Failures, safety and redundancy

Hi all,

I am working on a design for a reasonable size plane. At this point it is all on paper, so I like to approach everything from a theoretical point of view. I’ve been out of the RC world for quite some time and it has changed to say the least. So I consider myself a newbie at this point. I was still playing around with analog transmitters and crystals. Anyway, I have some (maybe noobish) questions about the Navio and some other general questions, mostly related to fail-over. I have an aviation and IT background and if I send a plane up which I have designed myself, I’d like to have a very acceptable safety margin in place (comparable with commercial drone rules and regulations).

I’ve flown Airbus in real life and what I learned is: electronics will fail. IRS’s will fail, autopilots will fail, mechanical parts will fail. That’s OK though, because there is double or sometimes triple redundancy in place. Sometimes, a simple reboot will fix a flight computer, sometimes there is an abnormal checklist to be followed. With that in mind, I’d like to design my plane. I don’t really like the idea of a rebooting Pi in mid air (I have a Pi which fails under high load lying around here somewhere…). So I’m thinking about the following: I’d like to fly the plane by joystick with APM, with FPV, artificial horizon and telemetry. I am creating a list with all components that could fail and I try to figure out what the bare minimum of flight controls is (including mechanical failures). I’d like to focus on telemetry and the Navio for the time being. Also, I like to consider out of range situations as a precaution.

My basic questions are:

  • What if I use 2 Navios, 2 Raspberry Pis and let them talk to each other in a master-slave configuration (working together would be even better)? If the link fails for whatever reason (power issues, Pi failure, Navio failure, software failure), they switch to the backup. I don’t think I can hook up a servo to Navio 2 boards at the same time, so I probably have to design a circuit board to allow for this. Any tips on how to achieve this? Has it been done before? Worst case scenario: I lose signal, the autopilot takes over and then the Navio or Pi fails. Is it possible to connect 2 Navios via the UART bus and write software to let them work together?
  • Manual control with a receiver? What happens when the Navio fails (including power failures)? Will the receiver be able to control the servos? If it is out of range it will be useless…?
  • Maybe use only one autopilot and use a fully independent Pi with Piface and 3G in which case I can disable the electric system of the autopilot and deploy a parachute in case of emergency. This adds weight and I don’t like this option (only when the wings fall off :P).

Maybe I’m thinking too much. However, “Autopilot fail drone” on YouTube tells me otherwise.

Any help, tips etc. would be greatly appreciated! Thanks in advance!

Hello Stefan,

Those are some good questions you have there.
Redundancy should be approached systematically by determining the weakest points. From my experience in RC I can list the most common errors that lead to a crash:

  1. Pilot error
  2. RC link failure usually because of interference
  3. Airframe mechanical failure

Introducing an autopilot onboard reduces some of these risks, but adds some others. A smartly built autopilot cluster will protect you from RPi reboots and software errors, but even if you have a dual autopilot system and they still control a single servo on the elevator it will not help much.

It is possible to connect two Navios over UART or Ethernet. If we encounter a power failure there will be no manual control available. A very simple supervisor and a parachute might be the best option, but please keep in mind that in some cases parachute deployment will lead to worse consequences, and when opened at high speed it might break the airframe.

Thanks Igor, you raise some good points, especially with the parachute and high speed. Let’s forget the parachute option for a minute and go back to two Pis and two autopilots. Let’s power them individually and connect them by either UART or crossover cable. All flight controls are powered by an individual servo so we can have a failure there. So, I’m now purely focusing on the hardware…
Is there already software for dual autopilot (with failover detection)? If not, can you give me some pointers on where to start (in source code, for example)? What method would you recommend, UART or Ethernet?

I do not see a point in connecting two autopilots together. I think the easiest option is to have a special piece of hardware that will take inputs from two autopilots, check both for health and output signals to servos. If one autopilot fails it will automatically switch to another and reboot the first.

But we still lose the airplane if this system fails.
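A supervisor of the kind Igor describes, sketched as an added example (not code from this thread, Emlid or any product): each autopilot streams servo pulses that double as a heartbeat; the supervisor drops out-of-range pulses, times out a unit that goes silent, hands the servos to the other unit and flags the failed one for reboot. The timeout, pulse range and single-channel frame format are assumptions made for the example.

```c
#include <stdbool.h>
#include <stdint.h>

/* Assumed thresholds for this example (not from the thread or any product). */
#define HEARTBEAT_TIMEOUT_MS 500u   /* silence longer than this marks an autopilot failed */
#define PWM_MIN_US 900u             /* plausible servo pulse range; anything else is garbage */
#define PWM_MAX_US 2100u
typedef struct {
    bool     seen;              /* at least one valid frame received since power-up */
    uint32_t last_valid_ms;     /* time of the last valid frame */
    uint16_t elevator_us;       /* last commanded elevator pulse width */
    bool     reboot_requested;  /* supervisor asked this unit to reboot */
} autopilot_t;

typedef struct {
    autopilot_t ap[2];
    int active;     /* index of the unit currently driving the servos */
    int failovers;  /* number of switches, worth reporting in telemetry */
} supervisor_t;

void supervisor_init(supervisor_t *s) { *s = (supervisor_t){ .active = 0 }; }

/* Feed one frame from autopilot idx. Out-of-range pulses are dropped and do not
   count as a heartbeat, so a unit streaming garbage times out like a silent one. */
void supervisor_feed(supervisor_t *s, int idx, uint32_t now_ms, uint16_t pwm_us) {
    if (idx < 0 || idx > 1 || pwm_us < PWM_MIN_US || pwm_us > PWM_MAX_US) return;
    autopilot_t *ap = &s->ap[idx];
    ap->seen = true;
    ap->last_valid_ms = now_ms;
    ap->elevator_us = pwm_us;
    ap->reboot_requested = false;   /* it is talking sense again */
}

bool autopilot_healthy(const autopilot_t *ap, uint32_t now_ms) {
    return ap->seen && (now_ms - ap->last_valid_ms) <= HEARTBEAT_TIMEOUT_MS;
}

/* Decide which unit drives the servos. Returns its index, or -1 when both have
   failed (caller must hold the last good output or a trimmed glide attitude).
   No automatic fail-back: a recovered unit only takes over when the other fails. */
int supervisor_select(supervisor_t *s, uint32_t now_ms) {
    if (autopilot_healthy(&s->ap[s->active], now_ms)) return s->active;
    int other = 1 - s->active;
    if (!autopilot_healthy(&s->ap[other], now_ms)) return -1;
    s->ap[s->active].reboot_requested = true;   /* switch to the other, reboot the first */
    s->active = other;
    s->failovers++;
    return s->active;
}
```

The test below walks one failure sequence: unit 0 goes silent, unit 1 takes over, unit 0 recovers but stays standby until unit 1 fails in turn, and finally both go quiet.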

Sounds good Igor, something like this?

Yes, but this is just a switch, you need something that will be able to monitor both autopilots and do the switching between them.

Something like this more likely:

They have been developing it for a while.

See the videos!

Very interesting stuff. Thank you!