See discussions, stats, and author profiles for this publication at: https://www.researchgate.

net/publication/329298451

Failure Mode and Effects Analysis for large scale multirotor Unmanned Aerial
Vehicle Controlled by Moving Mass System

Conference Paper · October 2018

DOI: 10.1109/SysEng.2018.8544444

CITATION READS

1 1,730

4 authors:

Nedim Osmic Tahirbegovic Anel

University of Sarajevo Intelligent Systems Hub doo
46 PUBLICATIONS   369 CITATIONS    5 PUBLICATIONS   6 CITATIONS   

SEE PROFILE SEE PROFILE

Adnan Tahirovic Stjepan Bogdan

University of Sarajevo University of Zagreb
37 PUBLICATIONS   202 CITATIONS    240 PUBLICATIONS   2,707 CITATIONS   

SEE PROFILE SEE PROFILE

Some of the authors of this publication are also working on these related projects:

Navigation and robot following using Pioneer 3-dx platform View project

EuRoC - European Robotics Challenges View project

All content following this page was uploaded by Nedim Osmic on 08 September 2020.

The user has requested enhancement of the downloaded file.

 Failure Mode and Effects Analysis for large scale
multirotor Unmanned Aerial Vehicle Controlled by
Moving Mass System
1st Nedim Osmic, 2nd Anel Tahirbegovic, 3rd Adnan Tahirovic
Department of Automatic Control and Electronics
Faculty of Electrical Engineering
University of Sarajevo
Zmaja od Bosne bb, 71000 Sarajevo, Bosnia and Herzegovina
{nosmic, atahirbego1,atahirovic}@etf.unsa.ba
Abstract—In this paper Failure Mode and Effects Analysis
(FMEA) for a large scale multirotor systems (with moving mass)
based on novel system for aircraft control will be presented. This
system uses four petrol engines for lift and a moving mass system
to control the vehicle. Analysis presented in this paper assesses
the vulnerabilities of the system during the vehicle operation.
The main objective of the analysis is to understand the cause and
severity of the failures that can occur to the petrol engines and the
moving mass system. Our unmanned aerial vehicle system is used
for environmental monitoring and maritime security developed
under MORUS project funded under NATO SPS Program. The
ultimate goal of our research and design is to make an unmanned
aerial vehicle that can lift larger amount of load (approximately
40kg). During its operation time the unmanned aerial vehicle
might fail to complete a certain assignment so failure mode and
effects analysis is needed to account for such problems and to
find appropriate activities to reduce the overall risk the system
faces during the mission.
Index Terms—System failure and recovery, System design,
Aircraft control, Autonomous vehicles
I. I NTRODUCTION
Over the past few decades research interest in unmanned
aerial vehicles has grown. First applications of these vehicles
were mainly for military purposes, but today they cover a lot
of different areas such as: precision agriculture [1], aerial con-
struction [2], search and rescue missions in indoor and outdoor
environments [3], aerial transportation [4] and swarming [5].
Dye to variety of applications, different techniques for design
of UAV have been developed [6].
During the process of UAV design, there are few aspects that
should be discussed [7]. Two most important aspects in early
stages of development were endurance and range. Today these
aspects include load, safety and funcionality [8]. Safety is
usually achieved through hardware redudancy and some other
This work is supported by NATO’s Emerging Security Challenges Division
in the framework of the Science for Peace and Security Programme as Multi
Year Project under G. A. number 984807, named Unmanned system for
maritime security and environmental monitoring - MORUS.
4th Stjepan Bogdan
Department of Control and Computer Engineering
Faculty of Electrical Engineering and Computing
University of Zagreb
Unska 3, 10000 Zagreb, Croatia
stjepan.bogdan@fer.hr
methods such as adaptive control and early fault detection [9],
[10].
Functionality is achieved through selection of appropriate
hardware and software modules. However, UAV design is
complex assignment and has to be carried out by experts
from different areas of expertise. One of the most important
necessities in design and development of UAVs is to have all
requirements known in advance.
The first UAV designs, which appeared in the early nineties,
were based on the design of classical aircraft like helicopters.
In the design of civil, UAVs, the main limitation relates
to low cost of the final product [11], [12]. Increase in the
computational power in last two decades and development of
reliable software enabled arise of modern UAVs. Two main
types of UAVs currently dominated the market - fixed wing
aircraft and multirotor vehicles.
When vehicle is designed it is important to investigate
possible situations that can occur during the UAV operations.
There are various methods that are used for this type of
analysis and investigation.
One of the frequently used methods, conducted even in the
conceptual stage of the system design, is failure mode and
effects analysis (FMEA). This method is used to predict and
handle different modes of failures effective and it turned out
to be a really effective and reliable system engineering tool.
Even though the FMEA identifies and classifies all possible
hazards in a system, the results of this analysis may not
be comprehensive and has its limitations [13]. In addition,
since the risk priority number (RPN), which is the measure
used within the FMEA method, is based on different factors
including failure severity, failure occurence frequency and
failure detectability, some less serious failures might have
higher RPN indications than some other more serious failures
[14]. The ordinal rankings used to quantify the factors for all
failure modes within the FMEA, only provide the information
that that one of the failure modes is higher ranked in terms of
its criticality but it does not provide the exact information on
what would be the difference between the RPN values of the
two successive failure modes. For instance, a ranking of ”4”
may not be twice as severe as a ranking of ”2”.
In this paper the FMEA is used for assessing the risks of
failure for individual parts of a large UAV which uses four
petrol engines for lift and a moving mass system to control
the vehicle. The remainder of the paper is organized as follows.
In Section II general information about used UAV platform is
given. Section III describes basics of the FMEA method, while
implementation of the FMEA is conducted for a novel UAV
design controlled with moving masses is given in Section IV.
Concluding remarks and future work are outlined in Section Fig. 2. MORUS UAV in early stage of design, compared with AscTec Firefly
V.

II. A NOVEL DESIGN OF HEAVY PAYLOAD UAV PLATFORM petrol engines (single four stroke ICE) which are controlled
through additional four mechanical variators which distribute
The flight research platform presented in this paper is
the power via shafts and gears. It is also possible to use petrol
developed under the ongoing NATO project named MORUS.
engine in combination with a system which shifts the center of
The main goal of this project is to construct a heterogeneous
mass of the UAV to ensure favorable dynamical performance.
cooperative fully autonomous system which is capable to
For this purpose in this project four IC engines are used, which
operate in air and underwater (Fig 1. and Fig 2.).
control the UAV by varying the overall CoG with a moving
This heterogeneous system consists of an autonomous un-
mass system (Fig 3. and Fig 4.). This control system concept
derwater vehicle (AUV) and an unmanned aerial vehicle
is often used for underwater vehicles and missiles [17], [18],
(UAV) where both work together on the task of maritime
and was heavily investigated in [19], [20]. For this ongoing
surveillance. The main task of the UAV is to lift the underwater
research, we will consider this type of control system with
vehicle from the ground and carry it to a designated position.
control schemes as described in [15], [21], [22].
In order to do so, the UAV needs to be equipped with a perch
The construction of this type of UAV is the same as for the
mechanism which can reliably grab the underwater vehicle.
classical quadrotor (a configuration known in the literature as
Additionally, the UAV needs to be designed to have a high
the ”+” configuration), where in center of the body electronics
enough thrust force to lift the underwater vehicle (i.e.>50 kg)
and a fuel tank are mounted. This central part holds all
for a relatively long time period (about 1 h). Commercially
components together (Fig 2.). Additionally, four arms with
available UAV platforms rely on electrical motors, which
petrol engines are mounted symmetrically to it. Each of these
either can not generate a thrust of this magnitude, or are
arms contains a moving mass (Fig 3.), which controls the
restricted to mission times which are much smaller than
roll and the pitch of the UAV. By moving this mass from
what is required. To overcome this burden, a good candidate
end to end, we can vary the overall CoG of the UAV. Each
for an engine, which can accomplish the task at hand with
of those masses can be moved separately, and has its own
respect to both payload and time, may be a petrol engine.
displacement vector with respect to the body frame L0 (Fig
However, due to the low dynamical performance of those
4.), which we will denote as rob . Additionally, this movement
engines the overall dynamical performance of the UAV may be
causes variations in the overall moment of inertia (MoI) of the
unfavorable. To overcome this, the authors of [16] have used
vehicle. By exploiting this, we can change the torque acting on

Fig. 1. Cooperative autonomous robotic system able to work both in air and
underwater [15] Fig. 3. Detail of moving mass in one of four arm

Fig. 4. Moving mass concept [15]
the system and consequently control the attitude of the system.
To summarize, this novel UAV configuration has 6 degrees of
freedom (DOF), where two of those degrees - namely the roll
and the pitch can be controlled by the moving masses. Hence,
we require additional control structure to perform yaw and
height control. We will use the classical approach to control
these quantities, which is the variation of the velocities in the
rotors. The overall control structure is shown in figure 4.
III. FAILURE MODES AND EFFECT ANALYSIS
A. Principles of the Failure Mode and Effects Analysis
As mentioned in Section I there are two procedures or
tools for system reliability and failure modes analysis: first
one is inductive (bottom-up) and second is deductive (top-
down). The FMEA can be used as bottom-up methodology
used to discover and analyse possible system failure modes
and effects of those failure modes on system or its parts and
also to determine their criticality. The FMEA is often limited
to systems hardware components failures and consequences
of those failures on system functionality. This procedure can
be shortly explained as follows. All system components, their
function and operation modes must be analysed and docu-
mented before proceeding with FMEA [23]. Then, we analyse
all failure modes that can occur during the operation of each
component. After that, we analyse the effect of each failure
mode of particular component, to any other part of system
and the system itself. A qualitative severity (or criticality)
ranking is assigned to each potential failure and corresponding
effect according to its potential damage and/or probability of
occurrence. Doing the research and development stage several
different severity criteria are formed. Resulting FMEA tables
can serve as feedback to the design process, enabling revisions
in early stages of development.
One way in which failure modes are qualitatively classied
is based on the following parameters: (1) likelihood of oc-
currence, (2) criticality of effects of that failure, and (3) the
TABLE I
FMEA R ISK M ATRIX [10]
Criticality
Likelihood 4 3 2R 2 1R 1
High M M H H H H
Medium L M M M H H
Low L L M M M M
overall risk for the system based on occurence and criticality
[10]. Likelihood of failure modes for each system is not
always possible to determine. Because of this, today we use
rating scales to determine the criticality of failure. Criticality
might be evaluated on a three-point scale which is very simple
and consists of low (L), medium (M), and high (H) estimate
factors.
Categories for criticality classification based on NASA stan-
dards for FMEA for vehicles mentioned and described in [24]
were defined as follows: 1. Catastrophic - Failure modes that
could result in damage to the vehicle, property damage, serious
injury, or loss of life; 1R Catastrophic - Modes of identical or
equivalent redundant hardware items that, if all failed, could
result in Category 1 effects; 2. Critical - Failure modes that
could result in loss of one or more mission objectives; 2R.
Critical - Failure modes of identical or equivalent redundant
hardware items that could result in Category 2 effects if all
failed; 3. Significant - Failure modes that could cause serious
errors in mission objectives; and 4. Minor - Failure modes that
could result in insignificant or no loss to mission objectives.
Possibility of failure and the criticality of its potential
effects can be combined to provide a qualitative estimate
of the risk. Scale with low (L), medium (M), and high (H)
ratings is used to identify system weaknesses and prioritize
future development and improvements of the UAV design and
operations modes. One way to create risk matrix with low,
medium and high risk from NASA standards for FMEA is
shown in Table I. For example, if we have criticality with
number 1, but with likelihood rating low then it has a rating
medium (M) in three point scale mentioned earlier. Another
way to approach and analyse this problem is numerical defini-
tion of parameters of system parts failure modes via severity,
occurrence and detection and finding of RPN number. This
approach is explained in detail in [9].
The three factors: occurrence (O in Table II), severity (S
in Table II) and detection (D in Table II), are assigned in a
range of 1-5 in this analysis shown in Table II [9]. Occurrence
is divided in five categories: Never - so unlikely that it is
not expected to happen in the entire lifetime of a system,
Low - not expected to happen several times in the entire
lifetime of the system, Moderate - unlike to occur to all system
during its lifetime or occur several times in lifetime, High -
occur most of the times, Very high - occurs several times.
Severity is also divided into five categories: No effect, Minor -
affects small part of the system noticed by average customers,
Moderate - most customers are annoyed, High - caused a loss
 Multirotors system Electronic parts of UAV

External batery Power supply Communication Ground Equipment

module

Procesor unit
Mission Comunication
planing module

Electrical motor Control Estimation

with rotor unit unit
Sensor unit

External sensor

Fig. 5. Structure of multirotor [9]

of primary function and customers are not satisfied, Very high
and hazardous - product becomes inoperative. Detection is also
divided in five categories: Almost certain, High, Moderate,
Low and Very remote to absolute uncertainty.
The RPN represents the product of these factors (RPN
= O·S·D) and as these factors are in range of 1 to 5, the
maximum possible value for RPN is 125. However, the RPN
above 30 is considered as a high priority risk which needs
to be further analysed [9]. Then, these risks can be divided
and treated in groups that represent failures which are usually
called a risk reduction group. Then, following discussion will
be concentrated on these risks reduction groups and failure
modes inside these groups that have a highest RPN value.
If the resulting analysis of these groups shows that one of
the groups has a lot of failure modes with high RPN value
we can create redundant components to increase functionality
and safety of entire system. In this way the analysis of failure
modes is simplified and it is ensured that the minimal required
actions are conducted and system is efficiently restored.
B. Failure Mode and Effects Analysis for UAV based on
electrical motors
Detailed description of FMEA for UAV with electric mo-
tor is described in [9]. Author abstracted system’s physical
and logical low-level components into functional blocks. The
obtained functional block diagram (FBD) is shown in Fig.
5. A detailed focus during this analysis was put both on
all logical parts and physical parts of the system. By using
the FMEA, the following risk reduction groups have been
defined: 1. Propulsion system, 2. Motor communication bus, 3.
Flight electronics and 4. Battery. The author has discovered 80
possible failure modes of the system on and their subsystem
of UAV with electrical motor, 43 of them have RPN above
of 30 and represent components with high priority risks.
A high RPN number have the failure modes related to the
fault of components including: power supply, accelerometers,
gyroscopes, brushless engine controller, magnetometers and

TABLE II
R ATING FOR OCCURRENCE (O), SEVERITY (S) AND DETECTION (D)

FMEA Ratings
O S D RPN=O·S·D
Rate Description value effect
No Almost
1 Never 1 No risk
effect certain
Small
2 Low Minor High ≤16
risk
Medium
3 Medium Medium Medium ≤30
risk
High
4 High High Low ≤125
risk
Very Very Very
5
high high remote
Fig. 6. Structure of system for control and communication
 TABLE III
PART OF H IGH P RIORITY R ISKS TABLE FROM [9]

FMEA resulting table for fuel tank

Failure mode Effect Cause(s) Possible action RPN
A.301 discharging under the loss of power → bad battery level monitoring, measuring voltage/
50
battery operating voltage inactivation of the system user ignores alert and alert user
A.302 loss of power →
failure of battery damaged battery none 50
battery inactivation of the system
C.101
flight low/high/no output low battery voltage no power supply for components none 50
elect.
G.201
failure of the propulsion unit
DC MCU crash software error none 50
short circuit of the battery
motor
E.201 fast attitude changes
no signal sampling failure none 50
gyros control can be unstable
A.402 deviation from partial rotor damage adaptive
loss of control 48
prop. desired torque loss of motor control

flight control electronics.
Part of the table that cointains failure modes with high RPN
values presented by the author in [9] is shown in Table III.
In the table the author shows part of the system to which is
the failure mode related, Failure mode-type of failure mode,
Effect-effects of the failure mode to entire system, Cause(s)-
possible part of system that causes failure mode, Possible
action-actions to overcome the failure mode. As it can be seen
from Table III, the failure mode which is directly related to
a possible control issue was related to the battery voltage,
propulsion and sensors systems.
It is possible to perform certain improvements of these
components to decrease the RPN value under 30, and to
improve functionality and security of the overall system. The
author has used a fault control technique to improve the RPN
values for the failure modes related to the propulsion system
and stabilization control categories.
After the detailed FMEA, the author conducted experimen-
tal system testing. During these tests the author discovered
that the two main problems are related to: battery voltage
(battery voltage rapidly changes while discharging and cause
problems with motor control and sensor system) and control of
DC motors (unstable rotor speed or motors jamming in place).
After the FMEA and experimental testing of UAV the author
concludes that the risk of a failure in the propulsion system
should be considered with the highest priority level.
IV. FAILURE M ODE AND E FFECTS A NALYSIS FOR THE
PROPOSED UAV PLATFORM
We now perform the FMEA for the UAV design, which has
been previously designed throughout NATO-MORUS project
and presented in [15] and [21].
Because classical type of UAV usually has problems with
battery supply (see section III-B), the design addressed within
this paper uses petrol engines instead of brushless DC motors
for lifting the UAV. However, the batteries are still used for
the electrical components and for other four electrical motors.
These four motors are used for a instantaneous allocation of
the moving masses to control the vehicle.
Besides the potential problems related to the battery supply,
the system sensors are also the system units which have
to be carefully addressed. In the classical UAV design [9],
the FMEA listed 43 failure modes having high RPN values.
Almost 30 % of those failure modes were caused by sensors
and flight control electronics faults.
Having in mind these potential design bottle necks, the
novel UAV has been designed (Fig. 6) by introducing a
redundancies. Namely, the control algorithm is implemented
throughout two stages, the one for lower control level (im-
plemented on Pixhawk), and the one for planning level (im-
plemented on Intel Nuc platform). In the proposed design,
there were two Pixhawk units which are connected in parallel,
where each unit has its own sensors (3x accelerometer, 3x
gyroscope, 3x magnetometer, 2x barometer). The implemented
redundancy certainly addressed the problems the previous
FMEA has shown, and ensured the failure modes related
to the used sensors and flight control electronics have now
much smaller RPN values within the FMEA conducted for
this novel design. The main difference between the classical
UAV design and the proposed UAV design pertain to the used
hardware components (petrol engine for lifting and moving
mass for control roll and pitch). Using these new components,
we have formed propulsion system (petrol engine), moving
mass system, flight electronics, and fuel tank, to be the new
FMEA risk reduction groups fully presented in Tables IV, V
and VI.
As shown in Table IV, the first risk reduction group reflects
the failure modes related to the petrol engine and flight
electronics. Because the FMEA is mainly purposeful for the
identification of failure modes with high RPN values, we put
focus on those failure modes that have the highest RPN and
propose the actions by which one could address the relevant
design problems and reduce their respective RPN values.
One of the modes with the highest RPN value is marked
 TABLE IV
FMEA RESULTING TABLE FOR PETROL ENGINE AND FLIGHT ELECTRONICS

FMEA resulting table for petrol engine part and flight electronics
Failure mode
overheating of
1 damaging the unit
petrol engine
2 mechanical failure
some parts of the engine
3 power loss
engine has no reaction
4 unable to start engine
on starting
engine has no reaction
5 unable to start engine
on starting
engine starts, speed increases
6 12
and then engine stops
engine starts, speed increases
7 12
and then engine stops
jamming in place, engine
it is not possible to control
8 is rotating at same rpm
regardless of desirable speed
jamming in place, engine
9 is rotating at same rpm
regardless of desirable speed
engine unable to reach
10
desirable speed
11 engine speed unknown
not sufficient amount
12
of thrust
13 loss of speed
engine has no reaction
14
on initial starting
engine has no reaction
15
on initial starting
engine has no reaction
16
on initial starting
engine has no reaction
17
on initial starting
engine has no reaction
18
on initial starting
jamming in place, engine is
19 rotating at same rpm
regardless of desirable speed
20 loss of speed
one cylinder temperature
21
unknown
overheating on controller
22
of the petrol engine
communication bus
23 error on controller of
the petrol engine
Effect
destruction of the motor
not working properly
engine shuts down after
initial start
engine shuts down
after initial start
speed of engine
it is not possible to
control speed of engine
loss of thrust
no sensor reading
engine is rotating
but the propeller is not
engine speed
damaged or lost fuel tank
increasing rapidly
unable to start engine
unable to start engine
unable to start engine
unable to start engine
unable to start engine
it is not possible to
control speed of
engine
engine shutting down
no temperature
sensor reading
destruction of UAV
wrong set points
Cause(s) Possible action RPN
emergency shutdown /
overloading safe landing 20
with the parachute
testing of take off /
fatigue, overheating 20
emergency shutdown
perform
low level of trust 20
safe landing
battery for starting not visual inspection and
8
working properly battery test
electrical starter engine visual inspection and
12
not working properly mechanical test
problems with getting mechanical inspection
fuel to the engine of fuel tank
not enough oxygen visual inspection and
in carburetor carburetor check
wrong signal from check sum /
ARM control unit or redundant ARM control / 32
broken ARM controller safe landing
failure detection /
jammed fuel injector 30
safe landing
redundant sensor /
fuel injector not
failure detection / 16
opened correctly
safe landing
damaged sensor wiring redundant sensor /
16
or sensor itself failure detection
loss connection between
safe landing 18
engine and propeller
safe landing /
10
emergency shutdown
dynamixel engine
visual inspection
for choke valve 12
and choke check
not working properly
petrol engine is visual inspection /
16
not working properly petrol engine check
ignition module not visual inspection /
16
working properly petrol engine test
visual inspection /
starter not working 12
starter test
visual inspection /
carburetor stuck 12
petrol engine check
dynamixel engine emergency shutdown /
for thrust not safe landing 30
working properly with the parachute
emergency shutdown /
petrol engine is not
safe landing 30
working properly
with the parachute
broken wiring or redundant sensor /
24
sensor itself failure detection
overloading saturation of current 20
check sums /
wrong trust emergency shutdown 24
with the parachute

in Table IV as number 8 and represents the mode related wrong signals generating from the ARM controller. This type
to the effect of engine jamming in place, which causes the of failure can cause system breakdown and permanent damage
loss of controllability of the engine. Such a loss is caused by of the aircraft. Our proposed solution or action to this failure
 TABLE V
FMEA RESULTING TABLE FOR FUEL TANK

FMEA resulting table for fuel tank

Failure mode Effect
loss of trust and torque →
level of fuel under
1 engines shutting down →
the minimum
falling down(destroyed)
loss of trust and torque →
2 tank falling off engines shutting down →
system falling down(destroyed)
fuel level decreasing rapidly →
loss of trust and torque →
3 ruptured tank
engines shutting down →
system falling down(destroyed)
Cause(s)
bad fuel level monitoring,
user ignores alert
loose screws, collision
collision with sharp objects
Possible action RPN
sensor for measuring fuel level/
36
redundant sensor
sensor for fuel tank presence/
failure detection / 15
parachute landing
measuring of speed of
fuel level change / 15
parachute landing

TABLE VI
FMEA RESULTING TABLE FOR MOVING MASS SYSTEM

FMEA resulting table for moving mass

Failure mode Effect Cause(s) Possible action RPN
UAV unable to follow visual inspection of UAV
1 incorrect control broken arm control unit 20
planned path before take off
use advanced control of
moving mass engine one of the cabling wires
2 unable to move mass speed of rotors / 16
stays in the last position broken
safe landing
visual inspection of UAV /
calibration of moving one or both limit points
3 unable to move mass redundant sensor / 27
mass is not possible broken
failure detection
visual inspection of UAV
engine moving left or right one or more toothpicks
4 stohastic position of mass before take off / 16
regardless of control input broken
safe landing
visual inspection of UAV
mass not reaching UAV unable to take right one or more toothpicks
5 before take off / 24
desired position orientation broken
safe landing
visual inspection of UAV
mass not reaching UAV unable to take right lose connection between before take off /
6 40
desired position orientation moving mass and toothpicks use advanced control of
speed of rotors
no information about unable to get desired encoder wiring damaged redudant sensor /
7 9
mass position orientation or encoder itself failure detection
use advanced control of
mass unable to move unable to get desired damaged ARM controller
8 speed of rotors / 15
and stay in any position orientation for mass positioning
safe landing

mode is having a continuous checking of communication
between ARM controller and Pixhawk. In case of any noticed
inconsistency, the system should switch to the second ARM
controller.
A similar type of failure mode caused by jammed fuel
injector listed as number 9 in Table IV can also cause
permanent damage of the aircraft. Possible action for this
failure mode is to include additional sensor that will will be
continuously checking if injector is opened and to perform a
safe landing if necessary. Failure modes 19 and 20 in Table IV
can also cause permanent damage to the aircraft and represent
a huge problem for the aircraft control. In this case, the only
possible action left is to perform an emergency shut down and
parachute landing, to try to save the UAV from the further
damage. It is important to mention that there are some failure
modes that can occur while the UAV is not in flight mode.
These failure modes are serious but their RPN is low because
aircraft is on the ground. Examples of these failure modes are
listed as numbers 4, 5, 6, 7, 14, 17 and 18 in Table IV. The
reader can see all other failure modes for this risk reduction
group and our proposed actions.
The second risk reduction group is reflected by the failure
modes related to the fuel tank. Some possible failure modes
for the fuel tank are shown in Table V. The failure mode with
the highest RPN value pertains to the fuel level being below
the minimum value. This mode might be caused by a faulty
fuel level monitoring procedure, or by a user who ignores
a relevant alert. However, such a failure lead to permanent
damage of the aircraft. Our proposed action for this mode is
to include a redundancy with doubling the sensors dedicated
to the fuel level monitoring. The failure modes 2 and 3 from
Table V are also interesting to report. Although, these failures
can instantly lead to the aircraft destruction, they have not large
RPN values since the probability of occurrence is estimated to
be much smaller than in other cases. However, the proposed
action for saving the UAV from a total damage is to perform
parachute landing.
The final risk reduction group, which is also important to
be presented in terms of the FMEA, can be considered as the
most relevant to this novel UAV type of design. Namely, this
group is related to the proposed moving mass system used to
control the vehicle. All failure modes from this group are show
in Table VI. The mode with the highest RPN value is related
to a possible situation in which a mass is not able to reach a
desired position. This problem can be caused by an irregular
connection between a moving mass and the toothpicks. Some
possible actions we propose based on this FMEA include (1)
a relevant visual inspection of the UAV immediately before
taking off, (2) a use of classical control of rotor speed with
respect to the vehicle height to improve stability of the UAV,
and (3) performing of a safe landing if possible. One possible
action might be also to improve the moving mass system by
a novel design. Other failure modes and possible actions are
listed in Table VI.
V. CONCLUSIONS
In this paper the FMEA is performed on a recently de-
veloped UAV design. The main goal of the analysis was to
determine all possible failure modes that can affect stability of
the entire UAV. The resulting FMEA is presented by estimated
RPN values for each failure mode, and by proposing some
relevant actions for the most important ones, after this actions
some of RPN values are improve (for example Failure modes
2, 3 and 6 in Table VI). In Section IV we explained in detail
the three relevant risk reduction groups of this FMEA, with
the focus on those failure modes with the highest RPN values.
Our analysis has given 104 possible failure modes, from which
34 were unique for this novel UAV design. It is important to
mention that this system is still in its testing phase and in
the future we plan to collect even more data and to update
this FMEA tables in terms of the respective RPN values. In
addition, we also plan to improve parts of the system having
high RPN values with better mechanical design, redundant
sensor system and control techniques. Some uncertainties like
expertise of compilers, assigned ranks, missed failure modes
will also have some impact on the outcomes and will be
subject of our future work.
R EFERENCES
[1] C. Zhang and J. M. Kovacs, “The application of small unmanned
aerial systems for precision agriculture: a review,” Precision agriculture,
vol. 13, no. 6, pp. 693–712, 2012.
[2] Q. Lindsey, D. Mellinger, and V. Kumar, “Construction of cubic struc-
tures with quadrotor teams,” Proc. Robotics: Science & Systems VII,
2011.
View publication stats
[3] T. Tomic, K. Schmid, P. Lutz, A. Domel, M. Kassecker, E. Mair,
I. L. Grixa, F. Ruess, M. Suppa, and D. Burschka, “Toward a fully
autonomous uav: Research platform for indoor and outdoor urban search
and rescue,” IEEE robotics & automation magazine, vol. 19, no. 3, pp.
46–56, 2012.
[4] N. Michael, J. Fink, and V. Kumar, “Cooperative manipulation and
transportation with aerial robots,” Autonomous Robots, vol. 30, no. 1,
pp. 73–86, 2011.
[5] A. Kushleyev, D. Mellinger, C. Powers, and V. Kumar, “Towards a
swarm of agile micro quadrotors,” Autonomous Robots, vol. 35, no. 4,
pp. 287–300, 2013.
[6] M. Sadraey, “A systems engineering approach to unmanned aerial
vehicle design,” in 10th AIAA Aviation Technology, Integration, and
Operations (ATIO) Conference, 2010, p. 9302.
[7] E. Torun, “Uav requirements and design consideration,” TURKISH
LAND FORCES COMMAND ANKARA (TURKEY), Tech. Rep.,
2000.
[8] P. Elands, J. de Kraker, J. Laarakkers, J. Olk, and J. Schonagen,
“Technical aspects concerning the safe and secure use of drones,” TNO,
Tech. Rep., 2016.
[9] T. Schneider, Fault-tolerant Multirotor Systems. ETH Zurich, Swiss
Federal Institute of Technology Zurich: MSC thesis, 2011.
[10] P. Freeman and G. J. Balas, “Actuation failure modes and effects analysis
for a small uav,” in American Control Conference (ACC), 2014. IEEE,
2014, pp. 1292–1297.
[11] H. Bendea, P. Boccardo, S. Dequal, F. Giulio Tonolo, D. Marenchino,
and M. Piras, “Low cost uav for post-disaster assessment,” The Inter-
national Archives of the Photogrammetry, Remote Sensing and Spatial
Information Sciences, vol. 37, no. B8, pp. 1373–1379, 2008.
[12] F. Neitzel and J. Klonowski, “Mobile 3d mapping with a low-cost uav
system,” Int. Arch. Photogramm. Remote Sens. Spat. Inf. Sci, vol. 38,
pp. 1–6, 2011.
[13] H. W. Potts, J. E. Anderson, L. Colligan, P. Leach, S. Davis, and
J. Berman, “Assessing the validity of prospective hazard analysis meth-
ods: a comparison of two techniques,” BMC health services research,
vol. 14, no. 1, p. 41, 2014.
[14] S. Kmenta and K. Ishii, “Scenario-based failure modes and effects
analysis using expected cost,” Journal of Mechanical Design, vol. 126,
no. 6, pp. 1027–1035, 2004.
[15] T. Haus, M. Orsag, and S. Bogdan, “Design considerations for a large
quadrotor with moving mass control,” in Unmanned Aircraft Systems
(ICUAS), 2016 International Conference on. IEEE, 2016, pp. 1327–
1334.
[16] B. Bluteau, R. Briand, and O. Patrouix, “Design and control of an
outdoor autonomous quadrotor powered by a four strokes rc engine,”
in IEEE Industrial Electronics, IECON 2006-32nd Annual Conference
on. IEEE, 2006, pp. 4136–4240.
[17] C. Woolsey and N. Leonard, “Moving mass control for underwater
vehicles,” in American Control Conference, 2002. Proceedings of the
2002, vol. 4. IEEE, 2002, pp. 2824–2829.
[18] T. L. Edwards and M. H. Kaplan, “Automatic spacecraft detumbling by
internal mass motion,” AIAA Journal, vol. 12, no. 4, pp. 496–502, 1974.
[19] I. Palunko and R. Fierro, “Adaptive control of a quadrotor with dynamic
changes in the center of gravity,” IFAC Proceedings Volumes, vol. 44,
no. 1, pp. 2626–2631, 2011.
[20] M. Orsag, C. M. Korpela, S. Bogdan, and P. Y. Oh, “Hybrid adaptive
control for aerial manipulation,” Journal of intelligent & robotic systems,
vol. 73, no. 1-4, pp. 693–707, 2014.
[21] T. Haus, N. Prkut, K. Borovina, B. Marić, M. Orsag, and S. Bogdan,
“A novel concept of attitude control for large multirotor-uavs based on
moving mass control,” in Control and Automation (MED), 2016 24th
Mediterranean Conference on. IEEE, 2016, pp. 832–839.
[22] T. Haus, M. Orsag, and S. Bogdan, “A concept of a non-tilting
multirotor-uav based on moving mass control,” in Unmanned Aircraft
Systems (ICUAS), 2017 International Conference on. IEEE, 2017, pp.
1618–1624.
[23] U. Army, “Failure modes, effects and criticality analysis (fmeca) for
command, control, communications, computer, intelligence, surveil-
lance, and reconnaissance (c4isr) facilities,” Department of the Army,
Technical Manual No. TM, pp. 5–698, 2006.
[24] M. U. NASA Goddard Space Flight Center, Greenbelt, “Flight assurance
procedure p-302-720: Performing a failure modes and effects analysis.”
2007.