Monday, February 13, 2017

"Spam in a can"

Reports are circulating of person-carrying, fully autonomous, battery-powered drones entering the marketplace later this year.   Can it be done safely?

The vehicle is the EHang 184.

Net weight is 240 kg, with a payload of another 100 kg - 340 kg gross weight  (750 lbs).

Motors for the EHang 184 have also been upgraded to the third-generation iteration, as have the electronic speed controllers. This new motor can conduct sweep frequency experiments and detect real-time motor speed and motor rotation. EHang had to develop its own flight control system, which currently has full redundancy design with two system sets, each with two sets of sensors that can communicate with each other. The flight control system has begun to conduct simulation tests based on virtual prototype. Also in the third-generation variant is the battery management system. The upgrade is a high-pressure version with greater battery capacity.

It would appear that the EHang 184 has two sets of four motors operating independently.

It can only be assumed that each flight control setup is capable of "landing safely" on its own, provided the other flight control system is not actively opposing it.

How can these vehicles be shown to satisfy expected certification criteria?

Would these vehicles be best for experimental demonstration only, and under highly restricted flight profiles, and with additional safety measures in case of emergency?

The technology to facilitate automated flight has been progressing steadily in both cost and capability.   

The wide-spread adoption of personal flying camera drones and the heavy investment in self-driving (autonomous) cars has spurred an obvious intersection - creating a flying drone capable of carrying either packages or even people.

In my post from Feb, 2015, I contemplated the challenges of package delivery, including a discussion of ways to minimize the public concerns from noise and intrusion.
Amazon Prime Air: If you can't beat them?
Here I am taking another step when considering that an autonomous vehicle may carry a passenger.

Fully autonomous operation, without pilot controls, represents a significant advance in the state of the art, but it lies along the same direction as the electronic stability and control enhancements already in service.

But, before looking deeply at the US FAA regulations (AC 27-1B), just think of the obvious safety challenges - the hazards that must be managed.  

This is not a formal document, just sharing my personal impressions of the challenges faced with certificating autonomous drone technology.

With news accounts proliferating, the manufacturers should be forthcoming with their overarching architectural strategies that can convince the public that their designs are suitable.

Any certification exercise should address the concerns raised here, and there should be an overt effort to ensure that any approvals are appropriate.


Fail-Safe implies an architecture that accommodates a first (and subsequent) failure(s) in a response that is safe. 

The high-level statement that is marketed: the drone will land safely upon any failure.

Landing safely implies that the descent and touch-down are done in a controlled manner, and that a suitable landing zone is within range.

Autonomous cars have the option to simply stop (even if in the middle of a freeway) with a good likelihood of survival.   Flying objects have no such option, and thus must accommodate failures with more capability, and especially to not endanger those overflown.

11 March 2017 - I wonder if one method that may gain favor is use of a parachute to deploy in the event of loss of controllability or loss of lift.  With the potential for fire, perhaps the entire cabin deploys from the "base", leaving behind all the power pack and the motors, and deploying a parachute for final descent. Star Trek featured such a detachable concept on the Enterprise, and Cirrus has famously added a parachute in case of engine failure.


The hazards considered here are:

1) Loss of control
2) Loss of guidance
3) No suitable landing zone within range

Acceptable Failure Rate

A failure rate for each motor can be applied to an exposure window (time) to predict the probability of an individual motor failure.

The probabilities of independent failures multiply, so a second, independent failure within the same window is much less likely than the first.

Common-mode failures apply to all redundant elements at once, such that all redundant motors may fail together; multiplying does not apply to them.

Coordinating multiple motors so that the vehicle remains controllable is effectively an autopilot.

The autopilot commands, the ability of each motor to follow them, and how each element accommodates its internal failures represent the challenges of reliable system engineering.

Commercial avionics struggle to achieve an MTBF above 10,000 flight hours, even using industrial-grade components that are capable of operating across a wide temperature range and under the full environmental stress of flight.

Consumer grade equivalents would be more likely to have MTBF between 1,000 and 10,000 flight hours, conservatively modeled at 1,000 hours (1E-3 failures per flight hour).

If commercial grade, then modeled at 1E-4 failures per flight hour.

FAA AC 23.1309-1E expresses a strategy for assessing reliability against hazard severity.

The level of risk (the failure rate) for catastrophic failure modes is progressively more stringent as the airplane gets bigger and heavier.

The Joint Authorities for Rulemaking of Unmanned Systems (JARUS) offers a translation of xx.1309 criteria to remotely piloted aircraft systems (RPAS).

RPAS.1309 expresses complexity levels (CL) that reflect the level of automation.

Complexity level III (autonomous) are not covered at the time of the latest publication.

For complexity level II, the catastrophic failure rate should be 1E-7 per flight hour or less, and software should be developed to design assurance level B.

Note 3 expresses that there can be no single failure leading to catastrophe.

The EHang 184 operates with a remote pilot, but the reliability of the radio link may not be 100%, which matters more when a person is on board.  In that case some degree of autonomy is expected.

It must be presumed that EHang184 is being designed at complexity level II, but this may have significant operational restrictions, in particular the availability of a backup remote pilot.

It should be noted that EHang refers to the model 184 as autonomous.

Autonomous operation may require a failure rate of 1E-9 per flight hour and DAL A software; however, this has not been published.

EHang has been marketing their remote pilot facility.

It may be possible to achieve a 1E-7 failure rate with a dual hardware configuration.  Two identical, fully independent channels, each with a failure interval of 3,162 hours (about 3.16E-4 per flight hour), combine to 1E-7 per flight hour, provided there is no single critical path shared between them.

It takes three independent 1E-3 systems, combined, to achieve a 1E-9 failure rate (for loss of control).

A dual combination of systems, each with an independent failure interval of 31,623 hours (about 3.16E-5 per flight hour), could theoretically achieve 1E-9.

The failure modes would have to be accounted for, with particular emphasis on any modes that cause loss of motor control or otherwise render the surviving channel inoperative.
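To make the arithmetic in this section concrete, here is an added worked example that is not code from the post and not anything EHang has published.  It carries the post's figures (1E-3 and 1E-4 per flight hour, a one-hour exposure window, dual and triple channels) through a simple AND-gate combination, and then applies a beta-factor common-mode model, a standard reliability-engineering simplification assumed here for illustration, to show why a small shared fraction of failures dominates the budget.

```python
"""Failure-rate budgeting for redundant channels, in the units the post uses
(failures per flight hour, MTBF in flight hours).  Added worked example; it is
not code from the post or from EHang.  The beta-factor common-mode model and
the example beta values are assumptions for illustration."""
from math import exp


def p_fail(rate_per_hour: float, hours: float = 1.0) -> float:
    """Probability one element fails during an exposure window, assuming a
    constant failure rate (exponential life).  For small rate*hours this is
    approximately rate*hours, which is why 1E-3/hr is treated as 1E-3 per flight hour."""
    return 1.0 - exp(-rate_per_hour * hours)


def p_all_independent_fail(rate_per_hour: float, n_channels: int, hours: float = 1.0) -> float:
    """AND gate: every one of n identical, fully independent channels fails in the window."""
    return p_fail(rate_per_hour, hours) ** n_channels


def required_mtbf_per_channel(target_per_hour: float, n_channels: int) -> float:
    """MTBF (hours) each of n identical independent channels needs so that the
    probability of losing all of them is `target_per_hour` per flight hour."""
    per_channel_rate = target_per_hour ** (1.0 / n_channels)
    return 1.0 / per_channel_rate


def p_system_fail_beta(rate_per_hour: float, n_channels: int, beta: float, hours: float = 1.0) -> float:
    """Beta-factor model: a fraction `beta` of each channel's failures is common
    to all channels (shared software, shared power bus, lightning) and takes
    them all out together; the remaining (1-beta) fails independently."""
    common = p_fail(beta * rate_per_hour, hours)
    independent = p_fail((1.0 - beta) * rate_per_hour, hours) ** n_channels
    return common + independent


def meets_target(p_per_hour: float, target_per_hour: float) -> bool:
    """True when the per-flight-hour probability is within the certification target."""
    return p_per_hour <= target_per_hour


if __name__ == "__main__":
    # The post's figures: consumer grade 1E-3/hr, commercial grade 1E-4/hr.
    for rate in (1e-3, 1e-4):
        print(f"rate {rate:.0e}/hr: dual -> {p_all_independent_fail(rate, 2):.2e}, "
              f"triple -> {p_all_independent_fail(rate, 3):.2e}")
    print(f"dual channel for 1E-7: {required_mtbf_per_channel(1e-7, 2):,.0f} h each")
    print(f"dual channel for 1E-9: {required_mtbf_per_channel(1e-9, 2):,.0f} h each")
    # A 1% common-mode fraction wipes out most of the benefit of duplication.
    for beta in (0.0, 0.01, 0.1):
        p = p_system_fail_beta(1e-3, 2, beta)
        print(f"beta={beta:.2f}: dual 1E-3 channels -> {p:.2e}, meets 1E-7? {meets_target(p, 1e-7)}")
```

With beta at zero the dual 1E-3 configuration lands just under 1E-6, but a 1% shared fraction pushes it to about 1.1E-5, two orders of magnitude off the 1E-7 target; that is the arithmetic behind the post's insistence that common-mode failures be managed by design rather than by duplication.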

Loss of control

Loss of control captures the "inner-loop" aspects of managing the velocity, position, and attitude of the vehicle.

A typical drone will rely entirely on differential propulsion for inner-loop control.  

It is not apparent that a drone using a set of small electric motors and propellers has any ability to "wind-mill" or "auto-rotate" when there is no power to spin the motors.  Therefore a minimum number of electric motors and propellers must remain available in order to maintain control of the vehicle, even if level flight cannot be maintained.

Most drones will accommodate failures by "modularizing" the propulsion such that one or more of the motors can fail without losing control.

Some failures lead to loss of function, the motor stops.

Some failures lead to loss of control of a motor, in which case the motor may operate at any speed, or erratically.

It takes a minimum of three motors with suitable radial separation to maintain control.

A four-motor setup (quad-copter) allows any one motor to fail, relying on the remaining three motors to make up the lost lift while each remains controllable.

A means to resolve disagreement is essential, and having more channels to compare helps: with nine motors (3 motors x 3 axes), each motor could contribute its own flight control solution, and a majority vote could reject as many as four plausible-looking but failed solutions.

A dual system runs into difficulty when each channel believes itself to be valid yet the two disagree: with only two voters there is no majority to break the tie.
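The quad-copter and nine-motor cases above, worked as a k-of-n survivability calculation with a majority-vote margin.  This is an added example, not code from the post or from EHang; the split of motor failures into "stops" and "runaways" follows the post, while the detection-coverage figure and the assumption that nine motors need five valid votes are illustrative.

```python
"""Propulsion survivability as k-of-n, and what majority voting can and cannot
absorb.  Added worked example, not code from the post or from EHang.  The
detection coverage and the nine-motor vote threshold are assumptions."""
from math import comb


def p_loss_k_of_n(n: int, k: int, p: float) -> float:
    """Probability that fewer than k of n independent motors survive the window,
    when every failure is benign (the motor simply stops).  p is the per-motor
    probability of failure in the window (1E-3 for a one-hour flight at 1E-3/hr)."""
    return sum(comb(n, j) * p ** j * (1.0 - p) ** (n - j) for j in range(n - k + 1, n + 1))


def tolerated_bad_voters(n: int) -> int:
    """A majority vote over n plausible-looking control solutions can outvote
    at most (n-1)//2 wrong ones: 4 of 9, 1 of 3, and none of 2."""
    return (n - 1) // 2


def p_loss_with_runaways(n: int, k: int, p: float,
                         runaway_fraction: float, detection_coverage: float) -> float:
    """Per-motor three-state model over the window:
        stop    : p*(1-r) + p*r*c   (a runaway that is detected and isolated behaves like a stop)
        runaway : p*r*(1-c)         (undetected: it fights the controller at an arbitrary speed)
        ok      : 1 - p
    Control is lost if any undetected runaway exists, or fewer than k motors remain ok.
    Exact multinomial enumeration over the (runaway, stop, ok) counts."""
    p_run = p * runaway_fraction * (1.0 - detection_coverage)
    p_stop = p - p_run
    p_ok = 1.0 - p
    loss = 0.0
    for run in range(n + 1):
        for stop in range(n - run + 1):
            ok = n - run - stop
            if run >= 1 or ok < k:
                loss += (comb(n, run) * comb(n - run, stop)
                         * p_run ** run * p_stop ** stop * p_ok ** ok)
    return loss


if __name__ == "__main__":
    p = 1e-3  # one-hour flight at the post's consumer-grade 1E-3/hr
    print(f"quad, 3 of 4 needed, benign stops only: {p_loss_k_of_n(4, 3, p):.2e}")
    print(f"nine motors, 5 valid votes needed:      {p_loss_k_of_n(9, 5, p):.2e}")
    for n in (2, 3, 9):
        print(f"{n} voters can outvote {tolerated_bad_voters(n)} bad solution(s)")
    # Half of failures are runaways and 90% of those are caught: the undetected
    # remainder dominates, because a single one defeats the whole quad.
    print(f"quad with runaways (r=0.5, c=0.9): {p_loss_with_runaways(4, 3, p, 0.5, 0.9):.2e}")
```

The benign-stop quad figure is about 6E-6 per flight hour, already worse than the 1E-7 complexity-level-II target in the post, and the runaway case is dominated by the undetected runaway term: detection and isolation coverage, not motor count, is what the "valid but failed" solution in the post turns on.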

Loss of Guidance

Guidance provides a pathway for directing control, the outer-loop.   

A failure of guidance in instrument meteorological conditions (IMC, where flight is conducted under instrument flight rules, IFR) makes a catastrophe close to inevitable.

Autonomous vehicles inherently fly on instruments, whatever the weather.

A manual override of the guidance function, if at least to refine the landing spot, could have benefits if used appropriately, but may be hazardous if misused.

Radio navigation, whether satellite based or using terrestrial radio-navigation aids, inherently requires a receiver and a signal.  

The loss of the signal is beyond the control of the vehicle.

Loss of the radio signal should be treated as a likely event, and the design should ensure that it cannot by itself cause any significant difficulty.

Accuracy of a valid received signal may not be assured.

Confidence of a received position may not be measurable.

Multiple receivers may offer an accommodation for any single receiver failure, unless the failure produces data that diverge from the others while still appearing valid.

Reliance on internal sensors provides a healthy alternative to external dependency, but may be limited in fidelity or capability. 
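The receiver-divergence problem above, worked as a small source-selection routine.  This is an added example, not code from the post or from any EHang design; the receiver names, the local north/east metre frame, the divergence limit and the status labels are all assumptions for illustration.

```python
"""Position source selection when several receivers disagree.  Added worked
example, not code from the post or from any EHang system.  Receiver names,
the local-frame positions, the divergence limit and the status labels are
assumptions for illustration."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

Pos = Tuple[float, float]


@dataclass(frozen=True)
class Fix:
    source: str      # hypothetical receiver name
    valid: bool      # the receiver's own validity/lock flag
    north_m: float   # constructed position in a local frame, metres
    east_m: float


def mid_value(values: List[float]) -> float:
    """Mid-value select: the median rejects one wild value out of three
    without having to decide which receiver is the wrong one."""
    s = sorted(values)
    return s[len(s) // 2]


def select_position(fixes: List[Fix], divergence_limit_m: float) -> Tuple[Optional[Pos], str]:
    """Returns (position, status).  Status is one of
       'voted'     three or more valid receivers agree within the limit
       'divergent' three or more valid, mid-value used, but a valid-looking receiver
                   is outside the limit (accuracy not assured; guidance should be told)
       'degraded'  one or two valid receivers that agree; no majority to vote with
       'lost'      none valid, or two valid receivers that disagree (no tie-breaker)"""
    good = [f for f in fixes if f.valid]
    if not good:
        return None, "lost"
    if len(good) >= 3:
        n = mid_value([f.north_m for f in good])
        e = mid_value([f.east_m for f in good])
        spread = max(max(abs(f.north_m - n), abs(f.east_m - e)) for f in good)
        return (n, e), ("voted" if spread <= divergence_limit_m else "divergent")
    if len(good) == 2:
        a, b = good
        if (abs(a.north_m - b.north_m) <= divergence_limit_m
                and abs(a.east_m - b.east_m) <= divergence_limit_m):
            return ((a.north_m + b.north_m) / 2, (a.east_m + b.east_m) / 2), "degraded"
        return None, "lost"
    f = good[0]
    return (f.north_m, f.east_m), "degraded"


def dead_reckon(last_pos: Pos, velocity_mps: Tuple[float, float], dt_s: float) -> Pos:
    """Internal-sensor fallback when status is 'lost': integrate the last known
    velocity from the last trusted position.  Error grows with time, which
    bounds how long the vehicle may continue before it must land."""
    n, e = last_pos
    vn, ve = velocity_mps
    return (n + vn * dt_s, e + ve * dt_s)


if __name__ == "__main__":
    # Constructed fixes: three receivers, the third one wandering 500 m away
    # while still reporting itself valid.
    rx1 = Fix("rx1", True, 100.0, 200.0)
    rx2 = Fix("rx2", True, 101.0, 199.0)
    rx3_bad = Fix("rx3", True, 600.0, 200.0)
    print(select_position([rx1, rx2, rx3_bad], divergence_limit_m=10.0))
    print(select_position([rx1, rx3_bad], divergence_limit_m=10.0))   # two that disagree
    print(dead_reckon((100.0, 200.0), (5.0, -2.0), 10.0))
```

Three receivers let the selector discard a valid-looking outlier and still report that something is wrong; two receivers that disagree can only be reported as lost, which is the dual-channel tie problem again, and the vehicle falls back to integrating internal sensors from the last trusted position.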

No Suitable Landing Zone

The intended flight path may be formulated to ensure that a suitable landing zone is within range, based on a set of assumptions regarding available vehicle capability and underlying weather patterns.

Operating in heavy winds may require adjustments to flight paths to ensure that a vehicle will drift towards the safe landing zone.

Operation over water or rugged terrain would introduce new system features.  For example, over-water operation may require some form of flotation device.

Operation over rugged terrain may require extraordinary measures.  For example, carrying an emergency balloon or parachute.

Other Factors

Use of a ground party to take control of the drone in the event the guidance function is compromised relies on an available control channel between the drone and the ground controller.

The ground controller would need adequate awareness of the vehicle position and have adequate controls available.

Use of high-storage-energy devices (batteries) creates concerns over fire and fire propagation.

Fire is a big concern overall.

Common-mode failures are manifested in hardware and in software.

Common software failure modes must be managed through rigorous design, development, and test - and cannot be realized for high reliability as an after-thought.

Using isolated software development teams to guard against common-mode failures can be beneficial.

Shared requirements can undermine that independence, since an error in a common requirement propagates into every implementation built from it.

Vehicles in flight may be struck by lightning, which can exert considerable effects upon connected electrical devices and structural components.

Vibration resulting from failure of structural components or through mismanaged controls may have considerable widespread effects, whether manifested rapidly or progressively over many flight-cycles.

Avoiding unexpected encounters with other flying objects in a fully autonomous vehicle implies the ability to detect any flying threat in a timely manner.  This may include birds or other vehicles.  

A fully autonomous vehicle presents challenges integrating into any air traffic control system that relies entirely on voice as the backup to automation failures or in urgent situations.

It may be required to demonstrate continued controllability after taking a bird strike.

Icing and heavy moisture may represent challenges for the propellers, propulsion, control, and guidance.

Smoke and cabin flammability would be high concern items.

Stay tuned!

Peter Lemme
peter @

Follow me on twitter: @Satcom_Guru

Copyright 2017     All Rights Reserved

Peter Lemme has been a leader in avionics engineering for 35 years. He offers independent consulting services largely focused on avionics and L, Ku, and Ka band satellite communications to aircraft. Peter chairs the SAE-ITC AEEC Ku/Ka-band satcom subcommittee developing PP848, ARINC 791, and PP792 standards and characteristics. 

Peter was Boeing avionics supervisor for 767 and 747-400 data link recording, data link reporting, and satellite communications. He was an FAA designated engineering representative (DER) for ACARS, satellite communications, DFDAU, DFDR, ACMS and printers. Peter was lead engineer for Thrust Management System (757, 767, 747-400), also supervisor for satellite communications for 777, and was manager of terminal-area projects (GLS, MLS, enhanced vision).

An instrument-rated private pilot, single engine land and sea, Peter has enjoyed perspectives from both operating and designing airplanes.  Hundreds of hours of flight test analysis and thousands of hours in simulators have given him an appreciation for the many aspects that drive aviation; whether tandem complexity, policy, human, or technical; and the difficulties and challenges to achieving success.
