On larger rotorcraft we considered 2 autopilots for fail-safe purposes. A third system (usually a microcontroller that also drives the servos) monitored the health of both systems using a "heartbeat monitor" (a wire with pulses that are made by the main control loop software) and serial ports (to receive data from both flight computers). In practice several problems arise:
- Sensors had one-way communication and could be routed to both computers, so that part was solved easily.
- But using something as simple as a heartbeat monitor solves some problems (power problems etc.) but does not detect things like corrupted RAM, missing/wrong sensor data, broken (analog) wires in the sensor parts, etc.
- The communication with the ground is 2-way. Only one can be connected at a time, while both flight computers need to have the full set of control gains, and preferably the flight plan etc. If your protocol has something like retransmission upon missing acknowledgement, this causes problems.
- Adding an extra system with copper wires also increases EMC/EMI problems considerably, not even talking about the weight increase and endurance decrease.
About the safety we have the following considerations after looking back on 5 years of work while building over 15 aircraft/quads/helicopters from 30 cm to 350 cm and ?? (I have no idea) hours of flying.
1) Attitude determination: the problems that arise most often are always linked to attitude determination. Usually the attitude quality decreases below the required threshold for good flight, and things like precision landings become a problem.
the higher the gliding ratio of the aircraft, the worse errors in pitch become...
a) thermopile attitude (like Paparazzi): low IR contrast, temperature offsets between 2 thermopiles, thermopiles asymmetrically looking at hot fuselages, rain, clouds (we have flown in clouds with thermopiles WITH success, believe it or not, but there is (or can be) a slight temperature difference between the bottom of the cloud and the top: you need to calibrate the thermopiles very well though, and a backup system [magnetic/airspeed] is nice to have)...
b) Kalman filter convergence problems
2) EMI/EMC: 35MHz RC trouble, GPS quality decrease, reduced communication ranges, ...
3) Servos: after a few hundred hours of autopilot driven flight, especially cheap brushed servos DO die. Replace servos every few years and buy good quality.
4) Battery problems: after several hundred cycles LiPo batteries DO die... having 2 batteries with a diode?
Usually 1) requires manual take-over, usually 2) is left as is accepting the consequences. Nr 4 is usually detected just-in-time for a precautionary landing. Clearly the worst case for us is nr 3.
I can imagine that several other things can go wrong, but most are linked to a bad aircraft: using the tiny "TINY" power supply for driving several large servos simply is way beyond the capabilities and the intentions of the board.
I am not convinced that 2 parallel processors will highly increase the safety of our MAV. I think they are more likely to add new failure cases. I personally see more benefit in a redesign of the power system for MINI UAV (dual power supply for servo/processor, possibility to add a dual battery with e.g. 1 NiCd [low internal resistance] to survive servo short circuits, dual actuators for elevator/ailerons) and maybe the addition of a few extra sensors like a pitot tube that can help the thermopiles. At least that is what we are working on.
---------- Forwarded message ----------
From: Rui Costa <address@hidden>
Date: Tue, 11 Aug 2009 17:05:52 +0000
Subject: [Paparazzi-devel] Redundant System
It would be very nice to implement a redundant system control for the paparazzi project.
A system with for example two TWOGs. In case of a TWOG failure the other one assumes control.
What do you think about it? Is it difficult to design?
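The reply above describes a supervising microcontroller that watches both flight computers over a heartbeat wire plus a serial link, and notes that the heartbeat alone misses frozen or corrupted data. The following is an added example, not Paparazzi code or the poster's own, modelling that supervisor: the frame format, the 100 ms heartbeat timeout, the stale-frame limit and the attitude plausibility bounds are all assumed values.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdlib.h>
/* Constructed model of the supervising microcontroller from the reply above; not Paparazzi
 * code. Frame format, thresholds and the plausibility limits are assumed values. */
#define HB_TIMEOUT_MS    100  /* main control loop must pulse the heartbeat wire this often */
#define MAX_STALE_FRAMES   5  /* consecutive invalid/non-advancing frames before distrust  */
typedef struct { uint8_t seq; int16_t pitch_cdeg, roll_cdeg; uint8_t crc; } fc_frame_t;
typedef struct { uint32_t last_hb_ms; uint8_t last_seq, stale; } fc_monitor_t;
/* XOR checksum over the payload fields of the assumed serial frame. */
uint8_t frame_crc(const fc_frame_t *f) {
    uint16_t p = (uint16_t)f->pitch_cdeg, r = (uint16_t)f->roll_cdeg;
    return (uint8_t)(f->seq ^ (p & 0xFF) ^ (p >> 8) ^ (r & 0xFF) ^ (r >> 8));
}
/* Heartbeat edge: proves only that the main loop is still cycling. */
void monitor_heartbeat(fc_monitor_t *m, uint32_t now_ms) { m->last_hb_ms = now_ms; }
/* Serial frame: catches what the wire cannot, i.e. frozen, corrupted or implausible data. */
bool monitor_frame(fc_monitor_t *m, const fc_frame_t *f) {
    bool ok = frame_crc(f) == f->crc && f->seq != m->last_seq
           && abs(f->pitch_cdeg) <= 9000 && abs(f->roll_cdeg) <= 18000;
    if (ok) { m->last_seq = f->seq; m->stale = 0; } else if (m->stale < 255) m->stale++;
    return ok;
}
bool fc_healthy(const fc_monitor_t *m, uint32_t now_ms, bool check_frames) {
    bool alive = now_ms - m->last_hb_ms <= HB_TIMEOUT_MS;
    return alive && (!check_frames || m->stale < MAX_STALE_FRAMES);
}
/* Which flight computer may drive the servos: 0 = primary, 1 = backup, -1 = neither. */
int select_active(const fc_monitor_t *a, const fc_monitor_t *b, uint32_t now_ms, bool chk) {
    if (fc_healthy(a, now_ms, chk)) return 0;
    if (fc_healthy(b, now_ms, chk)) return 1;
    return -1;
}
/* Constructed scenario: the primary keeps pulsing, but its serial output freezes on one
 * frame (e.g. a hung sensor task). Heartbeat-only supervision leaves it in control. */
int run_scenario(bool check_frames) {
    fc_monitor_t a = {0}, b = {0};
    fc_frame_t frozen = { .seq = 7, .pitch_cdeg = 150, .roll_cdeg = -300 };
    frozen.crc = frame_crc(&frozen);
    for (uint32_t t = 50; t <= 350; t += 50) {
        monitor_heartbeat(&a, t); monitor_heartbeat(&b, t);
        monitor_frame(&a, &frozen);                     /* same frame every cycle */
        fc_frame_t live = { .seq = (uint8_t)(t / 50), .pitch_cdeg = 100, .roll_cdeg = 0 };
        live.crc = frame_crc(&live);
        monitor_frame(&b, &live);                       /* backup keeps advancing */
    }
    return select_active(&a, &b, 350, check_frames);    /* 0 heartbeat-only, 1 with frames */
}
```

With only the heartbeat consulted the frozen primary is still selected; adding the sequence, checksum and plausibility checks on the serial frames is what makes the supervisor hand over to the backup.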