This article was originally published as
Cracau & Köthe (2020): "Medical Delivery in Urban Areas: The Power of Backup Systems and Hardware-in-the-Loop Simulation". European Drone Forum 2020, pp. 50-53.
A brief Introduction and Motivation
Unmanned aircraft in the class below 25 kg (sometimes even below 150 kg) typically have only a single redundant flight control system and data links to the ground. This means that even a single fault in the flight control system can endanger people, ground infrastructure or other aircraft. A current example is a lost survey drone in Britain, or a test drone from the renowned company UAV Navigation, which continued its flight uncontrolled after the communications link was broken . Redundant systems for unmanned aircraft are usually out of the question for reasons of cost and weight.
For this reason, AlphaLink Engineering GmbH develops a backup system, which ensures the safe operation of unmanned aircraft (initially: mass less than 25 kg). The backup system terminates the flight in a safe manner if a critical error occurs, e.g. in the flight control system. This backup system thereby provides a simple dissimilar redundancy. It is intended to enable the operation of unmanned aerial vehicles (UAV) in airspace where UAV are prohibited for safety reasons if a single failure can have critical consequences.
The paper describes the integration of the backup system into the flight control system of an existing UAV including the actuators used for flight control and the higher-level systems, from which the commands to the control systems come. In fault-free operation, the backup system behaves transparently, i.e. the commands of the higher-level systems are forwarded directly to the actuators. As soon as the backup system detects a fault, it reacts correspondingly.
With the followed approach, the backup system itself is safety critical and must be developed with processes like those used in manned aviation. However, these are not yet finally defined for this class of aircraft. The processes for the hardware and software development of complex safety-critical systems in aviation are extremely complex and represent an enormous hurdle for smaller companies developing UAV. This is true both in terms of cost and the necessary expertise and infrastructure. The backup function is much simpler than the overall flight control function. Hence, it is reasonable to assume a large-scale applicability of the system that justifies the single effort of the complex development process.
Since an unmanned aircraft with the backup system can continue to operate safely even in the event of a fault of certain higher-level systems, it can comply with the uniform European regulations for the operation of drones and, for example, enable flights beyond visual range (BVLOS).
The paper also presents an application for the backup system to enable large-scale delivery of medical equipment. As part of a cooperation with a Berlin-based drone manufacturer, a UAV will be equipped with the backup system for BVLOS flight. First target to perform BVLOS flights for fast and secure medical transportation will be the German capital region Berlin. In total, the presentation of technology and application of the backup system demonstrates the benefits of civil drone use in Germany and Europe.
Along the paper, first, the backup system that enables BVLOS operation is described. Second, the testing approaches are presented. Last, in the outlook section, upcoming challenges are discussed.
BVLOS Operation with a Backup System
The market for unmanned aircraft continues to grow. A great potential of such vehicles is that they can also cover greater distances out of sight. This section describes the developed backup system and its advantages. At the end of the section, a planned extension is discussed.
Backup System to Prove higher Operational Safety
To prove that the flight is possible even outside of visual range, drone operators must perform the Specific Operational Risk Assessment (SORA) analysis. Based on aircraft, equipment, and operational scenario, a risk assessment results, which allows or prohibits the operator to fly out of sight. If the drone operator uses a Flight Envelope Protection System, which was developed based on an industrial standard, she can significantly reduce her risk in terms of the SORA analysis and, thus, fly out of sight.
Such a system was developed, which is functionally safe and both separated and sufficiently independent from other subsystems of the drone. The concept provides for the permanent monitoring of the drone’s flight condition based on the measurement of attitude and rates. If the aircraft is outside its flight envelope, the system sends a signal to trigger a rescue system, which then launches a parachute. The backup system also monitors the position of the drone. If it flies, unintentionally, permanently into a forbidden area, the parachute can also be released. The same applies to impending collisions with other air traffic participants or the failure of other components, such as the battery or the radio connection.
The final system is based on a safety analysis, which has identified all critical points in the concept and secured them, for example, via redundancies. Functional safety and, thus, a safe flight out of sight can be guaranteed. The system can be used for both fixed-wing aircraft and copters. It complements existing hardware, such as the flight control computer, and due to its low weight, it can be integrated into many existing UAV.
The Advantage of Galileo-Based Position Data
Using Galileo as a primary source for position localization, dissimilarity is achieved and a single point of failure is excluded regarding determining the flight status of the drone in operation. The European system is more accurate than the secondary systems used: GPS or GLONASS.
It is planned to integrate a Galileo-enabled receiver into the backup system. The developed backup system aims to be a platform-independent component to be installed in existing and future drones. The GNSS position data are used to determine flight envelope and to check the flight path (geofencing). This in turn helps confirming the correct operation of the medical delivery drones. Because the Galileo data are a source of information independent from GPS data, dissimilarity is achieved and the backup system is qualified for safety-critical use, as required in drones. The specific equipment used is the receivers (hardware) that track the position information provided by Galileo and the software that allows interpreting the information in a correct way.
For the first time, the system itself introduces a platform-independent backup system for drone manufacturers/operators. This system is developed based on ISO 61508 to achieve functional safety. This will allow a safe operation, which protects people, objects and other air traffic participants (manned & unmanned). Using Galileo position data as part of the backup system to determine the correct flight path of the drone eventually enables BVLOS operation. The independent Galileo position data provide the possibility to guarantee a precise localization of the drone, which in turn helps to confirm correct (safe) operation of the delivery drone.
The next section reports about the last step of the development process: testing and validation.
Simulation and Testing
Before the actual operation of the new backup system, extensive testing of the component itself and of the complete UAV system is necessary. This testing is not only relevant with experimental systems, but rather highly needed to confirm the required safety of future commercial products .
Both, a hardware-in-the-loop simulation and a virtual flight test is applied to guarantee safety and operational comfort of the new solution.
Flight tests are expensive and time-consuming - every drone manufacturer is interested in ensuring that the flight test is successful and that the invested effort is worthwhile. Therefore, it is desirable to test as much as possible in advance.
Testing should be as close as possible to real flight tests and this is only possible with a hardware-in-the-loop (HiL) simulator. In HiL testing, the movement of the aircraft, the environment, and the sensors and actuators are replaced by a mathematical model. All other systems of the aircraft are tested in real life.
In cooperation with Vector Informatik, a HiL simulator was developed that can be used for Pixhawk flight control systems with CAN interface . In a Simulink model, the nonlinear flight dynamics and the behavior of sensors and actuators are simulated. Data is transmitted via the interface to the CANoe software and then prepared for transmission via CAN interface using a DBC. Using hardware from Vector Informatik, the data is sent via CAN bus. The Pixhawk runs the PX4 flight stack which was modified.
The software was modified on operating system level to allow CAN bus communication. In addition, the sensor driver model was modified so that instead of the sensor data the values from the flight simulation can be read in. Besides the commands to the real actuators, the commands are sent back to the flight simulation via CAN interface. The implementation allows that all other software packages, like the extended Kalman filter, the flight controller or the output module, run like in real flight test. Furthermore, interaction with QGroundControl and the remote controller is possible.
Through the graphical interface of a Virtual Flight Test Environment, the flight movement can be followed in the browser. In flight simulation, disturbance variables such as gusts and turbulence can be simulated. Moreover, sensors can deliberately send wrong values or fail completely. This allows a safe testing of the entire system and further increases safety in unmanned aviation. The simulation model can be created for any drone tailoring the HiL simulator to the operator/manufacturer needs. This means that the system can also be tested prior to flight testing, saving time and money.
A Digital Twin: Virtual Flight Test Environment
The Virtual Flight Test Environment (VFTE) is a web-based flight simulation that enables flight tests to be performed to test controllers without the need for additional tools. An unmanned drone can be flown using the keyboard (see picture below).
In the preview version that is available free of cost, the aircraft can be controlled directly, or the flight characteristics can be influenced by a controller .
The user can either take a perspective in which he is directly behind the drone or observe the drone’s movement from a fixed position on the ground. Displays allow the monitoring of flight parameters. In the mode where the user has a fixed position, the displays can be used as a ground station. Behind the movement of the aircraft is a non-linear flight dynamic that simulates the real flight behavior - in addition, the dynamics of sensors and actuators are simulated.
In fact, what are the primary use cases for the VFTE? Before pilots go into real flight testing, the flight behavior can be tested in the simulation. This reduces the risk of crashes. Before new control concepts are tested in practice, the concepts can be verified in the safe world of the virtual platform. System failures can be simulated in order to check the behavior in these exact cases of failure. The VFTE benefits every drone owner, every drone manufacturer and every researcher who wants to make sure that her real flight test is a success and saves costs. If demanded, any geographic area and any drone can be integrated into the VTFE. The web-based environment allows each stakeholder anywhere in the world to virtually test their copter or fixed-wing aircraft using a browser and keyboard only. The VTFE can be used in combination with the HiL simulator and the drone can be controlled directly via remote control or ground station.
The backup system solution addresses the current and expected upcoming EU drone regulations and their specific focus on safety and risk reduction. Following an initial, highly urgent application case with a local Berlin partner and its Labfly drone (see picture below), the solution was designed to fit with the needs of BVLOS drone delivery in Berlin. Having achieved that, it can be scaled to EU-wide applications following the harmonized regulations expected to come into effect by January 1, 2021. While BVLOS operation is already possible after individual approval in some cases, the backup system solution targets large-scale operation as a result from general flight approval, thereby enhancing the potential for drone delivery use across the continent.
Anticipating that third-country parties outside Europe will follow a well-functioning European solution, particularly in terms of future drone regulations, there seems to be a clear potential for positively impacting regions in Asia, where the medical drone delivery case is already started under a different regulatory framework.
Finally, further studies using the backup system and the delivery drone will be conducted to study the impact of integrated and decoupled transportation mechanism. This will be particularly important to evaluate the potential for medical drone delivery of different kinds, e.g. COVID-19 test kits or standard blood samples vs. aerial transportation of organs or other highly vulnerable goods.
D. Hambling, “Drone Crash Due To GPS Interference In U.K. Raises Safety Questions,“ Forbes, www.forbes.com/sites/davidhambling/2020/08/10/ investigation-finds-gps-interference-caused-uk-survey-drone-crash, 10 August, 2020.
A. Köthe, “Closed-Loop Flight Tests with an Unmanned Experimental Multi-Body Aircraft,” International Forum on Aeroelasticity and Structural Dynamics (IAFSD), 2017.
J. Hopf, J. Dommaschk, N. Block, R. Reinfeld, M. Krachten, P. Worrmann, D. Cracau, A. Köthe, “Unmanned Aircraft Experimental System – The Flying Lab for Applied Flight Control and Flight Mechanics,” 69th German Aerospace Congress, September 2020.
AlphaLink Engineering GmbH, “Virtual Flight Test Environment (VFTE),” www.vfte-alphalink.com, 2020.