...
The Safety firmware runs on an STM32F0 microcontroller and it generates actuator commands for onboard servos and electronic speed controllers (ESC) using commands from our autopilot or ppm input form a hobby receiver. It contains five main modules: the ppm receiver module, which receives and packages ppm input from our hobby receiver; the inter-chip module, which receives and packages commands from our autopilot firmware; the Attitude Manager, which converts ppm and autopilot commands into actuator commands using PIDs and inverse kinematic (IK) modules; an IMU sensor driver, which provides data for our IK models to run; and a PWM module that sends actuator commands to our servos and ESCs. The safety firmware is purposefully designed to contain only the modules needed to allow for manual flight, helping the safety code base be as simple and reliable as possible. The figure below illustrates the architecture of the safety firmware.// Insert some diagram here…
...
In ZeroPilot, the autopilot firmware runs on a separate STM32H7 microcontroller. The decision to have the autopilot and safety firmware run on separate microcontrollers was made in order to ensure that there was a layer of redundancy. In this way, even the hardest failure in the complex autopilot firmware cannot crash the Safety firmware, which defaults to being human controlled in times of emergencies. The Safety and Autopilot microcontrollers communicate using Serial-Peripheral Interface as a result of the low complexity of the system and high data transfer speed. The figure below shows the safety firmware’s state logic. // Insert some diagram here…
...
The autopilot firmware, on the other hand, is responsible for gathering all sensor data and communicating with a ground station during normal operation. Using this information, it makes all decisions about what the aircraft needs to do and sends the commands to the safety firmware, which then uses the commands to generate actuator commands. The autopilot architecture consists of four FreeRTOS threads that each manage either a state machine, sensor data acquisition, or inter-chip communication. The two state machines are the Path Manager; responsible for navigation of the drone by instructing the safety firmware to generate actuator commands to achieve certain attitudes and airspeeds, and the Telemetry Manager; responsible for all communication with the ground station and onboard CV Jetson. At the same time, there will be a thread for the Sensor Fusion module, ensuring data is collected and fused at well timed intervals. There also is a thread dedicated to inter-chip communication between the autopilot and safety chips so information is passed at well-timed intervals. The figure below depicts these threads as well as the communication between them, with black arrows representing inter thread communication while the white arrows represent communication with an external piece of hardware.
// Insert some diagram here…
The firmware thus has the capability to fly the aircraft in a stable manner across any desired flight plan. Further, if so commanded, Path Manager can switch from flying mode to takeoff/landing modes. This allows fully autonomous takeoffs and landings.
Automation
Comms
Inter-thread communication on Autopilot
...