That was me that started using the Kill term, because that was what was being suggested: If anything goes wrong, kill the motors and let the quad fall where it may. It's the wrong approach. We can do better.
First, we need to stop referring to the Turnigy 9x when you mean an ER9x or FlySky 9x, or one that has been flashed with some other software; it's confusing the issues. On my "STOCK" Turnigy 9x I set what the failsafe does (refer to the pics above). I don't know about FlySky 9x or flashed 9x's, or if Turnigy has changed their software? I suggested a solution above that would patch the problem until we can decide on a fix.
Mine is a stock Turnigy 9x from HobbyKing, No. H554395, stock software and receiver.
The standard firmware has a menu for Failsafe. According to everything I have read, this only worked with the early (72 MHz?) radio modules. The 2.4 GHz radio modules do not support it, hence the reason the ER9x firmware does not have a Failsafe menu.
I assume you have actually tested the Failsafe in which case, is it a 72 MHz version?
Have you actually tried FS on the stock 9x? Plug in several servos move the sticks, turn the transmitter off. I have 4 different 9x receivers purchased over the last 16 months. They all just hold the sticks position until the transmitter is turned back on. Hence my assumption that the FS menu is VERY pretty but not functional. Some comments on this thread make it sound like some receivers do have some FS logic. But personally I have seen the same number of unicorns ;)
Same test with the FrSky works as expected and the servos take the position that was programmed for FS (hold stick/switches, push FS button on receiver -> FS position is programmed).
I tested my TH-9x with the original V2 firmware and got the exact same result. This was not surprising, as failsafe is handled in the RX, not the TX. The RX that ships with the TH-9x does not necessarily follow the same release or versioning/naming cycle. So two seemingly identical TH-9X radios, both V2, both running the same firmware may ship with different RX modules (either different hardware or different firmware in the RX) and therefore different failsafe responses.
The firmware of the TX does not control failsafe - which is unfortunate, because then it could be fixed in firmware, but it cannot - it has to be fixed in the RX or you have to replace the radio module.
More broadly however, what this means is that failsafe responses are not easily predictable by model or firmware - they are only observable in practice.
In the end, more than changes to software, I think this is much more an issue of adequate documentation, a pre-flight checklist and a clear (safe) process for validating the failsafe systems before each flight.
I am now developing a failsafe check during RX calibration in MP as "standard" procedure and I'm documenting it for future use.
This is great, Kevin, thank you. If you put this in a wiki page it will be very helpful. I think we should create a safety page and put it near the top.
The Turnigy 9x8cv2 is the one I have, and it has programmable failsafe that does what you tell it to.
Might I suggest a "pending" or "approved" or "suspect" status, or only with specific firmware? We really need to be concise on exactly what TX/RX firmware we are talking about so we don't confuse the issue. And remember "problems are the roads of life; solutions are only on-ramps to the next problem" (Brad Smith), and that while we're building better, more idiot-proof products, the world's busy building better idiots :)
You cannot have a craft crash under power. If you have a system you know does this it is "reckless endangerment" to operate it. If all else fails you HAVE TO PULL THE PLUG!
In the issue we're dealing with ALL control is lost. In that situation your only option is to pull the plug. To do anything else is simply reckless. You just can't legally risk people and property to try and save your gear.
If you had some better option that would be great. But if you lose control you must still always have a kill switch or "deadman" type switch. It's very simple to implement. Anyone can understand that if you are getting no signal you should not be holding the throttle on.
If control of the craft is lost it MUST be shut down. To legally operate the APM it must always:
#1 cut throttle when it's not getting throttle signal (in the absence of any better auto pilot control method kicking in).
#2 cut throttle when any lockup or freeze of the system occurs.
The long and short of this is that it must have a deadman type kill switch that operates in all circumstances. I write this because I have seen enough liability lawsuits to know exactly how this will go in court. The prosecution will come up with dozens of examples where this is considered a basic safety feature (lawnmowers, etc., etc.) and they will have a programmer testify that they could do it in 10 minutes with a line or two of code with a watchdog timer. They will then present evidence that this is a known bug/design flaw (this and the other threads here) and that nobody made any effort to mitigate the danger. They will say it was reckless to operate a craft without this most basic, and easily understandable, safety feature. It's just the same as the Toyota brake failure issue or a lawn mower that didn't shut down when the handle is released. Lots of people don't like these sorts of safety features or disable them, but defeating them or not having them exposes you to tremendous legal liability.
Believe me, this is how it would go down and they would quite easily get a large judgement against both the pilot and 3DR. There are lots of ways to mitigate both the danger and the liability, but ignoring it or pretending it's not a bug is not one of them. You'll hear "So you KNEW about this bug/design flaw/possibility/danger," so many times you'll be sick of it by the end.
I bother to type these posts because I want to see the hobby do well with minimal regulation. I'm also now unfortunately placed in a position where I am very wary of operating my APM knowing that it could easily be painted as reckless endangerment.
If my plane were to crash under power, and I knew this could happen, and I did nothing to prevent it, and I operated the craft anyways, and it killed someone... I'd be guilty of manslaughter and facing 5+ years in prison. That's the simple way of looking at it and it's easy to ignore this remote possibility. But even if NOBODY gets hurt it's still reckless endangerment just for risking it.
If I pull the plug and it crashes unpowered that is taking reasonable precautions to mitigate the danger. A reasonable person would assume that a styrofoam plane, traveling at a relatively low speed, with a relatively low weight, unpowered, with reasonable safety features shouldn't be expected to kill someone. Even if someone was killed I'd face little or no criminal prosecution for it.
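An added example (not from this thread, and not APM/ArduPilot code) of the two rules in the post above written as a small C supervisor: a throttle deadman that cuts output when no plausible receiver frame has arrived within a timeout, or when the receiver itself reports its programmed failsafe value (a throttle pulse below anything the stick can produce), plus a loop watchdog that cuts output when the control loop stops proving it is alive. The thresholds, the function names, and the assumption that the check runs from a timer interrupt independent of the main loop are all mine.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Assumed thresholds (not from the thread or from APM). */
#define THR_FS_THRESHOLD_US  975u   /* throttle pulse below this = receiver's programmed failsafe value */
#define RC_TIMEOUT_MS        500u   /* no plausible frame for this long = link lost */
#define LOOP_WATCHDOG_MS     200u   /* control loop must kick the watchdog at least this often */
#define THR_OUTPUT_OFF_US   1000u   /* pulse that commands the ESC to idle/off */

typedef enum { FS_NONE, FS_LOOP_STALL, FS_NO_SIGNAL, FS_RX_FAILSAFE } fs_reason_t;

typedef struct {
    uint32_t last_frame_ms;   /* last time a plausible throttle pulse was decoded */
    uint32_t last_kick_ms;    /* last time the control loop proved it was alive */
    uint16_t throttle_us;     /* most recent plausible throttle pulse */
} rc_state_t;

/* Pulses outside the range any real receiver emits are noise, not a frame. */
static bool pulse_plausible(uint16_t us) { return us >= 800u && us <= 2200u; }

void rc_init(rc_state_t *s, uint32_t now_ms) {
    s->last_frame_ms = now_ms;
    s->last_kick_ms = now_ms;
    s->throttle_us = THR_OUTPUT_OFF_US;   /* start with the throttle cut */
}

/* Called for every decoded receiver frame (input-capture ISR or PPM decoder). */
void rc_on_frame(rc_state_t *s, uint16_t throttle_us, uint32_t now_ms) {
    if (!pulse_plausible(throttle_us)) return;   /* glitch: do not refresh the deadline */
    s->last_frame_ms = now_ms;
    s->throttle_us = throttle_us;
}

/* Called once per iteration of the main control loop. */
void loop_kick(rc_state_t *s, uint32_t now_ms) { s->last_kick_ms = now_ms; }

/* The supervisor. In real firmware this runs from a timer interrupt (or the hardware
   watchdog resets the MCU), so a stalled main loop cannot prevent it from running. */
fs_reason_t failsafe_check(const rc_state_t *s, uint32_t now_ms) {
    if (now_ms - s->last_kick_ms > LOOP_WATCHDOG_MS) return FS_LOOP_STALL;   /* #2: lockup/freeze */
    if (now_ms - s->last_frame_ms > RC_TIMEOUT_MS)   return FS_NO_SIGNAL;    /* #1: no throttle frames */
    if (s->throttle_us < THR_FS_THRESHOLD_US)        return FS_RX_FAILSAFE;  /* RX flagged link loss */
    return FS_NONE;
}

/* Pulse to send to the ESC: pass the stick through, or cut the throttle. */
uint16_t throttle_output(const rc_state_t *s, uint32_t now_ms) {
    return failsafe_check(s, now_ms) == FS_NONE ? s->throttle_us : THR_OUTPUT_OFF_US;
}

int main(void) {
    static const char *names[] = { "NONE", "LOOP_STALL", "NO_SIGNAL", "RX_FAILSAFE" };
    rc_state_t s;
    rc_init(&s, 0);
    /* Constructed timeline: stick at half throttle, then the transmitter is switched off. */
    rc_on_frame(&s, 1500, 20); loop_kick(&s, 20);
    printf("t=40   fs=%s out=%u\n", names[failsafe_check(&s, 40)], throttle_output(&s, 40));
    loop_kick(&s, 600);   /* loop alive, but no frame since t=20 */
    printf("t=600  fs=%s out=%u\n", names[failsafe_check(&s, 600)], throttle_output(&s, 600));
    /* A receiver with a programmed failsafe keeps sending frames, at a sub-minimum throttle. */
    rc_on_frame(&s, 950, 700); loop_kick(&s, 700);
    printf("t=700  fs=%s out=%u\n", names[failsafe_check(&s, 700)], throttle_output(&s, 700));
    /* A receiver that only "holds last position" is indistinguishable from a held stick. */
    rc_on_frame(&s, 1500, 800); loop_kick(&s, 800);
    printf("t=800  fs=%s out=%u\n", names[failsafe_check(&s, 800)], throttle_output(&s, 800));
    return 0;
}
```

The caveat raised earlier in the thread applies here: a receiver that only holds the last stick position keeps sending plausible frames, so this supervisor sees nothing wrong (the last line of `main`). Only the no-frames and sub-minimum-throttle cases are detectable at the autopilot, which is why the receiver's failsafe has to be programmed to a throttle value below the normal minimum and then verified on the bench with the transmitter switched off, as the FrSky procedure above describes.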
Well, you can't disclaim liability. That is to say that if you're liable for something because your actions caused it and they were reckless or negligent or intentional... having someone sign a waiver or giving a disclaimer/warning does little or nothing to absolve your responsibility.
OTOH the participants were warned what was going to happen and willingly chose to stay. This makes it harder for them to claim your behavior was reckless as the reasonable person standard would seem to show that the participants, being reasonable people, chose to stay and be subject to the results of the behavior. People are assumed to not willingly subject themselves to reckless endangerment.
However, all that is out the window again because the participants would all certainly testify that they thought reasonable safeguards were in place. I would bet that almost all of them would be shocked to learn that the electronics had a known design flaw/bug that would cause the craft to continue to run after the throttle signal was removed and that it had no form of automatic shutdown in the case of electronic failure. (no dead man kill switch or watchdog)
What the crowd anticipates is a standard failure involving loss of control. The reasonable person would assume their danger is limited to the second or two when the craft is out of control but before the operator can shut the device down, and any danger from the resulting crash. They certainly don't expect that the craft will turn into an unstoppable out-of-control device that must run out of power or be physically destroyed before it stops endangering people.
So the end analysis is that if someone would have been injured I think he would have certainly been liable for 100% of any damages, but probably not criminally liable due to the fact that he didn't know about the design flaw/bug. Any lawyer worth his salt would put down any thoughts of Chris calling this a "design feature" or admitting it was intentional or even known about. If it could be proved that Chris knew about this problem he would likely be subject to punitive damages, meaning he would be paying more than the actual damages in order to punish him. That's where you get multi-million dollar awards for coffee burns.
This is why I'm bothering to make an issue about the legal aspect. Unless Chris thinks that I and others in this thread are unreasonable people, he needs to consider that legally a court could well find this to be an issue that a reasonable person would think is dangerous.
If they were to decide that a reasonable person would know that a computer or circuit that maintains throttle on a motor vehicle despite the throttle signal being removed was dangerous... that would make operating that device within range of other people reckless endangerment.
Just an aside to Chris for an earlier post lost in this thread where he suggested I don't understand open source software or liability...
#1 I'm not a lawyer, nor do I play one on TV.
#2 I don't have any idea about the idiosyncrasies of CA liability law.
#3 I point this shit out not to argue with you, but because I don't want to see my current autopilot platform go down in flames.
Despite this, I have the basic common sense of a reasonable person.
#1 You designed, make, and sell a hardware platform that you suggest is suitable and capable of being an autopilot. (warranty of fitness for a purpose)(express warranty)
#2 You show videos and post descriptions of safe operation of this device (further express warranty)
#3 You 100% control the documentation that people follow to use this device. (the pseudo wiki)
#4 When people buy your hardware, follow your instructions, and operate the device as shown and described it is known to maintain the throttle despite removal of the throttle signal.
#5 This behavior has the documented potential for loss of equipment and property damage.
#6 A reasonable person would believe this behavior has the real potential to cause property damage, injury, or even death.
Please consult with a lawyer and see if this set of facts exposes you to legal liability. I think you already know the answer to this. You might also mention that you also have 100% control over the software that you instruct the users to load, despite the fact that it's open source.
You can ignore me, argue with me, or change things up. Consider which option might be the most constructive and beneficial to the project, or which might be in your own best interest legally. That's all I ask.