WO2005017672A2 - Apparatus, system and method for aircraft security and anti-hijacking intervention - Google Patents

Abstract

A security mechanism identifies users, so as to restrict access and operation to authorized users, such as to persons authorized to access and fly a particular aircraft. The security mechanism comprises one or more security devices to identify the user attempting to gain access or operate the controller; and one or more monitoring devices to determine whether or not the user identified is authorized to have access or operate the controller. Methods of safely operating aircraft are also described. The methods include protocols for limiting access to the aircraft and assuming remote control of the aircraft if a possibly hostile situation is detected.

Description

APPARATUS, SYSTEM AND METHOD FOR AIRCRAFT SECURITY AND ANTI- HIJACKING INTERVENTION

FIELD OF THE INVENTION The present invention relates generally to security mechanisms and methods, and more particularly to aircraft security mechanisms and methods.

BACKGROUND OF THE INVENTION The airline industry has, for over half a century, transported large volumes of travelers on a daily basis to destinations around the world. One of the primary concerns of the airline industry during this time period has been to maintain the safety of its passengers and aircraft. Over time, the general public, and most airline passengers, developed a positive feeling for airline safety. Statistically speaking, air travel has been considered safer than other presumably safe activities; for example, routinely there have been more people involved in auto or gun related accidents or fires than people involved in aircraft related accidents. The occasional liijacking was not considered a major threat, as most ended without passenger casualties or damage to aircraft.

The attitude toward air travel forever changed on the morning of Sep. 11, 2001, when the World Trade Center in New York, NY and the Pentagon in Washington, D.C. became the objects of a terrorist attack of previously unimaginable proportions. On that day, hijackers took over control of four separate aircraft and then managed to personally fly three of those as weapons of mass murder into the buildings, destroying the buildings, surrounding buildings and all three aircraft. The fourth plane crashed into an open field just outside of Pittsburgh following a valiant struggle by passengers to recapture the plane. Tragically, all passengers on all four planes and several thousand people on the ground died that day. Following the aftermath of "911", there is now a greater emphasis than ever before on improving airline security to try to prevent hijacking of aircraft. Much of the efforts have been directed to reducing the chances that a successful hijacking may occur, such as by instituting more stringent searches at check-in, by placing armed marshal on flights and by better securing the door separating the passenger and cockpit areas of the plane. These efforts, however, have done little to address the source of the problem, which is hijackers taking over control of an aircraft. In view of which, there is seen a need to improve the manner by which the occurrences of hijacking on aircraft can be reduced.

SUMMARY OF THE INVENTION In accordance with the present invention, an embodiment comprises a security mechanism for identifying individuals, so as to restrict operation to only those authorized, such as to persons authorized to fly a given aircraft. The security mechanism comprises a controller operable by a user; one or more security devices to identify the user attempting to operate the controller; and one or more monitoring devices to determine whether or not the user identified is authorized to operate the controller.

The invention also relates to methods of safely operating aircraft, including methods by which automated or remote control can be assumed in the event of a possibly hostile situation. The invention also relates to methods of limiting access to aircraft, authenticating individuals requesting access to aircraft and categorizing individuals who are given access to aircraft.

BRIEF DESCRIPTION OF THE DRAWINGS Fig. 1 is a block diagram of an embodiment of a security system in accordance with the present invention.

Fig. 2 is a partial schematic, partial block diagram of the system of fig. 1. Fig, 3 is a further exemplary embodiment of a controller of fig. 2.

Fig. 4 is a block diagram of an exemplary application of the system of fig. 1.

Fig. 5 is a flowchart showing a method of safely operating an aircraft according to an embodiment of the invention.

Fig. 6 is a flowchart representing a method of avoiding prohibited airspace according to an embodiment of the invention.

Fig. 7 is a flowchart representing a method of limiting and recording access to an aircraft prior to takeoff. Fig. 8 is a flowchart representing a method of loading cargo onto an aircraft according to an embodiment of the invention.

Fig. 9 is a flowchart representing a method of authenticating individuals prior to permitting access to an aircraft according to an embodiment of the invention. Fig. 10 is a flowchart representing a method of categorizing individuals who are requesting access to an aircraft or a portion of an aircraft according to an embodiment of the invention.

DESCRIPTION OF THE INVENTION In accordance with embodiments of the present invention, apparatus, systems and methods are disclosed for restricting access to and the operation of an aircraft, vehicle or other device or system to only authorized personnel. In general, as shown in fig. 1, for the purpose of restricting operation of the aircraft, a controller 112 is provided operable by a user, one or more security devices 114, such as biometric readers, is provided associated with the controller 112, one or more monitoring systems 116, such as a computer, is provided in coirimunication with the security devices 114 and one or more control mechanisms 118 is provided in communication with the monitoring systems 116. Any desired biometric characteristics may be utilized for this purpose, such as, for example, fingerprint, retina, facial or DNA characteristics. The one or more biometric readers 114 may be utilized in a variety of different manners, such as being mounted on or integrated within the controller 112 or may be a separate device. The following illustrates exemplary embodiments adapted for aircraft use, such as airplanes or helicopters.

Fig. 2 is a perspective view of an embodiment in which biometric readers in the form of fingerprint and retina readers 119 and 121, respectively, are associated with the control 112, i.e., the controller, of an aircraft. In one preferred embodiment, the fingerprint reader 119 is of a type that also incorporates a pulse sensor. In the embodiment shown, the fingerprint/pulse reader 119 may be provided on one or both of the control arms 122a and 122b. The retina reader 121 is shown provided centrally disposed between the two upright control arms 122a/122b. As should be understood, the finge rint/pulse reader 119 and retina reader 121 may be utilized at other desired locations as well, such as the fingerprint/pulse reader 119 being associated with other components or the retina reader 121 mounted at other locations in the cockpit. The fingerprint/pulse reader 119 and retina reader 121 may be conventional devices, such as any commercially available components, or may be specially manufactured hardware and/or software where desired. Alternatively, as should be understood, other types of biometric sensors may be utilized where desired, hi fig. 3 is illustrated another exemplary embodiment of a control 312. In this embodiment, the fingerprint/pulse reader 319 comprises a series of four inward radius portions 330 shaped to accommodate a user's fingers and a thumb reader 332. The remaining portions are the same as that illustrated in fig. 2. As should be understood, the control may comprise other shapes and configurations as well, and should not be construed as being limited to the designs shown in figs. 2 and 3; for example, a single straight arm, circular steering wheel type design, T-shaped, etc.

In addition, preferably the one or more monitoring systems 116, such as a computer illustrated in fig. 2, is provided in communication with the fingerprint/pulse reader 119 and retina reader 121. The term "computer" as used herein should be broadly construed to comprise any device capable of receiving, transmitting, and/or using information, including, without limitation, a processor, a microprocessor, a personal computer, a network server, a distributed computing system involving parallel processes over a network, network computing or a mainframe. As discussed above, the monitoring system 116 is also preferably in communication with one or more control mechanisms 118 on the aircraft, such as, for example, the control 112, any system controlled by the control 112, the auto-pilot control system, a Global Positioning System ("GPS"), such as a GPS chip, located on the aircraft and/or integrated within one or more biometric sensors, or any conventional systems on the aircraft, as examples. The monitoring system 116 may comprise the aircraft's existing on board computer system or may comprise a separate computer system located on the aircraft itself or at designated locations outside of the aircraft, such as an air traffic control center, which is in communication with the on board computer system or directly with the aircraft's security devices 114 and/or control mechanisms 118. In addition, the monitoring system 116 may be programmed, such as by authorized personnel, so as to be responsive to data received from the fingerprint/pulse reader 119 and/or retina reader 121 in order to control specific operations of the aircraft, such as designated ones of the aircraft's control mechanisms 118. In some exemplary embodiments, the monitoring system 116 may be preprogrammed so as to grant designated personnel permission to operate the aircraft for specific tasks; for example, granting only the designated pilot and copilot of a certain flight the ability to fly the aircraft, granting designated crew the ability to turn off and/or on the aircraft beacon system, granting designated ground crew and maintenance personnel the ability to service the aircraft, etc. In this manner, different types of permissions may be granted where desired to different categories of personnel. Biometric sensors may be utilized wherever restrictions may be desired to operate the aircraft; for instance, biometric verification required to fly the aircraft, for operation of the beacon control system or for access into designated areas, for example, via a biometric interlock on doors, panels and/or hatches providing access to any area on the aircraft potentially vulnerable to sabotage, such as, for example, providing access onto the aircraft itself, into cockpit areas and/or for access to storage compartments, such as cargo areas underneath the aircraft, etc. hi this and other embodiments, the GPS system may operate by sending positioning information to designated locations, such as ground control, in response to various occurrences on the aircraft, such as, for example, where unauthorized persons attempt to fly the plane, a plane goes off its normal course, etc. An exemplary application of this embodiment is illustrated in the accompanying flow chart of fig. 4, which is described in greater detail below.

As shown at step 210 in fig. 4, prior to flight, the pilots and crew that are pre-authorized have their fingerprint and retina biometric information loaded into the designated monitoring system 116, such as the airplane's on-board computer. As mentioned above, a separate computer system located on or outside of the aircraft may be utilized as well. The biometric data that is loaded may have been previously taken from the individuals and stored in a database in electronic form, which is then transferred to the plane computer. Alternatively, the biometric data to be loaded may be read from these individuals on site, such as at the time boarding occurs, and then loaded into the on-board computer system at that time. In addition, where desired, a separate biometric check may be performed to verify identity, such as taken from the pilots and crew prior to boarding the plane, such as a fmgeφrint check that may be compared against stored biometric data for the designated persons, as shown in dotted lines at step 212.

As shown at step 214, the pilot is required to hold the control 112, so that the pilot's fingeφrint/pulse can be detected by the fingeφrint/pulse reader 119 and communicated to the monitoring system 116 to verify identity. An authorized pilot will be able to fly the aircraft, as shown at step 216. Otherwise, as shown at step 218, the control 112 will not function properly and the individual will not be able to fly the plane; for example, in one embodiment, the monitoring system 116 will kick back to auto-pilot mode, as shown at step 220. The term "fly" as used herein should be broadly construed to refer to any phase of an aircraft flight, starting up of the aircraft, movement of the aircraft from a fixed position, take-off or landing of the aircraft, taxiing of the aircraft as well as in the air flight. Accordingly, in other exemplary embodiments, where the aircraft is on the ground, for instance, the monitoring system 116 may operate to prohibit takeoff where an unauthorized pilot is detected, for example, by failing to turn on engines, locking of the control 112, etc. Further, where an unauthorized person may place their hand on the control 112 in order to try to fly the aύplane, the monitoring system 116 may also communicate that information to designated authorities, such as, for example, via an unauthorized pilot notification or a disaster alert signal sent to ground control, as shown at step 222. The monitoring system 116 may also at the same time send the unauthorized person's biometric data to designated authorities, as shown at step 224, so that a subsequent biometric check may be performed to uncover the identity of that individual. In this embodiment, the pulse sensor of the fmgeφrint/pulse reader 119 operates to detect further information about the condition of the individual holding the control 112, such as whether or not there is the presence of a pulse, to signify that the hand placed on the control is of a live individual, or if there is a rapid or irregular pulse, such as to signify that the individual is in a distressed state. The monitoring system 116 can be programmed to notify authorities, such as ground control, if any such unusual pulse reading occurs, such as, for example, via a distressed pilot notification or a disaster alert, as shown at step 226.

In addition, the retina reader 121 can also be used in this embodiment as an additional level of security , such as to communicate with the monitoring system 116 so as to authorize engagement or disengagement of the auto-pilot. For example, the retina reader 121 can verify whether an authorized pilot is in his or her seat, and control subsequent operations based that information, where desired, such as to allow disengagement of the auto-pilot, as shown at steps 228-232. Other suitable types of biometric devices may be utilized as well where desired in place of the retina reader 121; for example, a heat signature device or a camera located in the seat of the pilot rather than a retina reader, certain embodiments, retina reader 121 can comprise one or more commercially available cameras adapted for taking a biometric read of the retina of designated persons at specified times. For example, the camera can of a type activated to take a biometric read anytime there is motion sensed. For instance, the camera can be mounted in the cockpit area and operated to take a retina read anytime there is movement by the pilot, i addition, that same camera, or another camera, can be provided to take a photograph of the designated person at the same time a retina read is taken. Multiple cameras may also be used where desired, such as for the pilot and copilot, etc. In addition, in this and other embodiments, the camera can also be activated so as to take a photograph of the designated persons at other desired times, such as when an unauthorized person attempts to take the controller or access particular areas, an irregular pulse is detected or any other distressed condition is detected. The photograph, along with any other desired information, may then be transmitted to desired locations, such as via satellite, cellular or independent transmitter, as examples. Some examples of the desired locations include, but area not limited to, the airlines, as mentioned above, the Department of Defense and/or Department of Homeland Security. In some embodiments, it may be desired to grant permission to certain additional persons as a matter of course or in emergency situations to have limited or full authority to operate the aircraft who originally did not have that authority. For instance, in certain circumstances, for example, such as where any crew become ill or incapacitated during a flight, it may be desired that authority to operate a given aircraft be granted to additional persons, such as any off duty crew or any passenger pilots on the aircraft. In such situations, a biometric check can be implemented to verify identity of the additional persons before any authority to operate the aircraft will be given. The biometric check can be performed on the aircraft and compared against stored biometric information contained either on the aircraft, such as contained in the onboard computer, or any database located outside of the aircraft, such as a database kept by designated authorities, such as by individual airlines, the airline industry or a central reporting database, as examples. The biometric check can be done by utilizing a separate biometric device on the aircraft, or by using any of the existing biometric devices mentioned above, such as the fmgeφrint/pulse reader 119 and/or retina reader 121. i some embodiments, a flight management system (FMS) or a remote station can monitor the progress of the aircraft's flight, using, for example, altitude, course and GPS data. The FMS can be a computer system provided as part of the monitoring system 116, integrated therewith, or independent therefrom. The FMS can compare data relating to the flight's progress with a flight plan that has been pre-recorded in memory. In such embodiments, the FMS, monitoring system or remote station can alert ground controllers or other authorities to deviations from the flight plan for corrective measures, or the FMS can assume automated control of the aircraft to prevent the flight from entering prohibited or restricted air space or if a possibly hostile situation is detected.

Figure 5 is a flow chart showing how such a system can operate. Box 402 represents the status of a flight in computer-guided mode, e.g., with the auto-pilot engaged, or a flight being monitored by ground control through an airborne flight information system (AFIS). The AFIS provides communication between the aircraft and ground controllers so that the flight plan can be monitored remotely. The AFIS can be configured to automatically transmit flight-related data, such as course, altitude and position, and information received from the monitoring system 116 to ground controllers or other authority, and can receive instructions therefrom without pilot or crew interaction.

During flight operations, a course correction or deviation from the flight plan may be desired for a number of reasons, such as the approach of inclement weather, flight traffic congestion, an obstacle in the flight path or a bird strike. When a course correction is desired, such as at box 404, the next step of the method will depend upon whether or not an authorized pilot is at the controller 112 of the aircraft. As shown at step 406, the biometric readers 114, such as the fingeφrint/pulse readers 119 retina reader 121 described above, can be utilized to determine if an authorized pilot is at the controller 112.

If an authorized pilot is at the controller 112, a decision 408 must be made as to whether there is adequate time for notification of the proposed course correction to ground controllers. If there is sufficient time to notify ground control of the proposed course correction, the ground controllers can be notified, as in step 410. If the proposed course correction is found to be suitable by the ground controller, the course correction plan can be approved, as at step 412, and a new flight plan generated and uploaded to the aircraft, as shown at step 414. After the new flight plan has been validated at step 416, the computer guided flight mode (if engaged) can be disengaged as at step 418. The approved course correction can then be initiated, as at step 420, by the pilot. While the course correction is being executed, ground controllers can assess control of the aircraft through data received from the AFIS, through voice communication with the pilot and/or through the cockpit camera as at step 422. Assessment of the state of control of the aircraft can include an evaluation of whether an authorized pilot is in command, or if an unauthorized and potentially hostile individual may have seized control of the aircraft. The data received from the AFIS that can be used as part of the assessment can include information communicated from the security devices 114, such as fmgeφrint/pulse readers 119 and retina readers 121. Where a possibly hostile situation can not be ruled out, a potential threat can be assumed as explained below.

If the state of control of the aircraft appears to be acceptable, as shown at step 424, the auto-pilot (the flight management guidance computer) can be engaged or re-engaged when the correction has been completed, and the new flight plan can be evaluated by the pilot as shown in step 426. At step 428, the modified flight plan and the control of the aiφlane can be evaluated by the ground controller, other authority and/or monitoring system 116. This step can include an evaluation of whether the new flight plan will bring the aircraft unacceptably close to any prohibited or restricted airspace, such as, for example and without limitation, power generating plants, such as nuclear plants, military installations, government areas, such as the Capital and White House, and national monuments. Prohibited airspace evaluation can be performed in accordance with the method described below in connection with Figure 6. If the modified flight plan is found to be acceptable, the aircraft can resume normal operations as shown in box 402.

If the ground controller or other authority finds the progress of the flight, the new flight plan or the control of the aiφlane to be unacceptable, control of the aircraft can be assumed from the ground or other location remote from the aircraft, such as a chase plane. Alternatively, control of the aircraft can be assumed by an automated system on board the aircraft. In either case, control of the aircraft is at least partially taken away from the pilot, as at step 430. Control of the aircraft can be assumed using a variety of different means. Examples of such means include the provision of a Mission Management Unit (MMU) or a secondary FMS. A MMU is a control system that allows ground controllers to override the on-board FMS and aircraft control

, systems in order to command the aircraft from the ground through radio or satellite communications. A secondary FMS can be pre-programmed with an unalterable flight plan or an alternative contingent flight plan that can be activated in the event of an airborne hostile event. When the secondary FMS is engaged, it can override any commands or control, or selected commands, attempted by the pilot or unauthorized user. The unalterable flight plan can be hard- programmed into the secondary FMS with instructions to fly the aircraft to a pre-selected safe altitude or location. Assumption of aircraft control can be assumed by a MMU, secondary FMS or other control device anytime a hostile event is suspected.

Other scenarios in which aircraft control can be assumed from the ground, another location remote from the aircraft, or by a secondary FMS is if an authorized pilot is not detected at step 406, or if it is determined at step 408 that there is not adequate time to notify ground controllers of a desired course correction and other conditions are met. If there is no time to notify ground controllers at step 408, such as if an obstacle is detected in the flight path or in the event of a bird strike, the auto-pilot (if engaged) can be disengaged at step 432 and short term course correction can be immediately initiated by the pilot at step 434.

Following any course correction, it can be determined whether the course deviation is within the tolerance of the flight plan at step 436. As such, the FMS or monitoring system 116 can be preprogrammed with acceptable tolerances or be able to calculate tolerances based on the particular situation. Tolerances of greater magnitude may be acceptable where the aircraft is in transoceanic flight or is otherwise not near any potential terrorist targets. Lesser tolerances may be appropriate where the flight path takes the aircraft near restricted air space or other areas that may contain potential terrorist targets. If it is determined that a course deviation is within flight plan tolerance, then the course correction can be considered to be complete and the method resumed at step 424.

If at step 436 it is found that the course deviation is not within flight plan tolerance, an alarm can be sent to the ground controller, such as by the AFIS, as shown in box 438. Such an alarm can be considered a first stage alarm event or alert condition. Upon declaration of a first stage alarm, the ground controller can attempt to initiate communication with the aircraft and assess the status of the flight, including the state of control of the aircraft through the AFIS, voice communication and/or the cockpit camera, as in step 422. If, after the assessment step 422, it is determined that a hostile event may be in progress, a second stage alarm or condition event can be declared. As shown in step 442, a second stage alarm event can be accompanied by continuous monitoring of the cockpit camera and preparation by ground control or another authority to assume control of the aircraft.

An elapsed time period threshold can be established for second stage alarm events. If, at step 444, ground, controllers determine that a hostile event is not occurring, the second stage alarm condition can be cancelled and the ground controllers can re-assess control of the aircraft according to step 422. However, if ground controllers observe evidence of hostile activity, or if the threshold time to make a determination is exceeded, the ground controller or other authority can assume control of the aircraft via the MMU, or the secondary FMS can assume control.

If a course correction is desired and, at step 406, it is determined that an authorized pilot is not in control of the aircraft, a second stage alarm condition can be immediately declared and the method carried out directly from step 442.

Figure 6 shows a method of preventing an aircraft from entering restricted or prohibited airspace according to some embodiments of the invention. As shown in step 452, a database having information relating to prohibited airspace can be loaded into a computer on the aircraft, such as the FMS, and can also be available to ground controllers or other authorities on the ground. The flight plan for the aircraft can be loaded into the aircraft computers prior to departure (or subsequently uploaded as in step 414 of figure 5). The flight plan can be entered into the ground based systems as shown in step 456. At step 458, the flight plan can be compared with the prohibited-airspace database to ascertain whether or not the flight plan will bring the aircraft too close to or within prohibited airspace. In addition, acceptable tolerances to the flight plan can be calculated based on proximity to prohibited airspace, the nature of the prohibited airspace and other factors. If it is determined that prohibited airspace may be violated, or if there are other concerns regarding the flight plan, the pilot and the ground controllers can agree to adjust the flight plan at step 459 as appropriate.

If adjustments to the flight plan are made, the adjusted flight plan can be reentered into the aircraft and ground-based computer systems at steps 454 and 456. Thereafter, the analysis of step 458 can be repeated as many times as necessary.

If at step 458 it is determined that the flight plan is acceptable, the aircraft is permitted to proceed under the flight plan at step 460. If it is desired to adjust the flight plan en route or otherwise make course corrections, such as those described above in connection with step 404, the modification can be entered into the guidance computer or manual (pilot) control can be assumed as shown in box 462. When modifications to the flight plan are made or if manual flying mode (i.e., the auto-pilot turned off) is initiated, the GPS system onboard the aircraft can be used for satellite and ground tracking of the flight's progress at step 464. The GPS data, other data communicated through the AFIS, and the modified flight plan can then be analyzed at step 466 to determine whether the aircraft is proximate to prohibited airspace or if the flight plan, as modified, includes a vector that would violate prohibited airspace tolerance. If, at step 468, it is determined that the aircraft is not proximate to prohibited airspace and that the flight plan includes no vectors that would violate prohibited airspace tolerance, the aircraft is permitted to proceed with existing flight telemetry as shown at box 460.

If at box 468 it is determined that the aircraft is proximate to prohibited airspace or a flight plan vector would violate prohibited airspace tolerance, then an alarm condition can be declared, as at box 470. Under the alarm condition, it can be determined whether a prohibited airspace violation is imminent. A violation may be imminent, for example, if the aircraft vector is directed at a potential terrorist target or if the altitude of the aircraft falls below a pre-selected flight floor restriction as shown at step 472. If it is determined that a prohibited airspace violation may be imminent, the modified flight plan can be overridden and automatically replaced with the original flight plan or with a contingent flight plan as shown at box 474. As discussed above in connection with step 430 of Figure 5, the ground controller can assume command of the aircraft via the MMU or the secondary FMS can assume control in order to override the modified flight plan.

If at step 472 it is determined that no violation of prohibited airspace is imminent, it may not be necessary to immediately assume control of the aircraft via an MMU or secondary FMS unit. Instead, a course correction can be required so that the aircraft is no longer proximate to prohibited airspace or so that the flight plan includes no vectors that would violate prohibited airspace, as shown at step 476. Once a suitable course correction has been determined, the flight plan should again be modified and entered into the computer in accordance with step 462. The flight can then be permitted to proceed according to the modified plan and the subsequent steps of the method.

As noted above, some embodiments of the invention relate to methods of limiting access to the aircraft by passengers and unauthorized crew to further enhance safety. The methods of limiting access will now be described in more detail in connection with Figures 7 through 10. The methods can involve establishing one or more databases of passenger and flight staff information, including biometric information. The appropriate information for each individual that is to have access to the aircraft can be transmitted from the database to the aircraft and ground systems. Individuals requesting access to the aircraft can be identified at one or more access points, such as the aircraft door or gate, prior to accessing the aircraft. Security devices, such as biometric readers 119, 121 described above and/or smartcard or name badge scanners, can be provided at the access point to identify individuals. Access to the aircraft can therefore be limited to individuals who are pre-approved for access.

Figure 7 is a flow chart showing an overview of a method for limiting pre-departure access. As shown in step 502, the flight preparation cycle can be initiated prior to any crew member or passenger accessing the aiφlane. The identities and related information for members of the flight crew and ground crew are recorded in a secure data source and validated, as discussed in more detail below. The data shown at box 504 can include appropriate biometric information and data encoded on a smartcard or name badge in possesion of the crew for identifying the individual when necessary.

The identities of the crew members assigned to the particular flight and their associated biometric information and/or smartcard data can be loaded to the aircraft computers and ground systems by radio, DND or any other secure electronic means at step 506. This limited data subset of authorized individuals can be accessed when any individual requests access to the aircraft. If, after biometric scarrning, smartcard reading and/or other secure identification process, the crew members are confirmed to be the appropriate crew members for that flight, access to the aircraft is authorized as shown in step 508. As shown in step 510, the flight plan can also be entered into a flight management guidance computer and/or into the momtoring system 116. Once individual crew members are authorized, access by the interior crew and ground crew can be recorded at steps 512 and 514. The cockpit camera, access control devices or other recording devices can also begin recording access to the cockpit, hi addition to recording of cockpit activity, the image from the cockpit camera can be monitored remotely in real time by ground personnel until the flight deck has been secured. Flight deck activity recording and monitoring are shown in boxes 516 and 518.

While access to the aircraft is being monitored and recorded, automated violation monitoring can be performed as shown at box 520. Such monitoring can include monitoring of compartments or hatches that should not be accessed and tracking of crew members to make sure that an individual does not access areas for which that individual is not authorized. If the automated monitoring detects any possible violations, an alarm can be declared and appropriate response procedures initiated as at step 522.

A similar database of passenger information and system for passenger authentication can be established if desired. Once crew members and passengers have boarded the plane, the aiφlane exterior can be secured, as shown at step 524, and a preflight checklist can be performed, as at step 526. As part of the preflight checklist, access data can be sent to the pilot and/or ground personnel. This report can be reviewed as part of the preflight checklist for any unauthorized access to the aircraft, or any other violations that may have occurred during flight preparation. If any violations have occurred, the nature of the violation can be investigated and cleared prior to providing approval for flight departure, as at Step 528. At times it is necessary to make last minute changes to the crew, passengers or cargo onboard the aircraft. If a last minute change is necessary, as shown in box 530, authentication of the added person or cargo can be performed at step 532. In this regard, triple authentication can be performed using biometric readings of the newly added person or cargo, the person bringing that newly added person or cargo to the aircraft, as well as the person allowing the newly added person or cargo access to the aircraft. In addition to this triple authentication, remote approval (from ground personnel) can be obtained prior to allowing the newly added person or cargo access to the aircraft, as represented by box 534. Once any last minute additions to the crew, cargo or passengers have been completed, the aircraft exterior can again be secured in accordance with step 524 and a new report generated and reviewed as part of the preflight checklist.

Access to the aircraft by ground crew and cargo loading personnel can be limited according to the method shown in Figure 8. As discussed above, identity and biometric data of all personnel who are authorized to have access to the aircraft is downloaded from a secure data source. As shown in box 552, access to the entire tarmac can be limited to those ground crew members having authorization to access at least one aircraft on the tarmac. Therefore, ground crew members can undergo biometric scanning prior to being permitted on the tarmac. Once permitted on the tarmac, the cargo loading team can proceed to the aircraft to which they are assigned, as shown in box 554. The ground team gains access to the aircraft when a member of the ground team, such as the Ground Team Lead, patches into an aircraft commport and authenticates his or her identity. Authentication, represented by Box 556, can be performed using a name badge or smartcard with encoded identifying data, and/or using fingeφrint/pulse authentication or retina scanning at security devices provided at the commport. The authentication of the Ground Team Lead or other ground crew member can open an electronic lock to allow access through one or more cargo hatches on the aircraft. Thereafter, the Ground Team Lead can authorize the loading of cargo, and the remainder of the ground crew can be authenticated using smart cards or biometric reading each time a ground crew member accesses the aircraft, as shown at boxes 558-562. As shown at box 564, an electronic display, such as an LED scoreboard, can be provided on or near a portal door at the aircraft. The electronic display can display the number of cargo loading personnel that have been authenticated and are authorized to load cargo onto the aircraft. This information can be transmitted to or monitored by a member of the ground team, who can visually observe the number of personnel loading cargo, as shown in box 566. If at step 568 it is determined that the number of personnel visually counted does not match the number displayed on the electronic display, security personnel can be notified and the loading operation interrupted. As shown at box 570, the cargo loaded onto the plane can then be inspected. Further, as shown at step 572, it can be determined which personnel on or near the aircraft are not authenticated, or which authenticated personnel are missing. If it is determined that an unauthorized individual has accessed the aircraft or the cargo being loaded onto the aircraft, a hostile situation can be declared as at step 574 and an appropriate response initiated. If it is determined that no unauthorized personnel have accessed the aircraft and that no hostile situation is occurring, a report can be made as at box 576 and the loading process completed as shown at box 578. Once cargo loading is complete and the loading personnel have departed, the ground team can lock down the aircraft as shown at box 580.

Provided that there are no last minute additions to cargo, the report regarding ground team authentications and any violations can be sent to the pilot for review as part of the pre-flight checklist as shown at box 584 and discussed above. Thereafter, the aircraft can be cleared for takeoff as shown at box 586. If at step 582, additional cargo must be loaded onto the aircraft, the cargo loading team can proceed back to the aircraft and reinitiate the method starting at step 554.

A method of authenticating authorized personnel is shown in more detail in Fig. 9. As noted above and indicated at box 602, a central system is established to maintain identity and biometric information regarding personnel. The central system includes the ability to add biometric information for new staff members and to delete information with regard to terminated staff members. Further, the central system should be configured so as to accept and transmit data to and from remote systems. These remote systems, as shown at box 604, can be provided with the capabilities to add and delete identifying and biometric information regarding staff, and to accept and transmit data from and to the central system.

At step 606, procedures can be established to safeguard the data. For example, privileges to enter, modify and delete data can be restricted to personnel who have pre-selected security clearance. Background checks can be performed on each new staff member to be added to the system. Biometric information for new staff can be captured using fingeφrint/pulse readers and/or retina readers as described above. These procedures can be used to enroll staff by capturing each individual's biometric information, and adding that information to the database in association with the staff member's identity, identifying information encoded on the staff member's name badge or smartcard, and other information of interest.

If cockpit crews, cabin crews and service crews are selected for a particular aircraft or flight, the information for that flight can be downloaded to the aircraft at the appropriate time, as shown at box 610. As indicated by box 612, procedures can be established to ensure that only information for the appropriate crew members (i.e., those actually assigned to the particular flight) are downloaded to the aircraft. Therefore, staff members who are not assigned to that particular flight will not be able to authenticate or otherwise gain access to the aircraft. The transmission of the crew information should be performed using secure network protocols or other means for secure data transfer as shown at box 612. When a staff member attempts to access the aircraft, biometric information of that staff member is captured using appropriate biometric reading devices, as at step 614, using the methods and apparatus described above. At step 616, the newly captured biometric information is compared to the biometric information downloaded to the aircraft from the secure database. The comparison of the biometric information of the individual requesting access and the downloaded information for the appropriate individual can be used to generate a score to determine whether or not there is a match as shown at 618. The score can be based on the number of common identifying points from a fingeφrint comparison, common identifying features from the retina reads or other identifying characteristics. A comparison resulting in a score above a pre-selected threshold can be considered a match. In addition, the individual's name badge or smartcard can be scanned to read identifying information encoded thereon for comparison with that downloaded from the database. If a match is determined, the individual staff member is authenticated and is permitted to proceed with access to the aircraft, as at box 620. If it is determined that there is not a match between the biometric information or smartcard data of the individual requesting access and the downloaded data, the individual's biometric information can be re-read a pre-selected number of times. For example, as shown at box 622, if an individual staff member is permitted four scans, and the fourth scan does not produce a match, the individual can be considered potentially hostile. In that case, security procedures can be implemented as shown at box 624 and the individual's biometric information can be provided to security personnel or an appropriate authority. Where four scans are permitted and the individual has been scanned less than four times, the individual's biometric information can be re-read at step 614.

Figure 10 shows a method of categorizing all individuals who are seeking access to an aircraft. At box 652, a database is provided having the identities and associated biometric information for aircraft crew and passengers. A subset of this data can be limited to only the crew members assigned to the flight and the passengers expected to be on the flight. The limited subset of expected individuals can be downloaded to the aircraft. (The word "cargo" in Figure 10 is used to m'ean passengers when the method is being used to differentiate or categorize individuals requesting access to the aircraft.)

The method begins at step 654 by considering all individuals to be "bystanders". The biometric information for each of these individuals is read and captured by one of the appropriate means described above. Once biometric information has been scanned at steps 656, the scanned information is then compared to the information contained in the database at step 658. If, at step 662, the individual's newly scanned information meets the criteria for a match with that contained in the database, that individual is then categorized as "crew" or "passenger," as shown at box 664. Smartcards or name badges can also be scanned and compared to database information for additional security. Once appropriately categorized, the individual can be given privileges based on the assigned category, such as access to the appropriate areas of the aircraft. For example, passengers can be given access to the passenger cabin; whereas crew members can be given access to their appropriate work areas. It is also possible, as shown at step 666, to provide an individual with access privileges based on predefined crew status, geographic position or sensor type.

If at step 662 it is determined that the individual's newly scanned data does not meet the criteria for a match with information contained in the database, the individual's biometric information can be re-scanned a pre-selected number of times. For example, if an individual is to be permitted four attempts at a successful scan, as shown at box 668, and the fourth attempt fails, the individual can be considered potentially hostile and the newly scanned data can be captured. In that case, security procedures can be implemented as shown at box 670 and the newly scanned biometric information can be provided to the appropriate authorities. If, after scanning less than four times, the individual's newly scanned biometric information does not meet the criteria for a match, the individual can be re-scanned at step 656. Thus, a method for categorizing individuals and providing the appropriate access to an aircraft is provided.

If circumstances warrant, it is also possible to use the method to re-categorize individuals after boarding the aircraft. An example of such a circumstance may be that discussed above with regard to granting privileges to an off-duty pilot in an emergency or if a crew member falls ill. In that instance, smartcard or biometric information can be uploaded to the aircraft via radio or satellite communications from the central or a remote database. Thereafter, the passenger can be re-scanned using biometric readers or smartcard scanners onboard the aircraft for authentication and upgrading to crew status. In such circumstances, any passenger who attempts to upgrade to crew status and fails authentication can be considered hostile. As should be understood, the embodiments discussed above can be susceptible to many different modifications or variations. For example, it should be understood that any number of security devices may be used in connection with embodiments of the present invention, and with any number being biometric readers. For instance, in the illustrated embodiment, one or more biometric readers may be utilized where desired, and the biometric readers may be of any desired type, such as a fingeφrint/pulse reader and/or retina reader as shown or any other desired types of biometric reading devices. In addition, in certain embodiments, it may be desired that there be a combination of biometric and nonbiometric type security devices, or that no biometric type security devices be used. In addition, the term "controller" as used herein should be broadly construed to comprise any mechanism utilized for operation of the aircraft, such as the control yoke, as well as any suitable type of device, system or method for regulating operation, such as a control of any desired shape, as mentioned above, a keyboard, trigger, buttons, tracking ball, single or dual joystick, lever, wheel, etc. Further, while the illustrated embodiment is described in relation to aircraft, it should be understood that embodiments may also comprise other types of apparatus or systems as well, including vehicles, such as, for example, military vehicles, commercial vehicles(e.g., trains, buses, trucks, taxi cabs, etc), private vehicles(e.g. passenger cars), or any desired products or equipment, such as controls for nuclear reactors or military weapons, computer terminals, firearms, etc. The embodiments of the present invention may be implemented using hardware or software or any combination of the two where desired. Various embodiments may also be implemented using commercially available technology. Accordingly, it is intended that the invention not be limited to the specific illustrative embodiments, but be inteφreted within the full spirit and scope of the appended claims and their equivalents.

Claims

What is claimed is: 1. A method of operating an aircraft in which automated or remote control can be assumed in the event of a possibly hostile situation, the method comprising the steps of: inputting flight plan information into a monitoring system; calculating acceptable deviation tolerances relating to the flight plan; operating the aircraft according to the flight plan; deviating from the flight plan if a modification to the flight plan is desired; after deviating from the flight plan, assessing whether a possibly hostile situation exists; and if a potentially hostile situation cannot be ruled out within a reasonable time, assuming control of the aircraft by t (i) remotely controlling the aircraft from the ground or other location remote from the aircraft, or (ii) engaging an automated control unit on the aircraft to execute a preprogrammed flight path or contingency protocol that contradicts the modification.

2. The method of claim 1 wherein, after deviating from the flight plan, the step of assessing whether a possibly hostile situation exists comprises the steps of: monitoring information relating to the position and course of the aircraft; and based on the position- and course-related information, determining if a potential threat exists.

3. The method of claim 2 further comprising the step of providing information relating to prohibited airspace.

4. The method of claim 3 wherein the step of calculating acceptable deviation tolerances comprises calculating tolerances with respect to prohibited airspace.

5. The method of claim 4 wherein the step of assessing whether a possibly hostile situation exists comprises the step of calculating whether or not the aircraft is proximate to prohibited airspace or whether the course of the aircraft will violate prohibited airspace.

6. The method of claim 5 wherein the step of assessing whether a possibly hostile situation exists further comprises the step of determining whether or not a prohibited airspace violation is imminent.

7. The method of claim 6 wherein the step of determining whether or not a prohibited airspace violation is imminent comprises the step of assessing whether or not the vector of the aircraft is directed at a potential terrorist target or whether the altitude of the aircraft is below a pre-selected flight floor limit.

8. The method of claim 1 wherein, after deviating from the flight plan, the step of assessing whether a possibly hostile situation exists comprises the steps of assessing, from the ground or other location remote from the aircraft, the state of control of the aircraft by monitoring automated communications received from the aircraft, listening to voice communications from the aircraft, or monitoring a video signal from a cockpit camera on the aircraft.

9. The method of claim 8 further comprising, if the state of control of the aircraft is not found to be acceptable, the steps of: declaring an alarm condition; on the ground or other location remote from the aircraft, continuously monitoring the video signal from the cockpit camera or other monitoring device on the aircraft; and preparing to assume control of the aircraft from the ground or other location remote from the aircraft.

10. The method of claim 9 further comprising the step of assuming control of the aircraft from the ground or other location remote from the aircraft if (i) evidence of hostile activity on board the aircraft is detected, or (ii) the elapsed time of continuously monitoring the cockpit camera or other monitoring device exceeds a pre-selected tlireshold time without ruling out the possibility of hostile activity.

11. The method of claim 1 further comprising the step of determining whether or not there is adequate time to notify ground control of the desired modification prior to deviating from the flight plan.

12. The method of claim 11 wherein, if there is not adequate time to notify ground control of the desired modification, the step of assessing whether a possibly hostile situation exists comprises the steps of: determining if the deviation is outside of acceptable deviation tolerance; and (i) if the deviation is outside of acceptable deviation tolerance, declaring an alarm condition, and (ii) if the deviation is not outside of acceptable deviation tolerance, continuing flight operations.

13. The method of claim 12 wherein, if the deviation is outside of acceptable deviation tolerance, the step of assessing whether a possibly hostile situation exists further comprises the step of: from the ground or other location remote from the aircraft, determining the state of control of the aircraft by monitoring automated communications received from the aircraft, listening to voice commuiiications from the aircraft, or monitoring a video signal from a cockpit camera on the aircraft.

14. The method of claim 13 further comprising, if the state of control of the aircraft is not found to be acceptable, the steps of: declaring a second alarm condition; on the ground or other location remote from the aircraft, continuously monitoring the video signal from the cockpit camera or other monitoring device on the aircraft; and preparing to assume control of the aircraft from the ground.

15. The method of claim 14 further comprising the step of assuming control of the aircraft from the ground or other location remote from the aircraft if (i) evidence of a hostile situation on board the aircraft is detected, or (ii) the elapsed time of continuously monitoring the cockpit camera or other monitoring device exceeds a pre-selected threshold time without ruling out the possibility of hostile activity.

16. The method of claim 11 further comprising, if an authorized pilot is not at a controller of the aircraft, the steps of declaring an alarm condition; on the ground or other location remote from the aircraft, continuously monitoring a video signal from the cockpit camera or other monitoring device on the aircraft; and preparing to assume control of the aircraft from the ground.

17. The method of claim 16 further comprising the step of assuming control of the aircraft from the ground or other location remote from the aircraft if (i) evidence of a hostile situation on board the aircraft is detected, or (ii) the elapsed time of continuously monitoring the cockpit camera or other monitoring device exceeds a pre-selected threshold time without ruling out the possibility of hostile activity.

18. A method of limiting access to an aircraft comprising: maintaining a database having identity and associated biometric information relating to crew members; downloading a subset of information from the database to the aircraft, the subset consisting essentially of information relating to crew members that are assigned to the aircraft for a particular flight; reading biometric information of an individual requesting access to the aircraft; comparing the biometric information read from the individual requesting access to the information downloaded to the aircraft to determine if there is a match; if a match is determined, granting the individual access to the aircraft.

19. The method of claim 18 further comprising the steps of preparing a report relating to aircraft access, including any access violations, and reviewing the report as part of a preflight checklist.

20. The method of claim 18 further comprising the step of remotely monitoring the cockpit until the cockpit is secured.

21. The method of claim 18 further comprising the step of monitoring any access violations with automated means.

22. The method of claim 21 further comprising the steps of declaring an alarm and initiating a response if the automated means detects an access violation.

23. The method of claim 18 further comprising the step of securing the exterior of the aircraft after passengers, crew and cargo is aboard the aircraft.

24. The method of claim 23 wherein if an additional crew member, passenger, or cargo is to be added to the aircraft after the exterior of the aircraft has been secured, the method further comprises the step of triple authenticating the additional crew member, passenger, or cargo.

25. The method of claim 24 wherein the step of triple authenticating comprises the steps of reading biometric information of the newly added crew member, passenger or cargo, the person bringing that newly added crew member, passenger or cargo to the aircraft, and the person allowing the newly added person or cargo access to the aircraft.

26. The method of claim 24 further comprising the step of preparing a report relating to aircraft access, including any access violations, and reviewing the report as part of a preflight checklist.

27. The method of claim 26 further comprising the steps of: updating the report after an additional crew member, passenger, or cargo is added to the aircraft after the exterior of the aircraft has been secured; and reviewing the updated report as part of the preflight checklist.

28. The method of claim 27 further comprising the step of granting departure approval after clearing any access violations noted in the report.

29. The method of claim 18 further comprising the steps of: downloading a second subset of information from the database to a point of access to a tarmac on which the aircraft is found, the subset consisting essentially of information relating to ground crew members that are assigned to any aircraft on the tarmac; reading biometric information of an individual requesting access to the tarmac; comparing the biometric information read from the individual requesting access to the information downloaded to the point of access to determine if there is a match; if a match is determined, granting the individual access to the tarmac.

30. The method of claim 29 wherein the step of granting the individual access to the aircraft comprises opening a hatch.

31. The method of claim 30 wherein the step of opening a hatch comprises opening an electronic lock after the match is determined.

32. The method of claim 29 further comprising the step of providing an electronic display that displays the number of ground crew members that have been authorized to load cargo onto the aircraft.

33. The method of claim 32 further comprising the step of visually observing the number of ground crew members and comparing the number visually observed with the number displayed on the electronic display.

34. The method of claim 33 wherein, if the number of ground crew members visually observed does not match the number displayed on the electronic display, the method further comprises the step of notifying security personnel.

35. The method of claim 29 further comprising the step of securing the exterior of the aircraft after cargo is aboard the aircraft.

36. The method of claim 35 wherein, if additional cargo is to be added to the aircraft after the exterior of the aircraft has been secured, the method further comprises the step of authenticating the additional cargo.

37. The method of claim 36 wherein the step of authenticating the additional cargo comprises the steps of reading biometric information of the person bringing the newly added cargo to the aircraft and reading biometric information of the person allowing the newly added cargo access to the aircraft.

38. The method of claim 35 further comprising the step of preparing a report relating to aircraft access, including any access violations, and reviewing the report as part of a preflight checklist.

39. The method of claim 38 further comprising the steps of: updating the report after additional cargo is added to the aircraft after the exterior of the aircraft has been secured; and reviewing the updated report as part of the preflight checklist.

40. The method of claim 39 further comprising the step of granting departure approval after clearing any access violations noted in the report.

41. The method of claim 18 wherein the step of maintaining the database comprises the step of providing a central system for recording the identity and associated biometric information, the central system being capable of accepting and transmitting the information.

42. The method of claim 41 wherein the maintaining step further comprises the step of enrolling staff by capturing biometric information for new crew members and loading the biometric information into the central system.

43. The method of claim 42 wherein, if a match is not determined during the comparing step, the method further comprises repeating the step of reading biometric information of the individual requesting access to the aircraft a pre-selected number of times.

44. The method of claim 43 wherein, if a match is not determined during the comparing step after repeating the step of reading biometric information of the individual requesting access to the aircraft a pre-selected number of times, the method further comprises the steps of considering the individual to be potentially hostile and implementing security procedures.

45. The method of claim 44 wherein, if a match is not determined during the comparing step after repeating the step of reading biometric information of the individual requesting access to the aircraft a pre-selected number of times, the method further comprises the step of recording the individual's biometric information and providing the biometric information to security personnel or other authority.

46. The method of claim 18 further comprising the step of downloading passenger- related information to the aircraft, the passenger-related information comprising biometric information for passengers expected to be on the aircraft for a particular flight.

47. The method of claim 46 further comprising the step of initially considering all individuals requesting access to the aircraft to be bystanders.

48. The method of claim 47 wherein, if a match is determined during the comparing step, the method further comprises the step of categorizing the individual.

49. The method of claim 48 wherein, if the biometric information read from the individual requesting access matches downloaded passenger-related information, the categorizing step comprises considering the individual to be a passenger.

50. The method of claim 49 wherein, if the biometric information read from the individual requesting access matches downloaded passenger-related information, the method further comprises granting passenger privileges to the individual.

51. The method of claim 48 wherein, if the biometric information read from the individual requesting access matches downloaded crew member-related information, the categorizing step comprises considering the individual to be a crew member.

52. The method of claim 51 wherein, if the biometric information read from the individual requesting access matches downloaded crew member-related information, the method further comprises granting crew member privileges to the individual.

53. The method of claim 48 further comprising the step of uploading additional crew member-related information to the aircraft while the aircraft is in flight.

54. The method of claim 53 further comprising the step of repeating the reading and comparing steps if an individual desires to be re-categorized during flight.

55. The method of claim 50 wherein, if an individual categorized as a passenger desires to be categorized as a crew member while the aircraft is in flight, the method further comprises the steps of: uploading additional crew member-related information to the aircraft while the aircraft is in flight; and repeating the reading and comparing steps.

56. The method of claim 48 wherein, if a match is not determined during the comparing step, the method further comprises the step of repeating the reading and comparing steps a pre-selected number of times.

57. The method of claim 56 wherein, if a match is not determined for an individual during the comparing step after the reading and comparing steps have been repeated the pre- selected number of times, the method further comprises the steps of considering the individual to be potentially hostile and implementing security procedures.

58. The method of claim 57 wherein, if a match is not determined during the comparing step after repeating the reading and comparing steps the pre-selected number of times, the method further comprises the steps of recording the individual's biometric information and providing the biometric information to security personnel or other authority.

59. An apparatus for operating an aircraft in which automated or remote control can be assumed in the event of a possibly hostile situation, the apparatus comprising: a monitoring system containing flight plan information and acceptable deviation tolerances relating to the flight plan; and means for assuming control of the aircraft if a potentially hostile situation cannot be ruled out within a time period following a deviation from the flight plan, wherein the means for assuming control comprises: (i) means for remotely controlling the aircraft from the ground or other location remote from the aircraft, or (ii) means for engaging an automated control unit on the aircraft to execute a preprogrammed flight path or contingency protocol that contradicts the deviation.

60. A system for limiting access to an aircraft comprising: a database having identity and associated biometric information relating to crew members; a storage device into which is downloaded a subset of information from the database, the subset consisting essentially of information relating to crew members that are assigned to the aircraft for a particular flight; a biometric device for reading biometric information of an individual requesting access to the aircraft; and means for comparing the biometric information read from the individual requesting access against the information downloaded to the storage device to determine if there is a match, and if a match is determined, granting the individual access to the aircraft.