We present the design and implementation of the safety critical avionics for the Stanford Dragonfly Unmanned Aerial Vehicles (UAVs). The software architecture of the avionics is based on the Client-Server architecture of QNX Neutrino, the real-time operating system used. Our architecture is hierarchical and modular: it isolates user-defined applications from underlying low-level system services for implementing inter-process communication, data-acquisition, and associated hardware management. As well, we provide a high-level interface for rapid implementation of different control algorithms. The integrated hardware architecture is based on standard PC/104 and RS232 technology, making it possible to use Commercial OffThe-Shelf (COTS) components and provide an efficient means of communication between components. We have developed this architecture in parallel (and in conjunction) with Boeing's Open Control Platform (OCP) architecture, which is a new software infrastructure based on real-time CORBA technology, and we use the OCP to implement ground station functionalities. We present the design principles and choices, the resulting avionics architecture, and the implementation in a robust and compact avionics package. We then present initial results of the avionics in car tests, and discuss the results.
Introduction
As control engineers, our main focus over the past several decades has been to design control systems which render dynamic systems stable, and which give high system performance and an adequate level of robustness to uncertainty and disturbance. With the advent of the use of digital computers in implementing control schemes, the direct design of digital control schemes by control engineers became commonplace. Now, as microprocessors become smaller and more powerful, and as embedded software controllers with vast arrays of functionality become widespread, the opportunity exists to use higher levels of automation than ever before to control complex, large scale systems. A prime example in the aeronautics field is in Unmanned Air Vehicles (UAVs), [1] [2] [3] in which research programs are underway to design the systems needed for a fleet of tactical autonomous aircraft to operate, with minimal control effort by a human operator. 4 In such systems, the software architecture itself has significant ramifications for the control algorithms -a knowledge of the software architecture is indeed necessary in order to optimize performance of the controller. For example, in a low-cost avionics system in which processing power and capability is limited, the scheduling priorities of sensed information and actuator update, and the resulting realization of the schedule, determine the effectiveness of the control scheme. However, while the fields of both control and software engineering have evolved significantly over the last decades, there is not yet a strong link between these two areas. In many industrial firms which design avionics, for example, control and software engineering constitute separate groups within the company, and most of the communication between groups occurs once the control design is almost complete.
This need for more integration between the tasks of control engineer and software engineer has sparked an interest in the academic and industrial research communities. In the past few years, there has been an effort to design tools which automate the control software implementation. These tools require knowledge of the software architecture (the processes and their computing rates, the mechanism for communicating between processes, the memory allocation and access structure), and given certain (currently, strong) assumptions about this architecture, can make guarantees about the behavior of the resulting control software. This is important, since it enables formal verification of the tool, or method, which generates real-time code from a high level specification (by a control engineer). Such toolkits which are currently available are SCADE from Esterel Technologies 5 (which generates formally verified code), MetaH from Honeywell Labs, 6 and Boeing's
Open Control Platform (OCP), which is built using CORBA ACE/TAO. 7 Currently, the ability of such tools to produce formally verified code falls short of the functionality needed to be applied to current (or future) practical complex systems.
8
Digital avionics have generally been implemented using a federated architecture, in which each function or component (for example, autopilot, flight management, data acquisition, and display) has its own computer system that is only loosely coupled to the computer systems of other functions. An inherent advantage of this architecture is that a fault in the computer system supporting one function, or in the software implementing that function, is unlikely to propagate to other functions because there is very little that is shared across the different functions. The obvious disadvantage of this approach is its inefficient use of resources: each function needs its own computer system with all the attendant costs of acquisition, space, power, weight, cooling, installation, and maintenance. In reaction to this, the integrated modular architecture has emerged as a design concept to challenge the federated architecture (see Fig. 1 ). In this approach, a single computer system provides a common computing resource to several functions. Since it is almost impossible for individual functions to protect themselves against corruption to the computational resource on which they depend, any realization using this approach should provide partitioning to ensure that the shared computer system provides protection against fault propagation from one function to another, in order to achieve comparable protection that is inherent to the federated architecture.
During the past two years, we have designed, built, and tested a software architecture for the avionics system controlling the Stanford DragonFly UAV. In our system, we have based our designs on the ideas of the integrated modular architecture, and the actual control algorithm is closely linked to the software architecture itself. We have worked in parallel with Boeing in the development of their Open Control Platform (under the DARPA Software Enabled Control program), though our design is unique and specific to a low cost UAV with COTS parts.
The DragonFly UAVs (we currently have two) are fixed-wing, heavily modified model aircraft. With ten-foot wingspan and a gross takeoff weight of 56 lbs., the first UAV (DragonFly I) (see Fig. 2(a) ) is outfitted with an eight horsepower, two cylinder engine, four GPS antennas, at each wing tip, top front, and top rear, for providing position, velocity, and attitude measurements, and has an air-data system underneath the right wing for providing airspeed, angle of attack, and sideslip measurements. It can carry approximately 18
a) The Stanford DragonFly I.
b) The Stanford DragonFly II. The newly acquired UAV (DragonFly II) (see Fig. 2(b) ) is made of a composite material, and is lighter and smaller in weight and size but capable of carrying 25 lbs. of payload. It is now in the stage of being modified for the installation of the air-data probe, GPS, wireless communication antennas, and the interface for the avionics connection. In addition to providing a testbed for our research in the design of embedded avionics, the DragonFly project is used in our group to support and validate research on applied advanced control systems such as distributed cooperative control (multiple agents, peer to peer networking, robust control over communication links), autonomous fleet management (formation flying, decentralized control, point to multi points networking), and sensor integration (GPS/INS blending, fault detection and isolation, redundancy). These first two vehicles are providing the initial experimental test-bed for single vehicle control and navigation (specifically, the development and testing of a 40-channel, five-antenna GPS board), 9, 10 dual vehicle approach control, 11 and decentralized optimization schemes for formation flying. 12 All flight tests take place at Moffett Federal Airfield, close to NASA Ames Research Center.
To support the level of performance required by these research areas and at the same time maintain a strict level of safety and reliability, we have specified and analyzed the avionics system design criteria, including the overall architecture and allocation of functions (components) among the major system elements. Since the DragonFly UAV is not subject to typical aviation specifications, we take advantage of commercial test equipment, software, and recent electronics development. Table 1 summarizes the avionics system design criteria and resulting design decisions or requirements. In this design criteria, we do not consider hardware redundancy (duplex or triplex), which is common in avionics system design today, since the integration of resulting design decisions is still subject to fundamental limitations; the avionics is housed in 5" × 5" × 12" aluminum case, payload is less than 15 lbs, and power and budget are strictly limited. Rather, we try to achieve a comparable level of redundancy by implementing robust space-and time-partitioned software and hardware architectures. In this paper, we show how we have integrated design decisions and COTS components into a platform which uses a hierarchical and modular architecture, which is stronger and more • All mission critical parameters available in telemetry
Safety
• Redundant, independent servo control system
• No hazardous voltages fault tolerant than any of the single components.
The paper is organized as follows. First, the major components of the avionics system are described. Then, we present the DragonFly avionics architecture design, focusing on the hierarchical software architecture.
We describe the software integration and our current development, which includes an automated real-time code generation tool, and a link with Boeing's OCP. We present our hardware-in-the-loop simulation testbed, for use as a validation testbed for the avionics and control algorithms, and conclude with presentation and discussion of car test results with our avionics.
Avionics Components
The avionics consists of PC-104 flight computer system, analog and digital sensors, and safety switch and servo controller. In this section, we briefly describe the major components and their functions.
Processor
The avionics uses the Panther PC/104 (AMD K6-2e 266MHz) as a flight computer. The Panther is a complete computer system in a compact two-board set. The analog input section features 16 single-ended input channels with 16-bits resolution, fast 10µsec conversion, and ±5V or ±10V input resolution. Throughput of up to 100 kHz may be realized by conversion on one channel and up to 67 kHz when scanning between channels. The analog output section includes two 12-bits channels, which can be configured for 0-5V and 0-10V output.
Communication
The avionics is arranged in a star network centered on the flight computer. All remote communications are directly supported by RS-232/RS-422/RS-485 interfaces. PCM-3640, four port RS-232 module is a high speed RS-232 serial interface module (speed up to 115 kbps). It provides four independent COMcompatible serial interfaces. The module's industry 16C550UART 3 is fully programmable and is compatible with standard PC software drivers.
Inertial measurement unit
The inertial measurement unit is a Crossbow DMU-AHRS (AHRS300CA-). It is a low cost IMU with three gyros, three accelerometers, and three magnetometers. The three angular rate sensors consist of vibrating ceramic plates that utilize the Coriolis force to output angular rate independently of acceleration. The three MEMS accelerometers are surface micro-machined silicon devices that use differential capacitance to sense acceleration (see Table 2 ). The three-axis magnetometer also helps the measurement of magnetic heading.
1 Integrated Disk Interface, an interface for mass storage devices where the controller is integrated into disk or CD-ROM. 2 Universal Serial Bus, interface that connects a computer and peripheral devices such as a keyboard and printer. 3 Universal Asynchronous Receiver Transmitter, circuit in serial port which converts information into serial current. The DMU-AHRS has both an analog output and an RS-232 serial link. Data may be requested via the serial link as a single polled measurement or may be streamed continuously up to 166 Hz. The analog output (update rate is 200 Hz) are fully conditioned and may be directly connected to the data acquisition module.
The input voltage can range from 8 -30 VDC at 275 mA. The unit is nicely contained, aligned, and isolated in a small case weighing less than 1.25 pounds and measuring approximately 4 inches cubed.
GPS receiver
For simplicity and ease of use, we are currently using a single Lassen-SK8 GPS receiver with DGPS correction.
The receiver provides measurements of position, velocity, time, and raw GPS observables.
The 8-channel, 32-correlator design provides extremely fast cold starts while delivering 2 meter DGPS performance (see Table 2 ). The high level of integration provides a small footprint (3.25" × 1.25" × 0.40") and contributes to the lowest power consumption (0.75 watts) for a complete GPS receiver. It also provides direct CMOS compatible TTL level serial I/O.
Avionics Architecture
Integrated modular avionics (IMA) offers economic advantages by hosting multiple avionics applications on a single hardware platform, which shares this common resource with several functions. Unlike federated avionics whose components are loosely coupled and thus provide inherent functional separation, IMA has to ensure that applications or functions are safely partitioned to achieve the same level of functional separation.
In this section, we first present general properties of the software operating system, which is a fundamental part of the IMA platform. Then we present our hierarchical software architecture, which is realized by the Client-Server mechanism with shared memory. Finally, we describe the modular and integrated hardware communicating over a standard network, which will ease future modification and growth. A key requirement of the real-time operating system is that it handle multiple events and ensure that the system responds to these events within predictable time limits. We have used QNX Neutrino (QNX RTOS v6.1) 13 as a real-time platform for developing the avionics system.
Neutrino is a microkernel operating system, which means that it is structured as a tiny kernel that provides the minimal services used by a team of cooperating processes. The microkernel itself lacks filesystems and many other services normally expected of an OS -these may be included in the process structure. It has two main features:
• Client-Server Architecture: The microkernel implements only the core services, such as execution units, message passing, synchronization, scheduling and timer services. Additional functionality is implemented in cooperative processes, which act as server processes and respond to the request of client processes (e.g. an application process);
• Message-based Interprocess Communication (IPC): The message passing service is based on the client-server model. This message passing mechanism is network transparent i.e., the system can be seamlessly distributed over several nodes, without requiring any changes in the application code.
Neutrino uses processes and threads. A thread can be thought of as the minimum "unit of execution", the unit of scheduling and execution in the kernel. A process, on the other hand, can be thought of as a "container"
for threads, defining address space within which threads will execute. A process will always contain at least one thread; there are 63 distinct thread priority levels available to applications. The scheduler schedules the threads according to a prioritized FIFO or round-robin algorithm. manage the computing resource in a coordinated manner so that individual functions are synchronized and executed in real-time to achieve intended purposes. Also message passing capability provides a better and more efficient means of communication between functions.
Hierarchical Software Architecture
The software architecture of the DragonFly avionics, illustrated in Fig. 3 , is based on a Client-Server architecture (threads and multi-processes), scheduling algorithm, and message passing.
Client-Server Architecture
The objective of using the Client-Server architecture is to isolate the application (client) from safety critical data presentation and management (server), which handles system resources and hardware through associated device-drivers. By doing so, not only does the development and integration of the application become easier, with minimal customized plug-in and device drivers, but also every manager and device driver runs in its own virtual memory address space, resulting in a robust and reliable system. The architecture is composed of three layers of functionality:
• Services are independent threads for the hardware of the avionics, such as inertial measurement unit, GPS receiver, air-data probe, and data acquisition board, and provide low-level services for implementing communication, data acquisition, and hardware management. Services glue to the hardware through a server library containing those service codes, which are programmed by standard "POSIX C" or "ANSI C" functions. The server library allows services to make use of the underlying hardware in a generic way. Unlike device drivers tightly bound into the OS itself and treated as system processes, services can be started and stopped as standard threads and do not affect any other part of the OS. By doing so, we can develop and debug services like any other applications and eventually minimize the burden on designers from changing and verifying their codes whenever new hardware is added.
• Management is a process containing services and manages inter-process communication (IPC), synchronization, scheduling, and software watchdog. It creates and destroys individual services dynamically depending on service status and quality, and provides the synchronization via a scheduling algorithm so that the OS handles and responds multiple events (services) within predictable time limits. Another important role of management is IPC services between server and client. Management creates a shared memory region, so messages between server and client contain a reference to the shared memory region rather than copy all data through the message pass. This allows the server and client to read or write the data directly. The software watchdog in management, also, makes an intelligent decision about how best to recover from the failure, instead of forcing a full reset as the hardware watchdog timer would do. It can abort failed services and any related services and initialize the hardware to "default" state, then restart related services without shutting down the rest of the system.
• Client is a high level interface for user defined applications. It is a separate process containing one or more application programs (threads) and is completely isolated from server or low-level service, which helps alleviate the burden on control designers and application developers. All required functions to access data in the shared memory are included in client library. Therefore, creating a client containing the application can easily be done using the synchronization and scheduling services provided by the OS in a coordinated manner.
Message passing using a shared memory
IPC plays a fundamental role in the Client-Server architecture shown in Fig. 3 . Although message passing is the primary form of IPC in Neutrino, since it is network transparent and robust, message passing in small embedded systems requiring large volumes of data flow potentially causes applications or services to miss their deadlines. Therefore, we choose a shared memory communication mechanism, which offers the highest bandwidth IPC available.
In the shared memory configuration, the client and server create a memory object in which each memory address is mapped to virtual or physical memory object, thus they share the same address space. Then, the client and server can use pointers to directly read from and write to this address. However, this means that access to shared memory is in itself not synchronized. If the server is updating a block of shared memory, care Fig. 4 Block diagram of the prioritized RR scheduling algorithm must be taken to prevent the client from reading or updating the same block because it may get information that is in flux and inconsistent.
To resolve this problem, we have designed mutual exclusion locks, or mutexes, as synchronization primitives for use with shared memory. Only one thread may have the mutex locked at any given time. When the thread unlocks the mutex, the highest-priority thread waiting to lock the mutex will unblock and become the new owner of the mutex. In this way, threads will sequence through the shared memory in priority-order.
While shared memory is much faster than message passing and thus is appropriate for a data communication mechanism in a single avionics package, QNX Neutrino does not support network-distributed shared memory objects yet. Thus, we limit shared memory to all tasks in the same package, and we use a different method for implementing tasks over a network for multi-vehicle controls. Assuming that the interaction between functions in different systems requires lower bandwidth than that between functions in the same system, we can use the standard serial interface (RS232/485/422) using wireless modems capable of performing pointto-point, point-to-multipoint applications. For an ethernet network, we use Neutrino's message passing as a primary form of IPC.
Scheduling
For real-time applications, multiple events which occur in both the client and server have to meet their deadlines. However, even if multiple threads are active at the same time, since the avionics has a single CPU, only one thread can actually execute at a single point in time. Thus, we must develop a structure to decide how to share CPU time among the different threads. 
Fig. 5 Examples of Prioritized Round Robin algorithm
There are two scheduling algorithms that the Neutrino kernel understands: RR (Round Robin) and FIFO (First-In, First-Out). In the FIFO scheduling algorithm, a thread is allowed to consume CPU time as long as it wants, unless other threads of a higher priority are ready to be run. If the running thread quits or voluntarily gives up the CPU, then the kernel looks for other threads at the same priority that are capable of using the CPU. If there are no such threads, then the kernel looks for lower priority threads capable of using the CPU power. The RR scheduling algorithm is identical to FIFO, except that the thread will not run forever if there is another thread at the same priority. It runs only for a predefined timeslice which is fixed
and cannot be changed (we set our timeslice to 50 msec). The kernel starts the RR thread, and notes the time. When a single timeslice has expired, the kernel checks if there is another thread at the same priority that is ready, and if there is, runs it. If not, then the kernel will continue running the RR thread (the kernel grants the thread another timeslice).
We have used prioritized RR scheduling algorithm as shown in Fig. 4 ; the algorithm is applied to threads at the same priority. If a higher priority thread is ready to use CPU, then the current thread is interrupted (mid-timeslice) and the CPU runs the highest priority thread. For example, Fig. 5 shows how the RR algorithm works for threads at the same and different priority. As shown in Fig. 5(a) , two threads at the same priority are scheduled to share the CPU cycle. A 50 msec timeslice is assigned to the "DAQ" thread (threads are queued in FIFO order), and the thread consumes its timeslice. Once its timeslice is expired, then "DAQ" thread is preempted no matter whether it has finished its task or not, and the next READY thread, "IMU", is given the CPU. Any remaining tasks in the "DAQ" thread are executed after "IMU" Fig. 6 Hardware components of the DragonFly avionics thread voluntarily relinquishes control, i.e., it has finished its task within the timeslice, or consumes its time. Fig. 5(b) shows the scheduling for threads at the different priority. Since there are no other threads which have higher priority than "DAQ" in the FIFO at the beginning, the "DAQ" thread is queued and starts to consume its timeslice. However, after t d elapses, the "DAQ" thread is preempted (even though it has not consumed its timeslice) since a higher priority thread, "GPS", is placed on the ready queue. The preempted "DAQ" thread is then run when "GPS" thread relinquishes control or consumes its timeslice.
Integrated Modular Hardware Architecture
As shown in Fig. 6 , the DragonFly avionics has three functional separations, Computing, Actuating, Gathering, arranged in a star network centered on Computing. They are also physically separated from each other.
• Computing is a stand-alone flight computer consisting of the PC/104 processor, data acquisition (A/D and D/A), communication, and power regulator modules. PC/104 and PC/104-plus provide ideal low profile, small-size embedded factors suitable for our design decisions. They are flexible, upgradeable, expandable, and scalable. Due to their self-stacking bus, PC/104 and PC/104-plus products are a compact form-factor (less than 4" × 4") with a high expendability. They are also economical since they require no backplane or card cage for interconnection. Low power consumption also helps to make PC/104 products an optimal choice because our onboard battery power is strictly limited by an allowable payload.
• Actuating is a stand-alone microprocessor unit dedicated to monitoring the R/F link between a receiver and a transmitter, and switch control authority among the manual, autopilot, and preset modes. It consists of a safety switch and a servo controller. Its power is separated from others, and it communicates with the flight computer through a RS-232 interface.
• Gathering contains all analog and digital sensors installed in the DragonFly UAV. 
Software Integration
In this section, we introduce the current development of an automated real-time code generation for userdefined applications from a simplified system description, which abstracts the implementation of underlying functionalities. Then, the current effort of Boeing on the open control platform (OCP) is briefly described, and its features are compared with those of the software architecture of the DragonFly avionics. Finally, the integration of the OCP with the DragonFly ground station is presented.
Automated code generation from system description
In the Client-Server architecture with a shared memory, the server provides wrapper functions which simplify the standard QNX interfaces and help isolate the application from low-level service and management of the hardware. This allows the client to be free from hardware interfaces and have the ability to read and write data flow directly (using the mutex) without interaction with the server, thus alleviating the burden on application developers (control designers) who build the client (or application) code. The client code may consist of multiple threads and processes with necessary functions/interfaces and may have different components depending on applications. Therefore, if we can abstract a code structure or a framework of the client from the simple expression of the client characteristics without knowing core layers of the OS, then it allows application developers to focus on their technologies instead of focusing on developing and debugging embedded codes. The client API (application interface) in Fig. 7 is a concept for this purpose. The developer defines the abstract functionality of the client using a simple high-level description language to provide access to the underlying functionality while hiding details of how that functionality is implemented on the frame of the OS.
Then the interpreter in the client API automatically provides the "C" or "C++" framework which consists of a thread or multi-threads customized by shared memory, priority and scheduling, timer/interrupt, and database for implementing the intended functionality.
Link with the Open Control Platform
The OCP is "a software infrastructure intended to enhance the ability to develop and test control algorithms which will eventually execute in embedded software within UAVs". The OCP program is one pillar of the DARPA Software Enabled Control (SEC) program.
A detailed description of the OCP and its architecture is available in reference, Implementing the ground station functionality using the OCP consists of an interconnected system of components that communicate through ports, as shown in the upper right side of Fig. 9 ; there are three components, GroundStation, SerialPort, and UserInterface, and each component consists of user-defined application code, input port, and output port. The input and output port is used to transfer data between user-defined components. When data are available on an input port, the application code is executed. The structural layout of the system in Fig. 9 can be specified using Simulink models, or high-level description language supported by the OCP as one shown in Fig. 10 .
Once the structural layout of the system is specified, then we can use Controls API Front/Back End tools to generate an OCP code script that can be executed to configure and run the ground system using the OCP. Hardware-in-the-Loop simulation testbed
The Hardware-in-the-Loop simulation of the DragonFly provides similar conditions to those that the aircraft will be exposed to during flight tests; it is an important testbed for developing and evaluating control algorithms and also verifying associated hardware. Fig. 11 shows the simplified structure of the Hardwarein-the-Loop simulation that we have designed. As can be seen, it is running under two different operating 
Preliminary Test Results
An initial prototype of the avionics for the Dragonfly UAVs has been constructed and tested before having flight experiments. The avionics box was installed in an automobile (see Fig. 12 ) in order to use every opportunity to exercise the hardware and software together before flight test. The car was driven around
Campus Drive Loop at Stanford for approximately 20 minutes, and data was collected. We created prioritized threads that install interrupt handlers and hardware timers as shown in Table 4 . Threads for "GPS" and "IMU" are driven by the serial interrupt roughly every 1 sec and 12.5 msec respectively, and remaining threads triggered by the timer interrupt every 40 msec (except threads for "Downlink" and "Watchdog" which are executed every 1 sec and 100 msec respectively). Threads related to the control of a vehicle were not considered because of the test configuration. Rather, they are currently being extensively evaluated using the Hardware-in-the-Loop simulation testbed. Fig. 13 shows measured execution rates or intervals for the "GPS" and "DAQ" threads. These measure the system's scheduling ability because high priority and accompanying (same priority) threads are constantly claiming all available CPU power; the worst-case time interval for the "DAQ" thread is 30 msec and 1.22 sec for the "GPS" thread, and no interrupt is lost for 30,000 interrupts serviced for the "DAQ" thread and for 1,141 interrupts serviced for the "GPS" thread. The jitter of the time interval on "GPS" thread has occurred even though it is assigned to the highest priority. The thread is triggered by an interrupt from the GPS receiver, and the interrupt is supposed to occur every 1.0 sec. However, due to the clock resolution and signal characteristics affected by environments, the interrupt may not be triggered every 1.0 sec, thus the resulting time interval of "GPS" thread is jittered. If this jitter causes problems to associated applications (navigation and control), then we will either upgrade our GPS receiver or improve the GPS code structure. Upgrading the GPS receiver is the simplest solution yet most expensive. We can Improve the GPS code by using a timer instead of using an interrupt in order to poll data from the GPS receiver.
The price to pay is the consumption of the CPU cycle. The jitter on the "DAQ" thread is more widespread than that of "GPS" thread. This is because "DAQ" thread has to share the CPU cycle with others which have the same priority. The allowance of the jitter will be evaluated with all user-defined applications, and a) Avionics system. b) Air-data probe. the corresponding architecture will be refined if necessary. A good knowledge of the software and hardware architecture and its implementation is tightly coupled with designs of a control scheme itself. These two areas have to be processed in parallel so that benefits inherent to chosen architecture and control scheme are maximized, thus providing high performance. For example, the sample rate of a control scheme may have significant impacts on the overall software and hardware architecture: for control service with a high sample rate, associated functions (data acquisition, servo control, navigation, and so on) must be at least same or faster than the sample rate of the control service, resulting in jitter and latency, lack of available CPU cycles, and large volume of data flow (high bandwidth). Eventually, the scheduling of data transfer and software execution can not be done at design time, thus various scheduling algorithm and IPCs including the possibility for changing associated hardware have to be investigated.
In our previous paper, 9 we designed a discrete nonlinear control scheme for an embedded digital system and showed that the proposed control law is robust across a range of sample rates; a nominal control law was designed at a sample rate 10 Hz, and the corresponding closed-loop system was stable even at a sample rate 1 Hz for specific maneuvers. Therefore, implementing this control scheme on the current architecture will alleviate the utilization of the CPU cycle, thus providing benefits for a flexible software architecture design.
Conclusion
In this paper, we have presented the design and implementation of an embedded avionics system as an integrated modular computing platform. The integrated modular hardware architecture realized by the self-stacking PC/104 and standard RS232 interface makes it possible for us to use COTS products and provides a better and more efficient means of communication and ease of future modification and growth. The software architecture based on the Client-Server architecture of QNX Neutrino isolates user-defined applications from underlying low-level services for implementing IPC and managing the hardware component, thus alleviating the burden on application developers. Also, we use a shared memory, which offers the highest bandwidth IPC available, as the primary form of IPC in Neutrino. We have also employed the OCP's integration for implementing the ground station functionalities and successfully tested it in ground experiments.
Performing car tests using a prototype avionics have showed that all activities in the system such as scheduling programs, sending data between processes, managing a computer resources, etc., function together seamlessly and transparently.
In parallel with the avionics development, we have brought DragonFly I, and are in the process of bringing DragonFly II, to flight readiness conditions (they have been test flown several times with 'dummy' avionics), using RC links. We plan to perform flight tests for the single vehicle control and navigation and dual vehicle algorithm on the DragonFly UAVs in the next month, and will present these results in the final version of the paper. 
