...got cut off at the airport. I see a couple of circumstances for failsafe behavior.
In manual mode, if the autopilot doesn't have a solution, the kill/deadman switch needs to engage. I think this has to be the default setting. It should probably enable that way for each flight unless specifically changed each time. The reason for that being that every flight is different and unless you have a specific plan for failsafe and operate mindfully in a manner that makes sure the specific failsafe you set is the correct choice, you're back to square one and should kill the throttle so you don't crash under power.
If the autopilot has the sensor data and proper information to make a decision then obviously engaging an auto mode failsafe would be the safest thing. In the simplest case the autopilot only knows its altitude. In that case you would loiter for some set time then descend before battery/gas runs out. Shortly before landing it should cut throttle completely and glide in. For this mode you need a defined crash/ditch area. The geofence could work for this for now. A quad could land normally as long as it knows its location.
In a more normal case the autopilot has all sensors working and simply returns to base or executes its mission as desired.
In any case, if control is lost it must cut power before hitting the ground. So if you lose manual control and have enough information to switch to auto it should. If the autopilot loses control (physical damage or sensor failure) and the auto doesn't know where it is or can't effectively control the craft... it needs to reduce speed as best as possible and cut power right before it crashes.
All of those failsafes should be possible to disable, with whatever crazy scheme you want put in place. But you would ONLY use that if you're operating far enough away from other people that the craft couldn't possibly reach a populated area. If you're flying in farmland the potential for crashing into someone would be remote enough to be an acceptable risk in some circumstances.
I think all of this is pretty straightforward. You're always expected to take the safest course of action and that's always going to be killing the throttle unless you have a safer option. Totally losing control without cutting the power is never going to be acceptable because it puts people at greater risk. You just get further from your safe operating area with less chance of regaining control and less idea where it's going to crash. Cutting the engine also might well reduce radio interference or raise the voltage enough to regain control and glide back.
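The decision tree this post describes (pilot in charge, autopilot with full solution, altitude only, no solution, and the "cut power before impact" rule), written out as a Python function. This is an added illustration, not code from the thread or from APM; the mode names, sensor flags and the thresholds for loiter time, flare altitude and impact window are assumptions chosen for the example.

```python
from dataclasses import dataclass
from enum import Enum
from math import inf

class Action(Enum):
    CONTINUE = "continue"             # pilot or mission still in charge
    RTL = "return_to_launch"          # full sensors: fly home / finish the mission
    LOITER = "loiter"                 # altitude only: hold for a set time
    DESCEND = "descend"               # altitude only: come down before fuel runs out
    GLIDE = "cut_throttle_and_glide"  # near the ground: dead-stick into the ditch area
    REDUCE_SPEED = "reduce_speed"     # uncontrollable: slow down as best as possible
    KILL_THROTTLE = "kill_throttle"   # deadman default: never crash under power

@dataclass
class State:                          # constructed inputs, not an APM structure
    mode: str                         # "MANUAL", "AUTO" or "LOITER" (assumed names)
    rc_link_ok: bool                  # valid RC frames still arriving
    attitude_ok: bool                 # autopilot can actually steer (no damage / sensor loss)
    has_position: bool                # usable GPS fix
    has_altitude: bool                # usable barometer
    altitude_m: float
    sink_rate_mps: float              # positive = descending
    loiter_elapsed_s: float = 0.0

def time_to_impact_s(s: State) -> float:
    return s.altitude_m / s.sink_rate_mps if s.sink_rate_mps > 0 else inf

def failsafe_action(s: State, max_loiter_s=60.0, flare_alt_m=15.0, impact_window_s=2.0,
                    no_solution_action=Action.KILL_THROTTLE) -> Action:
    # no_solution_action is the per-flight override; it must be set explicitly
    # each flight, otherwise the deadman kill stays in force.
    if s.rc_link_ok and s.mode == "MANUAL":
        return Action.CONTINUE                      # pilot has the sticks
    if not s.attitude_ok:                           # nobody can control the craft
        if time_to_impact_s(s) < impact_window_s:
            return Action.KILL_THROTTLE             # cut power right before impact
        return Action.REDUCE_SPEED
    if s.rc_link_ok:
        return Action.CONTINUE                      # auto mode with a live link
    if s.has_position:                              # link lost, full solution
        return Action.RTL
    if s.has_altitude:                              # link lost, altitude only
        if s.loiter_elapsed_s < max_loiter_s:
            return Action.LOITER
        if s.altitude_m > flare_alt_m:
            return Action.DESCEND
        return Action.GLIDE
    return no_solution_action                       # no solution: deadman default
```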
Jake, I do machine safety as part of my job. I'm quite aware of how things work. Unfortunately, technical details are often lost on lawyers, which is why things sometimes seem to be black and white, when they should not be.
So when I'm programming the emergency stop feature of a machine (something I do often as my job), I have to ask myself "How fast should this machine stop?" It's often possible to program the drive system to try to stop it within 0.1 seconds. A person such as yourself might say this is the obvious way to go.
The problem lies in the REALITY of the physical world. If I program the drive to stop that fast, it is very likely to result in a mechanical explosion, potentially causing shrapnel in the area of the drive system. Or it could also result in an electrical fire due to overloading the capacitor bank and/or braking resistor. I therefore have to design the system to stop as quickly, yet as SAFELY as possible.
Now, if something happened, and somebody were injured because a machine did not stop fast enough, yes, I'm sure I will end up in court in front of lawyers and will have to argue the point. But I would win, because the weight of physical reality, and previous case law, back me up.
It is for the exact same reason that I argue that shutting down the motors, absolutely, on loss of signal will make the situation more dangerous than attempting to more intelligently manage the situation.
@Vernon - I suspect PPM_Encoder.h is the latest code used both for APM2 and later APM1, judging by the comments at the start.
I agree that if you want to start discussing Failsafe options, another Discussion should be created - it's gone way beyond relevance for the current one.
That's not going to work for Auto or Loiter where you might not touch the controls for minutes at a time. The PPM Encoder has no knowledge of what mode you are in.
Also, if you go into the Radio Calibration page and leave the RC controls alone, you will see (well, I do) that the values can flicker +/-1 or so.
Joining this late, but what's the point of arguing the legalities of not having failsafe? I think that we'd all like to have failsafe as an option for the APM. Why don't we figure out what the technical obstacles are and work to add this feature to the AC and AP code?
Well, it's important to understand the law when trying to design something to operate legally and be accepted by the government. Because this wasn't taken into consideration in the first place we now have a board that is semi-difficult to change and may well be illegal (or at least against the regulatory guidelines) to operate in the UK.
The thread wouldn't have gotten so long-winded except for the fact that the main man tried to call this a "feature" rather than admit it was a bug or design flaw. So it's taken a lot of argument and fact finding just to get over the denial stage. To his good credit he only got ornery rather than going Nazi on this thread.
I would like to see the APM operate in a legal manner. In my opinion there always has to be some type of deadman switch since IME it is generally considered reckless endangerment to start a dangerous machine if you have no guaranteed way to stop it if it goes out of control. Others here are more worried about their gear than public safety or legality and are trying to make an argument that it's ok to crash under power because of the chance that it might recover or land a little softer if it remains under power.
I just want people to understand that a jury wouldn't see it that way and they could go to prison for quite a long time if someone was killed or injured. I think I've made that point as clear as I can, so I'm pretty much done trying to convince people to act in their own best interest. They've been warned and if they persist in wanting to crash under power I wouldn't be surprised if this thread gets entered into evidence at their trial.
Well, from a legal standpoint, I don't know of any RC equipment maker providing failsafe as a legal requirement nor can I see anyone being able to make the legal case that not providing it is grounds for negligence. But, I'm not a lawyer.
Technically, failsafe doesn't have to be based on loss of signal. Because we are an autopilot, we have an IMU that can tell us our acceleration and elevation. Basically, if we're heading for the ground at a high rate of acceleration, we're in trouble, loss of signal or not. We can add code that detects this situation and in the case of an x-copter, stop and hover at a safe height. For a plane, we can do the same with a loiter.
I started a new discussion on this subject here: what do you think the APM should do on failsafe? I wanted to post it as a new topic but can't figure out how. This discussion should be moved there.
I'll repost this in the new discussion.
Jake, even the much vaunted 9X failsafe (I'm snickering) does not shut off the throttle on a gas engine. So, where's the failsafe?
Kevin, I have 6 Nitro powered airplanes. Some of them are pretty fast! This one is almost 200mph.
Not a single one has a spring on the throttle. I've never even heard of such a thing in 20 years of doing this. Maybe they are doing it now, or maybe they're doing it on gas engines. I have no idea. But this was in no way Standard Operating Procedure when I last flew, nor was it in the MAAC safety code.
But radio range check before every flight, was.
I honestly don't see how you could possibly have a spring strong enough to force an unpowered servo to close, that also wouldn't cause a problem for that servo if you were trying to fight that spring for the whole flight. Well, I have some coreless servos now that have little resistance when unpowered, but something like an HS422? No way.
Jake: Pull the plug? What plug? What are you talking about? There's no spark plug on a Nitro engine.
I do not think the argument you have put forth makes any sense either. That's not my argument, I never made it, don't try to create a strawman.
My point was simply that the 9X failsafe is NOT logical, it's stupid. You are suggesting that the 9X has a wonderful failsafe that is defeated by the APM, and that's false. The 9X failsafe is stupid, and the APM just fails to fix it.
One solution to your problem is to never start the engine until the APM is booted. Another solution is to not cause reboots while driving (watchdog reboots). And finally, don't put an APM on a fast nitro powered ground vehicle. What really are you trying to do?