We brought up some safety items in the http://www.rcgroups.com/forums/showthread.php?t=360746 "switch between manual/autopilot" thread.

I think it is worth discussing them in their own thread, so here goes...

How do hobbyists operate UAVs safely?

What mechanisms and techniques (electronic, mechanical, human) can be used to keep operation of UAVs safe?

We brought up some safety items in the http://www.rcgroups.com/forums/showthread.php?t=360746 "switch between manual/autopilot" thread.

I think it is worth discussing them in their own thread, so here goes...

How do hobbyists operate UAVs safely?

What mechanisms and techniques (electronic, mechanical, human) can be used to keep operation of UAVs safe?


There's plenty of discussion on rcapa.net/forums about this. For the past couple months we've hammered things out to bring to the FAA / ATSM.

--Scott

Thanks Scott,

From the looks of it, a lot of ground has been covered on the RCAPA site. I guess we shouldn't bother with this forum at all :)

Can you post a link to specific safety guidelines for operation? The RCAPA guidelines posted on their home page are fairly general. There appear to be many discussions in the forums, and if you can point out the most relevant it would be appreciated.

For discussion sake, we could refine this to cover technical solutions such as failsafes, how to determine loss of control, when an autopilot should or should not take over control, etc.

[edit] Also, I would like to keep this discussion focused to those of us building "Hobby" UAVs. Hobby being defined as building/flying for pure enjoyment and not for any monetary gain.

Thanks,
Jay

DanStriedr,

That philosophy is flawed. In the event if a loss of signal, you should have the plane level out and at a low power setting in a controlled glide. If you do not have an autopilot, you should have slow glide trimmed with idle throttle. Most signal interference is temporary in nature and you want to buy as much time as you can to get control of the model to PREVENT a crash instead of your hard over that would CAUSE a crash in short order. If it does crash, less damage will be sustained in a controlled glide than a stall spin. Not hitting as hard is always better, and from a safety standpoint its also better.

Many people get so narrow minded and paranoid thinking about "safety" that they ending up doing the WRONG thing and making BAD choices. The hard over option is a clear example of overthinking "safety" to the point that you have lost common sense, it you actually create more of a hazard than you solve.

Give your self every oportunity and time to prevent a crash. Minimize damage to your plane and whatever it may hit. Its simple....

Jett,

I appreciate your input. To qualify my response, this method is what the AUVSI rules state, not what I would necessarily like to do.

That being said, I understand where the hard-over comes from. The officials don't want a flyaway condition much more than they don't want a crash. For them, an uncontrollable airplane headed toward spectators, albeit perhaps even in a shallow glide, is bad news. A spin is an energy-dissipating maneuver. Additionally, a spin is localized; the aircraft doesn't keep flying away. So, from the officials' point of view, a controlled spin into the turf is good safety for the spectators.

From my point of view, I would prefer to see a holding pattern failsafe. If the manual RC link is cut, the aircraft starts a 30 degree bank orbit. If after a time interval the link does not return, then initiate a "controlled crash" maneuver (whatever method this may be). However, if the autopilot goofs during that time, are your spectators more than your time interval's distance away from the aircraft? If your delay is 10 seconds and your speed is 100 ft/s, then spectators 1000 feet away are at risk.

I do agree with your idea of a shallow glide when spectators are not of concern. During our testing phase in an isolated area, we go to "all hold" on the PCM failsafe. This gives the aircraft time to regain link and doesn't snap the servos to a preset location (which potentially could strip servo gears, making things worse). Assuming normal flight conditions before loss of signal, perhaps a shallow glide would be better.

I do hope this post illustrates there are different ideologies for different circumstances, especially when humans aren't at the controls. While the hard-over idea I discussed may be better is some situations, the shallow glide or all hold idea may be better for initial testing in unpopulated areas.

To respond directly to your comments, I do intend to make a common-sense decision: Spectators are always more important than my airplane.

Dan


For background information, please see this thread, post #47:
http://www.rcgroups.com/forums/showthread.php?t=360746

I would like to add what I am doing to this thread. I'm not nearly as advanced and skilled as some of the other guys. I have taken basically an "off the shelf" approach for my own plane. I designed and built the plane myself. It's a 20 pound plane with a Fuji BT32 gas engine for power. It flies very well. I am keeping it inside the range of a standard RC system. I have a U-nav PDC-10 and PDC-20. A Garmin geko 201 GPS and an FMA Co-pilot employed in roll only. I use a Futaba 8UAP PCM radio and an 8 channel EMS Jomar Glitch buster to level shift the 3.3 vdc Futaba PCM pulses to full voltage level. The receiver is on it's own 4.8 vdc NiMH 1200 mah pack and the Glitch buster has 6 volt regulated input from an EMS Jomar Battery backer. There are two 6 vdc 2400 mah NiMH packs going into the battery backer. This is Servo and flight control power. The down link is a high res color board camera and a 600 mw 900 MHz link. (Clean and clear) I also use an IC circuits GPS overlay on the Video.

Before any flight, I allow the GPS to get lock where I'm taking off from. Once it does, I set the location as a waypoint and then tell the GPS to "GOTO" that way point. (During the whole flight, it tries to go there.) I can fly up to my desired altitude and set the PDC-20 altitude lock so the plane will stay right there. I confirm altitude throughout the flight by watching the GPS altitude information. The Co-pilot is pre-set on the ground for maximum roll control at all times. I leave it that way. I don't have the enable line used on it. That makes it always enabled. I fly around with rudder input only. The plane makes big flat turns.

In the event of interference, or getting lost on which way to turn to head back for a landing, Or in the event I fly too far and leave RC range, the PCM receiver enables the PDC-10 as well as maintaining the PDC-20 enabled and locking the throttle where I last had it set. The plane simply comes back and loiters overhead unless I take it back manually once I can orient myself with it.

I would never advocate flying in this manner beyond a 3 mile "see and avoid" flight plan. I can tell if any full scale plane is even 4 or 5 miles out.

That’s my story of safety in a UAV. Not all the answers, but certainly a very functional setup.

Dan

I thought of a couple more safety considerations. Something much more fundamental. Parts!!!! and Person!!!!!.

Parts. I never use plastic gear train servo's on any control surface or critical function. I use Servo's that are high torque, with coreless motors for efficient operation. Like the Airtronics 94738 as an example of a favorite. I use real positive lock linkage. Heavy duty control horns with Z bends at the servo and 4-40 rods. (Short as possible) The Clevis end gets the clevis and a Jam nut to prevent lateral flex and metal fatigue. The Jam nut is either a nylon insert lock nut or a standard 4-40 nut with lock tite. I never use Digital servo's in this type of application. (Too power hungry even when not hardly being used) I use High end heavy duty servo wire's and connectors. My favorite is Gold plated JR or the Futaba big ones. (Not standard AWG) I have a guy at the hobby shop locally that always gives me grief for not buying the cheap Expert brand. "Made by JR" he says. "The JR's are overpriced he says". But I know quality. The JR's are likely over priced. But so are the Expert brand. Expert connectors can be plugged in either direction and come apart with little to no effort. No thanks. Cheap is cheap and your UAV is only as reliable as it's weakest link, as well as your installation quality. Keep things dress right dress and not under strain. I saw a guy flying RC once that had his battery pack loose inside of a trainer. It sat right in front of the landing gear plate where it stayed in place by accident. Close inspection even showed abrasion on the wires right where they entered the heat shrink from bouncing against the walls around it. You could tell it wasn't going to be long before he could say good bye to the plane not to mention the carnage if he hit the crowd. I scolded him politely about it and he told me he'd been flying it that way for months with no problems. That it would be just fine. (Great) I reported it to the club safety officer who fortunately made him rectify it. (Funny, the guy hated me for having done that) Thats the kind of stuff that's pretty flagrant as a no no. But even pulling wires too tight around the inside of a plywood former where vibration can start to cut through the insulation then copper etc. Bundling wires neatly, but pulling cable ties too tightly and compressing the insulation. You got to be careful you don't go overboard trying to nail things down till they stay still. I think this fundamental building process is incredibly important and if it isn't done well, all of your other safety steps and high priced gear can be pretty meaningless.

Person. It is my considered opinion that almost ALL crashes are due to Pilot error. A very good part of the remaining crashes happen due to (Builder/owner error) Things not built right. Wrong linkages. Letting things get trashed and wore out without proper long term maintanance and repair. Flying violent manuvers with light duty parts. (Shouldn't be doing that with a true UAV anyhow) Poor rebuilding or checking after crash damage. Ignoring subtle little warning signs. Thinking it will improve once your in the air. I have never lost a UAV type plane for many, many hours and miles of flying. I have crashed my fair share of RC planes in the past. I am proud to say I can look to something I did as a pilot, or a builder, in every one of those crashes and I can blame each crash on something I did or didn't do. I think thats how good pilots get to be good. I have seen guys that crashed every other time they flew and always blamed interference or something beyond themselves. Equipment manufacturers, Sun, Paging repeaters, whatever. I bet to this day, if those guys are still flying, they're still crashing. You got to look at yourself real hard and be able to face facts. You got to leave the ego at home if you're prone to have one. That helps you become safer by allowing you to accept and recognize your shortcomings, and gives you a chance to work at overcoming them. Keep the fun plane charged up and ready for getting wild. Keep the UAV a UAV and fly it like you care for it.

Dan

I think the best system is what I have done. I have two complete radio systems in my airplane. Two batteries, two receivers, two power switches... Each system controls one half of the flight controls on its side of the airplane, one elevator, one aileron, and one engine, so no matter what goes wrong, I can still fly and land. I had a battery fail in flight :eek: , I lost half the flight control authority and control of one engine, but it flew just fine. I flew around for for an hour until the engine over which I had no control ran out of gas, when it finally quit I brought the other engine out of idle and landed normally :) . I have had this plane for years and did video links on 435 mhz. I am just getting modern electronics, autopilot and GPS to put inside this plane. The plane is powered by two G-62's, weighs 40 pounds, has more thrust than weight, and will take off on one engine.

The thought of programming an airplane plane to crash in case of interference is just wrong :mad: , there are better soloutions. As far as flying in front of spectators, UAV's just are not a threat. UAV's are very rarely flown with a bunch of people around. There is a huge hazard when 100 scale models are flown in front of large numbers of spectators by guys that are great builders but cant fly worth a damm. Programming a UAV to crash at first loss of signal is paranoia. When fear and paranoia rule you, you end up making bad choices :mad: . I will program my plane to return by GPS, and fly circles over the far side of the runway until it either runs out of gas and glides, or until I regain control of it :D

Thats a mongo plane. It oughta go vertical with a pair of G 62's. How do you tie the rudder in to your split functions?

Dan

I do like the dual receiver idea and my guys have been kicking it around for a while. Unfortunately I cannot figure out how to integrate that type system with our autopilot. There are some y-harnessing issues that I can't yet resolve. I do think the redundancy of a sedond receiver is good.

An alternative to the split control is a receiver switcher. Two receivers are y-harnessed together by an RC mux switch (much like the other discussion) that uses a primary signal source but can switch to the secondary source if there are problems with the primary. Battery power can be likewise y-harnessed with the EMS Battery Backer. This solution I can easily integrate with my current autopilot setup and I think would work well.

My question now becomes what about RFI? Any RFI will likely be spread spectrum and affect both receivers equally. Even having either of the dual receiver setups listed above won't gain much, if any, RFI resistance.

Now we're back to the original question of what to do with a loss of signal.



I don't like the idea of crashing my airplane, don't get me wrong at all Jett. Over half of the autopilots at this competition are experimental with less piloting time than most guys get on their first trainers. I wouldn't trust some of the stuff I've seen to go to a location and orbit during which time I have zero ability to bring it down away from spectators. And we routinely have 100-200 spectators at competition.

So, how does one deal with experimental autopilots with unproven track records with spectators at the field and an uncontrollable airplane?

For your testing, indeed a failsafe orbit is good because the only specators you have are you or people next to you.

Most autopilot problems, if there are problems, seem to happen during one of two times:
1. immediately after turn on: the autopilot wasn't tested enough or thinks it should head to alabama or thinks it's upside down,
2. just after a large gust of wind or external perturbation: most hobby and mini commercial autopilots can't handle spins, being inverted, tip stalls, or similar violent attitude changes, so they don't know what to do.

In either of these two circumstances, the manual pilot should have the ability to take over and correct the problem. If the manual link is broken during this time, it is impossible to guess what the autopilot will do with the airplane.

Am I overthinking things? Maybe. But, I am presenting very possible scenarios; I have seen both to happen my own UAV, not to mention others' UAVs. The Boy Scout motto seems applicable here: Be Prepared. It's better to know at all times and in all potential circumstances what the aircraft will do. Can a "go home and orbit" failsafe fail? Yes, and that is the root of the problem.

As the autopilots at competition get more robust and better tested, perhaps the field safety guys can adopt a failsafe orbit similar to what you mention that you'd like to do.

Dan E.


PS for other Dan
I've heard of the split receiver setup for giant scale aerobatic planes. I'm not sure what Jett is doing, but those giant scale pilots split their controls...
RX1 : left aileron, right elevator, throttle
RX2 : right aileron, left elevator, rudder
Jett will likely vouch you can make it home on either receiver.

“An UAV should not crash, and it should be programmed to return safety to the ground unless its power is completely down”. This is my philosophy when I am seriously getting to build my first UAV. Two radio systems as JettPilot did is another way to bring the UAV down when lost one signal, and thanks for that idea. Redundant systems are the best ways to control a full scale UAV.
As a hobbyist, I built an autopilot system using accelerometer ADXL210 (one chip for both aileron and elevator) from Analog devices and a PLD (Cyclone with Nios DSP) from Altera. It constantly detects the presence of the carrier while airborne. When carrier signal is lost, it automatically switches to landing mode. However, my UAV is just at its early stage, so it does not have GPS or INS to return to its starting point. I’ve been watching my “bird” flying alone in the blue sky. This is a great hobby with lots of challenges. Do we have a separate link about hobbyist UAV because I am kind of new to this site? Thanks.

PS danstrider,

I think it is best to bring digital signal (signal to servos) into a PLD and do detection there. Two RXs at two different frequencies would not have RFI of each other, and if they do, you need to complain to your RX manufacture and FCC (try to avoid using CH-20). Use RF shielded container (I used kitchen aluminum fold to wrap around everything onboard except antenna wire – of course not), and you would not have to worry about RFI.

“An UAV should not crash, and it should be programmed to return safety to the ground unless its power is completely down”. This is my philosophy when I am seriously getting to build my first UAV. Two radio systems as JettPilot did is another way to bring the UAV down when lost one signal, and thanks for that idea. Redundant systems are the best ways to control a full scale UAV.
As a hobbyist, I built an autopilot system using accelerometer ADXL210 (one chip for both aileron and elevator) from Analog devices and a PLD (Cyclone with Nios DSP) from Altera. It constantly detects the presence of the carrier while airborne. When carrier signal is lost, it automatically switches to landing mode. However, my UAV is just at its early stage, so it does not have GPS or INS to return to its starting point. I’ve been watching my “bird” flying alone in the blue sky. This is a great hobby with lots of challenges. Do we have a separate thread about hobbyist UAV because I am kind of new to this site? Thanks.

PS danstrider,

I think it is best to bring digital signal (signal to servos) into a PLD and do detection there. Two RXs at two different frequencies would not have RFI of each other, and if they do, you need to complain to your RX manufacture and FCC (try to avoid using CH-20). Use RF shielded container (I used kitchen aluminum fold to wrap around everything onboard except antenna wire – of course not), and you would not have to worry about RFI.

bluebird,
Not the receivers receiving interference from each other ...
spread-spectrum interference affecting multiple frequencies (like 72MHz and 2.4GHz, which I can confirm has happened to me), so even with two receivers, getting both simultaneously blanked out. Not an RX problem, rather the nature of the RFI itself.

Does this clarify my comment a little?

Dan

BTW, what's wrong with channel 20?

I know the guys flying Big birds, 1/4 scale and up to 40 percent models will use the split receiver system. I think it's a very workable solution but like anything else, it too has it's shortcomings. If both receivers are on the same channel, and the channel gets interfered with, it hits both channels. If they are PCM units though, you can have the failsafe set to enable the GPS return function. At some point there are catastrophic failures that won't permit anything save for a descent. I think it is quite viable on fixed wing aircraft to use a parachute in these cases. A microcontroller like a Basic Stamp can monitor certain conditions and if they exist either singly or in pairs it activates an engine shut down and chute deployment. I'm talking about being far enough away while flying that you can't dead stick back to the airstrip.

Example would be, Flying in the air, under GPS guidance, (PCM engaged or no signal from pilot present) and engine shuts down. In this case maybe a time out occurs before deploying the chute. Say 5 seconds. If in that time frame Pilot control resumes, (You turned on the transmitter to take manual control for a dead stick landing) no chute deploys. But if the 5 seconds goes by and there is no signal from ground, (Pilot doesn't know the engine quit or simply chooses to let the chute deploy) then the deployment sequence occurs. I would make that sequence one routine that first closes the throttle servo and in some cases even has to activate a kill switch for those gas engines that need one. Then after 3 a second or so pause, deploys the chute. Thats just one scenario. You have to monitor various things to do it though. Like having your micro controller read speed from the GPS. If there isn't any speed detected in the GPRMC string, it won't do the chute deployment because your sitting on the ground not flying. (BTW, Here's a cool link for guys writing code for GPS.)
http://home.mira.net/~gnb/gps/nmea.html#gprmc

That brings me to another scenario. Plane is in motion at a minimum of 10 to 15 knots, It is flying under GPS guidance. No signal from ground. GPS out put stops. (Dead GPS or GPS power source, or loses 3 and 2 D lock) 5 seconds elapses (or whatever timeout you think is good with any given airframe. It would depend on how fast it flies) The micro controller goes back to the chute deployment routine. First kills engine if applicable and pauses long enough to let the prop stop turning. Then deploys chute.

Obviously it would take a lot of "What if's" to get the code up to what you want. For example, if your in motion, engine is dead but pilot is in control, we assume a normal Dead stick landing. No action taken.

Any time there is no speed detected, or below a certain threshold, the code doesn't even go into the flight mode to do anything. (Your sitting on the ground)

The Deployement system would need to be on it's own power source. In the event catastrophic battery failure is taking you out, you still want it to function. I think a LiIon battery of it's very own would be a good choice. You can charge that up and it won't leak off it's power the same as Nicds and Nimhs. Just hit it with a smart charger once a month and it probably won't even need a charge.

Many sizes of very strong yet quite small parachutes are availble in the Model Rocket community from on-line sources.

I have no idea what to do with rotor craft. (A million individual parts flying together in close formation) I think they don't lend themselves to the type of platform we're talking about very easily.

Dan

Merlin Fail-Safe Parachute recovery system (http://www.megamodels.co.uk/radiocon.htm)

The inventor and developer of the system Roy Lever, passed away at the beginning of this year, but there might be some useful information remaining on the Megamodels website regarding this.

That brings me to another scenario. Plane is in motion at a minimum of 10 to 15 knots, It is flying under GPS guidance. No signal from ground. GPS out put stops. (Dead GPS or GPS power source, or loses 3 and 2 D lock) 5 seconds elapses (or whatever timeout you think is good with any given airframe. It would depend on how fast it flies) The micro controller goes back to the chute deployment routine. First kills engine if applicable and pauses long enough to let the prop stop turning. Then deploys chute.


The system I'm thinking about employing is to have an emergency parachute sytem onboard. The system would be completly self contained with its own microcontroller and batteries. The main computer would have a software routine to tell the emergency system, "Hey, I'm still working here. No need to deploy." about once a second. If the system doesn't hear the "I'm OK" signal or hears a ground signal to deploy it will automaticly do it's thing. The software routine in the main computer can't be a hardware interupt driven. If for what ever reason the software gets wedged into a loop the hardware interrupts might still function. Bad Juju.

I don't know how you would get the IC motors stopped in my system but since I'm experimenting with electric airplanes and gliders, it's not much of a problem for me.

I love the flow of ideas in this forum.
Dart

I think the use of an 'emergency' chute is extremely practical and desirable. Aside from its ability to extricate you from a dangerous situation, it's also not a bad way to land autonomously without all the complexity of sonar, etc...

Everyone has probably already seen this guy (http://members.shaw.ca/sonde/index.htm) but by measuring wind speed and direction on ascent, he was able to get his onboard computer to deploy the chute on his glider such that the wind would carry it to the desired landing spot. A couple times he was fairly successful with this.

I do agree with your idea of a shallow glide when spectators are not of concern. During our testing phase in an isolated area, we go to "all hold" on the PCM failsafe. This gives the aircraft time to regain link and doesn't snap the servos to a preset location (which potentially could strip servo gears, making things worse).
:confused:
Strip servo gears in flight when they return to PCM Failsafe position? :D This would require sabotage on the TX side! I assume the transmitter should be configured before flight.

I think the use of an 'emergency' chute is extremely practical and desirable. Aside from its ability to extricate you from a dangerous situation, it's also not a bad way to land autonomously without all the complexity of sonar, etc...

Everyone has probably already seen this guy (http://members.shaw.ca/sonde/index.htm) but by measuring wind speed and direction on ascent, he was able to get his onboard computer to deploy the chute on his glider such that the wind would carry it to the desired landing spot. A couple times he was fairly successful with this.
http://www.youtube.com/watch?v=1viOfIYFaxI
Polish student's project (Warsaw Institute of Technology if I remember), BSL Osa (BSL means UAV).
http://miwl.smil.org.pl/w2007/PW-OSA.pdf

This is a link to the commercial proposed guidelines...

http://wcs_bbs.tripod.com/RCAPAProposal_11-LATEST.pdf


Has anyone thought about amateur guidelines?