I recently steeped down as moderator so I can address this issue and the BS about it. Over the next few day's I be going over the code and addressing the real issues and possible solutions or not possible solutions. Ones that work or don't work.
First we need to establish exactly what the APM should do in failsafe and what the safety issues really are. So lets hear the issues cause and effect and we'll get to the bottom of this one way or another. I hear talk about fixes that I don't consider fixes just work arounds. I know that one of them works for the 9x but it doesn't fully address the issue and nothing I have seen so far does.
I'll be digging out the code and finding the truth myself so lets have at it.
I think the first step is to state the scenarios you're trying to protect.
I can see that you have a few possible issues. You may lose input from the receiver (loss of ppm), the receiver may freeze (same ppm repeatedly for a long period). The receiver may implement its own safety system (return to known state on loss of signal).
Then you have issues with the APM that may need a failsafe to be triggered. I thought there was some handling in the ppm output code that would turn off if it lost the incoming signal? I can't see that you can do much else.
Hopefully that'll stimulate some debate ;)
See below and a previous post. I also believe that when fail safe is set to RTL, that -in case of loss of TX signal- the copter should RTL, LAND and then disarm by itself. There is no TX signal to switch back to STAB and then disarm.
I hard landing close to the ARM location is still better than a crash at an unknown location, with all liability to booth.
Just my 2 cents worth...
I join the debate.
I can add two scenarii (found over the internet):
My concern is that even with external telemetry, it is impossible today to set RTL and land successfully, because the stick erroneous position will add to the navigation RTL mode, isn't it?
I don't pretend to understand all that is going on with this issue, but I had one instance that I believe should NEVER happen. The current manual warns of this, but I think there's no excuse for the particular implementation of the feature.
If you've set your failsafe to RTL, and your copter is setting on the ground, and some small distance from where it took off, and you turn off your transmitter, your copter will, all by itself, take off, and RTL.
Now, I REALLY like the idea of you loose your radio, while it's in the air, it returns to launch, that's wonderful, but if it's on the ground, it should NEVER take off by itself.
I knew about this, and I've always maintained vigilance when I'm turning off my transmitter, "Is the copter disabled?" I always ask myself.... Well, almost always.....
But one time I didn't. I was right next to a tree and a building. I turned off my transmitter, and the copter took off, and almost hit the tree, then almost hit the building, barely clearing the edge of the building. I was able to turn my xmtr back on and recover, but it was scary. I think learning by experience is a better way of learning, and I don't *think* I'll do that again, but I'm sure it will happen to someone else.
The solution is extremely simple... Are the motors stopped? Have they been stopped for a given amount of time? Ok, if so, don't fly away!
Yes, plus the copter wasn't within the distance from where launch was.
I knew what would happen, just forgot that one time. Fortunately, no harm done, and instead of just head knowledge, I also have heart knowledge, so I'm more careful now.
I'm pretty sure I had to search for it.... Hold on.... Let me look again.....
Yeah, here it is:
Ok, this is a potentially valid issue.
I mean, first I want to say that... to a certain degree this is the type of thing users simply SHOULD NOT be doing. Period. Never turn off your Tx unless the machine is in a safe state. This is like removing your steering wheel while you car is driving on the freeway, throwing it out the window, and complaining that your car crashed.
Now, that being said... are you saying that the copter is "armed", and you turn off the Tx, with the Rx programmed to send an RTL command?
I was going to say I don't understand how this is possible, because, unless there's some bug, it absolutely will NOT take off unless you raise the throttle stick. However, as I wrote this I realized that of course the failsafe position programmed into the Tx would have the throttle stick in the middle position so that it will RTL if it's in the air.
So again, I come back to the steering wheel analogy. If you have things set up this way, and you are turning off the Tx when the copter is armed... I don't know how to prevent this. We could add a check where, if RTL is invoked when the motors are not currently running, then don't go into RTL. But that would get complicated, because the throttle signal will come in at the exact same time that the RTL mode signal comes in. So... We'd have to look back in time and try and watch for the scenario where the motors are not running, but then suddenly and RTL and throttle mid signal comes in. We'd need to check "Ok, were the motors running 1 second ago? Yes, ok, RTL, otherwise, disarm."
Yes, I'm sure, with full knowledge of what would happen, I inadvertently shut of my transmitter, I obviously had thought I had disabled the copter.
This has and will happen again if not addressed.
Oh, BTW, I've NEVER inadvertently shut off my ignition while I was driving, again, a bad analogy.
Let's see, a better analogy would be running out of gas. I have done that before, without looking at my gas gauge....
No, I think shutting off the engine is a good analogy. Why would you ever shut off your Tx if the battery is plugged into the quad? Or possibly, it's like parking, shutting off the engine, but not putting it in park or setting the parking brake, and then exiting the vehicle, to have it roll downhill. (this is exactly the reason why now, American cars will not release the keys from the cylinder unless it's in park, something else to prevent these "accidents")
The "armed" status times out after 30 seconds of inactivity in any case. So you must have armed, or landed after flying and not disarmed, and then within 30 seconds forgot that you were still armed, and turned off the Tx.
I strongly encourage people to also make use of the external LEDs feature. It's a very easy way to tell at a glance, what is the status of the copter. If the lights are on, it's armed.
So just like the park/key interlock, I think we can probably protect for this, but at some point we're going to run out of options.
Nope. Big, bright, bold, external LED's. The board can support up to 10mA per LED per output channel, and there are up to 8 channels. So you can run these:
Directly off the APM. It helps a LOT.
Is there an article somewhere on connecting and configuring these external LEDs?
I have another post indicating that this was a bad way of testing fail safe: it happened to me too. I landed, was done (batteries almost empty, engines completely shut-off) and turned off TX before taking power of copter. It jumped back in the air, went to RTL altitude. Fortunately was able to turn TX back on and land safely. This happened with the copter within 1 foot of where it was armed.
BTW: I agree that this scenario SHOULD never happen: turn off TX before copter, but it did, even with my 20+ years of rc experience. Just distracted by my kids walking out.