What do you think the APM should do on fail safe?

First, this IS NOT a bashing session; this is a search for answers and opinions, so try to be respectful and courteous!


Me personally, I think the APM is capable of bringing my plane back and landing if the RX fell out! Do I think DIY should be responsible to implement it? No, but they are flying too, so if we come up with a good proposal I'm sure they would try to make it happen!


This discussion is intended to come up with scenarios where your platform would go out of control, and what we can do! There should be a sister post, Mitigating the chances of losing control.


I'll start out. With Geofencing (hereafter to be referred to as GF) turned on, I can't see how your platform can fly away, so maybe GF should be turned on by default with a tiny box that you have to adjust to your area, platform, and conditions? But not all of us carry a laptop to the field, so maybe we should be able to save it and recall a few different versions for different fields and/or conditions; that way you could program it at home and go fly. But if you turn it on too far away from the place you selected as home, it should lock up and beep or flash an error; that way it won't try to fly 40mls back to your house (00). A safe, configurable, selectable autoland function tied to GF would be nice too.


At least this would protect the DIY community from litigation and put responsibility on the user, and would save a newbie from a painful, costly learning experience!!! Feel free to poke holes in my ideas!


Questions lead to answers, and isn't it wonderful we need not wait another second to make the APM better, and if we do a good enough job maybe the government will force the AMA to use our product on all their large dangerous aircraft! And would help in the UAV community acceptance into the sport.

Now have at it.



  • Apologies if this has already been posted, but after reading this thread I wanted to report an apparent success.

    I set Fail Safe on my new quad in the following way, which appears to work testing on the bench without props and watching telemetry with Mission Planner.

    Using new Quad with APM2 2.8.1 and a DX8.

    I wanted to set Fail Safe to RTL.  Using instructions in the DX8 manual we did the following.

    RF connection to Quad for telemetry, using Mission Planner to watch mode.

    Props off, DX8 off, quad off

    Inserted bind plug into receiver on quad and powered up.

    Removed the bind plug while the RX light was still flashing fast.

    Set the DX8 throttle to just above mid point and switches to a RTL flight mode.

    Powered on the DX8 and watched it go through the bind process. When done, cycled the power on the quad and DX8.

    Tested as follows:

    Flight mode switches in Stabilize.  Power on DX8, power on quad.  Enabled. Ran the throttle up a way in Stabilize, but not to mid point.  Noted Stabilize mode in the telemetry display of the HUD.  Powered off the DX8.  Motors spun a bit faster, FM showed RTL. Simulated returning into range by turning the DX8 back on while FM switches still in Stabilize.  Telemetry showed Stabilize mode and the motors dropped in speed a bit and were controllable with the DX8.

    So that would seem to show that if signal is lost at the receiver the quad will go into RTL.  Hopefully that will get it back into range and return to whatever mode I have the FM switches set to, which will likely be Stabilize or Position Hold.

    Caution.  I've not tested this in flight. Will do so tomorrow weather permitting.

  • I first saw a "Berg Pin Header Strip" on the original IBM PC in 1981.  They're cheap, lightweight, and easy to use (although non-polarized in most applications).  They were, however, never intended for high vibration applications.  No, I'm not picking on 3DR at all; unfortunately they've become a standard in the hobby industry with which any manufacturer would be obliged to comply.

    Needless to say, you won't find any such connectors in my aircraft.  From the APM connections to the LiPoly pack balance access harness, everything is soldered permanently where possible.  The few connectors are high-grade locking types.

    Considering that there are few machines with vibration signatures as high in magnitude or complexity as a multicopter, any serious practitioner in the art should solder wherever they can and incorporate higher-quality connectors where they must.  This eliminates many of the potential "fails" from which the craft must be saved.

  • There, I read it!

    I've been watching in horror as the number of replies ballooned here, but given the subject I had to read it.  I'm glad to see that it's come down to what seems to me the best possible conclusion.

    Hopefully I will get around to setting up and testing this soon, but of course, hopefully I'll never need it!



  • Developer

    I have updated the ArduPPM firmware for the APM2 (v2.2.67) so that it will detect a missing throttle signal and set the throttle value to 900us. APM1 version will come later.

    Binaries: http://code.google.com/p/ardupilot-mega/source/browse/#git%2FTools%...

    How-To: http://code.google.com/p/ardupilot-mega/wiki/APM2Encoder

  • What happened to Kevin?  Apparently he wasn't only banned... he was permabanned and all his posts completely erased.

    That's too bad since he's probably contributed more to safety than anyone else here.

  • Moderator

    You can set it to whatever you feel is best; after all, you are responsible for what you are doing with it. You can even preconfigure a course of action to take in great detail if you wish, such as stop for so long, then go somewhere, then stop again, then come back and spin around a few times. The possibilities are endless, but the buck stops with whoever is in command of the vehicle. So wherever you fly, you, the pilot, must decide what is best for the scenario.

  • My opinion would be on initial failsafe, enter loiter mode for a predetermined time...  after a delay (say 30sec while it waits for a signal) enter RTL.  That way in case of a failure it will basically stop and wait to see if you can regain control.  If not, then come back to home so that you don't have a fly away.

  • Moderator

    Perhaps I am being stupid? Forgive me, I have only read the first couple of pages and the last page, but isn't it fairly easy to set up a failsafe upon loss of signal? My Tricopter returns to launch and lands on loss of signal, but I can change it to do a few other things if I feel it would be better.

  • Developer

    OK, let's try dealing with a specific case related to failsafe performance, instead of all this high level abstraction going on.

    ArduPPM (ppm encoder) failsafe and throttle channel:

    First some back story. Reading PWM signals from up to 8 R/C receiver channels and maintaining timing so that you have good stick resolution (>1000 steps) is very difficult with the atmega32u2 hardware. The PWM pulses from all the channels have to be intercepted and dealt with using a single shared interrupt, regardless of the channel signal pattern that may or may not have overlapping pulses. At the same time you also have to stay compatible with the USB<->Serial conversion code that Arduino uses to reach the main atmega2560 chip from a USB connection (replacing the expensive FTDI chip used earlier).

    So certain shortcuts had to be made in the design, to make it possible. One such shortcut is not dealing with the (physical) loss of single channels. Checking for such a combination in a shared interrupt takes too long and would affect stick resolution. So the loss of throttle channel (actual wire signal loss) not triggering failsafe has been a known weakness from the start.

    Now for the dealing with a specific case part.

    I think it would be possible to make a special case for the throttle, without having to degrade the stick resolution. But it would have to be a very specific set of behavior. I see two possible behaviors (that would be possible with the limitations set by timing requirements).

    1. After a certain duration without a valid throttle signal, the 'all channels lost' failsafe option is triggered (throttle 900, channel 5 1555 (mode 4), the rest centered at 1500). This failsafe would then stay active until a valid input is detected on the throttle again. The problem with this is that it would actively disable input from other channels if throttle dies.

    2. After a certain duration without a valid throttle signal, throttle is set to 900. How this is dealt with is then up to the main logic in the APM code.

    As I see it option 2. is the best solution. Any suggestions, comments before I implement this?
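
The two throttle-loss behaviours described in the post above, modelled as an added example in C (not ArduPPM code and not written by the post's author). The timeout, the valid pulse bounds and the throttle input index are assumptions; the output values 900, 1555 and 1500 are the ones quoted in the post.

```c
#include <stdint.h>
#include <stdio.h>

#define CHANNELS            8
#define THROTTLE_CH         2      /* assumption: throttle on input 3 (index 2) */
#define MODE_CH             4      /* channel 5, as named in the post */
#define THROTTLE_TIMEOUT_MS 250u   /* assumption: the post says "a certain duration" */
#define PULSE_MIN_US        800u   /* assumption: bounds of a valid pulse */
#define PULSE_MAX_US        2200u

enum policy { ALL_CHANNELS_LOST = 1, THROTTLE_ONLY = 2 };  /* options 1 and 2 */

struct encoder {
    uint16_t in_us[CHANNELS];      /* last measured pulse widths */
    uint32_t throttle_seen_ms;     /* time of the last valid throttle pulse */
};

/* Record a measured pulse; only a valid throttle pulse refreshes the timer. */
void on_pulse(struct encoder *e, int ch, uint16_t us, uint32_t now_ms) {
    e->in_us[ch] = us;
    if (ch == THROTTLE_CH && us >= PULSE_MIN_US && us <= PULSE_MAX_US)
        e->throttle_seen_ms = now_ms;
}

/* Fill out_us with the values to encode; returns 1 while failsafe is active. */
int build_frame(const struct encoder *e, uint32_t now_ms,
                enum policy p, uint16_t out_us[CHANNELS]) {
    int lost = (uint32_t)(now_ms - e->throttle_seen_ms) > THROTTLE_TIMEOUT_MS;
    for (int i = 0; i < CHANNELS; i++)   /* option 1 overrides every channel */
        out_us[i] = (lost && p == ALL_CHANNELS_LOST) ? 1500 : e->in_us[i];
    if (lost) {
        out_us[THROTTLE_CH] = 900;       /* both options force throttle low */
        if (p == ALL_CHANNELS_LOST) out_us[MODE_CH] = 1555;
    }
    return lost;
}

int main(void) {
    struct encoder e = {{0}, 0};
    uint16_t out[CHANNELS];
    for (int ch = 0; ch < CHANNELS; ch++) on_pulse(&e, ch, 1600, 1000);
    /* Constructed scenario: throttle wire drops, roll input keeps updating. */
    on_pulse(&e, 0, 1700, 1400);
    for (int p = 1; p <= 2; p++) {
        build_frame(&e, 1400, (enum policy)p, out);
        printf("option %d: roll=%d thr=%d ch5=%d\n",
               p, out[0], out[THROTTLE_CH], out[MODE_CH]);
    }
    return 0;
}
```

With option 1 the live roll input is replaced by 1500 as soon as the throttle times out; with option 2 it passes through and only the throttle is forced to 900, leaving the reaction to the main APM logic.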
