I have elected to install my board with an "autopilot" type of installation for an airplane while I'm working on IMU code. Having not completely perused Tom's code - can someone chip in with their thoughts about fail safe/manual reversion to recover a model if the code totally crashes. Any thoughts about hardware, firmware.... Tom - could you share what you've been doing as you test?
TIA
Mitch
Fail Safe
Moderator: lukasz
3 posts
• Page 1 of 1
Re: Fail Safe
by Tom » Thu Feb 18, 2010 7:37 pm
Hi Mitch,
I never had any problems with my previous autopilots, although I can not assure it is 100% fail-proof. These are some of the principles I keep in mind:
- Minimize the startup time. If the code would reboot, it should do so in tens of milliseconds. This is crucial. A lot of avionics code automatically reboots every few seconds or milliseconds.
- Try to keep it simple, especially manual control
- The Control & PPM/PWM input loops have the highest priority
- Initialize all variables on startup, to make sure a reboot doesn't reuse the old "bad" values
Fail safe:
- Watchdog timer
- No RC signal (out of range)
- No GPS signal
=> fly home or fly straight & cut motor
What are your ideas on this topic?
I never had any problems with my previous autopilots, although I can not assure it is 100% fail-proof. These are some of the principles I keep in mind:
- Minimize the startup time. If the code would reboot, it should do so in tens of milliseconds. This is crucial. A lot of avionics code automatically reboots every few seconds or milliseconds.
- Try to keep it simple, especially manual control
- The Control & PPM/PWM input loops have the highest priority
- Initialize all variables on startup, to make sure a reboot doesn't reuse the old "bad" values
Fail safe:
- Watchdog timer
- No RC signal (out of range)
- No GPS signal
=> fly home or fly straight & cut motor
What are your ideas on this topic?
-
Tom - Site Admin
- Posts: 1016
- Joined: Fri Nov 13, 2009 6:27 pm
- Location: Belgium
Re: Fail Safe
by Mitch » Thu Feb 18, 2010 8:03 pm
Now having explored your newest code, I see you already have my primary concern covered with the manual reversion channel in the configuration utility. Most of the RC craft I've used stability augmentation on in the past could not be flown in manual reversion due to onboard mixing and instabilities - thus if a microprocessor gliched, there was no potential for manual recovery without a quick processor reset. I haven't had a problem yet either!
I see a few companies are doing failsafe switches. It would be simple enough to select and switch a set of servo pulses or a ppm stream, however, this adds another micro, more wiring, more hardware, and adds additional failure modes.
I agree with your philosophy completely.
I see a few companies are doing failsafe switches. It would be simple enough to select and switch a set of servo pulses or a ppm stream, however, this adds another micro, more wiring, more hardware, and adds additional failure modes.
I agree with your philosophy completely.
-
Mitch - Posts: 118
- Joined: Sat Dec 05, 2009 1:59 pm
- Location: Florida, USA
3 posts
• Page 1 of 1
Who is online
Users browsing this forum: No registered users and 17 guests