A couple days ago we were talking about redundancy and reliability in the APM:Plane 2.74 thread. I have been thinking about how to add more redundancy without adding too much complexity and cost. I have been thinking about how to safely guide a plane after a total APM failure. This requires not giving the APM control of every servo, and hooking one of two elevator servos and the rudder servo directly to the receiver which is powered by a different source. This means that during autoflight, the APM will have to be tuned to make do with only half an elevator and no rudder. I believe that is totally doable, but not a very elegant solution. So then i was thinking how to backup the control of a servo so that it could still be utilized if the APM was dead.

Is it possible to simply Y-splice a servo signal line between the APM and the Rx so both had simutaneous control? So during auto flight the servo would be getting signals from the APM unless the pilot moved the sticks, then there would be two different signals being sent to the sevo at the same time. I wonder what a servo would do? Would it freak out and jitter, or would it simply react to the sum of the signals and behave sort of like the Stick_Mixing parameter?

I know this is a ridiculous idea, so feel free to ridicule it. Perhaps there is a more elegant way of sharing a servo for redundancy. Ideally the APM would have a true RX pass through that would function with no power. I don't know if such a device could be created as a stand alone unit, or if there could be a software solution.

Redundant system integration is the key to our success in the eyes of the FAA, so it is a conversation worth keeping active.

Views: 3336

Reply to This

Replies to This Discussion


It should be possible to fairly easy create a device receiving signals from both RX and APM to forward the APM signal as long it is there and fallback to the RX signal. A cheap AVR powered from the RX should do the trick.

That would be perfect. Maybe one of the brains here can help out. There are many devices to share multiple servos from a single source, but I don't know of any that will allow multiple sources for a servo.

For a prototype an arduino would do the job perfectly. 

The only "problem" is to detect the outage of the APM. Should it react to:
* No signal at all?

* Same signal for X seconds (indicating a frozen APM)?



Am I right in saying the APM already has a physical bypass, so that if the APM fails the RX inputs are passed directly to the outputs?  I vaguely recall that when in mode 6 ('hard' manual) it engages this passthrough? Or did I imagine all of that?

Obviously this doesn't guard against the APM going bonkers only crashing or losing power (a power loss that doesn't affect the RX)

I think the APM already has a funtion that bypasses the signals when it fails, but I'm not sure of that.

Now that we are talking about redundancy: I'm planning to buy a wing/elevon plane as a stepup from my ol' bixler, and I will fit it with four servo's. I will split each elevon in half and have each halve controlled by one servo. That way when a servo fails (and they will fail) It will not result in loss of control.

I also would like to see dual airspeed sensor usage in APM, so we have redundant airspeed measurement.

The old APM hardware (APM 1.4 with the oilpan) had a hardware fail safe driven by a separate ucontroller.

Since APM 2 that was lost (I think because a straight through fail safe doesn't make any sense for a multicopter).

@ Michael
You can get a separate board http://www.buildyourowndrone.co.uk/FailSafe-Mux-p/fs-mux. There are other similar designs around also.

If anyone is interested in hacking an old APM 1.4 let me know and I'll send you one to play with.

Cheers Paul
I was thinking the same thing for a wing. You could take it a step further and only give control of the outboard set of elevons to the APM. Power the inboard seperately and attach them directly to your Rx. This way you will still have manual control if the APM dies. If the APM has all 4 servos and one fails, I'm not sure how it could handle the sudden asymmetric control authority of both pitch and roll.

We recently discussed dual airspeed sensors and I believe it is being considered. In the meantime, dual pitot tubes to the same sensor will work with no code modification or parameter changes, and offers redundancy in the part of the system most likely to see a failure.
That link doesn't work. Please post another link for such a failsafe device.

Sorry about that try this

Cheers, Paul

Yes the dual pitot tube will reduce the risk of blockage, but poses a challenge of connecting them to one sensor. I don't have the tiny manifolds required that size, and manufacturing them myself seems a bigger risk over the extra redundancy gained.
I would rather have real redundancy, and have dual sensors as well.

The splitted elevons only work if you take over control manually I think. But with the new attitude controllers and enough I action in the control loops, and differential spoilers set for yawing action, the APM might be able to cope with it. (that would be so awesome, I am going to test that!)

How about this dual receiver buddy box system? http://www.hobbyking.com/hobbyking/store/__20002__Wireless_Buddy_Bo...
Is this essentially the same thing you linked to?
The trick is identifying a failed APM and having it automatically switch over.

Just jumping on this from a different angle ,

 is it possible to have multiple APM on a single platform? Say have a master (1x APM2.5) and slave (1xAPM2.5) with a spare reduntant (1xAPM2.5) unit to replace master if something goes wrong, while if the both masters go bad then the spare could guide the plane back to take off.


Reply to Discussion


© 2019   Created by Chris Anderson.   Powered by

Badges  |  Report an Issue  |  Terms of Service