paparazzi-devel
From: Karoly Molnar
Subject: Re: [Paparazzi-devel] simultaneously using two autopilot systems for > reliability
Date: Wed, 27 Mar 2013 18:03:30 +0100

Hello

Fail-safe mechanisms and redundancy / SIL decomposition are very common in high-integrity systems. The question is actually how you classify a UAV.
So I fully understand the request from the organizers of the Outback Challenge that they have requested measures to ensure some sort of fail-safe operation. Actually you are still lucky that they did not request a safety certification package. You can read an example of a UAV going mad here: http://www.casa.gov.au/scripts/nc.dll?WCMS:STANDARD::pc=PC_101298

I really have no clue if there are any specific safety standards for unmanned vehicles. Does anyone know about this?
The only things that I know about, and could compare to, are DO254 and DO178, and perhaps IEC61508. These consider the system from the perspective of safety impact in case of failure, so it is not exactly about the original question (reliability). Taking a look at the Paparazzi hardware and software, my first guess is that a single hardware board with the Paparazzi software installed could meet Level E or D / SIL1. On the contrary, I suspect that a strict regulation code would require Level C for the smaller or Level B for the larger UAVs in fully autonomous mode, because a failure here could cause serious damage if the aircraft crashes in a populated area. Hence my opinion is that a UAV system equipped with a single Paparazzi-controlled board would be difficult to certify for a commercial unmanned flight licence (if such licences were provided at all). The software fail-safe mechanism is a step in a good direction. Redundancy could be another step.

Sorry for the long and boring mail; safety is not the sexiest topic. Still, in case you need more information on safety, I am glad to share my understanding of this in more detail.

Regards
Karoly

> From: address@hidden
> Subject: Paparazzi-devel Digest, Vol 108, Issue 77
> To: address@hidden
> Date: Wed, 27 Mar 2013 12:00:26 -0400
>
>
> Message: 1
> Date: Wed, 27 Mar 2013 11:55:17 +1100
> From: Chris Gough <address@hidden>
> To: address@hidden
> Subject: Re: [Paparazzi-devel] simultaneously using two autopilot
> systems for reliability
> Message-ID:
> <address@hidden>
> Content-Type: text/plain; charset=ISO-8859-1
>
> Hi Refik
>
> In my opinion it's difficult to make the system more reliable by
> adding complexity. If you have an additional component choosing which
> autopilot should be in control, that device has to be more reliable
> than the autopilots, otherwise the system will be less reliable than a
> single autopilot. The autopilots are very reliable, so it's a hard
> ask.
>
> In the Outback Challenge competition we were required to have an
> independent failsafe device. Initially we developed a "failsafe/mux"
> device with a "failover feature": it would try falling back to
> a spare autopilot before triggering a failsafe (deliberate crash).
> We abandoned that because we felt it was less secure than having a
> simpler failsafe and a single autopilot. Too many wires, an immature
> component on the critical failure path, more complexity than
> absolutely necessary. I'm not convinced the failsafe made the system
> any more secure either, but it was necessary because of the rules of
> the competition.
>
> Redundant communication links do make sense if link reliability is
> important in your application. Any given link can fail for a number of
> reasons, spatial and spatial diversity of multiple links probably adds
> more than the additional networking component takes away.
>
> For redundant GPSs, I suppose the information is there to choose "the
> best of many", but my guess is that the benefit would be marginal
> compared to a single, well-installed GPS (good location, good cable
> management).
>
> I don't know about redundant IMUs.
>
> Split control surfaces (redundant servos) are a common precaution on
> larger airframes.
>
> Chris Gough
>
>
> On Tue, Mar 26, 2013 at 7:21 PM, refik <address@hidden> wrote:
> > Hello,
> >
> > In Paparazzi, is it possible to use two complete autopilot systems for
> > reliability? (Each system includes GPS, IMU, transmitter and autopilot; if
> > one of the systems is gone, the system automatically switches to the other.)
> >
> > If it is not possible currently, I think that it will be a good choice to
> > implement.
> >
> >
> > We will try to fly an aircraft for 24 hours within 20 km, therefore we will
> > need a reliable autopilot. What configuration (autopilot, IMU, GPS and
> > modem) do you suggest we use?
> >
> > Cheers,
> > Refik
> >
> >
> > _______________________________________________
> > Paparazzi-devel mailing list
> > address@hidden
> > https://lists.nongnu.org/mailman/listinfo/paparazzi-devel
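Chris's claim in the thread, that a switching device in front of two autopilots has to be more reliable than the autopilots themselves or the combined system ends up worse than a single autopilot, can be checked with a small probability model. The script below is an added illustration and is not code from the thread or from the Paparazzi project; it assumes independent, constant per-flight success probabilities for the autopilots (`r_ap`) and the mux (`r_mux`), and models imperfect failure detection with a `coverage` parameter (the chance the mux actually notices a dead primary and switches). All numbers are illustrative.

```python
"""Per-flight reliability of one autopilot vs. a mux selecting between two.

Constructed example for the mailing-list discussion above; assumptions:
  * r_ap:  probability a single autopilot completes the flight
  * r_mux: probability the mux/voter itself completes the flight
  * coverage: probability the mux detects a failed primary and fails over
  * failures are independent; the mux sits on the critical path, so if it
    dies the aircraft is lost regardless of autopilot state
"""


def single_autopilot(r_ap: float) -> float:
    """Baseline: one autopilot, no mux in the loop."""
    return r_ap


def mux_with_two_autopilots(r_ap: float, r_mux: float, coverage: float = 1.0) -> float:
    """Mux + primary + spare autopilot.

    Mission succeeds if the mux survives AND either the primary survives
    or (primary fails, the mux detects it, and the spare survives).
    With coverage=1 this is r_mux * (1 - (1 - r_ap)**2).
    """
    primary_ok = r_ap
    failover_ok = (1.0 - r_ap) * coverage * r_ap
    return r_mux * (primary_ok + failover_ok)


def breakeven_mux_reliability(r_ap: float, coverage: float = 1.0) -> float:
    """Minimum r_mux for the redundant system to beat a single autopilot.

    Solving r_mux * r_ap * (1 + (1 - r_ap) * coverage) = r_ap gives
    r_mux = 1 / (1 + (1 - r_ap) * coverage), which is always above r_ap
    whenever r_ap < 1: the mux must be more reliable than the autopilots.
    """
    return 1.0 / (1.0 + (1.0 - r_ap) * coverage)


def mux_helps(r_ap: float, r_mux: float, coverage: float = 1.0) -> bool:
    """True if adding the mux + spare improves per-flight reliability."""
    return mux_with_two_autopilots(r_ap, r_mux, coverage) > single_autopilot(r_ap)


def comparison_table(r_ap: float, mux_candidates, coverage: float = 1.0):
    """Rows of (r_mux, redundant reliability, improves?) for a sweep of mux values."""
    return [
        (r_mux, mux_with_two_autopilots(r_ap, r_mux, coverage), mux_helps(r_ap, r_mux, coverage))
        for r_mux in mux_candidates
    ]


if __name__ == "__main__":
    r_ap = 0.999  # illustrative: one loss per thousand flights
    print(f"single autopilot: {single_autopilot(r_ap):.6f}")
    print(f"break-even mux reliability (coverage=1.0): {breakeven_mux_reliability(r_ap):.6f}")
    print(f"break-even mux reliability (coverage=0.5): {breakeven_mux_reliability(r_ap, 0.5):.6f}")
    for r_mux, r_sys, better in comparison_table(r_ap, [0.99, 0.999, 0.9999, 0.99999]):
        print(f"r_mux={r_mux:<8} redundant={r_sys:.6f} improves={better}")
```

The sweep shows the point numerically: with autopilots at 0.999, a mux at 0.99 or even 0.999 makes the aircraft less likely to finish the flight than one autopilot alone, and only a mux at 0.9999 or better pays off. Lower detection coverage pushes the required mux reliability higher still, which is the "immature component on the critical failure path" problem Chris describes.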
