Risk Simulation and Security Boundary Assessment of Avionics Systems Using Digital Twin Techniques

Modern avionics increasingly depend on frequent software updates, making it necessary to understand how fleet-wide OTA rollouts affect operational risk. This study builds a digital-twin model that links onboard software states, air–ground communication, and maintenance timing, and uses three years of operational data containing 7.2×108 logs to test 32 OTA strategies. The simulations show that single-shot updates create the highest exposure, while batch updates with fixed thresholds reduce exposure but remain sensitive to short link disturbances. A combined strategy that uses batch updates, dynamic thresholds, and delayed rollback produces the best performance, lowering potential exposure by 48.3% without affecting mission completion. Module-level analysis based on importance sampling identifies the communication link and the update agent as the main contributors to the remaining risk and supports the construction of safety limit curves. These results demonstrate that software-centered digital twins can give practical guidance for OTA planning and fleet management. The study also notes limits related to human actions, fleet diversity and simplified security events, which should be addressed in future work.