Update 8/8/11:

In firmware version 1.24 a number of features have been added, Non-Reversible Flight Termination (NRFT) being the main addition. NRFT is enabled and disabled using the configuration software. When enabled, NRFT behaves as follows:

- On power up, the red LED illuminates to indicate that NRFT is selected. This is the ONLY circumstance under which the red LED comes on "solid". The only other time the red LED illuminates is during flight termination, which is indicated by the red LED flashing at 1Hz.
- The Failsafe waits indefinitely for the first heartbeat, but once the first heartbeat is received the Failsafe is "armed" and will terminate the flight if heartbeats ever stop for the pre-programmed period of time.
- The red LED goes out when the first heartbeat is received.
- Once flight termination occurs there is no way to reverse it other than powering down the board, or re-configuring it. If the write protect feature is enabled, then powering down is the only way.
- Once flight termination occurs RC can no longer be selected. However, if heartbeats are lost during a period when RC is already selected (i.e. the vehicle is under manual pilot control), flight termination is deferred until RC is deselected. Heartbeat processing resumes when RC is deselected. This suspension of heartbeat processing whilst RC is selected allows for the in-flight rebooting of an autopilot.

The other feature added at firmware version 1.24 is a geofence termination input. This is intended to interface to a geofence device, so that flight termination occurs when a vehicle strays outside of a pre-determined area. The geofence termination input is enabled and disabled using the configuration software. When enabled, the geofence termination input behaves as follows:

- When the geofence termination input is taken to its active state, flight termination occurs. If non-reversible flight termination is enabled, then this is irreversible.
  Powering down the board (or re-configuring it) is the only way to reset the terminated state.
- Geofence termination occurs regardless of the state of the RC input. In other words, if you fly through the boundary under manual control, the Failsafe board will take over and terminate your flight.
- The geofence termination input is active low (i.e. a low signal should be used to indicate a boundary violation), and may be connected directly to 3.3V logic, or a relay contact that connects this pin to ground, or an open-collector output stage. The Failsafe board provides its own pull-up resistor.
- As noted previously, the geofence termination input observes the programmed NRFT mode. When NRFT is enabled, the geofence termination input is ignored until the first heartbeat arrives. This is to give the attached geofence device time to initialise and output a valid signal.

Andrew Dunlop
Millswood Engineering
8th August 2011

Update 23/7/11:

The OBC rules are now crystal clear - flight termination is final and irreversible. A firmware version will be produced that complies with this requirement.

Andrew Dunlop
Millswood Engineering
23rd July 2011

Some brief notes regarding the use of the Millswood Engineering Failsafe device in the Australian UAV Outback Challenge Search and Rescue Competition 2011/2012

What the Failsafe board is not:

- The Failsafe device is not approved or endorsed in any way by the organisers of the Outback Challenge.
- Using a Failsafe board will not guarantee that your deliverables will be accepted. It might even get you rejected - see areas of potential non-compliance below. It is your responsibility to ensure that you are in compliance with the rules, or seek clarification if in doubt.
- There is now considerable sophistication possible in flight termination.
  The Failsafe board will not do most of this - it is essentially a set of switches that connects your servos to either your autopilot, your RC receiver, or internally generated flight termination positions. Yes, it does a few other things, but switching is its main job.

What the Failsafe board is:

- Reliable. Has never crashed a plane accidentally. (To the best of my knowledge, has never crashed a plane.)
- Fast - switches are hardware, not decoded and regenerated PWM.
- Supported by Happy Killmore's GCS.
- An easy way to interface an autopilot to a Digi XTend radio, or to interface a Digi XTend radio to a PC.
- A way to save some time, better spent on more interesting things.
- Well supported.

Areas of potential non-compliance:

There are some grey areas in the rules for the Search and Rescue Challenge. The Failsafe design philosophy has always been to allow the maximum possible chance that an aircraft can be recovered. This is not necessarily in accordance with the OBC rules. Two areas of potential non-compliance are:

1. RC override after flight termination has occurred. Was cited last year as a no-no. The Failsafe permits RC override under all circumstances. A simple workaround for this problem would be to not use the RC inputs on the Failsafe board. Instead, use the RC inputs on your autopilot. There are other workarounds, but they are more complex and require custom GCS. You may contact us to discuss them, if required.

2. Resumption of Autopilot control if heartbeat returns. The Failsafe will re-connect the autopilot to the servos anytime a valid heartbeat signal is detected. This does not appear to be specifically banned in the rules, but is probably not permitted.

Depending on demand, later this year a firmware version will be produced that addresses both of these issues. Existing boards can be upgraded with new firmware, but it will be a return to factory to change the microprocessor, with possibly a nominal charge.
Any boards manufactured after June 1, 2011 will be field upgradeable; this requires an AVR programmer and a little bit of skill. There is no charge for field upgrades.

Andrew Dunlop
Millswood Engineering
8th June 2011
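
The NRFT and geofence rules from the 8/8/11 update, modelled as a small latching state machine. This is an added illustration, not Millswood firmware: the type and function names, the tick-based timing, and holding the heartbeat-loss timer at zero while RC is selected are all assumptions.

```c
#include <stdbool.h>

/* Added model of the NRFT-enabled rules; all names are hypothetical. */
typedef enum { WAIT_FIRST_HEARTBEAT, ARMED, TERMINATED } fs_state;
typedef enum { LED_SOLID, LED_OFF, LED_FLASH_1HZ } fs_led;
typedef struct {
    fs_state state;
    unsigned timeout_ticks;  /* pre-programmed heartbeat-loss period (assumed unit) */
    unsigned silent_ticks;   /* ticks since the last processed heartbeat */
} failsafe;

void fs_power_up(failsafe *f, unsigned timeout_ticks) {
    *f = (failsafe){ WAIT_FIRST_HEARTBEAT, timeout_ticks, 0 };
}

/* One sample of the inputs. geofence_pin is the raw pin level (active low). */
fs_state fs_tick(failsafe *f, bool heartbeat, bool rc_selected, bool geofence_pin) {
    if (f->state == WAIT_FIRST_HEARTBEAT) {  /* waits indefinitely; geofence ignored */
        if (heartbeat) f->state = ARMED;
    } else if (f->state == ARMED) {
        if (!geofence_pin)                   /* terminates regardless of RC */
            f->state = TERMINATED;
        else if (heartbeat || rc_selected)
            f->silent_ticks = 0;             /* assumption: timer held while RC selected */
        else if (++f->silent_ticks >= f->timeout_ticks)
            f->state = TERMINATED;
    }                                        /* TERMINATED latches until power-down */
    return f->state;
}

fs_led fs_red_led(const failsafe *f) {
    return f->state == WAIT_FIRST_HEARTBEAT ? LED_SOLID
         : f->state == ARMED ? LED_OFF : LED_FLASH_1HZ;
}

/* RC can no longer be selected once flight termination has occurred. */
bool fs_rc_honoured(const failsafe *f, bool rc_selected) {
    return rc_selected && f->state != TERMINATED;
}

int main(void) {
    failsafe f;
    fs_power_up(&f, 3);
    fs_tick(&f, true, false, true);          /* first heartbeat arms the board */
    for (int i = 0; i < 3; i++) fs_tick(&f, false, false, true);
    return f.state == TERMINATED ? 0 : 1;    /* heartbeats stopped: terminated */
}
```
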