Different customers, different needs
Any system has a chance to fail. Like a child playing with a remotely controlled car that suddenly runs out of battery, we learnt that sometimes Murphy imposes his rule. Best case scenario is a life-lesson duly learnt. Worst case scenario is a lethal event. According to the feared event, corrective actions are to be taken to repel Murphy. Dependability considerations usually lead engineers to size these actions proportionally to the effects and occurrence of the feared event. Therefore redundancy is often tailored to decrease the expected frequency and/or criticality of a feared event according to the system specificities. This dysfunctional design is often difficult to achieve, because of the complexity of the trade-off that can lead to extensive costs to make a redundant unmanned vehicle.
From an abstract point of view, it is possible to make a whole unmanned platform redundant, like buying the child a second car. In the real world, the customer is not a spoilt child and has to pay for an enhanced safety. This is why inexpensive components are more often made redundant; on the other hand, it requires a deep understanding of the unmanned system to ensure that corrective actions are safer than the unmodified unmanned system. Such an understanding can be either quantitative or qualitative but there are common criterions:
- How often could this failure occur?
- How bad could it impact the unmanned vehicle?
From then on the solution relies on decreasing the error rate or its criticality, and even sometimes both at once.
How to go a bit further against Murphy
Detection means allow a further enhancement in failure treatment. Built-In Test (BIT) or Built-In Self-Test (BIST) as an example, is an auto-diagnostic tool detecting that a malfunction happened. Depending on the life phase, the failing component might be quickly replaced (use of Line Replaceable Unit, LRU for example) or the system can then adopt automatic behaviors to overcome the error. It may indeed be possible to implement a secondary way to achieve the function despite the failure (Fail-Operational, FO) or to go to a safe mode limiting the failure criticality (Fail-Safe, FS). FS strategies are usually considered easier and cheaper to implement than FO. Critical systems are often required to overcome double failures scenarios, thus achieving FO-FS or FS-FS behavior.
Customisable redundant unmanned systems provided by Embention, 4x Redundant Veronte Autopilot
Embention’s products allow the most customizable redundancy. Most obviously the autopilot itself can be easily made redundant using Veronte 4x (it even allows to mitigate with a third-party autopilot in order to avoid common failure modes). In addition, this redundant unit is actually a triplicated architecture (there are three built-in Veronte units) which makes possible to implement a majority vote as a nominal architecture and possibly ignoring a failing autopilot as safe mode (“fail-operational” behavior). Anyway, the arbiter is configurable, so that the best choosing strategy can be flawlessly implemented: discarding the autopilot whose sensors are the noisiest for example, and more…
A simpler option might consist of using Veronte units as a LRU and using the power-up BIST to decide if it needs to be replaced or not. This highly relies on the operational conditions and on a high inventory availability. Therefore safety is achievable in a limited number of scenarios but operational flexibility is not. This is an example of a “fail-safe” behavior being favored instead of a “fail-operational” behavior.
Being in itself highly configurable, it is also possible to teach Veronte how to detect a sensor or actuator failure and therefore adopt its controlling parameters. This not only overcomes the failure but decrease the operator’s workload. Such a gain is critical when dealing with swarms for example.
All these needs are highlighted in together with the possible need to make the ground station redundant as well. Indeed, making the ground station redundant is a great way to leverage failures risks in the scenario of a swarm, since the ground station redundancy profits to the whole swarm.
Any user will appreciate the possibility to tailor safety measure as easily as it can be done with Embention’s products. Not only will this contribute to safety but it will also expand mission success probability while improving flexibility. Murphy is still there but in fewer, thinner details.