R/C Systems Redundancy

Murphy’s Law: If something can go wrong, sooner or later it WILL go wrong !

The aim of this paper is to give practical guidance to new operators of glider Tugs, and other large models, in the 7kg to 20kg weight bracket in order to minimise risk resulting from equipment malfunction. Above 20kg, specific systems and structural requirements must be met within an accepted inspection scheme. The specialist body for model aircraft above 20kg in the United Kingdom is the LMA, who should be consulted early in the design and construction stages of such aircraft. We do not intend to revisit the full provisions of the Air Navigation Order (ANO) here, but it must be recognised that final responsibility for safe operation rests with the operator of the flying machine. This paper concerns ‘Avionics’ systems and the aerodynamic surfaces to which those outputs are directed; it is assumed throughout that the structure of the model is sound and remains airworthy. For large gliders, slightly different requirements apply, see CAP 658.
There is no such thing as an uncrashable aeroplane, and no “Final Answer” to the most appropriate system configuration; the permutations are almost endless. The suggestions in this paper are offered to stimulate thought during the design of an onboard control system. The options available to a builder range from “Adopt none of these proposals” to “Adopt all of these proposals”. Other than specific requirements of the ANO (see below), none of the configurations suggested should be interpreted as being mandatory. However, several common threads do emerge for good system design and “Best Practice” which will contribute to meeting the legal requirements of the ANO and to the ability to safely recover a model which has suffered some sort of control malfunction.

Note 1: Training advice is offered for some of the malfunctions which can safely be practiced. Until you are thoroughly familiar with your model’s handling characteristics, make sure you conduct such practice at least ‘three mistakes high’. One of the purposes of this paper is to get pilots to think of how they might overcome different malfunctions. No matter what your level of skill, you are far more likely to cope if you have indulged in such ‘Hangar flying’ before the event. Modern software engineers think that the concept of ‘virtual reality’ is a modern manifestation – whereas aviators have been practicing this for decades before the transistor was even invented !

Note 2: When all appears lost … Whatever malfunction afflicts you, never give up until all movement has ceased. Fly the model all the way to the crash site – all is not lost until there is actually a smoking hole in the ground. You may discover after all that you do retain enough control to minimise the effect of the failure. Remember Neil Williams who suffered a (fullsize) main spar failure in the air. Quick thinking and instinct had him invert the aircraft, whereupon the wing returned to a mechanically stable condition. The roll to upright on Finals was a moment of fine judgement, both of timing and for the correct direction of rotation ! If you do manage to retain control, don’t rush your approach to terra firma. Take time to work out just how much control you do have and plan accordingly.

Note 3: The views below are drawn from the inputs of other ScaleSoaring contributors and experienced Tug pilots. Further contributions are welcome. This is intended to be a ‘living’ document which remains responsive to all valid inputs. If you have an observation, alternative view, or criticism, please pass your thoughts via the Moderator of the Tugs Forum.

Note 4: Different model flying organisations may seek compliance with specific criteria before flying is allowed on their sites. It is always prudent to confirm such details before travelling to any site where you have not flown before.

Basic Systems Philosophy for Failure-tolerance

Modern RC systems are surprisingly reliable, but no manufacturer will commit to any statement on mean time between failures (MTBF) and it is not certain that such figures would be meaningful anyway. Sooner or later, malfunction WILL occur; therefore it is desirable that installations are designed such that no single failure within the Flight Control System shall result in total loss of Flight Path Control. Whilst this approach might appear ultra-cautious for ‘normal’ models, the considerations involved are worth exploring. For Primary Flight controls (Aileron, Elevator, Rudder), the implication is that failure of the relevant control (stuck at any achievable flight position) can be overcome by aerodynamic forces generated by one or more of the remaining control surfaces. For Secondary functions (Throttle, Tow Release, etc.) some alternative action can be taken which will maintain Flight Safety. A further assumption is that the model is landed as soon as a ‘reversionary’ mode is encountered (see Note). The probability of double failure during this brief period of recovery should be extremely remote (therefore acceptable). This all sounds idyllic. However, there are dangers in inappropriate complexity; it is very easy to design-in liability to Common-Mode Failure [CMF]. This is discussed in more detail below. “CMF” appears at several places in the text where this risk arises.

Note: Until the model is safely on the ground, there is no certainty what the failure has actually been. A failed/stalled servo can rapidly drain even a backed-up battery system and so time for recovery should be minimised.

The requirements of the ANO apply to all flying machines but model aircraft below 20kg are granted exemptions from all but a few key clauses which are clearly stated in the BMFA Handbook and the CAA CAP 658 (see References at the end of this paper). As well as wanting to take a serviceable model home at the end of a good day’s flying, it is the responsibility of the operator to ensure that any risk to persons or property resulting from that flying activity is reduced to as low as is reasonably practicable (the ALARP principle). Despite our best efforts, technical and human-error accidents will continue to happen but insurers and any subsequent legal defence will acknowledge the pursuit of ALARP. There will always be some trade off between system complexity and reliability.

Common-Mode Failure [CMF]

Otherwise known as a “gotcha !” When designing systems for redundancy, all the good work can be negated by a CMF. A simplified definition is any single component failure which can have an undesirable effect on apparently separate systems. Safety-critical systems (Primary Flight Controls) must be carefully examined end-to-end to ensure that CMFs are not present. A good example is the Battery Backer, where receiver power-source redundancy is achieved by automatic sensing and switching of separate batteries to ensure that the Rx and servos continue to receive power after a failure of the primary source, or its switch and leads. However, if the output of that backer is then a single lead and connector to the Rx, failure of that one component negates all the good work going on upstream. (Remember Murphy’s Law.)

Notwithstanding battery backers or how sophisticated the transmitter mixing and the number of independent servos driven from Slave channels at the Rx, a single transmitter and receiver combination is itself a glaring example of CMF. Double receiver installations are discussed below, as too is the consideration of a ‘standby’ transmitter.

Throttle

During loss of signal, the Failsafe device should return the throttle to a benign (idle ?) setting (see paragraph 27). Closing the throttle to actually shut an IC engine down is an option but this may not be too smart if flight path control is subsequently regained. In the case of servo failure, a completely separate control (choke, fuel cutoff, or ignition ‘kill’ switch ?) can produce the same function. With twin Rx, or using Slave Channels, it is possible to mechanically mix the outputs of separate servos. However, this does present a Common-Mode Failure [CMF] if the final link or throttle arm itself fails. This latter risk can be mitigated by the presence of a spring on the throttle barrel, which will close the throttle in the absence of any other mechanical input (see also paragraph 31 below). This ‘closing spring’ is true of Walbro carbs, but note that many ‘glow’ engine carbs have an internal spring which will tend to OPEN the throttle if it is free to do so ! (When that happens, the fuel tank is sure to be full – Sod’s Law.)

Tow Release

An experienced Tug pilot will always try to return with the towline still attached, as long as it does not compromise the safety of his own machine. A well briefed glider pilot will get to his own release switch on the second part of the call “Release, Release, RELEASE !” He knows that if he has not let go by the third command, he will be dumped anyway. For the Tug itself, the consensus appears to be that a Failsafe setting which releases the towline as well as closing the throttle is not always ideal. This is because a relatively minor ‘glitch’ during the takeoff could unceremoniously, and unnecessarily, dump the glider in a poor, or even dangerous, recovery position. If the Tug’s release system fails, the Glider’s own release constitutes an adequate reversionary mechanism for the Tug/Glider combination. The probability of both releases failing simultaneously is extremely remote. It is for the Tug pilot to decide which option he is most comfortable with.

Elevator

Redundancy is achieved by having two separate halves, driven by separate servos. A failed servo will often freeze in its last commanded position and full deflection is unlikely to coincide with the moment of failure. However, some signal processing malfunctions can lead to servo runaway to full travel and so this failure mode must be considered. The worst case is then a failed servo which has run away to full available travel; the other servo should be able to oppose it aerodynamically, leaving Pitch control forces just balanced (see Note). Some Pitch control may subsequently be achievable by use of Throttle and/or Flaps. If there is a ‘down’ bias, try flying inverted. With a double Rx installation, each Rx drives one of the separate surfaces. The option of inverted flying may not seem appropriate to models such as large Cubs or others not normally considered ‘aerobatic-capable’. However, this remains an option to attempt in extremis, where the only alternative is a certain crash in an undesirable location.

Training: Note the effects of Flap and any Throttle/Pitch aerodynamic coupling. Become competent at flying inverted (with a suitable model) for prolonged periods.

Note: With such differential on the Elevator sections (one full UP, one full DOWN), a significant Roll component may be present.

Ailerons

Single Rx installation: Separate servos for each wing can be driven from separate channels if suitable Tx (Master/Slave) mixers are available, otherwise from a ‘Y’ lead off a common Rx output [CMF]. The worst case is a failed servo which runs to, or jams at, full available travel. If it is still receiving a position input, the other servo will be able to oppose the failure aerodynamically, leaving control forces just balanced. The only remaining Roll control will be that achieved by the Secondary effects of Yaw (Rudder). A model with poor Rudder authority (specifically, Yaw-Roll coupling) will not be well placed, but it should at least be possible to have more choice over the eventual crash site.

Double Rx installation: Separate Aileron outputs to servos in each wing. One possibility is one Rx output to the Port Aileron, the other Rx to the Stbd Aileron. If multiple Aileron sections are used, perhaps outputs from one Rx drive the Stbd outer and Port inner surfaces, and the other Rx goes to the Port outer and Stbd inner, so that each Rx system can generate equal values of Roll power. Failure of one servo is easily overcome by the remaining servos. Failure of one complete Rx system leaves the same situation as in paragraph nine above, except that the probability of both servos failing at full travel is remote.

Training: Initiate the practice by leaving Ailerons at neutral and attempt to control Roll with Rudder. Start with zero Aileron and progressively work towards a small fixed deflection as experience grows with use of the Rudder for Roll control. Make sure that you are familiar with the spinning and stall characteristics first.

Rudder

Split rudders are rarely seen; however, this may be the only truly failure-tolerant configuration (see Note). The handling effect of a failed servo at full available travel will depend very much on the Yaw/Roll coupling of the airframe. If full Rudder deflection cannot be contained/overcome by the Ailerons, control of the aircraft may quickly be lost. It is possible to link separate servo outputs mechanically (‘Y’ lead, Master/Slave channels, or two separate Rx). However, like the Throttle, this control remains at risk of a Common-Mode Failure in the final linkage. In this case such mechanical failure is probably benign: if the Rudder centre of pressure lies behind the hinge line (which would be normal), failure of the linkage will allow this control surface to float freely in the airstream, leaving little or no residual Yaw effect. If a closed-loop linkage fails, Rudder authority may still be available in one direction.

Note: It would be interesting to experiment here, too. With modern Tx mixing the two rudder halves could form an effective airbrake.

Training: Similar to Aileron malfunctions, but this time initiate the practice by setting a fixed Rudder deflection. Practice controlling your aircraft at high sideslip angles. Start with gentle Rudder deflections and progressively work towards full deflection as experience grows. Make sure that you are familiar with the spinning and stall characteristics first.

Flaps

Good design will ensure that any achievable Flap position can be stabilised by the available Elevator authority. In that case, loss of Rx signal to the Flap servos is likely to be benign. With multiple servos and dual receivers, the inner/outer section arrangement discussed under ‘Ailerons’ could be used, but in this case each separate Rx should drive ‘matched’ surfaces (one Rx to both inner sections, the other Rx to both outer sections) such that failure of one Rx will not introduce a rolling moment. Unless the Flaps on both wings are connected mechanically, any single servo failure is likely to generate a significant rolling moment. When activating a powerful control such as Flaps, it is good practice to keep your finger on the activating Tx lever/switch until the desired/expected effect is seen. If an undesired roll is introduced, control the flight path with Aileron (plus Rudder if necessary), but your instinctive response should be to return the Flap control to its previous position; then you can work out what went wrong. (All the fullsize pilots should be nodding their heads at this stage.)

Training: With no Flap deflection, practice flying the circuit with Elevator grossly out of trim. Then practice trimming the aircraft throughout the speed range at all available Flap settings.
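The receiver-to-surface splits recommended under ‘Ailerons’ and ‘Flaps’ can be checked arithmetically before any wiring is done. The following is an added example, not from the paper; the relative roll ‘arms’ (outer 1.0, inner 0.6) and the receiver labels A and B are constructed assumptions.

```python
"""Roll-authority bookkeeping for splitting wing surfaces between two receivers.

Added illustrative code; the arm values are constructed, not measured.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Surface:
    name: str
    side: int    # +1 starboard, -1 port
    arm: float   # relative roll effectiveness of the surface (constructed)
    rx: str      # receiver whose servo drives this surface


def aileron_roll_power(surfaces):
    """Roll power each Rx can generate when the surfaces act as ailerons.
    Opposite wings deflect in opposite senses, so every surface adds roll in
    the same direction and the side sign drops out."""
    power = {}
    for s in surfaces:
        power[s.rx] = power.get(s.rx, 0.0) + s.arm
    return power


def aileron_split_is_balanced(surfaces, tol=1e-9):
    """True when both receivers command equal roll power, so losing either Rx
    reduces authority without biasing it to one side."""
    a, b = aileron_roll_power(surfaces).values()
    return abs(a - b) <= tol


def flap_moment_after_rx_loss(surfaces, failed_rx):
    """Net rolling moment when the flaps on `failed_rx` stay up and the
    surviving Rx lowers its own. Flaps go the same way on both wings, so each
    contributes with the sign of its side; matched pairs cancel. The sign
    says which wing carries the extra flap lift."""
    return sum(s.side * s.arm for s in surfaces if s.rx != failed_rx)


def flap_moment_after_servo_loss(surfaces, failed_surface):
    """Net rolling moment when one flap servo fails and its surface stays up
    while every other flap deploys (no mechanical cross-connection)."""
    return sum(s.side * s.arm for s in surfaces if s.name != failed_surface)


def flap_split_is_matched(surfaces, tol=1e-9):
    """True when loss of either receiver leaves no rolling moment."""
    return all(abs(flap_moment_after_rx_loss(surfaces, rx)) <= tol
               for rx in {s.rx for s in surfaces})


OUTER, INNER = 1.0, 0.6   # constructed relative arms

# Ailerons crossed as the paper suggests: Rx A drives Stbd outer + Port inner,
# Rx B drives Port outer + Stbd inner.
AILERONS_CROSSED = [
    Surface("stbd outer", +1, OUTER, "A"), Surface("port inner", -1, INNER, "A"),
    Surface("port outer", -1, OUTER, "B"), Surface("stbd inner", +1, INNER, "B"),
]

# Flaps matched as the paper suggests: one Rx to both inners, the other to both outers.
FLAPS_MATCHED = [
    Surface("stbd inner", +1, INNER, "A"), Surface("port inner", -1, INNER, "A"),
    Surface("stbd outer", +1, OUTER, "B"), Surface("port outer", -1, OUTER, "B"),
]

# The aileron cross-pairing wrongly applied to flaps: an Rx loss now rolls the model.
FLAPS_CROSSED = AILERONS_CROSSED

if __name__ == "__main__":
    print("aileron power per Rx:", aileron_roll_power(AILERONS_CROSSED))
    print("flaps matched, lose Rx A:", flap_moment_after_rx_loss(FLAPS_MATCHED, "A"))
    print("flaps crossed, lose Rx A:", flap_moment_after_rx_loss(FLAPS_CROSSED, "A"))
    print("flaps matched, lose stbd inner servo:",
          flap_moment_after_servo_loss(FLAPS_MATCHED, "stbd inner"))
```

The last line of output illustrates the paper’s point that a matched split protects against Rx loss but not against a single flap servo failure.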

Multiple Battery Sources

Single Rx installation: Where a Battery Backer circuit is used to feed the Rx from two separate batteries, two distinctly separate systems provide power to the Rx through separate switches. If one source fails, the other will take over without interruption (good so far). Whilst this is better than a single power source, it does have a weakness. Unfortunately, a CMF exists between the Battery Backer and the Rx power input. Failure of that single connection could still remove all power from the Rx, leaving even separately powered servos with no control position signal. This risk can be mitigated somewhat by arranging for a second power lead from the backer into the Rx using the “+” and “-” pins of a spare Rx servo connection. This CMF must also be considered if Opto-isolators are battery-backed.

Double Rx installation: Each Rx will have its own dedicated power source (and switch). Addition of a second battery and associated Battery Backer to each of these Rx is possible, but is considered an unnecessary complication. Failure of either one of these single sources still leaves the other Rx operating and control of the aircraft should be maintained, albeit degraded. The chance of such power failure leaving the servos of that Rx at full travel is remote. If an obvious Failsafe or Telemetry warning is not triggered by the failure event, the malfunction will probably be detected by the need for greater than expected deflections at the Tx sticks for any given aircraft response.
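To see how the single backer-to-Rx lead from the Common-Mode Failure section undoes most of what the two batteries buy, here is an added fault-tree calculation for the four power arrangements discussed here (illustrative code written for this page, not from the paper). The per-flight component failure probabilities are constructed numbers; only the ranking and the share taken by the single lead are the point.

```python
"""Fault-tree arithmetic for the Rx power paths discussed in the paper.

Added illustrative code. The probabilities are constructed, not measured.
"""

# Constructed per-flight probability that each component type fails.
P = {
    "battery": 1e-3,   # cell or pack failure
    "switch": 5e-4,    # one switch (see 'Switches')
    "lead": 5e-4,      # one lead plus its connector pair
    "backer": 2e-4,    # battery-backer sensing/switching electronics
}


def series(*ps):
    """Failure probability of a chain where ANY one independent part failing
    breaks the path (e.g. battery -> switch -> lead)."""
    survive = 1.0
    for p in ps:
        survive *= 1.0 - p
    return 1.0 - survive


def parallel(*ps):
    """Failure probability of redundant independent paths where ALL must fail
    before the function is lost."""
    fail = 1.0
    for p in ps:
        fail *= p
    return fail


def single_source():
    """One battery -> one switch -> one lead into the Rx: no redundancy."""
    return series(P["battery"], P["switch"], P["lead"])


def _backer_input():
    """Two independent battery+switch paths feeding the backer."""
    path = series(P["battery"], P["switch"])
    return parallel(path, path)


def backer_single_lead():
    """Battery backer with ONE lead from backer to Rx: that lead is a CMF in
    series with everything upstream of it."""
    return series(_backer_input(), P["backer"], P["lead"])


def backer_dual_lead():
    """Same backer, plus a second power lead into the '+'/'-' pins of a spare
    Rx channel, so the two leads form a parallel pair."""
    return series(_backer_input(), P["backer"], parallel(P["lead"], P["lead"]))


def dual_rx():
    """Two receivers, each on its own single battery/switch/lead. Total loss of
    Rx power needs both independent chains to fail in the same flight."""
    return parallel(single_source(), single_source())


def cmf_share():
    """Fraction of the single-lead backer's failure probability contributed by
    the one downstream lead on its own."""
    return P["lead"] / backer_single_lead()


def ranking():
    """All four installations, least to most likely to lose all Rx power."""
    results = {
        "single source": single_source(),
        "backer, single lead [CMF]": backer_single_lead(),
        "backer, dual lead": backer_dual_lead(),
        "dual Rx": dual_rx(),
    }
    return sorted(results.items(), key=lambda kv: kv[1])


if __name__ == "__main__":
    for name, p in ranking():
        print(f"{name:28s} P(no Rx power) = {p:.2e}")
    print(f"share due to the single downstream lead: {cmf_share():.0%}")
```

With these constructed figures the single downstream lead accounts for roughly seven tenths of the backer installation’s total, which is the ‘gotcha’ the text describes.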

Switches

All switches in powered aircraft live a harsh life. Under ideal conditions, contact life is advertised in hundreds of thousands of reliable operations. However, in our environment, that is asking a lot. Always use a switch that is operating well inside its contact ratings and protect it from fuel, exhaust fumes, dust etc. Using two sets of contacts in parallel will hugely enhance reliability. A four pole switch (contacts in parallel) in any power lead will put the odds even more in your favour. The best place for any switch is inside the airframe, perhaps activated by a pushrod or lever through to the outside world. Even better, the switch actuator would live under a guarded hatch so that it could never be snagged by the towline or other outside influence.

Connectors

The most frequent source of malfunction in Avionics systems is found in connectors. For example, incorporation of a servo extension lead doubles the number of connectors in that one channel and thereby increases the probability of failure. Ensure that all connectors are mechanically supported and mating halves cannot be inadvertently separated. Keep connectors scrupulously clean and protect them from fuel, oil, dust etc. Like multi-pole switches, if you can use connectors where each signal and power lead uses at least two pins, reliability will be significantly increased, especially those where frequent connection/disconnection is made (e.g. wing servos). With most RC receivers you are limited by what the manufacturer has given you and that is one reason why a dual-receiver installation becomes an attractive way of simply achieving redundancy and better systems reliability. Do not trust friction alone to retain servo and power connectors to the Rx; some form of mechanical restraint should also be used to ensure that these connectors cannot work loose in flight. That applies to the Rx crystal too.

Leads & Cables

Loose cable runs should be gathered up and supported. Allowance must be made for the movement in flight of key components supported by vibration-absorbing material, but care taken to avoid applying mechanical stress to connectors. Unnecessarily long cables are undesirable and, to minimise stray signal pickup, ‘spare’ power and signal carrying leads should not be formed into coils. The exception here might be when Ferrite rings are used, in accordance with established practice, to filter out such stray signals coming into the Rx via power and servo leads. Keep all power leads well away from the antenna.

Opto-Isolators

These are devices which are added in series with the Rx servo outputs to give total signal isolation from outside sources. An ‘Opto’ is often employed when long extended servo leads are prone to generating ‘glitching’ interference or adversely affect Rx range. Whether a Battery Backer is used for the Rx or not, embodiment of an Opto-Isolator requires a separate power source for the servos downstream of it. The Rx supply is then only required to supply the small RF and signal output currents and can be correspondingly sized. For true redundancy, it would be necessary to have a separate Battery Backer for the heavier servo supply too (see Common-Mode Failure [CMF] above). If dual receivers are used, each should have its own separate opto and associated servo battery.

Transmitters

Any sort of Tx failure while airborne is a traumatic experience ! Some lucky people have managed to change depleted batteries while a relatively stable model is at altitude. Some have even suffered from the battery falling out and managed to replace it before the aircraft became ‘terminal’. Aerials have fallen out or been broken off. RC transmitters are increasingly sophisticated devices using microprocessor and memory chips. While these are built and tested to accepted standards for compliant RF emissions, they are not devices which are EMP hardened. Mobile phones HAVE affected settings, but there is also a finite possibility of a passing Cosmic Ray resetting a single memory latch, which could theoretically change the modulation from PPM to PCM ! That would really not be your day. You may scoff at this, but even ‘hardened’ Avionics systems suffer from unaccounted mode shifts, which sometimes go away after a full system reset. ‘Real’ Flight-Safety critical systems usually require at least three levels of redundancy, often with different software coding, which is way beyond what we are considering here. Transmitters may also contain several potential CMFs: one battery, one switch, etc. Failure can be initiated by something as simple as a single drop of rain landing on the crystal holder and running down to lodge between the pins. Some transmitters seem almost designed (unintentionally) to encourage this ! Even if oscillation does not actually cease, the frequency could be shifted enough to significantly degrade contact with the Rx.

As operators of RC models, our only real reversionary position would be to have a separate (Emergency) Tx available on the same frequency, and with the same basic settings. Tug pilots are advised to have a ‘caller’ with them, and that person could carry this standby Tx at readiness to switch on if required. However, unless the defect is obvious, it might take some time to determine that any loss of Flight Path Control was due to the Tx rather than the airborne elements.

Failsafes

For models between 7kg and 20kg, CAP 658 states:

A serviceable ‘fail-safe’ mechanism should be incorporated to operate on loss of signal or detection of an interfering signal. For example on a power driven model this should operate, as a minimum, to reduce the engine(s) speed to idle.

Minimum requirement is that the throttle is closed to a setting that ensures that the model returns to earth. The tow release has been discussed above (paragraph 8). Discussion on flight control settings in prolonged Failsafe mode is contained in a separate briefing thread.

When choosing your failsafe settings, remember that many ‘loss of signal’ events are transient, lasting for only a second or so. It is not advisable to choose Failsafe control positions that will cause the model to depart from stable flight during such ‘glitches’ because when control is (hopefully) resumed you might have to recover from an unwanted extreme attitude. RF behaviour at 35MHz can appear strange and is sometimes affected by climatic conditions. Surface features such as power cables or wire fences can cause reflections that may confuse the Rx and a change of Tx aerial orientation can often improve the situation. It has been noted that twin Rx installations with differing antenna orientations seem to be more resistant to this type of signal ‘outage’.

Battery Maintenance

Onboard systems with the levels of redundancy implied in this paper will contain several critical, but separate power sources. It is advisable to monitor the amount of charge required by each of these batteries after any flying session. This will validate earlier calculations made to ensure that adequate capacity has been chosen to match expected loads and airborne time. With the easy availability of Delta-peak chargers, increasing numbers of operators of large/heavy models now give a monitored top-up charge before each flight. Periodic full cycling is strongly recommended to ensure that there has been no long-term loss of battery capacity. Comprehensive advice for battery charging is freely available elsewhere. It is sufficient to say that unnecessary use of fast charging at high currents does not enhance battery longevity.

Servo Types

Analogue/Digital etc. The type of servo connected to each control surface in your model could have an effect on behaviour after either a control signal failure or loss of supply voltage. Many Digital servos will allow the surface to ‘blow back’ when power is removed or lost. Furthermore, some Digitals can be programmed to adopt a predetermined ‘Failsafe’ position if power remains but the position signal is lost. The permutations are considerable and therefore have not been factored into the paragraphs above. However, servo characteristics must be considered when analysing the aircraft handling effects of each potential failure. One good example might be the use of a small Digital servo with a coreless motor for the throttle, with a throttle-closing spring placed in the final linkage. The servo will easily overcome this light spring when normal DC power is available; the characteristic of free rotation when servo power is lost can then be used to advantage.

Typical Installation Options

Figs 1 to 4 below are examples of typical R/C installations showing basic functions (Throttle, Elevator, Rudder, Ailerons, Tow Release) only. Additional functions may be added as required. Connectors and battery charging arrangements are omitted. Where a Failsafe is shown, this may be a discrete stand-alone device or part of the Rx circuitry, depending on the equipment manufacturer. An alternative is to use a Digital servo which has a pre-settable Failsafe function.

References & Links

More detailed information may be obtained from the following sources:

a. Civil Aviation Authority Safety Regulation Group

CAP 658. Model Aircraft: A Guide to Safe Flying. This publication is ‘essential reading’ and contains a synopsis of the applicable parts of the ANO and other good advice derived in consultation with bodies such as the BMFA and LMA. The latest version of this document is available in electronic format (.pdf) at: www.caa.co.uk

Note: It is understood that CAP 658 will be revised in the near future.

b. BMFA Handbook available from: www.bmfa.org

c. Large Model Association: www.largemodelassociation.com

Appropriate aeronautical sayings:

a. Sod’s Law: “When it does go wrong, it will be at the worst time and place.”

b. “Take offs are optional – landings are mandatory.”

Last updated 20 Dec 05

M.S. (aka ‘Spike’)

With thanks and acknowledgement to Dave Hoare for supportive comments during preliminary drafts.
Cartoons with acknowledgement to Tugg Wilson.
(Commercial use not permitted without permission of the artist)


Figures