I had a geofence problem yesterday that resulted in a flyaway and the loss of an aircraft. I'd be grateful for any help identifying what I did wrong. I just moved across the US, and started my first flying day by creating a new geofence polygon around my new flying area. I added the geofence return point and uploaded to my APM 2.6 running ArduPlane. The polygon turned pink and it looked like everything was configured, but when I switched on the geofence on the ground using my transmitter, Mission Planner immediately indicated a fence breach. To troubleshoot, I tried downloading the geofence from the APM to ensure it matched what I had just uploaded. The new polygon I'd created vanished. I spent the next 20 minutes trying to get the new geofence to upload without success. At one point I scrolled back down to my original state of Alabama, and an old geofence was still showing up. I couldn't figure out how to clear or replace it.
Eventually I gave up on the geofence and decided to fly without it. I just had a short test planned with an AUTO takeoff and a few waypoints, followed by a MANUAL return. Immediately after takeoff, I realized my mistake: I'd forgotten to disable FENCE_AUTOENABLE. The geofence immediately activated, the aircraft detected a fence breach, and it set out on a 2000+ mile journey back to a return point in Alabama. I tried to switch back to MANUAL, but the fence continued to operate and the aircraft wouldn't leave GUIDED mode. I was hoping the aircraft would switch to GLIDE when the radio link was lost and the throttle failsafe activated. However, Mission Planner indicated FAILSAFE for several seconds before I lost the telemetry link, and there was no reduction in throttle. So again, I'm guessing that the geofence handling trumps the throttle failsafe? This was a very confusing experience because I haven't seen a hierarchy of failsafes.
So here are my specific questions:
1) What was I doing wrong trying to upload the geofence? Why wouldn't the new one take?
2) Can anyone help me understand the sequence of events once I launched in AUTO? Am I understanding events correctly?
3) Is there anything I could have done to regain control of the aircraft once the fence breach was indicated?
For the benefit of anyone who might encounter this thread in the future, I've gained some important insights into the failsafe hierarchy:
I've been continuing to review my flyaway logs, run bench tests, and review the source code. I have a pretty good idea of what happened. The bottom line is that the geofence response does indeed trump failsafe mode. The failsafe only triggers one time in ArduPlane, changing the flight mode in accordance with user-specified parameters. In my case, the failsafe should have triggered a zero-throttle FBWA. But the goefence check continues to run every 2.5 seconds, even after the fence is breached. If the fence is breached and the aircraft is not in GUIDED mode, ArduPlane switches the mode back to GUIDED. So while there may have been a brief moment when the plane handled the throttle failafe, it was quickly overruled by the geofence handler.
I still have no idea why I couldn't get my new geofence to load. I can upload and download them with no problems on an alternate APM, so am convinced there was a bug somewhere. I probably should have reinstalled the firmware when I couldn't get the new geofence to upload.