Embention’s Veronte Autopilot 4x is a highly reliable control system engineered to endure basic failures, ensuring a ‘fail-operational’ capability even in the event of a malfunction.
Ensuring Power Redundancy
Power redundancy plays a vital role in sustaining system reliability. The Veronte Autopilot 4x is equipped with four distinct power inputs: one for each of its three cores and an additional one for the referees. Each core operates independently and is safeguarded with fuse protections, ensuring that a power failure in one core does not affect the others.
The referees also have power redundancy, featuring duplicated feed pins for each core. This design establishes independent power domains for internal peripherals, distributing power to the various components in a reliable and fault-tolerant manner.
3+1 Redundancy Architecture
The Veronte Autopilot 4x consists of three internal cores (Veronte Autopilot 1x) and allows for the integration of a fourth external autopilot, which can be sourced from Embention or other manufacturers.
All autopilots possess the capability to manage the vehicle, with an arbitration process determining which core should assume control based on a redundancy protocol. Should a core fail, the referees will identify the issue and select the appropriate core to ensure continuous vehicle control.
Management of Redundancy
The referees gather data from the various autopilot cores, each of which performs built-in self-diagnostic tests (BITs) and relays its status through a watchdog signal, aiding in the detection of malfunctions. The cores transmit status updates and voting data to the referees via two redundant communication buses, which the referees utilize to determine which core should govern the vehicle.
Resilience Against Referee Failures
In the rare case of a referee failure, mechanisms are in place to guarantee that at least one autopilot maintains control. If a referee fails to produce an output signal, core 1 is automatically selected. Given the referee’s failure, no additional core failures are expected.
I/O System Robustness
The redundancy within the system is designed to enhance overall vehicle reliability. To mitigate critical failure points, redundant actuators and essential components should be utilized. These devices can connect through multiple ports on the autopilot, with internal management of communication redundancy.
A thorough redundant system design should take into account autopilot outputs and power sources to minimize single points of failure. For communication buses such as RS232 or RS485, the output (Tx) is managed by the core chosen by the referee, while input data (Rx) is received by all cores through individual buffers, thereby reducing potential failure points.
Signals like PWM and GPIO are handled by independent multiplexer banks, and in the event of a multiplexer failure, alternative I/O options are activated.
Integrated Flight Termination System
The Veronte Autopilot 4x also incorporates a hardware-independent referee voting mechanism that can serve as a Flight Termination System (FTS) in the event of a catastrophic failure involving all three autopilot cores.
These features position the Veronte Autopilot 4x as one of the most resilient redundant control systems available. Its compact and lightweight design makes it particularly suitable for managing autonomous vehicles, making it an excellent choice for manufacturers of drones and eVTOLs.