Redundancy in UAV Autopilots: The proof that quantity is not equal to quality
Redundancy is a commonly used term in the aeronautical industry, because safety is almost always the primary concern when designing any system. The starting point is to assume that any system may be subject to partial or complete failure. Consequently, the principal objective when designing a system is to reduce or eliminate any single point of failure which may lead to the loss of any critical system functionality. Part of this process may be the inclusion of redundant systems to ensure a Mean Time Between Failure (MTBF) greater than a defined level. In addition, it is important to understand the behavior of all sub-systems, by means of a Fault Tree Analysis (FTA) to be able to predict and plan for failure.
In this sense, and as an introduction to this matter, two concepts can be identified: hardware and functional redundancy.
- Hardware redundancy means that additional components are used in parallel. If one of the components demonstrates an unwanted behavior, then the malfunctioning component can be identified and isolated so that another correctly functioning component can continue to work as normal. This approach often features complete (double or triple) redundancy for every component part of a system, from the CPU to the final actuator.
- Functional redundancy is based on the comparison of outputs from the components to evaluate their performance. The system uses internal algorithms to analyze the data from the components, taking into account special algorithms and, in some cases, historical values, to determine whether the system is working correctly; if it is not, the system switches to a secondary logic, based on different principles but delivering similar functionality. This makes the system more robust, as it identifies not only whether the system components are working, but also whether they are working properly. In this sense, there are specific studies that help manufacturers to understand the probability of failure within their systems.
Hardware redundancy has the dual advantages of reliability and full isolation; however, it also has disadvantages such as additional cost, additional weight and the additional space required to accommodate a physically larger system, perhaps with greater power consumption.
Functional redundancy, however, is based on a software solution that can be implemented on small processors without the disadvantages outlined above.
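As an added illustration of functional redundancy (not code from UAV Navigation or the VECTOR autopilots), the monitor below compares two airspeed sensors against each other and against recent accepted values, degrades to the single sensor that still agrees with the trend, and switches to a secondary estimate based on a different principle (assumed here to be GNSS ground speed) when neither sensor can be trusted. Thresholds and the sample trace are constructed.

```python
from collections import deque

class AirspeedMonitor:
    """Functional-redundancy check over two airspeed sensors plus a short history.
    Falls back to a dissimilar estimate (assumed: GNSS ground speed) when
    neither sensor is trustworthy."""

    def __init__(self, tolerance=3.0, max_step=5.0, history=5):
        self.tolerance = tolerance   # max allowed disagreement between sensors (m/s)
        self.max_step = max_step     # max plausible jump vs. recent accepted values (m/s)
        self.hist = deque(maxlen=history)

    def _plausible(self, value):
        # A sudden jump relative to the recent trend indicates a sensor fault.
        if not self.hist:
            return True
        return abs(value - sum(self.hist) / len(self.hist)) <= self.max_step

    def update(self, s1, s2, gnss_speed):
        """Return (airspeed estimate, source) for one sample."""
        if abs(s1 - s2) <= self.tolerance:
            avg = (s1 + s2) / 2
            if self._plausible(avg):
                self.hist.append(avg)
                return avg, "primary"
        # Sensors disagree, or jumped together: keep the one consistent with history.
        good = [v for v in (s1, s2) if self._plausible(v)]
        if len(good) == 1:
            self.hist.append(good[0])
            return good[0], "degraded"
        # Neither sensor is trustworthy: switch to secondary logic on a different principle.
        return gnss_speed, "secondary"

# Constructed trace (sensor1, sensor2, gnss): sensor 1 fails hard at sample 3,
# both sensors read implausibly high at sample 4.
SAMPLES = [(20.0, 20.5, 19.8), (20.2, 20.4, 19.9), (35.0, 20.3, 20.0),
           (35.0, 36.0, 20.1), (36.0, 21.0, 20.2)]

def run_trace(samples=SAMPLES):
    mon = AirspeedMonitor()
    return [(round(v, 2), src) for v, src in (mon.update(*s) for s in samples)]

if __name__ == "__main__":
    for est, src in run_trace():
        print(f"{est:6.2f} m/s  ({src})")
```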
The fact that an aircraft is equipped with redundant hardware systems does not necessarily mean that the autopilot will be capable of continuing the mission in case of a partial or complete system failure. A better approach may be to design a system with a low probability of failure or a high MTBF. At UAV Navigation, we subjected our VECTOR-600 autopilot to an independent third-party study, which established an MTBF of over 19500 hours. The study comprised a Reliability Prediction Report (RPR), a Failure Mode Effects and Criticality Analysis (FMECA), and a Fault Tree Analysis (FTA).
In addition, UAV Navigation has invested significant resources in improving functional redundancy in order to raise the MTBF of the system as a whole. Examples of the work in this area include engine-failure detection logic, such as automatic autorotation in the rotary-wing solution, GNSS-denied navigation capabilities, and predictive paths in the GCS software which give the operator a visual reference of the point where the aircraft will touch down. Another example is the failsafe logic that can switch automatically between CPUs without a reset.
Common Misconceptions and Drawbacks When Talking About Redundancy
In order to achieve redundancy, some autopilot manufacturers use several replicas of a control unit together with a multiplexer. This has the attraction of being able to show two, three or even more autopilots side by side in a UAV installation, which may look impressive. However, simply including multiple identical systems, however high their MTBF, is not the solution. To the uninitiated, it would seem that two autopilots are ‘obviously’ twice as safe as one, and so on. However, there are drawbacks to this approach:
- Drawback #1 is related to arbitration. In a triple redundant system, a complex dissimilar arbitration unit is required in order to select between the different units available; this is more complicated than the relatively simple logic of a watchdog which simply switches between two CPUs. In the case of arbitration, other considerations have to be taken into account, which complicate the logic. Such logic may introduce more uncertainty, which can lead to a higher probability of failure if the system is not correctly designed, not only within the arbitrator, but also in each autopilot unit, because each autopilot must communicate status information to the arbitrator in addition to its primary purpose: control of the UAV.
- Drawback #2 is related to software inside redundant hardware systems. Hardware redundancy only helps to safeguard against hardware failure; however, if these components include the same software and it has been released with a bug, all the components will fail catastrophically.
- Drawback #3 relates to increased unreliability in systems which feature multiple connections between units and peripherals. When integrating a system with multiple autopilots into a UAV, it will be necessary to duplicate or even triplicate the number of connectors for the control units, power supply, datalink and GNSS antennas etc. Hardware connectors are known to be common points of failure within an installation; more connectors means more likelihood of failure.
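The three drawbacks can be put into a simple per-mission reliability model. The example below is added here and is not an analysis from the article or from UAV Navigation: every figure is constructed except the 19500 h MTBF the article quotes for VECTOR-600, and the connector, shared-software and arbitrator failure probabilities are assumptions chosen only to show the shape of the argument.

```python
import math

def mission_failure_prob(mtbf_hours, mission_hours):
    """Probability that a unit with an exponential failure law fails during one mission."""
    return 1.0 - math.exp(-mission_hours / mtbf_hours)

def unit_failure(p_hw, p_conn, connectors):
    """A unit is lost if its hardware fails or any of its connectors fails (Drawback #3)."""
    return 1.0 - (1.0 - p_hw) * (1.0 - p_conn) ** connectors

def system_failure(n_units, p_hw, p_conn, connectors, p_sw, p_switch):
    """Loss of control if the software shared by all replicas fails (Drawback #2),
    the arbitration/switching logic fails (Drawback #1), or every unit is lost
    independently. Only the last term improves with more identical units."""
    all_units_lost = unit_failure(p_hw, p_conn, connectors) ** n_units
    return 1.0 - (1.0 - p_sw) * (1.0 - p_switch) * (1.0 - all_units_lost)

# Constructed figures, except the 19500 h MTBF quoted in the article for VECTOR-600.
MISSION_H = 10.0
P_CONN = 1e-4        # per-connector failure probability per mission (assumed)
P_SW_BUG = 1e-4      # identical firmware bug that fails every replica at once (assumed)
P_ARBITER = 1e-3     # dissimilar triple-redundancy arbitrator failure (assumed)

def single_high_mtbf():
    # One unit, MTBF 19500 h, 4 connectors, no arbitration logic that can fail.
    return system_failure(1, mission_failure_prob(19500, MISSION_H), P_CONN, 4, P_SW_BUG, 0.0)

def triple_low_mtbf(p_sw=P_SW_BUG, p_arb=P_ARBITER):
    # Three identical 2000 h units (assumed), each with its own 4 connectors, plus an arbitrator.
    return system_failure(3, mission_failure_prob(2000, MISSION_H), P_CONN, 4, p_sw, p_arb)

if __name__ == "__main__":
    print(f"single high-MTBF unit      : {single_high_mtbf():.2e}")
    print(f"triple identical units     : {triple_low_mtbf():.2e}")
    print(f"triple, hardware-only model: {triple_low_mtbf(0.0, 0.0):.2e}")
```

Counting only independent hardware faults, the triple installation looks far safer; once the common-mode software term and the arbitrator are included, its per-mission failure probability is floored at the software bug rate and, with these figures, ends up above that of the single high-MTBF unit.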
UAV Navigation’s VECTOR family of autopilots has been designed and manufactured to demanding military standards (MIL-STD) and features a deterministic system with hardware and functional redundancy in critical components such as flight control CPUs and sensors. This design maximizes reliability (and therefore flight safety) without compromising the system with unnecessary additional hardware.
Redundancy is not only a matter of component duplication: if each component has low reliability, duplication can still lead to catastrophic results. For this reason, UAV Navigation has studied flight data collected over many years to improve system reliability. Additionally, the Company has used its years of experience developing advanced automatic safety logics and sensor fusion algorithms to enhance system reliability and robustness.
UAV Navigation's systems have been designed for use in UAS where a compromise between size and weight is required, and which will not put the platform or the payload at risk. The design philosophy is to ensure operational reliability through highly reliable components, sensor fusion logics, advanced flight control logics and additional features to recover the platform safely if required, using techniques such as autorotation, gliding or a Flight Termination System (FTS) - some of which are now mandatory features under current legislation.