Overview:
From the highest level, one can think of the entirety of the ZeroPilot software engine as a black box that takes in instructions from a ground station (about the flight plan, amongst other data) and outputs a series of actuator commands in order to fly the aircraft. ZeroPilot runs across 2 separate microcontrollers that communicate with each other over SPI. The first chip, "AutoPilot", is responsible for all aspects of autonomous flight except final control of the actuators. The second chip, "Safety", is responsible for relaying AutoPilot's instructions to the actuators and also for reading in a redundant telemetry link which may be used in the event of catastrophic failure. As a whole, ZeroPilot is designed to take care of everything from takeoff to level flight to landing; apart from collecting instructions from the ground station about where we want to go, it does all this without the need for any human intervention.
Software design
...
Safety
All firmware on this chip runs bare-metal, sitting only atop the HAL driver API. As seen in the flowchart, the Safety component of ZeroPilot consists of only 4 blocks. These are responsible for collecting data from AutoPilot as well as from the secondary telemetry link and, depending on whether an emergency has occurred, for sending either the AutoPilot instructions or the secondary telemetry link instructions to the actuators. The functionality of each Safety module is detailed in a child page of this one.
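As an added illustration of the source-selection step described above (this is example code written for this page, not ZeroPilot's own firmware), the following C shows how a bare-metal Safety loop could decide which command frame reaches the actuators. The frame layout, the `valid` flag, the `AUTOPILOT_TIMEOUT_MS` staleness limit, the 1000..2000 us pulse range and the `SOURCE_HOLD` fallback are all assumptions made here; the page only states that an emergency switches the output from AutoPilot to the secondary telemetry link.

```c
/* Added example of a Safety-chip command arbiter; not ZeroPilot project code.
 * Assumptions (not from the page): each received frame carries a tick timestamp
 * and a validity flag, an AutoPilot frame older than AUTOPILOT_TIMEOUT_MS is
 * treated as lost, and pulse widths are clamped to an assumed 1000..2000 us range. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define NUM_ACTUATORS 4
#define AUTOPILOT_TIMEOUT_MS 500u   /* assumed: tolerated silence on the SPI link */
#define PWM_MIN_US 1000u            /* assumed servo/ESC pulse range */
#define PWM_MAX_US 2000u

typedef struct {
    uint16_t pwm_us[NUM_ACTUATORS]; /* one pulse width per actuator */
    uint32_t received_ms;           /* tick count when the frame arrived */
    bool valid;                     /* framing/checksum passed (assumed field) */
} actuator_frame_t;

typedef enum {
    SOURCE_AUTOPILOT,   /* normal flight: forward AutoPilot's SPI commands */
    SOURCE_TELEMETRY,   /* emergency: forward the redundant telemetry link */
    SOURCE_HOLD         /* assumed fallback: neither usable, keep last output */
} command_source_t;

/* A frame is usable only if it passed validation and is recent enough;
 * unsigned subtraction keeps the comparison correct across tick wrap-around. */
static bool frame_fresh(const actuator_frame_t *f, uint32_t now_ms, uint32_t timeout_ms)
{
    return f->valid && (now_ms - f->received_ms) <= timeout_ms;
}

/* Clamps a commanded pulse to the assumed safe actuator range. */
uint16_t clamp_pulse(uint16_t v)
{
    if (v < PWM_MIN_US) return (uint16_t)PWM_MIN_US;
    if (v > PWM_MAX_US) return (uint16_t)PWM_MAX_US;
    return v;
}

command_source_t select_source(const actuator_frame_t *autopilot,
                               const actuator_frame_t *telemetry,
                               bool emergency, uint32_t now_ms)
{
    /* An emergency declared over the secondary link overrides AutoPilot outright. */
    if (emergency && telemetry->valid)
        return SOURCE_TELEMETRY;
    if (frame_fresh(autopilot, now_ms, AUTOPILOT_TIMEOUT_MS))
        return SOURCE_AUTOPILOT;
    /* AutoPilot silent or corrupt: assumed here to be handled like an emergency. */
    if (telemetry->valid)
        return SOURCE_TELEMETRY;
    return SOURCE_HOLD;
}

/* Writes the chosen frame into *out with each pulse clamped; on SOURCE_HOLD,
 * *out is left untouched so the last commanded positions persist. */
command_source_t build_actuator_output(const actuator_frame_t *autopilot,
                                       const actuator_frame_t *telemetry,
                                       bool emergency, uint32_t now_ms,
                                       actuator_frame_t *out)
{
    command_source_t src = select_source(autopilot, telemetry, emergency, now_ms);
    const actuator_frame_t *chosen = NULL;
    if (src == SOURCE_AUTOPILOT) chosen = autopilot;
    else if (src == SOURCE_TELEMETRY) chosen = telemetry;
    if (chosen == NULL)
        return SOURCE_HOLD;
    for (int i = 0; i < NUM_ACTUATORS; i++)
        out->pwm_us[i] = clamp_pulse(chosen->pwm_us[i]);
    out->received_ms = now_ms;
    out->valid = true;
    return src;
}

int main(void)
{
    /* Constructed sample frames: AutoPilot fresh, telemetry link idle. */
    actuator_frame_t ap  = { {1500, 1500, 1100, 1900}, 1000, true };
    actuator_frame_t tl  = { {1500, 1500, 1000, 1000},  990, true };
    actuator_frame_t out = { {0, 0, 0, 0}, 0, false };
    command_source_t s = build_actuator_output(&ap, &tl, false, 1200, &out);
    printf("source=%d pwm0=%u\n", (int)s, (unsigned)out.pwm_us[0]);
    return 0;
}
```

The point of the staleness check is that Safety should not keep forwarding whatever AutoPilot last sent if the SPI link goes quiet; the clamp guards the actuators against an out-of-range command from either source.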
AutoPilot
Firmware that runs on the AutoPilot chip does so atop FreeRTOS.
...