Failsafe Device

The Millswood Engineering Failsafe Device is designed to fulfil the failsafe requirements of the Australian UAV Outback Challenge. This event requires search and rescue aircraft to have an on-board failsafe device that activates if the autopilot or communication link fails for more than 5 seconds.

In the case of the UAV Outback Challenge, the Failsafe will usually be configured to manage flight termination, but for day-to-day use a Failsafe can do a lot more than just put your UAV into a death spiral.

UAVs tend to be infested with a huge number of electronic devices, all wired together with a giant rats' nest of cables. The Failsafe integrates many of these bits and pieces into a single device, providing a central point of connection and greatly simplifying a UAV's wiring.

Apart from a lot of messy wiring, a Failsafe eliminates:

• Voltage regulator / BEC - there's a high-efficiency 2 Amp switching power supply on the board. 5V and 6V outputs.
• Radio modem carrier board - the Digi XTend telemetry radio plugs straight in. Mounting hardware included.
• Autopilot / RC multiplexer - the 8-channel muxes are implemented entirely in hardware for predictable signal latencies.
• Payload controller - the PTZ has 4 channels awaiting your command. Hardware PWM with 12-bit timing resolution.
• RS232 / TTL level converters - 2 full-duplex pairs of converters on the board. 5V tolerant / 3.3V compatible inputs.
• Redundant power supply logic and switches - in combination with a ServoStation all the heavy lifting has been done.

Principles of operation

The Failsafe and Failsafe PTZ provide reliable control surface and engine management in the event of autopilot, communications or power system failure. The PTZ version sacrifices 4 failsafe channels to provide 4 channels of payload control - nominally pan, tilt, zoom and trigger.

Failsafe operation is similar to a deadman switch: a heartbeat must be detected on a regular basis or the failsafe will activate. When activated the failsafe takes control of all servos and drives them to predetermined failsafe positions. The failsafe positions are fully programmable, and do not have to result in flight termination.

Activation of the Failsafe is highly configurable: it can be enabled, disabled, triggered manually or automatically, there are multiple heartbeat sources that may be used separately or in combination, the timing is programmable as is the heartbeat string, and failsafe activation can be reported on the downlink with yet another programmable string.

Radio control may be resumed any time a valid RC signal is present, even after the Failsafe has activated and taken control of the aircraft. The 4 payload channels of the PTZ also have failsafe positions, but telemetry control resumes immediately after activation and continues for as long as the uplink remains viable.

Programming

The failsafe programmer is a free application that provides an easy way to configure all features of the Failsafe and Failsafe PTZ. You can even use it to control up to 8 servos in realtime using just your mouse or keyboard.

The programmer requires the Microsoft .NET framework v2.0 (or later) installed in order to run.

Source code is available on request.

Application: A typical 4-channel failsafe system

This is a block diagram of a 4-channel failsafe system showing RC receiver, autopilot, telemetry radio, failsafe and servos.

The failsafe works by monitoring the telemetry stream for a heartbeat string. This string is user defined, and can be generated by the Ground Control Station (GCS) or the autopilot. Monitoring a GCS generated string ensures that both the uplink and autopilot are working. Monitoring an autopilot generated string only ensures that the autopilot is operational.

If the heartbeat string stops, then the autopilot is disconnected and the internal PWM generator takes over, sending the servos to their pre-defined failsafe positions.

The telemetry radio doesn't have to be a Digi XTend - a generic radio connector is provided so that any suitable radio modem can be used.

Application: Failsafe system with redundant power supplies

This is a block diagram of a failsafe system with redundant power supplies.

Both the ServoStation and the failsafe device are 8 channels wide throughout, leaving plenty of room for other functions such as camera pan & tilt, landing gear, parachute release, etc.

Application: A joystick controlled aircraft with RC override

Joystick controlled aircraft:

Because the Failsafe includes a precision 8 channel serial servo controller, it is a simple matter to connect a joystick to a PC and fly an aircraft using the telemetry radio link. No autopilot is required, and if you're really adventurous, no RC either!

How it works:

If the failsafe timeout period is set to zero, then timeout will occur at power-up and the serial servo controller will always be selected instead of the autopilot. This reduces the multiplexing logic to a single multiplexer (mux2) that selects between RC and the serial servo controller.

The groundstation hardware consists of a joystick, a PC, and a suitably interfaced telemetry radio. Obviously some software is needed to run on the groundstation PC, and we've chosen to use RoboRealm:

Joystick controlled 4 channel aircraft:

Proportional joystick control of ailerons, elevator, throttle and rudder. Includes trim and direction reversal on all channels, and settings are automatically saved to disk. See the comments in the VBScript for more details.

Joystick controlled flying wing:

Proportional joystick control of elevons and throttle, and joystick fire button operates servo 4. Includes trim and direction reversal on all channels, and settings are automatically saved to disk. See the comments in the VBScript for more details.

And here are the same 2 files, but with 50% exponential on ailerons, elevator (or elevons) and rudder:

Homepage | ServoStation | Failsafe Device | Downloads | Links | Purchase | About Us | Contact