(19)
(11)EP 3 564 882 A1

(12)EUROPEAN PATENT APPLICATION

(43)Date of publication:
06.11.2019 Bulletin 2019/45

(21)Application number: 19162369.3

(22)Date of filing:  15.11.2012
(51)International Patent Classification (IPC): 
G06Q 10/10(2012.01)
G06Q 50/26(2012.01)
B64C 39/02(2006.01)
G05D 1/10(2006.01)
G06Q 50/18(2012.01)
B64C 19/00(2006.01)
G05D 1/00(2006.01)
G06Q 30/00(2012.01)
(84)Designated Contracting States:
AL AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC MK MT NL NO PL PT RO RS SE SI SK SM TR

(30)Priority: 15.11.2011 US 201161560234 P

(62)Application number of the earlier application in accordance with Art. 76 EPC:
12849894.6 / 2780869

(71)Applicant: Insitu, Inc.
Bingen, WA 98605 (US)

(72)Inventors:
  • KNAPP, Jeffrey H.
    Hood River, OR 97031 (US)
  • TASKER, David
    Beaverton, OR 97007 (US)
  • VIVIANI, Gary Lee
    White Salmon, WA 98672 (US)

(74)Representative: Smith, Jeremy Robert et al
Kilburn & Strode LLP Lacon London 84 Theobalds Road
London WC1X 8NL
London WC1X 8NL (GB)

 
Remarks:
This application was filed on 12-03-2019 as a divisional application to the application mentioned under INID code 62.
 


(54)METHOD FOR LIMITING RANGE AND MONITORING PAYLOAD OF UNMANNED AERIAL VEHICLES


(57) The presently disclosed technology is directed to methods configured to satisfy a first set of export control regulations, such as those within the jurisdiction of one government entity or international body (e.g., the U.S. Department of Commerce) without falling within the purview of a second set of export control regulations, such as export control regulations within the jurisdiction of another government entity or international body (e.g., the U.S. Department of State). Through limited range of operation, limited payload types, limited capabilities, and tamper-proof or tamper-resistant features, embodiments of the unmanned vehicle system are designed to fall within the purview and under control of one agency and not within the purview and under control of another agency.


Description

CROSS-REFERENCE TO RELATED APPLICATIONS



[0001] This application claims the benefit of U.S. Patent Application No. 61/560,234, filed November 15, 2011, entitled CONTROLLED RANGE AND PAYLOAD FOR UNMANNED VEHICLES, AND ASSOCIATED SYSTEMS AND METHODS, which is herein incorporated by reference in its entirety. To the extent the foregoing application or any other material incorporated herein by reference conflict with the present disclosure, the present disclosure controls.

BACKGROUND



[0002] Unmanned systems (e.g., unmanned aerial or aircraft systems, unmanned ground systems, unmanned underwater systems) provide a low-cost and low-risk alternative to a variety of reconnaissance-type tasks performed by manned systems. Unmanned aircraft systems, for example, are used by TV news stations, by the film/television industry, the oil industry, for maritime traffic monitoring, border/shore patrol, civil disaster surveillance, drug enforcement activities, monitoring fleets of fish (e.g., tuna), etc. Law enforcement agencies use manned helicopters and airplanes as an integral part of their operations, but unmanned aircraft systems are starting to be used in a growing number of places. The uses for aviation equipment in law enforcement that can be filled by unmanned aerial systems include, for example:
  • Photographic uses,
  • Surveillance uses,
  • Routine patrol / support,
  • Fugitive searches,
  • Search and Rescue,
  • Pilot Training,
  • Drug Location / Interdiction,
  • SWAT operations, and
  • Firefighting / Support.


[0003] Table 1 provides statistics related to the use of aviation units by large law enforcement agencies with one hundred or more full time officers in the United States.
Table 1
Aviation Law Enforcement Statistics
Number of aviation units, US 2010
Rotary - median $/flt.hr. $168 (Maintenance) $45 (Fuel)
Fixed - median $/flt.hr. $54 (Maintenance) $74 (Fuel)
Unmanned   $1.79/hour


[0004] Unmanned systems can include a Global Positioning System (GPS) receiver to obtain adequate near real time position data to know where the system is, and calculate attitude with feedback information from solid-state rate gyros. Unmanned aerial systems capable of, for example, automated take-off/launch, flight via programmed way-points, and snag-type recovery have been developed that reduce the cost to own and operate when compared to human-operated aircraft (e.g., single-pilot fixed and rotor aircraft). Unmanned vehicles that are covered by the United States Munitions List (USML) are subject to export controls administered by the U.S. Department of State under the Arms Export Control Act and the International Traffic in Arms Regulations (ITAR) defined at 22 C.F.R. §§ 120-130. For example, the Missile Technology Control Regime ("MTCR") (See 22 C.F.R. § 121.16) defines two categories of unmanned air vehicles subject to State Department Control, each category subject to different export controls. "MTCR Category I" vehicles are those vehicles that 1) are capable of at least 300 km of autonomous flight and navigation and 2) can carry a payload of at least 500 kg. "MTCR Category II" vehicles are those vehicles that either 1) are capable of at least 300 km of autonomous flight and navigation or 2) can carry a payload of at least 500 kg. (See 22 C.F.R. § 121.16 (2011).) Commodities subject to export controls administered by other agencies (e.g., the U.S. Department of Commerce), such as unmanned air vehicles that are incapable of autonomous flight and navigation for 300 km or more and cannot carry a payload of 500 kg or more, are subject to less stringent export requirements.

BRIEF DESCRIPTION OF THE DRAWINGS



[0005] 

Figure 1 is a block diagram illustrating a control station configured in accordance with an embodiment of the disclosure.

Figure 2 is a block diagram illustrating subsystems of an unmanned aerial vehicle configured in accordance with an embodiment of the disclosure.

Figure 3 is a block diagram showing some of the components incorporated in associated computing systems in accordance with an embodiment of the disclosure.

Figure 4 is a flow diagram illustrating the processing of an "operate vehicle module" configured in accordance with particular embodiments of the disclosure.

Figures 5A-5B illustrate overall views of apparatuses and methods for capturing unmanned aircraft in accordance with an embodiment of the disclosure.

Figures 6A-6C illustrate an arrangement for launching an unmanned aircraft in accordance with an embodiment of the disclosure.


DETAILED DESCRIPTION



[0006] The presently disclosed technology is directed generally to unmanned vehicle systems and methods configured to satisfy certain restrictions. For example, the systems and methods can satisfy Commerce Department jurisdiction requirements without falling within the purview of State Department control. Through limited range of operation, limited payload types (e.g., surveillance equipment, munitions, insecticides or other materials for agricultural crops) and capabilities, and tamper-proof or tamper-resistant features, embodiments of the unmanned vehicle system are designed to fall within the purview and under control a first set of export control regulations or requirements, such as Export Administration Regulations ("EAR") overseen by the U.S. Commerce Department, and not within the purview and under control of a second set of export control regulations or requirements, such as MTCR, ITAR, and other State Department control thresholds. Disclosed techniques in accordance with particular embodiments provide protection against repurposing a vehicle as a weapons delivery device and repurposing a commercial vehicle for military or other operations by, for example, modifying operation of the vehicle (e.g., preventing vehicle systems from executing, preventing the vehicle from launching, preventing the vehicle's engine from starting) in response to detecting these conditions. Representative techniques can also provide protection against inflight handoff between ground controlling authorities, eavesdropping of available data streams, and so on by, for example, restricting use of commands for performing these functions. Although this disclosure discloses particular embodiments in the context of Category II vehicles by way of example, one skilled in the art will recognize that the disclosed techniques may be applied to Category I vehicles in addition to other vehicles or commodities that may be subject to varying sets of requirements.

I. System Design and Capabilities



[0007] In some embodiments, the unmanned vehicle has a low payload capability of 3.3 lbs., (1.5 Kg), a diameter of 7 inches, a length of 42 inches, a wingspan of 10 feet, an empty weight of 26 lbs, and a gross takeoff weight of 40 lbs. Furthermore, the unmanned vehicle's design and capabilities are based on its airframe structure electronics systems and software architecture, which includes trusted computing technologies, and are described in further detail below.

A. Airframe Structure



[0008] In certain embodiments, the aircraft structure, which comprises the fuselage, main wing box, wing skin sandwich panels, winglets, fuel tank, and internal brackets, is fabricated using, for example, low cost carbon fiber/epoxy materials, fiberglass, aluminum, or molded plastics based on considerations of size, weight, power, cost, etc. and hard-tool molding commercial techniques. Such techniques have been used in, for example, bicycle frame, snow-sport and water-sport equipment manufacturing.

B. Command and Control System and Software


1. Command and Control System



[0009] In certain embodiments, the electronic hardware and software of the unmanned vehicle are configured to limit range (distance from designated point, such as a point of origin or launch location), but not necessarily endurance (total distance traveled during a flight). For example, the range can be limited to 60 nautical miles from the operator control station (e.g., ground control base station or mobile control base station) using a radio transmitter and antenna gain combination that limits the maximum physical range of communication for the provided radio link on the aircraft to the control station antenna. Flight operation limits can be achieved through the physical limits of radio frequency command and control wireless data links coupled with software commands that prevent waypoint entry beyond the radial distance of 60 nautical miles. For example, aircraft mission management software can be configured to compare control station GPS location to aircraft GPS location to maintain radio-link margin distance at all times. In the case of a lost data or communication link, the aircraft can alter course to regain the lost data or communication link with a control station. If link interruption continues, the aircraft can return to the last known GPS position of the control station to execute flight termination or emergency landing procedures. In this embodiment, travel of the unmanned vehicle beyond 60 nautical miles causes the auto pilot to steer the unmanned vehicle toward the control station GPS location to secure communication. The software may also be configured to limit the range of the unmanned vehicle or return to base at or below the 299km distance from a launch location to meet MTCR requirements.

a. Navigation System



[0010] In some embodiments, to limit the operation of the unmanned vehicle, the unmanned vehicle is not equipped with a magnetic compass or accelerometers to estimate current altitude, speed, and direction. Instead, the unmanned vehicle can be equipped with a rudimentary navigation system. Without adequate GPS data, the unmanned vehicle cannot maintain a known navigation solution and will attempt to return to the control station or terminate travel based on one or more emergency procedure protocols known to those of ordinary skill in the art. For example, in the case of lost communications and/or lost GPS connectivity, the unmanned vehicle can deploy speed-reducing devices (e.g., parachutes or parafoils) and/or airbags and execute a spin-stall maneuver, causing the aircraft to tumble as slowly as possible to the ground. The unmanned vehicle's navigation protocol and emergency procedures are designed to prevent flight beyond the 60 nautical mile range of the Command and Control system. The unmanned vehicle may typically fly over uninhabited terrain at altitudes below 5,000 feet above the ground, thereby reducing the probability of human injury. The unmanned vehicle can be configured to tumble out of the sky using automatic auto rotation and/or automatic chute deployment in the case of lost communications and/or lost GPS connectivity.

[0011] In other embodiments, a collection of multiple control stations are available for communication with the unmanned vehicle system. For example, environment conditions (e.g., obstructions to line of sight) and communication systems may prevent the unmanned vehicle system from communicating with control stations beyond a certain distance, such as 60 nautical miles. In these embodiments, control stations and the unmanned vehicle system can perform a handoff procedure as the unmanned vehicle system approaches a specified distance (e.g., 60 nautical miles) from the control station with which the unmanned vehicle system is communicating to another control station so that the unmanned vehicle system can maintain control station connectivity and take advantage of a greater permissible range, such as 299 km from a launch location. The handoff procedure may be based on, for example, the type of vehicle and control station involved, the speed and/or direction of the vehicle and/or control station, the launch location or target of the vehicle, and so on. In this manner, the range of the unmanned vehicle can approach the "299 km from launch location" limit discussed above. However, embodiments of the system will prevent the aircraft from flying beyond the "299 km from launch location" limit discussed above. Furthermore, the aircraft can be configured to set a transponder to squawk an emergency code if the aircraft is approaching the edge of a navigation restriction zone or is within a predetermined distance (e.g., ten feet, 2000 feet, or one mile) from the edge.

[0012] In some embodiments, the unmanned vehicle system is configured to prevent flight beyond 60 nautical miles from the control station (e.g., ground control station) and/or 299 km from a launch location at least in part by:
  • establishing and confirming location of the Control Station,
  • maintaining an autopilot navigation solution without a GPS solution and switching to an Emergency Response Procedure, such as changing course to "dead reckon" toward the control station, maintaining level flight until a flight termination timer expires, executing a spin-stall maneuver to slowly descend from the sky, or establishing a GPS-based navigation solution,
  • limiting the Command & Control Data Link RF communication between the aircraft radio transmitter and the associated send/receive antenna for the control station. In the event that communication is lost, the unmanned vehicle will attempt to navigate toward the last known GPS coordinate location of the control station to achieve connection. If connection is not re-established, the unmanned vehicle will automatically navigate back to a predefined GPS location within 3 nautical miles of the control station for emergency landing.
  • Hard coded data entry configured to:
    • control emergency landing location to within, for example, 3 nautical miles of the control station,
    • prevent "hand-off' to alternate control stations, and
    • prevent way-point entry beyond a 60 nautical mile radius of the GPS coordinates for the control station.

b. Control Station and Unmanned Vehicle



[0013] In some embodiments, the control station and unmanned vehicle comprise computers, video monitors, hobby-market controllers for radio controlled hobby vehicles, keyboards, track-ball mouse, power cables and connectors and associated software.

[0014] In some embodiments, the control station and unmanned vehicle utilize Trusted Computing Group technologies modeled after implementations developed under the NSA High Assurance Platform (HAP) Program (see http://www.nsa.gov/ia/programs/h_a_p/index.shtml). The unmanned vehicle can use Trusted Platform Module (TPM) security chips, such as those provided by Infineon Technologies AG, that attest to or confirm the identity of the control station and the aircraft computer's identity and further confirm the integrity of the software running on each. Furthermore, computers within the unmanned vehicle system can use, for example, a National Institute of Standards and Technology (NIST) verified Trusted Operating System utilizing Trusted Boot to measure and attest to the boot measurements (e.g., system configuration measurements and diagnostics made at boot time) when appropriate. Remote confirmation verifies software state on client and remote machines. Trusted Computing technologies confirm that the unmanned vehicle is operating as expected based on its design (e.g., only authorized software is running on the vehicle) to ensure that the unmanned vehicle system remains compliant with Commerce Department export control requirements.

[0015] Trusted Computing technologies allow the unmanned vehicle to verify the integrity of sub-system components relative to initial configuration information. For example, at boot-time or during operation, a trusted component of the unmanned vehicle can verify that the unmanned vehicle is configured as originally designed by querying the various components for their identification and current configuration information. In this manner, the unmanned vehicle can ensure that it is equipped with components that do not render the unmanned vehicle subject to State Department export control. For example, system devices (avionics, radios, transponder, integrated flight controller, ground control station, etc.) are configured to include a software module and/or a hardware module that can publish an identification of that device and can certify identifications from some other device. In other words, one cannot, for example, swap in military mission components subject to ITAR control without causing system failures and rendering the system inoperable because the swapped-in components will have different identifications than the components of the vehicle in its initial configuration and the vehicle will not be permitted to, for example, operate, launch, accept input commands, transmit data, etc. Accordingly, an unmanned vehicle constructed and equipped to comply with Commerce Department export control requirements can be rendered inoperable after modification. In some embodiments, the unmanned vehicle may send a communication to a ground control station or satellite in response to determining that its configuration has changed.

[0016] In some embodiments, the unmanned vehicle includes a commercial Advanced Encryption Standard (AES)-256 Encrypted data interface in the onboard electronics and all data links between the unmanned vehicle and the control station. Encrypted data protocols will allow operators to maintain configuration control and limit device connection with specific encryption keys controlled by a central authority.

c. Tampering Prevention



[0017] In some embodiments, the hardware and software of the unmanned vehicle system are designed to prevent and/or detect tampering and provide security to the system. Trusted Platform Module (TPM) technology to be used in the unmanned vehicle system (e.g., Infineon Technologies, TPM Chip SLB9635T1.2, ECCN 5A992, TPM Professional Package (Software), ECCN 5D002) is controlled by the Commerce Department. In some embodiments, the unmanned vehicle may send a communication to a ground control station or satellite in response to detecting tampering. Design elements include, for example:
  • An Avionics Module containing: a) the commercial GPS receiver (e.g., Novetel OEMV-2-L1L2 GPS - ECCN No. 7A994); b) an Auto Pilot computer; and c) a regulated power conditioning system. These components can be factory sealed in the Avionics Module to prevent tampering. Data communication to and from the Avionics Module requires matching encryption keys to function. The avionics are factory-programmed using specific compiled code and Trusted Platform Module encryption techniques.
  • The Avionics Module is capable of factory-only programming and encryption key configuration. Updates to the software are limited to factory only upgrades of the Avionics Module.
  • For an unmanned aircraft, a tail-less design prevents over-flight weight or aircraft length modifications due to the physical limitation of flight envelope (Bernoulli principle). Without proper updates to the autopilot, stable flight is typically impossible within 30 seconds to 2 minutes. The time elapsed between stable and non-stable flight will depend on localized atmospherics, how much integration error the aircraft attitude algorithm has accumulated at the time the GPS is turned off, and the actual maneuver the aircraft is performing at the moment the GPS is turned off. For example, navigation direction is lost immediately when the aircraft does not have an on-board compass and GPS provides the only reference to Earth.


[0018] Sensors for the unmanned vehicle may include, for example, EAR99 (i.e., subject to Commerce Department export control) Electro-optical sensors to a commercial Sony Handycam®, LongWave Infrared Sensors, such as the Goodrich Aerospace Short Wave Infrared (SWIR).

2. Software



[0019] In some embodiments, the software of the unmanned vehicle system is written using C++ industry standard commercial language and development methodology. A modular system architecture allows feature sets of the vehicle control or control station software to be removed before compiling at the factory. Removal of features sets for the software assures the system operation is limited to the desired feature set. The feature set specific to the unmanned vehicle will be modules that are left out or added in when code is compiled and no source code or variable settings/switches will be available to the user. Moreover, human-readable characters may be removed from the code using, for example, a pre-parser. Further, the code may be subjected to obfuscation techniques or programs (See, e.g., www.preemptive.com/products/dotfuscator/overview).

[0020] In some embodiments, delivered unmanned vehicle hardware does not include programmable devices. Software and hardware upgrades to the unmanned vehicle are accomplished by delivering new hardware from the factory. Software and hardware features are limited to factory delivered configuration through the use of Trusted Computing technologies.

[0021] The control station hardware includes commercial off-the-shelf work stations and laptops using, for example, the MICROSOFT WINDOWS® operating system, which is recognized by industry as a trusted operating system allowing complete implementation of the Trusted Computing strategy applied to the unmanned vehicle system.

3. Representative Design Features:



[0022] Table 2 below identifies representative design features for several subsystems of an aircraft system configured in accordance with embodiments of the present technology.
Table 2
Navigation:
Range Restriction - ROM Chip Prevent vehicle from flying outside of a Latitude/Longitude box and prevent user from modifying the Latitude/Longitude box by, for example, burning the Latitude/Longitude box into a ROM chip.
Range Restriction - Expanding Box Prevent vehicle from flying outside of an expandable Latitude/Longitude box and prevent user from modifying the Latitude/Longitude box beyond a certain size.
Reduced Navigation Accuracy Limit the accuracy of the navigation system.
Flight Termination on High Speed Disable navigation system if vehicle exceeds a predetermined speed.
Limited Speed Prevent indicated airspeed from exceeding a defined threshold.
Server-Validated Flight Plans Software validates flight commands (flight plans, orbits, and recovery definitions) through a home server. The data is sent to the server, if it passes a given set of criteria it is encrypted with a Private Key and returned, requiring decryption with, for example, a public key.
Approved Flight Box A combination of the Latitude/Longitude box restriction and the Public/Private Key challenge and response.
Time Limited Approvals (Expiration) A combination of any of the Pub/Private key schemes, but the response has a time limit encoded into it. After the time limit expires, it will no longer be accepted.
Minimum Height Above Terrain Software will not command flight less than a predetermined altitude above the ground level (e.g., 200 ft) as reported by Digital Terrain Elevation Data (DTED).
Flight Termination on Engine Out Command a flight termination at current location if engine is not running.
Flight Termination on Low Altitude A combination of the DTED restriction and the engine out flight termination.
Homecoming-Near Launch Location Prevent a change to the home coming route if the terminal point is more than a predetermined distance from the launch location (e.g., 50 nautical miles).
COMMUNICATION:
Unique Radios Use radios which are not compatible with radios used in a vehicle subject to ITAR control (or other regulations).
PAYLOADS:
Payload Weight Restrictions Prevent operation if mass and center of gravity change.
Video to Fly Prevent operation if proper video signal is not detected because, for example, a video recorder has been removed.
DECODING / DATA ASSURANCE:
Potting Simplified Avionics The entire avionics unit is converted to single board and then potted, so as to make it impossible to add/remove/decode/modify any parts to unit.
Anti-Tamper-Avionics Any attempt to disassemble a section of the vehicle breaks it. Frangible connectors.
Anti-tamper-Elec Discharge Any attempt to disassemble a section of the vehicle breaks it. Charged capacitors that discharge into ICs if not opened correctly.
No Payload-Foam Fill Empty spaces in the vehicle are filled with unremovable foam/goo (so there is no place to add explosives).
Removed Screens Screens deemed unnecessary are hidden.
Single Programming -- All Prevent reprogramming of executables/param files in the field (e.g., burn once NVRAM).
HARDWARE / SYSTEM INTEGRITY:
Proprietary Connectors Use proprietary (or difficult-to-find/acquire) connectors to make it difficult to add/swap part.
Anti-Tamper-Unreadable FLASH Use hardware that prevents user from reading NVRAM/FLASH data (e.g., MPC-555).

C. General Electronics



[0023] In some embodiments, electronics used in the unmanned vehicle system include those derived from U.S. industrial and automotive grade components. For example, an auto-pilot system of the unmanned vehicle may include the Motorola/Freescale 555 processor, a widely used microprocessor in the automotive industry.

1. Circuit Cards



[0024] Circuit cards of the unmanned vehicle system can be designed by using IPC standard design and manufacturing standards commonly applied by the U.S. industry.

2. Propulsion System



[0025] The propulsion system of the unmanned vehicle can be based on publicly-available hobby aircraft 2-stroke technology (e.g., available 3W-Modellmotoren GmbH (3W Modern Motors) of Rödermark, Germany), commercially-available electric motor systems, commercially-available battery and/or fuel cell technologies, etc.

3. Generator



[0026] The electrical power system (e.g., the generator) of the unmanned vehicle can include, for example, a brushless electric motor, such as a Kollmorgen industrial brushless electric motor (EAR99) available from Kollmorgen of Radford, VA or a Kollmorgen authorized distributor.

II. Export Control Analysis


MTCR & ITAR



[0027] The disclosed unmanned vehicle is designed with limited capability so that it will not meet ITAR-control threshold criteria (e.g., range equal to or greater than 300 km), thereby not reaching the minimum threshold for State Department export control, thereby falling within the purview of and under control of the U.S. Commerce Department export control regulations.

[0028] As described in Section I, specific safeguards have been put in place to protect concerns of National Security and U.S. government military technologies. In particular embodiments, such safeguards, which were described in more detail in Section I, include:
  • Range Limited to less than 300 Km - The software and hardware will limit flight range to less than 300 Km from point of origin.
  • Trusted Computing Technologies - Tamper-proof and/or tamper-resistant technologies (endorsed by NIST) to maintain the as-delivered configuration of the unmanned vehicle and control station.
  • Commerce Controlled Components - Components of the unmanned vehicle and control station are traced to EAR control requirements (Commerce Depart export control).
  • Aircraft Limited Payload Capacity - The design and configuration of the aircraft limit payload capacity to less than 2 kilograms in particular embodiments.


[0029] One feature of embodiments of the present technology is that by constructing the unmanned vehicle without ITAR-controlled components and military capability, the unmanned vehicle will not require compliance with the ITAR controls for items covered under Category VIII of the U.S. Munitions List. Rather, the unmanned vehicle is designed to be controlled under the Commerce Control List (CCL), such as Export Control Classification Number (ECCN) 9A012, which covers non-military "unmanned aerial vehicle" (UAV) with Missile Technology (MT) and National Security (NS) reasons for control. An advantage of this feature is that it can expand commercial use of the vehicle without creating compliance issues with national security regulations. Many of the techniques used to implement this feature are directly contrary to features designed into conventional vehicles and in particular, conventional aircraft. For example, typical conventional aircraft are designed to maximize payload capacity and/or range while embodiments of the present technology are designed to deliberately limit either or both of the foregoing technical features and/or other technical features.

[0030] The computing devices on which the disclosed techniques may be implemented can include a central processing unit, memory, input devices (e.g., keyboard and pointing devices), output devices (e.g., display devices), and storage devices (e.g., disk drives). The memory and storage devices are computer-readable storage media that may be encoded with computer-executable instructions that implement the technology, which means a computer-readable storage medium that stores the instructions. In addition, the instructions, data structures, and message structures may be transmitted via a computer-readable transmission medium, such as a signal on a communications link. Thus, "computer-readable media" includes both computer-readable storage media for storing and computer-readable transmission media for transmitting. Additionally, data used by the facility may be encrypted. Various communications links may be used, such as the Internet, a local area network, a wide area network, a point-to-point dial-up connection, a cell phone network, wireless networks, and so on.

[0031] The disclosed technology may be described in the general context of computer-executable instructions, such as program modules, executed by one or more computers or other devices. Generally, program modules include routines, programs, objects, components, data structures, and so on that perform particular tasks or implement particular abstract data types. Typically, the functionality of the program modules may be combined or distributed as desired in various embodiments, including cloud-based implementations.

[0032] Many embodiments of the technology described herein may take the form of computer-executable instructions, including routines executed by a programmable computer. Those skilled in the relevant art will appreciate that aspects of the technology can be practiced on computer systems other than those shown and described herein. Embodiments of the technology may be implemented in and used with various operating environments that include personal computers, server computers, handheld or laptop devices, multiprocessor systems, microprocessor-based systems, programmable consumer electronics, digital cameras, network PCs, minicomputers, mainframe computers, computing environments that include any of the above systems or devices, and so on. Moreover, the technology can be embodied in a special-purpose computer or data processor that is specifically programmed, configured or constructed to perform one or more of the computer-executable instructions described herein. Accordingly, the terms "computer" or "system" as generally used herein refer to any data processor and can include Internet appliances and hand-held devices (including palm-top computers, wearable computers, cellular or mobile phones, multi-processor systems, processor-based or programmable consumer electronics, network computers, mini computers and the like). Information handled by these computers can be presented at any suitable display medium, including a CRT display, LCD, LED display, OLED display, and so on.

[0033] The technology can also be practiced in distributed environments, where tasks or modules are performed by remote processing devices linked through a communications network. In a distributed computing environment, program modules or subroutines may be located in local and remote memory storage devices. Aspects of the technology described herein may be stored or distributed on computer-readable media, including magnetic or optically readable or removable computer disks. Furthermore, aspects of the technology may be distributed electronically over networks. Data structures and transmissions of data particular to aspects of the technology are also encompassed within the scope of the technology.

[0034] Figure 1 is a block diagram illustrating a control station configured in accordance with particular embodiments. In this example, the control station includes a control station subsystem 110 communicatively-coupled to an antenna interface subsystem 120 and a control GPS interface 130. The control station subsystem 110 includes a video/data exploitation computer, a video antenna switch, an uninterruptible power supply (UPS), a trusted platform module, and an interface computer comprising one or more display screen(s), a keyboard interface, and a multifunction interface. The antenna interface subsystem 120, which is communicatively coupled to a command control and payload control antenna 125, includes an antenna control interface, a command/control transmitter/receiver, a video receiver, an antenna pointing control interface, and a power conditioning module. The command control and payload control antenna 125 includes frequency feed(s) and antenna pointing actuator(s). The control GPS interface 130 includes a GPS receiver, a GPS antenna interface, and a subsystem and control interface, and is communicatively coupled to a 2-channel GPS antenna 135.

[0035] Figure 2 is a block diagram illustrating subsystems an unmanned aerial vehicle configured in accordance with particular embodiments. In this example, the unmanned aerial vehicle includes an avionics subsystem 210 communicatively coupled to a left wing subsystem 220, a right wing subsystem 230, a payload subsystem 240, and a propulsion subsystem 250. The avionics subsystem 210 includes a GPS receiver and antenna, a data bus interface, a vehicle/subsystem control interface, a trusted platform module, and a mission computer/autopilot comprising airspeed sensors and rate gyros. The left wing subsystem 220 includes a command/control transmitter/receiver, a video transmitter, and control surface actuators. The right wing subsystem 230 includes a video transmitter, and control surface actuators. The payload subsystem 240 includes a payload/turret computer comprising rate gyros and turret axis drives, includes a sensor package comprising a focal plane and a lens assembly, and includes a trusted platform module. The propulsion subsystem 250 includes an engine management module, a generator and related interface, a throttle actuator, and a trusted platform module.

[0036] Figure 3 is a block diagram showing some of the components incorporated in associated computing systems in some embodiments. Computer system 300 comprises one or more central processing units ("CPUs") 301 for executing computer programs; a computer memory 302 for storing programs and data while they are being used; a persistent storage device 303, such as a hard drive for persistently storing programs and data; a computer-readable media drive 304, such as a CD-ROM drive, for reading programs and data stored on a computer-readable medium; and a network connection 305 for connecting the computer system to other computer systems, such as via the Internet. While computer systems configured as described above are suitable used to support the operation of the disclosed technology, those skilled in the art will appreciate that the techniques may be implemented using devices of various types and configurations. Moreover, communications to and from the CPU and on data buses and lines can be encrypted to protect against snooping of internal data.

[0037] Figure 4 is a flow diagram illustrating the processing of an "operate vehicle module" configured in accordance with particular embodiments of the disclosed technology. The module is invoked to perform vehicle operations based on an initial specification for a vehicle and the current configuration of the vehicle and its installed components. In block 405, the module receives an initial specification for the vehicle. The initial specification may include a list of all components installed on the vehicle and their state or configuration at the time of installation or delivery. For each installed component, the specification can include an indication of whether the component must be present to perform a particular operation. The initial specification may be encrypted and can be installed by the vehicle manufacturer or another party e.g., an explicitly authorized party. In block 410, the module receives a request to operate the vehicle, such as a request to change the speed of the vehicle, a request to modify a planned route for the vehicle (e.g., add or remove a waypoint from a flight plan), a request to change the direction of travel of the vehicle, and/or other requests. In block 415, the module identifies those components that must be present for the request to be granted by, for example, analyzing the initial specification. In block 420, the module loops through each of the identified components to determine whether they are present and properly configured. In decision block 425, if the component has already been selected then processing continues at block 430, else the module continues at decision block 435. In decision block 435, if the selected component is present, then the module continues at block 440, else the module continues at block 455. In block 440, the module retrieves the current configuration information for the selected component. In decision block 445, if the current configuration information for the selected component is different from the configuration information specified in the initial specification, then the module loops back to block 420 to select the next component, else the module continues at decision block 450. In decision block 450, if the change is acceptable then the module loops back to block 420 to select the next component, else the module continues at block 455. For example, if the initial specification indicates that an acceptable payload is 1.4kg +/- 0.2kg and the payload has changed from 1.3kg to 1.5kg, the module will determine this change to be acceptable. In this manner, the module can determine whether a current configuration for a vehicle is consistent with an initial configuration of the vehicle in determining whether to grant or deny a request. In block 430, the module grants the request, thereby allowing the requested operation to occur and then completes processing. In block 455, the module denies the request and then completes processing. In some cases, the module may perform additional actions when denying a request, such as sending out an emergency signal, sending a notification to a ground control station or another vehicle, safely rendering the vehicle inoperable, and so on.

[0038] Figures 5A-5B illustrate overall views of representative apparatuses and methods for capturing unmanned aircraft in accordance with embodiments of the disclosure. Representative embodiments of aircraft launch and capture techniques are also disclosed in U.S. Patent Application No. 11/603,810, filed November 21, 2006, entitled METHODS AND APPARATUSES FOR LAUNCHING UNMANNED AIRCRAFT, INCLUDING RELEASABLY GRIPPING AIRCRAFT DURING LAUNCH AND BREAKING SUBSEQUENT GRIP MOTION (now U.S. Patent No. 7,712702) and U.S. Patent Application No. 13/483,330, filed May 30, 2012, entitled LINE CAPTURE DEVICES FOR UNMANNED AIRCRAFT, AND ASSOCIATED SYSTEMS AND METHODS, each of which is herein incorporated by reference in its entirety. Beginning with Figure 5A, a representative unmanned aircraft 510 can be captured by an aircraft handling system 500 positioned on a support platform 501. In one embodiment, the support platform 501 can include a boat, ship, or other water vessel 502. In other embodiments, the support platform 501 can include other structures, including a building, a truck or other land vehicle, or an airborne vehicle, such as a balloon. In many of these embodiments, the aircraft handling system 500 can be configured solely to retrieve the aircraft 510 or, in particular embodiments, it can be configured to both launch and retrieve the aircraft 510. The aircraft 510 can include a fuselage 511 and wings 513 (or a blended wing/fuselage), and is propelled by a propulsion system 512 (e.g., a piston-driven propeller).

[0039] Referring now to Figure 5B, the aircraft handling system 500 can include a recovery system 530 integrated with a launch system 570. In one aspect of this embodiment, the recovery system 530 can include an extendable boom 531 having a plurality of segments 532. The boom 531 can be mounted on a rotatable base 536 or turret for ease of positioning. The segments 532 are initially stowed in a nested or telescoping arrangement and are then deployed to extend outwardly as shown in Figure 5B. In other embodiments, the extendable boom 531 can have other arrangements, such as a scissors arrangement, a parallel linkage arrangement or a knuckle boom arrangement. In any of these embodiments, the extendable boom 531 can include a recovery line 533 extended by gravity or other forces. In one embodiment, the recovery line 533 can include 0.25 inch diameter polyester rope, and in other embodiments, the recovery line 533 can include other materials and/or can have other dimensions (e.g., a diameter of 0.3125 inch). In any of these embodiments, a spring or weight 534 at the end of the recovery line 533 can provide tension in the recovery line 533. The aircraft handling system 500 can also include a retrieval line 535 connected to the weight 534 to aid in retrieving and controlling the motion of the weight 534 after the aircraft recovery operation has been completed. In another embodiment, a different recovery line 533a (shown in dashed lines) can be suspended from one portion of the boom 531 and can attach to another point on the boom 531, in lieu of the recovery line 533 and the weight 534.

[0040] In one aspect of this embodiment, the end of the extendable boom 531 can be positioned at an elevation E above the local surface (e.g., the water shown in Figure 5B), and a distance D away from the nearest vertical structure projecting from the local surface. In one aspect of this embodiment, the elevation E can be about 15 meters and the distance D can be about 10 meters. In other embodiments, E and D can have other values, depending upon the particular installation. For example, in one particular embodiment, the elevation E can be about 17 meters when the boom 531 is extended, and about 4 meters when the boom 531 is retracted. The distance D can be about 8 meters when the boom 531 is extended, and about 4 meters when the boom 531 is retracted. In a further particular aspect of this embodiment, the boom 531 can be configured to carry both a vertical load and a lateral load via the recovery line. For example, in one embodiment, the boom 531 can be configured to capture an aircraft 510 having a weight of about 30 pounds, and can be configured to withstand a side load of about 400 pounds, corresponding to the force of the impact between the aircraft 510 and the recovery line 533 with appropriate factors of safety.

[0041] Figure 6A illustrates a launch system 610 having a launch guide 640 and a carriage 620 that together accelerate and guide an aircraft 650 along an initial flight path 611 at the outset of a flight. The launch guide 640 can include a support structure 641 carrying a first or upper launch member 642 (e.g., a track) and a second or lower launch member 643, both of which are generally aligned with the initial flight path 611. The support structure 641 can be mounted to a vehicle (e.g., a trailer or a boat) or to a fixed platform (e.g., a building). Portions of the first launch member 642 and the second launch member 643 can be non-parallel to each other (e.g., they can converge in a direction aligned with the initial flight path 611) to accelerate the carriage 620, as described below.

[0042] The carriage 620 can include a gripper 680 having a pair of gripper arms 681 that releasably carry the aircraft 650. The carriage 620 can also include a first or upper portion 622 and a second or lower portion 623, each of which has rollers 621 (shown in hidden lines in Figure 6A). The rollers 621 can guide the carriage 620 along the launch members 642, 643 while the carriage portions 622, 623 are driven toward each other. Accordingly, normal forces applied to the rollers 621 can drive the rollers 621 against the launch members 642, 643, drive the carriage portions 622, 623 together, and drive the carriage 620 forward, thereby accelerating the aircraft 650 to flight speed.

[0043] An actuator 613 can be linked to the carriage 620 to provide the squeezing force that drives the carriage portions 622, 623 toward each other and drives the carriage 620 along the launch guide 640. Many actuators 613 that are configured to release energy fast enough to launch the aircraft 650 also have a spring-like behavior. Accordingly, the actuators 613 tend to exert large forces at the beginning of a power stroke and smaller forces as the power stroke progresses and the carriage 620 moves along the launch guide 640. An embodiment of the system 610 shown in Figure 6A can compensate for this spring-like behavior by having a relative angle between the first launch member 642 and the second launch member 643 that becomes progressively steeper in the launch direction. In one example, the force provided by the actuator 613 can decrease from 6000 lbs to 3000 lbs as the carriage 620 accelerates. Over the same distance, the relative slope between the first launch member 642 and the second launch member 643 can change from 6:1 to 3:1. Accordingly, the resulting thrust imparted to the carriage 620 and the aircraft 650 can remain at least approximately constant.

[0044] At or near a launch point L, the carriage 620 reaches the launch speed of the aircraft 650. The first launch member 642 and the second launch member 643 can diverge (instead of converge) forward of the launch point L to form a braking ramp 644. At the braking ramp 644, the carriage 620 rapidly decelerates to release the aircraft 650. The carriage 620 then stops and returns to a rest position at least proximate to or coincident with the launch position L.

[0045] In one embodiment, the actuator 613 includes a piston 614 that moves within a cylinder 615. The piston 614 is attached to a flexible, elongated transmission element 616 (e.g., a rope or cable) via a piston rod 617. The transmission element 616 can pass through a series of guide pulleys 645 (carried by the launch guide 640) and carriage pulleys 624 (carried by the carriage 620). The guide pulleys 645 can include first guide pulleys 645a on a first side of the support structure 641, and corresponding second guide pulleys 645b on a second (opposite) side of the support structure 641. The carriage pulleys 624 can also include first carriage pulleys 624a on a first side of the carriage 620 and second pulleys 624b on a second (opposite) side of the carriage 620. One or more equalizing pulleys 646, located in a housing 647 can be positioned between (a) the first guide pulleys 645a and the first carriage pulleys 624a on the first side of the support structure 641, and (b) the second guide pulleys 645b and the second carriage pulleys 624b on the second side of the support structure 641.

[0046] In operation, one end of the transmission element 616 can be attached to the first side of the support structure 641, laced through the first pulleys 645a, 624a, around the equalizing pulley(s) 646, and then through the second pulleys 645b, 624b. The opposite end of the transmission element 616 can be attached to the second side of the support structure 641. The equalizing pulley(s) 646 can (a) guide the transmission element 616 from the first side of the support structure 641 to the second side of the support structure 641, and (b) equalize the tension in the transmission element 616 on the first side of the support structure 641 with that on the second side of the support structure 641.

[0047] When the transmission element 616 is tensioned, it squeezes the carriage portions 622, 623 together, forcing the carriage 620 along the converging launch members 642, 643. The carriage pulleys 624 and the rollers 621 (which can be coaxial with the carriage pulleys 624) are secured to the carriage 620 so that the carriage 620 rides freely along the initial flight path 611 of the aircraft 650 as the carriage portions 622, 623 move together.

[0048] Figure 6B illustrates the launch of the carriage 620 in accordance with an embodiment of the disclosure. The carriage 620 is held in place prior to launch by a trigger device 639, e.g., a restraining shackle. When the trigger device 639 is released, the carriage 620 accelerates along the launch members 642, 643, moving from a first launch carriage location to a second launch carriage location (e.g., to the launch point L). At the launch point L, the carriage 620 achieves its maximum velocity and begins to decelerate by rolling along the braking ramp 644. In this embodiment, one or more arresting pulleys 648 can be positioned along the braking ramp 644 to intercept the transmission element 616 and further decelerate the carriage 620.

[0049] As shown in Figure 6C, once the carriage 620 begins to decelerate along the braking ramp 644, the aircraft 650 is released by the gripper arms 681. Each gripper arm 681 can include a forward contact portion 682a and an aft contact portion 682b configured to releasably engage a fuselage 651 of the aircraft 650. Accordingly, each contact portion 682 can have a curved shape so as to conform to the curved shape of the fuselage 651. In other embodiments, the gripper arms 681 can engage different portions of the aircraft 650 (e.g., the wings 652). Each gripper arm 681 can be pivotably coupled to the carriage 620 to rotate about a pivot axis P. The gripper arms 681 can pivot about the pivot axes P to slightly over-center positions when engaged with the aircraft 650. Accordingly, the gripper arms 681 can securely grip the fuselage 651 and resist ambient windloads, gravity, propeller thrust (e.g., the maximum thrust provided to the aircraft 650), and other external transitory loads as the carriage 620 accelerates. In one aspect of this embodiment, each pivot axis P is canted outwardly away from the vertical. As described in greater detail below, this arrangement can prevent interference between the gripper arms 681 and the aircraft 650 as the aircraft 650 is launched.

[0050] At least a portion of the mass of the gripper arms 681 can be eccentric relative to the first axis P. As a result, when the carriage 620 decelerates, the forward momentum of the gripper arms 681 causes them to fling open by pivoting about the pivot axis P, as indicated by arrows M. The forward momentum of the gripper arms 681 can accordingly overcome the over-center action described above. As the gripper arms 681 begin to open, the contact portions 682a, 682b begin to disengage from the aircraft 650. In a particular aspect of this embodiment, the gripper arms 681 pivot downwardly and away from the aircraft 650.

[0051] From the foregoing, it will be appreciated that specific embodiments of the technology have been described herein for purposes of illustration, but that various modifications may be made without deviating from the disclosure. For example, the unmanned vehicle system can include additional components or features, and/or different combinations of the components or features described herein. While particular embodiments of the technology were described above in the context of ITAR, MTCR, and EAR regulations, other embodiments using generally similar technology can be used in the context of other regulations. Such regulations may vary from one jurisdiction (e.g., national or regional jurisdictions) to another. Additionally, while advantages associated with certain embodiments of the new technology have been described in the context of those embodiments, other embodiments may also exhibit such advantages, and not all embodiments need necessarily exhibit such advantages to fall within the scope of the technology. Accordingly, the disclosure and associated technology can encompass other embodiments not expressly shown or described herein.

[0052] The disclosure comprises the following items:

Item 1. A method, performed by a computing system of an unmanned aerial vehicle, for ensuring that the unmanned aerial vehicle complies with specified export control requirements throughout the operation of the unmanned aerial vehicle, the method comprising:

storing an indication of an initial specification of the unmanned aerial vehicle, the initial specification of the unmanned aerial vehicle specifying initial configuration information and an identification for each of a plurality of tamper-resistant trusted components of the unmanned aerial vehicle, wherein the initial configuration of the unmanned aerial vehicle is in compliance with the specified export control requirements and wherein at least one of the trusted components is configured to ensure that the range of the unmanned aerial vehicle does not exceed a predetermined distance;

in response to receiving a request to operate the unmanned aerial vehicle, for each of the plurality of trusted components of the unmanned aerial vehicle,

querying the trusted component for current configuration information, wherein communication with the trusted component is encrypted,

in response to determining that the trusted component is not present within the unmanned aerial vehicle, modifying the operation of the unmanned aerial vehicle, and

in response to determining that the configuration of the trusted component has been modified since the initial specification was stored, modifying the operation of the unmanned aerial vehicle;

in response to receiving a command from a control station, ignoring the received command in response to determining that the control station is not a trusted control station;

in response to determining that the unmanned aerial vehicle is at least a predetermined distance from a launch location, modifying the path of the unmanned aerial vehicle; and

in response to determining that communication between the unmanned aerial vehicle and a control station has been lost, modifying the path of the unmanned aerial vehicle.

Item 2. The method of item 1 wherein the specified export control requirements are administered by the U.S. Department of Commerce.

Item 3. The method of item 1 wherein the unmanned vehicle is not subject to export control requirements defined by the International Traffic in Arms Regulations. Item 4. The method of item 1 wherein the unmanned vehicle is not a vehicle defined by the Missile Technology Control Regime of the International Traffic in Arms Regulations.

Item 5. The method of item 1 wherein at least one of the trusted components is configured to ensure that the payload of the unmanned aerial vehicle cannot operate when its payload exceeds a predetermined weight.

Item 6. The method of item 1, further comprising:
in response to determining that the speed of the unmanned aerial vehicle is in excess of a predetermined threshold, disabling a navigation system of the unmanned aerial vehicle.

Item 7. The method of item 1 wherein at least one of the trusted components is configured to ensure that the altitude of the unmanned aerial vehicle exceeds a predetermined threshold while the unmanned aerial vehicle is not taking off and not landing.

Item 8. The method of item 1 wherein modifying the operation of the unmanned aerial vehicle comprises disabling a launch of the unmanned aerial vehicle.

Item 9. The method of item 1 wherein modifying the operation of the unmanned aerial vehicle comprises executing a spin-stall maneuver.

Item 10. The method of item 1 wherein modifying the operation of the unmanned aerial vehicle comprises disabling a navigation system of the unmanned aerial vehicle.

Item 11. An unmanned vehicle comprising:

a memory configured to store initial configuration information for each of a plurality of tamper-proof trusted components of the unmanned aerial vehicle having an initial configuration that is in compliance with specified export control requirements; and

a system verification component configured to, for each of the trusted components,

query the trusted component for current configuration information, receive the current configuration information, and

disable the unmanned aerial vehicle in response to determining that the current configuration information is different from the initial configuration information.

Item 12. The unmanned vehicle of item 11 wherein the unmanned vehicle is not subject to export control requirements defined by the International Traffic in Arms Regulations.

Item 13. The unmanned vehicle of item 11 wherein the unmanned vehicle is not a vehicle defined by the Missile Technology Control Regime of the International Traffic in Arms Regulations.

Item 14. The unmanned vehicle of item 11 wherein at least one of the trusted components is configured to ensure that the range of the vehicle does not exceed a predetermined distance.

Item 15. A computer-readable storage medium storing instructions that, if executed by a computing system, cause the computing system to perform operations comprising:

storing an indication of an initial specification of a vehicle that, at the time of an initial configuration, is in compliance with specified control requirements;

in response to receiving a request to operate the vehicle, for each of the plurality of trusted components of the vehicle,

querying the trusted component for current configuration information, wherein communication with the trusted component is encrypted,

in response to determining that the trusted component is not present within the vehicle, denying the request to operate the vehicle, and

in response to determining that the configuration of the trusted component has been modified since the initial specification was stored, denying the request to operate the vehicle.

Item 16. The computer-readable storage medium of item 15 wherein at least one of the trusted components is configured to ensure that the range of the vehicle does not exceed a predetermined distance.

Item 17. The computer-readable storage medium of item 15, wherein the operations further comprise:
in response to receiving a request to operate the vehicle, for each of the plurality of trusted components of the vehicle,

in response to receiving a command from a control station, ignoring the received command in response to determining that the control station is not a trusted control station, and

in response to determining that the vehicle is at least a predetermined distance from a launch location, modifying the path of the vehicle.

Item 18. The computer-readable storage medium of item 15, wherein the operations further comprise:

receiving a plurality of points, each point having an associated latitude and longitude;

identifying an area defined by the received plurality of points; and

preventing the vehicle from traveling outside of the area defined by the received plurality of points.

Item 19. The computer-readable storage medium of item 18, wherein the operations further comprise:
in response to determining that the vehicle is within a predetermined distance from an edge of the area defined by the received plurality of points, broadcasting an emergency code.

Item 20. The computer-readable storage medium of item 19 wherein at least a first trusted component of the plurality of trusted components of the vehicle is a software module and wherein at least a second trusted component of the plurality of trusted components of the vehicle is a hardware module.

Item 21. A method, performed by a computing system, for ensuring that an unmanned aerial vehicle complies with specified export control requirements throughout the operation of the unmanned aerial vehicle, the method comprising:
for each of a plurality of the export control requirements,

determining a threshold value associated with the export control requirement, and

installing a component on the unmanned aerial vehicle configured to ensure that the unmanned aerial vehicle cannot be operated when an attribute of the unmanned aerial vehicle violates the threshold value associated with the export control requirement.

Item 22. The method of item 21 wherein a first export control requirement has an associated threshold range value and wherein installing a component for the first export control requirement comprises installing a component configured to ensure that the unmanned aerial vehicle cannot be operated when the distance of the unmanned aerial vehicle from a launch point exceeds the threshold range value.




Claims

1. A method, performed by a computing system (300) of an unmanned aerial vehicle, for ensuring that the unmanned aerial vehicle complies with specified export control requirements throughout the operation of the unmanned aerial vehicle, the method comprising:

storing an indication of an initial specification of the unmanned aerial vehicle, the initial specification of the unmanned aerial vehicle specifying initial configuration information and an identification for each of a plurality of tamper-resistant trusted components of the unmanned aerial vehicle, wherein the initial configuration of the unmanned aerial vehicle is in compliance with the specified export control requirements and wherein at least one of the trusted components is configured to ensure that the range of the unmanned aerial vehicle does not exceed a predetermined distance;

determining the distance of the unmanned aerial vehicle from a launch location;

if the determination is that the unmanned aerial vehicle is at least a predetermined distance from the launch location, in response to determining that the unmanned aerial vehicle is at least the predetermined distance from the launch location, modifying the operation of the unmanned aerial vehicle by modifying the path of the unmanned aerial vehicle.


 
2. The method of claim 1 comprising:

receiving a command from a control station;

determining whether the control station is a trusted control station;

if the determination is that the control station is not a trusted control station, in response to determining that the control station is not a trusted control station, modifying the operation of the unmanned aerial vehicle by ignoring the received command.


 
3. The method of any preceding claim comprising:

determining whether communication between the unmanned aerial vehicle and a control station has been lost; and

if the determination is that communication between the unmanned aerial vehicle and the control station has been lost, in response to determining that communication between the unmanned aerial vehicle and the control station has been lost, modifying the operation of the unmanned aerial vehicle by modifying the path of the unmanned aerial vehicle.


 
4. The method of any preceding claim comprising:

receiving (410) a request to operate the unmanned aerial vehicle;

in response to receiving the request to operate the unmanned aerial vehicle, for each of the plurality of trusted components of the unmanned aerial vehicle:

determining (435) whether the component of the plurality of the trusted components is present within the unmanned aerial vehicle;

if the determination is that the component of the plurality of the trusted components is not present within the unmanned aerial vehicle, in response to determining that the component of the plurality of trusted components is not present within the unmanned aerial vehicle, modifying (455) the operation of the unmanned aerial vehicle; and

if the determination is that the component of the plurality of the trusted components is present within the unmanned aerial vehicle, in response to determining that the component of the plurality of trusted components is present within the unmanned aerial vehicle:

querying (440) the component of the plurality of trusted components for current configuration information, wherein communication with the component of the plurality of trusted components is encrypted;

determining (445) whether the current configuration information of the component of the plurality of trusted components has been modified since the initial specification was stored; and

if the determination is that the configuration of the component of the plurality of trusted components has been modified since the initial specification was stored, in response to determining that the configuration of the component of the plurality of trusted components has been modified since the initial specification was stored, modifying the operation of the unmanned aerial vehicle.


 
5. The method of any preceding claim, wherein the specified export control requirements include one or more of: the unmanned aerial vehicle being incapable of autonomous flight and navigation for less than 300 km; and a payload capacity of the unmanned aerial vehicle of less than 500 kg.
 
6. The method of any preceding claim, wherein at least one of the trusted components is configured to render the unmanned aerial vehicle inoperable when a payload of the unmanned aerial vehicle exceeds a predetermined weight.
 
7. The method of any preceding claim, further comprising:
in response to determining that the speed of the unmanned aerial vehicle is in excess of a predetermined threshold, disabling a navigation system of the unmanned aerial vehicle.
 
8. The method of any preceding claim, wherein at least one of the trusted components is configured to ensure that the altitude of the unmanned aerial vehicle exceeds a predetermined threshold while the unmanned aerial vehicle is not taking off and not landing.
 
9. The method of any preceding claim, wherein modifying the operation of the unmanned aerial vehicle comprises disabling a launch of the unmanned aerial vehicle.
 
10. The method of any preceding claim, wherein modifying the operation of the unmanned aerial vehicle comprises executing a spin-stall maneuver.
 
11. The method of any preceding claim, wherein modifying the operation of the unmanned aerial vehicle comprises disabling a navigation system of the unmanned aerial vehicle.
 
12. A computing system of an unmanned aerial vehicle, the computing system being configured to carry out the method of any preceding claim.
 
13. A computer-readable storage medium storing instructions that, if executed by a computing system, cause the computing system to perform operations according to the method of any one of claims 1 to 11.
 




Drawing

























Search report









Search report




Cited references

REFERENCES CITED IN THE DESCRIPTION



This list of references cited by the applicant is for the reader's convenience only. It does not form part of the European patent document. Even though great care has been taken in compiling the references, errors or omissions cannot be excluded and the EPO disclaims all liability in this regard.

Patent documents cited in the description