I recently steeped down as moderator so I can address this issue and the BS about it. Over the next few day's I be going over the code and addressing the real issues and possible solutions or not possible solutions. Ones that work or don't work.
First we need to establish exactly what the APM should do in failsafe and what the safety issues really are. So lets hear the issues cause and effect and we'll get to the bottom of this one way or another. I hear talk about fixes that I don't consider fixes just work arounds. I know that one of them works for the 9x but it doesn't fully address the issue and nothing I have seen so far does.
I'll be digging out the code and finding the truth myself so lets have at it.
I think the first step is to state the scenarios you're trying to protect.
I can see that you have a few possible issues. You may lose input from the receiver (loss of ppm), the receiver may freeze (same ppm repeatedly for a long period). The receiver may implement its own safety system (return to known state on loss of signal).
Then you have issues with the APM that may need a failsafe to be triggered. I thought there was some handling in the ppm output code that would turn off if it lost the incoming signal? I can't see that you can do much else.
Hopefully that'll stimulate some debate ;)
I join the debate.
I can add two scenarii (found over the internet):
My concern is that even with external telemetry, it is impossible today to set RTL and land successfully, because the stick erroneous position will add to the navigation RTL mode, isn't it?
I don't pretend to understand all that is going on with this issue, but I had one instance that I believe should NEVER happen. The current manual warns of this, but I think there's no excuse for the particular implementation of the feature.
If you've set your failsafe to RTL, and your copter is setting on the ground, and some small distance from where it took off, and you turn off your transmitter, your copter will, all by itself, take off, and RTL.
Now, I REALLY like the idea of you loose your radio, while it's in the air, it returns to launch, that's wonderful, but if it's on the ground, it should NEVER take off by itself.
I knew about this, and I've always maintained vigilance when I'm turning off my transmitter, "Is the copter disabled?" I always ask myself.... Well, almost always.....
But one time I didn't. I was right next to a tree and a building. I turned off my transmitter, and the copter took off, and almost hit the tree, then almost hit the building, barely clearing the edge of the building. I was able to turn my xmtr back on and recover, but it was scary. I think learning by experience is a better way of learning, and I don't *think* I'll do that again, but I'm sure it will happen to someone else.
The solution is extremely simple... Are the motors stopped? Have they been stopped for a given amount of time? Ok, if so, don't fly away!
Yes, plus the copter wasn't within the distance from where launch was.
I knew what would happen, just forgot that one time. Fortunately, no harm done, and instead of just head knowledge, I also have heart knowledge, so I'm more careful now.
Ok, this is a potentially valid issue.
I mean, first I want to say that... to a certain degree this is the type of thing users simply SHOULD NOT be doing. Period. Never turn off your Tx unless the machine is in a safe state. This is like removing your steering wheel while you car is driving on the freeway, throwing it out the window, and complaining that your car crashed.
Now, that being said... are you saying that the copter is "armed", and you turn off the Tx, with the Rx programmed to send an RTL command?
I was going to say I don't understand how this is possible, because, unless there's some bug, it absolutely will NOT take off unless you raise the throttle stick. However, as I wrote this I realized that of course the failsafe position programmed into the Tx would have the throttle stick in the middle position so that it will RTL if it's in the air.
So again, I come back to the steering wheel analogy. If you have things set up this way, and you are turning off the Tx when the copter is armed... I don't know how to prevent this. We could add a check where, if RTL is invoked when the motors are not currently running, then don't go into RTL. But that would get complicated, because the throttle signal will come in at the exact same time that the RTL mode signal comes in. So... We'd have to look back in time and try and watch for the scenario where the motors are not running, but then suddenly and RTL and throttle mid signal comes in. We'd need to check "Ok, were the motors running 1 second ago? Yes, ok, RTL, otherwise, disarm."
Bad analogy about the steering wheel. I KNOW that I will NEVER accidently remove my steering wheel while I'm driving, in addition to that, if I'm stopped at a stoplight, and my steering wheel falls off, I won't start driving again.
But certainly agree that users should NOT be doing it, it's just that turning off a transmitter while the copter is armed WILL be something that happens inadvertently, or for that matter, a beginner may do it on purpose if he/she doesn't know the consequences.
But your idea about looking back in time to see if motors were running 1 second ago is a GREAT idea! Plus fairly simple.
Ok, maybe not the best example. Then try this. You're driving on the freeway, and "accidentally" turn off the ignition, which engages the steering lock. Same deal, you can't steer.
Anyway, the point is, this is bordering on the type of thing that starts to get impossible to protect for. These are very basic user errors. I think maybe we could get this one, but I'm not positive, and I'm sure we can't get them all.
I'm pretty sure I had to search for it.... Hold on.... Let me look again.....
Yeah, here it is:
Yes, I'm sure, with full knowledge of what would happen, I inadvertently shut of my transmitter, I obviously had thought I had disabled the copter.
This has and will happen again if not addressed.
Oh, BTW, I've NEVER inadvertently shut off my ignition while I was driving, again, a bad analogy.
Let's see, a better analogy would be running out of gas. I have done that before, without looking at my gas gauge....
No, I think shutting off the engine is a good analogy. Why would you ever shut off your Tx if the battery is plugged into the quad? Or possibly, it's like parking, shutting off the engine, but not putting it in park or setting the parking brake, and then exiting the vehicle, to have it roll downhill. (this is exactly the reason why now, American cars will not release the keys from the cylinder unless it's in park, something else to prevent these "accidents")
The "armed" status times out after 30 seconds of inactivity in any case. So you must have armed, or landed after flying and not disarmed, and then within 30 seconds forgot that you were still armed, and turned off the Tx.
I strongly encourage people to also make use of the external LEDs feature. It's a very easy way to tell at a glance, what is the status of the copter. If the lights are on, it's armed.
So just like the park/key interlock, I think we can probably protect for this, but at some point we're going to run out of options.
Nope. Big, bright, bold, external LED's. The board can support up to 10mA per LED per output channel, and there are up to 8 channels. So you can run these:
Directly off the APM. It helps a LOT.
Radio off = radio signal loss. In fact it is the best way to simulate and test what happens during radio signal loss.
So by looking at the signals from the receiver only, there is no way to prevent RTH from activating if you turn off the radio. Other then disabling R/C fail-safe completely that is.
So then you have to start to look at autopilot logic judging height, speed, movement etc. to prevent RTH from activating even if the receiver is sending a RTH trigger signal. Needless to say the whole thing becomes very complicated and there is no perfect solutions that covers any and all scenarios.
So the pragmatic solution is, always turn off your TX last.