[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: [Paparazzi-devel] Re: Redundant System

From: Yves Touchette
Subject: RE: [Paparazzi-devel] Re: Redundant System
Date: Thu, 13 Aug 2009 08:09:41 -0400

Instead of looking of a redundant system, you could look for a system to revert back to manual control in case the AP locks.

Here's how I see it:

Build a servo encoder/demux/external powerboard that looks at the PPM signal coming from the AP.  It could be simply checking that the PPM signal is there or look for a particular pattern in a spare channel. The fail safe board could then feed the servos directly from the RC signal if the AP locks up. That same board could allow you to manually override the AP with a spare channel on your transmitter as well.

I haven't look at all the details but the failsafe demux from diydrone looks like a good start!

It's not AP redundancy, but at least you can regain control is you experience problems with the AP in flight!


Date: Thu, 13 Aug 2009 08:35:57 +0000
Subject: Re: [Paparazzi-devel] Re: Redundant System
From: address@hidden
To: address@hidden

Thanks for the replies. I will have that info in account and think about the sual servos and dual batteries system.
Best regards
Rui Costa

On Thu, Aug 13, 2009 at 7:42 AM, Christophe De Wagter <address@hidden> wrote:
Hi Rui,

On larger rotorcraft we considered 2 autopilots for fail safe purposes. A third system (usually a micro controller that also drives the servos) monitored the health of both systems using a "heart beat monitor" (a wire with pulses that are made by the main control loop software) and serial ports (to receive data from both flight computers). In practise several problems arise:

-Sensors had one-way communication and could be routed to both computers so that part was solved easily.
-But using something as simple as a heart beat monitor solves some problems like power problems etc but does not detect things like corrupted RAM etc, missing/wrong sensor data, broken (analog) wires in the sensor parts etc...
-The communication with the ground is 2-way. Only one can be connected at the time while both flight computers need to have the full set of control gains, and preferably flight plan etc... If your protocol has something like retransmission upon missing acknowledgement this causes problems ...
-Adding an extra system with copper wires also increases EMC/EMI problems considerably, not even talking about the weight increase and endurance decease.

About the safety we have following considerations after looking back on 5 years of work while building over 15 aircraft/quads/helicopters from 30 cm to 350cm and ?? (I have no idea) hours of flying.

Failure cases:

1) attitude determination: the problems that arise most often are always linked to attitude determination. Usually the attitude quality decreases below the required threshold for good flight and things like precision landings become a problem
    the higher the gliding ratio of the aircraft, the worse errors in pitch become...
    a) thermopile attitude (like paparazzi) -low IR contrast, temperature offsets between 2 thermopiles, thermopiles asymmetrically looking at hot fuselages, rain, clouds (we have flown in clouds with themopiles WITH success, believe it or not but there is(can be) a slight temperature difference between the bottom of the cloud and the top: you need to calibrate the thermopiles very well though and a backup system [magnetic/airspeed] is nice to have)... 
   b) kalman filter convergence problems

2) EMI/EMC: 35MHz RC trouble, GPS quality decrease, reduced communication ranges, ...

3) Servos: after a few hundred hours of autopilot driven flight, especially cheap brushed servos DO die. Replace servos every few years and buy good quality.

4) Battery problems: after several hundred cycles LiPo batteries DO die... having 2 batteries with a diode?
Usually 1) requires manual take-over, usually 2) is left as is accepting the consequences. Nr 4 is usually detected just-in-time for a precautionary landing. Clearly the worst case for us is nr 3. 

I can imagine that several other things can go wrong, but most are linked to a bad aircraft: using the tiny "TINY" power supply for driving several large servos simply is way beyond the capabilities and the intentions of the board. 


I am not convinced that 2 parallel processors will highly increase the safety of our MAV. I think they are more likely to add new failure cases. I personally see more benefits is a redesign of the power system for MINI UAV (dual power supply for servo/processor, possibility to add dual battery with e.g. 1 NiCd[low internal resistance] to survive servo short circuits, dual actuators for elevator/ailerons) and maybe the addition of a few extra sensors like pitot tube that can help the thermopiles. At least that is what we are working on.


---------- Forwarded message ----------
From: Rui Costa <address@hidden>
To: address@hidden
Date: Tue, 11 Aug 2009 17:05:52 +0000
Subject: [Paparazzi-devel] Redundant System
Hello all,
It would be very nice to implement a redundant system control for the paparazzi project.
A system with for example two TWOGs. In case of a twog failure the other one assume the control.
What do you think about it? It's difficult to design?

Best Regards
Rui Costa

Paparazzi-devel mailing list

Rui Costa

Stay in the loop and chat with friends, right from your inbox! Learn how!

reply via email to

[Prev in Thread] Current Thread [Next in Thread]