Abstract: The invention relates to a remotely-operated system comprising: at least one ground interface (3), from which an operator can control a remotely-operated vehicle; at least one mission unit (7, 8) in said vehicle; and a data link between said interface (3) and said mission unit (7, 8). The system is characterized in that it comprises, on the ground and in the vehicle, safety monitoring systems (6, 10) suitable for signing and/or authenticating critical data and/or commands exchanged between the ground and the vehicle, and also suitable for verifying the integrity of said data. It is thus possible to use, on the ground as well as on board the vehicle, interfaces and units with a low level of criticality alongside interfaces and units with the highest level of criticality.
GENERAL TECHNICAL FIELD AND PRIOR ART
The present invention relates to remotely-operated systems such as
airborne or ground-based drones.
Remotely-operated systems are equipped with data links which are
either internal data links that the remote operator fully controls, or data
links which are external to the remote operator (SATCOM, for
example).
In the case of an external data link, the integrity of the link is not
under the remote operator's control.
To date, only the use of an internal data link gives the remote
operator the possibility of guaranteeing the integrity of the information
transmitted to the remotely-operated vehicle and of certifying the whole
system.
This certification nevertheless requires the deployment of significant
means and may prove to be of prohibitive cost.
In particular, remotely-operated systems are called upon to carry out
their missions in an increasingly automated way, relying on potentially
highly evolving, multi-sensor navigation algorithms which are not
necessarily deterministic (or whose convergence cannot be
demonstrated).
As for the ground operator interfaces, they are complex and
potentially heterogeneous (in the majority of cases, these
interfaces and their supporting platforms cannot be certified).
A general purpose of the invention is to solve these problems and to
propose an architecture allowing certification of the monitoring and control
chain at low cost.
In particular, the remote operator, who has actual control of the
operated vehicle, has to check the safety parameters of the flight and
in particular has to:
- keep control of the trajectory of the vehicle (not leaving its
assigned area),
- keep control of the fallout area in the case of an engine
failure or of a “crash” (of course any uncontrolled “crash” should
be avoided so as not to risk accidents in forbidden
areas such as highly populated areas, and, in the case of
difficulties, optimization of a landing on more favorable areas
should be allowed),
- permanently monitor the condition of the different sub-assemblies
involved in the safety of the flight (energy,
motorization, control links, navigation, …).
GENERAL PRESENTATION OF THE INVENTION
For this purpose, the invention proposes a remotely-operated
system including:
- at least one interface on the ground from which an operator may
control a remotely-operated vehicle,
- at least one mission assembly in said vehicle,
- a data link between said interface and said mission assembly,
characterized in that it includes, on the ground and in the vehicle, safety
checking systems adapted for signing and/or authenticating critical
data and/or commands exchanged between the ground and the
vehicle, and/or for checking the integrity of these data, and in that one
of the safety checking systems in the vehicle is adapted for checking
whether the remotely-operated vehicle is maintained within a safety
coverage predefined by the ground and for triggering a predetermined
action when this is not the case.
The authentication and signing of the data give the remote
operator means of guaranteeing the commands received
on board and the information used for making a
decision (aircraft position, condition of the critical sub-assemblies).
Checking the integrity makes it possible to guarantee that the
orders emitted by the remote operator, like the pieces of information
which he or she receives, have not been modified by the transmission chain.
Thus, it is possible to use, both on the ground and on board the
vehicle, interfaces and mission assemblies with a low criticality level at
the same time as interfaces and mission assemblies with a higher
criticality level.
In a possible alternative of the invention, an independent safety
data link chain is provided in order to allow triggering of a predetermined
safety action from the ground.
In still another alternative, the safety checking system of the vehicle
is adapted for receiving a series of simple orders from air traffic
control.
PRESENTATION OF THE FIGURES
Other features and advantages of the invention will further emerge
from the description which follows, which is purely illustrative and
non-limiting, and should be read with reference to the appended figures
wherein:
- Fig. 1 illustrates a block diagram of a possible application of the
invention;
- Figs. 2 and 3 illustrate two other possible embodiments of the
invention.
DESCRIPTION OF ONE OR SEVERAL EMBODIMENTS
The architecture illustrated in Fig. 1 includes a ground part 1 and a
part 2 on the remotely-operated vehicle.
On the ground, the architecture comprises at least one interface 3
from which an operator may control the remotely-operated vehicle, a
concentrator 4 which provides the data link with the
vehicle, as well as an interface 5 which is of a higher criticality level (DAL,
or “Development Assurance Level”) than the interface 3 and the
concentrator 4.
A safety checking system 6 is provided on the ground. This system is
also of a high criticality level and has the following functions:
- it signs the critical commands emitted by either one of the
interfaces 3 and 5 and intended for on board the vehicle (by applying a
cryptographic signing function);
- it checks the integrity of the state data regularly received from
on board (position, status of the equipment, etc.). The
integrity check is performed both spatially and
temporally. The condition received from on board is then
classified by the system into one of three states: functional,
degraded, non-functional;
- it checks the consistency between the command emitted towards
on board and the command return which is transmitted from
on board by the critical assembly of the vehicle;
- it regularly transmits authentication requests to on board
(application of a challenge function);
- it copies the instructions emitted by the mission interface 5
intended for on board, in order to control the latter (short safety
loop).
A similar architecture is also provided on board the vehicle. For this
purpose the latter integrates one or several mission assemblies 7 of a
low criticality level, one or several mission assemblies 8 of a high
criticality level, a concentrator 9 which provides the link
with the ground, and a safety checking system 10.
This safety checking system 10 is also of a high criticality level
and applies the following controls:
- it forwards to the critical assembly 8 the command from
the ground after decoding;
- it checks the integrity of this command before forwarding it
to the critical assembly 8;
- it regularly emits authentication requests (challenges) intended
for the interfaces 3 and 5 on the ground;
- it checks the time validity of the commands from the ground
(ageing);
- it emits to the ground acknowledgments of instructions from the
remotely-operated critical assembly 8;
- it signs the controls and statuses issued by the remotely-operated
critical assembly 8.
It will be noted here that the components and the algorithms signing
the commands from the ground and signing the controls from on board
are identical.
Highly secured keys and robust mathematical algorithms are used
to ensure that the probability of receiving erroneous orders/states
without being able to detect them is very low (below a level equivalent
to that of the function which it serves).
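The signing, ageing, acknowledgment and challenge functions described above for systems 6 and 10 are presented in the patent as functions rather than as a concrete message protocol. The following Python model is an added example that is not part of the patent and reflects no implementation of the applicant. It assumes a shared symmetric key with HMAC-SHA256 playing the role of the "signature" (one reading of the statement that both sides use identical signing components; a public-key signature would fit the text equally well), a JSON canonical encoding so both sides sign identical bytes, a millisecond timestamp with a 500 ms window for the ageing check, and a strictly increasing sequence number against replay. The command, key and timestamps are constructed for the example.

```python
"""Added example (not part of the patent): a toy model of the exchange between the
ground safety checking system 6 and the on-board safety checking system 10.
Assumed, not from the patent: shared key, HMAC-SHA256 as the signature, JSON
canonical encoding, millisecond timestamps, a 500 ms ageing window and a
strictly increasing sequence number."""
import hashlib
import hmac
import json
import os

MAX_AGE_MS = 500             # assumed ageing window for a ground command
SHARED_KEY = b"\x01" * 32    # constructed key; a real system provisions it securely


def _canonical(msg: dict) -> bytes:
    """Deterministic encoding so both sides sign exactly the same bytes."""
    return json.dumps(msg, sort_keys=True, separators=(",", ":")).encode()


def sign(msg: dict, key: bytes = SHARED_KEY) -> dict:
    """Attach a tag; the same routine serves ground commands and on-board statuses."""
    signed = dict(msg)
    signed["tag"] = hmac.new(key, _canonical(msg), hashlib.sha256).hexdigest()
    return signed


def authentic(signed: dict, key: bytes = SHARED_KEY) -> bool:
    """Recompute the tag over every field except the tag itself; constant-time compare."""
    body = {k: v for k, v in signed.items() if k != "tag"}
    expected = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, str(signed.get("tag", "")))


class OnBoardSafetySystem:
    """Model of system 10: authenticates, age-checks and acknowledges ground commands."""

    def __init__(self, key: bytes = SHARED_KEY):
        self.key = key
        self.last_seq = -1

    def accept_command(self, signed: dict, now_ms: int):
        """Return (accepted, reason, signed command-return or None). The tag is checked
        first, so the timestamp and sequence number are only read from authentic data."""
        if not authentic(signed, self.key):
            return False, "bad-tag", None          # integrity/authenticity failure
        if abs(now_ms - signed["ts_ms"]) > MAX_AGE_MS:
            return False, "stale", None            # ageing check
        if signed["seq"] <= self.last_seq:
            return False, "replay", None           # sequence must strictly increase
        self.last_seq = signed["seq"]
        # Command-return: what was actually forwarded to critical assembly 8.
        ack = sign({"ack_seq": signed["seq"], "cmd": signed["cmd"], "ts_ms": now_ms}, self.key)
        return True, "ok", ack

    def answer_challenge(self, nonce_hex: str) -> dict:
        """Prove possession of the key over a ground-chosen nonce."""
        return sign({"challenge": nonce_hex}, self.key)


class GroundSafetySystem:
    """Model of system 6: signs commands, checks command returns, issues challenges."""

    def __init__(self, key: bytes = SHARED_KEY):
        self.key = key
        self.seq = 0
        self.pending = {}      # seq -> command awaiting its command-return

    def issue_command(self, cmd: dict, now_ms: int) -> dict:
        self.seq += 1
        self.pending[self.seq] = cmd
        return sign({"seq": self.seq, "ts_ms": now_ms, "cmd": cmd}, self.key)

    def check_return(self, ack) -> bool:
        """Consistency check: the acknowledged command must equal the one sent."""
        if ack is None or not authentic(ack, self.key):
            return False
        sent = self.pending.pop(ack.get("ack_seq"), None)
        return sent is not None and sent == ack.get("cmd")

    def challenge(self) -> str:
        return os.urandom(16).hex()

    def check_challenge(self, nonce_hex: str, response: dict) -> bool:
        return authentic(response, self.key) and response.get("challenge") == nonce_hex


def demo() -> dict:
    """Constructed exchange: a fresh command, a tampered copy, a replay, a stale command
    and a challenge round trip."""
    ground, onboard = GroundSafetySystem(), OnBoardSafetySystem()
    t = 1_000_000
    cmd = ground.issue_command({"op": "set_heading", "deg": 270}, now_ms=t)
    _, first, ack = onboard.accept_command(cmd, now_ms=t + 100)
    consistent = ground.check_return(ack)
    tampered = dict(cmd, cmd={"op": "set_heading", "deg": 90})     # payload altered in transit
    _, tampered_why, _ = onboard.accept_command(tampered, now_ms=t + 100)
    _, replay_why, _ = onboard.accept_command(cmd, now_ms=t + 200)  # genuine message replayed
    stale = ground.issue_command({"op": "hold"}, now_ms=t)
    _, stale_why, _ = onboard.accept_command(stale, now_ms=t + 5_000)
    nonce = ground.challenge()
    chal = ground.check_challenge(nonce, onboard.answer_challenge(nonce))
    return {"first": first, "consistent": consistent, "tampered": tampered_why,
            "replay": replay_why, "stale": stale_why, "challenge": chal}
```

Two points the model makes visible: on board, the tag is verified before the timestamp or sequence number is trusted, since those fields mean nothing until the message is known to be authentic; and because the command-return is signed by system 10 over what was actually forwarded to assembly 8, the ground consistency check of system 6 detects a command that was altered between the concentrators even when the alteration happened after the on-board check.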
The housings of the different processing units used have an accurate
internal clock reset to a common time base. The clock of these housings is
selected to be robust to loss of reference.
Moreover, the safety system 10 of the vehicle is capable of checking
whether the vehicle is maintained within a safety coverage (three-dimensional
area, critical status, …) predefined by the ground.
The remotely-operated vehicle comprises a navigation system,
including a satellite positioning receiver (for example of the GPS type),
and an inertial measurement unit.
The remotely-operated vehicle also comprises a processing module
configured for determining, from position signals generated by the
navigation system and by the inertial measurement unit, instantaneous position
data of the vehicle. The position data of the vehicle include data
representative of the instantaneous space coordinates of the vehicle
(latitude, longitude and altitude), as well as possibly a protective radius.
The protective radius defines a volume around the position defined by the
instantaneous coordinates, in which the vehicle is found, taking into
account uncertainties related to the measurement.
The position data of the vehicle are transmitted by the processing
module to the safety checking system 10.
The safety checking system 10 compares the position data which it
receives from the processing module with data representative of the
defined safety coverage and transmitted by the ground.
When the position data from on board or the states of the
critical sub-assembly 8 do not comply with this safety coverage, the
system 10 triggers a predetermined action (isolation of the outer
commands and/or application of safety rules, for example).
The data representative of the safety coverage may comprise
ranges of latitude, longitude and altitude within which the remotely-operated
vehicle has to be positioned.
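The coverage check of system 10 is described in terms of ranges of latitude, longitude and altitude, a position with a protective radius, and a predetermined action on non-compliance. The following Python example is added here and is not part of the patent; everything beyond those elements is an assumption: a local flat-earth conversion from degrees to metres, the rule that the whole uncertainty volume (position plus protective radius) must lie inside the ranges, an intermediate warning band, and a ground-side plausibility rule that maps the spatial and temporal integrity check of system 6 onto the three states functional, degraded and non-functional. The coverage box, positions, thresholds and maximum speed are constructed values.

```python
"""Added example (not part of the patent): the safety coverage check of system 10 and a
ground-side spatial/temporal plausibility check for system 6. Thresholds, the
flat-earth approximation and the state mapping are assumptions, not from the patent."""
import math
from dataclasses import dataclass

EARTH_RADIUS_M = 6_371_000.0  # mean Earth radius; adequate for a local-scale check


@dataclass(frozen=True)
class SafetyCoverage:
    """Ranges of latitude, longitude (degrees) and altitude (metres) set by the ground."""
    lat_min: float
    lat_max: float
    lon_min: float
    lon_max: float
    alt_min_m: float
    alt_max_m: float


@dataclass(frozen=True)
class Position:
    """Instantaneous coordinates plus the protective radius bounding measurement error."""
    lat: float
    lon: float
    alt_m: float
    protective_radius_m: float = 0.0


def _deg_per_metre(lat_deg: float):
    """Degrees of latitude and of longitude per metre at this latitude (small-area model)."""
    lat_per_m = 180.0 / (math.pi * EARTH_RADIUS_M)
    lon_per_m = lat_per_m / max(math.cos(math.radians(lat_deg)), 1e-9)
    return lat_per_m, lon_per_m


def margin_m(pos: Position, cov: SafetyCoverage) -> float:
    """Distance in metres from the position to the nearest coverage boundary, minus the
    protective radius. Negative means the uncertainty volume is not wholly inside."""
    lat_per_m, lon_per_m = _deg_per_metre(pos.lat)
    distances = [
        (pos.lat - cov.lat_min) / lat_per_m, (cov.lat_max - pos.lat) / lat_per_m,
        (pos.lon - cov.lon_min) / lon_per_m, (cov.lon_max - pos.lon) / lon_per_m,
        pos.alt_m - cov.alt_min_m, cov.alt_max_m - pos.alt_m,
    ]
    return min(distances) - pos.protective_radius_m


def check_coverage(pos: Position, cov: SafetyCoverage, warn_m: float = 50.0) -> str:
    """Predetermined action of system 10: 'isolate' (isolate outer commands / apply safety
    rules) when the uncertainty volume crosses the boundary, 'warn' within warn_m of it
    (assumed intermediate band), otherwise 'nominal'."""
    m = margin_m(pos, cov)
    if m < 0:
        return "isolate"
    if m < warn_m:
        return "warn"
    return "nominal"


def displacement_m(a: Position, b: Position) -> float:
    """Straight-line distance between two reported positions (local flat-earth model)."""
    lat_per_m, lon_per_m = _deg_per_metre((a.lat + b.lat) / 2.0)
    dn = (b.lat - a.lat) / lat_per_m
    de = (b.lon - a.lon) / lon_per_m
    du = b.alt_m - a.alt_m
    return math.sqrt(dn * dn + de * de + du * du)


def classify_state(prev: Position, cur: Position, dt_s: float, v_max_mps: float,
                   degraded_radius_m: float = 30.0) -> str:
    """Ground-side classification of a received state (assumed rule set): 'non-functional'
    if the vehicle could not have moved that far in dt_s even allowing for both protective
    radii (spatially/temporally implausible), 'degraded' if the protective radius is too
    large to be useful, otherwise 'functional'."""
    allowed = v_max_mps * dt_s + prev.protective_radius_m + cur.protective_radius_m
    if dt_s <= 0 or displacement_m(prev, cur) > allowed:
        return "non-functional"
    if cur.protective_radius_m > degraded_radius_m:
        return "degraded"
    return "functional"


def demo() -> dict:
    """Constructed coverage box and positions (not from the patent)."""
    cov = SafetyCoverage(48.80, 48.90, 2.20, 2.40, 0.0, 500.0)
    inside = Position(48.85, 2.30, 120.0, protective_radius_m=10.0)
    near_edge = Position(48.8002, 2.30, 120.0, protective_radius_m=10.0)  # ~22 m from south edge
    outside = Position(48.79, 2.30, 120.0, protective_radius_m=10.0)
    return {
        "inside": check_coverage(inside, cov),
        "near_edge": check_coverage(near_edge, cov),
        "outside": check_coverage(outside, cov),
        "plausible": classify_state(inside, Position(48.8503, 2.30, 120.0, 10.0), 1.0, 40.0),
        "wide_radius": classify_state(inside, Position(48.8503, 2.30, 120.0, 45.0), 1.0, 40.0),
        "jump": classify_state(inside, Position(48.90, 2.30, 120.0, 10.0), 1.0, 40.0),
    }
```

The margin is computed after subtracting the protective radius, so a vehicle whose reported coordinates are inside the box but whose uncertainty sphere touches a boundary already triggers the predetermined action; this is what makes the radius safety-relevant rather than informational. The plausibility rule uses the same radius on the ground side: a reported jump larger than speed times elapsed time plus both radii cannot be an honest measurement and is classified non-functional, whereas a large radius alone only degrades the state.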
According to a first possibility, the protective radius is calculated by
the processing module located on board the vehicle.
In this case, the protective radius is transmitted by the processing
module to the safety checking system 10 on board the vehicle along with the
position data.
The position data, including the protective radius, are transmitted by
the safety checking system 10 located on board to the safety checking
system 6 located on the ground.
In return, the safety checking system 6 located on the ground
transmits to the safety checking system 10 located on board the data
representative of the safety coverage, in order to allow the safety
checking system 10 located on board to check whether the
remotely-controlled vehicle is maintained within the safety coverage.
The safety coverage may be determined on the ground from position
data transmitted by the safety checking system 10 located on board. The
position data of the vehicle and the data representative of the safety
coverage exchanged between the ground and the vehicle are signed by
the emitting checking system and authenticated by the receiving checking
system.
According to a second possibility, the protective radius is calculated
by a processing module located on the ground.
This second possibility may in particular be useful if the calculation
of the protective radius has to take into account the fact that one or two
GNSS satellites may have failed. This calculation requires the use of a
complex processing system, including a large filter bank, which may
advantageously be moved to the ground, where the available means do
not have the same limitations as those on board the vehicle and which
may allow the processing of several vehicles at a time.
In this case, the space coordinates of the vehicle are transmitted by
the safety checking system 10 located on board to the safety checking
system 6 located on the ground.
The processing module located on the ground calculates the
protective radius depending on the instantaneous space coordinates of the
vehicle (latitude, longitude and altitude, GNSS distance data to the
different visible satellites), as well as the data representative of the
protective coverage.
The safety checking system 6 located on the ground transmits to the
safety checking system 10 located on board the data representative of
the protective radius and of the safety coverage, in order to allow the
safety checking system 10 located on board to check whether the
remotely-controlled vehicle is maintained within the safety coverage.
The position data of the vehicle and the data representative of the
protective radius and of the safety coverage exchanged between the
ground and the vehicle are signed by the emitting checking system and
authenticated by the receiving checking system.
In still another alternative (Fig. 2, dedicated emergency chain of the
system), the system 10 is capable of receiving a simple order (of discrete
type) from an independent safety data link chain 11. In this case, the
system triggers a predetermined action (e.g. isolation of the outer
commands and/or application of safety rules).
Also, in a third alternative (Fig. 3, control taken over by air traffic
control), in the case of a loss of control (either involuntary or voluntary)
of the control station, the safety system of the vehicle is capable of
receiving a series of simple orders from air traffic control (station ATC
13) via a “VHF” link (station 12).
The authenticity of these commands is checked by a signature
mechanism on the basis of keys exchanged between the ATC and the
remote operator beforehand.
I/We Claim:
1. A remotely-operated system including:
- at least one first interface on the ground (3) from which an operator may
control a remotely-operated vehicle,
- one second interface on the ground (5) having a higher criticality level
than the first interface on the ground (3),
- at least one mission assembly (7, 8) in said vehicle,
- a data link between said interface (3, 5) and said mission assembly (7,
8),
the system including on the ground and in the vehicle safety checking
systems (6, 10) adapted for signing and/or authenticating critical data
and/or commands exchanged between the ground and the vehicle, and/or
for checking the integrity of these data, the safety checking system (6) on
the ground being adapted for checking the consistency between the
emitted command data intended for on board the vehicle and a command
return which is transmitted from on board the vehicle by a remotely-operated
critical assembly (8), and one of the safety checking systems
(10) in the vehicle is adapted for checking whether the remotely-operated
vehicle is maintained in a safety coverage predefined by the ground and
for triggering a predetermined action when this is not the case.
2. The system according to claim 1, characterized in that the safety
checking system (6) on the ground is adapted for signing the critical
commands emitted by either one of the interfaces (3, 5) intended for on
board the vehicle and for checking the integrity of the state data received
from on board.
3. The system according to one of the preceding claims, characterized in
that the safety checking system (6) on the ground is adapted for copying
and controlling emitted command data intended for on board by a mission
operator interface of high criticality (5).
ARTICLE 34 AMENDED CLAIMS
4. The system according to one of the preceding claims, characterized in
that the safety checking system (10) on board the vehicle is adapted for
authenticating the command data intended for a remotely-operated
assembly of high criticality (8) on board the vehicle and for checking their
integrity.
5. The system according to one of the preceding claims, characterized in
that the safety checking system (10) on board the vehicle is adapted for
checking the temporal validity of the commands from the ground.
6. The system according to one of the preceding claims, characterized in
that the safety checking system (10) on board the vehicle is adapted for
emitting to the ground acknowledgments of instructions from a critical
assembly (8) on board the remotely-operated vehicle.
7. The system according to one of the preceding claims, characterized in
that the safety checking system (10) on board the vehicle is adapted for
signing the controls and statuses issued from a critical assembly (8) on
board the remotely-operated vehicle.
8. The system according to one of the preceding claims, characterized in
that a safety checking system (6) on the ground (respectively on board
the vehicle) is adapted for regularly transmitting to on board (respectively
to the ground) authentication requests.
9. The system according to one of the preceding claims, characterized in
that it further includes an independent safety data link chain (11) in order
to allow triggering of a predetermined safety action from the ground.
10. The system according to one of the preceding claims, characterized in
that the safety checking system of the vehicle (10) is adapted for
receiving a series of simple orders from the air traffic control (13).
| # | Name | Date |
|---|---|---|
| 1 | Power of Attorney [31-01-2017(online)].pdf | 2017-01-31 |
| 2 | Form 5 [31-01-2017(online)].pdf | 2017-01-31 |
| 3 | Form 3 [31-01-2017(online)].pdf | 2017-01-31 |
| 4 | Drawing [31-01-2017(online)].pdf | 2017-01-31 |
| 5 | Description(Complete) [31-01-2017(online)].pdf_360.pdf | 2017-01-31 |
| 6 | Description(Complete) [31-01-2017(online)].pdf | 2017-01-31 |
| 7 | 201717003634.pdf | 2017-02-02 |
| 8 | abstract.jpg | 2017-02-07 |
| 9 | Other Patent Document [29-03-2017(online)].pdf | 2017-03-29 |
| 10 | Form 3 [29-03-2017(online)].pdf | 2017-03-29 |
| 11 | 201717003634-OTHERS-030417.pdf | 2017-04-05 |
| 12 | 201717003634-Correspondence-030417.pdf | 2017-04-05 |
| 13 | Other Patent Document [05-05-2017(online)].pdf | 2017-05-05 |
| 14 | 201717003634-OTHERS-120517.pdf | 2017-05-15 |
| 15 | 201717003634-Correspondence-120517.pdf | 2017-05-15 |
| 16 | 201717003634-Proof of Right (MANDATORY) [14-07-2017(online)].pdf | 2017-07-14 |
| 17 | 201717003634-OTHERS-200717.pdf | 2017-07-31 |
| 18 | 201717003634-Correspondence-200717.pdf | 2017-07-31 |
| 19 | 201717003634-FORM 18 [26-06-2018(online)].pdf | 2018-06-26 |
| 20 | 201717003634-Letter to (DRDO).pdf | 2021-10-17 |
| 21 | 201717003634-FER.pdf | 2021-10-17 |
| 22 | 201717003634-FORM 3 [17-01-2022(online)].pdf | 2022-01-17 |
| 23 | 201717003634-Information under section 8(2) [18-01-2022(online)].pdf | 2022-01-18 |
| 24 | 201717003634-Response to office action [06-04-2022(online)].pdf | 2022-04-06 |
| 25 | Reply From DRDO-(27-05-2022).pdf | 2022-05-27 |
| 26 | 201717003634-Response to office action [08-07-2022(online)].pdf | 2022-07-08 |
| 27 | 201717003634-Certified Copy of Priority Document [08-07-2022(online)].pdf | 2022-07-08 |
| 28 | 201717003634-FORM-26 [11-07-2022(online)].pdf | 2022-07-11 |
| 29 | 201717003634-PatentCertificate14-12-2023.pdf | 2023-12-14 |
| 30 | 201717003634-IntimationOfGrant14-12-2023.pdf | 2023-12-14 |

| # | Name |
|---|---|
| 1 | 2020-06-1712-26-26E_17-06-2020.pdf |