SYSTEM FOR REMOTELY-OPERATED SYSTEMS
20170160739 · 2017-06-08
Inventors
CPC classification
G08G5/26
PHYSICS
H04W12/37
ELECTRICITY
International classification
G05D1/00
PHYSICS
Abstract
The invention relates to a remote-controlled system comprising: at least one ground interface (3), from which an operator can control a remote-controlled vehicle; at least one mission unit (7, 8) in said vehicle; and a data link between said interface (3) and said mission unit (7, 8). Said system is characterized in that it comprises, on the ground and in the vehicle, security monitoring systems (6, 10) suitable for approving and/or authenticating critical data and/or commands exchanged between the ground and the vehicle and also suitable for verifying the integrity of said data. It is thus possible to use, on the ground as on board the vehicle, interfaces and units with a low level of criticality at the same time as interfaces and units with the highest level of criticality.
Claims
1. A remotely-operated system including: at least one interface on the ground from which an operator may control a remotely-operated vehicle, one second interface on the ground having a higher criticality level than the first interface on the ground, at least one mission assembly in said vehicle, a data link between said interface and said mission assembly, the system including on the ground and in the vehicle safety checking systems adapted for signing and/or authenticating critical data and/or commands exchanged between the ground and the vehicle, and/or for checking the integrity of these data, the safety checking system on the ground being adapted for checking the consistency between the emitted command data intended for on-board the vehicle and a command return which is transmitted from on-board the vehicle by a remotely operated critical assembly and one of the safety checking systems in the vehicle is adapted for checking whether the remotely-operated vehicle is maintained in a safety coverage predefined by the ground and for triggering a predetermined action when this is not the case.
2. The system according to claim 1, wherein the safety checking system on the ground is adapted for signing the critical commands emitted by either one of the interfaces intended for on-board the vehicle and for checking the integrity of the state data received from on-board.
3. (canceled)
4. The system according to claim 1, wherein the safety checking system on the ground is adapted for copying and controlling emitted command data intended for on-board by a mission operator interface of high criticality.
5. The system according to claim 1, wherein the safety checking system on-board the vehicle is adapted for authenticating the command data intended for a remotely-operated assembly of high criticality on-board the vehicle and for checking their integrity.
6. The system according to claim 1, wherein the safety checking system on-board the vehicle is adapted for checking the temporal validity of the commands from the ground.
7. The system according to claim 1, wherein the safety checking system on-board the vehicle is adapted for emitting to the ground acknowledgments of instructions from a critical assembly on-board the remotely-operated vehicle.
8. The system according to claim 1, wherein the safety checking system on-board the vehicle is adapted for signing the controls and statuses issued from a critical assembly on-board the remotely-operated vehicle.
9. The system according to claim 1, wherein a safety checking system on the ground (respectively on-board the vehicle) is adapted for regularly transmitting to on-board (respectively to the ground) authentication requests.
10. The system according to claim 1, wherein it further includes an independent safety data link chain in order to allow triggering of a predetermined safety action from the ground.
11. The system according to claim 1, wherein the safety checking system of the vehicle is adapted for receiving a series of simple orders from the air traffic control.
Description
PRESENTATION OF THE FIGURES
[0023] Other features and advantages of the invention will further emerge from the description which follows, which is purely illustrative and non-limiting, and should be read with reference to the appended figures wherein:
DESCRIPTION OF ONE OR SEVERAL EMBODIMENTS
[0026] The architecture illustrated in
[0027] On the ground, the architecture comprises at least one interface 3 from which an operator may control the remotely-operated vehicle, a concentrator 4 giving the possibility of ensuring the data link with the vehicle, as well as an interface 5 which is of a higher criticality level (DAL or Development Assurance Level) than the interface 3 and the concentrator 4.
[0028] A safety control system 6 is provided on the ground. This system is also of a high criticality level and has the following functions:
[0029] it signs the critical commands emitted by either one of the interfaces 3 and 5 intended for on-board the vehicle (ciphering application);
[0030] it checks the integrity of the state data regularly received from on-board (position, status of the piece of equipment, etc.). The checking of integrity is accomplished both spatially and temporally. The condition received from on-board is then classified by the system according to three states: functional, degraded, non-functional;
[0031] it checks the consistency between the command emitted towards on-board and the command return which is transmitted from on-board by the critical assembly of the latter;
[0032] it regularly transmits on-board requests for authentication (application of a challenge function);
[0033] it copies the instructions emitted by the mission interface 5 intended for on-board in order to control the latter (short safety loop).
[0034] A similar architecture is also provided on-board the vehicle. The latter integrates for this purpose one or several mission assemblies 7 of a low criticality level, one or several mission assemblies 8 with a high criticality level, a concentrator 9 giving the possibility of ensuring the link with the ground, and a safety system 10.
[0035] This safety checking system 10 is also with a high criticality level and applies the following controls:
[0036] it broadcasts towards the critical assembly 8 the command from the ground after decoding;
[0037] it checks the integrity of this command before its broadcasting towards the critical assembly 8;
[0038] it regularly emits authentication requests (challenge) intended for the interfaces 3 and 5 on the ground;
[0039] it checks the time validity of the commands from the ground (ageing);
[0040] it emits to the ground acknowledgments of instructions from the remotely-operated critical assembly 8;
[0041] it signs the controls and statuses issued from the remotely-operated critical assembly 8.
[0042] It will be noted here that the components and the algorithms signing the commands from the ground and signing the controls from on-board are identical.
[0043] Highly secured keys and robust mathematical algorithms are used for ensuring that the probability of receiving erroneous orders/states without being able to detect them is very low (less than a level equivalent to the function which it serves).
[0044] The housings of the different processing units used each contain an accurate internal clock synchronised to a common time base. These clocks are chosen to be robust against loss of the time reference.
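As an added illustration (not code from the patent or its applicant), the following Python sketches the exchanges of [0028] to [0044] in one place: signing of a critical command or state report, the receiver's integrity check followed by the temporal validity ("ageing") check against the common time base, the functional/degraded/non-functional classification of [0030], the challenge/response of [0032] and [0038], and the ground-side consistency check of [0031]. The patent does not name its algorithm, so HMAC-SHA256 over a shared key stands in for it (consistent with [0042], which says the signing components on both sides are identical); the envelope layout, the nonce, the two-second ageing limit and the mapping of check results onto the three states are all assumptions of this example.

```python
"""Added example, not the patent's own code: signed envelopes with an
ageing check, challenge/response and a command-return consistency check.
Assumptions: HMAC-SHA256 with a key shared by both safety checking
systems, a JSON envelope, and a 2 s ageing limit."""
import hashlib
import hmac
import json
import secrets
from typing import Tuple

# Assumed: one symmetric key provisioned to the ground and on-board systems.
SHARED_KEY = b"demo-shared-key-do-not-use-in-production"
MAX_COMMAND_AGE_S = 2.0  # assumed ageing limit on the common time base


def _canonical(body: dict) -> bytes:
    # Canonical JSON so both sides authenticate exactly the same bytes.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign_message(key: bytes, payload: dict, now: float) -> dict:
    """Wrap a critical command or state report in a signed envelope.
    `now` is the sender's clock on the shared time base."""
    body = {"payload": payload, "ts": now, "nonce": secrets.token_hex(8)}
    tag = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


def verify_message(key: bytes, envelope: dict, now: float,
                   max_age: float = MAX_COMMAND_AGE_S) -> Tuple[bool, str]:
    """Integrity first, then temporal validity (the 'ageing' check)."""
    body = envelope.get("body")
    tag = envelope.get("tag", "")
    if not isinstance(body, dict):
        return False, "malformed"
    expected = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return False, "integrity"
    ts = body.get("ts")
    if not isinstance(ts, (int, float)):
        return False, "malformed"
    if abs(now - ts) > max_age:
        return False, "ageing"
    return True, "ok"


def classify_state(key: bytes, envelope: dict, now: float,
                   max_age: float = MAX_COMMAND_AGE_S) -> str:
    """Assumed mapping of the checks onto the three states of [0030]:
    valid and fresh -> functional, valid but stale -> degraded,
    anything that fails integrity -> non-functional."""
    ok, reason = verify_message(key, envelope, now, max_age)
    if ok:
        return "functional"
    if reason == "ageing":
        return "degraded"
    return "non-functional"


def make_challenge() -> bytes:
    """Fresh random challenge sent periodically to the peer."""
    return secrets.token_bytes(16)


def answer_challenge(key: bytes, challenge: bytes) -> str:
    """The peer proves possession of the key by keying the challenge."""
    return hmac.new(key, b"challenge:" + challenge, hashlib.sha256).hexdigest()


def check_challenge_answer(key: bytes, challenge: bytes, answer: str) -> bool:
    return hmac.compare_digest(answer_challenge(key, challenge), answer)


def command_return_consistent(sent: dict, returned: dict) -> bool:
    """Ground-side short loop of [0031]: the command echoed back by the
    critical assembly must equal the command that was emitted."""
    return sent == returned


if __name__ == "__main__":
    env = sign_message(SHARED_KEY, {"cmd": "set_heading", "deg": 90}, now=1000.0)
    print(verify_message(SHARED_KEY, env, now=1000.5))
    print(classify_state(SHARED_KEY, env, now=1003.0))
    ch = make_challenge()
    print(check_challenge_answer(SHARED_KEY, ch, answer_challenge(SHARED_KEY, ch)))
```

The envelope carries the sender's timestamp inside the authenticated bytes, so a replayed or delayed command fails the ageing check without an attacker being able to refresh the timestamp; the challenge is random per round so a recorded answer is useless later.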
[0045] Moreover, the safety system 10 of the vehicle is capable of checking whether the vehicle is maintained in a safety coverage (three-dimensional area, critical status . . . ) predefined by the ground.
[0046] The remotely-operated vehicle comprises a navigation system, including a satellite positioning receiver (for example of the GPS type), and an inertial central unit.
[0047] The remotely-operated vehicle also comprises a configured processing module for determining, from position signals generated by the navigation system and by the inertial central unit, instantaneous position data of the vehicle. The position data of the vehicle include data representative of the instantaneous space coordinates of the vehicle (latitude, longitude and altitude), as well as possibly a protective radius. The protective radius defines a volume around the position defined by the instantaneous coordinates, in which the vehicle is found, taking into account uncertainties related to the measurement.
[0048] The position data of the vehicle are transmitted by the processing module to the safety checking system 10.
[0049] The safety checking system 10 compares the position data which it receives from the processing module with data representative of the defined safety coverage and transmitted by the ground.
[0050] When the commands from on-board or the states of the critical sub-assembly 8 do not comply with this safety coverage, the system 10 triggers a predetermined action (for example, isolation of the outer commands and/or application of safety rules).
[0051] The data representative of the safety coverage may comprise ranges of latitude, longitude and altitude, in which the remotely-operated vehicle has to be positioned.
[0052] According to a first possibility, the protective radius is calculated by the processing module located on-board the vehicle.
[0053] In this case, the protective radius is transmitted by the processing module to the safety checking system 10 on-board the vehicle with the position data.
[0054] The position data, including the protective radius, are transmitted by the safety checking system 10 located on-board to the safety checking system 6 located on the ground.
[0055] In return, the safety checking system 6 located on the ground transmits to the safety checking system 10 located on-board, the data representative of the safety coverage, in order to allow the safety checking system 10 located on-board to check whether the remote-controlled vehicle is maintained in the safety coverage.
[0056] The safety coverage may be determined on the ground from position data transmitted by the safety checking system 10 located on-board. The position data of the vehicle and the representative data of the safety coverage exchanged between the ground and the vehicle are signed by the emitter control system and authenticated by the receiver control system.
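The following Python is an added example, not the patent's code, of the on-board check described in [0045] to [0055]: the safety checking system 10 compares the vehicle's position data (coordinates plus protective radius) with the coverage received from the ground and decides whether the predetermined action of [0050] is due. It assumes the coverage is given as latitude, longitude and altitude ranges (as in [0051]), that the vehicle counts as inside only when its whole protective volume lies within those ranges, and it converts the radius from metres to degrees with a flat-earth approximation; the action label is an assumed name for the "isolation of the outer commands" the patent mentions. The check is the same whichever side computed the radius ([0052] or [0057]).

```python
"""Added example (not the patent's code): on-board safety coverage check
with a protective radius.  Assumptions: coverage as lat/lon/alt ranges,
whole uncertainty volume must be inside, flat-earth metres-per-degree."""
import math
from dataclasses import dataclass

M_PER_DEG_LAT = 111_320.0  # approximate metres per degree of latitude


@dataclass(frozen=True)
class Position:
    lat: float                # degrees
    lon: float                # degrees
    alt: float                # metres
    protective_radius: float  # metres; 0.0 when no radius is available


@dataclass(frozen=True)
class SafetyCoverage:
    lat_min: float
    lat_max: float
    lon_min: float
    lon_max: float
    alt_min: float
    alt_max: float


def radius_in_degrees(pos: Position) -> tuple:
    """Convert the protective radius (metres) into latitude and longitude
    offsets in degrees at the vehicle's current latitude."""
    d_lat = pos.protective_radius / M_PER_DEG_LAT
    cos_lat = max(abs(math.cos(math.radians(pos.lat))), 1e-9)  # no /0 at poles
    d_lon = pos.protective_radius / (M_PER_DEG_LAT * cos_lat)
    return d_lat, d_lon


def within_coverage(pos: Position, cov: SafetyCoverage) -> bool:
    """True only if the whole protective volume lies inside the coverage,
    so measurement uncertainty never lets the vehicle straddle a boundary."""
    d_lat, d_lon = radius_in_degrees(pos)
    r = pos.protective_radius
    return (cov.lat_min <= pos.lat - d_lat and pos.lat + d_lat <= cov.lat_max
            and cov.lon_min <= pos.lon - d_lon and pos.lon + d_lon <= cov.lon_max
            and cov.alt_min <= pos.alt - r and pos.alt + r <= cov.alt_max)


def safety_action(pos: Position, cov: SafetyCoverage,
                  critical_states_ok: bool) -> str:
    """Decide the predetermined action of [0050].  'isolate_outer_commands'
    is an assumed label for the isolation the patent describes."""
    if within_coverage(pos, cov) and critical_states_ok:
        return "nominal"
    return "isolate_outer_commands"


if __name__ == "__main__":
    # Constructed sample coverage and positions.
    cov = SafetyCoverage(48.0, 49.0, 2.0, 3.0, 0.0, 1500.0)
    print(within_coverage(Position(48.5, 2.5, 500.0, 50.0), cov))     # inside
    print(within_coverage(Position(48.9999, 2.5, 500.0, 50.0), cov))  # radius crosses edge
    print(safety_action(Position(48.5, 2.5, 1480.0, 50.0), cov, True))
```

Note the asymmetry built into the check: a larger protective radius can only shrink the region that passes, so a degraded navigation solution (larger uncertainty) moves the vehicle towards the predetermined action earlier rather than later.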
[0057] According to a second possibility, the protective radius is calculated by a processing module located on the ground.
[0058] This second possibility may in particular be useful if the calculation of the protective radius has to take into account the fact that one or two GNSS satellites may have failed. This calculation requires the use of a complex processing system, including a large filter bank which may advantageously be moved to the ground, wherein the available means do not have the same limitations as those on-board the vehicle and which may allow the processing of several vehicles at a time.
[0059] In this case, the space coordinates of the vehicle are transmitted by the safety checking system 10 located on-board to the safety checking system 6 located on the ground.
[0060] The processing module located on the ground calculates the protective radius depending on the instantaneous space coordinates of the vehicle (latitude, longitude and altitude, GNSS distance data to the different visible satellites), as well as the representative data of the protective coverage.
[0061] The safety checking system 6 located on the ground transmits to the safety checking system 10 located on-board, the representative data of the protective radius and of the safety coverage, in order to allow the safety checking system 10 located on-board to check whether the remote-controlled vehicle is maintained in the safety coverage.
[0062] The position data of the vehicle and the representative data of the protective radius and of the safety coverage exchanged between the ground and the vehicle are signed by the emitter control system and authenticated by the receiver control system.
[0063] In still another alternative (
[0064] Also in a third alternative (
[0065] The authenticity of these commands is checked by a signature mechanism on the basis of keys exchanged between the ATC and the remote-operator beforehand.