Veronte Autopilot 4x has been designed as a high-reliability control system that tolerates single failures. In this way it provides “fail-operational” behaviour: the vehicle remains under control after a fault, including a fault in the referee itself.
Power Redundancy
In order to ensure system redundancy, power is a key factor. Veronte Autopilot 4x has 4 power inputs: one for each core and an additional one for the referees.
Each core is powered individually and protected by fuses, so that a fault on one input does not propagate to the rest. The referees also have redundant power: every core's power input can feed the referees, so any one of them is sufficient to keep the referees running.
The internal peripherals are supplied from independent power domains derived from these inputs, so that power is distributed to the different components reliably and a fault in one domain does not take down the others.
Redundancy 3+1
The 4x autopilot consists of 3 independent internal cores (Veronte Autopilot 1x), allowing the connection of a fourth external autopilot, either from Embention or from another manufacturer.
All autopilots have the ability to control the vehicle, with the arbitration stage being responsible for designating which of the cores takes control at any given time. In the event of a core failure, the referees detect this event and decide which of the cores should have control of the vehicle based on the configured redundancy strategy.
Redundancy Management
The referees receive information from the different autopilot cores. On the one hand, each core has its own built-in tests (BITs) that allow it to perform a self-diagnosis and communicate its status to the referees through a watchdog. This periodic heartbeat signal also allows the referees to detect when the microcontroller of any of the cores has stopped running properly. In addition, the cores send state messages and voting variables to the referees through two redundant communication buses, so the loss of one bus does not hide a core's status. This information is processed by the referees, which decide which core takes control of the vehicle.
Robust to Faults in the Referee
In the remote case of failure of one of the referees, several types of failure could occur, but one of the autopilots would always be in control. If the referee is not generating an output signal, Core 1 is selected by default. The design assumes a single fault at a time, so a core failure is not expected to coincide with the referee failure; this default therefore covers a referee fault, not a simultaneous referee and Core 1 fault.
I/O robustness
The redundancy of the system should be designed with the redundancy of the vehicle as a whole in mind. To avoid catastrophic failure points, it is critical that actuators and other critical elements are also redundant. These devices can communicate through multiple ports on the autopilot, with the autopilot managing the communication redundancy internally.
The redundant system design should take into account the autopilot outputs and power banks to avoid possible single points of failure. On buses such as RS232 or RS485, the data output (Tx) is that of the core selected by the referee, while the input (Rx) data is received on all cores simultaneously through individual buffers, avoiding a single point of failure in reception. Other signal types, such as PWM and GPIO, have their own independent multiplexer banks. In the event of a multiplexer failure, the associated I/O could be lost; in this case, the second I/O associated with the peripheral would be used, which is why critical peripherals should be wired to two outputs on different banks.
Integrated FTS
In addition, the Veronte Autopilot 4x has a referee voting system implemented in hardware fully independent of the cores, which can be used as an FTS (Flight Termination System) in the event of a catastrophic failure of all 3 autopilot cores.
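The arbitration behaviour described in the Redundancy Management, Robust to Faults in the Referee and Integrated FTS sections, as an added illustrative model in C. This is not Embention's firmware or the 4x referee logic itself: the 50 ms watchdog window, the 0..100 "health score" used as the voting variable, the min-of-two-buses reconciliation, the fixed priority list standing in for the configured redundancy strategy, and the constructed fault scenarios are all assumptions made for this example.

```c
/* Illustrative referee arbitration model (added example, not Embention's
 * firmware). Assumed: 50 ms heartbeat window, 0..100 health score as the
 * voting variable, pessimistic reconciliation of the two buses, fixed priority. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define MAX_CORES      4      /* 3 internal cores + 1 optional external autopilot */
#define WDT_TIMEOUT_MS 50u    /* assumed: heartbeat older than this = MCU not running */
#define VOTE_MISSING   (-1)   /* voting variable not received on that bus */

typedef struct {
    bool     present;            /* slot fitted (slot 4 is the external autopilot) */
    uint32_t last_heartbeat_ms;  /* last watchdog toggle the referees observed */
    bool     bit_ok;             /* built-in test verdict from the core's state message */
    int      vote_bus_a;         /* voting variable as received on redundant bus A */
    int      vote_bus_b;         /* voting variable as received on redundant bus B */
} core_status_t;

typedef struct {
    int  active_core;            /* 1..MAX_CORES, or 0 when no core may take control */
    bool fts_triggered;          /* every core failed: referee asserts the FTS output */
} decision_t;

/* Either bus alone suffices; if both copies arrive and differ, the pessimistic
 * value wins. Returns VOTE_MISSING when neither bus delivered anything. */
static int reconcile_vote(int a, int b)
{
    if (a == VOTE_MISSING) return b;
    if (b == VOTE_MISSING) return a;
    return a < b ? a : b;
}

/* Eligible for control: fresh heartbeat (MCU alive), BITs passing, and a
 * positive health score received on at least one of the two buses. */
bool core_healthy(const core_status_t *c, uint32_t now_ms)
{
    if (!c->present) return false;
    if ((uint32_t)(now_ms - c->last_heartbeat_ms) > WDT_TIMEOUT_MS) return false;
    if (!c->bit_ok) return false;
    return reconcile_vote(c->vote_bus_a, c->vote_bus_b) > 0;
}

/* One arbitration cycle. current_active held control last cycle (0 = none).
 * referee_ok == false models a referee producing no output at all, in which
 * case the output multiplexers fall back to core 1 regardless of core health. */
decision_t arbitrate(const core_status_t cores[MAX_CORES], uint32_t now_ms,
                     int current_active, const int priority[MAX_CORES],
                     bool referee_ok)
{
    decision_t d = { 0, false };
    if (!referee_ok) { d.active_core = 1; return d; }

    /* Stay with the core already in control while it remains healthy. */
    if (current_active >= 1 && current_active <= MAX_CORES &&
        core_healthy(&cores[current_active - 1], now_ms)) {
        d.active_core = current_active;
        return d;
    }
    /* Otherwise the first healthy core in the configured priority order. */
    for (int i = 0; i < MAX_CORES; i++) {
        int id = priority[i];
        if (id >= 1 && id <= MAX_CORES && core_healthy(&cores[id - 1], now_ms)) {
            d.active_core = id;
            return d;
        }
    }
    d.fts_triggered = true;      /* no core fit to fly: terminate */
    return d;
}

/* Constructed fault scenarios applied to a baseline of three healthy cores. */
decision_t run_scenario(int scenario)
{
    const uint32_t now = 1000;
    const int priority[MAX_CORES] = { 1, 2, 3, 4 };
    core_status_t cores[MAX_CORES] = {
        { true,  990, true,  90, 90 },
        { true,  992, true,  85, 85 },
        { true,  995, true,  80, 80 },
        { false, 0,   false, VOTE_MISSING, VOTE_MISSING },  /* no external autopilot */
    };
    int  current    = 1;
    bool referee_ok = true;

    switch (scenario) {
    case 1: cores[0].last_heartbeat_ms = 880; break;                   /* core 1 MCU hung */
    case 2: cores[0].last_heartbeat_ms = 880; cores[1].bit_ok = false; break;
    case 3: cores[0].last_heartbeat_ms = 880; cores[1].bit_ok = false;
            cores[2].vote_bus_a = cores[2].vote_bus_b = VOTE_MISSING; break;
    case 4: cores[0].last_heartbeat_ms = 880; referee_ok = false; break; /* double fault */
    case 5: current = 2; cores[1].vote_bus_a = VOTE_MISSING; break;     /* one bus lost */
    default: break;                                                     /* 0: no fault */
    }
    return arbitrate(cores, now, current, priority, referee_ok);
}

int main(void)
{
    for (int s = 0; s <= 5; s++) {
        decision_t d = run_scenario(s);
        printf("scenario %d: active core %d, FTS %s\n", s, d.active_core,
               d.fts_triggered ? "asserted" : "off");
    }
    return 0;
}
```

Scenario 5 shows why the second bus matters: core 2 keeps control although one of its two voting messages was lost. Scenario 4 is the caveat from the referee-fault section: with the referee silent the hardware default hands control to core 1 even though core 1 is the core that has hung, which is why that default only covers a single fault. Scenario 3 is the case the FTS output exists for: no core passes the checks, so the referee's independent logic terminates rather than handing control to a failed core.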
These features make the Veronte Autopilot 4x the most robust redundant control system in its category. In addition, its lightweight and compact design makes it the ideal solution for controlling autonomous vehicles, and it is the control system of choice for leading manufacturers of all types of drones and eVTOLs.