I'm playing around with Failsafe. (ver 2.2)
If FS_LONG_ACTN and FS_SHORT_ACTN are zero, and THR_FAILSAFE is 1 and THR_FS_VALUE is 950 (which all seem to be the defaults according to http://code.google.com/p/ardupilot-mega/wiki/MAVParam) and you get into failsafe either by turning off the TX if the RX failsafe is programmed as negative throttle, or pulling throttle hold if that is 950 or less (below the bottom of the natural throttle range).
THEN ..
The plane goes into CIRCLE mode (note: not LOITER) and stays in it, both through short and long failsafe modes. RTL is not invoked.
I think this is not a desirable thing for two reasons:
a) the correct default FS_LONG_ACTN should be 1 so that CIRCLE morphs to RTL if it is a long failsafe, because unless you know what you are doing, if you lost RC signal, perhaps due to range etc., the best hope is for RTL.
b) *if* FS_LONG_ACTN = 0, shouldn't CIRCLE at least morph to LOITER, because if you don't want RTL on long failsafe, why circle with the prevailing wind, ignoring GPS?
Am I understanding CIRCLE right? The code says:
case CIRCLE:
// we have no GPS installed and have lost radio contact
// or we just want to fly around in a gentle circle w/o GPS
// ----------------------------------------------------
and yet failsafe_short_event_on() and failsafe_long_event_on() are setting the mode without regard to GPS status.
Also, the wiki on failsafe needs updating:
http://code.google.com/p/ardupilot-mega/wiki/Failsafe
as it does not explain the default values, or warn that CIRCLE is actually not around a GPS point, but a 33% of max roll with flat pitch, and "cruise" throttle (meaning plane at whim of wind).
Replies
I suspect there is a bug. I have reported it as an issue on APM project site for APM2.24, but got no feedback from dev team yet. You can read it here, I also suggest a fix.
And there is another minor problem with FAILSAFE.
The way failsafe code works is it triggers only on a change in state: from radio OK to radio throttle channel below magic number. At which point it sets the failsafe mode, and that triggers the change in autopilot mode -- to save the plane.
The problem is where the mode gets changed back to manual, but the radio is still in failsafe mode. In that case, since the radio state has not changed, the "save the plane" event does not happen. And the plane crashes.
How can the mode change to manual without the radio doing it (which would mean radio is ready to trigger failsafe again)?
One way is the ground station requests manual mode. (Or in X-Plane you hit the manual button.) There may be another way, perhaps if the RX glitches the flight mode switch, maybe a timing issue if channels do not switch to failsafe at the same time.
If the radio is already in failsafe, and the autopilot goes manual, the plane crashes.
So I think the plane should not accept a MAVLink request for MANUAL mode if the radio is in failsafe. Or the radio should reset its failsafe triggers for renewed optimism if it sees the autopilot mode change back to manual, so it can re-trigger the failsafe events if the radio is still actually down.
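The edge-triggered behaviour described in the last reply, together with the two fixes it proposes, as an added C++ model that is not part of the thread and is not ArduPilot source. All names are hypothetical except THR_FS_VALUE and its value 950, which come from the first post.

```cpp
// Simplified model for illustration; not ArduPilot source. Names are hypothetical,
// except THR_FS_VALUE = 950, which is taken from the first post.
#include <cstdint>
#include <cstdio>

enum Mode { MANUAL, CIRCLE };
const uint16_t THR_FS_VALUE = 950;  // throttle PWM at or below this: radio in failsafe

struct Autopilot {
    Mode mode = MANUAL;
    bool fs_latched = false;   // failsafe event has already fired for this outage
    bool guard_gcs;            // fix 1: refuse MANUAL from the GCS while radio is down
    bool rearm_on_manual;      // fix 2: clear the latch whenever mode returns to MANUAL
    uint16_t last_thr = 1500;
    Autopilot(bool guard, bool rearm) : guard_gcs(guard), rearm_on_manual(rearm) {}

    // Called every control loop with the throttle channel PWM.
    void radio_update(uint16_t thr) {
        last_thr = thr;
        bool in_fs = thr <= THR_FS_VALUE;
        if (in_fs && !fs_latched) {   // edge trigger: fires only on OK -> failsafe
            fs_latched = true;
            mode = CIRCLE;
        } else if (!in_fs) {
            fs_latched = false;       // radio recovered, allow a future trigger
        }
    }
    // Ground-station mode request; returns true if the request was accepted.
    bool gcs_set_mode(Mode m) {
        if (m == MANUAL && guard_gcs && last_thr <= THR_FS_VALUE) return false;
        mode = m;
        if (m == MANUAL && rearm_on_manual) fs_latched = false;
        return true;
    }
};

// Scenario from the reply: radio drops, GCS requests MANUAL, radio stays down.
Mode run_scenario(bool guard, bool rearm) {
    Autopilot ap(guard, rearm);
    ap.radio_update(1500);    // radio OK
    ap.radio_update(900);     // radio lost: failsafe fires, mode becomes CIRCLE
    ap.gcs_set_mode(MANUAL);  // ground station asks for MANUAL
    ap.radio_update(900);     // radio still in failsafe on the next loop
    return ap.mode;           // MANUAL here means nothing is flying the plane
}

int main() {  // prints final mode (0 = MANUAL, 1 = CIRCLE) for each variant
    printf("%d %d %d\n", (int)run_scenario(false, false),
           (int)run_scenario(true, false), (int)run_scenario(false, true));
}
```

With neither fix the model ends in MANUAL while the radio is still down; with either fix it ends in CIRCLE.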