1. Patent Search
  2. Details

AIRCRAFT SYSTEM AND METHOD

20230166568 · 2023-06-01

    Inventors

    Cpc classification

    International classification

    Abstract

    A method of communicating configuration data of a tire pressure monitoring device configured to be affixed to a wheel in use. The method includes, at the tire pressure monitoring device, receiving a request to confirm configuration data, and responsive to receipt of the request to confirm configuration data, transmitting a configuration data signal which encodes the configuration data. The configuration data signal is configured to be received and understood by a human. The configuration data signal is indicative of any of an aircraft wheel location at which the tire pressure monitoring device is intended to be located, and a security code representative of security parameters of the tire pressure monitoring device

    Claims

    1. A method of communicating configuration data of a tire pressure monitoring device configured to be affixed to a wheel, the method comprising, at the tire pressure monitoring device: receiving a request to confirm the configuration data; and responsive to the receipt of the request to confirm the configuration data, transmitting a configuration data signal which encodes the configuration data; wherein the configuration data signal is configured to be received and understood by a human, and wherein the configuration data signal is indicative of any of an aircraft wheel location at which the tire pressure monitoring device is intended to be located, and a security code representative of security parameters of the tire pressure monitoring device.

    2. The method as claimed in claim 1, wherein the configuration data signal comprises a visual signal, and the visual signal is transmitted using a visual indicator of the tire pressure monitoring device.

    3. The method as claimed in claim 2, wherein the visual indicator comprises a light source, and the method further comprises selectively illuminating the light source to transmit the configuration data signal.

    4. The method as claimed in claim 3, wherein the configuration data signal comprises a number, and the selective illumination of the light source comprises encoding the number into an illumination sequence representing individual digits of the number.

    5. The method as claimed in claim 1, wherein the configuration data signal comprises an audible signal, and the audible signal is transmitted using a transducer of the tire pressure monitoring device.

    6. The method as claimed in claim 1, wherein the configuration data signal comprises a start signal indicating a start signal indicating a star of transmission, an end signal indicating an end of the transmission, and an intermediate signal indicative of configuration data stored in the tire pressure monitoring device.

    7. The method as claimed in claim 6, wherein the start signal comprises a first type of signal, the intermediate signal comprises a second type of signal, and the end signal comprises a third type of signal.

    8. The method as claimed in claim 7, wherein the first type of signal comprises a first color light, the second type of signal comprises a second color light different to the first color light, and the third type of signal comprises a third color light different to the first and second colors of light.

    9. The method as claimed in claim 1, wherein the configuration data signal comprises a plurality of sub-signals, each of the sub-signals comprising a start signal indicating a start of transmission of the sub-signal, an end signal indicating an end of transmission of the sub-signal, and an intermediate signal indicative of at least a portion of configuration data stored in the tire pressure monitoring device.

    10. The method as claimed in claim 9, wherein each sub-signal is confirmed as being received and understood by a human before a next sequential sub-signal is transmitted.

    11. The method as claimed in claim 1, wherein the method further comprises transmitting an alert indicating that the transmission of the configuration data signal is about to begin.

    12. The method as claimed in claim 1, wherein the tire pressure monitoring device comprises a trusted tire pressure monitoring device, and the method further comprises: verifying, by a human, that the configuration data of the tire pressure monitoring device matches expected configuration data, and verification by a human that the configuration data of the trusted tire pressure monitoring device matches expected configuration data takes place using an untrusted device.

    13. The method as claimed in claim 12, wherein the expected configuration data comprises a security code representative of security parameters of a further tire pressure monitoring device.

    14. The method as claimed in claim 12, wherein a request to confirm configuration data is submitted via a short-range communication protocol.

    15. The method as claimed in claim 12, wherein the method further comprises: transmitting the configuration data signal to a further trusted tire pressure monitoring device, and subsequently transmitting the configuration data signal from the further trusted tire pressure monitoring device to be received and understood by a human.

    16. A tire pressure monitoring device configured to perform the method claimed in claim 1.

    17. A tire pressure monitoring device comprising: a memory configured to store configuration data, a light source, and a processor configured to selectively illuminate the light source to transmit a signal indicative of the configuration data stored in the memory, wherein the configuration data includes any of an aircraft wheel location at which the tire pressure monitoring device is intended to be located, and a security code representative of security parameters of the tire pressure monitoring device.

    18. An aircraft comprising a tire pressure monitoring device as claimed in claim 17.

    Description

    BRIEF DESCRIPTION OF THE DRAWINGS

    [0034] Embodiments of the invention will now be described, by way of example only, with reference to the accompanying drawings, in which:

    [0035] FIG. 1 is a schematic view of a tire pressure monitoring device according to an example.

    [0036] FIG. 2 is a schematic illustration of a first signal indicative of configuration data of a tire pressure monitoring device;

    [0037] FIG. 3 is a schematic view illustrating a first example method of communicating configuration data of a tire pressure monitoring device;

    [0038] FIG. 4 is a schematic illustration of a second signal indicative of configuration data of a tire pressure monitoring device;

    [0039] FIGS. 5A to 5G are schematic views illustrating a display of an untrusted device used to verify the signal of FIG. 4;

    [0040] FIG. 6 is a schematic view illustrating a second example method of communicating configuration data of a tire pressure monitoring device;

    [0041] FIG. 7 is a schematic view of a first network of tire pressure monitoring devices according to an example;

    [0042] FIG. 8 is a schematic view illustrating a method of operating the network of FIG. 7;

    [0043] FIG. 9A is a schematic illustration of a third signal indicative of configuration data of a tire pressure monitoring device;

    [0044] FIGS. 9B and 9C are schematic views illustrating a display of an untrusted device used to verify a location indication in the signal of FIG. 9A;

    [0045] FIG. 10 is a schematic view illustrating an aircraft comprising the tire pressure monitoring device of FIG. 1 or the network of FIG. 7;

    [0046] FIG. 11 is a schematic illustration of a fourth signal indicative of configuration data of a tire pressure monitoring device;

    [0047] FIGS. 12A and 12B are schematic views illustrating a display of an untrusted device used to verify the signal of FIG. 11;

    [0048] FIG. 13 is a schematic illustration of a third signal indicative of configuration data of a tire pressure monitoring device;

    [0049] FIGS. 14A to 14F are schematic views illustrating a display of an untrusted device used to verify the signal of FIG. 13; and

    [0050] FIG. 15 is a schematic illustration of a second network of tire pressure monitoring devices according to an example.

    DETAILED DESCRIPTION

    [0051] A tire pressure monitoring device 10 according to an example is shown schematically in FIG. 1. The tire pressure monitoring device 10 comprises a processor 12, a memory 14, a transceiver 16, a visual indicator or display which is an LED 18 in this example, a sensor 19 and a power source 21.

    [0052] The processor 12 may be any suitable processor including single and multi-core processors, an Application Specific Integrated Circuit (ASIC) or like. The processor 12 is communicatively coupled to the transceiver 16, the LED 18, the memory 20 and the sensor 21.

    [0053] Memory 14 is a flash memory that stores configuration data 20 and also computer readable instructions for execution by the processor 12 in operation, although it will be appreciated that other types of memory may be used. The configuration data 20 can therefore be updated as required with configuration data. A reference tire pressure is stored in the configuration data 20. Additional data can also be stored in the configuration data 20, for example an aircraft identifier (such as an aircraft Tail identifier) and a wheel position. The configuration data 20 in some examples may further include a security code which is indicative of security parameters generated by the tire pressure monitoring device 10 during configuration. In some examples the security code is a numerical value, which may be generated using a hash function based on the remaining parameters of the configuration data, such as reference tire pressure, aircraft identifier and wheel location, along with any security keys of the tire pressure monitoring device 10. It will be appreciated that the hash value may be truncated to provide a security code of an appropriate length.

    [0054] Transceiver 16 is an appropriate transceiver capable of receiving a request to confirm the configuration data 20. In this embodiment, the transceiver 16 comprises a short-range radio signal transceiver operating according to the NFC protocol. It will be appreciated, however, that other communication protocols may be used, including, for example, a Bluetooth low energy (BLE) communication protocol. When the transceiver 16 receives a request to confirm the configuration data 20, the processor 12 encodes the configuration data 20 stored in the memory 14 of the tire pressure monitoring device 10, and transmits a signal 22 indicative of the configuration data 20 via the LED 18 to a user 24 observing the tire pressure monitoring device 10. Here the LED 18 is a three-colour LED which is capable of displaying red, blue, and green coloured light. Other examples may use a different number of colours of light than three and/or use other colours than red, blue, and green. In examples herein, the user 24 is a human.

    [0055] An example of the signal 22 is shown schematically in FIG. 2, where the signal encodes a reference tire pressure stored in configuration data 20 of the tire pressure monitoring device 10. Checking a reference tire pressure has been correctly stored in a tire pressure monitoring device is an important part of setup to confirm correct operation after configuration. It is possible that the configuration data is corrupted and stores an incorrect value, or an incorrect value may have been loaded in error or by a bad actor. The consequences of an incorrect reference tire pressure level in use may be severe, for example making a tire blow-out more likely if the tire is operated at too low a pressure.

    [0056] As shown in FIG. 2, the reference tire pressure of the tire pressure monitoring device 10 is 178 PSI (1.23 MPa). The signal 22 as a whole has a start signal 26 in the form of a green flash of light from the LED 18, and an end signal 28 in the form of another green flash of light from the LED. The signal 22 is split into a number of sequential sub-signals 30, with each sub-signal 30 being representative of a digit of the reference tire pressure. Each sub-signal 30 has a start signal in the form of a green flash of light from the LED 18, an end signal in the form of another green flash of light from the LED 18, and an intermediate signal in the form of a flash/a number of red flashes of light from the LED 18.

    [0057] As shown in FIG. 2, the start of the first sub-signal 30 is coincident with the start signal 26 of the overall signal 22, and the end of the last sub-signal 30 is coincident with the end signal 28 of the overall signal 22, such that the start 26 and end 28 signals resemble prolonged flashes of the LED 18. Furthermore, a flash of the LED to indicate the end of the first sub-signal 30 also functions as a start signal of the second sub-signal.

    [0058] In the signal 22, the intermediate signals of each sub-signal 30 encode and are indicative of the reference tire pressure. For example, in the first sub-signal 30, there is one flash of red light from the LED 18, indicating that the first digit of the reference tire pressure is the number “1”. In the second sub-signal 30, there are seven flashes of red light from the LED 18, indicating that the second digit of the reference tire pressure is the number “7”. In the third sub-signal 30, there are eight flashes of red light from the LED 18, indicating that the third digit of the reference tire pressure is the number “8”. Thus, the LED 18 can be used to output the signal 22 to the user 24, with the signal 22 being in a manner that is easily receivable and understandable by the user 24. The duration of each flash can be chosen depending on the length of the overall sequence and the length of flash needed to be clear to the user 24, and in the example of FIG. 2 each flash is 0.5 s long. In other examples, the colour of the flashes can be different, for example with a different colour of light being used for each digit of the reference tire pressure so that a first colour indicates “units”, a second colour indicates “tens” and a third colour indicates “hundreds”.

    [0059] Once the signal 22 is received by the user 24, the user 24 may take appropriate action to confirm that the reference tire pressure stored in the memory 14 is correct, or may take appropriate remedial action if the reference tire pressure is incorrect. In some examples, the user 24 uses an untrusted device 32, for example a mobile phone or tablet computer running an application, to verify the configuration data 20. As the user 24 can be taken to be a trusted source, and the tire pressure monitoring device 10 is itself a trusted source, the untrusted device 32 can be used to input the user’s verification of the configuration data 20. For example, the untrusted device 32 can display a prompt with an expected reference pressure. The verification can be trusted because it occurs between the user 24 (who is trusted) and tire pressure monitoring device 10 (which is trusted because of its certification to a particular DAL).

    [0060] Whilst the tire pressure monitoring device 10 is depicted in FIG. 1 as comprising an LED 18, and the signal 22 comprises flashes of the LED 18, it will be appreciated that in another embodiment the tire pressure monitoring device 10 may comprise a transducer in the form of a beeper or speaker, and that that the signal 22 may instead comprise audible noises instead of flashes of light. In other examples the signal may additionally or alternatively take the form of any of a signal displayed on an LCD screen in the form of flashing lights, pictures, or text. Similarly, other examples may display flashing lights, pictures or text on an LED matrix display.

    [0061] A method 100 of operating the tire pressure monitoring device 10 is shown schematically in FIG. 3. The method 100 comprises receiving 102 a request to confirm the configuration data 20 of the tire pressure monitoring device 10 at the transceiver 16. Responsive to the request, a configuration data signal 22 encoding the configuration data 20 is transmitted 104 by the LED 18.

    [0062] In another example, a signal 22′ takes a different form, as illustrated schematically in FIG. 4. In this instance, sub-signals 30′ are discrete signals separate from one another. This allow the signal 22′ to be split such that each sub-signal 30′ is easily recognisable and verifiable by a user. In this example, an untrusted device 32 may communicate with a tire pressure monitoring device 10, and the tire pressure monitoring device 10 may cause a sequence of discrete sub-signals 30′ to be provided in response to instructions received over the receiver from the untrusted device.

    [0063] For example, in response to a request from the user 24, submitted via the untrusted device 32, to check or determine the configuration data stored in a tire pressure monitoring device 10, a first message indicating what form a first sub-signal 30′ will take is displayed on the untrusted device 32. This first message is shown schematically in FIG. 5A. It provides data of what the reference pressure is expected to be, in this case 178 PSI (equivalent to 1.23 MPa, or 12.3 BAR), and of what signal is expected to be provided by the tire pressure monitoring device 10. In this case the signal is one red flash, indicating the digit 1, and one green flash, indicating the end of a sub-signal for that digit. The user 24 interacts with a user interface element 52 on the untrusted device 32 to cause the first sub-signal 30′ to be transmitted by the LED 18. In this case, the user interface element is a button displayed on a touch screen of the untrusted device 32 which displays the text “go”. In response to activation of the user interface element 52, such as by a tap, the untrusted device 32 transmits a signal to the tire pressure monitoring device 10 to cause it to transmit or communicate the first sub-signal 30′. Meanwhile, the untrusted device 32 displays a first verification message, allowing the user 24 to indicate that the first sub-signal 30′ has been received and understood by a user interface element 54, as shown schematically in FIG. 5B. A message is also provided to remind the user what they should have observed, in this case one red flash.

    [0064] When the user interface element 54 is activated, such as by a tap on a touch screen of the untrusted device 32, a second message indicating what form a second sub-signal 30′ will take is displayed on the untrusted device, as shown schematically in FIG. 5C. Again, this states the reference pressure and what the next signal is expected to be, in this case seven red flashes for the digit 7 followed by a green flash to indicate the end of the sub-signal. A user interface element 56 is provided which, when selected by the user, causes the tire pressure monitoring device 10 to transmit or communicate the second sub-signal 30′, in the same way as described above for FIG. 5A. Once the second sub-signal 30′ has been transmitted, a second verification message is displayed on the untrusted device 32, shown schematically in FIG. 5D. A user can confirm the second sub-signal 30′ has been observed by interacting with a user interface element 58, in the same as described above for FIG. 5B.

    [0065] Next, a third message indicating what form a third sub-signal 30′ will take is displayed on the untrusted device 32, as shown schematically in FIG. 5E. Again, this includes the reference pressure and an indication that the third sub-signal 30′ will comprise eight red flashes, corresponding to the digit 8. As discussed above with reference to FIG. 5A, the user interacts with a user interface element 60 that causes the third sub-signal 30′ to be transmitted or communicated by the LED 18. Once the third sub-signal 30′ has been transmitted, a third verification message 62 is displayed on the untrusted device, allowing the user to indicate that the third sub-signal 30′ has been received and understood, as shown schematically in FIG. 5F.

    [0066] Finally, a confirmation message is displayed on the untrusted device 32 once all sub-signals 30′ have been received, as shown schematically in FIG. 5G. Although described here with reference to three sub-signals, it will be recognised that the number of sub-signals may vary depending on the configuration data requested. Other configuration data than pressure may be indicated and alphabetical data as well as numerical data can be communicated. Other encoding schemes can also be used, for example Morse code, but a direct correlation between a numerical value and the number of flashes has the benefit of requiring no specific user knowledge and potentially more reliable to recognise.

    [0067] As discussed above with reference to FIGS. 5A to 5G, only a single user interface element is displayed to allow the user to provide positive confirmation. A timer may be associated with each screen after which a negative result may be assumed and the process terminates without confirmation. Alternatively a specific negative option, to cancel the process or to indicate that the observed sequence did not match that which was expected, can be included in the user interface to allow a user to indicate that the data has not been confirmed.

    [0068] This process allows an untrusted device to guide a user through the process because if the untrusted device attempts to mislead the user as to the configured pressure, the user, who is trusted, will notice that the signal from the tire pressure monitoring device does not match what is expected. Similarly, the use of a simple encoding where the number of flashes matches the digit, a user can identify potential false guidance on the untrusted device. If any of the observed sub-signals 30′ are noted by the user as not being received or understood, a user interface element on the untrusted device 32 may be used to indicate this, and the user 24 may be required to repeat a configuration of the tire pressure monitoring device 10 and/or conduct further analysis and/or replace the tire pressure monitoring device 10.

    [0069] The process enables the user to identify any of incorrectly entered configurations, a faulty tire pressure monitoring device 10, a faulty untrusted device 32, and a malicious application running on the untrusted device 32.

    [0070] A further example method 200 of operating a system comprising the tire pressure monitoring device 10 and the untrusted device 32 is shown schematically in FIG. 6, with the signal 22′ taking the form depicted in FIG. 4.

    [0071] The method 200 comprises submitting, at block 202, a request for configuration data from the tire pressure monitoring device using the untrusted device 32, by interacting with the user interface of the untrusted device 32. In response to the request, a start transmission option is chosen, at block 204, by interacting with the user interface of the untrusted device. The first sub-signal 30′ is transmitted at block 206, and a user is required to verify at block 208 that the first sub-signal 30′ has been correctly received by interacting with the user interface of the untrusted device 32. A start transmission option is chosen 210 for the second sub-signal 30′, again interaction with a user interface of the untrusted device 32. The second sub-signal 30′ is transmitted at block 212, and a user is required to verify at block 214 that the second sub-signal 30′ has been correctly received by interacting with the user interface of the untrusted device 32. A start transmission option is then chosen at block 216 for the third sub-signal 30′, again using a user interface of the untrusted device 32. The third sub-signal 30′ is transmitted at block 218, and a user is required to verify at block 220 that the third sub-signal 30′ has been correctly received, using the user interface of the untrusted device 32. The transmission sequence is then ended 222.

    [0072] In such a manner, the method 200 may transmit the sub-signals 30′ in a stepwise manner, with verification of each sub-signal 30′ being required before a next sub-signal in the sequence is transmitted. This can improve clarity of the signal for the user, and provide for easier verification of the configuration data in use while also reducing user error because there is less reliance on a user’s memory.

    [0073] An example of a network 300 of a first 302 and a second 304 tire pressure monitoring devices is shown schematically in FIG. 7. The first 302 and second 304 tire pressure monitoring devices have generally the same structure as the tire pressure monitoring device 10 of FIG. 1, but with differences that will now be described.

    [0074] Each of the first 302 and second 304 tire pressure monitoring devices has a processor 306, and a memory 308. The processor 306 may be any conventional processor, and the memory 308 stores respective configuration data 310,312. The first tire pressure monitoring device 302 has a receiver 314 for communicating with an untrusted device 316, a transceiver 318 for communicating with the second tire pressure monitoring device 304, and a visual indicator in the form of an LED 320. The LED 320 in this example is an LED which is capable of displaying both red, blue, and green coloured light as discussed above with reference to FIG. 1, other examples may use other types of visual indicator and other colours of light. The second tire pressure monitoring device 304 has a transceiver 322 for communicating with the transceiver 318 of the first tire pressure monitoring device 302. Two devices are shown here for clarity, but it will be appreciated that there will typically be more than two devices, with each tire having an associated tire pressure monitoring device.

    [0075] A method 400 of operating the network 300 is shown schematically in FIG. 8. The method 400 comprises receiving, at block 402, at the receiver 314 of the first tire pressure monitoring device 302, a request to confirm the configuration data 312 stored in the memory 308 of the second tire pressure monitoring device 304. The first tire pressure monitoring device 302 uses its transceiver 318 to transmit, at block 404, the request to the transceiver 322 of the second tire pressure monitoring device 304. In response to receipt of the request, the processor 306 of the second tire pressure monitoring device 304 encodes the configuration data 312 stored in the memory 308 of the second tire pressure monitoring device 304, and the processor 306 uses the transceiver 322 of the second tire pressure monitoring device 304 to transmit, at block 406, a signal representative of the configuration data 312 to the transceiver 318 of the first tire pressure monitoring device 302. The LED 320 of the first tire pressure monitoring device 302 then transmits 408 a signal 324 representative of the configuration data 312 stored in the memory 308 of the second tire pressure monitoring device 304 in manner such that the signal 324 can be received and understood by a user 24.

    [0076] Thus the configuration data 312 stored in the memory 308 of the second tire pressure monitoring device 304 can be requested at and subsequently displayed by the first tire pressure monitoring device 302. This can provide for easier and simpler operation in use, as a user can request configuration data from multiple tire pressure monitoring devices at a single tire pressure monitoring device. This can also reduce the time taken to obtain configuration data, as a user does not need to move from device to device in order to request and obtain configuration data. This can also enable an arrangement where the second tire pressure monitoring device 304 is hidden from view, for example beneath a hubcap or other components, and/or where the second tire pressure monitoring device 304 is located internally within a wheel/tire.

    [0077] In some examples, the signal communicated to the user may include additional elements to indicate which tire pressure monitoring device the configuration data applies to, for example by encoding a wheel position before or after the reference pressure. For example, where the second tire pressure monitoring device 304 is at a wheel allocated number “3”, the LED 320 of the first tire pressure monitoring device 302 may flash three times to indicate that it is the configuration data of the tire pressure monitoring device of wheel “3” that is transmitted as the signal 324.

    [0078] FIG. 9A depicts an example of a signal 324 including a location indication 350 of a tire pressure monitoring device. The location indication is an example of additional information as described above. An associated indication message and confirmation message to be displayed on the untrusted device 316 are depicted in FIGS. 9B and 9C, respectively. The indication message of FIG. 9B is displayed as a message which indicates the number of red flashes corresponding to the tire pressure monitoring device location being checked, followed by a green flash to indicate end of transmission expected be observed by the user on the LED 320. In the example of FIG. 9B, the wheel location is “3” and the message indicates that three red flashes for the location indication 350 are expected. In response to user interaction with a user interface element 352 on the untrusted device 316, the location indication 350 is communicated or transmitted by causing the LED to provide three red flashes followed by a green flash.

    [0079] Subsequent to communicating the location indication 350, the confirmation message of FIG. 9C is displayed by the untrusted device 316 which asks the user 24 to confirm that they have correctly received the location indication 350. Confirmation is provided via interaction with a user interface element 354 on the untrusted device 316. Once confirmation has taken place, an initial message similar to that of FIG. 5A may be displayed on the untrusted device 316, and the remainder of the signal 324 may take a form similar to that of the signal 22′ of FIG. 4, with the user continuing to work through the method of FIG. 6 to confirm the configuration data.

    [0080] In some examples, a unique identifier may be used to identify one or both of the first 302 and second 304 tire pressure monitoring devices and used to indicate which device(s) should communicate stored configuration information. The unique identifier can be determined by an untrusted device or entered manually into the untrusted device. For example, the unique identifier can be determined by the untrusted device by: Near Field Communication (NFC) or Radio Frequency Identification (RFID) interrogation of the tire pressure monitoring device; by reading a printed indication of the serial number, such as a barcode (one- or two-dimensional) using a camera, reading characters of a serial number using Optical Character Recognition (OCR) using a camera or the like. Manual entry may involve entering the unique identifier as printed on a device or instead providing an aircraft tail identifier and an associated wheel position for which it is desired to confirm the configuration data.

    [0081] In examples previously described, only two colours of light, red and green, have been utilised in the signals 22,22′,324,350. It will be appreciated that signals where three or more colours of light are utilised are also envisaged, for example where red, blue, and green are utilised.

    [0082] Illustrative signals 600,602,604,606,608,610 that utilise red, blue, and green to indicate device location are shown in FIG. 11. Here, for each device location, a green flash indicates start of the signal 600,602,604,606,608,610, a red flash indicates end of the signal 600,602,604,606,608,610, and blue flashes intermediate the green and red flashes indicate device location. In the example of FIG. 11, six tire pressure monitoring devices 10 are installed on an aircraft, with one at each of the left nose wheel, the right nose wheel, a first landing gear wheel, a second landing gear wheel, a third landing gear wheel, and a fourth landing gear wheel, and a different number of blue flashes is used to distinctly identify each of those locations.

    [0083] In the example of FIG. 5A, the user interface of the untrusted device 32 displays to the user 24 the expected flash sequence. In alternative examples, an aircraft maintenance manual (AMM) task card may provide to the user 24 a list of tire pressure monitoring device locations, e.g., nose left, nose right, and so on, along with an associated expected flash sequence for the LED 18 which would correctly indicate the associated tire pressure monitoring device location. Such an AMM task card may provide numerical values for expected flashes and/or may provide pictorial representations of the expected flashes such as seen in FIG. 11. It will be appreciated that the AMM task card may be provided separately to the user 24 as a physical task card, or, for example, as a display on a separate electronic device to the untrusted device 32.

    [0084] When checking the location stored in configuration data 20 of a tire pressure monitoring device 10, the user 24 submits a request for the tire pressure monitoring device 10 to display the stored location, using a user interface of the untrusted device 32. The stored location is then displayed by the LED 18. The untrusted device 32 does not tell the tire pressure monitoring device 10 which sequence to flash, but rather provides an instruction for the tire pressure monitoring device 10 to flash its sequence indicative of the stored location. An exemplary user interface 612 for starting the check is shown in FIG. 12A, with the user 24 interacting with user interface element 614 to start the check. An exemplary user interface 616 for a user 24 to verify the signal 600,602,604,606,608,610 is shown in FIG. 12B, with the user 24 interacting with user interface elements 618,620 to provide an input indicative of whether the signal 600,602,604,606,608,610 is verified or not. If the signal 600,602,604,606,608,610, here indicative of stored location of the tire pressure monitoring device 10, is not verified, then the configuration data 20 needs to be reloaded.

    [0085] As the user 24 can be taken to be a trusted source, and the tire pressure monitoring device 10 is itself a trusted source, the untrusted device 32 can be used to input the user’s verification of the configuration data 20. The verification can be trusted because it occurs between the user 24 (who is trusted) and tire pressure monitoring device 10 (which is trusted because of its certification to a particular DAL).

    [0086] Similar to the signals 600,602,604,606,608,610 of FIG. 11 that indicate device location, signals 700,702,704 that use three colours of light, i.e., red, blue, and green, to indicate reference pressure are shown in FIG. 13. As illustrated in FIG. 13, the reference pressure to be communicated is 178 PSI, and each signal 700,702,704 is used to communicate one digit of the reference pressure. The first signal 700 comprises one green flash, followed by one blue flash, followed by one red flash, to communicate that the “hundreds” digit is “1”. The second signal 702 comprises one green flash, followed by seven blue flashes, followed by one red flash, to communicate that the “tens” digit is “7”. The third signal 704 comprises one green flash, followed by eight blue flashes, followed by one red flash, to communicate that the “units” digit is “8”.

    [0087] An AMM task card can also be used when checking the reference pressure stored in the tire pressure monitoring device 10. For example, the AMM task card may provide an expected flash sequence for each signal 700,702,704 so that a user can verify the flash sequence seen relative to the AMM task card. In some examples, the user 24 may be required to complete a portion of the AMM task card to complete the expected flash sequence for the reference pressure based on the location of the tire pressure monitoring device 10 that is being checked.

    [0088] When checking the stored reference pressure of the tire pressure monitoring device 10 using the AMM task card, the user 24 submits a request for the tire pressure monitoring device 10 to display the stored reference pressure, via the LED 18, using a user interface of the untrusted device 32. The untrusted device 32 does not tell the tire pressure monitoring device 10 which sequence to flash, but rather provides an instruction for the tire pressure monitoring device 10 to flash its sequence indicative of the stored reference pressure. An exemplary user interface 706 for starting the check for the “hundreds” digit is shown in FIG. 14A, with the user 24 interacting with user interface element 708 to start the check for the “hundreds” digit. An exemplary user interface 710 for a user 24 to verify the signal 700 for the “hundreds” digit is shown in FIG. 14B, with the user 24 interacting with user interface elements 711, 712 to indicate whether the signal 700 is verified, i.e., that seen on the AMM task card, or not.

    [0089] Similarly, an exemplary user interface 714 for starting the check for the “tens” digit is shown in FIG. 14C, with the user 24 interacting with user interface element 716 to start the check for the “tens” digit. An exemplary user interface 718 for a user 24 to verify the signal 702 for the “tens” digit is shown in FIG. 14D, with the user 24 interacting with user interface elements 720, 722 to indicate whether the signal 702 is verified or not. An exemplary user interface 724 for starting the check for the “units” digit is shown in FIG. 14E, with the user 24 interacting with user interface element 726 to start the check for the “units” digit. An exemplary user interface 728 for a user to verify the signal 704 for the “units” digit is shown in FIG. 14F, with the user 24 interacting with user interface elements 730,732 to indicate whether the signal 704 is verified or not.

    [0090] A further parameter which may be communicated to the user 24 by appropriate flashing of an LED of a tire pressure monitoring device is the security code. As previously discussed, in some examples the security code is a numerical value, which may be generated using a hash function based on the remaining parameters of the configuration data 20, such as reference tire pressure, aircraft identifier and wheel location, along with any security keys of the tire pressure monitoring device 10. Such a numerical value may be communicated to the user 24.

    [0091] Communication of a security code may be of particular utility in a network of tire pressure monitoring devices, with such a network 800 illustrated schematically in FIG. 15. Here the network 800 comprises first 802 and second 804 tire pressure monitoring devices, each having substantially the same structure as the tire pressure monitoring device 10 of FIG. 1. Like reference numerals are used for the sake of clarity. The network 800 has been set-up such that the first 802 and second 804 tire pressure monitoring devices can communicate with one another securely. To do so, each of the first 802 and second 804 tire pressure monitoring devices exchange cryptographic parameters, such as cryptographic keys, such that secure communication between the first 802 and second 804 tire pressure monitoring devices is established.

    [0092] The processors 12 of the first 802 and second 804 tire pressure monitoring devices each generate a respective security code based on data that is common to the first 802 and second 804 tire pressure monitoring devices. In some examples, such common data may comprise cryptographic keys shared by the first 802 and second tire pressure monitoring devices. Security codes may be generated by taking a hash, or truncated hash, of the common data, to provide a numerical value that can be communicated to the user 24. As the security codes are generated based on common data, the security codes generated by the first 802 and second 804 tire pressure monitoring devices should be the same.

    [0093] The security codes can then be communicated to the user 24 by flashing of the respective LEDs 18 in a similar manner to that previously described. By verifying that the security codes communicated by the first 802 and second 804 tire pressure monitoring devices are the same, the user 24 can verify that correct establishment of secure communication between the first 802 and second 804 tire pressure monitoring devices has occurred because the devices all share the same data on which the security code is based. It will be appreciated that the security codes themselves can be thought of as forming part of the overall configuration data 20 of the first 802 and second 804 tire pressure monitoring devices.

    [0094] The tire pressure monitoring devices described herein may be useful for confirming safety critical configuration data with a high degree of reliability assurance. It is particularly suited for use in aircraft. An aircraft 500 comprising a respective tire pressure monitoring device 10 of FIG. 1 for each tire 502 is shown schematically in FIG. 10. The tire pressure monitoring devices can form a network as discussed above with reference to FIGS. 7 and 15 or operate independently.

    [0095] It is to be noted that the term “or” as used herein is to be interpreted to mean “and/or”, unless expressly stated otherwise.

    [0096] The above embodiments are to be understood as illustrative examples of the invention. It is to be understood that any feature described in relation to any one embodiment may be used alone, or in combination with other features described, and may also be used in combination with one or more features of any other of the embodiments, or any combination of any other of the embodiments. Furthermore, equivalents and modifications not described above may also be employed without departing from the scope of the invention, which is defined in the accompanying claims.