Discussion Parachute fail safe talk and design
airmcn_3
May 27, 2009, 12:40 AM
I would like to start a discussion on Parachute fail safe systems.
As you know the various Governments are buckling down on us, why not show them that we have the capabilities and have implemented them into our UAS to be a very safe hobby. One of the requirements by all these Governments is to have various fail safes; the parachute seems to be a widely accepted way of terminating flight.
Has anybody built one that would like to share their experiences and show some pictures?
I will start.
This will be for a 2kg flying wing.
The spring is from a shock tower for a 1/8th scale RC buggy, the prototype box is made of balsa and bass wood. AUW with parachute is 110g. Parachute is a 70'' nylon chute from http://www.redarrowhobbies.com/top_flight.htm
A separate interface board will be made with its own power for the fail safe trigger.
airmcn_3
May 27, 2009, 12:41 AM
The wires for the parachute travel through the box and to the spar or attachment point, this is probably one of the most critical parts of this project as placement can cause more problems than it solves.
airmcn_3
May 27, 2009, 12:47 AM
I believe a better release and top for the box are in order, anybody care to give suggestions?
sharpshooter223
May 27, 2009, 01:06 AM
How will this be mounted? I remember there was a trainer parachute system if you lost control of your plane that would mount to the top and it was more of an airfoil shape, just thinking depending on what kind of flight characteristics you are looking for a little sleeker design may help. Oh and I think you mean 70" parachute not 70' :D
airmcn_3
May 27, 2009, 01:11 AM
How will this be mounted? I remember there was a trainer parachute system if you lost control of your plane that would mount to the top and it was more of an airfoil shape, just thinking depending on what kind of flight characteristics you are looking for a little sleeker design may help. Oh and I think you mean 70" parachute not 70' :D
OOPS ;)
The box will be mounted inside the fuselage of the wing, it will be imbedded and will have very little sticking out the top of the aircraft, chances are it will look like a little bubble once I am finished. I thought about a parafoil type parachute but it adds a bit of complication to the project. Have you ever tried one? Would be interested in hearing what the percentage of full canopy openings are?
10Thumbs
May 27, 2009, 01:31 AM
Strange, I was thinking about this concept last night after reading MA magazine (AMA's magazine). There was a letter from the AMA president regarding possible FAA regulation changes.
RC aviation may need to adapt more stringent safety features for anything larger than a parkflyer. I don't disagree that added safety features would be beneficial as long as they are phased in with plenty of time for the RC community to adopt them without spending loads of money.
Nimski
May 27, 2009, 01:40 AM
I've made a parachute failsafe system for a ~15kg plane. The parachute was a custom design by a guy who makes parachutes for skydivers and the release mechanism was a custom made bag coupled with a springed parachute (that is used for releasing full size skydiving parachutes).
The spring parachute would be compressed inside a bag and a final pin would hold everything together. The fail safe consisted of a motor that pulled this pin and released the canopy and the spring chute. This chute would then pull out the main 3m parachute from within the fuselage. I can post pictures of this if you are interested.
airmcn_3
May 27, 2009, 01:53 AM
I've made a parachute failsafe system for a ~15kg plane. The parachute was a custom design by a guy who makes parachutes for skydivers and the release mechanism was a custom made bag coupled with a springed parachute (that is used for releasing full size skydiving parachutes).
The spring parachute would be compressed inside a bag and a final pin would hold everything together. The fail safe consisted of a motor that pulled this pin and released the canopy and the spring chute. This chute would then pull out the main 3m parachute from within the fuselage. I can post pictures of this if you are interested.
Very interested, looking forward to it!
Chris
KarbonBird
May 27, 2009, 02:28 AM
Thanks for sharing this - very impressive. I am about to start work on a similar system so will provide details when available too.
brakar
May 27, 2009, 03:46 AM
Nice system, and a really good idea,
To be a bit picky, the term "fail-safe" is usually used about systems that fail to a safe condition, (do not need to be activated by an operator). E.g. the brake in a normal car can be regarded as a "safety system" vs the brake(-system) in a truck is often also a fail-safe system. Why is that? The brake in the truck also goes on if the system fails, e.g. loss of pressure due to broken tube/hose.
According to the distinction above, for now I would call this system as described a safety-system and not a true fail-safe system. Either way, the idea is good, and additional fail-safe functionality could be added at a later stage, e.g. release if:
- engine stop,
- loss of signal,
- empty battery,
- etc.
brakar
Gary Mortimer
May 27, 2009, 05:30 AM
Here's a basic setup from DIYdrones
http://diydrones.ning.com/video/parachute-recovery-system
Brakar, the Atto should bring your bird home before you run out of power, it's set up to return to home if it cannot complete its mission. There are also loss of signal conditions.
I guess a good look at the SR22 parachute recovery system might be in order as well!
G
spitfiremk9
May 27, 2009, 06:38 AM
The term failsafe does rather suggest that all else has completely failed, therefore a system that needs operator input is useless.
The only true failsafe would be operated similar to the one in Gary's link above that activates when RC signal is lost, the failsafe pic would also have to be isolated from the main flight battery, so a second battery and monitor would be needed for a legitimate system.
brakar
May 27, 2009, 09:04 AM
Design of true fail-safe systems is often difficult, especially when it's difficult to specify a condition that actually is safe. E.g. if the engine stops when flying the model over salty water it would probably be a better choice to try to glide the model towards land than parachute it right into the ocean. For situations like this an alert/override function would be desirable - but also adds complexity.
In the case of the Atto, it seems to have its own built-in fail-safe functions, which you probably do not want to mess up.
Taking into account the complexity of a true fail-safe system and the possibility that such a system might trigger by fault, I think a basic system easy to install and operate, like the one described, would be a very good choice - especially compared to nothing.
airmcn_3
May 27, 2009, 11:19 AM
Nice system, and a really good idea,
To be a bit picky, the term "fail-safe" is usually used about systems that fail to a safe condition, (do not need to be activated by an operator). E.g. the brake in a normal car can be regarded as a "safety system" vs the brake(-system) in a truck is often also a fail-safe system. Why is that? The brake in the truck also goes on if the system fails, e.g. loss of pressure due to broken tube/hose.
According to the distinction above, for now I would call this system as described a safety-system and not a true fail-safe system. Either way, the idea is good, and additional fail-safe functionality could be added at a later stage, e.g. release if:
- engine stop,
- loss of signal,
- empty battery,
- etc.
brakar
brakar,
Sorry I was not more specific, it was very late here.
The system will be a full fail safe system; it will require zero pilot intervention and will rely on monitoring multiple parts of the system.
There are a few ideas I have to trigger the fail safe; these ideas came from real world experience flying a UAS without one.
I envision the fail safe to act similar to a relay, normally closed is what the aircraft will see when all systems are working right and feeding the correct information, normally open will be the default function of the "relay" that will disable power and trigger the parachute. Of course this would have a separate battery backup, it would not take much as all it has to do is trigger a servo and "relay".
In the event of a failure the system would cut all power to the UAS and deploy the parachute. Some symptoms I think should trigger the system are as follows:
1. GPS sat count less than 3 for more than 5 seconds
2. Very low battery (Atto users have a RTL feature that is user set)
3. Low altitude (a defined altitude that triggers the fail safe)
4. Loss of RC signal for more than 3 seconds (this feature is questionable as some autopilots such as Atto have an RC lockout that is user defined, if in auto the RC transmission should technically not matter until aircraft is back to its designated distance)
5. High roll angle (user defined. This would be set to an angle the aircraft should never see during AUTO flight)
6. High pitch angle (Same as roll)
I am very open to suggestions or comments; this is supposed to be a constructive thread to help each other out.
Thanks for the kind words.
Chris
airmcn_3
May 27, 2009, 12:00 PM
Back to the box.
So the ground tests seem to work well, I am not sure the way I am releasing the lid is the best way to go, I will think through this today.
Here is a short clip with me manually moving the servo.
Chris
http://www.youtube.com/watch?v=t7XoS1HIzVg
airmcn_3
May 27, 2009, 12:55 PM
Almost time to test.
I have dry fitted the box to my e-flight airliner, this bird is almost the exact weight as our wing and cost considerably less....
First tests will be with a 30" chute, we will start there and work our way up to the 70" if needed. I want to keep as much weight as I can out of the bird and stay away from unnecessary canopy area which results in a larger box.
Sorry for the cruddy pics, that's an iPhone for you...... Too lazy to go get the good cam.....
Connexxion
May 27, 2009, 01:21 PM
Don't forget to take glitches into account.
I myself have been thinking of the same idea, but realised that a glitch could ruin almost every flight as glitches are common to most people.
Without a chute a glitch means nothing, but with a chute it means you'll have to land the damn thing. Maybe a delayed failsafe would be the ticket to success with a chute aboard the plane.
airmcn_3
May 27, 2009, 01:33 PM
Don't forget to take glitches into account.
I myself have been thinking of the same idea, but realised that a glitch could ruin almost every flight as glitches are common to most people.
Without a chute a glitch means nothing, but with a chute it means you'll have to land the damn thing. Maybe a delayed failsafe would be the ticket to success with a chute aboard the plane.
I agree, this is the reason for the large time delay before fail safe on a number of features, 2-5 seconds in airplane time going 50mph is forever and is more than enough time to crash the plane if altitude is too low. This is my largest concern with the RC side of things, as you said and as we all know glitches are very common and almost always guaranteed during flight. I would be pissed if a simple couple millisecond glitch caused the bird to abort the mission.....
Gary Mortimer
May 27, 2009, 02:39 PM
I think a big red button should be included somewhere.
With either warning or danger on it
Now, is at the tail or on the nose the best place to harness the chute?
If you have cameras in the nose at least they will arrive at the scene last, if the chute is attached from the nose
airmcn_3
May 27, 2009, 03:16 PM
I think a big red button should be included somewhere.
With either warning or danger on it
Now, is at the tail or on the nose the best place to harness the chute?
If you have cameras in the nose at least they will arrive at the scene last, if the chute is attached from the nose
Big Red Button..... Can do, good idea!
I was thinking about the attachment point, obviously you would want to go to the main spar to distribute the shock over the strongest part of the airplane, the question is do you want it to fall slightly nose down or slightly nose up. I would think slightly nose up would be the best given the hardware up front.
UAVGuy
May 27, 2009, 03:40 PM
You could mount the parachute module wherever was convenient and run the risers to the CG. This would free up space on the CG for (payloads/fuel/batteries).
I have some work experience dealing with parachute recovery systems on DOD UAV's.
airmcn_3
May 27, 2009, 03:43 PM
You could mount the parachute module wherever was convenient and run the risers to the CG. This would free up space on the CG for (payloads/fuel/batteries).
I have some work experience dealing with parachute recovery systems on DOD UAV's.
I guess a little illustration might help; I am having a hard time envisioning this. I catch your thought and a darn good one, if you have a bird that has a usable payload chances are it’s placed over the CG, don’t want to crud up that area with other boxes.......
Thanks for the thoughts.
Cort
May 27, 2009, 04:38 PM
Bottom of this page shows a parachute recovery system that was employed by a user for a commercially available system.
Cheers,
Cort
Gary Mortimer
May 27, 2009, 05:11 PM
Er am I being thick Cort? Where should I be looking?
brakar
May 27, 2009, 05:44 PM
Quote airmcn_3
The system will be a full fail safe system; it will require zero pilot intervention and will rely on monitoring multiple parts of the system.
There are a few ideas I have to trigger the fail safe; these ideas came from real world experience flying a UAS without one.
I envision the fail safe to act similar to a relay, normally closed is what the aircraft will see when all systems are working right and feeding the correct information, normally open will be the default function of the "relay" that will disable power and trigger the parachute. Of course this would have a separate battery backup, it would not take much as all it has to do is trigger a servo and "relay".
In the event of a failure the system would cut all power to the UAS and deploy the parachute. Some symptoms I think should trigger the system are as follows:
1. GPS sat count less than 3 for more than 5 seconds
2. Very low battery (Atto users have a RTL feature that is user set)
3. Low altitude (a defined altitude that triggers the fail safe)
4. Loss of RC signal for more than 3 seconds (this feature is questionable as some autopilots such as Atto have an RC lockout that is user defined, if in auto the RC transmission should technically not matter until aircraft is back to its designated distance)
5. High roll angle (user defined. This would be set to an angle the aircraft should never see during AUTO flight)
6. High pitch angle (Same as roll)
Chris,
My experience with fail-safe systems is limited to the railway-sector, learning from colleagues and not by designing them myself. Just as you know. With the railways, the design of fail-safe systems probably was easier, since "the safe condition" usually was easy to define, (change the signal-light to red, activate the brakes on the train, release door-locks in the case of fire, etc).
From what I learned there, I think of a fail safe system as a system where the neutral position is off / in the safest condition. To be able to use the system (train itself, the signalling system or close the lock on fire-doors) where the fail-safe system was embedded, a whole lot of conditions/systems/processes had to be monitored, and if any of these conditions/sub-systems/processes did not respond properly - the fail-safe system was activated. (Red light, brakes on, fire-door open).
In your case, this means that the parachute should be held back by a magnetic lock, or a relay, which required current to prevent the parachute from being released. This follows from the assumption that a released parachute is the safest condition, and that even failure in the fail-safe system itself, (e.g flat fail-safe system battery) should activate the fail-safe system.
Anyway, I am not sure if this is a good philosophy to use in an airplane, (maybe except from the idea of a magnet/relay requiring current to prevent releasing the parachute - might save you a servo and some components).
This is why I partly changed my mind in my second post and suggested a manual release.
After having given the idea some more thought, my priority-list for dealing with failures would probably be:
1. go through all previous experience with failures, and prevent these failures from happening again - by re-design/removing the cause of the failure. (In the railway-business we often used "threat-logs" / lists over known fail-sources. Maybe there exists something similar for airplanes/UAVs).
2. try to implement some corrective actions before releasing the parachute, e.g. return to base, climb to higher altitude to try to regain signal, start circling, and so on.
3. If everything fails, release parachute.
Don't know if any of this actually was of any help,
brakar
fly_boy99
May 27, 2009, 05:54 PM
You might want to put some thought into "false positives" for your fail safe system. It would really suck if a boundary condition occurred and thus sent your UAV down when it really didn't have to.
But at this point you will have gone beyond the point of no return in complexity for sure. Don't ask me how I know...
spitfiremk9
May 27, 2009, 06:15 PM
You might want to put some thought into "false positives" for your fail safe system. It would really suck if a boundary condition occurred and thus sent your UAV down when it really didn't have to.
But at this point you will have gone beyond the point of no return in complexity for sure. Don't ask me how I know...
That last little comment sounds costly fly, but you're right, how sensitive should a failsafe system be before it becomes a nuisance
airmcn_3
May 27, 2009, 07:06 PM
Good posts all of you! Keep them coming.
I realize this is not going to be easy but nobody said pleasing the Govt. was going to be.....
A good point has been brought up, what is the sensitivity limit....... I can tell you one thing, it will be known shortly.....
airmcn_3
May 27, 2009, 07:08 PM
Er am I being thick Cort? Where should I be looking?
Not sure Gary, I am looking myself.... :D
Cort
May 27, 2009, 08:31 PM
ooops sorry guys....here's the link
http://mekri.joensuu.fi/cropcam/inventions.htm
realtimerecon
May 27, 2009, 08:46 PM
I would like to start a discussion on Parachute fail safe systems.
As you know the various Governments are buckling down on us, why not show them that we have the capabilities and have implemented them into our UAS to be a very safe hobby. One of the requirements by all these Governments is to have various fail safes; the parachute seems to be a widely accepted way of terminating flight.
Has anybody built one that would like to share their experiences and show some pictures?
I will start.
This will be for a 2kg flying wing.
The spring is from a shock tower for a 1/8th scale RC buggy, the prototype box is made of balsa and bass wood. AUW with parachute is 110g. Parachute is a 70'' nylon chute from http://www.redarrowhobbies.com/top_flight.htm
A separate interface board will be made with its own power for the fail safe trigger.
I've been kicking the same idea around also :D ..... The J-3 is my test plane. Plane's AUW is 20 ozs. The chute is 24" Dia. Haven't had time to test it tho. GOOD LUCK w/ yours.. RTR
UAVGuy
May 27, 2009, 09:57 PM
You could mount the parachute module wherever was convenient and run the risers to the CG. This would free up space on the CG for (payloads/fuel/batteries).
Another concern is about having the parachute hang on the tail of the AV.
I saw a UAV that had the parachute module located on the end of the tail so that it could not get hung. The risers were located in a channel along the top of the fuselage and ran to the CG.
I have been involved in testing where we secured the AV to a trailer and drove along. We then deployed the parachute and video taped the extraction. This enabled us to find where we had problems without putting the AV at risk.
airmcn_3
May 27, 2009, 10:23 PM
I've been kicking the same idea around also :D ..... The J-3 is my test plane. Plane's AUW is 20 ozs. The chute is 24" Dia. Haven't had time to test it tho. GOOD LUCK w/ yours.. RTR
Nice work!
airmcn_3
May 27, 2009, 10:26 PM
Another concern is about having the parachute hang on the tail of the AV.
I saw a UAV that had the parachute module located on the end of the tail so that it could not get hung. The risers were located in a channel along the top of the fuselage and ran to the CG.
I have been involved in testing where we secured the AV to a trailer and drove along. We then deployed the parachute and video taped the extraction. This enabled us to find where we had problems without putting the AV at risk.
Ya I don’t think attaching it to the ass end would be the best idea, unless it was a disposable type airframe. Besides, won’t work too well with a flying wing.
Thanks for the idea on the trailer.
Gary Mortimer
May 28, 2009, 03:01 AM
If it's a wing, maybe it could go left or right wing tip.
Inadvertent deploy.... (keep watching)
http://www.youtube.com/watch?v=xk-psmXzYCE&NR=1
And deal maker, quite cool headed guy, the tow cables around the prop
http://www.youtube.com/watch?v=JXQKaxp6Rlk
Some info from grownups http://www.butlerparachutes.com/PDF/BUPS%20-%20Recovery%20System%20Qualification.pdf
And finally a UAV
http://www.youtube.com/watch?v=F-Zz1l7MJR4&feature=related
Connexxion
May 28, 2009, 06:13 AM
Thanks Gary, that last video is exactly what I've been thinking of.
Best place for attachment of the strings would be the tail of the bird IMHO.
This situation will not put as much stress on certain parts as a chute that's attached on any other part of the plane. The forces will be inline with the fuse and thus get distributed over a larger surface.
You could connect a CF rod underneath the fuse and use that as an attach point of the chute.
Get yourself a rod that's longer than the fuse itself and use rubberbands to connect it to the fuse. This way the rubberbands will dampen the shock of the pulling chute and the shock of the impact on landing nose down.
Man, I'm getting more and more enthusiastic about this idea!
Now, where can I get this idea patented?!
Gary Mortimer
May 28, 2009, 06:26 AM
No patent now you've released it to the wild!! ;-)
airmcn_3
May 28, 2009, 10:34 AM
If it's a wing, maybe it could go left or right wing tip.
Inadvertent deploy.... (keep watching)
http://www.youtube.com/watch?v=xk-psmXzYCE&NR=1
And deal maker, quite cool headed guy, the tow cables around the prop
http://www.youtube.com/watch?v=JXQKaxp6Rlk
Some info from grownups http://www.butlerparachutes.com/PDF/BUPS%20-%20Recovery%20System%20Qualification.pdf
And finally a UAV
http://www.youtube.com/watch?v=F-Zz1l7MJR4&feature=related
That first one looked painful
airmcn_3
May 28, 2009, 11:25 AM
I have been doing some thinking and I have come to the conclusion that the attachment point of the parachute to the airframe is very critical in how the aircraft hits the ground. The way I currently have it, due to the hole in the center of the box all the guide wires are essentially being centralized to a single attachment point, it would not matter how you have it attached to the airframe after they pass through the box as it will still act like it’s all attached to one central point.
I need some help in coming up with a way to attach all 4 guide wires of the parachute to specific spots on the airframe whilst still being shot out the box....
Any suggestions?
UAVGuy
May 28, 2009, 05:51 PM
Instead of running the risers (guide wires) through the bottom of the box, cut a notch in the edge of the lid and route them out. Then tape them down with some low stick tape (painters tape). Mount them to the needed location.
This way the spring mechanism ejects the chute out of the airframe, the chute pulls the risers free of the tape, and suspends the AV from the needed location.
As a way to make this less involved you could create a bridle of the needed lengths and connect the risers to the central point of the bridle. To alter the AV attitude under the chute you just alter the length of the bridle and leave the risers alone.
I have also seen spring loaded drogue chutes used to extract the main chute.
13brv3
May 28, 2009, 07:04 PM
This way the spring mechanism ejects the chute out of the airframe, the chute pulls the risers free of the tape, and suspends the AV from the needed location.
This is in fact exactly how BRS chutes are installed on small aircraft. Additionally, it's nice if the attachment point is just forward of the CG, so that a deployment will cause the nose to pitch up, thus adding some additional braking.
Can't wait to see the deployment test. Please tell me there will be video :D
Cheers,
Rusty
airmcn_3
May 28, 2009, 07:31 PM
This is in fact exactly how BRS chutes are installed on small aircraft. Additionally, it's nice if the attachment point is just forward of the CG, so that a deployment will cause the nose to pitch up, thus adding some additional braking.
Can't wait to see the deployment test. Please tell me there will be video :D
Cheers,
Rusty
Oh there will be video good or bad ;)
ThaiskyDigital
May 28, 2009, 09:24 PM
I like to try one but I can not get information about which size of parachute is good for which Kg of total weight.
Please guide
airmcn_3
May 28, 2009, 09:54 PM
see attached
13brv3
May 28, 2009, 09:55 PM
I bought a couple of these chutes for quadrocopters, but haven't tried them yet. It also looks like they have some good info, descent calculators, etc on the page which might help.
http://www.aeroconsystems.com/chutes/p48in.htm
Cheers,
Rusty
UAVGuy
May 28, 2009, 10:13 PM
Maybe I missed this earlier
Is the purpose of the parachute to salvage the airframe and expensive bits in the event of a mishap or is it supposed to deliver the entire package to terra firma undamaged after said mishap?
The answer to this determines how slow of a descent rate is needed and that drives the size of the parachute.
airmcn_3
May 28, 2009, 11:31 PM
Maybe I missed this earlier
Is the purpose of the parachute to salvage the airframe and expensive bits in the event of a mishap or is it supposed to deliver the entire package to terra firma undamaged after said mishap?
The answer to this determines how slow of a descent rate is needed and that drives the size of the parachute.
It’s really more for the safety aspect. I don’t want a non guided aircraft headed to the ground.......
Of course I would like it to save the airframe as well. My calculations were done for a 3.8 m/s descent rate which is still too high.
fly_boy99
May 28, 2009, 11:44 PM
Obviously this is done to try and keep UAV's flying in civilian hands.
Pure and simple, just wait and watch...
airmcn_3
May 29, 2009, 12:49 AM
Obviously this is done to try and keep UAV's flying in civilian hands.
Pure and simple, just wait and watch...
I am a bit confused..... :confused: :confused:
CenTexFlyer
May 29, 2009, 09:44 AM
Fly is right.....
This would be categorized as a "safety mitigation" in the process of getting UA's in the NAS. We've seen all sorts of academic efforts suddenly appear in certification/process/procedure applications so it would not be a surprise if this didn't appear "officially" in some mitigation process. The CAA would probably look favorably on this as well.
Gene
airmcn_3
May 29, 2009, 10:08 AM
Fly is right.....
This would be categorized as a "safety mitigation" in the process of getting UA's in the NAS. We've seen all sorts of academic efforts suddenly appear in certification/process/procedure applications so it would not be a surprise if this didn't appear "officially" in some mitigation process. The CAA would probably look favorably on this as well.
Gene
Gene,
Not sure how this thread got pushed off the subject but would you care to elaborate a bit more on the post?
I apologize if I seem stupid but I am simply not getting what you two are talking about...
Cheers
Mel Duval
May 31, 2009, 02:36 PM
A "safety mitigation" would simply cause the vehicle to stop flying in a failure condition with no regard to saving it from damage. The bigger the chute, the slower the descent so coming down slow is a good thing for safety. BUT, a big chute would let the vehicle blow a long ways in a wind causing a different problem as far as airspace goes, so like all things it is a balance....
Mel Duval
May 31, 2009, 02:58 PM
You might want to put some thought into "false positives" for your fail safe system. It would really suck if a boundary condition occurred and thus sent your UAV down when it really didn't have to.
But at this point you will have gone beyond the point of no return in complexity for sure. Don't ask me how I know...
As Fly says, give some thought to a separate "arming" mechanism/command for the parachute actuation system. Having two steps (for example, a separate command from the downlink and then the "fail safe" command from the autopilot or the downlink) would prevent actuation on the ground or on take-off/landing. Failures which do things inadvertently with only one event are called "single-point" failures. The protocol would be to "arm" the system when it leaves the immediate area and to "de-arm" when it returns.
Practically, this could be as simple as having the arming command be a relay that provides on command the power to the contacts of the "fail-safe" (for lack of a better term) chute relay/solenoid. This way, even if the command is given to actuate the chute, nothing happens unless it is armed. Using a time-delay that requires the command to be there for an appreciable amount of time (say a half-second or so) makes sense to avoid very short duration glitches. As was already mentioned though, that is a balance too because if it is a relatively long period, the vehicle could cover a lot of territory before the chute comes out.
Full-size UASs actually have two inputs to the "Flight Termination System (FTS)". There is both the "fail-safe" from the autopilot/onboard computer and the big red button from the ground. The big red button is generally held by the Range Safety Officer or operational flight safety officer. The FTS systems used on test ranges are generally completely independent systems with separate power sources so it can be actuated regardless of the operational state of the UAS.
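[Added example, not part of any post in this thread and not code from the Atto or any other autopilot.] The trigger logic discussed above, sketched in C: the timed conditions from airmcn_3's list, gated by the separate arming step and short time delay Mel Duval describes, with the ground button as a second input. All names, the 500 ms hold applied to conditions the thread gives no time for, the limit values and the sample trace are assumptions constructed for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Cause bits: the six triggers from the list in the thread (roll and pitch
 * share one bit) plus the ground "big red button". */
enum { FTS_GPS = 1, FTS_RC = 2, FTS_BATT = 4, FTS_ALT = 8, FTS_ATT = 16, FTS_BUTTON = 32 };

typedef struct {                 /* one telemetry sample; field names are assumptions */
    uint32_t now_ms;
    int      gps_sats;
    bool     rc_link_ok, battery_critical, red_button;
    float    altitude_m, roll_deg, pitch_deg;
} sample_t;

typedef struct { float min_altitude_m, max_roll_deg, max_pitch_deg; } limits_t;
typedef struct { bool bad; uint32_t since_ms; } hold_t;
typedef struct { bool armed, fired; unsigned cause; hold_t hold[6]; } fts_t;

static float absf(float x) { return x < 0 ? -x : x; }

/* True only once bad_now has been continuously true for more than hold_ms,
 * so a glitch shorter than the window never counts. */
static bool persisted(hold_t *h, bool bad_now, uint32_t now, uint32_t hold_ms) {
    if (!bad_now) { h->bad = false; return false; }
    if (!h->bad)  { h->bad = true; h->since_ms = now; }
    return (uint32_t)(now - h->since_ms) > hold_ms;
}

/* Call once per sample. Returns the cause bits once termination is commanded,
 * 0 otherwise. The result latches: a deployed chute cannot be taken back. */
unsigned fts_step(fts_t *s, const limits_t *lim, const sample_t *in) {
    if (s->fired) return s->cause;
    if (!s->armed) {
        /* Disarmed (ground, take-off, landing): nothing can fire, and the
         * timers restart so arming never acts on stale history. */
        memset(s->hold, 0, sizeof s->hold);
        return 0;
    }
    uint32_t t = in->now_ms;
    bool attitude_bad = absf(in->roll_deg) > lim->max_roll_deg ||
                        absf(in->pitch_deg) > lim->max_pitch_deg;
    unsigned c = 0;
    /* Every timer is updated on every sample; no short-circuiting. */
    if (persisted(&s->hold[0], in->gps_sats < 3, t, 5000))      c |= FTS_GPS;
    if (persisted(&s->hold[1], !in->rc_link_ok, t, 3000))       c |= FTS_RC;
    if (persisted(&s->hold[2], in->battery_critical, t, 500))   c |= FTS_BATT;
    if (persisted(&s->hold[3], in->altitude_m < lim->min_altitude_m, t, 500)) c |= FTS_ALT;
    if (persisted(&s->hold[4], attitude_bad, t, 500))           c |= FTS_ATT;
    if (persisted(&s->hold[5], in->red_button, t, 500))         c |= FTS_BUTTON;
    if (c) { s->fired = true; s->cause = c; }
    return c;
}

/* Constructed 10 Hz trace: 1 s healthy, `fault` injected for fault_ms, 1 s healthy. */
unsigned run_trace(bool armed, unsigned fault, uint32_t fault_ms) {
    const limits_t lim = { 30.0f, 60.0f, 45.0f };   /* constructed limits */
    fts_t s;
    memset(&s, 0, sizeof s);
    s.armed = armed;
    for (uint32_t t = 0; t < 2000 + fault_ms; t += 100) {
        sample_t in = { t, 8, true, false, false, 120.0f, 5.0f, 2.0f };
        if (t >= 1000 && t < 1000 + fault_ms) {
            if (fault & FTS_GPS)    in.gps_sats = 2;
            if (fault & FTS_RC)     in.rc_link_ok = false;
            if (fault & FTS_BATT)   in.battery_critical = true;
            if (fault & FTS_ALT)    in.altitude_m = 10.0f;
            if (fault & FTS_ATT)    in.roll_deg = 80.0f;
            if (fault & FTS_BUTTON) in.red_button = true;
        }
        fts_step(&s, &lim, &in);
    }
    return s.fired ? s.cause : 0;
}

int main(void) {
    printf("200 ms RC glitch, armed    -> %u\n", run_trace(true, FTS_RC, 200));
    printf("3.5 s RC loss, armed       -> %u\n", run_trace(true, FTS_RC, 3500));
    printf("4 s GPS dropout, armed     -> %u\n", run_trace(true, FTS_GPS, 4000));
    printf("6 s GPS dropout, armed     -> %u\n", run_trace(true, FTS_GPS, 6000));
    printf("low altitude 6 s, disarmed -> %u\n", run_trace(false, FTS_ALT, 6000));
    return 0;
}
```

A nonzero result is the set of causes that were past their hold window at the moment the output latched, which is the record to keep when reviewing whether a deployment was a false positive.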
ios
May 31, 2009, 10:00 PM
This thread has turned into a really great discussion ! :)
This would be categorized as a "safety mitigation" in the process of getting UA's in the NAS. We've seen all sorts of academic efforts suddenly appear in certification/process/procedure applications so it would not be a surprise if this didn't appear "officially" in some mitigation process. The CAA would probably look favorably on this as well.
Gene's and fly_boy99's observations are right on the money. Chris, the considerations you're making with regards to your parachute fail-safe/safe-fail system are directly related to the 'safety mitigation' assessment you would make for certifying a UAV. In a way you're looking at both the technical aspects and regulatory requirements,.....
In the event of a failure the system would cut all power to the UAS and deploy the parachute. Some symptoms I think should trigger the system are as follows:
1. GPS sat count less than 3 for more than 5 seconds
2. Very low battery (Atto users have a RTL feature that is user set)
3. Low altitude (a defined altitude that triggers the fail safe)
4. Loss of RC signal for more than 3 seconds (this feature is questionable as some autopilots such as Atto have an RC lockout that is user defined, if in auto the RC transmission should technically not matter until aircraft is back to its designated distance)
5. High roll angle (user defined. This would be set to an angle the aircraft should never see during AUTO flight)
6. High pitch angle (Same as roll)
I am very open to suggestions or comments; this is supposed to be a constructive thread to help each other out.
I think the failure mode considerations you mentioned in post #14, above, are limited, but a good start.
There is a difference in safety emphasis between manned aircraft and UAVs, since the former maximise occupant safety whilst the latter aims to minimise collateral damage. The triggering of a failure mode should therefore also take into account, as correctly noted by someone (can't recall who),... the drift of the aircraft with the wind after a parachute has been deployed,... and as I understand the regulations, this means that the UAV either remains within the designated operational zone during an event resulting in the deployment of the parachute, or the fail have provision to allow transit of the UAV to a given location (potentially in a no power condition) prior to activation of a parachute, and again consideration given to wind drift considerations while the UAV is descending. These are all system design considerations required for certification under the heading of 'safety mitigation' for UAVs.
A "safety mitigation" would simply cause the vehicle to stop flying in a failure condition with no regard to saving it from damage. The bigger the chute, the slower the descent so coming down slow is a good thing for safety. BUT, a big chute would let the vehicle blow a long ways in a wind causing a different problem as far as airspace goes, so like all things it is a balance....
This is a great description Mel, thank you for including it.
The following document contains some really good guidance for the design considerations (and safety mitigation) for UAVs, their system failure modes, and design considerations in general which might be of interest to some of you guys (who may be looking at government work ;) ); (specifically Section 2 Chapter 15)
http://www.everyspec.com/ADF/download.php?spec=ADF-AAP_7001-054.011352.pdf
airmcn_3
Jun 01, 2009, 05:29 PM
This thread has turned into a really great discussion ! :)
Gene's and fly_boy99's observations are right on the money. Chris, the considerations you're making with regards to your parachute fail-safe/safe-fail system are directly related to the 'safety mitigation' assessment you would make for certifying a UAV. In a way you're looking at both the technical aspects and regulatory requirements,.....
I think the failure mode considerations you mentioned in post #14, above, are limited, but a good start.
There is a difference in safety emphasis between manned aircraft and UAVs, since the former maximise occupant safety whilst the latter aims to minimise collateral damage. The triggering of a failure mode should therefore also take into account, as correctly noted by someone (can't recall who),... the drift of the aircraft with the wind after a parachute has been deployed,... and as I understand the regulations, this means that the UAV either remains within the designated operational zone during an event resulting in the deployment of the parachute, or the fail have provision to allow transit of the UAV to a given location (potentially in a no power condition) prior to activation of a parachute, and again consideration given to wind drift considerations while the UAV is descending. These are all system design considerations required for certification under the heading of 'safety mitigation' for UAVs.
This is a great description Mel, thank you for including it.
The following document contains some really good guidance for the design considerations (and safety mitigation) for UAVs, their system failure modes, and design considerations in general which might be of interest to some of you guys (who may be looking at government work ;) ); (specifically Section 2 Chapter 15)
http://www.everyspec.com/ADF/download.php?spec=ADF-AAP_7001-054.011352.pdf
That’s one long document!
Failure modes are still up in the air as you can tell; I was just stating some things that came to mind.
I initially wanted to make this a 3 part thread starting with the ejection method of the parachute. The second part was going to be parachute size and placement. Third was going to be the hardware/software and features.
I am very glad this thread has become active; hopefully there will be continued participation.
We ordered a new chute; it’s a 58" and should be good for a moderate descent rate. I figured having a few sizes on hand before I sacrifice the airliner would be a good idea.......
Still wrapped up on what to do for attachment as the single point is going to simply bring the bird down with no care for the airframe.
Chris
ios
Jun 01, 2009, 06:22 PM
Failure modes are still up in the air as you can tell; I was just stating some things that came to mind.
I hope you don't take my comments as criticism, this is a really great discussion spanning a little beyond design, and I think you've made a terrific start.
I initially wanted to make this a 3 part thread starting with the ejection method of the parachute. The second part was going to be parachute size and placement. Third was going to be the hardware/software and features.
We ordered a new chute; it’s a 58" and should be good for a moderate descent rate. I figured having a few sizes on hand before I sacrifice the airliner would be a good idea.......
Still wrapped up on what to do for attachment as the single point is going to simply bring the bird down with no care for the airframe.
Have you thought about testing the parachutes initially with a variety of attached weights off an elevated height to experiment/determine parachute descent speeds/performance before you needlessly sacrifice the airliner?
I have some literature somewhere about parachute setups for UAVs,... I'll find it and post it as soon as I can.
Take Care
Nick
airmcn_3
Jun 01, 2009, 06:44 PM
I hope you don't take my comments as criticism, this is a really great discussion spanning a little beyond design, and I think you've made a terrific start.
Have you thought about testing the parachutes initially with a variety of attached weights off an elevated height to experiment/determine parachute descent speeds/performance before you needlessly sacrifice the airliner?
I have some literature somewhere about parachute setups for UAVs,... I'll find it and post it as soon as I can.
Take Care
Nick
Nick,
I absolutely did not take your post as criticism. No worries mate!
As for the weights attached at an elevation. This is what I have been doing to get a good idea of weight, I can sit here and calculate all day long but when it comes down to it nothing beats real world testing.
One of the ways I started testing was to take the box closed with the parachute and add 2kg to the bottom, I then went on to the roof and threw it up as high as I could. Attached was an Rx to command the servo. I had somebody hit the switch at the apex of the throw.
This did two things for me. One it verified that the ejection of the chute worked as it should and two the descent rate at the aircraft weight. The only thing that is not added in is airframe drag... Guess I could run CFD on it at the projected descent rate to find out.......
The reason the airliner is in jeopardy is the attachment point and how level it falls ;) :D
Chris
fnev
Jun 02, 2009, 02:12 AM
Very good subject indeed and very good posts as well. When doing calculations for a parachute as part of an emergency recovery system, it is better to use the energy at impact rather than the rate of descent.
If regulations start pushing for this emergency recovery mode, they most likely will use a maximum energy at impact value. This is interesting as for small UAS you might not need a parachute: entering in a flat spin (with the proper design) could lead to a very low energy at impact. The added mass of a parachute and its deployment mechanism could be penalizing in some cases…
Connexxion
Jun 02, 2009, 06:25 AM
Pattern type model fitted with parachute stowed beneath the jettisonable canopy. Attachment point must be in front of the CG to compensate for vertical lift from tailplane during descent.
Got this info from HERE (http://silvertone.com.au/mk22-crx.htm)
airmcn_3
Jun 02, 2009, 09:08 AM
Pattern type model fitted with parachute stowed beneath the jettisonable canopy. Attachment point must be in front of the CG to compensate for vertical lift from tailplane during descent.
Got this info from HERE (http://silvertone.com.au/mk22-crx.htm)
Good find!
airmcn_3
Jun 03, 2009, 11:35 AM
Very good subject indeed and very good posts as well. When doing calculations for a parachute as part of an emergency recovery system, it is better to use the energy at impact rather than the rate of descent.
If regulations start pushing for this emergency recovery mode, they most likely will use a maximum energy at impact value. This is interesting as for small UAS you might not need a parachute: entering in a flat spin (with the proper design) could lead to a very low energy at impact. The added mass of a parachute and its deployment mechanism could be penalizing in some cases…
Good point, I guess if you’re trying to save the airframe as well you would want the energy at impact rather low. Now we are back to the issue of how far the bird floats away.....
It’s going to take a fine balance in order to satisfy everyone......
Gary Mortimer
Jun 03, 2009, 12:41 PM
Could the parachute fire when the airframe is at x altitude??
Still as we will not be above 400' I guess the variable then becomes wind speed as to how far downwind the airframe will go.
This is a great thread, very interesting.
airmcn_3
Jun 03, 2009, 02:33 PM
Could the parachute fire when the airframe is at x altitude??
Still as we will not be above 400' I guess the variable then becomes wind speed as to how far downwind the airframe will go.
This is a great thread, very interesting.
Sure,
I was thinking two settings, max altitude and minimum altitude. These are two hard settings that we will never breach. Same with Roll and pitch, those settings are set to never be breached, if the system sees an attitude other than its max for a given period of time then it will trigger. We all know what parameters the aircraft is not supposed to be in.
You are correct, 400' at 5ft/s descent rate and a 10mph (14.66ft/s) wind the bird would be 1172' down wind. Obviously this is just a rough calculation. That’s a long hike and a good amount of distance to get in trouble.......
fnev
Jun 04, 2009, 01:41 AM
Guys THIS is a huge problem with parachute recovery: how to control the descent…
This is why the energy at impact is the way to go as you are not looking at saving the aircraft but lives and assets.
Now controlling the recovery is another can of worms… big time. The weather and atmospheric turbulence do have an incredible impact on parachute recovery and you need a fairly large flat and unobstructed area to guarantee a near zero damage recovery. A point worth mentioning is the need of decoupling the parachute from the aircraft at impact: having the chute dragging the aircraft on the ground can be pretty damaging…
Been there, done that: I believe in parachute for safety (it might be the only way to go in some cases) even with the weight penalty and the added complexity to the system. Regarding recovery I do not believe in it unless it is in a very specific and controlled environment (i.e. dedicated area with the required space and landscape) and this is defeating the purpose of mobility in most cases.
brakar
Jun 06, 2009, 09:31 AM
Originally Posted by airmcn_3
In the event of a failure the system would cut all power to the UAS and deploy the parachute. Some symptoms I think should trigger the system are as follows:
1. GPS sat count less than 3 for more than 5 seconds
2. Very low battery (Atto users have a RTL feature that is user set)
3. Low altitude (a defined altitude that triggers the fail safe)
4. Loss of RC signal for more than 3 seconds (this feature is questionable as some autopilots such as Atto have a RC lockout that is user defined, if in auto the RC transmission should technically not matter until aircraft is back to its designated distance)
5. High roll angle (user defined. This would be set to an angle the aircraft should never see during AUTO flight)
6. High pitch angle (Same as roll)
To take a step back, what basic requirements are established for the parachute's trigger system?
- Is the system going to be "stand-alone" or based on input from an autopilot?, if so a generic interface or a proprietary one? (to Atto)?
- Under what defined situations/conditions are the system required to fire/not fire? A few examples:
a) if the engine is still running, will the system be allowed to trigger? (If fired at high speed, the AF might be ripped apart, or go down with the running prop as a potential danger)
b) if the autopilot is running ok, fire anyway? (there might be a temporary problem)
brakar
Mel Duval
Jun 06, 2009, 02:25 PM
To take a step back, what basic requirements are established for the parachute's trigger system?
- Is the system going to be "stand-alone" or based on input from an autopilot?, if so a generic interface or a proprietary one? (to Atto)?
- Under what defined situations/conditions are the system required to fire/not fire? A few examples:
a) if the engine is still running, will the system be allowed to trigger? (If fired at high speed, the AF might be ripped apart, or go down with the running prop as a potential danger)
b) if the autopilot is running ok, fire anyway? (there might be a temporary problem)
brakar
There are two main times and ways you would want to pop the chute:
1. When the onboard systems (I'm counting the uplink and downlink here) are in a failure mode such that there is a risk of uncontrolled flight, be it a fly-away or a crash AND the error handling routines in the avionics can still make the decision to terminate.
2. When the operator/observer notices a hazardous condition such as unresponsiveness of the vehicle, loss of TM/downlink/ etc. or an environmental/airspace issue where the vehicle has to come down NOW.
What this then infers is a need for both an autonomous trigger AND an independent trigger.
In my opinion, the system has to function without respect to the attitude, speed or control mode. The autonomous triggers need to be chosen with a great deal of care such that THEY are not potential single point failures that would pop the chute as soon as the system was booted up and that they do not unnecessarily bring down a good vehicle with a truly transient problem.
Some of the above mentioned error conditions (see below) are a good start.
1. GPS sat count less than 3 for more than 5 seconds
2. Very low battery (Atto users have a RTL feature that is user set)
3. Low altitude (a defined altitude that triggers the fail safe)
4. Loss of RC signal for more than 3 seconds (this feature is questionable as some autopilots such as Atto have a RC lockout that is user defined, if in auto the RC transmission should technically not matter until aircraft is back to its designated distance)
5. High roll angle (user defined. This would be set to an angle the aircraft should never see during AUTO flight)
6. High pitch angle (Same as roll)
Now comes the question. Who is your target market? If this is to be a generic item, then you will need to establish a generic interface control document that sets out what the signals to the unit have to be. Then the UAV user will have to map the signals he has available into what the system needs. This may result in some solutions for specific systems being non-optimal. If you plan on it being offered for a specific system/community (like the ATTO), then you can optimise the performance for the chosen system, but you will have a much more limited user base and thus a more limited market.
Here we go again, it is a balance... :p :p
elossam
Jun 06, 2009, 04:19 PM
Does anyone have a link to a video of the aerosonde UAV launching its recovery parachute?
Thanks in advance
Connexxion
Jun 06, 2009, 07:07 PM
A Flat-Spin might be the ticket.
You'll need a (FMA) wing leveler to hold the wings flat and set failsafe to full rudder deflection.
Advantage:
-No need for extra weight and less complexity
-In case you regain radio link you'll be able to fly the bird back home.
Example: (it gets interesting from 00:30 and on)
http://www.youtube.com/watch?v=D7KaWTMgOM4&NR=1
Mel Duval
Jun 07, 2009, 11:11 AM
A Flat-Spin might be the ticket.
You'll need a (FMA) wing leveler to hold the wings flat and set failsafe to full rudder deflection.
Advantage:
-No need for extra weight and less complexity
-In case you regain radio link you'll be able to fly the bird back home.
Example: (it gets interesting from 00:30 and on)
http://www.youtube.com/watch?v=D7KaWTMgOM4&NR=1
From a no damage point of view, it would make sense. The trouble is that the video was done on what looks like an almost windless day. If you get the sink rate down that low, it will blow a long ways down wind if you have a decent breeze going. That is exactly what you do not want from an airspace perspective....
Mel Duval
airmcn_3
Jun 07, 2009, 11:29 AM
A Flat-Spin might be the ticket.
You'll need a (FMA) wing leveler to hold the wings flat and set failsafe to full rudder deflection.
Advantage:
-No need for extra weight and less complexity
-In case you regain radio link you'll be able to fly the bird back home.
Example: (it gets interesting from 00:30 and on)
http://www.youtube.com/watch?v=D7KaWTMgOM4&NR=1
This can be done with many 3D birds relatively easy, I really do not see it as a viable option for a UAS but it was fun to watch....
I am waiting on a new chute and I will begin flight testing. I do not see any problems with the ejection method but I am still having a hard time with the attachment going to a single point.
Chris
Mel Duval
Jun 07, 2009, 11:46 AM
This can be done with many 3D birds relatively easy, I really do not see it as a viable option for a UAS but it was fun to watch....
I am waiting on a new chute and I will begin flight testing. I do not see any problems with the ejection method but I am still having a hard time with the attachment going to a single point.
Chris
Something you might think about is having the main stress taken on by the single point attachment at the CG and having a couple of much smaller bridles to orient the vehicle during the descent....
airmcn_3
Jun 07, 2009, 11:47 AM
To take a step back, what basic requirements are established for the parachute's trigger system?
- Is the system going to be "stand-alone" or based on input from an autopilot?, if so a generic interface or a proprietary one? (to Atto)?
- Under what defined situations/conditions are the system required to fire/not fire? A few examples:
a) if the engine is still running, will the system be allowed to trigger? (If fired at high speed, the AF might be ripped apart, or go down with the running prop as a potential danger)
b) if the autopilot is running ok, fire anyway? (there might be a temporary problem)
brakar
I do plan on the system being a "stand alone" unit. I will require information from the autopilot and the goal is to make it a universal system. Not necessarily proprietary to Atto.
We are still trying to come up with the conditions; this was a large reason for this thread. I was hoping we could put all our heads together and make a very safe and reliable system. Some of the trigger conditions are mentioned above.
The way I see it is the fail safe system shuts down all power to the aircraft and deploys chute, so it would not necessarily fire under power but it will almost definitely still be moving at a good forward velocity. I suspect this will vary considerably on the fail safe condition.
Not sure what you mean on the autopilot running properly and firing the chute, I am assuming you are talking about the issue if the fail safe system misfires and deploys the chute under "normal conditions". This goes back to making a very robust and well designed system, obviously they are electronics and errors do happen so I guess it will require a lot of real world testing. Don’t have a problem with that ;)
I do see many potential issues with a system like this. Beyond the injury and damage that can be caused by a falling object comes the fact that in order to make a true fail safe system the interface will be capable of completely shutting down your aircraft in flight. I really do like the thought of this possibly happening by an error in the fail safe and not the aircraft.
Thanks for the good discussion! I hope we all can continue to contribute to what has become a good thread.....
Chris
brakar
Jun 08, 2009, 07:11 AM
Originally Posted by airmcn_3
Not sure what you mean on the autopilot running properly and firing the chute, I am assuming you are talking about the issue if the fail safe system misfires and deploys the chute under "normal conditions".
Yes, this is what I meant. Looking at the initially described conditions for when to deploy the chute, it seems to me that there are only single cause indicators mentioned. As mentioned earlier, I am afraid this could lead to misfires. Just one example:
1. GPS sat count less than 3 for more than 5 seconds
Suppose everything runs normal, but the GPS-conditions are not ideal, losing lock every now and then. If the UAV is not flying over populated areas the best way to proceed would probably be to instruct the autopilot to head straight back home (corrective action), and not to pop chute (emergency). If you on the other hand detect a new indication of fail, (e.g. losing altitude) there are two indicators of a "true" problem. By combining the two pieces of information you will have a lot better indication of fail, and be able to reduce the probability of misfire significantly.
Thus, I think it would be a good idea to combine the information from two or more indicators when possible. You then might need to take a step back and look at what situations/conditions you want to handle, and imagine what the list of symptoms/indicators would be for that particular situation/condition - instead of looking at the indicators individually. Attached picture is meant to illustrate my point.
brakar
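Added example, not part of any post in this thread: one way to code the trigger logic discussed so far, with an arming interlock, hold times against glitches, a manual command input, and the two-indicator rule (one sustained indicator asks for return-home, two fire the chute). The struct fields, the altitude and bank limits and the 1 s hold times are assumptions; the 5 s GPS, 3 s RC and half-second command figures are the thread's.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* One telemetry sample. Field names are assumptions, not any autopilot's API. */
typedef struct {
    uint32_t t_ms;          /* monotonic timestamp */
    bool     armed;         /* arming relay closed: chute actuator has power */
    bool     manual_cmd;    /* ground "big red button" channel */
    bool     rc_link_ok;
    uint8_t  gps_sats;
    float    alt_m;         /* height above ground */
    float    roll_deg, pitch_deg;
} sample_t;

typedef enum { FTS_IDLE, FTS_RETURN_HOME, FTS_FIRE } fts_decision_t;
enum { IND_GPS, IND_RC, IND_LOW_ALT, IND_ATTITUDE, IND_MANUAL, IND_COUNT };

/* Hold times in ms, indexed by indicator; the two 1000 ms entries are assumed. */
static const uint32_t HOLD_MS[IND_COUNT] = { 5000, 3000, 1000, 1000, 500 };
#define MIN_ALT_M    30.0f   /* assumed hard floor */
#define MAX_BANK_DEG 60.0f   /* assumed: never seen in AUTO flight */

typedef struct {
    bool     active[IND_COUNT];
    uint32_t since_ms[IND_COUNT];
    bool     fired;          /* latched: a deployed chute cannot be recalled */
} fts_state_t;

/* True once cond has been continuously true for HOLD_MS[i]; one false sample resets it. */
static bool held(fts_state_t *st, int i, bool cond, uint32_t now)
{
    if (!cond) { st->active[i] = false; return false; }
    if (!st->active[i]) { st->active[i] = true; st->since_ms[i] = now; }
    return (uint32_t)(now - st->since_ms[i]) >= HOLD_MS[i];
}

static float absf(float v) { return v < 0 ? -v : v; }

/* Evaluate one sample and return the action requested of the aircraft. */
fts_decision_t fts_step(fts_state_t *st, const sample_t *s)
{
    if (st->fired) return FTS_FIRE;
    if (!s->armed) {                      /* interlock: timers cleared, nothing can fire */
        for (int i = 0; i < IND_COUNT; i++) st->active[i] = false;
        return FTS_IDLE;
    }
    int n = 0;                            /* autonomous indicators that have held */
    n += held(st, IND_GPS,     s->gps_sats < 3,      s->t_ms);
    n += held(st, IND_RC,      !s->rc_link_ok,       s->t_ms);
    n += held(st, IND_LOW_ALT, s->alt_m < MIN_ALT_M, s->t_ms);
    n += held(st, IND_ATTITUDE, absf(s->roll_deg) > MAX_BANK_DEG ||
                                absf(s->pitch_deg) > MAX_BANK_DEG, s->t_ms);
    bool manual = held(st, IND_MANUAL, s->manual_cmd, s->t_ms);

    if (manual || n >= 2) { st->fired = true; return FTS_FIRE; }
    return n == 1 ? FTS_RETURN_HOME : FTS_IDLE;
}

/* Feed sample s every 100 ms from t0 for dur_ms; return the last decision. */
static fts_decision_t feed(fts_state_t *st, sample_t s, uint32_t t0, uint32_t dur_ms)
{
    fts_decision_t d = FTS_IDLE;
    for (uint32_t t = t0; t <= t0 + dur_ms; t += 100) { s.t_ms = t; d = fts_step(st, &s); }
    return d;
}

/* Constructed flight scenarios, each starting from a healthy armed aircraft. */
fts_decision_t scenario(int id)
{
    fts_state_t st = {0};
    sample_t s = { .armed = true, .rc_link_ok = true, .gps_sats = 8, .alt_m = 100.0f };
    switch (id) {
    case 0:  /* GPS drops for 4 s, then recovers: transient, no action */
        s.gps_sats = 2; feed(&st, s, 0, 4000);
        s.gps_sats = 8; return feed(&st, s, 4100, 1000);
    case 1:  /* GPS lost for 6 s, nothing else wrong: corrective action only */
        s.gps_sats = 2; return feed(&st, s, 0, 6000);
    case 2:  /* GPS lost, then below the altitude floor: two indicators agree */
        s.gps_sats = 2; feed(&st, s, 0, 6000);
        s.alt_m = 20.0f; return feed(&st, s, 6100, 1500);
    case 3:  /* 200 ms glitch on the command channel */
        s.manual_cmd = true; return feed(&st, s, 0, 200);
    case 4:  /* command held 600 ms while armed */
        s.manual_cmd = true; return feed(&st, s, 0, 600);
    default: /* command held 2 s but the arming relay is open */
        s.armed = false; s.manual_cmd = true; return feed(&st, s, 0, 2000);
    }
}

int main(void)
{
    static const char *name[] = { "IDLE", "RETURN_HOME", "FIRE" };
    for (int id = 0; id <= 5; id++) printf("scenario %d -> %s\n", id, name[scenario(id)]);
    return 0;
}
```

On a real airframe the manual channel and its power would sit on hardware separate from the autopilot, as described for full-size FTS earlier in the thread; it shares one function here only to keep the example in a single file.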
fnev
Jun 08, 2009, 10:58 AM
Brakar, you are on the right track, but it is much more complex than that. This is the start of a failure mode analysis with the incidence on the mission and the corrective actions until an eventual termination.
Another factor to consider is the time for reaction after a failure is detected. You do not need the same reaction time (popping or not the chute) when you have an engine failure (you may glide back home or glide/crash in a safe preprogrammed area) or if you have a structural failure (wing loss over high G’s) where you need almost instant parachute triggering before the aircraft starts falling out of the sky in a configuration preventing the proper opening of the chute (if any).
It is interesting with this thread about recovery/safety how it starts to look at failure analysis and safety of UAS in a broader way.
brakar
Jun 08, 2009, 03:53 PM
I agree with your comments fnev. But for the record, I wasn't really suggesting a full blown safety analysis, just wanted to give the ball a new kick.
Anyway, I do not believe that the list of errors/conditions/etc. would necessarily have to be that long. When dealing with safety matters, statements like: "the 10% most common errors accounts for 90% of the accidents" is often heard. If this is also relatively true with UAVs, it might be possible to write a short-list, and I suspect that it also might be possible to find a few common "indicators" to groups of these errors/condition which could provide a better base for determining when to activate the parachute, than any one of the indicators alone. (E.g. in case of an AV totally out of control (any reason), wouldn't actually a lot of indicators change rapidly and therefore be viable as base for the triggering?).
Along with this, I have to admit I have not yet had the pleasure of using an autopilot myself, and that my experience with model aircraft is also limited.
When it comes to thinking safety of UAS in a broader way, I think that designing the parachute system (especially the triggering system) would be the hardest part. I would have wanted a way to instruct the autopilot to return to base, but what would come next? As a start, possibly:
- some basic requirements for the pilot, autopilot, AV, etc.
- a few check-lists, (before leaving home, before flight, flight plan, post flight, etc),
- some simple software to check the setup and way-point files,
- an archive to store check-lists, error logs, flight-plans, setup files etc.
brakar
Jack Crossfire
Jun 08, 2009, 04:03 PM
Skip the failsafe part & just make a paraglider. Someone's going to make a pocket paraglider any moment now.
airmcn_3
Jun 08, 2009, 04:20 PM
Skip the failsafe part & just make a paraglider. Someone's going to make a pocket paraglider any moment now.
LOL, would be considerably easier......
airmcn_3
Jun 08, 2009, 04:25 PM
Good stuff!
I think in order to achieve all the functions you are talking it would require the fail safe system to be built in with the autopilot. There would have to be considerable information being passed back and forth from each unit checking conditions. Autopilots based off of thermopiles are not capable of returning to home in the event of GPS loss. That requires an IMU and in order to achieve accurately it would require 9DOF.
I like where you guys are going here, please keep up the great comments.
I am going to start simple and work up from there.... No problem with baby steps.
Chris
Tom Harper
Jun 08, 2009, 05:53 PM
Chris,
I've been lurking on this thread and finally feel compelled to contribute. So here goes:
Assumptions:
1. The least likely device to fail is the microcontroller. The only likely catastrophic failure mode is due to power supply brown out. There is no reason for brown out to occur in a model airplane (it happens with low line voltage in appliances and starter cranking on cars).
2. The sought after situation in case of failure is graceful degradation. If things go bad, the system does not need to complete the mission. It is best to continue operation in as safe a manner as possible.
3. The most desirable action of failure detection is the ability of the system to limp home. The goal of limp home is to return the system to the circle of visual and transmitter range.
4. Catastrophic failure is the result of unanticipated events. Catastrophic failure can be countered by redundant, diverse systems (a parachute is a diverse redundant system but its functional degradation is not graceful).
5. Anticipated events can be avoided by design.
Comments:
I am not seeing loss of sats as a problem. Is that because of conservative operation, terrain or dumb luck? Does the loss persist?
Navigation in canyons or below tree top level is bad form.
Endless circling of a missed WP is detectable.
Solutions:
A gimbal mount for the GPS would be lighter and cheaper than a parachute, if angle is the problem.
A compass would provide a valuable bit of diverse redundancy. Attopilot knows the heading and distance of the way home. A compass would allow the system to maintain a general heading between good fixes. Of course, if you got a bug up your pitot tube you'd need a chute.
So, maybe the best path is for us to grovel and whine to Dean for a compass plug-in with a limp home firmware upgrade.
Just some thoughts,
Tom
Gary Mortimer
Jun 08, 2009, 06:12 PM
Not wishing to move this too far OT, your Atto should have a smart RTH, which wouldn't work with the compass only option.
If you had a compass only RTH and there was a mountain or something else in the way on the straight track home then you might hit it.
Atto will work out when it does not have enough power to complete its mission and then RTH back along its track, thereby not hitting anything.
I think Dean enabled that, but I might be talking out of turn, never been known before.
When we all go IMU that won't really be an issue either.
What about for those with unlimited resources having two autopilots onboard??
Sorry this is going too far from the parachute idea.
airmcn_3
Jun 08, 2009, 06:47 PM
Chris,
I've been lurking on this thread and finally feel compelled to contribute. So here goes:
Assumptions:
1. The least likely device to fail is the microcontroller. The only likely catastrophic failure mode is due to power supply brown out. There is no reason for brown out to occur in a model airplane (it happens with low line voltage in appliances and starter cranking on cars).
2. The sought after situation in case of failure is graceful degradation. If things go bad, the system does not need to complete the mission. It is best to continue operation in as safe a manner as possible.
3. The most desirable action of failure detection is the ability of the system to limp home. The goal of limp home is to return the system to the circle of visual and transmitter range.
4. Catastrophic failure is the result of unanticipated events. Catastrophic failure can be countered by redundant, diverse systems (a parachute is a diverse redundant system but its functional degradation is not graceful).
5. Anticipated events can be avoided by design.
Comments:
I am not seeing loss of sats as a problem. Is that because of conservative operation, terrain or dumb luck? Does the loss persist?
Navigation in canyons or below tree top level is bad form.
Endless circling of a missed WP is detectable.
Solutions:
A gimbal mount for the GPS would be lighter and cheaper than a parachute, if angle is the problem.
A compass would provide a valuable bit of diverse redundancy. Attopilot knows the heading and distance of the way home. A compass would allow the system to maintain a general heading between good fixes. Of course, if you got a bug up your pitot tube you'd need a chute.
So, maybe the best path is for us to grovel and whine to Dean for a compass plug-in with a limp home firmware upgrade.
Just some thoughts,
Tom
Tom,
Good thoughts.
To the GPS question. I think it’s a mixture of many things. We are transmitting 36MHz and 72MHz depending on the country, we have 1W of 2.4GHz video running and 1W of 900MHz telemetry pumping out, and of course GPS is trying to receive data at the same time. Sometimes I just have bad luck..... It can all work perfect many times over and then the next time it is flown it may or may not have GPS issues..... (Weather????)
A compass plug-in with a limp home firmware upgrade is a great thought. Fortunately Dean and I are working on this together so.......... I will talk with him.....
Unfortunately the parachute is still a very desired feature and has to be implemented into our aircraft whether it has limp home features or not so back to the drawing board.
Thanks,
Chris
airmcn_3
Jun 08, 2009, 06:56 PM
Not wishing to move this too far OT, your Atto should have a smart RTH, which wouldn't work with the compass only option.
If you had a compass only RTH and there was a mountain or something else in the way on the straight track home then you might hit it.
Atto will work out when it does not have enough power to complete its mission and then RTH back along its track, thereby not hitting anything.
I think Dean enabled that, but I might be talking out of turn, never been known before.
When we all go IMU that won't really be an issue either.
What about for those with unlimited resources having two autopilots onboard??
Sorry this is going too far from the parachute idea.
Gary,
You are correct that feature is enabled in Atto.
Yes IMU will solve most of our problems, well at least the ones that are thermopile based issues...
Two autopilots are not a problem and are a great idea if you can afford the space, weight and cost. The problem still persists if both autopilots are something like thermopile based and the issue occurs with those components.
The primary reason for the parachute was and is not necessarily to save the aircraft. This project was to prevent a fly away and a high speed impact in the event of a catastrophic failure. The Australian Govt. is asking us to implement the parachute and the US Govt. has told us it would be a good idea to have when we go for Certification in the USA so I unfortunately don’t see a way around it.
This is something everyone who chooses to go through the COA process is going to have to look at. I was and still am hoping that we can create a product that is universal and will work with most if not all autopilots but as you can see it's going to be a rather significant project.
No worries on the topic, it all has to do with this project.
Thanks,
Chris
fnev
Jun 09, 2009, 02:53 AM
This is becoming a great thread and I enjoy the comments and inputs from everyone.
To use a controlled parachute (paraglider) has been tried and is way more complex than it sounds. You need a completely independent control system (that might fail as well) and it is far from a trivial exercise. You are still very weather dependant with all the consequences attached to it. I believe that a pure parachute to minimize damages (and eventually lives) on the ground is the way to go.
As pointed out the triggering of the chute is NOT simple. You may use a preloaded device (OK for small UAS but weight penalty), a completely aerodynamic opening system (does work but is subject to the aircraft attitude and speed) and the pyrotechnic systems (works EVERY time but regulations and handling are pretty tough as you have to manipulate it all the time unlike when onboard of a full size airplane). In any case the best is to use a combination of any of the above with a drogue chute to help parachute deployment and minimize weight, space and complexity. You have to realize that ANY system involved with safety will take away payload and/or endurance capability.
Having two autopilots sounds great, but WHOM or WHAT is going to be the judge to decide which one is faulty and/or which one to believe/trust? Not a simple task. Regarding the autopilot, it might be a good idea to dissociate the pure “autopilot” function and the “flight management” functions. Sounds more complex but it is in fact much simpler as you now have a dedicated item to fly the aircraft and a dedicated item to manage the mission, the payload(s) AND the safety issues. Having two separate pieces of hardware/software helps separate the functions and is a plus on the safety side.
To rely only on GPS for navigation is looking for trouble if you start flying far and with potential obstructions (out of line of sight). This is why you have an inertial navigation system plus a magnetometer as a backup. But, aren’t we digressing here and trying to fly too far and in conditions that most likely will be only possible for MUCH more complex and sophisticated systems?
brakar
Jun 09, 2009, 03:00 AM
To continue on the secondary autopilot idea, would it be an option to use a fairly simple imu board as the trigger? This board would then have to read the same waypoint file as the autopilot and to continually check that the AV was in the defined "tunnel" between waypoints where it was supposed to be. If out of the tunnel, but over the tunnel floor, return to home, (mission failed anyway). If below tunnel floor, stop engine, release parachute.
By the way, is it possible to change/override Attopilot's flight-pattern/waypoints after launch?
Gary Mortimer
Jun 09, 2009, 04:32 AM
On the Attopilot, yes if you have data modems.
I did a failsafe test with Airframe1, letting it spiral down trimmed, my word did it go further than I thought from 400' and it was pretty tense watching it skim over some tree tops.
If a secondary device could hold the nose up in a deep stall into wind so little or no progress over the ground was made and as the craft neared the ground the nose dipped forward a little for some speed which was converted into a flare for the final landing it might be good.
But then that's a dream ticket limitless money solution!!
If your lipo, powering the autopilots had failed you're in the dwang anyway.
So the independently powered parachute still rocks. (well gently swings)
brakar
Jun 09, 2009, 05:14 AM
If a secondary device could hold the nose up in a deep stall into wind so little or no progress over the ground was made and as the craft neared the ground the nose dipped forward a little for some speed which was converted into a flare for the final landing it might be good.
But then that's a dream ticket limitless money solution!!
What I had in mind was not a full featured autopilot, just an autopilot board used as a triggering system, (no navigation).
Let's say Atto is used for navigation and that Ardupilot + separate gps (or some other board with a processor and a gps interface) was programmed just to check that the AV's actual location is in the "tunnels" between waypoints. If not, some action;
- instruct the autopilot to go home if AV is outside allowed side offset, or
- release parachute if AV is below allowed offset from waypoint-line or "tunnel floor"
This way, the triggering would be based on relatively simple mathematic formulas. It would also be straight forward to de-activate the system close to base or to set a maximum allowed distance from base.
airmcn_3
Jun 09, 2009, 06:33 PM
What I had in mind was not a full featured autopilot, just an autopilot board used as a triggering system, (no navigation).
Let's say Atto is used for navigation and that Ardupilot + separate gps (or some other board with a processor and a gps interface) was programmed just to check that the AV's actual location is in the "tunnels" between waypoints. If not, some action;
- instruct the autopilot to go home if AV is outside allowed side offset, or
- release parachute if AV is below allowed offset from waypoint-line or "tunnel floor"
This way, the triggering would be based on relatively simple mathematic formulas. It would also be straight forward to de-activate the system close to base or to set a maximum allowed distance from base.
Hey I like that! Very good thinking.
Again we get back to another failure point but I would imagine it would be a bit less likely to have an error due to simplicity.
I will think on that a bit more....
Chris
Tom Harper
Jun 09, 2009, 07:27 PM
Interesting idea, but the basic assumption is that the monitor (ArduPilot) is more reliable than the primary (AttoPilot). Consider the case where the primary system is correct and the monitor is wrong, it will still deploy the chute.
Actually AttoPilot could perform this function internally. After each position and control calculation Attopilot could predict a circle into which the model should move before the next measurement is made. Some number of failed predictions would constitute an error. With the availability of logged data, Attopilot could evaluate the failure and determine the best remedy.
Mel Duval
Jun 09, 2009, 11:36 PM
Interesting idea, but the basic assumption is that the monitor (ArduPilot) is more reliable than the primary (AttoPilot). Consider the case where the primary system is correct and the monitor is wrong, it will still deploy the chute.
Actually AttoPilot could perform this function internally. After each position and control calculation Attopilot could predict a circle into which the model should move before the next measurement is made. Some number of failed predictions would constitute an error. With the availability of logged data, Attopilot could evaluate the failure and determine the best remedy.
I would suggest a separate system and the use of a different architecture to avoid common mode (sometimes called common cause) failures. Heck, given how cheap programmable logic devices are today, use three of them and have a voting circuit so 2 of three controls the system response...
brakar
Jun 10, 2009, 03:51 AM
Interesting idea, but the basic assumption is that the monitor (ArduPilot) is more reliable than the primary (AttoPilot).
Not really, because there is also the possibility for structural failures in the AV itself. Besides, even if Atto was the perfect autopilot, I think it would be easy to build or configure a UAV in such a way that Atto would not be able to handle it. (Load it too heavy, mess up the configuration file, etc).
airmcn_3
Jun 10, 2009, 10:32 AM
Not really, because there is also the possibility for structural failures in the AV itself. Besides, even if Atto was the perfect autopilot, I think it would be easy to build or configure a UAV in such a way that Atto would not be able to handle it. (Load it too heavy, mess up the configuration file, etc).
Yes there is no doubt about that, you can build an airplane that Atto can't fly but you will not be able to fly it either ;) :D
I think you would be pleasantly surprised on what that little component is capable of...
Anyhow Back to the Parachute system.
kbosak
Jun 12, 2009, 03:03 PM
E.g. if the engine stops when flying the model over salty water it would probably be a better choice to try to glide the model towards land than parachute it right into the ocean.
How about the idea of dropping a sonobuoy in regular periods that re-transmits the data to the airplane? You would drop it only in emergency situation in order to make the decision :p
Seriously, the whole idea stinks precisely of the high probability of the parachute to open in the wrong way, too late or to open during one of the 50 normal flights, purely due to mechanical fatigue of the chute system in 'battlefield' condition.
I would add a parachute to over 3...5KUSD airframe, under that limit, there are usually a lot of components to recover post-crash, you don't have to worry too much about losing the whole sum.
kbosak
Jun 12, 2009, 03:07 PM
There is no reason for brown out to occur in a model airplane (it happens with low line voltage in appliances and starter cranking on cars).
There is a good reason. Dying servo, with stripped or rather blocked gears.
High power consumption. High bat voltage drop. Or some other nasty forward then back action of dying servo that is sucking the current from decoupling capacitors along GND cable, even if you have seemingly separate power for servos and autopilot.
kbosak
Jun 12, 2009, 03:22 PM
I think a big red button should be included somewhere.
On the nose, precisely.
Seriously, I don't understand the whole talk about jittery transmission that might trigger the parachute prematurely. Aren't we supposed to use PCM or other TXes with failsafe when playing with autopilots?
Of course time-hysteresis and level-hysteresis is always necessary when implementing failsafe systems or triggers.
Tom Harper
Jun 12, 2009, 03:50 PM
kbosak,
Brown out on a Lipo is highly unlikely. The internal impedance is so low that it will destroy anything in its path (short wise).
I agree on the Big Red Button - a range officer and a button makes the best deployment criteria!
kbosak
Jun 12, 2009, 04:12 PM
Brown out on a Lipo is highly unlikely.
Yet, u-nav is quoting its autopilots for graceful recovery of 3500 from brown-out somewhere on their site, if I remember well.
airmcn_3
Jun 12, 2009, 05:56 PM
How about the idea of dropping a sonobuoy in regular periods that re-transmits the data to the airplane? You would drop it only in emergency situation in order to make the decision :p
Seriously, the whole idea stinks precisely of the high probability of the parachute to open in the wrong way, too late or to open during one of the 50 normal flights, purely due to mechanical fatigue of the chute system in 'battlefield' condition.
I would add a parachute to over 3...5KUSD airframe, under that limit, there are usually a lot of components to recover post-crash, you don't have to worry too much about losing the whole sum.
Our bird is worth well over 5kUSD....
As I said got to have it. And again this is not because I want to have a parachute on my bird, it's cause we were asked to put one on there.
Chris
brakar
Jun 12, 2009, 07:51 PM
Kbozac, grumpy tonight? Brakar :D
Mel Duval
Jun 12, 2009, 09:58 PM
OK, so to review the bidding as I see it:
Basic requirements
-System must terminate flight on command of mission computer or ground command
-Two function (ARM and FIRE) switching to avoid single point and inadvertent activations
-Manual ARM switching by the pilot/ground control system
-FIRE switching controlled by both mission computer error conditions (TBD) and "Big red button"
-System to be as independent as practical (separate power if possible, maybe even separate radio link for "big red button" and separate electronic control module)
-Glitch protection on activation circuitry to avoid false alarms, but filtering time delay set as small as possible to limit footprint covered in error state
-Termination mode has to limit drift after activation (small chute, deep stall, drag flap, spoilers,etc.) --> Means a max wind speed will have to be assumed
Nice to haves
-Sink rate slow enough to reduce/eliminate vehicle damage on touchdown (but has to meet drift rate requirement)
-Attachment point such that vehicle sinks as close to horizontal as possible
-Small/light as possible
-Low cost
-Built-in flexibility to allow installation on as many platforms as possible
Here is another document that may be of interest. Note the reference section that has a lot of good info: https://wsmrc2vger.wsmr.army.mil/rcc/manuals/321-07/321-07%20Common%20Risk%20Criteria%20Standards%20for%20National%20Test%20Ranges.pdf
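The "tunnel" check brakar proposed earlier in the thread, combined with the ARM/FIRE gating and glitch filtering from the list above, as an added example that is not code from any poster or from the AttoPilot or ArduPilot projects. All names, limits and the local flat metre frame are assumptions, as is falling back to return-to-home when a floor breach happens while the system is not armed.

```c
#include <stdbool.h>

/* Hypothetical names and limits; positions are metres in a local flat frame. */
typedef struct { double x, y, alt; } Pos;
typedef enum { ACT_NONE, ACT_RTH, ACT_CHUTE } Action;
typedef struct {
    double max_side;   /* allowed side offset from the waypoint line, m */
    double max_below;  /* allowed drop below the line ("tunnel floor"), m */
    int    persist;    /* consecutive bad fixes required before acting */
    bool   armed;      /* manual ARM set by pilot or ground station */
    int    side_cnt, floor_cnt;
} Monitor;

/* Squared horizontal distance from p to segment a-b; also reports the
   line's altitude at the closest point. Squared to avoid needing libm. */
static double side_offset_sq(Pos a, Pos b, Pos p, double *line_alt) {
    double dx = b.x - a.x, dy = b.y - a.y;
    double len2 = dx * dx + dy * dy;
    double t = len2 > 0.0 ? ((p.x - a.x) * dx + (p.y - a.y) * dy) / len2 : 0.0;
    if (t < 0.0) t = 0.0;          /* clamp to the leg's end points */
    if (t > 1.0) t = 1.0;
    double ex = p.x - (a.x + t * dx), ey = p.y - (a.y + t * dy);
    *line_alt = a.alt + t * (b.alt - a.alt);
    return ex * ex + ey * ey;
}

/* Call once per GPS fix for the active leg a->b. */
Action monitor_step(Monitor *m, Pos a, Pos b, Pos p) {
    double line_alt;
    bool wide  = side_offset_sq(a, b, p, &line_alt) > m->max_side * m->max_side;
    bool below = p.alt < line_alt - m->max_below;

    /* Time hysteresis: a breach must persist; any good fix clears the count. */
    m->side_cnt  = wide  ? m->side_cnt + 1  : 0;
    m->floor_cnt = below ? m->floor_cnt + 1 : 0;

    if (m->floor_cnt >= m->persist)             /* floor breach outranks side breach */
        return m->armed ? ACT_CHUTE : ACT_RTH;  /* assumption: unarmed falls back to RTH */
    if (m->side_cnt >= m->persist)
        return ACT_RTH;
    return ACT_NONE;
}
```

The `persist` count is the trade-off named in the list: a larger value rejects more glitched fixes but lets the aircraft travel further in the error state before the trigger acts.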
airmcn_3
Jun 13, 2009, 11:04 AM
OK, so to review the bidding as I see it:
Basic requirements
-System must terminate flight on command of mission computer or ground command
-Two function (ARM and FIRE) switching to avoid single point and inadvertent activations
-Manual ARM switching by the pilot/ground control system
-FIRE switching controlled by both mission computer error conditions (TBD) and "Big red button"
-System to be as independent as practical (separate power if possible, maybe even separate radio link for "big red button" and separate electronic control module)
-Glitch protection on activation circuitry to avoid false alarms, but filtering time delay set as small as possible to limit footprint covered in error state
-Termination mode has to limit drift after activation (small chute, deep stall, drag flap, spoilers,etc.) --> Means a max wind speed will have to be assumed
Nice to haves
-Sink rate slow enough to reduce/eliminate vehicle damage on touchdown (but has to meet drift rate requirement)
-Attachment point such that vehicle sinks as close to horizontal as possible
-Small/light as possible
-Low cost
-Built-in flexibility to allow installation on as many platforms as possible
Here is another document that may be of interest. Note the reference section that has a lot of good info: https://wsmrc2vger.wsmr.army.mil/rcc/manuals/321-07/321-07%20Common%20Risk%20Criteria%20Standards%20for%20National%20Test%20Ranges.pdf
Thanks for compiling the list. And thank you for the link.
I have run into the newest problem with the parachute. PACKING!! In order to achieve a decent descent rate the chute needs to be rather large in comparative size to the UAS. The flying wing this is going on is 1.3m with a nice fuselage but...........Not that big.......
Chris