates. These configuration challenges are addressed with self-configuring avionics. The adaptive avionics platform is composed of modules that detect their connection topology and connected peripherals while a configuration supervisor is attached. The modules use a formal knowledge model to maintain the information. With the information from the knowledge model, drivers, applications and communications are automatically instantiated. After the removal of the configuration supervisor, the system behaves like a statically configured avionics system. It has, however, some inherent fault tolerances. An adaptive cabin management system (ACMS) was built to establish its normal operation with almost no human configuration approximately two minutes after the self-configuration process is started [10].

The Future: Plug&Fly Avionics

Plug&fly avionics is the concept of an avionics platform that is completely self-organizing in terms of configuration, failure management and qualification. As depicted in Figure 1, it is composed of modules that dynamically detect the connection topology, capabilities and actual resource consumption. This information is managed in a common platform consciousness. The consciousness is complete in the sense that it allows for reliable decisions on function allocation, redundant instantiations and reconfigurations. Besides the topology, this requires information about hardware reliabilities, latencies and synchronicity. Functions for a plug&fly system need to be defined differently. A function shall be composed of prequalified blocks and include information about failure conditions, max occurrence probabilities and failure propagation. Like with the flexible platform approach, a simplex-minded definition of the system function shall be sufficient, i.e. the pure function without redundancy or failure management. Safety is managed by the platform by deriving the appropriate system-management and redundancy. Current research aims at technical foundations of plug&fly, i.e. topology detection, self-organization algorithms and formal consciousness modeling. A first result is the open avionics architecture model (OAAM), which is designed to be the plug&fly consciousness and function definition language.

The Open Avionics Architecture Model (OAAM)

The challenge was to derive a formal model, which is rigid enough to allow for computer processing, but is generic enough to represent all current avionics technologies, as well as future technologies, such as optics or wireless communication. The result is the open avionics architecture model (OAAM) visualized in Figure 2. OAAM holds the avionics architecture in terms of software, hardware and physical installation (anatomy). Moreover, it includes all information necessary to decide if an avionics architecture is valid. This includes resource information as well as safety and performance restrictions. It is generic since the basic architecture building blocks are defined within the model, i.e. the resources, capabilities and inner composition of any hardware or connection type is defined generically within OAAM. The nine layers of OAAM respect the traditional development process. Since they are almost independent, they allow for in concurrent development of the avionics system definition. Therefore, OAAM is viable for being used online as the plug&fly consciousness, but also for offline avionics architecture planning and optimization. OAAM is based on the Eclipse Modeling Framework and the meta-modeling language ECORE. Only modeling concepts are used that result in deterministic structures, which allow for an integration in safety-critical embedded system. The model and the Eclipse framework of OAAM (Figure 3) are available as open source under www.oaam.de.

Conclusion

Model-driven approaches can simplify the development process of safety-critical digital avionics systems. The flexible platform, the adaptive platform and architecture optimization achieved signification simplifications, but the ultimate goal is plug&fly avionics. With the OAAM, a first step was made in the direction of a realization. However, it is expected that more than a decade passes until we see plug&fly in the air. One of the biggest challenges is the safe, trustworthy and qualified operation of a plug&fly system. The traditional certification process can only be applied to the initial setup. For all later self-organizations qualified self-verification methods and acceptable means of compliance have to be developed. AVS