Hacker News new | past | comments | ask | show | jobs | submit login
Swiss Post Suspends Drone Delivery Service After Second Crash (ieee.org)
155 points by sytelus 74 days ago | hide | past | web | favorite | 150 comments

This could have been very ugly:

the 10-kg drone suffered an uncontrolled crash “in a wooded area of Zurich’s university quarter only 50 yards away from a group of playing kindergarten children.”

One of the things that few people are aware about is quadrotor MTBF is very low relative to other common vehicles. For many drones, the expectation for failure dramatically increases just after 100-200 hours of operation[1]. Figuring out points of failures, building systematic fault trees and increasing MTBF by order of magnitude or two would be big part of the drone delivery projects.

[1] https://catsr.vse.gmu.edu/SYST490/490_2014_SPDAV/DST-NSPDAV_...

Wow, that's shockingly low. The paper doesn't describe why -- do you have any idea what part(s) are failing so quickly? The rotors, the motors, the battery?

For commercial delivery service, it seems quite clear that we'll need either

1) "enterprise-grade" drones (like difference between consumer and enterprise SSD's),

2) reliable sensors to detect imminent failure before a flight,

and/or 3) easy replacement of failing parts.

I mean, for many hobbyists 100-200 hrs seems like a reasonable cost/benefit tradeoff... but not even close for commercial delivery services.

> do you have any idea what part(s) are failing so quickly? The rotors, the motors, the battery?

It doesn't really matter what fails, what matters is that there is no way to do a controlled descent once anything goes wrong on a loaded drone because there is no margin for error. A drone this heavy relies on the whole chain of components functioning perfectly.

I'm surprised it is as good as it is given the number of parts. If it were a winged drone you'd at least have a chance to glide it to a safe spot, but a drone that is kept up by spinning props can only crash uncontrolled. There was a video of downing one in a more controlled way but the only fault it could cover was single rotor failure and even then the amount of control was very limited.

These things have absolutely no business over areas occupied by people.

> what matters is that there is no way to do a controlled descent once anything goes wrong on a loaded drone because there is no margin for error.

Not entirely true. The drone had a parachute system to allow a controlled descent in situations like this and an alarm to alert nearby people to its descent. The problem here was that the parachute's single tether was severed shortly after deployment.

> The drone had a parachute system to allow a controlled descent

The parachute would allow the drone to avoid a rapid descent. Most parachute systems are not steerable/flyable so they won't make it a controlled descent.

Parachutes won't control the descent. Might slow it down a little, but that is of arguable value if all 10 kg landed on top of those kids mentioned in the article.

They don't control the descent, but they do control the descent. That is the descent (rate thereof) is controlled to a safe speed while the alarm alerts those below of its approach.

They have parachutes installed. In the 2nd crash it deployed but the line hit a sharp part of the craft and was severed. Upgrades are being made (redundant cords and metal braiding) and the whole fleet was grounded in the meantime.

  If it were a winged drone you'd at
  least have a chance to glide it to
  a safe spot, but a drone
The last time I looked at the retail quadcopter/RC plane market, when faced with a communications failure most of the quadcopters would return to the launch point and safely land. None of the RC planes had such a function - most seemed to just turn off the propeller and glide in whatever direction they were facing at the time.

Seemed to me the quadcopter response to communication failures was a much safer one. Is this still the case? It was quite some time ago.

>The last time I looked at the retail quadcopter/RC plane market, when faced with a communications failure most of the quadcopters would return to the launch point and safely land. None of the RC planes had such a function - most seemed to just turn off the propeller and glide in whatever direction they were facing at the time.

Once you have a quadcopter you've got enough digital hardware and software that adding "return to base" is basically free since it's just an additional software routeine.

RC planes don't already have the required hardware/software to implement a return to base feature because they don't need it and of course nobody is going to greatly increase the cost and complexity of the product just to add that one feature.

A handful of the quad controllers also support planes. I have multiple RC planes with that functionality - it adds a little complexity but not a ton.

> The last time I looked at the retail quadcopter/RC plane market, when faced with a communications failure most of the quadcopters would return to the launch point and safely land.

That isn't really accurate at all.

> https://hobbyking.com/en_us/turnigy-t1000fc-auto-pilot-syste...


Very few micro and mini quads have this functionality.

Return To Home functionality is common any medium and larger RC aircraft intended for FPV flying.

Often fixed wing RC with RTH functionality won't attempt to land, it return to home and enter a circular holding pattern until contact is re-established or the battery fails.

I tested some quadcopters and all had the behavior to land immediately on connection loss, no matter what is below them. Better not have something like that happening above a pond. So no automatic navigating to a starting point. It has been a few years, maybe that changed.

3D Robotics Solo has that feature (return to launch), but that was 5 years ago now. You could also set it so when the battery started to get too low it would return home as well. But that was one of the most advanced hobby drones in terms of software that existed at the time. DJI now uses it as well. It's all built into ardupilot. http://ardupilot.org/

Is there any reason a drone couldn't autorotate like a helicopter does to slow its descent?

A helicopter's rotor has a complex control system that has you changing the pitch of the rotor blades and the angle of the rotor disk, with the rotor behaving similarly to the wing of an airplane. Quadcopters usually rely purely on thrust for control. For example to bank, the motors on one side spin faster (more thrust) and the motors on the other side spin slower (less thrust). If you lose a motor, or lose the ability to control a motor, you lose the ability to control the quad.

In comparison, a helicopter will have a clutch that can disengage the rotor from the engine and let it turn freely. The pilot still has the ability to control the rotor, so she has some control during the autorotation. At the end, just before landing/impact, she will perform a flare, using the rotational energy in the rotor to slow the helicopter's descent.

For autorotation you need to passively stay upright and a certain propeller area to weight ratio.

All of which are not present in a typical multirotor.

And you need pitch control ("collective").

Helo autorotation largely requires the momentum of the blades to keep going after engine failure (as well as the pitch and forward momentum). I don't think the blades on small drones are heaby enough to store enough momentum for autorotation.

More importantly, most drones cannot physically adjust the tilt of the rotor blades (which is called collective pitch control in helicopters). Helicopter autorotation requires rotors with a lot of angular momentum and usually an abrupt change in the collective pitch right before landing to turn that momentum into thrust and slow the helicopter down.

There are RC aircraft with collective pitch controls, like most RC helicopters and even some multirotors. These RC aircraft generally can autorotate, as well as do things that are probably not practical for full-scale aircraft to do, like fly upside down. :)

A collective pitch quadcopter flying upside down: https://youtu.be/MVL_Hf4ilLg?t=162

An RC helicopter doing, well, all sorts of acrobatics that hardly make sense: https://youtu.be/KmPchrGW1TQ?t=48

An RC helicopter autorotating: https://youtu.be/bxQ5kwqiPN4?t=136 (this one has an internal combustion engine, although that shouldn't make much of a difference for autorotation)

>that hardly make sense

Just a guess: stronger strength to weight, and power to weight ratios, compared to the real thing. The tail rotor in particular appears to be quite a bit more powerful for the weight of the model than would be expected in a full size aircraft. And then also, these kinds of movements with a person inside? Haha! No!

Yeah, I've been pretty deep in the RC community, but what doesn't make sense to me is the physical skills of pilots like that! Handling orientation changes like that is insanely difficult. I practiced flying RC helis for a while in a simulator and even the basic orientation exercises are pretty challenging.

Why not autorotation? https://wikipedia.org/wiki/Autorotation

Is it less mass and therefore momentum in the rotor/drivechain?

That needs forward flight to work. A quad copter does not have a glide ratio high enough that it would be able to start up the rotors to spin fast enough to get some lift out of them. A quad copter is best modeled as a brick with a magic anti gravity device attached, if the anti gravity device fails it is a suspended brick and gravity will soon assert itself.

A real helicopter (or an auto-gyro) is best modeled as a rotating wing, as long as the blades rotate you can control the craft to greater or lesser extent. It still won't be pretty in a proper helicopter but at least you have a chance.

Additionally, you need "collective pitch" control, i.e. the ability to angle the rotor blades for windmilling and then for hover flight right before touchdown. Multicopters just have fixed-pitch rotors and rely on differential torque/thrust for attitude control and ascend.

>A quad copter is best modeled as a brick with a magic anti gravity device attached, if the anti gravity device fails it is a suspended brick and gravity will soon assert itself.

Very nice definition.

There isn't AFAIK such a neat distincion in English, in Italian the iron (the device you use for ironing, maybe flatiron?) has a specific name "ferro da stiro" so it is common to use it as a term of comparison for such a behaviour.

Is it possible to design a self-destruct sequence so powerful that the entire thing is fragmented to dust over a wide area?

I'm sorry, did you just suggest we pack explosives in commercial cargo drones as a safety measure? Explosives enough to vaporise 10kg drone plus its cargo. Are we looking at mini nukes here?

I don't know, as you can tell I don't know much about explosives. But you wouldn't need to literally vaporise it, I guess, and I doubt it'd need a miniature nuke.

In my defence, a quick search shows this story:


So apparently it's not a stupid suggestion and Amazon are thinking along the same lines.

I only ask because it seems making drones land safely is hard. I mean, a paracute with a whistle is a great idea until it drifts in front of a car moving at high speed, or lands on a deaf person or shorts out a high-voltage cable. They all have problems. If there was a way to convert the failed drone into widely dispersed very small objects, the harm may be much lower.

I think the combination of being airborne, remotely controlled and high explosives might get you attention of a kind you would like to avoid.

Sure, but it might explode near people

I didn't say it had to be explosive, but at any rate, you know anyone can buy fireworks right?

maybe you could have started a new comment thread since your post doesn't remotely answer the question you quoted

> Wow, that's shockingly low. The paper doesn't describe why --

It's because many drones, even "commercial" ones, are built using hobby parts with poor QC. If you use high end components then the reliability will be up by a two orders of magnitude, as will the price.

(Also as mentioned by others, multirotors and especially quadrotors have many single points of failure and so even with reliable parts the whole contraption isn't very reliable.)

Commercial drones can push to 10^3 hrs but that's still far cry from aviation standards of 10^5 hrs. According to this nav system and fuel+actuators are two big failing components: https://www.ncbi.nlm.nih.gov/pmc/articles/PMC6165073/pdf/sen...

That article seems to be referring to winged UAV drones (e.g. Predator) not the quadcopter-type drones used for deliveries.

Good catch. It is possible for quadcopter-type drones to come with four extra motors that sit opposite of the traditional four motors and props and face down with slightly different sized props and rotating the opposite way.

In the case of failure of a prop in this configuration (the most common failure in my own experience with quads and octos), it is possible to program the n-copter to automatically change to flying in 7 prop mode or 6 prop mode or 5 prop mode, and so on and so forth as a redundancy feature. This could help with a not insignificant amount of crashes but obviously comes with increased costs.

Airplanes get regular (and quite extensive) maintenance though.

> do you have any idea what part(s) are failing so quickly? The rotors, the motors, the battery?

My bet is on the power electronic semiconductors, mostly MOSFETs, in the motor controllers. Life time of these components decreases exponentially with the temperature difference they see in the semiconductor junction, i.e. the difference between hot (current is flowing, heating the junction with a power of I^2 * R_ds_on) and cold.

To make this deltaT_junction small, you need to choose big components, but at the same time you want to save weight, which is fundamentally at odds with overdimensioning everything.

Those are solid state components, though, and they exist (or can) in the downwash of the rotor, so it really shouldn't be that hard to keep them cool.

I'd think the motor and rotor itself would be much more likely to be the problem.

I don't know of any multi-rotor craft that incorporates the ESC (electronic speed controller) in such a way as to be cooled by the downwash of the props. Not saying there aren't any, but I haven't seen it.

Most hobbyist multirotors use smaller controllers (which are essentially a PWM'd set of mosfets) zip-tied or otherwise affixed to the arms of the machine, with short connections to the motors and to the controller/and power-supply distribution board on the body.

Consumer multi-rotor craft will generally have the ESCs integrated on a motherboard or daughterboard in the main body of the craft (cheaper to manufacture), well away from the prop wash and enclosed (not good for cooling).

I'm not sure what commercial (or large-scale) multi-rotor craft use, but it is probably similar to the others.

Again - I'm not saying it hasn't been done, or couldn't be done; in fact, it seems like a good idea. I can even envision how it could be integrated on the motor itself (board on the back with mosfets, with an extended shaft with fan for cooling the mosfets (inrunner motor), or with the fins of the mosfets in the wash of the prop, or something like that for an outrunner motor).

It wouldn't surprise me if such motors don't come on the market (or maybe they already exist - I haven't looked)...

Ok - well, apparently the idea isn't a new one:


...and it has been tried and sold to some success. So I imagine such motors are still available somewhere. TIL.

A helicopter can autorotate when its single engine quits, or continue flying when one of its multiple engines quit. Quadrocopter requires all four motors to work to remain in the air. This is a reasonable tradeoff for light hobby drones, but not for heavier drones for commercial delivery.

This isn't quite true. Cheap drones may not have this capability, but controlled, safe landings of quadrotors with a single failed motor have been demonstrated, see this ETH Zurich video from 2014:


Obviously there are still other single points of failure such as the battery or controller, but at this point there's no excuse for crash landing a commercial drone just because a single motor (or rotor) has failed.

Arducopter flight controller user here:

There is a reason why pro grade filming setups carrying $40,000 to $150,000 cameras are all coaxial octocopters or flat octocopters. Even a hexacopter cannot 100% reliably recover from a single motor failure.

Personal opinion, any craft that is over 3 to 4kg and spends time over people needs to be an octo.

I've held the opinion that we shouldn't be using multirotors but VTOLs when it comes to aerial deliveries. The multirotors are extremely energy inefficient, have very low MTBF, short-range and very low payload cap. On the other hand designing safe reliable VTOL is hard but solvable problem when thrown enough resources because you can draw a lot from existing aviation tech. However, Amazon has gone through quadrotors to VTOL and then they switched back to multirotor again, surprisingly. Unfortunately, most of the delivery vehicles are being built by relatively small limited resources startup-like groups. While multirotors are very easy to build, they have an enormous number of problems. I think if there was a well-funded group of 500 or so engineers working over ~5 years, there is a decent chance we can have safe reliable commercial-grade VTOL for autonomous point-to-point deliveries that can be adopted as standard. Unfortunately, this is a big capex project.

Google has been experimenting with tailsitters, which I think is a no-brainer.

Zipline is, imho, the real out of the box thinker. Catapault launch plus the snag line is Short takeoff, effectively-vertical landing, main downside is you need ground gear to land without damage. Main upside is weight savings for peak power (takeoff) is reduced, landing gear gone, and your engineering space is shrunk to solely the problem of steady state flight.

I foresee the paradigm of winged mothership for last-hundred-mile, plus n-rotor drones for air-to-land leg of delivery.

Zipline's system is a much lower cost, light weight implementation of what InSitu (now a Boeing subsidiary since they were acquired) designed for the defense market, for their Scaneagle. They were by no means the first to launch or recover a fixed wing drone in that manner.

As you point out it provides a lot of advantages in not needing to carry the extra weight for a VTOL, no landing gear, extra energy boost on launch. It's very close to the optimal energy usage in watts for motor, per size of craft, that can be achieved right now.

The other advantage of using a single motor fixed wing craft is ability to use lithium ion batteries which are relatively higher Wh/kg density. These are not as capable of instantaneous high amps as lithium polymer are. The best commodity, commercially available lithium ion batteries are in the range of 210 to 248Wh/kg right now. The best lithium polymer batteries are about 178Wh/kg.

FPV hobbyist fliers who build fixed wing and flying-wing craft use lithium ion for longer range.


Zipline only works if you have a single base where you launch from land at. If you need to land at the customers site then you need VTOL capability.

I think the idea is that the full-payload drone is launched via catapult, and the takeoff from the customer's site is without payload, allowing for lower power.

Yeah I've been thinking same, possibly a UAV dirigible for the mothership. That would be cool.

Due to the very low energy storage density in Wh/kg for li-ion and li-po type batteries, VTOLs are the inevitable design decision a lot of companies are arriving at. For a big filming octo, capability to stay in the air for 45, 60 or 90 minutes is not essential and it doesn't need to travel far.

If you look at the pilot projets for drone delivery in Canberra, it's all VTOLs.


The instantaneous watts required for forward flight with wings at a reasonable speed are much lower than the watts required for the same weight of craft, same general dimensions, same speed, forward flight with four, six or eight rotors.

Any insight as to why Matternet is using quads still? Just nearsightedness? Yeah, they might be a bit cheaper, but now they are grounded, that's never good for the bottom line.

Furthermore, safety critical systems are all about layers. Yeah redundant motors are good, parachute is nice, but what about passive measures?

Maybe drones should have stub wings which, in addition to lift boost, have deadman switches which cause one to spring 180° on power loss, forcing the hull to autorotate in the event the chute fails.

Ok, the gps dies, the motors fail, chute fails to deploy, and the wing ripped off, you are dropping at full speed. Well now the rapid descent causes a pressure differential (artificial eustacian tube, if you will) which trips some azide charge, inflating an airbag.

It's like they are putting in bare minimum of effort with the quad+parachute.

I actually recognize the drone body that Matternet is using there, it's a monocoque molded carbon fiber + fiberglass body from a manufacturer in China, where it's sold as an agricultural spraying drone.

Rapid descent sensors don't necessarily need to be pressure based at all. While in controlled flight there is a limitation (as governed by flight controller and ESCs) for how rapidly a quad, hex or octo can descend. Accelerometer data can be used to trigger a parachute and/or airbag system. A multiply-redundant array of small accelerometers that can detect freefall is very tiny and light weight.

Most higher end flight controllers have double or triple accelerometers onboard.

Thanks for contributing toward progress and not toward fear/restriction.

There's valid technical reasons for having a coaxial octo within a total craft body+arm size radius of 1.5 meters as well. You can generate more thrust and carry more payload for the same disc loading area.

Four large motors and four 28" CF props produce less thrust than four arms, each arm with two motors stacked, and eight props.

Octos are not a conservative, redundant, fail tolerant design decision just for the sake of protecting expensive gear. Many of them still have 1+0 non redundant power systems.

Quadrotor form factor seems unusual for something that clearly has reliability/safety as a high priority.

I think multirotors have the capability to be made quite safe. The only moving parts are the rotors, and with higher rotor counts, graceful degradation of flight performance is possible in the case of a rotor-out.

Problem is that most of the components (batteries, motor controllers, flight controllers) are built by and for hobbyists. Motor burns a winding? ESC spontaneously lets the smoke out? Whatever, they're $15 bucks each. The field of "commercial grade cargo multirotor" is still in its infancy. The balance of safety and cost for the components hasn't been struck in the market. You either deal with random chinese components and control algorithms written by intrepid RC airplane nuts, buy very expensive industrial/aerospace grade components, or roll your own solution.

Hexes and octocopters are "safer" than quads - since they can (with appropriate controllers) cope with any one motor/controller out, and some combinations of multiple motors out. (Anyone flying expensive DSLR cameras uses these for that reason.)

There are some quad copter controllers that try to deal with single motor failures, but they're mostly experimental (at least on the hobby end to the space) since they need to be able to reverse a motor, which most motor controllers used in these applications are not build to do.

I recall a quadcopter control mode that spins the entire craft quite rapidly, exchanging yaw control for altitude control.

Found a vid: https://m.youtube.com/watch?v=bsHryqnvyYA

Without even clicking that I knew it was gonna be ETH Zurich... They do pure magic. Pretty much nobody _else's_ quadcopters can survive a motor failure... (But it'll come, presumably. Amazing software is cheaper than redundant hardware, after all...)

Not to detract from how cool this work is but the preconditions for this to work are quite far-reaching. It is based on bridging the reality gap by having that gap approach zero - by removing error sources from the real world rather than model and account for them. Same goes for other ASL work.

I don’t expect a service delivery company to use hobbyist components. That’d be s recipe for disaster. One would think they’d put something like this though its paces before testing it out in public. I’d expect they buy aerospace grade components where possible and build their own to spec where needed.

I fully expect most "service delivery companys" to buy their drones from the same Alibaba vendors that share bike ad scooter companies buy from...

Losing them, crashing them, having people steal them or throw them in a lake - those are things to include in your VC funded "operating costs" and to mitigate/offload the risks in your TOS...

(Small print: "The delivery customer shall be wholly and solely responsible for any damages and costs incurred by their delivery and any company equipment used in the completion of the customer's delivery, including but not limited to the drone crashing into a playground full of children." Just like Tesla's abrogation of responsibility when their "autopilot" software is driving the car they sold you...)

Not sure how things work in Switzerland, but at least in the US I think these aircraft would be under the purview of the FAA who likely would require some rigor. Likely something similar in CH.

The market is too young for this kind of process. Regulators around the world are smart enough to realise you can't expect drones to follow classic aeronautical design and safety processes right now, you would just stop dead the whole field.

So while they gently introduce such rules (mostly centered around see and avoid for now, also identification), the main way they use to ensure safety is restrict where and who can fly them.

You know they can't be trusted, so you don't fly them above sensitive areas. As processes mature, reliability increase and trust is gained, you will see drones expand the airspace in which they are allowed. It's already happening for BVLOS (beyond visual line of sight) flights which requires a waiver from the FAA in the US (with paperwork such as risk assessment, collision tests on mannequins and so on), as well as specific equipment/processes.

These aircraft are in fact manufactured by a US company (Matternet).

There's no aerospace grade for most of the components. It's either custom made for the most critical/unique components, hobbyist parts (who else needs 4" propellers), or cots that are designed for other applications.

Pretty much no one besides DJI has the scale for custom made, except on a few select components. Drones are still in their infancy, those companies are still trying to see if they have a business model and improving/creating technologies. You can't expect mature processes from this environment.

In a sense, most other aerial vehicle types are worse. Helicopters, with only one main rotor are incredibly complex machines requiring constant maintenance. The rotor blades are articulated to provide flight control. Quadcopters are a ton simpler because their rotors are "just" rotors, and flight control is achieved through differential thrust, not angling the blades. On the other hand, helicopters often seem to deal with engine failure better than quadcopters or even fixed wing aircraft.

Fixed wing drones have the big problem that they need to go fast to stay in the air. Which requires a lot more motion planning.

Your typical helicopter is made to entirely different standards than your typical drone.

Yes, of course. But toy helicopters have been around for a lot longer than quad-copters have been popular. And I've not seen a lot of people using single-rotor RC helicopters for filming and delivery (I'm sure there are some ...).

My point is that multicopters are a lot simpler mechanically. No articulation, no transmission, just propellers on an electrical motor, controlled by pure electronics with no mechanical components in the loop except the drive coils.

Arguably multicopters are easier to control automatically (with modern electronics), though that wouldn't be THAT big a factor today, I guess.

Also electrical engines can deal a lot better with variable load and RPM. Multicopters with combustion engines (driving the rotors directly, not through a generator) seem to be quite uncommon.

Still, if multicopters are supposed to be routinely used in the presence of people, they need similar standards of maintenance and failure control as would bigger aircraft, be they manned or unmanned...

You're not wrong, but even model helicopters can autorotate: https://www.youtube.com/watch?v=bxQ5kwqiPN4&t=135

That figure doesn't sound convincing, and the linked paper seems to just make it up without any explanation or justification.

The limiting factor of a quad's ability to fly is the motor and unexpected failure of the battery. Higher end brushless motors have a life expectancy in the tens of thousands of hours. Battery failure is already mitigated in consumer drones by having independent packs each of which provides enough current to continue operation.

Quads do occasionally just fall out of the sky because a defective bearing ceases or a defective cell sags, but it's very rare. Most of the time they crash due to operator error.

You've left out the critical component between the battery and the bldc motors: the motor controller. These deal with the most difficult thermal issues and fail frequently.

On a quad there a 4 motor controllers on board, and only one needs to fail, greatly increasing the odds of overall failure.

I've never heard of anyone having an ESC fail mid flight. Again, it might happen, but the mean lifespan of a healthy ESC is definitely >100hrs.

None of this is even really relevant. GP quoted a figure from a paper that pulls the figure out of thin air and doesn't justify it in any way. The figure can be disregarded. I'm just pointing out that the figure seems much lower than mtbf of any of the critical components of a quad.

That's some interesting statistics you claim, would love to see the source on that.

Considering that mechanical failure is basically a rounding error compared to human error when it comes to causing crashes of every other vehicle and piece of machinery humans operate I'm inclined to believe the same is true for drones.

People have a much lower tolerance for mechanical failure in vehicles that carry people. Anything that crashed at a higher rate from mechanical failure than human error would not be produced for very long.

My only question is, why are there no blade guards in place? Not to protect the blades but to protect anyone near this drone?

I imagine that it reduces efficiency for the fastest part of the blades to pass very close to a stationary ring, as opposed to letting the turbulence tumble off the ends of the blades unimpeded.

Can’t this be mitigated with parachutes and other safety measures when certain descent speeds or other failures are detected? It could also broadcast an alarm during any descent to warn people.

Perhaps you didn't read the article but that's exactly what they had. The drone would flash light, deploy chute and make big whistle sound if it detected a crash. The problem is that it still does count as a crash. In the second crash chute system, itself failed.

As an additional potential recovery mode: ETH Zurich's Institute for Dynamic Systems and Control [0] has done amazing work on quadcopter recovery after rotor control loss [1] (I believe they are down to controlled flight with only one or two rotors left, but I cannot find the link right now). I've been waiting for this to filter into the real world but have yet to see it.

[0] https://idsc.ethz.ch/ [1] https://www.youtube.com/watch?v=ek0FrCaogcs

This is really impressive. Are the algos published / open sourced / licensable?

Amazing. I can see my flat in that photo :)

Anyway, I think there are a few things to point out here:

This program was in place to test the efficiency of sending biological samples between hospitals quickly.

I'm not entirely sure why this is a problem we need to solve. Is it really better to use drone delivery of blood samples to central hospitals than to add another testing machine at the remote location? Seems like the answer could be no.

It's really weird to get a letter in the mail telling you that a blood delivery drone crashed in a lake nearby.

This program seems like it's an answer in search of a problem.

A lab is not just "a testing machine". Depending on the analysis being performed, you need an array specialist equipment. Then the lab has to be staffed.

I imagine shipping samples to a shared facility is significantly more cost effective, otherwise it wouldn't be being trialled.


> Is it really better to use drone delivery of blood samples to central hospitals than to add another testing machine at the remote location?

Could it be a case of being cheaper to use drones instead of setting up an actual lab?

Wow that is another level. Now in the event of a crash there are issue related to contamination, and also personal medical information leakage.

Besides crashes, another issue with autonomous vehicles traveling without passengers is going to be hijacking for payload and parts. Maybe not in Switzerland, but in the US there are already people stealing packages right on other people's properties, now they can do the same in the middle of nowhere, plus grab a large drone in the process and resell parts. Capture, cut power, disassemble, deactivate the GPS if it has its own power source, done.

> According to the German newspaper Frankfurter Allgemeine Zeitung, the 10-kg drone suffered an uncontrolled crash “in a wooded area of Zurich’s university quarter only 50 yards away from a group of playing kindergarten children.”

Something tells me that a German newspaper wouldn't be using yards. Sure enough, looking at the source, it's a mistake in Google's translation model

> Dass die mehr als 10 Kilogramm schwere Drohne vom Typ Matternet M2V9 in einem Waldstück des Zürcher Universitätsviertels nur rund 50 Meter entfernt von einer Gruppe spielender Kindergartenkinder zu Boden krachte, erwähnte der staatliche Logistikkonzern indes nicht.

Bing translate gets it right though.

That’s a fine translation, better than “only 54.68 yards away from a group of playing kindergarten children.”

Well, to be fair the original German has "rund" in it that was lost in translation, so that would be "only approximately 50 meters", which would make the 50 yards acceptable.

Probably I would have translated it as "less than 60 yards" ;-).

Interestingly, if you remove "rund" it changes from "only 50 yards" to "just 50 meters".

Yards and meters are interchangeable for news purposes, since the estimates are well within the percentage difference between a single yard and a single meter. When a news article says '100 meters from the accident' it does not imply someone used a tape measure.

Delivery drones are definitely unnecessary in densely populated areas. It's cool and futuristic, but it's not economical at all, it's very unsafe and also loud. However it's a wonderful thing for rural places with poor infrastructure. For example Zipline in Rwanda, one of the most interesting solutions an engineering perspective too: https://youtube.com/watch?v=jEbRVNxL44c

Having large numbers of drones in the sky, where any failure has the potential to drop a large weight on a person seems like a show stopper. Or just crashing onto a house or car and causing damage is going to get annoying for the community real fast. I doubt drones can be made as reliable as aeroplanes at anything like a realistic price.

This is an emotional answer: "any failure...potential... large weight... person... show stopper". That's emotions speaking, we need probabilities and reason instead (because a delivery truck should trigger the same fear with you but it doesn't).

Planes ARE the safest way to travel: maybe drones are the safest in certain conditions, like for these urgent hospital deliveries in Switzerland, or in dangerous/isolated settings. And maybe drones will become safer and safer, like with parachutes in the article.

Okay the parachutes will need Dyneema strings instead of simple ones, just like parachutes were used before Dyneema was invented. Oh wait, someone's working on Dyneema parachutes for drones: https://www.textilemedia.com/latest-news/mobiletex/drone-par...

As you can see, there's no reason to throw the baby out with the bathwater. Find how you can save lives and make the world better, not how to use emotions to exert power and kill Freedom. The world needs innovation more than ever, be it electronic cigarettes or self driving cars or drones.

This is a fanboy answer: "Planes ARE the safest way to travel: maybe drones are the safest in certain conditions"

Western airliners are very safe, but the USA averages one GA accident per day:


Helicopters have much worse failure modes, even in multi-million dollar aircraft. Small drones are the worst of all, and should not be flown over populated areas.


The FAA historically has regulated that aircraft fly 500' and above over non sparsely-populated areas for a reason. Or you lose your license.

Drone deliveries fundamentally violate that, as regardless of where your warehouse is located, you're deliberately flying towards a populated area (ie. customers.)

The above is why the FAA has justly been slow on allowing drones into the airspace, and why you have to register them.

A constructive comment I can add is that I can only see delivery drones being safe with a built-in fixed wing that allows it to glide to the ground power-off below 10 mph.

Source: commercially-rated airplane pilot.

347 lives lost per year, or one per million people. Similar to Prion disease fatalities. Sure, that's 3 times more than lightening strikes... but that's still extremely low AND safer than whatever.

As for the risk of a plane over a populated area, I think it's safe to say that a 4kg drone is a much lesser threat than a Cessna weighing 200 times more, and that's a very small plane. So it's really not fair to compare a drone crash and a plane crash (we're not talking military drones here, I hope you've read the article).

"...I can only see delivery drones being safe with a built-in fixed wing that allows it to glide to the ground power-off below 10 mph": and it seems many people disagree but feel free to prove them wrong and show the world how you can glide a drone to the ground in a dense city to deliver blood at a hospital.

GA is very safe too, there are just lots of very unsafe GA pilots.

Probabilities and stats are actually incomplete and naive way people justify human deaths. Let's say you hit another car and kill another driver because you were texting. This would lead to perhaps prison, heavy fines and taking you off the road to prevent future incidence. However, cars themselves would not get banned. Now imagine the accident was because of car malfunction and not your mistake. What would happen? You guessed right: that models of cars would be taken away from the road.

Now here's a thought experiment: Let's say humans have a choice of only two models of cars: A and B. Car A fails less often, kills fewer people overall but none of the failures are due to human mistake. It just speeds up randomly and uncontrollably sometimes and kills whoever is on the way. Engineers have raised their hand that this cannot be fixed for a few years. On the other hand, car B fails only when a human makes a mistake even though its statistically 10X more overall failures per year. Which car society would approve?

Airliners have (2000-2010) 0.2 fatalities per 10 billion passenger-mile. That's passenger-mile - there are tens or hundreds of passenger on each flight.

In 2017, UPS had 5 fatalities per 14 billion miles driven, or 3.6 fatalities per 10 billion miles. Given that a UPS truck has tens or hundreds of packages the fatalities per package-mile is much lower.

Using UPS would be far safer than using delivery drones, even delivery drones reach the reliability and safety levels of commercial airliners.

It doesn't seem too unreasonable to plan for requiring the drones spend as much as possible of the route they fly take place over places where the risk of dropping them on a person is small.

Fly them preferentially over roads/railwaylines/rivers/canals/buildings instead of sidewalks/schools/parks.

Require them to be insured for personal and property damage (in much the same way as cars are in many places), have the companies operating them be subject to the same sort of existential threat as Boeing is under right now if they fuck up.

I don't think this should be an industry lead by "move fast and break things" style engineering, but I suspect if could usefully exist with a lower regulatory standard/cost than commercial airlines...

Fit them with ballistic chutes. If you could slow the descent to 10-15mph that'd reduce the potential for damage quite a bit.

This was the solution in OP article but the 2nd crash happened when chute itself failed.

I really don't get the hacker news algorithms on these posts, I've submitted this interesting article 7 days ago [0] and there was no interest (which is fine, that's not the issue). I guess 7 days is the cut-off then?

[0] https://news.ycombinator.com/item?id=20563123

> This is the first time we had a failure on the vehicle’s parachute system.

Doesn't this mean that neither Matternet nor the Swiss Post tested the failure modes of this drone enough? If it never happened before, they didn't test it enough to get any estimate for a MTBF for this particular part.

But this is to be expected from the Swiss Post, they do sloppy work and blame others, just read their dementi:

>As such, we have asked Matternet to implement various urgent measures:

>[...]The shrill whistle, which alerts people near the drone when it is making an emergency landing, will be made louder.

The whistle couldn't be heard in that accident... Sound like somebody didn't test a single emergency landing in that forest and asked the numerous strollers whether they have heard anything

This says ~3000 successful flights with 2 crashes - how many road incidents per journey does a standard mail truck encouter?

Is 1500 trips a low / mid / high figure with regards to collisions?

That's an over-simplified analysis. With road accidents, people have reasonable expectations that certain behaviors can reduce their personal risk of being killed in an accident. For instance, that average includes people who drove drunk, run redlights, drive during ice storms, etc. By avoiding these activities an individual can reduce their personal risk dramatically below the national average.

Not to mention I can virtually eliminate any possibility of dying in a traffic accident by remaining in my backyard, where I might still be struck in the head by a delivery drone. What risky behaviours am I meant to avoid there, being outside? You should instead compare the risk somebody following reasonable safety precautions would have in each scenario.

The USPS has ~30,000 motor vehicle accidents per year.

The entire USPS fleet travels ~1.28B miles / year, with the LLVs traveling 764M miles.

The LLVs travel about 18 miles per day, 300 days per year, which gives you an estimated 43 million LLV trips per year.

Assuming all 30,000 motor vehicle accidents are LLVs, that amounts to 1 accident every 1433 LLV trips.

Of course, on each LLV "trip", it delivers letters and parcels to hundreds of addresses; each drone delivery is presumably one.

(The USPS also averages 1 accident every ~43,000 miles; this is significantly above the US average of 1 accident per 165,000 miles driven. I would assume the increased rate is (1) USPS vehicles drive slow and stop frequently along their routes; I would guess many accidents are other vehicles driving too fast and trying to pass in unsafe areas (2) distracted driving; drivers are performing other tasks eg retrieving the next addresses mail while driving and (3) every USPS accident is likely reported; drivers are responsible for the condition of their vehicle and small fender-benders that we might not report are likely included in USPS statistics.)

// 1 accident every 1433 LLV trips.

So an accident once per 1443 llv trips * ~400(average packages per llv trip) -> an accident per ~600k packages -> will need an accident per 600k drone trips * ~ 10mile/trip -> an accident per 6M drone miles.

This was posted a few days ago when it was "news":



It's really odd sometimes how duplicate, late posts get more comments and upvotes than the original. Perhaps the time of posting is too important.

I agree that this is bad, 2 crashes at relatively low volume is not great. However, I do wonder if reason will prevail in the long run with regards to overall safety and environmental impact. I recall early laws being very unfair to vehicular traffic, such as the apocryphal law that if a car startled a horse the owner should dismantle the car until the horse is no longer perturbed.

Zipline seems to be the more like successor in this field. https://spectrum.ieee.org/automaton/robotics/drones/zipline-...

One thing I don't understand is, why are they doing live testing above inhabited areas? Until the tech is proven, the only right thing to do is to implement drones routes that avoid populated areas as much as possible, or at least go thru very sparsely populated areas by default, until all failure modes are well understood.

They didn't, it happened over a forest. Many people seem to think it happened near a kindergarten, but that's not the case, it just happened that kindergarten-aged kids were playing in the area.

You can find everything in the report (in German) https://www.sust.admin.ch/inhalte/AV-berichte/ZB_SUI-9903.pd... Just enter the coordinates of the crash in Google map, you can see there's no school around.

Thanks, then the article was confusing on that particular point.

Why has IEEE Spectrum turned their nice HTML blog into a site that requires JS to read?

2 crashes. I didn't see the article mention how many successful deliveries there have been.

Sadly, as pointed out by Neil deGrasse Tyson, we respond to spectacle over data.

How many deaths per 1,000,000,000 package delivery happen with trucks? Truck deliver is not a zero death thing. I'd even want to see truck air pollution factored in somehow.

If drones have a lower %, we should view falling death boxes as acceptable. Even though it does have a strangely dystonia aspect to it.

I think the difference from a psychological point of view is that getting a drone drop randomly on your head feels, well random. Therefore it does not feel like you can do much of anything to avoid it, unlikely though it would be in practice. Getting killed by a terrorist or mass killer feels equally bad because it is random.

But something like sky divers getting killed does not bother me because I can avoid it, by not sky diving. Just like I can choose not to drive and so avoid almost any chance of being killed by another driver. It is the randomness and the fact you cannot avoid it that, I think, makes to less acceptable.

I personally know someone who was killed by a UPS truck on his parking lot. Don't think randomness only happens to others.

But the example you use is exactly that: something happening to another person.

People who don't drive don't get killed by trucks?

That's news to me.

I was thinking trucks get into accidents with public transportation, as well as run over pedestrians and bicyclists.

The fact that it doesn't appear random doesn't mean it isn't.

Getting killed by medical malpractice is also random, yet we don't really fret over our extremely error prone medical system. We don't even argue for removing doctors working 24 hour shifts, while we wouldn't allow a street sweeper to do the same.

> If drones have a lower %, we should view falling death boxes as acceptable

Yes, if drone delivery is safer we should switch. (Though there are better mortality measures than frequency of fatality.)

We’re not close now. In aerospace, frame is fate. Quadcopters are optimised for maneuverability and cost, not safety or reliability. They have no inherent redundancy and limited margins of safety. The reason they were chosen for this application is they’re cheaper to MVP, given the standing supply chain.

Compare that to the number of things that must go wrong for a truck to seriously injure someone. (Here: speed failure, braking failure, airbag failure, et cetera.)

The costs of the status quo are already priced in when people think about risk. Drones are a new thing, and new things are always harder to accept than the status quo.

If you want to appeal to the general public you'll need to stop treating people like perfectly rational mathematical calculators and start treating them like people who are embedded in a cultural context where car accidents are accepted as part of life and drone accidents are not. Statistical arguments are not convincing.

> and start treating them like people who are embedded in a cultural context ... Statistical arguments are not convincing.

Is this not the definition of pandering?

I'm not saying you are wrong, I just want to be clear what you are saying: less logic, more pandering.

These are preventable risks. We have the technology where this would be a much less likely problem (hexacopters, octocopters, better string for the parachute etc), as many people in this very thread have pointed out.

Things Tyson pointed out (Medical errors, flu, suicide, car accidents, homicides) are preventable too, but he's making an unfair comparison.

We're already doing a lot to prevent deaths from the reasons he stated (better training, vaccination, suicide hotlines and more available mental healthcare, safer cars and better driver training, [many things]), but we're not doing nearly enough to prevent deaths that are caused by pure hatred towards those that are unlike them. Deaths from those reasons aren't going up by any significant amount while deaths by hate crimes are, which is one of the big reasons why people are taking problem with this, they want to prevent deaths of many innocent people before they happen.

Can you please point me to data that backs up your claim?

I mean specifically: # of hate crime deaths per 100,000.

It seems so cowardly halting progress so fast just because of two harmless crashes. There's never going to be zero risk to anything. Still much safer than cars so far.

Progress is not necessarily halted by not having something in production. Perhaps it needs more work in testing. The article says 3000 successes/2 failures. That is too high when you have 10kg things falling out of the sky.

2 packages falling from the sky over 3000.... sounds like a higher failure rate than the current vehicle delivery mechanisms.

I wonder what the score is for postal vehicles (similarly for crashes with other vehicles and the like)

The word "cowardly" seems completely inappropriate here. First off, the second crash clearly was only harmless by pure chance, it could have easily killed someone - would you have written the same in such case? Secondly, how many other countries' national postal services are even running experiments like this at all? And above a major metropolitan city nonetheless! This is exactly the right reaction, temporarily suspend in the name of safety, address the issue, and then resume.

The public has already accepted the risk of car crashes, but not the risk of drone crashes. "Safer than cars" assumes people have a purely mathematical approach to risk, but in fact people always err on the side of the status quo unless a new thing is way better.

This particular drone crashed near a school -- if it had hit a child, there would be demands to ban drone deliveries, and you just know that politicians never miss an opportunity to grandstand about public safety, particularly when children are involved.

It's better to back off for now, improve the drones, and try again later, because one or two bad accidents could end the entire project. We are more likely to end up with drone deliveries when the drone companies are sensitive to managing the public reaction.

I don't think it's that people's natural conservatism when it comes to technology has changed, but rather our inclination to indulge (and enforce) such conservatism on nation wide levels. If merry-go-rounds, swings, and climbing polls were not already staples of childhood play, would we allow them today? I mean a child can get quite high in a swing and fall out. He can even die. Indeed looking at the numbers just between 1990 and 2000 some 147 children < 14 years old died on playgrounds in the US alone. [1] About 45 of those deaths were on public playgrounds. Injures requiring emergency room visits are exponentially more common with the majority occurring at schools.

I think the answer is a resounding no, we would not even consider allowing playgrounds today. And that's quite pitiful.

Taleb wrote an interesting article on how the most intolerant within a society eventually come to determine its fate, nearly regardless of their size. [2] It may be only a few percent of society that would not allow playgrounds, but so long as these people complain loud enough - they will win. Because their aversion to any sort of risk whatsoever is unlikely to be countered by a group that happen to be equally fervent 'playground enthusiast.' And so the path of least resistance is to simply ban playgrounds. Hahah, hopefully this post doesn't give somebody the idea to go start an attention seeking social media campaign to ban playgrounds. It might very well succeed!

[1] - https://www.cdc.gov/HomeandRecreationalSafety/Playground-Inj...

[2] - https://medium.com/incerto/the-most-intolerant-wins-the-dict...

Who could have guessed that falling out of the sky would be the main issue with things carrying things through the sky?

Seems strange that Swiss Post would be the first to test out these drones, given the extremely high standard of quality that the Swiss demand. The reality is that any new technology, especially hardware, will need time to mature and work out the bugs. One crash out of 3000 isn't that bad: reality has a lot of edge cases to test for.

> One crash out of 3000 isn't that bad

It is actually very bad. Amazon ships ~2M packages per day by one estimates. Assume only 10% of these gets drone delivered. This would translate to 66 crashes each day. If only 10% of these crashes happen on people, it would be 6 people randomly getting killed each day.

Agreed, 1 out of 3000 is horrible. To be a viable business delivery drones will have to have a safety record at least reasonably close to that of conventional road delivery. I would hope regulators would demand this but I'm sure that insurance providers will. Conventional road delivery services have to carry insurance and the cost of that is related to how often they get into accidents and how severe they are. If delivery drones cause more property damage and injury then their insurance costs will be higher.

If you look at the surface area of the world, a tiny percentage of it is taken up by people's heads. Like, probably <.01%. Unless you'r eat a large gathering (where right now it's illegal to fly drones.)

It's not just people's heads that need protection. Roads, traffic lights, cars, power lines, windows... people can die in lots of ways other than having a drone fall directly on their head.

If you look at the surface area of the world serviced by Amazon delivery and population densities there, chances it hits someone's head are pretty decent.

May the odds forever be in your favor ;)

How many people die from crashes related to delivering packages in our current form?

I'm guessing its != 0

People often miss a big point here. Delivery truck crashing into car is a human mistake. There was another human involved who could have severe punishment including death, loss of job, loss of wealth etc. Humans killing 10,000 humans each day in driving mistake is not same as drones killing 10,000 humans each day due to random tech failure. Even if drones killed only 1000 humans and there was a net reduction of 90% of deaths, I bet it would not be acceptable to larger human society.

You can do a thought experiment: Let's say airplanes failed at 100X of current rates but it was relatively still less number of deaths if people drove that distance by themselves. Would you be able to argue airplane failure rate was still acceptable? For drones, I bet there would be an immediate movement for banning the whole thing if there was a single drone ever fell on playing kindergartners randomly. This is one situation where just bringing data and making rational arguments don't work.

I'm baffled that technology-related accidental deaths that can be and will be reduced by technology could feel somehow unacceptable, whereas a higher risk of human caused deaths would be OK just because you hope these humans will be punished somehow.

Let's punish drones then...

> Let's say airplanes failed at 100X rates but it was relatively still less number of deaths if people drove that distance by themselves. Would you be able to argue airplane failure rate was still acceptable?

For me? Absolutely. For most of the people I spend time with? Yes. For the majority of the population? No.

This is why bringing numbers and logic to the arena is so important.

Otherwise, we spend billions avoiding 10 deaths while we could avoid other deaths for mere thousands. Much like coal and nuclear. The level of lunacy is hard to deal with for me.

> Delivery truck crashing into car is a human mistake.

Actually, all drone mistakes are human mistakes. Even if the drone was put together by machine, it was a human process that created it.

This isn't a constant linear crash rate. Each crash creates the impetus for a more robust product generation. But in the beginning, you should expect to see things go wrong. See SpaceX for example.

People getting hit on the head is not acceptable whilst the technology and standards mature. A few rockets blowing up, without hurting anyone, is acceptable whilst technology matures.

So far as I can tell - nobody has (yet?) been hit on the head with a delivery drone.

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact