Keywords: unmanned aerial vehicle (UAV), flight control, system on a programmable chip (SOPC), fault tolerance.
Introduction
With the development of aviation microelectronics, micro sensors and control theory, the microminiature unmanned aerial vehicle (UAV), which offers small size, flexible application, strong concealment and low power consumption, has been widely used in civil and military fields. As the application scope of microminiature UAVs expands, the complexity of task execution increases and environmental conditions become variable and complex. The requirements on the reliability and stability of the UAV are therefore higher and higher.
The flight control computer is the core part of the UAV flight control system. Its typical functions include reading and processing sensor data, performing control law computations, sending commands to actuators, and managing navigation control and the radio link. Its reliability and safety are therefore directly related to the performance of the UAV [1]. It is difficult to meet the dependability requirement of the flight control computer through component quality or the assembly process alone; the architecture of the flight control computer is the key to this property. Hence, the better choice is to use redundant fault-tolerant techniques to improve system reliability, guarantee the flight stability and safety of the UAV, and complete all kinds of complicated tasks.
Nevertheless, fault-tolerant design of the flight control computer brings redundancy into the system structure. It is therefore also necessary to design a fault-tolerant flight control platform that satisfies the requirement of miniaturization.
Fault-tolerant System Design
In the design of a fault-tolerant flight control system structure, the selection of the redundancy scheme and model is the key. Generally, fault tolerance is achieved through modular redundancy and the voting of data from replicated tasks based on hardware, software and time.
The Redundancy Structure of System. Redundancy technology can improve the mission reliability of the flight control computer system, but mission reliability is not proportional to the redundancy number. As the redundancy number increases, the devices that perform detection, judgment and arbitration, isolation and switching are bound to increase as well, and their basic reliability, acting in series, decreases the overall system reliability. The redundancy number should therefore be chosen from the perspective of overall system dependability, taking size, weight, cost and the redundancy management manner into account. A duplex redundant flight control computer system has small dimensions, light weight, low cost and good electromagnetic compatibility. It is a preferred choice for microminiature UAVs.
Redundant structures are classified differently according to different standards. In a dual redundant system, there are three types by the working pattern of the redundant part: standby reserve, load sharing redundant, and double machine parallel redundant. The double machine parallel redundant type not only satisfies the real-time and reliability requirements of the flight control system, but also does not lead to a reset after a failure. It avoids a blind area of control and realizes seamless switching between the two machines [2]. A microminiature UAV usually has small size and high integration, but modular redundancy design multiplies the system size and power consumption. Considering that the central processing unit (CPU) is the "brain" of the flight control platform and plays a key role, and that hardware usually has better stability than software, this design focuses only on processor redundancy.
Reliability of Dual Redundant System Analysis. Hardware malfunctions of the flight control computer are mainly caused by faults of key devices, which by and large are accidental failures. The actual reliability function is close to an exponential function. For the reliability function of the uniprocessor
where λ is the system failure rate (unit: 1/h) and t is the working time of the unit (unit: h). The dual redundant flight control computer consists of two single redundant units (single machines) in parallel, so its reliability is
$2e^{-\lambda t} - e^{-2\lambda t}$
The mean time to failure (MTTF) of a system is the expectation of the first failure time. It can be calculated from the probability density function. The MTTF of the single and double machine systems can be calculated respectively.
, 0
From Eq. 3 and Eq. 4 it is evident that the MTTF of the dual redundant system is longer than that of the single machine. That is, the probability of breakdown is smaller. Thus, the reliability of the flight control system is greatly improved by using double redundancy technology.
Dual Redundancy System Management. Redundancy management is a key point in redundancy design. It is in charge of the running mechanism and malfunction handling of the redundant system. Its purpose is to maximize system resource utilization, enhance the flexibility of dynamic reconfiguration and give the system strong fault tolerance. In a duplex redundant fault-tolerant system, one machine is the host and the other is the vice. Both complete the same tasks at the same time, communicating with and supervising each other at predefined intervals. When a malfunction happens, the arbitration module selects and switches the output channel [3]. The working block diagram is illustrated in Fig. 1. The sensor module of the UAV collects analog signals including height, velocity, attitude and so on, which are converted into digital signals after filtering. The processor uses the digital signals to calculate the output control signal according to the control law of the aircraft. The output control signal drives the steering gear after the D/A module converts it into an analog signal. The UAV accomplishes flight attitude adjustment by having the servo adjust the corresponding control surface [4].
Dual-core Design in FPGA. Two Nios II processors are embedded in a single FPGA chip to compose a duplex redundant system structure, improving the fault-tolerant ability and reliability of the system. The drivers of the A/D and D/A conversion modules and of the RS232, RS422 and CAN peripheral modules are written in Verilog and then encapsulated as IP cores mounted on the Nios II Avalon bus, so the processor can communicate with peripheral devices at any time with high efficiency. Because the communication of the peripheral modules is realized by IP cores in hardware, it is more real-time and stable than in software. The design of the FPGA internal system structure is illustrated in Fig. 3.
Fig. 3. FPGA internal system structure
The Task Design of Redundancy System. The software development of the flight control system is mainly the development of the FPGA. The drivers of the peripheral modules are written in Verilog and encapsulated into IP cores. The dual-core processor and the IP components are integrated in the internal structure of the FPGA with the Qsys tool. Finally, the software of CPU1 and CPU2 is developed and programmed separately using the Nios II EDS software. In order to accommodate common-mode faults and improve system reliability, one software program is written in C and the other in assembly language.
The dual redundant fault-tolerant system consists of two processors, each of which performs sensor signal collection and processing, calculation of the flight control law, ground station communication, fault self-diagnosis, and test tasks. Dual-core resource sharing, mutual communication and supervision are implemented by a Mutex. According to the management of fault information, the aircraft outputs the correct control signal and completes a safe flight despite a failure. The system software architecture is illustrated in Fig. 4.
Synchronization and Communication. Synchronization is the basic core of redundancy management. Comparison and voting in a fault-tolerant system are meaningful only when the redundant modules act in unison. Synchronization can generally be classified as clock synchronization, loose synchronization, and task synchronization. Among them, task level synchronization has loose execution, no clock synchronization, and very high real-time and flexible operation. It is based on independent operation, with certain logic as the synchronization foundation, and it sets up one or more comparing points in the task to judge consistency at predefined intervals [5]. The double machine task synchronization process is shown in Fig. 5.
If there is a discrepancy between the two, the processor has failed.
5) Read the pre-stored data in the shared on-chip RAM. If acquiring the Mutex or reading the RAM has problems, so that the data cannot be read within the preset time or the data disagree, the processor is abnormal.
Dynamic Reconfiguration. After fault diagnosis, the arbitration logic selects the intact processor to control the output according to the fault signals and the priority. When both processors are normal, the higher-priority processor is the host and controls the output [6]. After the host fails, the vice (low priority) replaces the host and runs in stand-alone mode. The logic of the enable signal of the control output:
where "Pr" is the processor priority signal: "1" represents a high priority and "0" a lower priority. "Ao" and "Bo" are the fault signals of processors A and B: "1" indicates that the processor is intact and "0" that it is defective.
Dual-processor Output Switching Verification
To ensure that the redundancy management module correctly performs the arbitration logic and channel switching according to the fault information, fault information was artificially injected; the simulation result of output channel switching is shown in Fig. 6. "Pr_A" and "Pr_B" are the priority signals of processors A and B respectively, and the priority of A is higher than that of B. "Ao" and "Bo" are the fault signals of A and B respectively, where "0" is the fault. "Out_sel" is the select signal of output control: "1" indicates that processor A acts as the host to control the output, while "0" indicates that B acts as the host. For the injected fault signals, the channel selection is correct, and fault isolation and system reconfiguration are realized.
Fig. 6. Channel switching waveform simulation
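The arbitration and channel switching verified above can also be exercised in software by replaying a fault-injection trace against the selection logic. The following C code is an added example, not the paper's code or its enable equation: the enable expression, the -1 "no intact processor" value and the fault latching are assumptions, and the trace is constructed.

```c
#include <stdio.h>

/* Arbiter inputs, named after the paper's signals. Health: 1 = intact, 0 = fault. */
struct arb_in { int pr_a, pr_b, ao, bo; };

/* Assumed enable logic (not the paper's equation): a processor drives the
   output if it is intact AND (it has priority OR its peer has failed). */
static int enable_a(struct arb_in s) { return s.ao && (s.pr_a || !s.bo); }
static int enable_b(struct arb_in s) { return s.bo && (s.pr_b || !s.ao); }

/* Out_sel: 1 = A is host, 0 = B is host, -1 = no intact processor (assumed). */
int out_sel(struct arb_in s) {
    if (enable_a(s)) return 1;
    if (enable_b(s)) return 0;
    return -1;
}

/* Safety check over all health combinations with A as the high-priority unit:
   counts states in which both channels would drive the output at once. */
int dual_drive_states(void) {
    int bad = 0;
    for (int h = 0; h < 4; h++) {
        struct arb_in s = { 1, 0, h >> 1, h & 1 };
        bad += enable_a(s) && enable_b(s);
    }
    return bad;
}

/* Replay a fault-injection trace. Faults latch (assumption: an isolated unit
   stays isolated until reset), so a host whose fault signal clears again
   cannot take the output back from the vice running stand-alone. */
void replay(const int ao[], const int bo[], int n, int sel[]) {
    int a_ok = 1, b_ok = 1;
    for (int i = 0; i < n; i++) {
        a_ok &= ao[i];
        b_ok &= bo[i];
        struct arb_in s = { 1, 0, a_ok, b_ok };
        sel[i] = out_sel(s);
    }
}

int main(void) {
    /* Constructed trace: A fails at t=2, its fault signal clears at t=3, B fails at t=4. */
    const int ao[] = { 1, 1, 0, 1, 1 }, bo[] = { 1, 1, 1, 1, 0 };
    int sel[5];
    replay(ao, bo, 5, sel);
    for (int i = 0; i < 5; i++)
        printf("t=%d Ao=%d Bo=%d Out_sel=%d\n", i, ao[i], bo[i], sel[i]);
    printf("dual-drive states: %d\n", dual_drive_states());
    return 0;
}
```

The dual-drive count is the property worth keeping as a regression check: whatever enable expression is used, no combination of fault signals should let both processors drive the actuators simultaneously.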

Summary
Combining SOPC and fault-tolerant technology in the design of a microminiature UAV flight control platform, this paper gives a detailed analysis and design covering both hardware and software. Simulation and practical tests show that this scheme can not only complete flight, but also realize fault detection, isolation and system reconfiguration. Practice proves that this design effectively resolves the contradiction in microminiature UAVs between small size, light weight and high integration on the one hand and high reliability on the other. The design improves the reliability, availability, maintainability and safety of the flight control computer, and has broad application prospects.
