[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Paparazzi-devel] simultaneously using two autopilot systems for rel

From: Christophe De Wagter
Subject: Re: [Paparazzi-devel] simultaneously using two autopilot systems for reliability
Date: Tue, 9 Apr 2013 21:47:37 +0200


Extra Servo's: can improve safety. They wear over time, having spare is useful.

Extra wires & connectors: does certainly not improve safety.

Extra satelite receiver: expecially in RC mode that is considered as a very good thing to do

Extra autopilot running the same code? when using the same imu/gps types with same ahrs, it will most likely give the same attitude errors in that particular flight case. So this only solves pure hardware malfunctions (broken chip) by adding extra wires (which typically break more easily than chips inflight) and connections and adding extra code to detect malfunctions.

My personal idea is that with a good hardware redesign placing both autopilots with their separate shielding and power on a single PCB, without connectors but with protecting line drivers, tvs and ferrites on all lines it can make a dual/triple board design actually safer than a single board. However, if 2 separate lisa's are placed in a plane with wires in between, I hardly doubt it will ever be safer than a single lisa.


On Wed, Mar 27, 2013 at 1:55 AM, Chris Gough <address@hidden> wrote:
Hi Refik

In my opinion it's difficult to make a the system more reliable by
adding complexity. If you have an additional component choosing which
autopilot should be in control, that device has to be more reliable
than the autopilots otherwise the system will be less reliable than a
single autopilot. The autopilots are very reliable, so it's a hard

In the Outback Challenge competition we were required to have an
independent failsafe device. Initially developed a "failsafe/mux"
device that with a "failover feature", it would try falling back to
the a spare autopilot before triggering a failsafe (deliberate crash).
We abandoned that because we felt it was less secure than having a
simpler failsafe and a single autopilot. To many wires, an immature
component on the critical failure path, more complexity than
absolutely necessary. I'm not convinced the failsafe made the system
any more secure either, but it was necessary because of the rules of
the competition.

Redundant communication links do make sense if link reliability is
important in your application. Any given link can fail for a number of
reasons, spatial and spatial diversity of multiple links probably adds
more than the additional networking component takes away.

For redundant GPS', I suppose the information is there to chose "the
best of many" one but my guess is that the benefit would be marginal
compared to single, well installed GPS (good location, good cable

I don't know about redundant IMUs.

Split control surfaces (redundant servos) are a common precaution on
larger airframes.

Chris Gough

On Tue, Mar 26, 2013 at 7:21 PM, refik <address@hidden> wrote:
> Hello,
> In paparazzi, is it possible to use two complete autopilot systems for
> reliability ? (each system includes GPS, imu, transmitter and autopilot, if
> one of the systems is gone, the system automatically switches to other).
> If it is not possible currently, I think that it will be a good choice to
> implement.
> We will try to fly an aircraft for 24 hours within 20km, therefore we will
> need a reliable autopilot. What configuration (autopilot, imu, Gps and
> modem) do you suggest to use?
> Cheers,
> Refik
> _______________________________________________
> Paparazzi-devel mailing list
> address@hidden


Paparazzi-devel mailing list

reply via email to

[Prev in Thread] Current Thread [Next in Thread]