AUTOPILOT FAILURE RESILIENCE
Corvus intelligently manages 2 autopilots and automatically switches from primary to secondary autopilot if necessary:
Single point of failures must not lead to loss of vehicle stability. Therefore both autopilots are being monitored during normal operation, therefore redundancy can be guaranteed.
During normal operation there are no additional tasks for the user, vehicle control does not differ from not having Corvus installed. In the background both autopilots are constantly being monitored. If secondary autopilot is not ready for taking over controls, lack of redundancy is being reported over mavlink. If primary autopilot fails when secondary autopilot is not capable of taking over, a parachute can be chosen as an additional backup. If Corvus’ software ever crashes – your vehicle will continue to operate with the default controls and primary autopilot stays in control!
AUTOPILOT COMPATIBILITY
- 3V3/5V PWM INPUT < 1khz (individually configurable for both autopilots)
- 3V3/5V PWM OUPUT < 1khz
- MAVLink protocol with arm/disarm/flight mode control
- connector boards pin compatibility for
- Pixhawk pinout (RC | SBUS | 8 x PWM-SIGNAL)
- Cube carrier board pinout (RC | 8 x PWM-SIGNAL)
- Custom breakout board for self-soldering
FUNCTIONAL DESCRIPTION
Both autopilots’ pulse width modulated (PWM) signals (and mavlink status messages) are constantly being analyzed by dutycycle and frequency. EKF filters can also be chosen to trigger a fail over event. When signals don’t represent a valid PWM signal to the speed controllers, corvus checks if secondary autopilot’s status and PWM signal is healthy:
If the 2nd autopilot is ready for takeover, all controls (PWM signal, remote controls and telemetry) will be handed over.
If the 2nd autopilot is not ready (armed & valid PWM signals) for takeover during normal flight, you will be informed over mavlink.
The secondary autopilot will only be armed by corvus when arming of the primary autopilot is detected. Corvus does NOT control (especially arm or disarm) the primary autopilot.
Corvus is not an autopilot on it’s own. It is an objective instance to surveille 2 autopilots. For redundancy, choosing 2 different autopilots (in terms of soft- and hardware) is the optimal choice for resilience. Backup autopilots must support MAVLINK protocol including arming and flight mode control.
PWM signal thresholds (frequency, dutycycle, amount of PWM signals) & many more details are customizeable through Mission Planner!
If
- Primary autopilot is armed
- PWM signals exceed their allowed boundaries/fail to be produced (configurable)
- OR
- EKF STATUS exceeds limits (configurable)
AND
- Secondary autopilot is armed
- Secondary autopilot provides valid PWM signals
-> Corvus switches controls to secondary autopilot
PWM SIGNAL MODULE
- Triple redundant power supply: 2 x onboard 5VDC rails & external 5V supply from servo rail (up to 12VDC)
- Default state: pass through of primary’s autopilot PWM signal (no intervention from Corvus needed)
- Overvoltage protection: isolates the autopilot from the ESCs (electronic speed controllers) or servos on the pwm rail
- Input signal 3V3 or 5V independently for each autopilot
- Output signal 3V3 or 5V independently from input signal
