[go: up one dir, main page]

GB2628526A - System and apparatus for assured Limitation of flight operations of Unmanned Aerial Systems (UAS) - Google Patents

System and apparatus for assured Limitation of flight operations of Unmanned Aerial Systems (UAS) Download PDF

Info

Publication number
GB2628526A
GB2628526A GB2303033.1A GB202303033A GB2628526A GB 2628526 A GB2628526 A GB 2628526A GB 202303033 A GB202303033 A GB 202303033A GB 2628526 A GB2628526 A GB 2628526A
Authority
GB
United Kingdom
Prior art keywords
uas
safe
module
output
flight
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
GB2303033.1A
Other versions
GB202303033D0 (en
Inventor
Thomas Allsopp Christopher
Daren Carroll Stephan
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Frazer Nash Consultancy Ltd
Original Assignee
Frazer Nash Consultancy Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Frazer Nash Consultancy Ltd filed Critical Frazer Nash Consultancy Ltd
Priority to GB2303033.1A priority Critical patent/GB2628526A/en
Publication of GB202303033D0 publication Critical patent/GB202303033D0/en
Priority to PCT/EP2024/055270 priority patent/WO2024180190A1/en
Priority to AU2024230315A priority patent/AU2024230315A1/en
Publication of GB2628526A publication Critical patent/GB2628526A/en
Pending legal-status Critical Current

Links

Classifications

    • GPHYSICS
    • G08SIGNALLING
    • G08GTRAFFIC CONTROL SYSTEMS
    • G08G5/00Traffic control systems for aircraft
    • G08G5/20Arrangements for acquiring, generating, sharing or displaying traffic information
    • G08G5/21Arrangements for acquiring, generating, sharing or displaying traffic information located onboard the aircraft
    • GPHYSICS
    • G08SIGNALLING
    • G08GTRAFFIC CONTROL SYSTEMS
    • G08G5/00Traffic control systems for aircraft
    • G08G5/20Arrangements for acquiring, generating, sharing or displaying traffic information
    • G08G5/26Transmission of traffic-related information between aircraft and ground stations
    • GPHYSICS
    • G08SIGNALLING
    • G08GTRAFFIC CONTROL SYSTEMS
    • G08G5/00Traffic control systems for aircraft
    • G08G5/30Flight plan management
    • G08G5/34Flight plan management for flight plan modification
    • GPHYSICS
    • G08SIGNALLING
    • G08GTRAFFIC CONTROL SYSTEMS
    • G08G5/00Traffic control systems for aircraft
    • G08G5/50Navigation or guidance aids
    • G08G5/53Navigation or guidance aids for cruising
    • GPHYSICS
    • G08SIGNALLING
    • G08GTRAFFIC CONTROL SYSTEMS
    • G08G5/00Traffic control systems for aircraft
    • G08G5/50Navigation or guidance aids
    • G08G5/55Navigation or guidance aids for a single aircraft
    • BPERFORMING OPERATIONS; TRANSPORTING
    • B64AIRCRAFT; AVIATION; COSMONAUTICS
    • B64DEQUIPMENT FOR FITTING IN OR TO AIRCRAFT; FLIGHT SUITS; PARACHUTES; ARRANGEMENT OR MOUNTING OF POWER PLANTS OR PROPULSION TRANSMISSIONS IN AIRCRAFT
    • B64D17/00Parachutes
    • B64D17/80Parachutes in association with aircraft, e.g. for braking thereof
    • GPHYSICS
    • G08SIGNALLING
    • G08GTRAFFIC CONTROL SYSTEMS
    • G08G5/00Traffic control systems for aircraft
    • G08G5/50Navigation or guidance aids
    • G08G5/57Navigation or guidance aids for unmanned aircraft
    • GPHYSICS
    • G08SIGNALLING
    • G08GTRAFFIC CONTROL SYSTEMS
    • G08G5/00Traffic control systems for aircraft
    • G08G5/50Navigation or guidance aids
    • G08G5/58Navigation or guidance aids for emergency situations, e.g. hijacking or bird strikes
    • GPHYSICS
    • G08SIGNALLING
    • G08GTRAFFIC CONTROL SYSTEMS
    • G08G5/00Traffic control systems for aircraft
    • G08G5/50Navigation or guidance aids
    • G08G5/59Navigation or guidance aids in accordance with predefined flight zones, e.g. to avoid prohibited zones

Landscapes

  • Engineering & Computer Science (AREA)
  • Aviation & Aerospace Engineering (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Mobile Radio Communication Systems (AREA)
  • Control Of Position, Course, Altitude, Or Attitude Of Moving Bodies (AREA)

Abstract

A system 100 comprising monitor/limiter 104 and safe flight termination subsystem 106 may be mounted on (Fig.3) – or incorporated into (Fig.2) - an unmanned aerial system (UAS). Loss of communication detection module 110 sends a first output with a value of “SAFE” when an assured messaging output signal is received from assured messaging module 108. Remote flight termination module 112 sends a second “SAFE” output when a remote flight termination message is not received from the messaging module. Position and altitude geofencing modules 114, 116 send respective third and fourth “SAFE” outputs if expected times until the UAS reaches a geofence boundary exceed respective minimum safe times. Flight termination module 118 receives the outputs and, when any does not have a value of “SAFE, sends a fifth output with a value of “TERMINATE FLIGHT”, e.g. to open a relay 132, 132’ to isolate the propulsion components (204, 206, Fig.2-3) from their power source. Initiate safe outcome module 120 may send a sixth output with a value of “SAFE OUTCOME” in response to the fifth output, e.g. to launch a ballistic parachute.

Description

SYSTEM AND APPARATUS FOR ASSURED LIMITATION OF FLIGHT OPERATIONS
OF UNMANNED AERIAL SYSTEMS (UAS)
TECHNICAL FIELD
[0001] This disclosure relates to systems and apparatus for limiting the flight operations of unmanned (i.e., uncrewed) aerial systems (UAS). Embodiments are provided for assuring flight operations of an attached UAS are limited to approved parameters.
BACKGROUND
[0002] The potential of unmanned aerial systems, also known as uncrewed air systems or unmanned aerial vehicles (collectively referred to herein as UAS) for helping society and industry is vast. As technologies continue to develop, and UAS' range, speed, capacity, and reliability continue to improve, the utility of UAS will only become greater. New use cases for UAS are continuously being identified and realised: from package delivery to journalism, infrastructure inspection to disaster search and rescue. So great is this growth, that projections indicate that by 2030, the UK alone may employ -76,000 UAS across industry, providing net cost savings of -£16 billion to the UK economy.
100031 To realise this potential, it is vital that UAS operate safely and predictably, so as to avoid posing a risk to life of the people around them. Accordingly, a significant obstacle to the widespread adoption of UAS is making sure they are safe, and can be proven to be safe in a manner acceptable to the relevant regulators.
[0004] Currently, civil UAS operations in the UK are conducted with an operator, in Visual Line of Sight (VLOS) of the UAS, responsible for ensuring operating in accordance with the guidance provided by CAP 722: Unmanned Aircraft System Operations in UK Airspace Guidance. For operations Beyond Visual Line of Sight (BVLOS), the UAS no longer has the protection provided by the remote pilot to stay with a prescribed height and location envelope and to avoid obstacles or other aircraft, making accidents such as mid-air collisions with other aircraft a risk.
100051 Given the challenges of implementing and demonstrating an equivalent or superior alternative means of providing 'sense and avoid', UAS BVLOS operations in the UK are most commonly conducted in segregated airspace, which is typically provided by a Temporary Danger Area (TDA). This is not a practical or sustainable model for long-term or repeated use, particularly as the number of UAS increases and their usage becomes more routine.
[0006] Furthermore, for more advanced UAS operations -those employing advanced technologies, such as autonomous or Artificial Intelligence (AI) flight modes -there is a further challenge in that the certification principles for such UAS have not been developed yet, making them difficult or impossible to certify and deploy.
[0007] Previous systems relevant to control and limiting of UAS are disclosed in U.S. Patent Application Publication No. US2020/0202720 Al to Thurling et al. and U.S. Patent Application Publication No. US2015/0254988 Al to Wang et al. [0008] As we move towards a future where autonomous or AI-controlled BVLOS operation is considered routine, a requirement therefore exists to enforce on the UAS the safety functionality previously placed upon the operator, without mandating the need for operation exclusively in segregated airspace.
SUMMARY
[0009] In one aspect, an apparatus for assured limitation of flight operations of unmanned aerial systems (UAS) comprises a chassis configured for attachment to a UAS; a monitor subsystem carried by the chassis and a safe flight termination subsystem carried by the chassis. The monitor subsystem includes an assured messaging module configured to receive a message from a Ground Control Station (GCS) and determine when the message is received as intended and provide an assured messaging output signal only when the message is received as intended. The assured messaging module also determines when the message is a remote flight termination message and provides a flight termination output signal only when the message is the remote flight termination message. The monitor subsystem further includes a loss of communications detection module operatively attached to the assured messaging module to receive the assured messaging output signal and configured to provide a first output having a value of "SAFE" when the received assured messaging output signal is received. The monitor subsystem further includes a remote flight termination module operatively attached to the assured messaging module to receive the remote flight termination message and configured to provide a second output having a value of "SAFE" when the received remote flight termination message is not received. The monitor subsystem further includes a position geofencing module including a predetermined position geofence and operatively attached to a position sensor to receive position signals and configured to determine a current position, heading and horizontal speed from the position signals and provide a third output having a value of "SAFE" when the position is predicted to remain within the predetermined position geofence. The monitor subsystem further includes an altitude fencing module including a predetermined altitude fence and operatively attached to an altitude sensor to receive altitude signals and configured to determine a current altitude and rate of climb/descent from the altitude signals and provide a fourth output having a value of "SAFE" when the altitude is predicted to remain within the predetermined altitude fence. The safe flight termination subsystem includes a terminate flight module operatively connected to the monitor subsystem to receive the first, second, third and fourth outputs and configured to provide a fifth output having a value of "FLIGHT TERMINATION" when any of the received first, second, third and fourth outputs does not have a value of "SAFE". The fifth output is routed to at least one of the following: a flight termination device carried by the chassis and configured to terminate the flight of the attached UAS when the received fifth output has a value of "FLIGHT TERMINATION"; and a flight termination port carried by the chassis and configured for operable connection of the fifth output to an external flight termination device of the attached UAS, wherein the external flight termination device is configured to terminate the flight of the attached UAS when the received fifth output has a value of "FLIGHT TERMINATION". An initiate safe outcome module is operatively connected to the terminate flight module to receive the fifth output and configured to provide a sixth output having a value of "SAFE OUTCOME" when the received fifth output has a value of "FLIGHT TERMINATION'', the sixth output being routed to a safe outcome control port carried by the chassis and configured for operable connection of the sixth output to an external safe outcome device of the attached UAS, wherein the external safe outcome device is configured to initiate a safe outcome when the received sixth output has a value of "SAFE OUTCOME".
100101 In one embodiment, the apparatus further comprises a power system including a power inlet port on the chassis configured to receive propulsion power from a propulsion power system of an attached UAS, a power outlet port on the chassis configured to deliver the propulsion power to a propulsion system of the attached UAS and a propulsion power line connected between the power inlet port and the power outlet port for carrying the propulsion power. The flight limitation device is an electrical relay operatively connected into the propulsion power line to selectively isolate the propulsion power system of the attached UAS from the propulsion system of the attached UAS when the received fifth output has a value of "FLIGHT TERMINATION.
100111 In another aspect, the sensor suite 105 of the AFLA 100 is configured to receive offboard sensor inputs including position information of the UAS determined by offboard sources, i.e., sources located entirely offboard both the AFLA and attached UAS. Such offboard sources can include, but are not limited to, a trusted external sensor able to track the position of the UAS through ground based radars, ground based cameras or ground based acoustic sensors. The offboard sensor inputs can be received via the assured messaging port 142 to ensure security and reliability of the signals, and then transferred via the processor 140 to the sensor suite 105. After extracting the position information of the UAS from the received offboard sensor inputs, the sensor suite 105 can use the extracted position information either alone, or with other sensor information from the sensor suite itself and/or received from the external sensor port 115 to determine the position of the AFLA and any attached UAS.
100121 In yet another aspect, an apparatus for assured limitation of flight operations of unmanned aerial systems (UAS) is mountable on a UAS including a safe outcome system. The apparatus comprises a monitor subsystem including an assured messaging module. The module is configured to receive a message from a Ground Control Station (GCS) and determine when the message is received as intended, send an assured messaging output signal only when the message is received as intended, determine when the message is a remote flight termination message, and send a flight termination output signal only when the message is the remote flight termination message. A loss of communications detection module is operatively attached to the assured messaging module to receive the assured messaging output signal, and configured to send a first output having a value of "SAFE" when the received assured messaging output signal is received. A remote flight termination module is operatively attached to the assured messaging module to receive the remote flight termination message, and configured to send a second output having a value of "SAFE" when the received remote flight termination message is not received. A position geofencing module includes a current position geofence defining one or more geofence boundary, the module operatively connected to at least one position sensor to receive successive position signals from the at least one position sensor, each respective successive position signal being indicative of the position of the UAS at a respective successive time. The position geofencing module is further configured to determine a current position, heading and horizontal speed of the UAS using the received successive position signals, determine an expected time Texp(P) until the UAS reaches the current position geofence boundary from the current position at the current heading and horizontal speed; and send a third output having a value of "SAFE" when the time Texp(P) is greater that a minimum position safe time Tmin(P). An altitude fencing module includes a current fence defining one or more altitude boundary, the module operatively connected to at least one altitude sensor to receive successive altitude signals from the at least one altitude sensor, each respective successive altitude signal being indicative of the altitude of the UAS at a respective successive time. The altitude fencing module is further configured to determine a current altitude and rate of climb or descent of the UAS using the received successive altitude signal, determine an expected time Texp(A) until the UAS reaches the current altitude fence boundary from the current altitude at the current rate of climb or descent; and send a fourth output having a value of "SAFE" when the time Texp(A) is greater that a minimum altitude safe time Tmin(A). The apparatus further comprises a safe flight termination subsystem, the safe flight termination subsystem including a terminate flight module operatively connected to the monitor subsystem to receive the first, second, third and fourth outputs and configured to send a fifth output having a value of "FLIGHT TERMINATION" when any of the received first, second, third and fourth outputs does not have a value of "SAFE". An initiate safe outcome module is operatively connected to the terminate flight module to receive the fifth output and configured to send a sixth output having a value of "SAFE OUTCOME" when the received fifth output has a value of "FLIGHT TERMINATION".
10013] In one embodiment, the fifth output sent by the terminate flight module is routed to at least one of the following: a flight termination device configured to terminate the flight of an attached UAS when the received fifth output has a value of "FLIGHT TERMINATION"; and a flight termination port configured for operable connection of the fifth output to an external flight termination device of the attached UAS. The external flight termination device is configured to terminate the flight of the attached UAS when the received fifth output has a value of "FLIGHT TERMINATION".
10014] In another embodiment, the sixth output sent by the initiate safe outcome module is routed to a safe outcome control port configured for operable connection of the sixth output to an external safe outcome device of an attached UAS that is configured to initiate a safe outcome when the sixth output has a value of -SAFE OUTCOME".
10015] In yet another embodiment, the apparatus further comprises a power system including a power inlet port configured to receive electric propulsion power from a propulsion power system of an attached UAS, a power outlet port configured to deliver the electric propulsion power to a propulsion system of the attached UAS, and a propulsion power line connected between the power inlet port and the power outlet port for carrying the electric propulsion power. A flight limitation device is operatively connected into the propulsion power line to selectively isolate the propulsion system of the attached UAS from the propulsion power system of the attached UAS to prevent a flow of electrical power therebetween when the received fifth output has a value of "FLIGHT TERMINATION-.
100161 In still another embodiment, the flight limitation device further comprises an electrical relay configured to automatically enter a safe state when no value is received from the fifth output. The safe state of the electrical relay isolates the propulsion system of the attached UAS from the propulsion power system of the attached UAS to prevent a flow of electrical power therebetween.
[0017] In a further embodiment, the position geofencing module is further configured to determine a current values of Texp(P) and Tmin(P) and send to an external data port, a position geofencing advisory signal indicative of at least one of: a current value of Texp(P); and a current relative value (ratio) between Texp(P) and Tmin(P). The external data port is configured for operative connection to an attached UAS to make the position geofencing advisory signal available to the attached UAS, whereby position geofencing advisory function is implemented.
[0018] In a yet further embodiment, the value of Tmin(P) used by the position geofencing module can be programmed with different values for different geographical areas.
[0019] In another embodiment, the value of Tmin(P) used by the position geofencing module can be programmed with different values for different sections of a flight path.
[0020] In still another embodiment, the value of Tmin(P) used by the position geofencing module can be changed by receiving assured messages from a GCS.
[0021] In a further embodiment, the at least one position sensor is an offboard sensor able to track the position of the UAS comprising one of a ground based radar, a ground based camera and a ground based acoustic sensor. Sensor inputs from the offboard sensor are received by the assured messaging module, sent to the position geofencing module, and used to determine the current position of the UAS.
[0022] In a yet further embodiment, the altitude fencing module is further configured to determine a current values of Texp(A) and Tmin(A), send to an external data port, an altitude geofence advisory signal indicative of at least one of a current value of Texp(A) and a current relative value (ratio) between Texp(A) and Tmin(A). The external data port is configured for operative connection to an attached UAS to make an altitude fence advisory signal available to the attached UAS, whereby an altitude fence advisory function is implemented.
100231 In a still further embodiment, the apparatus further includes a chassis supporting the monitoring subsystem and safe flight termination system for mounting on the UAS.
100241 In another embodiment, the apparatus further includes an enclosure for enclosing the monitoring subsystem and safe flight termination system for mounting on the UAS.
100251 In still another aspect, a system for assured limitation of flight operations of unmanned aerial systems is incorporated into a UAS including a safe outcome system. The system comprises a loss of communications detection module operatively attached to an assured messaging module and configured to send a first output having a value of "SAFE" when an assured messaging output signal is received from the assured messaging module. A remote flight termination module is operatively attached to the assured messaging module and configured to send a second output having a value of "SAFE" when a remote flight termination message is not received the assured messaging module. A position geofencing module is operatively connected to at least one position sensor to receive successive position signals from the at least one position sensor and configured to determine an expected time Texp(P) until the UAS reaches a current position geofence boundary from a current position at a current heading and horizontal speed using the successive position signals, and to send a third output having a value of "SAFE" when the time Texp(P) is greater that a minimum position safe time Tmin(P). An altitude fencing module is operatively connected to at least one altitude sensor to receive successive altitude signals from the at least one altitude sensor and configured to determine an expected time Texp(A) until the UAS reaches a current altitude fence boundary from the current altitude at a current rate of climb or descent, and to send a fourth output having a value of "SAFE" when the time Texp(A) is greater that a minimum altitude safe time Tmin(A). A terminate flight module is operatively connected to receive the first, second, third and fourth outputs and configured to send a fifth output having a value of "FLIGHT TERMINATION" when any of the received first, second, third and fourth outputs does not have a value of "SAFE".
[0026] In one embodiment, the system further comprises an initiate safe outcome module operatively connected to receive the fifth output and configured to send a sixth output having a value of "SAFE OUTCOME" when the received fifth output has a value of "FLIGHT TERMINATION".
DESCRIPTION OF THE DRAWINGS
[0027] For a more complete understanding, reference is now made to the following description taken in conjunction with the accompanying Drawings in which: [0028] FIG. I shows a block diagram of an assured flight limitation apparatus in accordance with one aspect; [0029] FIG. 2 shows the AFLA of FIG. 1 attached to a first UAS in accordance with one embodiment; and 100301 FIG. 3 shows the AFLA of FIG. 1 attached to a second UAS in accordance with another embodiment.
DETAILED DESCRIPTION
[0031] Referring now to the drawings, wherein like reference numbers are used herein to designate like elements throughout, the various views and embodiments of apparatus for assured limitation of flight operations of unmanned aerial system (UAS) are illustrated and described, and other possible embodiments are described. The figures are not necessarily drawn to scale, and in some instances the drawings have been exaggerated and/or simplified in places for illustrative purposes only. One of ordinary skill in the art will appreciate the many possible applications and variations based on the following examples of possible embodiments.
[0032] Referring to FIG. 1, there is illustrated an assured flight limitation apparatus ("AFLA") in accordance with one aspect. The AFLA 100 comprises a chassis 102 configured for attachment to an Unmanned Aerial System (UAS) and mounting or housing various AFLA components and subsystems including, but not limit to, a monitor/limiter subsystem 104 and a safe flight termination subsystem 106.
[0033] The chassis 102 can comprise any type of structure for mounting, supporting or holding the various other components of the AFLA 100 in operational relationship and allowing connection of the AFLA to a UAS. The chassis 102 can include, but is not limited to, a chassis, frame, substrate, circuit board, housing, box, case or enclosure, all of which are hereby referred to as "chassis." In some embodiments, the chassis 102 can fully or partially enclose the components of the AFLA 100, whereas in other embodiments some or all of the AFLA components may be exposed on the surface of the chassis.
100341 In some other embodiments, the AFLA 100 does not include a physical chassis, but rather includes a virtual chassis 102' comprising dedicated space provided on or within the attached UAS for mounting, supporting or holding the various other components of the AFLA 100 in operational relationship. In such cases where the AFLA 100 includes a virtual chassis 102', the AFLA may be considered an assured flight limitation system ("AFLS") rather than an apparatus. Aside from using a virtual chassis 102' instead of a physical chassis 102, the structure, function and operation of the AFLS will be substantially identical to that of the AFLA 100 as herein described unless otherwise noted.
[0035] The monitor/limiter subsystem 104 uses a suite of sensors 105 to perceive and measure the state and context of the OAS's operations. In some embodiments, the sensors of the sensor suite 105 are disposed internally within the system enclosure 102; however, in other embodiments, some or all of the sensors comprising the sensor suite can be external sensors 105' disposed outside the system enclosure and connected to the internal sensor suite 105 via an external sensor data link 107. The data link 107 can be a hard wired link or a wireless link. The sensors 105 and 105' of the monitor/limiter subsystem 104 can include, but are not limited to, sensors for airspeed, heading, position, altitude, attitude, inertia, and ground station connectivity. The monitor/limiter subsystem 104 uses the output from the sensor suite 105 as the input to a series of assured function modules 108, 110, 112, 114 and 116, which are used to compare the sensed instantaneous UAS state to a set of approved parameters, which can be termed a Safe Operating Envelope ("SOE"). When any of the assured function modules of the monitor/limiter subsystem 104 indicate a breach (or predicted breach) of the SOE, the relevant assured function module activates the safe flight termination subsystem 106, bringing the UAS to a safe state.
[0036] In some embodiments, the sensor suite 105 of the AFLA 100 is configured to receive offboard sensor inputs including position information of the UAS determined by offboard sources, i.e., sources located entirely offboard both the AFLA and attached UAS. Such offboard sources can include, but are not limited to, trusted external sensors able to track the position of the UAS through ground based radars, ground based cameras or ground based acoustic sensors. In some embodiments, the offboard sensor inputs can be received via the assured messaging port 142 to ensure security and reliability of the signals, and then transferred via the processor 140 to the sensor suite 105. In some embodiments, the offboard sensor signals can be received via the digital data port 141 and then transferred via the processor 140 to the sensor suite 105. In some embodiments, the offboard sensor signals can be received by the sensor suit 105 directly via the external sensor port 115 or the external sensor data link 107. After extracting the position information of the UAS from the received offboard sensor inputs, the sensor suite 105 can use the extracted position information either alone, or with other sensor information from the sensor suite itself and/or received from the external sensor port 115 to determine the position of the AFLA and any attached UAS.
[0037] In some embodiments, the chassis or enclosure 102 is configured to surround the other elements of the AFLA 100, thereby producing an enclosed "black box" device that can be installed inside or outside a UAS at the discretion of the UAS developer or operator. In some embodiments, the AFLA 100 is removably attachable to the UAS, whereas in other embodiments, the AFLA is permanently affixed to the UAS. In still other embodiments, the chassis or enclosure 102 is an open circuit board device for mounting inside the UAS. In still other embodiments, the chassis or enclosure 102 is a "virtual" design so that UAS integrators can embed the AFLA 100 components directly into the UAS (but still retaining the operation function described herein).
[0038] The AFLA 100 may further include an electrical power system 122 mounted on, or housed within, the chassis or enclosure 102 and operatively connected to the subsystems 104, 106 via system power lines (denoted by arrows 124 and 126 in FIG. 1) to provide electrical power management functions and electrical power distribution to the AFLA. In some embodiments, the power system 122 can comprise self-contained batteries 208 (FIG. 2) such that its operation is independent of any electrical input from an attached UAS. In other embodiments, the power system 122 can be configured to include a power inlet port 128 for receiving electrical power from an attached UAS. In such embodiments it is preferred for the power system 122 to include Uninterruptible Power Supply ("UPS") circuitry such that the power supply can continue to supply power to the AFLA for a predetermined minimum period after power from the attached UAS is lost.
[0039] In some embodiments, the power system 122 of the AFLA 100 further includes a propulsion power line 130, a flight termination device 132 and a power outlet port 134. In such embodiments, electrical power from an attached UAS's power system en route to the UAS's propulsion system is received via the AFLA's power system 122, routed through the propulsion power line 130 and the flight termination device 132, and then routed back to the UAS via the power outlet port 134, whereupon it can be further routed to the UAS's propulsion system. In some such embodiments, the power system 122 includes only the power inlet port 128 to supply power to the subsystem lines 124, 126 and the propulsion power line 130. In other embodiments, the power system 122 uses the power inlet port 128 to supply power to the subsystem lines 124, 126 and further includes a dedicated propulsion power inlet port 131 to supply power to the propulsion power line 130. When both power inlet port 128 and propulsion power inlet port 131 are present, the operating parameters (e.g., voltage) of the two ports can be the same or different. For example, in some embodiments, the power system 122 can receive electric power having a first voltage at the inlet port 128 from a first source (e.g., a first battery or first power circuit) on the UAS to power the subsystem lines 124, 126, and can receive electric power having a second voltage at the propulsion power inlet port 131 from a second source (e.g., a second battery or second power circuit on the UAS to power the propulsion system of the UAS. The first voltage and the second voltage can be the same in some embodiments and different in other embodiments. For example in some embodiments the second voltage is relatively higher than the first voltage to allow the propulsion system circuits to operate at a higher voltage than the control system circuits.
[0040] When the assured function modules of the AFLA 100 detect a breach of the SOE, the flight termination device 132 can be activated by the terminate flight module 118 of the safe flight termination subsystem 106 to isolate the UAS's propulsion system from receiving further electrical power from the propulsion power line 130, thereby bringing the UAS to a safe state (e.g., without propulsion). In the context of this disclosure, the term "activating" the flight termination device 132 refers to putting the flight termination device in a state to block electrical flow between the propulsion power line 130 and the power outlet port 134, regardless of whether putting the flight termination device in such state requires starting a signal, stopping a signal, sending a different signal, supplying power, or stopping power (as the particular embodiment requires) via the flight termination output line 146 to the flight termination device. In some embodiments, the flight termination device 132 can be a relay activated by the terminate flight module 118. In a preferred embodiment, the flight termination device 132 is a "fail open" type relay that ensures propulsion power to the UAS is cut in case of power failure of the AFLA 100 as well as when activated by the terminate flight module 118.
[0041] In other embodiments of the AFLA 100, propulsion power for the UAS's propulsion system is not routed through the AFLA. Instead, the safe flight termination subsystem 106 is configured to include a terminate flight outlet 136, which is operatively connected to the terminate flight module 118. When the assured function modules detect a breach of the SOE, the terminate flight module 118 can then send an electrical signal to the terminate flight outlet 136 to activate an external fight termination device 132' (i.e., external to the AFLA). This embodiment of AFLA 100 is for use with a UAS having an external flight termination device 132' installed on the UAS itself For example, the attached UAS could have a relay 132' installed directly in the propulsion power lines of the attached UAS, and the terminate flight outlet 136 of the AFLA can be connected to the relay such that the electrical signal from the terminate flight module 118 activate the external relay to isolate the UAS's propulsion system from receiving further electrical power, thereby bringing the UAS to a safe state.
[0042] The AFLA 100 may further include one or more processors 140 mounted on, or housed within, the chassis or enclosure 102 and operatively connected the monitor/limiter subsystem 104, the safe flight termination subsystem 106 and other modules of the AFLA. In one embodiment, the processor 140 can be, but is not limited to, one or more microprocessors, microcontrollers, controllers or single board computers in addition to associated memory, communications interfaces, operating system and other components necessary for functioning of the processor(s). In still further embodiments, two or more of the processors 140 can be configured to operate in parallel to increase the reliability of the assured function modules and fault-tolerance of the AFLA 100.
[0043] A digital data port 141 can be provided to allow the exchange of digital information between the processor 140 and UAS or external systems. In preferred embodiments, the digital data port 141 is bidirectional; however, in other embodiments the data port can be unidirectional. In some embodiments, the digital data port 141 can be used for programming the processor 140 from an external source to input or update the operating software of the AFLA 100. In some embodiments, the digital data port 141 can be used to input mission data to the processor 140, such mission data including, but not limited to, route information, geofencing information, communication codes and/or security protocols. In some embodiments, the digital data port 141 can be used to retrieve flight logging data from the AFLA 100 after a mission. In some embodiments, the digital data port 141 can be used to receive system status data from the AFLA 100. Various embodiments may provide any or all of the previously described features using a single digital data port 141 or multiple ports. In some embodiments, the digital data port 141 can be configured as a USB port and communicate using USB standards.
[0044] As previously described, the monitor/limiter subsystem 104 includes a plurality of assured function modules 108, 110, 112, 114 and 116. Each assured function module is implemented as a combination of hardware and software, developed to an appropriate level of integrity, such that the outputs of each function can be trusted and leveraged as part of an Operational Safety Case ("OSC") for the attached UAS. In this context, the term "appropriate level of integrity" means that reliability is required to be both quantitatively and qualitatively appropriate for the particular use case. For example, sufficient Redundancy and Dissimilarity ("RD") is required to achieve the quantitative design targets and eliminate Single Points of Failure ("SPOF"). This includes Systematic Causes of Hazards ("SCOH") requiring that software and complex electronic hardware will be developed in accordance with appropriate good practice and guidance adopted by the broader aerospace industry. The assured function modules are operatively connected (i.e., for power and/or data) to one another and to the other components of the AFLA 100 to communicate with one another and function as described herein. In some embodiments, the assured function modules can have their own dedicated processors, memory, firmware, software and communications interfaces, whereas in other embodiments, some or all of the assured function modules can utilize the processing power, memory, firmware, software and communication interfaces of the processors 140. In some embodiments, the memory associated with the processors 140 can contain assured logging to provide a record of the systems's performance during a mission.
100451 Some of the assured functions of the monitor/limiter subsystem 104 are now described.
The order of presentation of these assured functions does not imply a priority. The function module 108 is an assured messaging module. The assured messaging function of module 108 can enable messages to be sent between the AFLA 100 and a Ground Control Station ("GCS") with assurance that the messages are received, and received as intended, by the AFLA without the message content being misconstrued. In some embodiments, the AFLA 100 includes a data communication port 142 operatively connected to the assured messaging module 108. Messages from a GCS received by a radio in the attached UAS can be shared or forwarded to the assured messaging module 108 via the data communications port 142. In some embodiments, the AFLA 100 can include a dedicated radio 144 mounted on, or housed within, the chassis or enclosure 102 and operatively connected to the assured messaging module 108 for receiving messages from a GCS independent of any radio on an attached UAS. It will be understood in some embodiments, the AFLA 100 can include only the data communication port 142, in other embodiments, the AFLA can include only the dedicated radio 144, and in still other embodiments, the AFLA can include both data port 142 and dedicated radio 144. In embodiments where both are included, messages received via the data port 142 and messages received via the dedicate radio 144 can be compared by the assured messaging module 108 to provide increased messaging reliability.
[0046] In some embodiments, the assured messaging module 108 implements a first assured messaging function by receiving a message from a Ground Control Station (GCS), determining when the message is received as intended, and providing an assured messaging output signal only when the message is received as intended. In some embodiments, the assured messaging module 108 implements a second assured messaging function by determining when the message is a remote flight termination message and providing a flight termination output signal only when the message is the remote flight termination message.
[0047] The function module 110 is a loss of communications detection module. The Loss of Communications Detection function will also monitor the Assured Messaging function between the UAS and its Ground Control Station (GCS) for the presence of a "Heartbeat" or "Watchdog" (i.e., assured continuity) message, indicating communication between the two systems is being maintained. The assured continuity signal may include pseudo-random number sequences, encryption or other security features to ensure the authenticity of the signal and/or to reject unauthorized signals. If the Heartbeat/Watchdog message is not received within a specified time window, this indicates that the Operator will be unable to use the Flight Termination behaviour (nor any other assured messages implemented in future), and the Loss of Communications Detection function will request Safe Flight Termination.
100481 In some embodiments, the loss of communication module 110 implements the loss of communications function by receiving the assured messaging output signal and providing a first output having a value of "SAFE" when the received assured messaging output signal is received.
[0049] The function module 112 is a remote flight termination module. The assured messaging function of the assured messaging module 108 can facilitate a remote flight termination function to be implemented, where the AFLA 100 can monitor the assured messaging input (e.g., radio messages from data communication port 142 and/or from dedicated radio 144) for receipt of a specific "Terminate Flight" command from the operator (e.g., at a GCS). This remote flight termination module 112 can provide the operator with the ability to terminate flight of an attached UAS at any moment, for example should the UAS display undesired behaviour that does not otherwise trigger any of the other functions.
[0050] In some embodiments, the remote flight termination module 112 implements the remote flight limitation function by receiving the remote flight termination message and providing a second output having a value of "SAFE" when the received remote flight termination message is not received.
[0051] The function module 114 is a position geofencing module. The position geofencing module 114 is operatively connected to the sensor suite 105 to receive position information from the on-board sensors of the AFLA 100. In some embodiments, the position geofencing module 114 can also be operatively connected to an external sensor port 115 to receive position information from the sensors of an attached UAS. When the AFLA 100 receives such external position information from the sensors of an attached UAS via the external sensor port 1 15, such external information can be compared to the internal position information from the on-board sensors 105 and/or 105' to provide increased reliability and assurance regarding the position of the attached UAS. The position geofencing module 114 uses the received sensor information to determine the current position of the AFLA. The geofencing function of the position geofencing module 1 I 4 can monitor the instantaneous position of the AFLA 100 in terms of ground position coordinates (i.e., not including altitude) and thus also determine the position of the attached UAS, and compare the position to a series of pre-defined position geofences. The geofences can be provided in various ground coordinates, e.g., latitude/longitude, GPS ground position, ranges from beacons or landmarks, etc. In other words, in some embodiments, the geofencing of the position geofencing module 114 can be specified "positively," i.e., by identifying safe areas, e.g., flight corridors, in other embodiments the geofencing can be specified "negatively," i.e., by identifying unsafe areas, e.g. no-fly areas, and in still other embodiments the geofencing can be specified using a combination of positive and negative areas. The position geofencing information can be stored in a memory in the position geofencing module 114 or in a memory associated with the processor 140. The position geofencing module 114 can request Safe Flight Termination when the position geofencing function indicates that an attached UAS has ground coordinates corresponding to an unauthorized position/location. This Safe Flight Termination can ensure that the attached UAS does not leave its operational boundary, or inversely that it does not enter areas where it shouldn't.
[0052] In some embodiments, the position geofencing module 114 implements the position geofencing function by storing a predetermined position geofence, receive position signals from a position sensor, determining a current position from the position signals, and providing a third output having a value of "SAFE" when the current position is within the predetermined position geofence.
[0053] In other embodiments, the position geofencing module 114 implements the position geofencing function by storing a predetermined position geofence, receiving position signals and additional information from the sensor suite 105 and/or external sensor port 115 and determining a current position and additional parameters of flight operation, e.g., current heading and current horizontal speed, from the received signals and information. The position geofencing module 114 then determines the expected time (denoted Texp(P)) until an extrapolated horizontal position for the AFLA 100 (and any attached UAS) based on the current position, past positions, and/or determined additional flight parameters, e.g., current heading and current horizontal speed, reaches the position geofence boundary. The module 114 provides a third output having a value of "SAFE" when the Texp(P) is greater than a predetermined minimum time (denoted Tmin(P)). I.e., the third output is "SAFE" when the projected time before position boundary breach, Texp(P), is greater than a predetermined minimum time for assured operation, Tmin(P). Put another way, Texp(P) represents the length of time for the UAS to travel from its current position to the position geofence boundary assuming the current speed and heading remain constant, and Tmin(P) represents a temporal "margin of safety" that allows time for flight termination, if necessary, before the UAS reaches the position geofence boundary. In some embodiments, the value of Tmin(P) can be a constant, while in other embodiments the value of Tmin(P) can be programmed to change for different geographical areas or along different sections of a flight path, and in still other embodiments the values Tmin(P) can be changed by receiving assured messages from a GCS.
[0054] In some embodiments, the position geofencing module 114 further provides a position geofence advisory function by determining the current value of Texp(P) and then outputting position geofence advisory signals, e.g., via the digital data port 141, indicative of the current value of Texp(P) and/or of the current relative value between Texp(P) and Tmin(P). The position geofence advisory function, if present, does not replace the position geofencing function of the module I 14. Rather, the position geofencing advisory function simply provides signals indicative of the current value of Texp(P) and/or of the current relative value between Texp(P) and Tmin(P), which signal can be received by an attached UAS for use as determined by the OEM or operator of the UAS. For example, the flight controller of the UAS (which is not part of the AFLA 100 nor controlled by the AFLA) may be configured by the OEM to reduce the speed of the UAS upon receiving position geofence advisory signals indicative that the current value of Texp(P) is below a predetermined value for the UAS, thereby reducing the possibility of flight termination prompted by the UAS going too fast to ensure that it cannot reach the position geofence. In any event, regardless of the presence of a position geofence advisory function, the position geofencing module 114 will continue to independently implement the position geofencing function and implement the flight termination function if necessary to prevent the UAS from breaking a position geofence boundary.
100551 The function module 116 is an altitude fencing module. The altitude fencing module 116 is operatively connected to the sensor suite 105 to receive altitude information from the onboard sensors of the AFLA 100. In some embodiments, the altitude fencing module 116 can also be operatively connected to the external sensor port 115 to receive altitude information from the sensors of an attached UAS. When the AFLA 100 receives such external altitude information from the sensors of an attached UAS via the external sensor port 115, such external altitude information can be compared to the internal altitude information from the on-board sensors 105 and/or 105' to provide increased reliability and assurance regarding the altitude of the attached UAS. The altitude fencing function of the altitude fencing module 116 can be used to monitor the instantaneous altitude of the AFLA 100 and thus, the position of an attached UAS, and compare it to predefined altitude fences comprising upper and lower altitude thresholds. The altitude fences can be provided in various altitude coordinates, e.g., altitude above sea level, altitude above ground, etc. The altitude fencing information can be stored in a memory in the altitude fencing module 116 or in a memory associated with the processor 140. The altitude fencing module 116 can request Safe Flight Termination when the altitude fencing module indicates that an attached UAS has an instantaneous altitude corresponding to an unauthorized altitude. This Safe Flight Termination can ensure that the attached UAS remains within altitude limits at all times.
[0056] In some embodiments, the altitude fencing module 116 implements the altitude fencing function by storing a predetermined altitude fence, receiving altitude signals from an altitude sensor, determining a current altitude from the altitude signals and providing a fourth output having a value of "SAFE" when the current altitude is within the predetermined altitude fence.
[0057] In other embodiments, the altitude fencing module 116 implements the altitude fencing function by storing a predetermined altitude fence, receiving altitude signals and additional information from the sensor suite 105 and/or external sensor port 115 and determining a current altitude and additional parameters of flight operation, e.g., rate of climb or descent, from the received signals and information. The altitude fencing module 116 then determines the expected time (denoted Texp(A)) until an extrapolated altitude for the AFLA 100 (and any attached UAS) based on the current altitude and determined additional flight parameters, e.g., current rate of climb or descent, reaches the altitude fence boundary. The module 116 provides a fourth output having a value of "SAFE" when the Texp(A) is greater than a predetermined minimum time (denoted Tmin(A)). Thus, the fourth output is "SAFE" when the projected time before altitude boundary breach, Texp(A), is greater than a predetermined minimum time for assured operation, Tmin(A). Put another way, Texp(A) represents the length of time for the UAS to change from its current altitude to the altitude geofence boundary assuming the current rate of climb or descent remains constant, and Tmin(A) represents a temporal "margin of safety" that allows time for flight termination, if necessary, before the UAS reaches the altitude geofence boundary. In some embodiments, the value of Tmin(A) can be a constant, while in other embodiments the value of Tmin(A) can be programmed to change for different geographical areas or along different sections of a flight path, and in still other embodiments the values Tmin(A) can be changed by receiving assured messages from a GCS.
[0058] In some embodiments, the altitude geofencing module 116 further provides an altitude geofence advisory function by determining the current value of Texp(A) and then outputting altitude geofence advisory signals, e.g., via the digital data port 141, indicative of the current value of Texp(A) and/or of the current relative value between Texp(A) and Tmin(A). The altitude geofence advisory function, if present, does not replace the altitude geofencing function of the module 116. Rather, the altitude geofencing advisory function simply provides signals indicative of the current value of Texp(A) and/or of the current relative value between Texp(A) and Tmin(A), which signal can be received by an attached UAS for use as determined by the OEM or operator of the UAS. For example, the flight controller of the UAS (which is not part of the AFLA 100 nor controlled by the AFLA) may be configured by the OEM to reduce the rate of climb of the UAS upon receiving altitude geofence advisory signals indicative that the current value of Texp(A) is below a predetermined value for the UAS, thereby reducing the possibility of flight termination prompted by the UAS climbing too quickly to ensure that it cannot reach the altitude geofence. In any event, regardless of the presence of an altitude geofence advisory function, the altitude geofencing module 116 will continue to independently implement the altitude geofencing function and implement the flight termination function if necessary to prevent the UAS from breaking an altitude geofence boundary.
[0059] Note that while multiple AFLA-equipped UAS might adhere to the same position geofence or altitude fencing rules, the AFLA 100 is a single-platform device. The functionality to share position geofences and/or altitude fences from a centre coordinating source would be provided in some embodiments.
[0060] In some embodiments of the AFLA 100, each of the assured functions provided by the monitor/limiter subsystem 104, namely, assured function modules 108, 110, 112, 114 and 116 outputs a Boolean status, nominally equivalent to "safe" or "not safe", e.g., communications present or communications not present; messaging assured or messaging not assured; within geofenced area or not within geofenced area; within altitude fencing or not with altitude fencing; etc. In other embodiments, some or all of the monitor/limiter assured functions may output a digital or analog value status. The output of these monitor/limiter subsystem assured function modules act as the input to a second layer of assured functions provided by modules 118 and 120 in the safe flight termination subsystem 106, namely, the terminate flight function and the initiate safe outcome function.
[0061] The function module 118 is a terminate flight module, which is operatively connected to each of the assured function modules 108, 110, 112, 114 and 116 in the monitor/limiter subsystem 104 to receive output signals therefrom. The terminate flight function provided by the terminate flight module 118 takes inputs from each of the assured function modules 108, 110, 112, 114 and 116 in the monitor/limiter subsystem 104 and determines if any of the respective inputs exceeds a predetermine respective value (or respective range of values), enacting "flight termination status" when any of the inputs exceed its permitted value. In embodiments of the AFLA 100 where the assured functions of the monitor/limiter subsystem 104 output Boolean status (i.e., "safe" or "not safe"), the terminate flight function provided by the terminate flight module 118 takes inputs from each of the assured function modules 108, 110, 112, 114 and 116 and acts as a functional 'OR' gate, enacting "flight termination status" when any of the inputs has a "not safe" status. When the terminate flight termination module 118 enacts flight termination status, a signal (e.g., "FLIGHT TERMINATION" signal) can be sent via flight termination outputs 146 to prevent further flight of the attached UAS. In the embodiment shown in FIG. 1, one flight termination output 146 can be operatively connected to the internal relay 132 installed in the propulsion power line 130. The relay 132 is configured to open upon receiving the FLIGHT TERMINATION signal, thereby isolating the attached UAS's propulsion motors from power. In the embodiment of FIG. 1, another flight termination output 146' is available via the terminate flight outlet 136, which is operatively connectable to the attached UAS to open an external relay 132' in the attached UAS, and in doing so isolate the attached UAS's propulsion motors from power. Other embodiments of the AFLA 100 may have only one of the two flight termination outputs 146 and 146'. In still other embodiments of the AFLA 100, the flight termination output 146 and/or 146' can cause flight termination of the attached UAS in other ways.
100621 The function module 120 is an initiate safe outcome module, which is operatively connected to the terminate flight module 118 to receive output signals therefrom. The initiate safe outcome function provided by the initiate safe outcome module 120 ensures that an attached UAS remains safe during the flight termination procedure initiated by the AFLA I 00. The initiate safe outcome module 120, after receiving a signal from the terminate flight module 1 I 8 indicating that "flight termination status" is enacted (e.g., a "TERMINATE FLIGHT" signal), can output an initiate safe outcome signal (e.g., a "SAFE OUTCOME" signal) to an attached UAS at a safe outcome control port 148. The initiate safe outcome signal ("SAFE OUTCOME" signal) can trigger actions and/or devices on the UAS to ensure a safe outcome. In most embodiments, the safe outcome device itself is not part of the AFLA 100, but rather is a component or system of the UAS. Typically, the Original Equipment Manufacturer ("OEM") of the UAS will specify the actual devices and/or processes that ensure that safe outcome is appropriate for their Operational Safety Case (OSC). The SAFE OUTCOME signal output by the AFLA 100 serves to activate such devices and/or processes. In some embodiments, the initiate safe outcome signal can activate a kinetic energy reduction system ("KERS") on the UAS to limit the kinetic energy of the UAS while un-powered to a safe level, e.g., a parachute to control descent. Note the AFLA 100 itself does not include any KERS or other safe outcome system, rather the AFLA's initiate safe outcome module 120 only function to activate the KERS or other safe outcome system on the attached UAS when necessary, i.e., as part of a flight termination procedure. In some embodiments, the SAFE OUTCOME signal output by the AFLA 100 can also cut off propulsion power to the UAS independent of other systems, thus providing a separate safe outcome.
100631 In some embodiments, the safe outcome module 120 outputs the "SAFE OUTCOME" signal to the safe output control port 148 immediately upon receiving the "TERMINATE FLIGHT" signal from the terminate flight module 118. In other embodiments, the safe outcome module 120 implements a time delay after receiving the "TERMINATE FLIGHT" signal from the terminate flight module 118 before outputting the "SAFE OUTCOME" signal. In some embodiments, the length of the time delay is predetermined. In other embodiments, the length of the time delay can be determined by the safe outcome module 120 based on position, altitude or other data received from the sensor suite 105, for example, when the "SAFE OUTCOME" signal is received when the UAS is operating at a relatively higher altitude, a relatively longer time delay can be selected to minimize parachute drift after deployment, whereas when the "SAFE OUTCOME" signal is received when the UAS is operating at a relatively lower altitude, a relatively shorter time delay can be selected to ensure time for reliable parachute deployment. In still other embodiments, the length of the time delay can be determined by the safe outcome module 120 based on assured messages received prior to, or along with, a remote flight termination message.
[0064] In some embodiments, the main hardware assembly of the AFLA 100 to be integrated into, or onto, an attached UAS includes a minimum of two embedded controller/microprocessors; appropriate sensors (altitude, position, etc.); a suitable chassis and/or enclosure; and ancillary power management and distribution components.
[0065] In some embodiments, the AFLA 100 can be configured/parameterized before deployment, for example by hardcoding or transferring encoded files to memory (e.g., of the processors 140), or through the use of a bespoke configuration application.
[0066] In some embodiments, the AFLA 100 can include functions for sending assured messages to the AFLA during deployment, for example through integration with an existing mission management application, or from a bespoke management application.
[0067] In some embodiments, the AFLA 100 can include dedicated hardware enabling an operator (e.g., at a GCS) to trigger specific assured messages (e.g. the Remote Flight Termination assured message) during deployment.
[0068] In some embodiments, the AFLA 100 can receive assured messaging through integration with the existing UAS-GCS communications link (e.g., through communication port 142) without including a radio in the AFLA itself.
[0069] In some embodiments, the AFLA 100 is a self-contained, enclosed "black box" product that can be installed inside or outside a UAS at the discretion of the developer. The enclosure can be "optional" (i.e., virtual) so that integrators can physically embed the core components of the AFLA into their UAS if desired, while still retaining the independent assured limitation functionality described herein.
[0070] In some embodiments, the AFLA 100 can be designed into the UAS as a core subsystem from early development stages, whereas in other embodiments, the AFLA can be retrofitted to an existing UAS platform to provide assurable functionality to a previously un-assurable UAS.
[0071] In some embodiments, the AFLA 100 can be designed to minimise the internal volume of the enclosure 102 as much as possible to facilitate easier UAS integration. The specific shape of the chassis or enclosure 102 can be chosen to minimise volume with respect to the required components identified during development. In some embodiments, the chassis or enclosure 102 can have a flat rectangular shape for ease of mounting and interfacing.
[0072] In some embodiments, the AFLA 100 the enclosure 102 and core components can be designed to offer standardised mounting points to facilitate internal and external UAS integration options.
[0073] In some embodiments, the AFLA 100 can output warning signals as the operating envelope limits (e.g., position geofence or altitude fence) are neared in order to afford the UAS opportunity to act appropriately.
[0074] Referring now to FIG. 2, there is illustrated an assured flight limitation apparatus 100 attached to a UAS 200 in accordance with another aspect. The UAS 200 includes a body 202 mounting an electric propulsion system comprising multiple motor-propeller units 204, a motor control unit 206 and a propulsion battery 208. The UAS 200 further includes a safe outcome device 210, e.g., a ballistically-deployed parachute or other kinetic energy reduction system (KERS). An AFLA 100 such as described in connection with FIG. I is installed on the body 202. In the illustrated embodiment, the AFLA 100 is mounted internally within the UAS body 202, however, in other embodiments, the AFLA can be mounted externally to the body. The internal mounting can be selectively removable in some embodiments, and permanent in other embodiments. In still other embodiments, the internal mounting can be "virtual", i.e., the AFLA 100 can be built-in to the structure of the UAS 200, but with independent functionality regarding assured operations and flight limitation.
100751 A battery line 212 of the OAS's propulsion system is connected from the propulsion battery 208 to the AFLA's power system 122 via the propulsion power inlet port 131 (or, if port 131 is not present, via the power inlet port 128), a power outlet line 214 is connected from the AFLA's power outlet port 134 to the motor control unit 206, and power distribution lines 216 are connected from the motor control unit to each of the respective motor-propeller units 204 to supply power for operating the propellers to maintain flight during operation of the UAS 200. A safe outcome control line 218 can be connected from the AFLA's safe outcome control port 148 to the UAS's safe outcome device 210.
[0076] As best seen in FIG. 1, the AFLA's power system 122 and power outlet port 134 are operatively connected by the propulsion power line 130, and the internal flight termination device 132 (in this case an electrical relay) is operatively installed on the propulsion power line to operatively connect the power system to the power outlet port when the flight termination device is not activated (i.e., relay is closed) and to isolate the power system from the power outlet port when the flight termination device is activated (i.e., relay is open) due to receiving the "FLIGHT TERMINATE" signal from the terminate flight module 118. Referring again to FIG. 2, isolating the AFLA's power system 122 from the power outlet port 134 will isolate the connected UAS's propulsion components 204, 206 from the propulsion system battery 208, thereby ensuring the flight of the UAS 200 is immediately terminated when the "FLIGHT TERMINATE" signal is generated. Once the "FLIGHT TERMINATE" signal is received by the AFLA's initiate safe outcome module 120, a "SAFE OUTCOME" output is sent to the safe outcome control port 148, and thereby made available via the safe outcome control line 218 to a connected safe outcome device 210 to initiate a safe outcome, e.g., by launching the ballistic parachute to slow the descent of the UAS 200. As previously described, the SAFE OUTCOME signal output by the AFLA 100 is available to activate safe outcome devices and/or processes; however, the safe outcome device 210 is not part of the AFLA 100, but rather is a component of the UAS 200. The OEM of the UAS typically specifies the actual devices and/or processes that ensure the manner of safe outcome that is appropriate for their Operational Safety Case (OSC).
[0077] Referring now to FIG. 3, there is illustrated an assured flight limitation apparatus 100 attached to another UAS 300 in accordance with another aspect. The UAS 300 includes a body 202 mounting an electric propulsion system comprising multiple motor-propeller units 204, a motor control unit 206 and a propulsion battery 208. An AFLA 100 such as described in connection with FIG. 1 is installed on the body 302. In the illustrated embodiment, the AFLA 100 is mounted externally on the UAS body 302. The external mounting can be selectively removable in some embodiments, and permanently affixed in other embodiments. The UAS 300 further carries an external flight termination device 132' (i.e., external to the AFLA 100) and a safe outcome device 210. In some embodiments, the external flight limitation device 132' can be a remotely disposed component of the AFLA 100 (i.e., disposed away from the main unit, but still a part of the overall AFLA), whereas in other embodiments, the external flight limitation device 132' is actually a component of the UAS 300 that is configured for activation by the AFLA. As previously discussed, the safe outcome device 210 is not part of the AFLA 100, but rather is a component or system of the UAS 300.
[0078] A battery line 212 of the UAS's propulsion system is connected from the propulsion battery 208 to the external flight limitation device 132', a power outlet line 302 is connected from the flight limitation device 132' to the motor control unit 206, and power distribution lines 216 are connected from the motor control unit to each of the respective motor-propeller units 204 to supply power for operating the propellers to maintain flight during operation of the UAS 300. A flight termination control line 304 is connected from the AFLA's terminate flight outlet port 136 (see FIG. 1) to the external flight termination device 132' and a safe outcome control line 218 is connected from the AFLA's safe outcome control port 148 (see FIG. 1) to the UAS' s safe outcome device 210.
[0079] The OAS's battery line 212 and power outlet line 302 are operatively connected through the external flight termination device 132' to provide power to the propulsion system when the flight termination device is not activated. The flight termination device 132' is activated when it receives the "FLIGHT TERMINATE" signal from the flight termination control line 304 connected to the AFLA's terminate flight outlet port 136, thereby isolating the OAS's propulsion components 204, 206 from the propulsion system battery 208, thereby ensuring the flight of the UAS 300 is immediately terminated when the "FLIGHT ILRMINATE" signal is generated. Once the "FLIGHT TERMINATE" signal is generated by the AFLA 100, a "SAFE OUTCOME" signal is sent from the safe outcome control port 148 to the safe outcome device 210 of the UAS via the safe outlet control line 218. to initiate a safe outcome, e.g., by launching the ballistic parachute to slow the descent of the UAS 300. As previously discussed, the safe outcome device 210 is not part of the AFLA 100, but rather is a component or system of the UAS 300.
[0080] It will be appreciated by those skilled in the art having the benefit of this disclosure that the systems and apparatus for assured limitation of flight operations of unmanned aerial systems described herein provide many improvements over conventional systems. It should be understood that the drawings and detailed description herein are to be regarded in an illustrative rather than a restrictive manner, and are not intended to be limiting to the particular forms and examples disclosed. On the contrary, included are any further modifications, changes, rearrangements, substitutions, alternatives, design choices, and embodiments apparent to those of ordinary skill in the art, without departing from the spirit and scope hereof, as defined by the following claims. Thus, it is intended that the following claims be interpreted to embrace all such further modifications, changes, rearrangements, substitutions, alternatives, design choices, and embodiments.

Claims (15)

  1. WHAT IS CLAIMED IS: 1. An apparatus for assured limitation of flight operations of unmanned aerial systems (UAS), the UAS including a safe outcome system, the apparatus mountable on the UAS and comprising: a monitor subsystem including: an assured messaging module configured to receive a message from a Ground Control Station (GCS) and: determine when the message is received as intended, and send an assured messaging output signal only when the message is received as intended; and determine when the message is a remote flight termination message, and send a flight termination output signal only when the message is the remote flight termination message; a loss of communications detection module operatively attached to the assured messaging module to receive the assured messaging output signal, and configured to send a first output having a value of "SAFE" when the received assured messaging output signal is received; a remote flight termination module operatively attached to the assured messaging module to receive the remote flight termination message, and configured to send a second output having a value of "SAFE" when the received remote flight termination message is not received; a position geofencing module including a current position geofence defining one or more geofence boundary, the module operatively connected to at least one position sensor to receive successive position signals from the at least one position sensor, each respective successive position signal being indicative of the position of the UAS at a respective successive time, the position geofencing module further configured to: determine a current position, heading and horizontal speed of the UAS using the received successive position signals; determine an expected time Texp(P) until the UAS reaches the current position geofence boundary from the current position at the current heading and horizontal speed; and send a third output having a value of "SAFE" when the time Texp(P) is greater that a minimum position safe time Tmin(P); and an altitude fencing module including a current fence defining one or more altitude boundary, the module operatively connected to at least one altitude sensor to receive successive altitude signals from the at least one altitude sensor, each respective successive altitude signal being indicative of the altitude of the UAS at a respective successive time, the altitude fencing module further configured to: determine a current altitude and rate of climb or descent of the UAS using the received successive altitude signals; determine an expected time Texp(A) until the UAS reaches the current altitude fence boundary from the current altitude at the current rate of climb or descent; and send a fourth output having a value of "SAFE" when the time Texp(A) is greater that a minimum altitude safe time Tmin(A); and a safe flight termination subsystem, the safe flight termination subsystem including: a terminate flight module operatively connected to the monitor subsystem to receive the first, second, third and fourth outputs and configured to send a fifth output having a value of "FLIGHT TERMINATION" when any of the received first, second, third and fourth outputs does not have a value of "SAFE"; and an initiate safe outcome module operatively connected to the terminate flight module to receive the fifth output and configured to send a sixth output having a value of "SAFE OUTCOME" when the received fifth output has a value of "FLIGHT TERMINATION".
  2. 2. The apparatus of claim 1, wherein the fifth output sent by the terminate flight module is routed to at least one of the following: a flight termination device configured to terminate the flight of an attached UAS when the received fifth output has a value of "FLIGHT TERMINATION"; and a flight termination port configured for operable connection of the fifth output to an external flight termination device of the attached UAS, wherein the external flight termination device is configured to terminate the flight of the attached UAS when the received fifth output has a value of "FLIGHT TERMINATION".
  3. 3. The apparatus of claim 1, wherein the sixth output sent by the initiate safe outcome module is routed to a safe outcome control port configured for operable connection of the sixth output to an external safe outcome device of an attached UAS that is configured to initiate a safe outcome when the sixth output has a value of "SAFE OUTCOME".
  4. The apparatus of claim 1, further comprising: a power system including: a power inlet port configured to receive electric propulsion power from a propulsion power system of an attached UAS; a power outlet port configured to deliver the electric propulsion power to a propulsion system of the attached UAS: and a propulsion power line connected between the power inlet port and the power outlet port for carrying the electric propulsion power; and wherein a flight limitation device is operatively connected into the propulsion power line to selectively isolate the propulsion system of the attached UAS from the propulsion power system of the attached UAS to prevent a flow of electrical power therebetween when the received fifth output has a value of "FLIGHT TERMINATION".
  5. 5. The apparatus of claim 4, wherein the flight limitation device further comprises: an electrical relay configured to automatically enter a safe state when no value is received from the fifth output; and wherein the safe state of the electrical relay isolates the propulsion system of the attached UAS from the propulsion power system of the attached UAS to prevent a flow of electrical power therebetween.
  6. The apparatus of claim I, wherein the position geofencing module is further configured to: determine a current values of Texp(P) and Tmin(P); send to an external data port, a position geofencing advisory signal indicative of at least one of: a current value of Texp(P); and a current relative value (ratio) between Texp(P) and Tmin(P); wherein the external data port is configured for operative connection to an attached UAS to make the position geofencing advisory signal available to the attached UAS; and whereby a position geofencing advisory function is implemented.
  7. 7. The apparatus of claim 6, wherein the value of Tmin(P) used by the position geofencing module can be programmed with different values for different geographical areas.
  8. 8. The apparatus of claim 6, wherein the value of Tmin(P) used by the position geofencing module can be programmed with different values for different sections of a flight path.
  9. 9. The apparatus of claim 6, wherein the value of Tmin(P) used by the position geofencing module can be changed by receiving assured messages from a GCS.
  10. 10. The apparatus of claim 6, wherein the at least one position sensor is an offboard sensor able to track the position of the UAS comprising one of a ground based radar, a ground based camera and a ground based acoustic sensor; and wherein sensor inputs from the offboard sensor are received by the assured messaging module, sent to the position geofencing module, and used to determine the current position of the UAS.
  11. 1 I. The apparatus of claim I, wherein the altitude fencing module is further configured to: determine a current values of Texp(A) and Tmin(A); send to an external data port, an altitude geofence advisory signal indicative of at least one of a current value of Texp(A); and a current relative value (ratio) between Texp(A) and Tmin(A).wherein the external data port is configured for operative connection to an attached UAS to make an altitude fence advisory signal available to the attached UAS; and whereby an altitude fence advisory function is implemented.
  12. 12. The apparatus of claim I, further including a chassis supporting the monitoring subsystem and safe flight termination system for mounting on the UAS.
  13. 13. The apparatus of claim 1, further including an enclosure for enclosing the monitoring subsystem and safe flight termination system for mounting on the UAS.
  14. 14. A system for assured limitation of flight operations of unmanned aerial systems (UAS), the UAS including a safe outcome system, the system incorporated into the UAS and comprising: a loss of communications detection module operatively attached to an assured messaging module and configured to send a first output having a value of "SAFE" when an assured messaging output signal is received from the assured messaging module; a remote flight termination module operatively attached to the assured messaging module and configured to send a second output having a Value of -SAFE" when a remote flight termination message is not received the assured messaging module; a position geofencing module operatively connected to at least one position sensor to receive successive position signals from the at least one position sensor and configured to determine an expected time Texp(P) until the UAS reaches a current position geofence boundary from a current position at a current heading and horizontal speed using the successive position signals, and to send a third output having a value of "SAFE" when the time Texp(P) is greater that a minimum position safe time Tmin(P); and an altitude fencing module operatively connected to at least one altitude sensor to receive successive altitude signals from the at least one altitude sensor and configured to determine an expected time Texp(A) until the UAS reaches a current altitude fence boundary from the current altitude at a current rate of climb or descent, and to send a fourth output having a value of "SAFE" when the time Texp(A) is greater that a minimum altitude safe time Tmin(A); and a terminate flight module operatively connected to receive the first, second, third and fourth outputs and configured to send a fifth output having a value of "FLIGHT TERMINATION" when any of the received first, second, third and fourth outputs does not have a value of "SAFE".
  15. 15. The system of claim 14, further comprising an initiate safe outcome module operatively connected to receive the fifth output and configured to send a sixth output having a value of "SAFE OUTCOME" when the received fifth output has a value of "FLIGHT TERMINATION".
GB2303033.1A 2023-03-01 2023-03-01 System and apparatus for assured Limitation of flight operations of Unmanned Aerial Systems (UAS) Pending GB2628526A (en)

Priority Applications (3)

Application Number Priority Date Filing Date Title
GB2303033.1A GB2628526A (en) 2023-03-01 2023-03-01 System and apparatus for assured Limitation of flight operations of Unmanned Aerial Systems (UAS)
PCT/EP2024/055270 WO2024180190A1 (en) 2023-03-01 2024-02-29 System and apparatus for assured limitation of flight operations of unmanned aerial systems (uas)
AU2024230315A AU2024230315A1 (en) 2023-03-01 2024-02-29 System and apparatus for assured limitation of flight operations of unmanned aerial systems (uas)

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
GB2303033.1A GB2628526A (en) 2023-03-01 2023-03-01 System and apparatus for assured Limitation of flight operations of Unmanned Aerial Systems (UAS)

Publications (2)

Publication Number Publication Date
GB202303033D0 GB202303033D0 (en) 2023-04-12
GB2628526A true GB2628526A (en) 2024-10-02

Family

ID=85794006

Family Applications (1)

Application Number Title Priority Date Filing Date
GB2303033.1A Pending GB2628526A (en) 2023-03-01 2023-03-01 System and apparatus for assured Limitation of flight operations of Unmanned Aerial Systems (UAS)

Country Status (3)

Country Link
AU (1) AU2024230315A1 (en)
GB (1) GB2628526A (en)
WO (1) WO2024180190A1 (en)

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20160340049A1 (en) * 2015-05-18 2016-11-24 The Boeing Company Flight termination for air vehicles
US20170193827A1 (en) * 2015-12-30 2017-07-06 U.S.A. As Represented By The Administrator Of The National Aeronautics And Space Administration Assured Geo-Containment System for Unmanned Aircraft
US20170253345A1 (en) * 2016-03-07 2017-09-07 Cloud Cap Technology, Inc. Aircraft recovery systems
US20180017967A1 (en) * 2015-07-15 2018-01-18 Chiman KWAN High Performance System with Explicit Incorporation of ATC Regulations to Generate Contingency Plans for UAVs with Lost Communication
US20190129411A1 (en) * 2017-10-26 2019-05-02 9013733 Canada Inc. Flight termination system for unmanned aircraft systems
US20200202720A1 (en) * 2014-12-19 2020-06-25 Aerovironment, Inc. Supervisory safety system for controlling and limiting unmanned aerial system (uas) operations
US20200331618A1 (en) * 2015-10-14 2020-10-22 Flirtey Holdings, Inc. Parachute control system for an unmanned aerial vehicle

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105247593B (en) 2014-04-17 2017-04-19 深圳市大疆创新科技有限公司 Flight Controls in Restricted Areas

Patent Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20200202720A1 (en) * 2014-12-19 2020-06-25 Aerovironment, Inc. Supervisory safety system for controlling and limiting unmanned aerial system (uas) operations
US20160340049A1 (en) * 2015-05-18 2016-11-24 The Boeing Company Flight termination for air vehicles
US20180017967A1 (en) * 2015-07-15 2018-01-18 Chiman KWAN High Performance System with Explicit Incorporation of ATC Regulations to Generate Contingency Plans for UAVs with Lost Communication
US20200331618A1 (en) * 2015-10-14 2020-10-22 Flirtey Holdings, Inc. Parachute control system for an unmanned aerial vehicle
US20170193827A1 (en) * 2015-12-30 2017-07-06 U.S.A. As Represented By The Administrator Of The National Aeronautics And Space Administration Assured Geo-Containment System for Unmanned Aircraft
US20170253345A1 (en) * 2016-03-07 2017-09-07 Cloud Cap Technology, Inc. Aircraft recovery systems
US20190129411A1 (en) * 2017-10-26 2019-05-02 9013733 Canada Inc. Flight termination system for unmanned aircraft systems

Also Published As

Publication number Publication date
GB202303033D0 (en) 2023-04-12
AU2024230315A1 (en) 2025-09-25
WO2024180190A1 (en) 2024-09-06

Similar Documents

Publication Publication Date Title
US11886204B2 (en) Unmanned aerial vehicle and supervision method and monitoring system for flight state thereof
ES2272901T3 (en) EMERGENCY SECURITY CONTROL SYSTEM, PROCEDURE AND APPLIANCE FOR AIRCRAFT.
RU2318243C2 (en) System with aviation electronics device and ground-based station for controlling an aircraft which deviated from its route, and for emergency communication
US10745127B2 (en) Systems and methods for execution of recovery actions on an unmanned aerial vehicle
CN107074375B (en) Fail-safe aircraft monitoring and tracking
US20210263537A1 (en) Uav systems, including autonomous uav operational containment systems, and associated systems, devices, and methods
US9786188B2 (en) Safety motor controller for a vehicle
JP7616699B2 (en) Method and system for determining drone box location for landing and charging drones
CN105243878B (en) A kind of electron boundary device, unmanned flight's system and unmanned vehicle monitoring method
WO2021168347A1 (en) Uavs, including multi-processor uavs with secured parameters, and associated systems, devices, and methods
BR102016021336B1 (en) APPLIANCE FOR REPORTING STATUS INFORMATION FOR AN AIRCRAFT
US20180026705A1 (en) Communications system for use with unmanned aerial vehicles
CN108513640B (en) Control method of movable platform and movable platform
WO2016172251A1 (en) Systems and methods for execution of recovery actions on an unmanned aerial vehicle
CN106468775B (en) Aircraft tracking and equipment and installation method
US20160075445A1 (en) Aircraft comprising at least one emergency beacon, and such an emergency beacon
US11756439B2 (en) Method and system for avoiding mid-air collisions and traffic control
GB2628526A (en) System and apparatus for assured Limitation of flight operations of Unmanned Aerial Systems (UAS)
KR20170035801A (en) Controller for an aircraft tracker
CN106950993A (en) The controllable unmanned plane of headroom spatial domain flight path