IMPLEMENTING SYSTEM WIDE INFORMATION MANAGEMENT (SWIM) FOR ATM SYSTEMS USING A DISTRIBUTED MILS ARCHITECTURE

System Wide Information Management (SWIM) is attracting more and more interest as a design concept for Air Traffic Management (ATM). It improves data exchange between various applications in different domains such as flight data management, weather, and aeronautical information management and thereby enables new and improved services. Driven by emerging technologies, such as cloud computing and high-speed wide area networks, advanced system integration, like voice and data integration, becomes technically feasible. However, as ATM is a safety-critical technology great care must be taken, such that the information exchange remains secure and timely. This is a non-trivial design challenge, given that the producers and consumers of information, as well as the information itself, frequently reside in different domains, necessitating some form of cross domain solution. Enabling SWIM is an evolutionary change for ATM. Although many building blocks are already available, a full SWIM deployment will take time. While current functionality is based on historically grown technical restrictions, a performance-based and most efficient approach requires new paradigms to organize the commonly shared information and develop and deploy the associated changes in the different user systems and applications. We, therefore, propose MILS (Multiple Independent Layers of Safety and Security) as architecture to realize an integrated voice and data service in the context of SWIM. A MILS node implements a minimum separation kernel, which is in charge of controlling the information exchange between the applications a MILS node hosts. The minimalistic design allows the separation kernel to be exhaustively tested and formally verified. Furthermore, information exchange between applications needs to be statically configured in a whitelisting fashion. Together, the separation kernel and the static configuration, guarantee the absence of unintended information exchange. The MILS architecture scales also to distributed systems, resulting in a distributed MILS (D-MILS) architecture. This extension requires a deterministic communication platform such as TTEthernet that guarantees message delivery in a network. This paper describes how ATM voice and data services take advantage of a D-MILS architecture focusing on use cases that require a separated deployment either to achieve system separation in terms of safety requirements (e.g., main and backup system), or in order to process data in a sensitive domain that is separated from a public environment. Use cases are derived from Communication Services that represent a unique class of communications equipment that serves very special purposes in safety of life critical and security sensitive areas.