Overview
...
From the highest level, one can think of the entirety of the ZeroPilot software engine as being a black box which takes in instructions from a ground station (about the flight plan, amongst other data) and outputs a series of actuator commands in order to fly the aircraft. ZeroPilot runs across 2 separate microcontrollers that communicate with each other over SPI. The first chip, “Autopilot”, is responsible for all aspects of autonomous flight except attitude management and actuator control. The second chip, “Safety”, is responsible for attitude management (generating PWM values for the actuators) and sending instructions to the actuators. Safety is also used for reading in a redundant telemetry link which may be used in the event of catastrophic failure.
As a whole, ZeroPilot is designed to take care of everything from takeoff to level flight to landing. Apart from collecting instructions from the ground station about where we want to go, it does all this without the need for any human intervention.
Software design
...
Safety
The safety firmware on this chip is run bare-metal, sitting only atop the HAL driver API, and is made to contain the bare minimum required to perform manual flight. As seen in the flowchart, the safety component of ZeroPilot consists of only a few blocks. These are responsible for collecting data from Autopilot as well as from the secondary telemetry link. Depending on whether an emergency has occurred or not, the Decision Module will send either Autopilot or telemetry information into the Attitude Manager. The Attitude Manager then converts the inputted data into PWM values that are sent to the actuators. The functionality of each Safety module is detailed in a child page of this one.
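The source selection described above can be sketched as follows. This is an added example, not ZeroPilot code: the `cmd_t` layout, the 200 ms staleness limit, the rule that a stale Autopilot frame counts as an emergency, the neutral failsafe output and the 1000 to 2000 µs pulse range are all assumptions, and the PWM functions are only a stand-in for the Attitude Manager's output stage.

```c
#include <stdbool.h>
#include <stdint.h>

/* Assumed command format; the page does not define one. */
typedef struct {
    float roll, pitch, yaw;  /* normalized -1..1 */
    float throttle;          /* normalized 0..1 */
    uint32_t rx_ms;          /* tick when the frame arrived */
    bool valid;              /* framing/checksum passed */
} cmd_t;

typedef enum { SRC_AUTOPILOT, SRC_TELEMETRY, SRC_FAILSAFE } source_t;
#define LINK_TIMEOUT_MS 200u /* assumed staleness limit */

/* A frame is usable only if it parsed cleanly and is recent.
 * Unsigned subtraction stays correct across tick wraparound. */
static bool fresh(const cmd_t *c, uint32_t now_ms) {
    return c->valid && (uint32_t)(now_ms - c->rx_ms) <= LINK_TIMEOUT_MS;
}

/* Decision Module: Autopilot normally, telemetry link in an emergency.
 * Assumption: a stale or invalid Autopilot frame counts as an emergency,
 * and with no usable source the output is neutral with throttle cut. */
source_t decide(const cmd_t *ap, const cmd_t *tel, bool emergency,
                uint32_t now_ms, cmd_t *out) {
    if (!emergency && fresh(ap, now_ms)) { *out = *ap; return SRC_AUTOPILOT; }
    if (fresh(tel, now_ms)) { *out = *tel; return SRC_TELEMETRY; }
    *out = (cmd_t){ 0.0f, 0.0f, 0.0f, 0.0f, now_ms, true };
    return SRC_FAILSAFE;
}

/* Stand-in for the Attitude Manager output stage: reject NaN, clamp,
 * then map to a 1000..2000 us servo pulse (assumed range). */
static float clampf(float v, float lo, float hi, float dflt) {
    if (v != v) return dflt;                 /* NaN never reaches a servo */
    return v < lo ? lo : (v > hi ? hi : v);
}
uint16_t surface_pwm_us(float v) {           /* -1..1 -> 1000..2000 */
    return (uint16_t)(1500.0f + 500.0f * clampf(v, -1.0f, 1.0f, 0.0f) + 0.5f);
}
uint16_t throttle_pwm_us(float v) {          /* 0..1 -> 1000..2000 */
    return (uint16_t)(1000.0f + 1000.0f * clampf(v, 0.0f, 1.0f, 0.0f) + 0.5f);
}
```

Checking freshness on both inputs means a hung SPI link or a dropped telemetry radio cannot leave the actuators holding the last received command indefinitely.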
...
Autopilot
Firmware that runs on the Autopilot chip does so atop FreeRTOS.
The entirety of the autopilot consists of two managers (telemetry and path), a sensor fusion engine, a series of peripheral drivers, and an inter-chip driver. All these components are run at strict rates. The managers each live inside their own threads, as do the sensor fusion module and the inter-chip driver. The drivers are grouped together based on how often they refresh. For instance, all sensor drivers that refresh at 200Hz live inside the same thread. Most drivers, however, will be used across 2 threads, one for beginning a transaction, and one for using the data (this is detailed in the “Sensors” child page).
...