The top-level logic of the Safety Officer is based on a finite state machine (FSM). A simplified state transition diagram is shown in Figure D.7. The software initializes in the Not Armed state. When the human pilot presses the Autopilot Arm push button, the FSM transits into the Armed state. When the Flight Management Computer (FMC) commands the autopilot to start, the FSM transits into the Autopilot state. In any state, when an autopilot disconnect is commanded through the FMC or one of the push buttons, the FSM transits into the Not Armed state. In the Not Armed and Armed states the motors remain off and the clutches are disengaged. In the Autopilot state the motors are on and controlled by the FMC, and the clutches are engaged. The goal of this state machine design is to ensure that autonomous control only starts with the human pilot's consent and can be disabled at any time.
[Figure D.7 diagram: states Init, Not Armed, Armed and Autopilot; transitions labelled AP Arm button, FMC command, and Autopilot disconnect or error]
Figure D.7: State transition diagram of the Safety Officer
Each of the clutch servo motors has its own FSM, shown in Figure D.8. In the Out state the clutch is disengaged, and in the In state the clutch is engaged. The FSM initializes in the Moving Out state, where the clutch motor disengages the clutch mechanism at full power, and transits into the Out state upon success. When Autopilot is triggered in the Out state, the clutch transits into the Moving In state, where the clutch motor applies gentle pressure to the clutch mechanism and the control surface motor gently rotates until the clutch meshes, which transits the FSM into the In state. In any state except Moving Out, the Autopilot Disconnect trigger transits the FSM into the Moving Out state. This design ensures the clutch can be disengaged instantly in any state. Even in the Out state, the Autopilot Disconnect trigger causes the clutch to retry disengaging, in case the clutch mechanism did not hold its position.
If the clutch mechanism fails to mesh in the Moving In state before the timeout, the FSM transits into the Moving Out state and raises an error message. If Moving Out times out, the FSM transits into the Error state. The human pilot may recover from the error by retrying the clutch disengagement.
[Figure D.8 diagram: states Moving Out, Out, Moving In, In and Error; transitions labelled Init, Autopilot, Autopilot Disconnect, Success and Fail]
Figure D.8: State transition diagram of clutch servo motors
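The two state machines above (Figures D.7 and D.8) written out in C, as an added example that is not part of the thesis or of the Safety Officer firmware. The Safety Officer FSM is a pure transition function; each clutch FSM keeps a timer for its Moving states and exposes the Autopilot and Autopilot Disconnect triggers exactly as described: a disconnect in Out retries disengaging, and a disconnect in Error is the pilot's recovery path. The timeout values, the "gentle pressure" duty cycle and the sensed meshed / fully-out inputs are assumptions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* ---- Safety Officer top-level FSM (Figure D.7) ---- */
typedef enum { SO_NOT_ARMED, SO_ARMED, SO_AUTOPILOT } so_state_t;
typedef enum { SO_EV_ARM_BUTTON, SO_EV_FMC_START, SO_EV_DISCONNECT, SO_EV_ERROR } so_event_t;

/* Pure transition function: next state for one event. */
so_state_t so_step(so_state_t s, so_event_t ev)
{
    switch (ev) {
    case SO_EV_DISCONNECT:
    case SO_EV_ERROR:
        return SO_NOT_ARMED;                        /* allowed from any state */
    case SO_EV_ARM_BUTTON:
        return (s == SO_NOT_ARMED) ? SO_ARMED : s;
    case SO_EV_FMC_START:
        return (s == SO_ARMED) ? SO_AUTOPILOT : s;  /* FMC cannot start unless the pilot armed first */
    }
    return s;
}

/* Motors on and clutches engaged only in Autopilot. */
bool so_motors_on(so_state_t s) { return s == SO_AUTOPILOT; }

/* ---- Clutch servo FSM (Figure D.8), one instance per clutch ---- */
typedef enum { CL_MOVING_OUT, CL_OUT, CL_MOVING_IN, CL_IN, CL_ERROR } cl_state_t;

#define CL_MOVE_OUT_TIMEOUT_MS 500u   /* assumed timeout values */
#define CL_MOVE_IN_TIMEOUT_MS  2000u
#define CL_GENTLE_DUTY_PCT     40u    /* assumed "gentle pressure" duty cycle */

typedef struct {
    cl_state_t state;
    uint32_t   elapsed_ms;    /* time spent in the current Moving state */
    bool       error_raised;  /* set when Moving In timed out */
} clutch_t;

static void cl_enter(clutch_t *c, cl_state_t s) { c->state = s; c->elapsed_ms = 0; }

void clutch_init(clutch_t *c) { c->error_raised = false; cl_enter(c, CL_MOVING_OUT); }

/* Periodic update with the sensed mechanism condition (assumed sensor inputs). */
void clutch_tick(clutch_t *c, uint32_t dt_ms, bool meshed, bool fully_out)
{
    c->elapsed_ms += dt_ms;
    switch (c->state) {
    case CL_MOVING_OUT:
        if (fully_out)                                    cl_enter(c, CL_OUT);
        else if (c->elapsed_ms >= CL_MOVE_OUT_TIMEOUT_MS) cl_enter(c, CL_ERROR);
        break;
    case CL_MOVING_IN:
        if (meshed)                                       cl_enter(c, CL_IN);
        else if (c->elapsed_ms >= CL_MOVE_IN_TIMEOUT_MS) { c->error_raised = true; cl_enter(c, CL_MOVING_OUT); }
        break;
    default:
        break;                                            /* Out, In and Error wait for a trigger */
    }
}

/* Autopilot trigger: only acted on in Out. */
void clutch_autopilot(clutch_t *c) { if (c->state == CL_OUT) cl_enter(c, CL_MOVING_IN); }

/* Autopilot Disconnect: every state except Moving Out goes to Moving Out. */
void clutch_disconnect(clutch_t *c) { if (c->state != CL_MOVING_OUT) cl_enter(c, CL_MOVING_OUT); }

/* Motor command derived from the state: full power out, gentle pressure in, off otherwise. */
typedef struct { int8_t direction; uint8_t duty_pct; } clutch_cmd_t;  /* direction: -1 out, +1 in, 0 off */
clutch_cmd_t clutch_command(const clutch_t *c)
{
    clutch_cmd_t cmd = { 0, 0 };
    if (c->state == CL_MOVING_OUT)     { cmd.direction = -1; cmd.duty_pct = 100; }
    else if (c->state == CL_MOVING_IN) { cmd.direction = +1; cmd.duty_pct = CL_GENTLE_DUTY_PCT; }
    return cmd;
}

/* Couples the machines: entering Autopilot triggers the clutches, entering Not Armed disconnects them. */
void so_dispatch(so_state_t prev, so_state_t next, clutch_t *clutches, int n)
{
    for (int i = 0; i < n; i++) {
        if (next == SO_AUTOPILOT && prev != SO_AUTOPILOT)      clutch_autopilot(&clutches[i]);
        else if (next == SO_NOT_ARMED && prev != SO_NOT_ARMED) clutch_disconnect(&clutches[i]);
    }
}

int main(void)
{
    clutch_t cl[3];
    for (int i = 0; i < 3; i++) { clutch_init(&cl[i]); clutch_tick(&cl[i], 100, false, true); }
    so_state_t s = SO_NOT_ARMED, n;
    n = so_step(s, SO_EV_ARM_BUTTON); so_dispatch(s, n, cl, 3); s = n;
    n = so_step(s, SO_EV_FMC_START);  so_dispatch(s, n, cl, 3); s = n;
    printf("safety officer state %d, clutch 0 state %d\n", (int)s, (int)cl[0].state);
    return 0;
}
```

Because `so_step` is a pure function of (state, event) and `clutch_tick` is the only place where time advances, every transition in both diagrams can be checked exhaustively on the bench before the code meets the hardware.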
D.5 Actuator Disconnect Relays and Driving Circuit
The actuator power-off relays electrically disconnect the motors from the H-bridge drivers. The relays are required to cut off 60 A DC current into a highly inductive load. TE Connectivity Potter & Brumfield relays V23134J1052D642 are used in the physical implementation.
To prolong the life of the relay and reduce electromagnetic interference (EMI), the arc across the contacts generated by cutting off the inductive load must be suppressed. An RC network and a TVS diode are placed in parallel with the relay contact (Figure D.9). The TVS (Transient Voltage Suppression) diode should have a breakdown voltage higher than the maximum back EMF generated by the motor when back-driven. The TVS diode clamps the voltage across the relay contact to 24 V, and the RC network dissipates the arcing energy. The RC network is omitted in the final implementation because the qualifying physical components are unrealistically large, and a TVS diode alone provides enough protection for the relays.
The driving circuit on the Safety Officer board is an array of N-channel MOSFETs with flyback diodes driven by microcontroller GPIOs. Opto-isolation for the MOSFET gate signal was considered but omitted due to the low and predictable inductance in the relay coil. The relays are powered from the main battery power only. Loss of main battery power disconnects the relay and enables the motors to be safely back-driven.
D.6 Clutch Servo Driving Circuit
Figure D.9: Relay arc suppression circuit
The aileron, stabilator, and rudder motors have clutches for decoupling the motors from the yoke and control surfaces when the human pilot takes control. An RC servo motor is chosen to drive each clutch mechanism because an RC servo packs a high-torque motor and gearbox with a position feedback sensor into a compact package. However, the driving circuit pre-installed in the RC servo is unsuitable for our application because it provides no interface to directly control the torque of the motor and read back the position. Simply commanding the servo with a PWM signal to mesh the clutch would make the servo operate in a full-power stall condition and overheat. To address this problem, the pre-installed driver circuit in the RC servos was removed and all the signals were exposed to the Safety Officer board (Figure D.10). The Safety Officer board includes three motor driver channels for the motors and three ADC channels for the potentiometers. The motor torque is set by the duty cycle of the pulse width modulation (PWM) signal, and the motor position is read from the potentiometer with the on-chip ADC. With the position feedback, the position of the clutch servo is closed-loop controlled with a PID controller.
Each channel of the driver circuit (Figure D.11) uses a Texas Instruments DRV8835 Dual Low-Voltage H-Bridge IC to drive a motor. Each channel in the DRV8835 supplies up to 1.5 A, and the two channels can be connected in parallel for 3 A of driving current [2]. The torque of the motor is set by PWM on the IN1 and IN2 ports in the schematic. The POT port connects to an ADC pin on the microcontroller.
The DRV8835 drivers are powered from a 5 V, 10 A DC-DC converter, offering consistent performance under varying input power conditions. The input voltage ranges from 7 V to 14 V.
The Texas Instruments DRV8835 is selected because it integrates the control logic, the gate driver, the FETs, and the protection circuits into a tiny package. It has a good balance between size and on-resistance.
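The torque-by-PWM and position-by-ADC loop described above, as an added example in C that is not code from the thesis or from Texas Instruments. It assumes the DRV8835 is used in its IN/IN mode (MODE pin low), where the datasheet truth table is 0/0 coast, 1/0 forward, 0/1 reverse and 1/1 brake, so a signed torque becomes a duty cycle on IN1 or on IN2. The PID gains, the 40 % torque cap standing in for "gentle pressure", and the toy plant model used to exercise the loop are constructed assumptions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* DRV8835 in IN/IN mode (assumed): xIN1/xIN2 drive the bridge directly.
   Signed torque in percent -> PWM duty on IN1 (forward) or IN2 (reverse); 0 -> both low (coast). */
typedef struct { uint8_t in1_duty; uint8_t in2_duty; } bridge_cmd_t;

bridge_cmd_t bridge_from_torque(int torque_pct)
{
    bridge_cmd_t cmd = { 0, 0 };
    if (torque_pct > 100)  torque_pct = 100;
    if (torque_pct < -100) torque_pct = -100;
    if (torque_pct > 0)      cmd.in1_duty = (uint8_t)torque_pct;     /* IN1 PWM, IN2 low */
    else if (torque_pct < 0) cmd.in2_duty = (uint8_t)(-torque_pct);  /* IN1 low, IN2 PWM */
    return cmd;
}

/* Discrete PID with an output clamp. The clamp is the gentle-pressure limit:
   the loop can never request more torque than the clutch mechanism may see. */
typedef struct {
    float kp, ki, kd;
    float out_limit;   /* max |torque| in percent */
    float integral;
    float prev_err;
    bool  first;
} clutch_pid_t;

void pid_init(clutch_pid_t *p, float kp, float ki, float kd, float out_limit)
{
    p->kp = kp; p->ki = ki; p->kd = kd; p->out_limit = out_limit;
    p->integral = 0.0f; p->prev_err = 0.0f; p->first = true;
}

/* setpoint / measured in ADC counts; returns torque in percent within [-limit, +limit]. */
int pid_update(clutch_pid_t *p, float setpoint, float measured, float dt_s)
{
    float err   = setpoint - measured;
    float deriv = p->first ? 0.0f : (err - p->prev_err) / dt_s;
    p->first    = false;
    p->prev_err = err;
    p->integral += err * dt_s;
    float out = p->kp * err + p->ki * p->integral + p->kd * deriv;
    if (out > p->out_limit || out < -p->out_limit) {
        /* anti-windup: do not accumulate while pushing further into the clamp */
        if ((out > 0.0f) == (err > 0.0f)) p->integral -= err * dt_s;
        out = (out > 0.0f) ? p->out_limit : -p->out_limit;
    }
    return (int)out;
}

/* Constructed toy plant: the potentiometer reading moves 20 ADC counts per second
   per percent of torque. Not a model of the real servo; it only exercises the loop. */
typedef struct { float position; int max_abs_torque; } sim_result_t;

sim_result_t simulate_clutch_move(float start_counts, float target_counts, int steps)
{
    const float dt = 0.01f, plant_gain = 20.0f;
    clutch_pid_t pid;
    pid_init(&pid, 0.5f, 2.0f, 0.005f, 40.0f);   /* gains and 40 % cap are assumptions */
    sim_result_t r = { start_counts, 0 };
    for (int i = 0; i < steps; i++) {
        int torque = pid_update(&pid, target_counts, r.position, dt);
        bridge_cmd_t cmd = bridge_from_torque(torque);
        int applied = (int)cmd.in1_duty - (int)cmd.in2_duty;  /* what the bridge actually drives */
        int mag = applied < 0 ? -applied : applied;
        if (mag > r.max_abs_torque) r.max_abs_torque = mag;
        r.position += plant_gain * (float)applied * dt;
    }
    return r;
}

int main(void)
{
    sim_result_t r = simulate_clutch_move(1000.0f, 1500.0f, 2000);
    printf("final position %.1f counts, peak torque %d %%\n", r.position, r.max_abs_torque);
    return 0;
}
```

The clamp inside `pid_update` is what keeps the modified servo out of the full-power stall the section warns about: even with a large position error the bridge is never asked for more than the capped duty cycle, and the anti-windup keeps the integrator from storing up that saturated error and overshooting once the clutch meshes.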
The clutch motors can be externally overridden when the Safety Officer fails. Each motor connects to a DPDT on-off-(on) switch. The on side connects to the Safety Officer, and the momentary (on) side connects to a backup battery. In normal operation the switches are left in the on position, allowing the Safety Officer to control the clutch motors. In a Safety Officer failure condition, the pilot toggles the switch to the (on) position and uses the battery power to drive the clutch in the disengage direction. When the pilot releases the switch from the (on) position, it rests in the off position and keeps the clutch motor off.
Figure D.10: Modified clutch servo motor. The rear cap was removed to show the wiring
[Figure D.11 schematic residue: DRV8835 (U6) with AIN1/APHASE, AIN2/AENBL, BIN1/BPHASE and BIN2/BENBL inputs, AOUT/BOUT outputs connected in parallel, MODE pin, VCC_SERVO and VCC_3.3 supplies with decoupling capacitors, IN1/IN2 and POT nets, connector J7; schematic notes: "Gutted servo driver + pot connection" and "NO ERC: connecting driver outputs permitted"]
Figure D.11: Clutch servo driver circuit