Emergency Fault Tolerance System and Method for Heavy-Duty Unmanned Aerial Vehicles
By constructing a priority sequence and communication network, the problem of attitude loss of heavy-load UAVs after a failure was solved, and stable mission continuation and safe flight were achieved.
Patent Information
- Authority / Receiving Office: CN · China
- Patent Type: Applications(China)
- Current Assignee / Owner: SHENZHEN HOBBYWING TECH CO LTD
- Filing Date: 2026-03-25
- Publication Date: 2026-06-30
AI Technical Summary
Existing UAV systems have difficulty automatically recovering mission context after a failure, and attitude loss is prone to occur during the switching process of heavy-load UAV modules, which cannot meet the mission continuity requirements of heavy-load UAVs in complex environments.
A priority sequence is constructed to determine the master module. Real-time monitoring is conducted through the communication network, and a rapid switch is made when the master module fails. Power control and attitude stabilization functions are optimized in combination with the characteristics of heavy-duty UAVs, and data is cached by the basic service module to achieve rapid recovery.
It enables stable flight and mission continuation of heavy-duty UAVs in the event of a failure, reduces the risk of system crash, shortens module switching delay, suppresses attitude loss of control and load swing, and improves mission success rate and safety.
Description
Technical Field
[0001] This invention relates to the field of heavy-duty unmanned aerial vehicle (UAV) technology, specifically to an emergency fault-tolerant system and method for heavy-duty UAVs.
Background Technology
[0002] In the existing centralized software architecture, the strong coupling between the onboard mission computer and the flight control computer means that failure of any component (such as software failure or crash due to code errors, memory overflows, or external interference) can directly lead to the core control system losing effective command input, causing the UAV to go out of control. Furthermore, the system cannot automatically restart after a crash. Even with manual intervention to restart the software, the restarted system needs to reinitialize all software modules, unable to inherit the mission context from before the crash (such as executed flight segments and incomplete payload operation states), resulting in forced mission interruption and difficulty in resuming the mission, significantly reducing mission reliability.
[0003] Especially for heavy-load drones (≥30kg), which have significant characteristics of large inertia and large payload, slow attitude response and high power requirements, existing emergency control methods for drones have not been adapted and optimized for this type of drone. During the software module switching process, problems such as excessively long switching delay, attitude loss of control, and inability to quickly suppress payload swing are likely to occur, which further exacerbates the risk of loss of control of heavy-load drones and cannot meet the safe flight and mission continuity requirements of heavy-load drones (such as logistics transportation, emergency rescue, engineering hoisting and other scenarios).
Summary of the Invention
[0004] The purpose of this invention is to provide an emergency fault-tolerant system and method for heavy-load unmanned aerial vehicles (UAVs), which solves the problems of existing UAV core control systems being unable to take over tasks after failures and the easy loss of attitude control during the switching of heavy-load UAV modules.
[0005] To achieve the above objectives, the present invention provides the following technical solution: an emergency fault-tolerant method for heavy-load unmanned aerial vehicles (UAVs), comprising: constructing a priority sequence based on the functions and operating status of each software module in the airborne mission computer, and determining a master module in each software module to control the heavy-load UAV based on the priority sequence; the priority sequence, combined with the large inertia and large payload characteristics of the heavy-load UAV, adjusts the functional emphasis weight of each software module, and strengthens the priority ratio of functions related to power control, attitude stabilization, and payload protection.
[0006] A communication network is constructed with the main module as the central node and the other software modules, flight control computer, and ground control system as peripheral nodes. The periodic communication frequency between the main module and the flight control computer is increased to ≥200Hz to provide real-time feedback on the attitude deviation and power consumption data of the heavy-load UAV.
[0007] Through periodic communication between nodes in the communication network, the operating data of the other software modules, as well as the inertia parameters, payload weight, and power characteristic data of the heavy-load UAV, are sent to the ground control system and basic service module through the main module.
[0008] The periodic communication is monitored. When a communication anomaly occurs and it is determined that the master module has failed, the flight control computer enters the heavy load attitude lock mode in advance. It dynamically adjusts and locks the current altitude and attitude through PID to suppress the swing of the heavy load and control the swing amplitude within ±1°. The failed master module releases the CPU resources it occupies, prioritizes the preservation of core resources related to heavy load control, and delays the release of non-core resources. At the same time, the data of the failed master module's most recent normal communication is saved.
[0009] The supervisor module is updated according to the priority sequence to take over control of the heavy-load UAV. When the new supervisor module takes over, it first pulls the heavy-load core data from the basic service module cache, with a pull time of ≤20ms. Subsequently, it pulls complete historical data, and the total module switching latency is controlled within ≤150ms. The heavy-load UAV undergoes functional degradation or functional restoration according to the priority of the updated supervisor module. The functional degradation range is dynamically adjusted according to the payload weight, flight attitude, and power consumption of the heavy-load UAV.
[0010] During module switching, the flight control computer establishes a temporary communication link with the new and old master modules. Before the new master module takes over, it outputs temporary attitude correction commands in advance through the basic service module to ensure that the attitude error is always ≤±1.5° during the switching process.
[0011] In one possible implementation, the step of constructing a priority sequence based on the functions and operating states of each software module in the airborne mission computer includes:
[0012] The airborne mission computer is divided into multiple software modules according to its function;
[0013] The priority of each software module is determined and sorted based on its function and operating status, resulting in a priority sequence. The function priority determination is combined with the core requirements of flight safety and mission execution of heavy-load UAVs. High-priority modules are equipped with additional functions such as heavy-load power reserve monitoring and load tension closed-loop control to ensure that the power reserve is ≥30% and the load swing is ≤±0.5° during normal operation.
[0014] In one possible implementation, the step of "when a communication anomaly occurs and it is determined that the supervisor module has failed" includes:
[0015] If a request from the supervisor module or other software modules fails to respond or times out, it is determined that a communication anomaly has occurred in the supervisor module or other software modules; and / or,
[0016] If the main module or other software modules in the communication network do not receive a response within a predetermined time, it is determined that the main module or other software modules have a communication abnormality.
[0017] When communication anomalies are detected in the master module from at least two peripheral nodes and these anomalies continue to occur within the first consecutive time period, the master module is deemed to have failed. At the same time, the basic service module analyzes attitude response speed and power consumption changes through the overload fault prediction function, and provides early warning of the risk of attitude loss of control that may be caused by module switching.
[0018] In one possible implementation, the step of "when a communication anomaly occurs and it is determined that the supervisor module has failed" further includes:
[0019] The failed supervisor module releases the CPU resources it occupies and triggers an update of the priority sequence; and / or,
[0020] Save the data from the most recent normal communication of the failed supervisor module; and / or,
[0021] The flight control computer enters hover mode until the updated master module communicates with it and takes over control of the heavy-load UAV; the hover mode is connected with the heavy-load attitude lock mode, and the module automatically exits the heavy-load attitude lock mode after the switch is completed.
[0022] In one possible implementation, the construction of a communication network with the main module as the central node and the remaining software modules, flight control computer, and ground control system as peripheral nodes further includes:
[0023] A basic service module is electrically connected to the main module and other software modules respectively; wherein, the basic service module is used to store operating data and the inertia parameters, payload weight, and power characteristic data of the heavy-load UAV, cache the core heavy-load data, add heavy-load working condition identification and heavy-load fault prediction functions, and convert the received data into commands for the control of the heavy-load UAV.
[0024] One possible implementation also includes:
[0025] When a communication failure occurs and it is determined that other software modules have failed, the supervisor module controls the restart of the corresponding other software modules.
[0026] One possible implementation also includes:
[0027] Control of the same function in different software modules is downgraded as their priority decreases; and / or, lower-priority software modules contain fewer additional functions than higher-priority software modules.
[0028] When a medium-priority module takes over as the master module, it retains the core functions of power redistribution and attitude stabilization, disables unnecessary auxiliary functions, adds a heavy-load sway suppression algorithm, and ensures that the power distribution response time is ≤100ms. When a low-priority module takes over as the master module, it retains the basic attitude control and emergency load separation functions, and adds a heavy-load forced landing attitude calibration function. When the load is ≥100kg, the low-priority module still retains the power redundancy distribution function after taking over. When attitude sway is detected to be ≥±2°, non-core functions are automatically suspended and downgraded to prioritize the attitude stability of the airborne mission computer.
[0029] This application provides an emergency fault-tolerant system for heavy-load unmanned aerial vehicles (UAVs), including an airborne mission computer, a flight control computer and a ground control system electrically connected thereto. The airborne mission computer includes a main module, multiple alternative modules and a basic service module that are functionally divided and electrically connected to each other. The main module communicates periodically with the multiple alternative modules and the flight control computer at a set frequency (≥200Hz).
[0030] The master module is used to: control the heavy-load UAV; obtain the operation data of the alternative modules and the relevant parameters of the heavy-load UAV through the periodic communication, and send them to the basic service module and the ground control system; add a heavy-load power linkage function, establish real-time linkage with the power system and the load mounting system, send a heavy-load power holding command when switching modules to ensure that the power fluctuation is ≤5%, and simultaneously tighten the suspension rope to suppress the load swing.
[0031] The multiple alternative modules are used to: monitor whether the supervisor module has failed through the periodic communication; when the supervisor module fails, update the alternative module to the supervisor module, and at least when updating to the supervisor module, preferentially pull the cached heavy-load core data from the basic service module to take over the supervisor module to control the heavy-load drone;
[0032] The basic service module is used to: store operational data and the inertia parameters, payload weight, and power characteristic data of the heavy-load UAV; cache core heavy-load data; add heavy-load operating condition identification and heavy-load fault prediction functions; and convert various received data into commands for controlling the heavy-load UAV.
[0033] In one possible implementation, the plurality of alternative modules include priorities determined based on their own functions and operating status. These priorities are used to determine the order in which each alternative module takes over control of the heavy-load UAV from the main module. The priorities are combined with the core requirements of the heavy-load UAV to adjust their weights, thereby strengthening the priorities of modules related to power control, attitude stabilization, and load protection.
[0034] In one possible implementation, the alternative module includes its primary function and additional functions; when the alternative module is not updated to the primary module, it only performs its primary function; when the alternative module is updated to the primary module, it performs both its primary function and additional functions; the additional functions include functions adapted to heavy-load scenarios such as heavy-load sway suppression, heavy-load forced landing attitude calibration, and power redundancy allocation.
[0035] Compared with the prior art, the beneficial effects of the present invention are:
[0036] This application's embodiments employ a heavy-load UAV emergency fault-tolerant system and method to achieve emergency handling of heavy-load UAVs when software modules fail. By updating the master module, the strong coupling limitations of traditional centralized software architecture are broken, making the system more flexible in the face of failures, reducing the risk of the entire system crashing due to the failure of a single software module, and improving the stability and success rate of heavy-load UAVs performing tasks in complex environments. It can determine the current task status based on stored operational data to continue task execution; the heavy-load UAV's functions are downgraded or restored according to the priority of the updated master module, ensuring that the heavy-load UAV can still maintain a certain level of flight capability and task execution capability in the event of a failure, adapting to its characteristics of large inertia and large payload.
[0037] Meanwhile, by optimizing module switching delay, adding heavy-load attitude pre-stabilization, and dynamic function degradation, the system effectively suppressed attitude loss of control and load swing during the module switching process of heavy-load UAVs, shortened the switching interval, and ensured the flight safety of heavy-load UAVs during fault switching. The newly added heavy-load operating condition identification and fault prediction functions in the basic service module further improved the system's adaptability to heavy-load scenarios, provided early warning of loss of control risks, and reduced the probability of fault expansion. The newly added heavy-load power linkage function in the main module ensured stable power output during module switching and further adapted to the power requirements of heavy-load UAVs.
[0038] Furthermore, all optimized designs do not require additional independent hardware or increase the onboard computing power burden, meeting the needs of miniaturization and low cost for heavy-duty drones, and are highly practical.
Attached Figure Description
[0039] Figure 1 is an architecture diagram of the heavy-load unmanned aerial vehicle (UAV) emergency fault-tolerant system provided by this application.
[0040] Figure 2 is a flowchart of the emergency fault-tolerant method for heavy-load unmanned aerial vehicles provided in Embodiment 1 of this application.
Detailed Implementation
[0041] The technical solutions of the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings. Obviously, the described embodiments are only some embodiments of the present invention, and not all embodiments. Based on the embodiments of the present invention, all other embodiments obtained by those skilled in the art without creative effort are within the scope of protection of the present invention.
[0042] The following description of some technologies involved in the embodiments of this application is provided to aid understanding and should be considered merely exemplary. Therefore, those skilled in the art should recognize that various changes and modifications can be made to the embodiments described herein without departing from the scope and spirit of this application. Similarly, for clarity and brevity, some descriptions of well-known functions and structures are omitted in the following description.
[0043] This invention discloses an emergency fault-tolerant method for heavy-load unmanned aerial vehicles (UAVs), comprising: constructing a priority sequence based on the functions and operating status of each software module in the airborne mission computer, and determining the master module in each software module to control the heavy-load UAV based on the priority sequence;
[0044] The priority sequence takes into account the large inertia and large payload characteristics of heavy-load UAVs (≥30kg) and adjusts the functional emphasis of each software module, strengthening the priority ratio of functions related to power control, attitude stabilization, and payload protection.
[0045] A communication network is constructed with the main module as the central node and the other software modules, flight control computer, and ground control system as peripheral nodes.
[0046] The periodic communication frequency between the master module and the flight control computer is increased to ≥200Hz, providing real-time feedback on the attitude deviation and power consumption data of the heavy-load UAV.
[0047] Through periodic communication between nodes in the communication network, the operating data of the other software modules, as well as the inertia parameters, payload weight, and power characteristic data of the heavy-load UAV, are sent to the ground control system and basic service module through the main module.
[0048] The periodic communication is monitored. When a communication anomaly occurs and it is determined that the master module has failed, the flight control computer enters the heavy load attitude lock mode in advance. It dynamically adjusts and locks the current altitude and attitude through PID to suppress the swing of the heavy load and control the swing amplitude within ±1°. The failed master module releases the CPU resources it occupies, prioritizes the preservation of core resources related to heavy load control, and delays the release of non-core resources. At the same time, the data of the failed master module's most recent normal communication is saved.
[0049] The supervisor module is updated according to the priority sequence to take over control of the heavy-load UAV. When the new supervisor module takes over, it first pulls the heavy-load core data from the basic service module cache, with a pull time of ≤20ms. Subsequently, it pulls complete historical data, and the total module switching latency is controlled within ≤150ms. The heavy-load UAV undergoes functional degradation or functional restoration according to the priority of the updated supervisor module. The functional degradation range is dynamically adjusted according to the payload weight, flight attitude, and power consumption of the heavy-load UAV.
[0050] During module switching, the flight control computer establishes a temporary communication link with the new and old master modules. Before the new master module takes over, it outputs temporary attitude correction commands in advance through the basic service module to ensure that the attitude error is always ≤±1.5° during the switching process.
[0051] Referring to Figure 1, a heavy-load unmanned aerial vehicle (UAV) emergency fault-tolerant system includes an airborne mission computer, a flight control computer and a ground control system electrically connected thereto. The airborne mission computer is characterized in that it includes a main module, multiple alternative modules and a basic service module that are functionally divided and electrically connected to each other, and the main module communicates periodically with the multiple alternative modules and the flight control computer at a set frequency (≥200Hz).
[0052] The master module is used to: control the heavy-load UAV; obtain the operation data of the alternative modules and the relevant parameters of the heavy-load UAV through the periodic communication, and send them to the basic service module and the ground control system; add a heavy-load power linkage function, establish real-time linkage with the power system and the load mounting system, send a heavy-load power holding command when switching modules to ensure that the power fluctuation is ≤5%, and simultaneously tighten the suspension rope to suppress the load swing.
[0053] The multiple alternative modules are used to: monitor whether the supervisor module has failed through the periodic communication; when the supervisor module fails, update the alternative module to the supervisor module, and at least when updating to the supervisor module, preferentially pull the cached heavy-load core data from the basic service module to take over the supervisor module to control the heavy-load drone;
[0054] The basic service module is used to: store operational data and the inertia parameters, payload weight, and power characteristic data of the heavy-load UAV; cache core heavy-load data; add heavy-load operating condition identification and heavy-load fault prediction functions; and convert various received data into commands for controlling the heavy-load UAV.
[0055] The following two embodiments illustrate the technical solution of this application in detail:
[0056] Example 1
[0057] This embodiment is designed for medium-to-heavy-load drones (such as logistics lifting drones) weighing 30-100kg, adapting to their characteristics of large inertia and medium payload. Referring to Figure 2, the specific implementation process is as follows:
[0058] Step 1: Construct a priority sequence and determine the master module. The airborne mission computer is divided into five software modules based on function: airborne management module, obstacle avoidance module, image processing module, data service module, and intelligent algorithm module. The data service module and intelligent algorithm module serve as basic service modules, while the remaining three modules serve as switchable master / alternate modules. Based on the core requirements of flight safety and mission execution for medium-to-heavy-load UAVs, a priority sequence (from high to low) is determined: Airborne Management Module > Obstacle Avoidance Module > Image Processing Module. The airborne management module, as the high-priority master module, adds additional functions such as heavy-load power reserve monitoring and load tension closed-loop control. It monitors the power system status in real time to ensure that the power reserve is ≥30% and the load sway is ≤±0.5° during normal operation, preventing attitude imbalance caused by excessive load sway.
[0059] Step 2: Constructing the Communication Network. A star-topology communication network is constructed with the airborne management module as the central node and the obstacle avoidance module, image processing module, flight control computer, and ground control system as peripheral nodes. The periodic communication frequency between the main module (airborne management module) and the flight control computer is increased to 200Hz to provide real-time feedback on UAV attitude deviation and power consumption data, ensuring timely detection of attitude anomalies. A lightweight network communication protocol is used between the main module and other software modules and the ground control system, employing a request-response mechanism to reduce data transmission latency. The basic service modules (data service module and intelligent algorithm module) are electrically connected to the main module and other software modules, respectively, to store operational data and UAV inertia parameters, payload weight, and dynamic characteristic data. They also cache core heavy-load data (attitude parameters, power distribution parameters, and payload tension data), add heavy-load condition identification and heavy-load fault prediction functions, and convert various received data into commands for controlling the heavy-load UAV.
[0060] Step 3: Periodic Communication and Data Transmission. All software modules and the flight control computer maintain periodic heartbeat interactions according to a set frequency. The master module (airborne management module) sends a heartbeat packet to the flight control computer every 20ms and to the other software modules every 50ms. The heartbeat packet contains the respective operating data and heavy load related parameters. After receiving the heartbeat packet, the other software modules and the flight control computer return a report within 10ms. The report returned by the flight control computer includes attitude angles (0.1 degrees accuracy for each axis), position coordinates, power system voltage, and fault codes. The master module performs CRC cyclic redundancy check and field parsing on all reports, stores the valid operating data and heavy load parameters in the basic service module, and encapsulates the data into a ground status report frame every 1 second and sends it to the ground control system.
[0061] Step 4: Communication Anomaly Monitoring and Supervisor Module Failure Determination. The supervisor module monitors the periodic communication status of each node in real time, maintaining an independent heartbeat reception counter for each peripheral node: For other software modules, three consecutive failures to receive a response (50ms × 3 = 150ms) are considered a communication anomaly; for the flight control computer, three consecutive failures to receive a HEARTBEAT response (20ms × 3 = 60ms) are considered a communication anomaly, triggering two serial port retries; for the ground control system, two consecutive TCP heartbeat failures (10 seconds × 2 = 20 seconds) are considered a communication anomaly. When both the obstacle avoidance module and the image processing module detect a communication anomaly in the supervisor module (airborne management module) for 60ms consecutively, the supervisor module is deemed to have failed; simultaneously, the basic service module, through its heavy-load fault prediction function, analyzes attitude response speed and power consumption changes to provide early warnings of potential attitude loss risks during module switching.
[0062] Step 5: Emergency Handling After the Failure of the Main Module. Upon failure of the main module (airborne management module), immediately release the CPU resources it occupies, prioritizing the preservation of core resources related to heavy load control such as power distribution and attitude control, while delaying the release of non-core resources such as data logs and auxiliary interactions. Simultaneously, save the most recent normal communication data before the failure for subsequent fault analysis. The flight control computer enters heavy load attitude lock mode in advance, dynamically adjusting and locking the current altitude and attitude via PID control to suppress heavy load swings and ensure the swing amplitude is controlled within ±1°, reserving a stable foundation for module switching.
[0063] Step 6: Supervisor Module Update and Succession Control. Based on the priority sequence, the obstacle avoidance module with the second highest priority is updated to the supervisor module. When the new supervisor module (obstacle avoidance module) takes over, it prioritizes fetching heavy-load core data from the basic service module cache, with the fetch time controlled within 18ms (≤20ms). Complete historical data is then fetched subsequently, with the total latency of the entire module switchover controlled within 140ms (≤150ms). During the module switchover, the flight control computer establishes a temporary communication link with the old and new supervisor modules. Before the new supervisor module takes over, it outputs temporary attitude correction commands in advance through the basic service module to ensure that the attitude error remains ≤±1.5° during the switchover process, avoiding attitude loss of control caused by the large inertia of the medium-to-heavy-load UAV.
[0064] Step 7: Function Degradation Adaptation. The new supervisor module (obstacle avoidance module), as a medium-priority module, will undergo function degradation after taking over. It will retain the core functions of power redistribution and attitude stabilization, while disabling unnecessary auxiliary functions such as task planning and image processing. Simultaneously, a heavy-load sway suppression algorithm will be added, controlling the power redistribution response time to 90ms (≤100ms) to quickly counteract load inertial sway and ensure the attitude stability of the medium-to-heavy-load UAV. The basic service module, through its heavy-load condition identification function, monitors the UAV's payload weight (currently 80kg), flight attitude, and power consumption in real time, dynamically adjusting the function degradation level. Since the payload ≥100kg threshold has not yet been reached, function degradation will be performed according to the medium-priority module standard.
[0065] Step 8: Handling Failures of Other Software Modules. If a communication anomaly is detected in the image processing module and it is determined to have failed, the current supervisor module (obstacle avoidance module) will control the image processing module to restart. After restarting, it will restore its original functions without affecting the emergency control process of the supervisor module.
[0066] In this embodiment, after the main module of the medium-to-heavy-load UAV fails, the above process enables rapid module switching, effectively suppressing load swing and attitude loss of control. The switching process is smooth, and the mission can be continued, which is suitable for the use of 30-100kg heavy-load UAVs.
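The failure determination and takeover logic of Steps 4 to 7 can be sketched as a small simulation. This is an added example, not code from the patent: the timing constants and module priority come from Example 1, while the Python identifiers, the `lost_link` parameter (one witness with a broken link to a healthy master) and the 10 ms simulation step are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Values from Example 1 of the text; identifiers are illustrative assumptions.
PRIORITY = ["airborne_management", "obstacle_avoidance", "image_processing"]
MODULE_HEARTBEAT_MS = 50   # master -> other software modules
MISS_LIMIT = 3             # 3 consecutive misses (50 ms x 3 = 150 ms) = anomaly
WITNESS_QUORUM = 2         # at least two peripheral nodes must agree
CONFIRM_MS = 60            # anomaly must persist this long on each witness
HEAVY_PAYLOAD_KG = 100     # threshold that keeps power redundancy on low priority


@dataclass
class Witness:
    """Peripheral node that watches the master's periodic heartbeat."""
    name: str
    last_seen_ms: int = 0
    anomaly_since_ms: Optional[int] = None

    def on_heartbeat(self, now_ms: int) -> None:
        self.last_seen_ms = now_ms
        self.anomaly_since_ms = None      # any heartbeat clears the anomaly

    def poll(self, now_ms: int) -> None:
        missed = (now_ms - self.last_seen_ms) // MODULE_HEARTBEAT_MS
        if missed >= MISS_LIMIT and self.anomaly_since_ms is None:
            self.anomaly_since_ms = now_ms


def master_failed(witnesses, now_ms: int) -> bool:
    """Failed only if enough witnesses have held an anomaly for CONFIRM_MS."""
    sustained = [w for w in witnesses
                 if w.anomaly_since_ms is not None
                 and now_ms - w.anomaly_since_ms >= CONFIRM_MS]
    return len(sustained) >= WITNESS_QUORUM


def next_master(priority, failed) -> Optional[str]:
    """Highest-priority module that has not failed, or None if none is left."""
    return next((m for m in priority if m not in failed), None)


def functions_for(master: str, payload_kg: float) -> set:
    """Function set after takeover, following the degradation rules in the text."""
    rank = PRIORITY.index(master)
    if rank == 0:   # high priority: core functions plus its additional ones
        return {"power_redistribution", "attitude_stabilization",
                "power_reserve_monitoring", "load_tension_closed_loop"}
    if rank == 1:   # medium priority: keep core control, add sway suppression
        return {"power_redistribution", "attitude_stabilization",
                "sway_suppression"}
    funcs = {"basic_attitude_control", "emergency_load_separation",
             "forced_landing_attitude_calibration"}
    if payload_kg >= HEAVY_PAYLOAD_KG:   # low priority keeps this for heavy loads
        funcs.add("power_redundancy_distribution")
    return funcs


def simulate(master_dies_at_ms, payload_kg, lost_link=(), step_ms=10, end_ms=1000):
    """Constructed timeline. Returns (decision time in ms, new master, functions),
    or None when no failover is declared before end_ms."""
    witnesses = [Witness(name) for name in PRIORITY[1:]]
    for now in range(0, end_ms + 1, step_ms):
        master_alive = now < master_dies_at_ms
        for w in witnesses:
            if (master_alive and now % MODULE_HEARTBEAT_MS == 0
                    and w.name not in lost_link):
                w.on_heartbeat(now)
            w.poll(now)
        if master_failed(witnesses, now):
            new = next_master(PRIORITY, failed={PRIORITY[0]})
            return now, new, functions_for(new, payload_kg)
    return None


if __name__ == "__main__":
    # Master stops sending at 200 ms while carrying the 80 kg payload of Step 7.
    print(simulate(master_dies_at_ms=200, payload_kg=80))
    # Healthy master, but one witness has lost its link: quorum is not reached.
    print(simulate(master_dies_at_ms=10_000, payload_kg=80,
                   lost_link=("image_processing",)))
```

In the first run the master's last heartbeat is at 150 ms and failure is declared at 360 ms: 150 ms of missed heartbeats plus the 60 ms confirmation window. In the second run a single witness reporting an anomaly never triggers a switchover, which is the effect of requiring two peripheral nodes.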
[0067] Example 2
[0068] This embodiment is designed for heavy-duty / ton-class drones with a payload capacity of ≥100kg (such as heavy-duty drones for engineering hoisting and emergency rescue), adapting to their characteristics of ultra-large inertia and large payload. The specific implementation process is as follows:
[0069] The heavy-load UAV emergency fault-tolerant system used in this embodiment includes an onboard mission computer, a flight control computer electrically connected to it, and a ground control system. The onboard mission computer includes a main module, multiple alternative modules, and a basic service module, which are functionally divided and electrically connected. The main module communicates periodically with the multiple alternative modules and the flight control computer at a set frequency (250Hz, ≥200Hz). The main module adds a heavy-load power linkage function, establishing real-time linkage with the power system and payload mounting system. The alternative modules include an onboard management module, an obstacle avoidance module, and an image processing module. Their priority sequence is determined based on their own functions and operating status (onboard management module > obstacle avoidance module > image processing module). The priority is adjusted based on the core requirements of the heavy-load UAV, strengthening the priority of modules related to power control, attitude stabilization, and payload protection. The basic service module stores operating data and the UAV's inertia parameters, payload weight, and power characteristic data, caches core heavy-load data, and adds heavy-load condition identification and heavy-load fault prediction functions. It converts various received data into commands for controlling the heavy-load UAV.
[0070] Detailed implementation process:
[0071] Step 1: Construct a priority sequence and determine the master module. The airborne mission computer is functionally divided into an airborne management module, an obstacle avoidance module, an image processing module, a data service module, and an intelligent algorithm module. The data service module and intelligent algorithm module serve as basic service modules, while the airborne management module, obstacle avoidance module, and image processing module serve as master / alternate modules. Based on the core requirements of flight safety and mission execution for ton-class UAVs, a priority sequence (from high to low) is determined: Airborne Management Module > Obstacle Avoidance Module > Image Processing Module. The airborne management module, as the high-priority master module, adds heavy-load power reserve monitoring and load tension closed-loop control functions to monitor the power system status in real time, ensuring that the power reserve is ≥30% and the load swing is ≤±0.5° during normal operation, adapting to the control requirements of ton-class loads.
[0072] Step 2: Construct a communication network. A star-topology communication network is constructed with the airborne management module as the central node and the obstacle avoidance module, image processing module, flight control computer, and ground control system as peripheral nodes. The periodic communication frequency between the main module (airborne management module) and the flight control computer is set to 250Hz (≥200Hz) to provide real-time feedback on UAV attitude deviation and power consumption data, shortening the monitoring cycle for attitude anomalies. A lightweight network communication protocol with other software modules and the ground control system is used, employing a request-report mechanism. Serial communication is used between the main module and the flight control computer to reduce data transmission latency. The basic service module is electrically connected to the main module and other software modules, storing operational data and UAV inertia parameters, payload weight (currently 120kg), and dynamic characteristic data. It caches core heavy-load data (attitude parameters, power distribution parameters, and payload tension data), monitors the operating conditions in real time through the heavy-load condition identification function, and analyzes attitude response speed and power consumption changes through the heavy-load fault prediction function to provide early warnings of loss of control risks.
[0073] Step 3: Periodic Communication and Data Transmission. All software modules and the flight control computer maintain periodic heartbeat interactions at a set frequency. The master module (airborne management module) sends a heartbeat packet to the flight control computer every 20ms and to the other software modules every 50ms. Each heartbeat packet contains its respective operational data and heavy-load related parameters. Upon receiving the heartbeat packet, the other software modules and the flight control computer return a report within 10ms. The flight control computer's report includes attitude angles, position coordinates, power system voltage, and fault codes. The master module performs CRC cyclic redundancy check and field parsing on all reports, storing valid operational data and heavy-load parameters in the basic service module. Every second, it encapsulates the data into a ground status report frame and sends it to the ground control system. Through the heavy-load power linkage function, the master module establishes real-time linkage with the power system and load mounting system, adjusting power output and sling tension in real time to suppress load sway.
[0074] Step 4: Communication Anomaly Monitoring and Supervisor Module Failure Determination. The supervisor module monitors the periodic communication status of each node in real time. For other software modules, a communication anomaly is determined if no response is received three consecutive times (50ms × 3 = 150ms). For the flight control computer, a communication anomaly is determined if no HEARTBEAT response is received three consecutive times (20ms × 3 = 60ms), triggering two serial port retries. For the ground control system, a communication anomaly is determined if two consecutive TCP heartbeats receive no response (10 seconds × 2 = 20 seconds). When the obstacle avoidance module and the image processing module, two peripheral nodes, simultaneously detect a communication anomaly in the supervisor module (airborne management module), and the anomaly persists for 60ms, the supervisor module is determined to have failed. At the same time, the basic service module, through its heavy-load fault prediction function, analyzes the slowed attitude response speed and abnormal power consumption, provides early warning of the risk of attitude loss of control that may result from module switching, and triggers the flight control computer's heavy-load attitude lock mode in advance.
[0075] Step 5: Emergency Handling After the Failure of the Main Module. Upon failure of the main module (airborne management module), immediately release the CPU resources it occupies, prioritizing the preservation of core resources related to heavy-load control such as power distribution and attitude control, while delaying the release of non-core resources such as data logs and auxiliary interactions. Simultaneously, save the most recent normal communication data before the failure for subsequent fault analysis. The flight control computer enters heavy-load attitude lock mode, dynamically adjusting and locking the current altitude and attitude via PID control to suppress ton-level load swings, ensuring the swing amplitude is controlled within ±1° to avoid attitude loss of control due to excessive inertia.
[0076] Step 6: Supervisor Module Update and Succession Control. Based on the priority sequence, the obstacle avoidance module with the second highest priority is updated to the supervisor module. The new supervisor module (obstacle avoidance module) serves as a backup module. Before being updated to supervisor, it only performs its primary obstacle avoidance function. After being updated, it performs its primary function and additional functions (heavy load sway suppression algorithm). When the new supervisor module takes over, it prioritizes retrieving heavy load core data from the basic service module cache, with the retrieval time controlled within 15ms (≤20ms). Complete historical data is then retrieved subsequently, with the total delay of the entire module switchover controlled within 130ms (≤150ms). During module switchover, the flight control computer establishes a temporary communication link with the new and old supervisor modules. Before the new supervisor module takes over, it outputs temporary attitude correction commands in advance through the basic service module to ensure that the attitude error remains ≤±1.5° during the switchover process. Simultaneously, the new supervisor module sends a heavy load power hold command to the power system through the heavy load power linkage function to ensure power fluctuation ≤5%, and simultaneously tightens the suspension cable to suppress ton-level load sway, further ensuring a smooth switchover process.
[0077] Step 7: Function Degradation and Adaptation. The new supervisor module (obstacle avoidance module), as a medium-priority module, will undergo function degradation after taking over. It will retain core functions such as power redistribution and attitude stabilization, while disabling unnecessary auxiliary functions such as mission planning and image processing. Simultaneously, a new heavy-load sway suppression algorithm will be added, controlling the power redistribution response time to 80ms (≤100ms) to quickly counteract the inertial sway of a ton-class load. The basic service module, through its heavy-load condition identification function, will monitor the UAV load in real time to ensure it is 120kg (≥100kg), dynamically adjusting the function degradation range and instructing the new supervisor module to retain the power redundancy distribution function, ensuring that the remaining power can cover the inertial requirements of the ton-class UAV. During subsequent flight, if attitude sway ≥±2° is detected, the degradation of non-core functions will be automatically paused, prioritizing attitude stabilization, and the degradation will be completed only after the sway is suppressed.
[0078] Step 8: Emergency Handling After Another Failure of the Main Module. If the new main module (obstacle avoidance module) fails during operation, the image processing module will be updated to the main module according to the priority sequence. The image processing module, as a low-priority backup module, will perform its primary and supplementary functions (heavy-load forced landing attitude calibration, power redundancy allocation) after being updated to the main module. It will retain basic attitude control and emergency load separation functions, while disabling complex power adjustment functions. Because the current load is 120kg (≥100kg), the power redundancy allocation function will still be retained to ensure attitude stability. The newly added heavy-load forced landing attitude calibration function ensures that a smooth forced landing can be achieved in the event of a subsequent severe failure, avoiding impact of the ton-class load on the fuselage.
[0079] Step 9: System Recovery. The ground control system receives operational data and abnormal information from each node in real time. After the fault is resolved, the priority sequence update can be manually triggered to reset the airborne management module as the master module. The system will then resume full-function operation, inheriting the mission context before the fault and enabling mission continuation.
[0080] In this embodiment, the ton-class heavy-load UAV can quickly switch modules in the event of two failures of the main module, effectively suppressing load swing and attitude loss of control. The function is downgraded to adapt to the ultra-large inertia and large load characteristics of the ton-class UAV, fully meeting all the aforementioned limitations, and ensuring the flight safety and mission continuity of the ton-class heavy-load UAV.
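The failure determination of Step 4 and the priority succession of Steps 6 and 8, as an added Python simulation that is not part of the patent text or the assignee's code. The class and function names, the 10 ms evaluation tick and the heartbeat arrival times are assumptions constructed for illustration; the 60 ms persistence window is measured here from the moment both peripheral nodes agree on the anomaly.

```python
from dataclasses import dataclass, field

# Values taken from Example 2, Steps 1, 3 and 4 of the description.
PRIORITY = ["airborne_management", "obstacle_avoidance", "image_processing"]
HEARTBEAT_PERIOD_MS = 50   # master -> other software modules
MISS_LIMIT = 3             # three consecutive misses = communication anomaly
PERSIST_MS = 60            # the anomaly must persist this long
QUORUM = 2                 # peripheral nodes that must see the anomaly


@dataclass
class PeerView:
    """One peripheral node's view of the master's heartbeat (hypothetical helper)."""
    last_seen_ms: int = 0

    def on_heartbeat(self, now_ms: int) -> None:
        self.last_seen_ms = now_ms

    def anomaly_since(self, now_ms: int):
        """Time the anomaly began, or None while fewer than MISS_LIMIT beats are missed."""
        start = self.last_seen_ms + MISS_LIMIT * HEARTBEAT_PERIOD_MS
        return start if now_ms >= start else None


@dataclass
class MasterFailureDetector:
    peers: dict = field(default_factory=lambda: {
        "obstacle_avoidance": PeerView(), "image_processing": PeerView()})

    def master_failed(self, now_ms: int) -> bool:
        starts = sorted(s for s in (p.anomaly_since(now_ms) for p in self.peers.values())
                        if s is not None)
        if len(starts) < QUORUM:
            return False                    # one node's lost link is not a master failure
        agreed_since = starts[QUORUM - 1]   # moment the quorum first agreed
        return now_ms - agreed_since >= PERSIST_MS


def next_master(failed: set):
    """Highest-priority module that has not failed, or None if none is left."""
    for name in PRIORITY:
        if name not in failed:
            return name
    return None


def simulate(received: dict, until_ms: int, step_ms: int = 10):
    """Replay heartbeat arrival times; return the ms at which failure is declared."""
    det = MasterFailureDetector()
    for now in range(0, until_ms + 1, step_ms):
        for name, times in received.items():
            if now in times:
                det.peers[name].on_heartbeat(now)
        if det.master_failed(now):
            return now
    return None


def beats(start: int, stop: int) -> set:
    return set(range(start, stop + 1, HEARTBEAT_PERIOD_MS))


# Constructed arrival times in ms (not flight data).
PEERS = ("obstacle_avoidance", "image_processing")
MASTER_CRASH = {n: beats(0, 200) for n in PEERS}                     # master stops at 200 ms
ONE_BAD_LINK = {"obstacle_avoidance": beats(0, 200),                 # only one node loses
                "image_processing": beats(0, 1000)}                  # the master
SHORT_STALL = {n: beats(0, 200) | beats(380, 1000) for n in PEERS}   # master resumes in time

if __name__ == "__main__":
    for label, trace in (("crash", MASTER_CRASH), ("one bad link", ONE_BAD_LINK),
                         ("short stall", SHORT_STALL)):
        print(label, "-> failure declared at", simulate(trace, 1000))
    print("successor:", next_master({"airborne_management"}))
```

Requiring both peripheral nodes to agree keeps a single degraded link or a single faulty node from forcing a takeover, and the persistence window filters a stall that clears before the switch would begin.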
[0081] Although embodiments of the present invention have been shown and described, these specific embodiments are merely explanations of the invention and are not intended to limit it. The specific features, structures, materials, or characteristics described may be combined in any suitable manner in one or more embodiments or examples. After reading this specification, those skilled in the art may make modifications, substitutions, and variations to the embodiments as needed without departing from the principles and spirit of the invention, but such modifications, substitutions, and variations are protected by patent law as long as they are within the scope of the claims of the present invention.
Claims
1. A heavy-load unmanned aerial vehicle emergency fault-tolerant method, characterized in that it includes: A priority sequence is constructed based on the functions and operating status of each software module in the airborne mission computer, and a master module is determined in each software module to control the heavy-load UAV based on the priority sequence. The priority sequence, combined with the characteristics of heavy-duty UAVs with large inertia and large payload, adjusts the functional emphasis of each software module and strengthens the priority ratio of functions related to power control, attitude stabilization, and payload protection. A communication network is constructed with the main module as the central node and the other software modules, flight control computer, and ground control system as peripheral nodes. The periodic communication frequency between the master module and the flight control computer is increased to ≥200Hz, providing real-time feedback on the attitude deviation and power consumption data of the heavy-load UAV. Through periodic communication between nodes in the communication network, the operating data of the other software modules, as well as the inertia parameters, payload weight, and power characteristic data of the heavy-load UAV, are sent to the ground control system and basic service module through the main module. The periodic communication is monitored. When a communication anomaly occurs and it is determined that the master module has failed, the flight control computer enters the heavy load attitude lock mode in advance. It dynamically adjusts and locks the current altitude and attitude through PID to suppress the swing of the heavy load and control the swing amplitude within ±1°. The failed master module releases the CPU resources it occupies, prioritizes the preservation of core resources related to heavy load control, and delays the release of non-core resources. At the same time, the data of the failed master module's most recent normal communication is saved. The supervisor module is updated according to the priority sequence to take over control of the heavy-load UAV. When the new supervisor module takes over, it first pulls the heavy-load core data from the basic service module cache, with a pull time of ≤20ms. Subsequently, it pulls complete historical data, and the total module switching latency is controlled within ≤150ms. The heavy-load UAV undergoes functional degradation or functional restoration according to the priority of the updated supervisor module. The functional degradation range is dynamically adjusted according to the payload weight, flight attitude, and power consumption of the heavy-load UAV. During module switching, the flight control computer establishes a temporary communication link with the new and old master modules. Before the new master module takes over, it outputs temporary attitude correction commands in advance through the basic service module to ensure that the attitude error is always ≤±1.5° during the switching process.
2. The heavy payload drone emergency fault-tolerant method according to claim 1, wherein, The construction of a priority sequence based on the functions and operating status of each software module in the airborne mission computer includes: The airborne mission computer is divided into multiple software modules according to its function; The priority of each software module is determined and sorted based on its function and operating status, resulting in a priority sequence. The function priority determination is combined with the core requirements of flight safety and mission execution of heavy-load UAVs. High-priority modules are equipped with additional functions such as heavy-load power reserve monitoring and load tension closed-loop control to ensure that the power reserve is ≥30% and the load swing is ≤±0.5° during normal operation.
3. The heavy payload drone emergency fault-tolerant method according to claim 1, wherein, When a communication anomaly occurs and it is determined that the supervisor module has failed, the following applies: If a request from the supervisor module or other software modules fails to respond or times out, it is determined that a communication anomaly has occurred in the supervisor module or other software modules; and / or, If the main module or other software modules in the communication network do not receive a response within a predetermined time, it is determined that the main module or other software modules have a communication abnormality. When communication anomalies are detected in the master module from at least two peripheral nodes and these anomalies continue to occur within the first consecutive time period, the master module is deemed to have failed. At the same time, the basic service module analyzes attitude response speed and power consumption changes through the overload fault prediction function, and provides early warning of the risk of attitude loss of control that may be caused by module switching.
4. The heavy payload drone emergency fault-tolerant method according to claim 1, wherein, When a communication anomaly occurs and it is determined that the supervisor module has failed, the following further applies: The failed supervisor module releases the CPU resources it occupies and triggers an update of the priority sequence; and / or, Save the data from the most recent normal communication of the failed supervisor module; and / or, The flight control computer enters hover mode until the updated master module communicates with it and takes over control of the heavy-load UAV; the hover mode is connected with the heavy-load attitude lock mode, and the module automatically exits the heavy-load attitude lock mode after the switch is completed.
5. The emergency fault-tolerant method for heavy-load unmanned aerial vehicles according to claim 1, characterized in that, The construction of a communication network with the main module as the central node and other software modules, flight control computer, and ground control system as peripheral nodes also includes: A basic service module is electrically connected to the main module and other software modules respectively; wherein, the basic service module is used to store operating data and the inertia parameters, payload weight, and power characteristic data of the heavy-load UAV, cache the core heavy-load data, add heavy-load working condition identification and heavy-load fault prediction functions, and convert the received data into commands for the control of the heavy-load UAV.
6. The emergency fault-tolerant method for heavy-load unmanned aerial vehicles according to claim 1, characterized in that, Also includes: When a communication failure occurs and it is determined that other software modules have failed, the supervisor module controls the restart of the corresponding other software modules.
7. The emergency fault-tolerant method for heavy-load unmanned aerial vehicles according to claim 1, characterized in that, Also includes: Control of the same function in different software modules is downgraded as their priority decreases; and / or, lower-priority software modules contain fewer additional functions than higher-priority software modules. When a medium-priority module takes over as the master module, it retains the core functions of power redistribution and attitude stabilization, disables unnecessary auxiliary functions, adds a heavy-load sway suppression algorithm, and ensures that the power distribution response time is ≤100ms. When a low-priority module takes over as the master module, it retains the basic attitude control and emergency load separation functions, and adds a heavy-load forced landing attitude calibration function. When the load is ≥100kg, the low-priority module still retains the power redundancy distribution function after taking over. When attitude sway is detected to be ≥±2°, non-core functions are automatically suspended and downgraded to prioritize the attitude stability of the airborne mission computer.
8. A heavy-load unmanned aerial vehicle (UAV) emergency fault-tolerant system for implementing the method described in any one of claims 1-7, comprising an onboard mission computer and a flight control computer and a ground control system electrically connected thereto, characterized in that, The airborne mission computer includes a main module, multiple alternative modules, and a basic service module that are functionally divided and electrically connected to each other. The main module communicates periodically with the multiple alternative modules and the flight control computer at a set frequency. The master module is used to: control the heavy-load UAV; obtain the operation data of the alternative modules and the relevant parameters of the heavy-load UAV through the periodic communication, and send them to the basic service module and the ground control system; add a heavy-load power linkage function, establish real-time linkage with the power system and the load mounting system, send a heavy-load power holding command when switching modules to ensure that the power fluctuation is ≤5%, and simultaneously tighten the suspension rope to suppress the load swing. The multiple alternative modules are used to: monitor whether the supervisor module has failed through the periodic communication; when the supervisor module fails, update the alternative module to the supervisor module, and at least when updating to the supervisor module, preferentially pull the cached heavy-load core data from the basic service module to take over the supervisor module to control the heavy-load drone; The basic service module is used to: store operational data and the inertia parameters, payload weight, and power characteristic data of the heavy-load UAV; cache core heavy-load data; add heavy-load operating condition identification and heavy-load fault prediction functions; and convert various received data into commands for controlling the heavy-load UAV.
9. The heavy-load unmanned aerial vehicle emergency fault-tolerant system according to claim 8, characterized in that, The multiple alternative modules include priorities determined based on their own functions and operating status. These priorities are used to determine the order in which each alternative module takes over control of the heavy-load UAV from the main module. The priorities are combined with the core requirements of the heavy-load UAV to adjust their weights, thereby strengthening the priorities of modules related to power control, attitude stabilization, and load protection.
10. The heavy-load unmanned aerial vehicle emergency fault-tolerant system according to claim 8, characterized in that, The alternative module includes its primary function and additional functions. When the alternative module is not updated to the primary module, it only performs its primary function. When the alternative module is updated to the primary module, it performs both its primary function and additional functions. The additional functions include functions adapted to heavy-load scenarios, such as heavy-load sway suppression, heavy-load forced landing attitude calibration, and power redundancy allocation.