A perspective on the Alauda drone crash at Goodwood Festival of Speed, 2019

People think it's this veneer — that the designers are handed this box and told, 'Make it look good!' That's not what we think design is. It's not just what it looks like and feels like. Design is how it works.

- Steve Jobs

Tim Williams

4th May 2021

On 4th July 2019 the airspace at Goodwood airfield, near Chichester in West Sussex, was closed from 11.15 to 11.45 to allow a demonstration flight of an unmanned aircraft (UA, also Unmanned Aircraft System (UAS), usually known as a drone) in front of a band of invited guests. The aircraft was called the Alauda Airspeeder Mk II; it was 3m long, weighed 95kg and was intended to be a demonstrator for a new type of electric-powered racing aircraft. As such, the Festival of Speed was a natural venue for the demonstration. The company behind the project was Alauda Racing, based in Australia; this was the first international outing of the model, as development had up till then taken place in Australia.

The aircraft took off and performed a few passes along the main runway at Goodwood, as intended, but after a minute the remote pilot (described as 22 years old, with 18 hours experience on type) discovered that he had lost radio control. The aircraft started to climb in a level attitude and continued to do so at a rate of 2000 feet per minute; the maintenance engineer attempted to operate the “kill switch”, which by a separate remote radio link should cut all power to the motor controllers and cause the aircraft to fall to the ground, but it didn’t. The aircraft climbed vertically for around 4½ minutes, reaching a height of nearly 8,000 feet and entering controlled airspace as a result, until its battery power was exhausted, whereupon it fell back to earth, crashing fortuitously in a field of crops adjacent to the airfield, with damage only to itself. The invited guests were told to “take cover” when control was lost. The winds were light and variable at the time; had there been a stronger north-easterly component the aircraft could have drifted over Chichester during its climb and crashed anywhere in the town, or with a south-west component it could have crashed into the Festival of Speed’s 35,000 attendees.

My interest in this event has two strands. First, I live near Chichester and I hold a Private Pilot’s Licence; although no longer current, I flew for many years from Goodwood and regard it as my home base. Any aeronautical incident there is of interest.

But second, I trained as an electronics design engineer and since 1990 have been a consultant to many industries in the field of electromagnetic compatibility (EMC), which charts the methods and techniques used in electronics design to ensure that interference of any sort between separate items of electronic equipment doesn’t occur. I’ve worked, amongst other areas, both with motor racing and aerospace electronics engineers to review their designs in this respect. So I’m naturally interested in the build and design techniques that would be used in a device like this.

This article is based very largely on the AAIB’s report (AAIB Bulletin 03-2021) into the incident. For an incident which resulted in no casualties, the report is unusually detailed and is evidently the result of considerable field investigation and analysis; possibly since the consequences could have been far more serious, and perhaps because drone incidents of this sort are a new phenomenon and justify more detailed inspection. As with all AAIB reports, it does not seek to apportion blame or express opinions, but in this case it doesn’t need to; the facts detailed therein are quite sufficient in themselves to illustrate the issues. I would strongly recommend that this report should be read, not only by people interested in air accidents, but by any electronics or software designer who has to work in a safety-related field, aerospace or otherwise. This article will make much more sense if read in conjunction with the report.

The report considers the crash from a number of aspects. Much of it has to do with the operator’s compliance (or lack of it) with the CAA’s exemption conditions - at the time of the accident flight, in order to fly this weight of UAS in the UK, an exemption from certain parts of the UK Air Navigation Order was required – and with the CAA’s own oversight of the operator and their application for exemption. I’m not concerned in this article to discuss these aspects, other than that they illuminate the operator’s attitude to regulation, and the difficulty that an under-resourced regulator has in policing its regulations. The interested reader will find food for thought in the AAIB’s report.

But from the perspective of a design engineer, the report makes startling reading. Pages 30-36 of the report detail the design of the Airspeeder, with photographs. The aircraft is a quadcopter, as is typical of small drones. The basic control system configuration is shown in Figure 7, reproduced here.

This appears to be the total system, that is, there are no other parts to the flight control, although the crashed aircraft did carry two cameras, evidence from which gave the actual flight profile. Each of the four propellers was powered by a brushless DC motor, driven by a dedicated Electronic Speed Controller (ESC) which supplied high voltage from the 58V lithium polymer battery to the motors, based on the commands from the flight control system. The flight control system was powered by a dedicated 7.2 V battery. Throttle and flight control commands were received by the on-board controller from a 915 MHz radio receiver. These commands were processed, along with inputs from two Inertial Measurement Units (IMUs), to produce the motor commands. The IMUs were used as a basic stability and control system; if no input was received, the onboard control system would freeze the current throttle command to each of the motors but would self-level the UA using the IMU sensors. The effect of this was that in the event of comms link failure, the UA would continue flying the last known command but at a level attitude.

The 7.2V flight controller power supply was passed through a “kill switch” relay. This relay was wired as ‘Normally Closed (NC)’ meaning that if the relay was unenergised, power was available to the flight controller. When activated, the kill switch signal opened the relay, cutting the power to the flight controller. With the control system unpowered, the ESCs would receive no command and the motors should stop. No lift would be generated, and the aircraft would immediately plummet.

The kill switch module was powered by an independent 7.2 V battery and operated on a different frequency (433 MHz Long Range) and a different remote control transmitter to the normal flight control system. The remote transmitter was shown as a laptop with USB connection to an uncased radio PCB with attached antenna; to activate the kill switch a command had to be entered into the laptop which would then be transmitted and, if correctly received and actioned, would open the kill switch relay. A photograph in the report shows this setup but not in sufficient detail to be able to identify the make of USB-powered transmitter, but the assembly appeared to be a USB interface feeding a transmitter board and a connected antenna, mounted on a prototyping board; similar parts are available online in the UK for a few pounds.

The boards described in Figure 7 were assembled into a plastic box which could be transported between airframes. A photo of the inside of this box (after the crash) shows the method of assembly. The circuit boards were mounted on Velcro with a foam lining; the kill switch relay was apparently glued to a prototyping board carrying the kill switch receiver and its antenna, and the flight control receiver appeared to be plugged into the main control board via a board-to-board connector with no retention scheme. It had clearly become detached and broken into pieces, probably as a result of the crash, but it is also possible that it simply came out in flight. The report drily notes

Initial examination of the circuit boards revealed some concerns regarding build quality and workmanship. The boards were populated with ‘hobbyist’ components with exposed wiring, large amounts of solder and lumps of adhesive. The kill switch used an electronics prototyping board with a number of jumper wires instead of a printed circuit. Failure of any of these wires would render the kill switch inoperative… The examination revealed a number of issues with the flight control system and both the airborne and ground-based kill switch assemblies. All the assemblies failed an evaluation against all IPC A-610 classes due to quality and workmanship issues. Examples included misaligned components, burnt insulation, the use of solder bridges, excessive flux residues and a power connector that appeared to be installed in the incorrect orientation…

The construction of the aircraft used a large number of plastic tie-wraps to keep components in place. This included the ESCs, cabling and the connector plates from the control system ethernet cables to the ESCs. Failure of any of these connectors or cables would render the aircraft uncontrollable.

Or, to put it another way, the build quality was something that even a hobbyist might be embarrassed by. This for an assembly which had substantial safety implications. A further point noted by the report was that the main motor battery, a lithium polymer custom-built 58.8V rated part, had no electronic internal safety monitoring for charge, discharge, temperature or open/short circuits, and was not placarded with details of battery voltage or the risks it might pose to first responders.

As far as the actual cause of the flyaway is concerned, the report does not attribute a single cause but says

The loss of control was caused by a loss of link between the ground and airborne control systems. The exact reason for this could not be established but considered likely to be either RF interference or a failure of the onboard control system.

Some specific observations on the design, going beyond the poor build quality, are pertinent.

Reliability of kill switch configuration

The unit relied on the kill switch as a last-ditch method to prevent it flying off without control, there being no automatic return-to-base or geofencing mechanism. The kill switch didn’t work when it was needed, although it had worked when tested on the ground before the demonstration flight.

In theory, a relay disconnection of the power supply to the motor control system should be capable of instantly disabling the propeller motors. The AAIB report doesn’t evaluate this, merely saying that “With the control system unpowered, the ESCs would receive no command and the motors would stop.” In fact, from the simple system block diagram, this last point isn’t necessarily true; the flight control system communicates with each motor ESC through an Ethernet link but the ESCs themselves appear to be powered directly from the propulsion battery. Although the Ethernet would go down, this only means that the motor controllers would stop receiving instructions. There may be a state in which they would continue powering the propellers as per the last instruction received. This is speculation; the report doesn’t give any detail of whether this is a possibility.

Beyond this, there is the weakness of the relay configuration itself: wired normally closed (NC) rather than normally open (NO). This means that any failure to energize the relay, due to a wiring fault, radio interference or a faulty relay itself, would nullify the kill switch function and the aircraft could not be “killed”. A fail-to-safe configuration would wire the relay as normally open, so that it would have to be permanently energized in order for the aircraft to function at all, and a kill instruction would simply de-energize the relay. In the case of the Airspeeder, there was no continuous feedback to the operator to indicate that the kill function was available in flight, so that if connectivity was lost, it would remain unknown until an attempt was made to use the system.

Curiously, the AAIB report under “Detailed examination of the wreckage” notes that “Only one of the 7.2 V batteries was present, the other was not recovered.” It doesn’t follow up this point, and does not state which battery was missing; but if it had been the separate battery which operated the kill switch receiver and relay, and if this had in fact been missing on takeoff, then it is no surprise that the kill switch didn’t work. This has to be left as an unresolved point. On the same page, the report goes on to say

Initial examination of the on-board kill switch circuit board showed that the relay and one of the battery power supply leads had detached from the board. Loss of either of these components would render the kill switch inoperative.

This is unclear, as the critical question is which battery power supply lead had detached. It’s not the case that complete loss of the relay would render the kill switch inoperative; in fact, if the relay were completely detached then there would be no power to the motor controller through its contacts and the aircraft would be effectively “killed”. But if the battery connection to the killswitch controller had detached (in flight), then this would certainly have rendered the system inoperative.

As a design choice, it is understandable that the designers might choose the normally-closed configuration, since the loss of a complete aircraft as a result of a transient fault in the kill switch circuit would have been expensive. Perhaps for the same reason, there is no hint in the report that the operator had presented evidence of the kill switch actually being tested in flight, as opposed to on the ground. It does, though, indicate that the safety consequences of the choice were not uppermost.
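To make the fail-safe argument concrete, the following Python fault model is an added illustration (not from the AAIB report and not Alauda’s circuit) of the two relay wirings. It assumes a deliberately simplified chain: the relay contacts carry flight-controller power, the coil can only be energised if the independent kill-switch battery and the coil itself are intact and the 433 MHz link is up, and a physically detached relay takes its contacts out of circuit. The flag names and the enumeration are mine.

```python
from dataclasses import dataclass
from itertools import product

# Simplified fault model of the kill-switch relay (added illustration, not
# the Airspeeder's actual circuit). Each flag is an assumption about one
# element of the chain between the operator's laptop and the relay contacts.
@dataclass(frozen=True)
class KillSwitchState:
    kill_link_ok: bool      # 433 MHz kill-switch link is up
    battery_ok: bool        # independent 7.2 V kill-switch battery connected
    coil_ok: bool           # relay coil and its drive circuit intact
    relay_attached: bool    # relay still soldered to the board
    kill_commanded: bool    # operator has entered the kill command


def coil_energised(s: KillSwitchState, wants_energised: bool) -> bool:
    """The coil is energised only if the controller wants it energised and
    the kill-switch battery and coil are both working."""
    return wants_energised and s.battery_ok and s.coil_ok


def flight_controller_powered(s: KillSwitchState, wiring: str) -> bool:
    """Does 7.2 V reach the flight controller through the relay contacts?"""
    if not s.relay_attached:
        # A detached relay takes its contacts out of the circuit, so the
        # flight controller loses power whatever the wiring.
        return False
    if wiring == "NC":
        # Normally closed: power flows unless the coil is energised, and the
        # coil is only energised when a kill command actually arrives.
        wants = s.kill_commanded and s.kill_link_ok
        return not coil_energised(s, wants)
    if wiring == "NO":
        # Normally open: power flows only while the coil is held energised,
        # which requires a live link and no kill command.
        wants = s.kill_link_ok and not s.kill_commanded
        return coil_energised(s, wants)
    raise ValueError(f"unknown wiring {wiring!r}")


def all_states(kill_commanded: bool):
    """Enumerate all 16 combinations of the four fault flags."""
    for flags in product((True, False), repeat=4):
        yield KillSwitchState(*flags, kill_commanded=kill_commanded)


def unsafe_states(wiring: str):
    """Operator commands a kill but the flight controller stays powered:
    the failure seen at Goodwood."""
    return [s for s in all_states(True) if flight_controller_powered(s, wiring)]


def nuisance_cut_states(wiring: str):
    """No kill commanded, yet a fault cuts power and drops the aircraft:
    the cost that makes NC wiring tempting."""
    return [s for s in all_states(False) if not flight_controller_powered(s, wiring)]


if __name__ == "__main__":
    for wiring in ("NC", "NO"):
        print(f"{wiring}: {len(unsafe_states(wiring))} of 16 fault states defeat "
              f"the kill; {len(nuisance_cut_states(wiring))} of 16 cut power "
              f"with no kill commanded")
```

The enumeration makes the trade-off explicit: under NC wiring every upstream fault (link lost, kill-switch battery absent, coil or drive failed) silently disables the kill function while leaving the aircraft flying, whereas under NO wiring the same faults ground the aircraft instead. The second count is the price of fail-safe behaviour, and the only NC state that grounds the aircraft is the detached relay noted in the wreckage examination.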

Reliability of flight control assembly

In contrast to the kill switch circuitry, the flight control board appears to be a proper PCB with eight RJ45 Ethernet connectors, and two identical mezzanine daughter boards which are probably the inertial units, though not identified as such. There is presumably a microcontroller also on the board although this is not visible in the photo. The photo does show the location of the receiver board and an inset shows how it should be fitted, as a vertical daughter board with an inter-board connector. After the accident impact, the receiver board was broken in pieces lying in the enclosure, with no part of it left in the main board connector. There was no indication of where and how the antenna was connected; however the photograph appears to show an FrSky R9 board, which chimes with the quoted use of an FrSky transmitter. This has dual antennas connected via SMA jacks on the top end of the board, and a 24+3+3-way board-to-board connector at the other end. In the specification, its weight is said to be 15.8g. (Its operating range is said to be “up to 10km or above”. Choose your value.)

The fact that the receiver was a plug-in part with no apparent retention clip opens the possibility that it may have become separated from the main control board during the flight, simply as a result of attitude changes and vibration. Any electronics designer working in aerospace knows that assured component and connector retention is an absolute must. If the receiver board had worked loose, this would have immediately caused a loss of link.

Radio interference and choice of frequencies

From the EMC perspective, any type of radio-link remote control is a hazardous exercise. Particularly with unlicensed frequency bands, the operator has no way (without a spectrum analyser continuously monitoring the local environment) of knowing what other transmitters may be on or near the operating frequency and potentially interfering with it.

The flight control transmitter that was used for this demonstration is listed as a FrSky Taranis X9D, which is often used for radio control of model aircraft and drones. FrSky is a Chinese company whose website says

FrSky is focused on the R&D, production and sales of the electronic products and embedded software in the areas of remote control systems and intelligent control systems. The main product lines include transmitters, receivers, modules, flight controllers, sensors and related embedded software, which are widely used in various areas of tele-communication, RC model, commerce, industrial, agriculture, etc.

The current version (May 2021) of the X9D Plus is listed as operating at 2.4GHz, but the AAIB report notes that for the demonstration system the transmit frequency could be set to either 868MHz or 915MHz. This is presumably an earlier model of Taranis.

Both 868MHz and 915MHz are allocated in the UK to short-range device use. The relevant document is Ofcom IR 2030, UK Interface Requirements 2030: Licence Exempt Short Range Devices. IR 2030 allows use of the 433MHz band explicitly for model control but otherwise, the non-specific use section (part 1) is applicable; for the band 863 – 870MHz the transmit power is limited to 25mW with low duty cycle limitations. For the band 915 – 921MHz there is the same condition, but airborne operation is not permitted.

The AAIB report states that

The transmitter could be programmed to operate in a number of modes. These included an ‘EU’ and ‘FCC’ mode which used different frequencies (868 MHz and 915 MHz respectively) and gave different power options. When the transmitter was examined, it was set to ‘FCC’ mode with a power of 10 mW.

‘FCC’ implies that the unit was set for use in the USA. Therefore the operator was technically in breach of UK regulations by using this mode, since the 915MHz band is not applicable for airborne operations. But the consequence of this choice was also significant from the point of view of susceptibility to other nearby radio transmissions.

Firstly, a power level of 10mW is usually sufficient for short-range line of sight operation, but hardly enough if you need to have assured communication out to longer ranges. The report notes that

All previous flights in Australia had been performed using a frequency of 915 MHz and transmitter power of 1 W

which were successful; but a power reduction of 100 times equates to a range reduction of 10 times, all other things being equal. Thus the operation was compromised even in the absence of interference. However, the significance of 915MHz in the UK – and one reason for the non-applicability to airborne operation – is that the frequency band directly below it, 880 – 915MHz, is the GSM-900 mobile cellphone band for the uplink, i.e. mobile transmission to base station. Although a lot of mobile operation (3G and later) has migrated to higher frequencies, there are still plenty of GSM-900 users in the UK. By their nature, such transmissions are pretty much random in occurrence, depending on who is using what type of phone on what channel in the vicinity. It would be entirely possible to perform a preliminary “site-specific signal strength inspection”, as was said to have been performed by the operator, while such signals were absent, and therefore not to realise that the potential for interference existed.

The interfering effect of such a mobile phone transmission would depend on many factors; on the transmitting side, proximity to the receiver, transmit channel frequency bandwidth and power, and type of modulation; on the receiving side, actual wanted signal strength, receive channel frequency bandwidth and adjacent channel rejection performance. This latter is a crucial parameter of the receiver specification in terms of interference rejection. Low-cost receivers are generally poor in this respect. The FrSky R9 specification does not give any details of this parameter; it is reasonable to assume that interfering signals that are close to the receive channel in frequency only need a signal strength that is comparable to the wanted signal to cause its degradation. As a back-of-the-envelope comparison, if the wanted transmitter is operating just above 915MHz at 10mW, an interfering mobile phone transmitter operating a similar distance away – in this case, for instance, in the viewing area – just below 915MHz would need little more than 10mW to cause wanted signal degradation. The GSM standard allows a mobile phone to transmit at up to 2W, i.e. 200 times more power, in some circumstances.

Had the Airspeeder remote control transmitter used 868MHz, it would have been legal and somewhat less likely to be affected by this issue.
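The range and interference arithmetic above can be checked with a free-space link budget. The following Python is an added worked example, not from the report or from FrSky; it uses the Friis free-space path loss with unity antenna gains, and treats the receiver sensitivity (-100 dBm) and the adjacent-channel rejection (0 dB, i.e. an interferer of comparable strength at the receiver is enough to degrade the link, as assumed in the text) as assumptions, since the R9 specification does not state them.

```python
import math

C = 299_792_458.0  # speed of light, m/s


def dbm(watts: float) -> float:
    """Convert a power in watts to dBm."""
    return 10 * math.log10(watts * 1000)


def fspl_db(distance_m: float, freq_hz: float) -> float:
    """Free-space path loss (Friis), isotropic antennas."""
    return (20 * math.log10(distance_m) + 20 * math.log10(freq_hz)
            + 20 * math.log10(4 * math.pi / C))


def received_dbm(tx_dbm: float, distance_m: float, freq_hz: float) -> float:
    """Received power at the given distance, unity antenna gains assumed."""
    return tx_dbm - fspl_db(distance_m, freq_hz)


def max_range_m(tx_dbm: float, sensitivity_dbm: float, freq_hz: float) -> float:
    """Distance at which received power falls to the (assumed) sensitivity."""
    budget = (tx_dbm - sensitivity_dbm - 20 * math.log10(freq_hz)
              - 20 * math.log10(4 * math.pi / C))
    return 10 ** (budget / 20)


def range_scale(p_new_w: float, p_old_w: float) -> float:
    """Free-space range scales with the square root of transmit power,
    so 1 W -> 10 mW (100x less power) is 10x less range."""
    return math.sqrt(p_new_w / p_old_w)


def carrier_to_interference_db(wanted_w: float, wanted_dist_m: float,
                               interferer_w: float, interferer_dist_m: float) -> float:
    """C/I at the receiver when both paths follow the same free-space law;
    the frequency terms cancel because the signals are adjacent in frequency."""
    return (dbm(wanted_w) - dbm(interferer_w)) - 20 * math.log10(wanted_dist_m / interferer_dist_m)


def link_degraded(ci_db: float, adjacent_channel_rejection_db: float = 0.0) -> bool:
    """Assumed criterion: the link degrades once the interferer, after the
    receiver's adjacent-channel rejection, is as strong as the wanted signal."""
    return ci_db + adjacent_channel_rejection_db < 0.0


if __name__ == "__main__":
    f = 915e6
    sens = -100.0  # assumed receiver sensitivity, dBm
    print(f"FSPL at 1 km, 915 MHz: {fspl_db(1000, f):.1f} dB")
    print(f"Range at 10 mW: {max_range_m(dbm(0.01), sens, f):.0f} m")
    print(f"Range at 1 W:   {max_range_m(dbm(1.0), sens, f):.0f} m")
    print(f"Range scale 1 W -> 10 mW: x{range_scale(0.01, 1.0):.2f}")
    # Constructed scenario: 10 mW wanted transmitter and a 2 W GSM handset,
    # both 500 m from the aircraft's receiver.
    ci = carrier_to_interference_db(0.01, 500, 2.0, 500)
    print(f"C/I with a 2 W phone at the same distance: {ci:.1f} dB, "
          f"degraded: {link_degraded(ci)}")
```

Whatever sensitivity figure is assumed, the ratio between the 1 W and 10 mW ranges is exactly 10, which is the point made above; and with the interferer at the same distance as the wanted transmitter the C/I is about -23 dB, so the receiver would need more than 23 dB of adjacent-channel rejection for the phone not to matter.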

The interference susceptibility on the kill switch channel is different. This was said to operate in the 433MHz “LoRa” (Long Range) unlicensed short-range device band. “Long range” in this context does not mean higher power from the transmitter, which by regulation is limited to 10mW. It uses a particular type of spread-spectrum modulation to create a higher sensitivity receiver.

In this band, there are very many potential interferers since it is widely used for numerous applications, such as garage door openers, car key fobs and all sorts of telemetry. But these applications, although just as random in occurrence as mobile phone transmissions, operate with low duty cycles and with minimal power, so the likelihood of wanted signal degradation is lower. On the other hand, the same band is used by radio amateurs who are licensed to transmit at much greater power levels. Even so, the susceptibility of the kill switch system will also depend on the datalink protocol; if the kill code is only transmitted once then it may be coincident with an interfering transmission. Repetitive transmission of the code should be more secure, as long as there is no continuous transmission on or near the same frequency. The AAIB report does not analyse or discuss this aspect of the system design.

Conclusion

Overall, it would seem that the cause of the loss of control and resultant flyaway could be due either to the poor build quality or to poor system design, including choice of radio frequency and consequent susceptibility to RF interference, or indeed to a combination of these factors. It is a truism in the aviation community that accidents occur when “all the holes in the Swiss cheese line up”, i.e. when a number of design and operational weaknesses coincide, even if any one weakness is not critical.

It’s salutary also that the AAIB report mentions the context, under “Other similar events”, that a quarter of drone operators in the UK have lost a drone, and that over half of those losses have been due to battery loss, poor signal, or a technology failure.

The AAIB regularly receives accident reports where control of UAS devices has been lost leading to a fly-away or a crash. In AAIB Bulletin 3/2020, five of the seven UAS investigations reported this type of event and Table 4 in AAIB report EW/C2019/03/02 reports 16 loss of control events with one type of UAS in a 20-month period.

What is more surprising is that the manufacturer and operator of the Airspeeder was prepared to field a machine that was so poorly designed and built, at an occasion where not only were there safety implications of failure, but also there was the significant commercial embarrassment of such failure in front of an invited audience whom, it must be assumed, the manufacturer wanted to impress. Some of the operator’s statements quoted in the AAIB report indicate that their understanding of high integrity techniques was to say the least limited: for instance, on page 59, the operator’s safety case says that there are “Four individually controlled motors/propellers - therefore a large amount of built-in motor redundancy”; yet the aircraft could not be controlled if one propeller was not working. This is not redundancy.
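The difference between “four motors” and “redundancy” can be put in numbers. The following Python is an added illustration, not from the report or the operator’s safety case: it treats each motor/ESC chain as an independent unit with an assumed per-flight reliability r, and compares a quadcopter, which needs all four units to keep flying, with a hypothetical six-motor airframe whose controller is assumed to tolerate the loss of any one motor.

```python
from math import comb


def series_reliability(r: float, n: int) -> float:
    """Probability that all n independent units work: a chain with no spare.
    A quadcopter that cannot fly on three motors is this case with n = 4."""
    return r ** n


def k_of_n_reliability(r: float, k: int, n: int) -> float:
    """Probability that at least k of n independent units work (binomial
    tail). True redundancy means k < n: the system survives n - k failures."""
    return sum(comb(n, i) * r ** i * (1 - r) ** (n - i) for i in range(k, n + 1))


def tolerated_failures(k: int, n: int) -> int:
    """How many unit failures a k-of-n arrangement survives."""
    return n - k


def compare(r: float) -> dict:
    """Per-flight loss probabilities for the two airframes. The six-motor
    figures assume a controller that flies on any 5 of 6 motors."""
    quad = series_reliability(r, 4)
    hexa_tolerant = k_of_n_reliability(r, 5, 6)
    return {
        "single_motor_loss": 1 - r,
        "quad_loss": 1 - quad,
        "hexa_one_out_loss": 1 - hexa_tolerant,
        "quad_tolerated_failures": tolerated_failures(4, 4),
        "hexa_tolerated_failures": tolerated_failures(5, 6),
    }


if __name__ == "__main__":
    # r = 0.99 is a constructed value for illustration only.
    for key, value in compare(0.99).items():
        print(f"{key}: {value}")
```

With four units in series the aircraft is roughly four times more likely to be lost per flight than any one motor chain is to fail; adding motors only improves matters when the control system can actually keep flying with one of them gone, which is what the k-of-n figure captures.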

A further observation of the AAIB was that

During the course of the investigation the operator demonstrated little knowledge or understanding of appropriate industry standards, in particular, those relating to airworthiness and for developing electronic hardware and software.

Sadly, it confirms this author’s experience that there are many electronics system designers who enter the business, particularly using radio control links in safety critical systems, with no experience of the pitfalls implicit in such projects. In this case, it’s not even obvious that the system designer(s) had much actual electronics experience; the control system appears to have been largely thrown together from hobbyist modules bought off the internet with no care given to the overall assembly methods. I hope, at least, that the AAIB’s report and this review will have brought to some designers’ attention one more sad tale of the consequences of such lack of experience.

A flying club in the USA. There is no evidence that Alauda Racing are or were affiliated.