[robomartin]

> Feels like it would be relatively trivial to have some kind of parachute system that went off automatically on system failure.

> if SpaceX can make self landing rockets

Failure tolerant design isn't well understood by engineers who do not live in that world. We speak of Fault Tolerance levels, or FT-levels for short.

FT0 means any one failure renders the system inoperable. In other words, it can't even tolerate a single failure.

What "inoperable" means is --in terms of consequences-- is a function of what the system in question might be. If we are talking about a life support system in a spacecraft, FT0 is a really bad idea.

An example of a an FT0 system that might not have a horrible failure mode might be a bicycle tire. If the valve fails, it deflates. For the most part, that's not likely to be horrific. Yes, the tire does not work and becomes horribly inefficient, however, it is unlikely it will kill you. There are other elements of a bike that could definitely kill you with a single failure, particularly at speed. Anything that causes the front wheel to come off qualifies.

Higher FT levels provide protection from catastrophic failure. NASA, for example, used to require FT2 for life support systems (tolerate two failures). This, however, changed over the years to a more sophisticated framework. For example, redundancy alone does not fulfill safety requirements.

In terms of drones, no, one can't think of a trivial parachute system providing failure tolerance in real terms. Design Failure Mode and Effects Analysis (DFMEA) is the very first step in understanding how a drone could fail and create undesirable consequences; two of which could be harming people or property.

This subject area isn't simple. It also isn't impossible to create failure tolerant designs. The issue, outside of aerospace/military applications is that FT designs can get very expensive, very quickly. It can be hard to justify some of the design decisions one might have to make in the context of low cost commercial products. This is the main issue with drones.

Wikipedia covers the topic to a reasonable depth:

https://en.wikipedia.org/wiki/Fault_tolerance

[rcarr]

I get it isn't perfect but it's impossible to eliminate all risk. I think we should be evaluating drone failure within the scope of the wider picture. If drone accidents are less likely and deadly than motor vehicle accidents (including lives lost to pollution) then we should probably press ahead with them even if the technology isn't perfect because we'll be saving more lives overall.

[robomartin]

> I get it isn't perfect but it's impossible to eliminate all risk.

I don't think I said that anywhere in my comment. You are stating an obvious fact of life.

> I think we should be evaluating drone failure within the scope of the wider picture. If drone accidents are less likely and deadly than motor vehicle accidents (including lives lost to pollution) then we should probably press ahead with them even if the technology isn't perfect because we'll be saving more lives overall.

Good luck with that.

[rcarr]

> I get it isn't perfect but it's impossible to eliminate all risk.

>> I don't think I said that anywhere in my comment. You are stating an obvious fact of life.

Your original comment implied it's too expensive to be worth undertaking and I just don't think that's the case unless we're letting perfect be the enemy of good.

> I think we should be evaluating drone failure within the scope of the wider picture. If drone accidents are less likely and deadly than motor vehicle accidents (including lives lost to pollution) then we should probably press ahead with them even if the technology isn't perfect because we'll be saving more lives overall.

>> Good luck with that.

Well we have lots of traffic accident data and there are also lots of studies on estimated deaths due to pollution. It would not be difficult to get early data in pilot studies of these drones, extrapolate it and compare it with the traffic and pollution studies.

[robomartin]

> Your original comment implied it's too expensive to be worth undertaking

No. That's not what I said. Quoting:

"outside of aerospace/military applications is that FT designs can get very expensive, very quickly. It can be hard to justify some of the design decisions one might have to make in the context of low cost commercial products. This is the main issue with drones."

In a commercial environment you have real financial boundaries. If the acceptable cost range for a drone is in the order of $100K, nobody is going to pay $500K for one. A drone with aircraft-grade certification and failure tolerance can easily cost that much; even more.

It isn't a matter of "too expensive to be worth undertaking" --a statement that can easily be twisted into something about not caring enough about human lives, etc. That isn't the point. At all.

Delivering a package costs X. Nobody is going to pay ten times X for the same delivery. Why? Because there are excellent deliver services that will do the job for X, if not less. And so, the financial equation regulating the acceptable cost range of a drone-based operation is related to what the market is willing to accept. This, in turn, determines what type of engineering one can apply to the drones.

It's simple, really. Commercial products are bound by constraints imposed by the market. If you are not willing to pay $75 for a cheeseburger, the burger-joint employees cannot make $50 per hour. It's impossible. It isn't necessarily a question of it not being worth it (paying them that much). Not at all. The market will not support it. You just can't do it.

> extrapolate it and compare it with the traffic and pollution studies.

Name one product. A single commercial or industrial product. Whose design safety requirements were determines and actually implemented by evaluating deaths due to pollution as a decision-making metric.

It's nice to talk about these things, and you might have a fantastic idea. Yet, once we descend to the realities of this world, well, as I said, good luck. Not going to happen. That's just not how things work. Perhaps they should. Not today. Not anytime soon.

[robomartin]

I need to add something to my comment. I can't edit it, so here it is.

One of the reasons for which a parachute can be considered to be inadequate in terms of failure tolerance for drones comes from the long list of failure modes generated when one goes through the DFMEA process.

If, for example, you have a bird strike that takes out one or more propellers (or motors) you could have a situation where the drone is spinning out of control. Don't laugh, I've had this kind of thing happen. In fact, I had a hawk attack and destroy a 2.4 meter drone.

Tumbling/spinning can happen for other reasons. One or more motor controllers fail. Software bug. Flight computer failure. Propeller fatigue causing the loss of a blade. Motor/controller overheats. FOD. Etc.

Under those conditions a simple parachute deployment design will result in a parachute wrapping around the drone. In other words, it would be useless.

OK. We need a more reliable method to deploy the parachute. Maybe we also need three parachutes instead of one.

A typical method will shoot the parachute out with some force, perhaps using a strong spring, explosive charge or compressed CO2. The idea being to get the parachute out quickly and as far as possible from anything that could entangle it. You could have a couple of meters of rope before the parachute cords. This would allow for some entanglement without necessarily affecting the parachute.

Here's the problem: Now you need layers of safety and failure tolerance for the parachute deployment mechanism. You cannot even consider using a simple mechanism at all. Why? Imagine the simple parachute mechanism launching the parachute at full force in the warehouse, while people are working around it. Depending on scale, you could seriously hurt or even kill someone.

And this is how we descend down a road that can make failure tolerance very expensive. As I said, this can be very hard to justify in commercial products.

Simple example of a design we completed a couple of decades ago. A failure-tolerant coolant recirculation pump. I won't get into the entire design. We had to have a custom motor made that effectively consisted of two motors built on the same shaft. You could not simply use couplers to link to single motors together because then the coupler becomes a single point of failure element. A solid shaft was deemed to be the most secure option, hence the custom motor. These kinds of decisions are not cheap. Particularly when you are making less than, say, 10K units.