Model safety

Hai-Lee

Old and Bold RC PILOT
Introduction/Preamble: This thread is just me downloading about 4 years of experience and research into making myself safe when operating my model aircraft.

A radio controlled model aircraft can be a very dangerous device and every year many people are injured, (some seriously), through loss of control and unexpected or inadvertent motor start.

After a hundred years of radio control systems you would think that there would be technological solutions to make the operation of a model aircraft safe. Well surprise, there are modern safety features that are provided for the individual operator to use BUT their use is not mandatory and the safety features are not adequately explained and often not even mentioned.

To me a radio controlled model aircraft can be seen as something like a firearm. It has the potential to cause injury or death if mishandled. A firearm needs to be loaded and cocked prior to use and they have a safety arrangement that can reduce the risk of being fired, energised when not required. With a firearm anytime it is loaded it should be considered as capable of discharging and the same is true of a radio controlled model aircraft.

I have scoured the internet and been in direct contact with a number of radio manufacturers. In addition I have taken my research down to component suppliers and undertaken a program of testing of safety and operational features of a number of digital radio equipments. In the following posts I intend to describe the operation of digital radio system operation and safety features. This thread should be titled Smartsafe simply because it is the only trademarked name, (Trademarked by Spektrum), to describe the safest operation according to my research. Please note that TOYS and other such low end radio control equipment will not be covered in this discussion and Analogue radio system operation has its own safety rules due to the less than secure nature of the radio modulation used.

Digital modulation.

With digital radios the modulation used is akin to the modulation used in WiFi though nowhere near as sophisticated as yet. The radio encodes the information it communicates as a series of numbers and each individual digital bit that is transmitted is actually a pulse train or code. Noise from internal sources and even atmospheric noise does not supply the correct and expected sequence of coded pulses and therefore the modulation is IMMUNE to noise.

As the transmitter and receiver are each identified to each other, (through the binding process), they will only respond when the correct identification information is transmitted and received. This information is in the form of digital numbers coded before transmission and decoded, error checked and correlated after reception. If the received information does not pass the checks after reception it is discarded and ignored.

Using these features of the radio modulation and demodulation technology the radio system is very secure and error free. By this I mean that if the model aircraft does something it is because it was instructed to do so. If it does something unexpected then the user has done something unexpected or unknowingly or even not set up the radio system to operate safely. There are a few small exceptions to this rule but they are normally only possible in rare and extreme situations so the remaining hazards will be discussed in the final post.

Next post will be a short post on transmitters!

Have fun!
 

Hai-Lee

Old and Bold RC PILOT
Current safety features – 1 Transmitter.

The modern digital radio transmitter is a computer controlled spread spectrum transmitter which on most radio brands will not boot up if the throttle control is not held at zero and if the array of option switches is not in their respective off or boot up positions.

The transmitter will listen on the radio spectrum as it scans for clear channels and thereby determine its operating channel set for its hopping profile. YES the transmitter has a receiver in it simply because if it did not how would it ever receive the Globally Unique Identifier, (GUI), or identifying number of the receiver to bind to it?

On most brands the transmitter will NOT allow you to select a different slot, (model program), if the existing slot is still connected to the receiver assigned to the current slot. This is actually a required and advanced safety feature the need for which is described in the final post called remaining hazards.

Once booted up the transmitter searches for its bound receiver. When the receiver connects the receiver goes through its arming sequence and is ready for instant throttle activation. For the firearm analogy the transmitter is the sole source of ignition or the trigger. The throttle lever is the actual trigger and the “Kill” switch effectively only a safety switch. It makes me cringe to consider the number of radio operators who actually rely on safe handling of a transmitter as the ONLY method of preventing a motor start. Often I see large electric models being carried with the transmitter in one hand and the other arm wrapped around the model. A single bump or even the dropping of the transmitter could easily result in the doctors needing to close deep gashes or reattach removed digits. This is something I have observed and seriously wish to prevent for myself and others.

Setup:

The safest setup for the transmitter is to ensure that you properly configure and test a kill switch. It is also important that you set, AND TEST, the failsafe to have the motor throttle set to zero or off in the event of a loss of radio connection/signal. As the transmitter is the source of radio instructions for motor start it is dangerous and must always be treated with respect when the transmitter and the model are both energised.

Failsafe is simply a set of control channel settings for the ESC, Throttle, the control surfaces, and any auxiliary function like Return to Home, that are programmed into the receiver during the bind process. These pre-programmed settings are applied to the receiver outputs in the event of a loss of radio communication with its bound transmitter.

Please note: If the receiver failsafe is programmed to have the motor or throttle held at zero when there is no transmitted signal it is possible to completely make the model safe from motor activation simply by removing the only source of throttle activation, (the transmitter). This is the feature that Spektrum relies on with its Smartsafe recommendation. Effectively by turning the transmitter off, (with properly set failsafe), the receiver forces the throttle into the ESC to be held at zero throttle. In firearm terms, turning the transmitter off is akin to removing the firing pin!

Next post the receiver!

Have fun!
 

Hai-Lee

Old and Bold RC PILOT
Current safety features – 2 Receiver.

The modern digital radio receiver is a microprocessor/computer controlled pre-programmed device with a number of safety features in its programming. A receiver has a boot sequence which must be followed in sequence before it will allow a model aircraft to operate. The first part of the boot sequence is the low power reset. The low power reset is actually something that prevents the radio from booting until the voltage has exceeded the minimum required operating voltage for the receiver. This feature is required to ensure that the instructions downloaded from the on board memory are correct and not subject to corruption from sagging voltage or even voltage spikes. When a model operator complains of brownouts and the like it is this feature that the user is battling. The receiver requires a stable voltage supply of more than a specific minimum.

After the Initial reset is completed the receiver will have its channel outputs disconnected, (not held at zero volts or even at the supply voltage). This open circuit condition only lasts for the period of the receiver starting its search for, acquiring of, and synchronisation with the transmitter signal. The current trend on receiver programming is to maintain the throttle channel disabled rather than apply the failsafe setting until the receiver establishes its connection with the paired transmitter.

Once the receiver establishes communication with the transmitter the channel outputs are supplied with the channel information coming from the transmitter. Of course once the receiver is connected to the transmitter and has armed or enabled its channel outputs the transmitter has complete control over the receiver channel outputs UNTIL the transmitter signal is lost. Upon losing the transmitter signal, (and after a very small time delay to check if the loss is long term/permanent), the pre-programmed failsafe settings are generated within the receiver and applied to the channel outputs. Where a channel has not been pre-programmed under failsafe, (as in failsafe is off or a control surface’s channel information when using Spektrum Smartsafe), the channel from the receiver is actually muted or held open circuit. This feature allows the channel information to remain unaltered and so the channel is effectively frozen. This feature provides the “Last Received” position for control surfaces when using Smartsafe.

Safety in operation:

As mentioned in the transmitter section the transmitter signal is the only source of causing the receiver to output a non-zero throttle setting to the motor control circuitry or servo. With the transmitter signal absent as the receiver boots up the output channels are not enabled. So simply put the receiver cannot complete its boot up sequence without a valid transmitted signal.

By leaving the transmitter turned off when you connect the battery into the model and power up the receiver the model motor control circuitry will do nothing as the receiver will NOT provide a throttle output. On some receivers it is possible that the receiver may apply the failsafe settings if it fails to acquire a transmitter signal during boot up. Always configure your failsafe properly when binding and test it thoroughly.

A note of Caution:

Some radios allow for NO failsafe to be enabled and some radios do not even support failsafe. When using these radios it is important to note that the throttle channel output will also be “Last Received” and this poses a possible additional hazard when using gas engines but as you will see for electrically powered models, the modern range of ESCs have a feature to even deal with this eventuality.
 

Hai-Lee

Old and Bold RC PILOT
Current safety features – 3 Electronic Speed Controllers, ESCs.

ESCs are the most misunderstood device that is in widespread use in radio controlled models. Simply put they are packed full of safety and self protection features and actually make transmitters look quite dumb.

Firstly the ESC is also a microprocessor controlled device that must go through a boot up process fully before the motor drive circuitry is enabled and it has a number of features to shutdown the motor drive circuitry to prevent unwanted operation, self damage or even motor damage. Sadly the features are mostly unknown, ignored or even abused in the very short life that some experience.

With Brushless ESCs the motor drive circuitry has pseudo three phase AC outputs combined with BACK EMF sensing and even current measuring circuitry, (on the more expensive and high power types). The ESC has a voltage sensor circuit as well as a Low Voltage Cut out Protection program to protect the connected battery. Most have an onboard regulator for use as a BEC, (Battery Eliminator Circuit), which supplies a regulated low voltage output for the receiver and servos. An ESC also has an over temperature circuit which is to prevent the ESC from getting too hot and thereby triggering the over temperature circuitry of the BEC. Once triggered, the BEC over temperature function will remove all voltage from the receiver, (A Disaster).

Other features on an ESC include a range of adjustable/programmable features to allow for specific operating parameters to suit a plethora of applications. One more interesting feature of the ESC is the reuse of the motor drive circuitry as an audio generator which in turn is designed to provide outputs to any connected motor that causes the motor to twitch at audio frequencies and be heard as a speaker would. Whilst these features are all nice and quite interesting this thread is to be about safety features and so most ESC features will not be discussed in detail.

Upon connecting the battery to an ESC it enters its boot up sequence after a small reset delay. If the applied voltage is too low it is possible that the ESC will not come out of reset and therefore it will not boot up.

After the boot process is started the ESC loads its programmed settings, and then measures the applied voltage, (the measurement is done in the number of applied cells). During this part of the boot up sequence the motor drive circuitry is disabled or muted. Next the ESC will check for an input from a receiver or similar device. If the ESC detects an open circuit on its input the ESC will enable and use the motor drive circuitry as a speaker driver and the motor as a speaker to provide the series of beeps associated with NO INPUT! Should the ESC detect a valid throttle input signal BUT the signal is not for minimum throttle the ESC will cease its boot up sequence and enter its Programming/Throttle Calibration mode. The ESC will remain in this calibration/programming mode until the user finishes any programming changes and the throttle is returned to minimum throttle position. Please note that the audio generator function is used during the programming and the throttle calibration.

Once the programming changes and the throttle range are set the ESC saves the information in its flash memory and returns to the boot sequence. As the throttle is at minimum the ESC will now signal the applied battery voltage and signal that the motor drive circuitry is armed before actually arming the motor drive circuitry.

Motor drive safety features:

If the ESC is commanded to rotate the motor it initially tries to comply with the required instruction BUT it does not just apply full power to see what happens. The ESC will supply current and check for a generated back EMF. The back EMF is used to determine the actual motor rotation. Where the applied current is actually high and the motor movement or acceleration is low the ESC can determine, (subject to its programming), that the motor is impeded in some manner and remove all motor drive and of course it may signal the disconnected condition. If impeded just remove the issue and by returning the throttle to minimum the ESC drive is reset and ready to try again.

If the ESC is functioning normally with the motor rotating under channel input command and the channel input signal is lost, (either the ESC has been disconnected from the receiver OR the receiver has lost signal and there is no failsafe setting for the receiver to apply), then the ESC will maintain the “Last received” throttle position for a small period of time, (up to around 30 seconds but it varies according to the chipset used). After the time has expired and if the throttle signal is still absent the ESC will remove all motor drive and output an audio signal equivalent to the Disconnected Alarm.

If when the receiver experiences a loss of valid transmitter signal, the receiver has a failsafe setting programmed for the throttle of minimum, then of course the ESC will respond to the provided input and remove the motor drive.

A quick summary of the motor drive safety features pertinent to the rotation of the motor upon applying the model’s battery.

  • If the ESC input is detected as being open circuit it will not arm the motor but rather just alarm.
  • If the ESC receives a throttle signal that is not zero it will enter program and calibration mode with the motor drive disarmed.
  • If the motor detects that the receiver is connected but does not receive a valid throttle signal it will halt the boot up sequence and await the receiver prior to recommencing the boot up sequence. This halt is NOT alarmed as some ESCs will boot faster than some receivers or receiver/stabiliser combinations.
  • If the ESC detects the receiver is connected and it receives a valid minimum throttle setting the ESC will continue with its boot up sequence and finally arm the motor drive circuitry.
  • The ESC will disable or return to minimum throttle position the motor drive after a set time period if a valid throttle signal is lost.
  • An ESC will only attempt to cause a motor to rotate for a set time period or number of attempts before the motor drive circuitry is disabled through a programmed motor fault detection feature.

What does this all mean?

Simply put the ESC is the MAIN feature in a Smartsafe setup and a safe handling procedure. The ESC MUST have a valid connection to a receiver in order to even complete its boot sequence. An ESC will only cause a motor to rotate if it is firstly armed and then commanded to do so.

A receiver will not enable a valid throttle output until it has completed its boot up and attained a connection to its paired or bound transmitter.

A transmitter must have its throttle setting at zero before the transmitter is even allowed to complete its boot up sequence.

NOW the summary!

If the transmitter signal is lost the throttle is immediately cut and held at zero because of the receiver failsafe setting and so by turning off the transmitter after the flight with the throttle setting already at minimum throttle, a receiver having failsafe set for minimum throttle will set the output to the ESC for minimum and where the receiver does not support failsafe the receiver disables its outputs thereby providing the ESC, (which last received a minimum throttle setting), to maintain that setting for the ESC default timing period. In both circumstances the motor cannot continue or start rotating. The only way to have the motor start is to receive a further transmitter command to do so.

If the model is powered up before the transmitter the receiver will not supply a valid throttle input to the ESC. If the ESC does not receive a valid throttle input it will not complete its boot up sequence and so the motor drive circuitry is held as disabled.

This model powered up first and removing the model battery with the transmitter already turned off is what Spektrum refers to as “Smartsafe”. If your transmitter is NOT a Spektrum but it does have a failsafe setting applicable to the throttle then the use of “Smartsafe” is equally applicable to the radio system you use! If your radio system does not support failsafe but the transmitter throttle setting is for minimum when you turn the transmitter off the minimum throttle setting will be maintained for a short while before the motor drive circuitry is disabled.
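
Added example, not part of the original posts: the receiver and ESC behaviour described in this post and in the receiver post, modelled as a small state machine so the power-up and signal-loss sequences can be traced tick by tick. The tick-based timing, `HOLD_TICKS`, the 0-100 throttle scale and all names are assumptions; this is a simplified model, not any manufacturer's firmware.

```python
# Added illustration (not from the thread): simplified receiver + ESC behaviour.
from enum import Enum

MIN_THROTTLE = 0   # assumed normalised throttle percent; 0 is minimum
HOLD_TICKS = 3     # assumed ESC "last received" hold time, in ticks


class EscState(Enum):
    WAIT_SIGNAL = 1   # booting, drive muted, waiting for a valid throttle input
    CALIBRATION = 2   # first valid input was not minimum throttle
    ARMED = 3         # boot complete, motor drive enabled
    DISABLED = 4      # throttle input lost for longer than the hold time


def receiver_output(tx_throttle, linked, failsafe):
    """Throttle the receiver presents to the ESC; None means a muted output."""
    if tx_throttle is not None:
        return tx_throttle   # live link: pass the transmitter value through
    if not linked:
        return None          # never connected: throttle channel stays disabled
    return failsafe          # link lost: programmed value, or None if no failsafe


class Esc:
    def __init__(self):
        self.state = EscState.WAIT_SIGNAL
        self.last = MIN_THROTTLE
        self.lost = 0

    def step(self, signal):
        """Advance one tick and return the motor drive (0 = no drive)."""
        if self.state is EscState.WAIT_SIGNAL:
            if signal is not None:
                self.state = (EscState.ARMED if signal == MIN_THROTTLE
                              else EscState.CALIBRATION)
            return 0
        if self.state is EscState.CALIBRATION:
            if signal == MIN_THROTTLE:
                self.state = EscState.ARMED
            return 0
        if self.state is EscState.DISABLED:
            return 0         # assumption: stays off until power-cycled
        if signal is None:   # ARMED and input lost: hold, then cut the drive
            self.lost += 1
            if self.lost > HOLD_TICKS:
                self.state = EscState.DISABLED
                return 0
            return self.last
        self.lost, self.last = 0, signal
        return signal


def simulate(tx_sequence, failsafe):
    """Run receiver + ESC over per-tick transmitter throttle (None = TX off)."""
    esc, linked, drive = Esc(), False, []
    for tx in tx_sequence:
        linked = linked or tx is not None
        drive.append(esc.step(receiver_output(tx, linked, failsafe)))
    return drive, esc.state


if __name__ == "__main__":
    # Constructed sequences: model powered with TX off, flight then TX off with
    # failsafe at minimum, link lost with no failsafe, TX on with throttle raised.
    print(simulate([None] * 5, failsafe=0))
    print(simulate([0, 0, 60, 60, None, None], failsafe=0))
    print(simulate([0, 60, None, None, None, None, None], failsafe=None))
    print(simulate([50, 50, 0, 40], failsafe=0))
```

The third sequence is the case from the receiver post's note of caution: with no failsafe programmed, the drive stays at the last received throttle for the whole hold period before the ESC cuts it.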
 

Hai-Lee

Old and Bold RC PILOT
Remaining Hazards:

The remaining hazards are sadly only really pertinent where a transmitter is still powered up. The powered up transmitter can be a hazard to other radio users especially if they are using the same radio modulation techniques as the powered up transmitter.

This hazard is more applicable in a residential setting where persons leave their transmitters turned on when not actually using them to fly a model aircraft. Please note that the problem or issue is connected directly to the modulation methodology and the spread used.

Spectral pollution:

This is rather obvious but not understood by many. There are only a set number of channels available for the radio to operate on. With the spectral pollution caused by microwave ovens, Bluetooth devices and a plethora of other transmitter sources and devices the band can suffer from a decreased bandwidth availability and so the number of co-sited transmitters can be far less than the manufacturer claims. Where persons leave their transmitters turned on for their entire flying day AND the number of persons is significant a problem of a lack of available channel space arises and Loss of Signal events start to rise considerably. The unused transmitters use up the available radio spectrum and actually can be the cause of the LOS events.

Polarisation loss:

Whilst this issue is not just a feature of digital radio systems it is mentioned as it is extremely pertinent to the following hazard, Signal capture. For best radio reception antennas should be parallel to each other. Where the receiver has two or more antennas they should be positioned so that at least one of them is as close to right angles to the transmit antenna at all times. Where two antennas are at right angles to each other, additional signal losses are incurred and it is possible that the signal could fail to reach the receiver at all. The same issue arises where either the transmitter or receiver antenna actually points, end on, at the other. This means that whilst the aircraft is flying the receive signal level fluctuates rapidly as the receiver antenna/s achieve a broad range of angles to the transmitter antenna/s. When at a minimum the signal can be subject to signal capture or even a complete denial of service due to spectral congestion.

Signal Capture:

Signal capture is a very rare event but it can be extremely dangerous. Where the available radio spectrum is congested transmitters can be forced to share individual channels at the same time. This being required to share channels is greatest where many transmitters are transmitting at the same time and is not related to the number of models actually flying. If there are twenty transmitters all transmitting in the pit area whilst 5 models are flying the total transmitter usage is twenty five and all of those signals must share the available radio spectrum at the same time.

Signal capture can actually cause a transmitter’s signal to be swamped by the signal from a second transmitter when the wanted signal is faded due to distance or polarisation loss and the unwanted signal is actually markedly stronger. In extremes it is possible that the GUI is received clearly and the following information is scrambled or even replaced with the information of the interfering transmitter. There are error checks and the like performed within the receiver but it is possible, (and a rare possibility, thankfully), that a false set of channel settings can be applied to the model just before the receiver disconnects, declares a LOS and applies its failsafe settings.

During the small window of opportunity it can cause a model to appear to twitch its flight controls and start an uncommanded manoeuvre before it suddenly plunges from the sky out of control.

Additional hazards summary:

Simply put the transmitter is the enabler of all hazards we encounter. The motor cannot rotate without the transmitter being powered up.

Transmitter mishandling is only a hazard with the transmitter being powered up.

Not turning your transmitter off does not make you safer but rather increases the risk of the available channels being congested such that flying models can be interfered with. The transmitter “Always ON” group is actually one of the real causes of the often undefined sources or causes of interference.

Thread summary:

Spektrum SMARTSAFE is the current safest possible model handling procedure that I can find or devise with the battery connected in the model. You should always test everything for yourself and take nothing for granted.

Personally I have used a Smartsafe setup for about 4 years and I have NEVER had an inadvertent motor start that was not due to transmitter mishandling with the transmitter being powered up.

That is all, well without getting into brand specific features and even more heavy reading and the like.

If you read this far I suggest that you devise your OWN safe radio operating methodology and setup.

As always - Have fun!