First, this IS NOT a bashing session; this is a search for answers and opinions, so try to be respectful and courteous!
Me personally, I think the APM is capable of bringing my plane back and landing if the rx fell out! Do I think DIY should be responsible to implement it? No, but they are flying too, so if we come up with a good proposal I'm sure they would try to make it happen!
This discussion is intended to come up with scenarios where your platform would go out of control, and what we can do! There should be a sister post, Mitigating the chances of losing control.
I'll start out. With Geofencing (hereafter referred to as GF) turned on I can't see how your platform can fly away, so maybe GF should be turned on by default with a tiny box that you have to adjust to your area, platform, and conditions? But not all of us carry a laptop to the field, so maybe we should be able to save it and recall a few different versions for different fields and/or conditions; that way you could program it at home and go fly. But if you turn it on too far away from the place you selected as home it should lock up and beep or flash an error; that way it won't try to fly 40mls back to your house (00). A safe, configurable, selectable autoland function tied to GF would be nice too.
At least this would protect the DIY community from litigation and put responsibility on the user, and would save a newbie from a painful, costly learning experience!!! Feel free to poke holes in my ideas!
Questions lead to answers, and isn't it wonderful we need not wait another second to make the APM better, and if we do a good enough job maybe the government will force the AMA to use our product on all their large dangerous aircraft! And would help in the UAV community acceptance into the sport.
Now have at it.
Exactly. The idea of an overarching watchdog is really bad, as it can only serve to increase crashes. If the APM hangs without a watchdog, the aircraft will crash. If the APM hangs and it has a watchdog, it will crash anyway if it's a Copter; the AC code has absolutely no provision for air restart. If it's an airplane and the watchdog forces a reboot, it may save the plane, as airplanes can theoretically air re-start. However, airplane guys can also switch over to manual mode, and fly manually while THEY trigger a controlled reboot, which IMO is safer than random, unsignalled, unknown reboots caused by a watchdog.
So it really does not make anything safer. All it does is create a whole bunch of things that could go wrong. It can trigger reboots (crashes) when nothing is actually wrong. And it can trigger failsafe actions on the ground, which can trigger unwanted engine-starts, etc.
If Jake wants "E-stop Safety", his only real option is to have something like a copilot, with a separate Rx and Tx mounted on the aircraft. The Tx is slaved to FETs which kill motor power. If and only if the copilot decides to shut down the motors, will it happen.
Actually, if the APM has hung the pilot cannot switch over to manual because by then the APM can't accept the "switch to pass-thru" command or do the actual pass-thru.
So on a fixed-wing aircraft, the watchdog might let a skilled pilot save the plane.
- If they're lucky and high enough up!
Even with that caveat, any triggering of the watchdog is very likely to cause a crash.
The reason it may be a good idea to enable it is to turn "power off into the sunset" into "probably crash, maybe manual rescue".
So I suppose the watchdog primarily applies to fixed-wing and surface craft which are stable enough to travel unaided, and even then it'd have to be very forgiving.
Well, mine in its present state, if the throttle wire were to fall off I could switch to RTL, or even better for a Quad, FBWA, which you can preset the min/max throttle; set the max low enough for it to slowly come down.
That's what we're trying to figure out. I think the throttle wire is probably the most dangerous for most vehicles and the mode would be next, so maybe we need to have FBWC or SAFETY MODE, which on planes, helis and quads could reduce throttle to an acceptable level and shut down once on the ground, or for ground vehicles just shut it off. In mine, if the rx were to fall out GF would bring it back and circle till the ESC cut out.
There is already a failsafe function on ArduPlane at this time.
Of course you need to be able to program it on your receiver.
I use a Spektrum DX8 with AR8000 receiver.
Setup is easy in order to provide below 1000 ppm on throttle when the receiver loses contact with the Tx radio, triggering Failsafe on the APM.
I'm not sure I understood quite well the discussion about watchdogs...
I do not think that APM should re-invent the wheel. I did not follow all the posts in detail. And I'm aware that Spektrum gear is expensive.
Regarding getting the planes back... before playing with the Geo Fence.
A newbie like me should work on basic fail safe and forget about Geo Fencing for a while.
Regarding safety... with the Lipo inside, like a member wrote... I could be kms away from civilisation and could hit someone far far away because the airframe had enough juice to travel.
This is a video regarding the Circle problem. I'm quite sure it is a Rudder not doing its job... or maybe not....
And for safety's sake, I did not want to wait for the 20 seconds RTL. But I know RTL is working. It was configured and tested.
Here it is:
The watchdog is irrelevant and should never have been brought up.
I'm annoyed with myself for replying to Jake about watchdog, he clearly is either trolling or doesn't know what a watchdog is.
What I mean is that the Watchdog is not related to "RC Failsafe" and this thread has clearly confused the two.
Watchdog is to force "hung" firmware to crash-land the aircraft.
Many fixed-wing aircraft will fly quite happily simply by applying power, so a 'hung' firmware won't bring the aircraft down.
In the worst case, if the control surfaces are 'flat', it could vanish into the sunset and crash later when the batteries run out.
However, copters will flip and crash pretty soon after firmware hangs, because the necessary active stabilisation has ceased.
A Watchdog can shut down the motors (good), but once the aircraft is falling and no longer level it's basically impossible to "catch" it.
The problem with this thread, and the previous one is that there is no specific problem we are "fixing". There are a range of issues, all of which got lumped as "safety" issues, requiring a "failsafe".
There's not even any consensus on what issue caused Zen's flyaway, or what can be done to avoid it in future.
If the point of this thread is to make this hobby "safe" for all, then it is pointless. If the point is to fix a specific problem, then we have to agree on what the problem is, test and validate that it exists and solve it. So far, I've seen discussion of 5-6 related but separate problems, which require different fixes. Anytime someone asks any question it goes ad-hominem, so I'm gonna stick to writing code. When this is all figured out, maybe we can "fix" it, but until we agree what "it" is... it can't be fixed.
Last night I proved out the solution to the physical problem of the throttle wire losing contact.
I'm using an FrSky module in an older Futaba radio, and an FrSky DR8SP receiver feeding CPPM to the APM2. This means there is only a single wire going to the APM, not 4+. This means that if the single wire should lose contact, you lose *all* control. So, single point of failure. But then again, you only have to get 1 wire right. If the loss of any single signal could cause a loss of control, this solution is 4 to 8 times less likely to cause a loss of control.
But the real test was what happens when that wire is lost? So I unplugged it, and the radio channel display in MP shows that the throttle signal drops to 900, all others are centered, and so the APM enters failsafe which is RTL. IMO, this is the safest option.
Now, I did discover that when reconnecting the Rx to the APM, it caused the APM to reboot. I tracked this down to the apparent fact that there are some caps in the Rx which need to charge, and the inrush current momentarily browns out the APM. This would be a problem if you had a flaky connection that was coming on and off. However, I solved this by simply plugging a 3300uF capacitor into the APM to help support the voltage level when the Rx is reattached.
So to summarize:
1. Cost is only ~$60? This also gets you telemetry, which is awesome. This allows you to see an impending radio link loss before it happens! AND you get a fully programmable failsafe so that you can program in whatever failsafe you want to have if the Tx signal is lost. Want to shut the motors down? No problem. Want to RTL? No problem. Want to Loiter/Circle? No problem.
2. The CPPM signalling is easier, cleaner, and 8 times less likely to cause a partial loss of control.
3. The FrSky system is extremely fault tolerant. It has possibly the best RF noise rejection available, and the fastest reboot and re-link time you can buy. True diversity from dual antennas. And does not brown out until <2.8V.
4. I think everybody should have a capacitor bank installed on the APM power rail as a safety precaution in any case. These cost a few bucks at most, and can prevent a momentary power glitch from causing a reboot.
I use one of these on my big heli. It helps if a servo has a problem, and can actually keep the APM alive for well over 2 seconds if power is lost.
IMO, "Failsafe" is not trying to make a system handle a fault in the least terrible way. Failsafe is making a system that won't have a problem in the first place. Reducing failure points is a huge part of that. Choosing the right equipment is also very important. And finally, flying in a safe location is the 3rd leg of the stool.
You are all now informed of the "best practices" for safety, and you have no excuse to try and blame 3DR or the APM Developers if you have a crash caused by using a crappy 9X radio system.
Again, IMO, all this talk of watchdog timers forcing reboots is potentially increasing the chance of crashes. And again, people exist on the ground, not in the air, so not crashing into the ground should be mission #1. Forcing a reboot GUARANTEES a crash of a Copter. Causing unnecessary reboots will increase crashes, and increase risk.
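The throttle-based receiver failsafe described in the posts above (throttle pulse below a threshold switches the mode to RTL), as an added example that is not part of any post and is not APM/ArduPilot code. The 950 µs threshold, the frame-count debounce and all names are assumptions for illustration; the thread itself only gives "below 1000" and a measured 900.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Assumed values, not taken from APM: the thread only says "below 1000" / "900". */
#define THR_FS_US    950u  /* throttle pulse width (us) treated as "signal lost" */
#define ENTER_FRAMES 3u    /* consecutive low frames before entering failsafe */
#define EXIT_FRAMES  10u   /* consecutive good frames before leaving failsafe */

typedef enum { MODE_PILOT, MODE_RTL } flight_mode_t;

typedef struct {
    flight_mode_t mode;
    uint8_t low_count;   /* run length of frames below the threshold */
    uint8_t good_count;  /* run length of frames at or above it */
} failsafe_t;

void failsafe_init(failsafe_t *fs)
{
    fs->mode = MODE_PILOT;
    fs->low_count = 0;
    fs->good_count = 0;
}

/* Call once per received frame with the throttle pulse width in microseconds. */
flight_mode_t failsafe_update(failsafe_t *fs, uint16_t throttle_us)
{
    if (throttle_us < THR_FS_US) {
        fs->good_count = 0;
        if (fs->low_count < ENTER_FRAMES) fs->low_count++;
        if (fs->low_count >= ENTER_FRAMES) fs->mode = MODE_RTL;
    } else {
        fs->low_count = 0;
        if (fs->good_count < EXIT_FRAMES) fs->good_count++;
        /* Hysteresis: a flaky link must stay good for a while before handing back. */
        if (fs->mode == MODE_RTL && fs->good_count >= EXIT_FRAMES) fs->mode = MODE_PILOT;
    }
    return fs->mode;
}

int main(void)
{
    /* Constructed sample: normal flight, one glitch, then the wire is unplugged. */
    const uint16_t frames[] = { 1500, 1500, 900, 1500, 900, 900, 900, 1500, 1500 };
    failsafe_t fs;
    failsafe_init(&fs);
    for (size_t i = 0; i < sizeof frames / sizeof frames[0]; i++)
        printf("%u us -> %s\n", (unsigned)frames[i],
               failsafe_update(&fs, frames[i]) == MODE_RTL ? "RTL" : "PILOT");
    return 0;
}
```
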
I'm very new to all of this so please excuse me if I ask dumb questions. I have a "crappy 9x" and after reading your post I'm curious: if I install the FrSky module in the 9X, can it be set to do the same thing or would I need to replace the radio?
If the FrSky unit can be put into the 9X (I'm not sure, but I think it can based on the comments) then you can definitely program it for the failsafe, as the programming is done between the transmitter module and the receiver. With the standard FrSky firmware, you simply set your Tx to whatever control position you want for failsafe, then push the button on the Rx, and it remembers the settings. If it ever loses radio link with the Tx, then it sends the preset signals. I have tested this and it works.
Optionally, you can flash new official firmware to the Tx module, where, if you press the button on the Tx module, it sets the failsafe settings. This is useful for some situations where you want to fly your aircraft and program in a functionality. So, assuming no APM, if you have a stable aircraft, you could get your aircraft in a nice gentle, level circle, push the button, and remember those positions. Then if you lose signal, there's a chance it will start circling without crashing. Alternatively, you could program in a snap-roll with min-throttle. This will be the lowest-energy possibility for a controlled crash landing of your airplane. Obviously this would only be done if it's determined that you'd rather be able to pick up the pieces, rather than have a fly-away. The airframe would be toast, but you'd get your engine and electronics back.
This is what I ordered and put in my Turnigy 9X. Works great.
Adding the FrSky module is only a matter of plugging it in. Preserving the 9x module is another story as the antenna cable can't be unplugged.
I essentially did the same procedure as posted in the link below. The only tricky part was to reconnect the miniature coax antenna cable of the 9x module. Have not done any range tests, but so far it looks like it survived the operation.