Safety Architecture

Owned by Sahil Kale
Last updated: 2021-10-14 by Dhruv Rawat
3 min read

The two components making up ZeroPilot’s firmware system are the safety firmware and the autopilot firmware. The Safety firmware runs on an STM32F0 microcontroller and is responsible for running attitude management and actuating the servos and electric speed controllers. It also reads ppm input from a hobby receiver. Figure 3.1 illustrates the inputs and outputs of the safety firmware.

The Attitude Manager is a new addition to the Safety controller for the 2022 UAS competition as a result of the requirements to run math models on remote-controller inputs when flying a hexacopter.

Figure 3.1: The inputs and outputs of Safety

During regular flight, where both Autopilot and ground data are being received by safety, the Decision Module is responsible for selecting the correct commands to send into the Attitude Manager. For example, if we want to fly the plane in autonomous mode, the Decision Module will ignore the data sent in via PPM so the drone can be flown autonomously. Likewise, if we want to fly the plane in manual mode, the Decision Module will ignore the data sent by Autopilot and only send the PPM input commands through the Attitude Manager.

The decision to have the autopilot and safety firmware run on separate microcontrollers was made in order to ensure that there was a layer of redundancy. In this way, even the hardest failure in the complex autopilot firmware cannot crash the Safety firmware, which defaults to being human controlled in times of emergencies. The Safety and Autopilot microcontrollers communicate using Serial-Peripheral Interface (SPI) as a result of the low complexity of the system and high data transfer speed. Figure 3.2 shows the safety firmware’s state logic.

 

Figure 3.2 Safety State Machine (PWM Manager is the same as Attitude Manager)

Sensors

The Safety controller has an IMU (BMX160) connected via I2C that feeds accelerometer, gyroscope, and magnetometer data to the Attitude Manager. This is needed to run the math models that allow for stable flight when generating the PWM values.

Attitude Manager

The Attitude Manager was previously on the Autopilot chip pre-2022 UAS competition. It’s main purpose is to convert commands sent via the PPM controller and Autopilot chip into PWM values for all actuators. In the context of a hexacopter, the PWM values will determine the power output of the motors while for a fixed winged aircraft it will also include the position of the elevators, rudder, etc.

More information on the composition of Attitude Manager can be found in the Attitude Manager documentation on the ZeroPilot Confluence page.

FreeRTOS

FreeRTOS is leveraged by Safety for the IMU, PPM control receiver, and Decision Module/Attitude Manager. With our current design, the IMU will run at 150 Hz, the PPM control receiver will run at 150 Hz, and the Decision Module/Attitude Manager will run at 100 Hz.

Interchip will run on an interrupt-based system.

Interchip Communication

The autopilot and safety chip communicate with SPI. @Aaditya Chaudhary to write more here.