Implementing ESC Fail Safe


I had a request to provide information on how I implemented an ESC fail safe on my quadcopter and posted a small image of the process under the ArduCopter 2.5 firmware thread.  Since I suspect there may be a more general interest in this, I'm posting a blog segment on this fail safe.

Above is an image of the process.

Also, here's a PDF copy.

Edit: the Pololu devices are the Pololu Servo Multiplexer, part #721.



  • First, a clarification of my initial motivations:

    (1) my first quadcopter design was to use redundant flight controllers.  A heartbeat signal would switch between the two controllers.  This was because I was designing my own controller and was going to utilize a COTS device for backup in case my code went wonky during testing.  From a true redundancy point of view, it didn't seem to hold water on paper, as ultimately the MCU putting out the heartbeat signal was the weak link in the chain.

    (2) this ESC protection really affords its place only as a way to remove ESC signal from the motors while I'm testing inside, for example, with the radio on and don't feel like removing props.  I remove the jumper and get a low signal on each ESC which prevents them from arming.  The 8 channels were drawn in case others wanted to use this idea to turn off their ESCs in a similar fashion and were running 4, 6, or 8 discrete channels on their birds.  Of course, only one board is needed for 4 channels, like I have on my quad right now.

    (3) the idea of utilizing the radio channel to turn off power to the motors during flight came as an extension to the discussion for a fail-safe in the ArduCopter 2.5 thread where others were talking of having a radio switch to remove power from the motors in case of a failure and they couldn't turn the motors off by conventional means.  Because of the extra feature on the Pololu servo multiplexer that includes the jumper for selecting master or outputting low for invalid radio signals, this board works great for me when I don't have an actual radio signal attached to it and rely only on the jumper to allow my testing to happen.  It was mentioned that failure of the radio would mitigate the "safety" features of this fail-safe (maybe fail-safe isn't the right word in this context?) as a failed radio may drop the quad out of the sky.  Who knows when and where the proper time for this to actually occur?  Would require further investigation.  This idea was really to provide a way of removing ESC signals via radio control, as well as facilitate powered-on testing, but it is very true and should be considered that the in-flight variant with the radio-controlled signal should probably not be used--at least not without some forethought from the end user.

    Sorry for the juxtaposition of ideas.  My original quad was to use a redundant controller, but that got scrapped and I used some of the "parts" to implement an ESC cutoff feature to help with my testing.  I thought this could get extended, as indicated, but after reading some of these comments about radio issues, I don't think having motors drop out mid-air would be any safer.  Yet another method is likely needed to remove power/signal from the ESCs in the event of a crash or failure where the motors are spinning out of control.

    Thank you all for your valuable input.  I'm loving my APM2 and am starting to approach my 10th full flight on my quad.  What a blast!

  • Michael.  I understand.

    You may be able to pass radio redundancy by using the joystick control over telemetry radio in conjunction with the RC radio.  The redundancy requirement seems a little over the top, since real large scale airplanes get licensed without all that redundancy.

  • Coptaire, yes, from Jani's response I had the impression it was a quad with redundant motors.  Like he said, it's a lot of extra weight and drag to carry around.  I think for redundancy, since we are in the mode of adding extra hardware, we could add simple encoders on each motor/prop to detect motor failure.  Maybe just a simple opto switch to roughly detect RPM.  Feed all the signals back to a cheap atmega328, which sends the message to the APM with a bitmask indicating which motor is failing.  Our motors code could then use this indication to optimally operate all the remaining motors to do a soft landing.  This could work well for any number of motor failures, as long as we have enough motors to stabilize and lift the craft.
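As an added illustration of the opto-switch idea in the comment above (example code, not from the thread or from ArduCopter): pulse counts per motor are turned into RPM, a motor that stays below a threshold for several consecutive sample windows is flagged in a bitmask, and a final check asks whether enough motors remain for a controlled descent. Motor count, thresholds, the sample window and the pulse counts are constructed assumptions.

```c
/* Added example, not code from the thread or from ArduCopter: per-motor failure
 * detection from opto-switch pulse counts, producing the bitmask an atmega328
 * could send to the APM. All constants below are constructed assumptions. */
#include <stdint.h>
#include <stdbool.h>
#include <string.h>

#define NUM_MOTORS         8   /* X8 frame: one opto channel per motor (assumed) */
#define PULSES_PER_REV     1   /* one opto transition per revolution (assumed) */
#define MIN_RPM          800   /* slower than this while armed counts as a low window (assumed) */
#define FAIL_WINDOWS       3   /* consecutive low windows before declaring failure (debounce) */
#define MIN_LIFT_MOTORS    6   /* fewest motors assumed able to stabilise and lift (assumed) */

typedef struct { uint8_t low_windows[NUM_MOTORS]; } motor_monitor_t;

/* RPM from pulses counted during one sample window of window_ms milliseconds. */
uint32_t rpm_from_pulses(uint32_t pulses, uint32_t window_ms) {
    if (window_ms == 0) return 0;
    return (uint32_t)(((uint64_t)pulses * 60000u) / ((uint64_t)PULSES_PER_REV * window_ms));
}

/* Call once per sample window. Bit i is set when motor i has been below MIN_RPM
 * for FAIL_WINDOWS consecutive windows while armed, so a single glitched window
 * (one missed opto edge) does not trip it. Disarming clears all state. */
uint8_t motor_failure_mask(motor_monitor_t *m, const uint32_t pulses[NUM_MOTORS],
                           uint32_t window_ms, bool armed) {
    uint8_t mask = 0;
    if (!armed) { memset(m->low_windows, 0, sizeof m->low_windows); return 0; }
    for (int i = 0; i < NUM_MOTORS; i++) {
        if (rpm_from_pulses(pulses[i], window_ms) < MIN_RPM) {
            if (m->low_windows[i] < 255) m->low_windows[i]++;
        } else {
            m->low_windows[i] = 0;               /* recovered: reset the debounce */
        }
        if (m->low_windows[i] >= FAIL_WINDOWS) mask |= (uint8_t)(1u << i);
    }
    return mask;
}

/* Number of motors the mask still reports as healthy. */
int healthy_motors(uint8_t mask) {
    int n = 0;
    for (int i = 0; i < NUM_MOTORS; i++) if (!(mask & (1u << i))) n++;
    return n;
}

/* True when enough motors remain for the flight controller to attempt a soft landing. */
bool can_attempt_soft_landing(uint8_t mask) {
    return healthy_motors(mask) >= MIN_LIFT_MOTORS;
}
```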

  • Michael, I don't see the need to sacrifice a craft in event of a radio failure.  That's the reason we have an auto pilot.  The AP should be able to detect radio signal loss, and either hover the craft or attempt a landing.  In fact most radio signal loss is transient, and if the craft does the hover on failure, recovery may still be possible.  Having a redundant radio may not help either, since most often hard radio failure is a result of flying out of range.  Since both radios will have the same range this will not add any redundancy.  On the other hand, having a redundant AP could be useful in case of an AP failure, but again I'm not sure how often that happens.

    Probably the most common mode of failure is a motor or ESC loss or sensor confusion.  Neither of these is solved by redundant AP or radio.

  • @Ellison.

    Apparently, the APM is in quad config coax, X8. But, only 4 motors are used, the 4 remaining are like a backup. A quad with upper props spinning, and bottom ones unpowered. The 2 Pololu boards are configured to react differently, based on PWM value: When one board is ON, the other is OFF. One RC channel is triggering both Pololu boards.

    This is where I don't agree with this setup. If there is a TX/RX transmission problem, triggering a failsafe condition (like auto-landing), I don't see why the motors are concerned, triggering an instant, and perhaps violent, 4 motors in-flight change.

  • Don't get it.  Is this radio signal failsafe or motor redundancy?

  • Developer

    It's the same mux chip that we are using on APM1. Idea is rather good but not sure how well it works in real-life applications as normally you need to start pushing out low PWM values first to start motors. In this case we would push out immediately high PWM outputs and it might cause problems on the system during switch over.

    Also it would work only on quads as there are not enough PWM outputs on APM2 board. And bottom motors will create drag so you will lose some efficiency on it. Still it's an interesting idea.

  • Developer

    I think I understand now...

  • Developer

    Can you post a link to that Pololu component? What is it exactly?

    It is not clear from this image what exactly this does or how, but it sounds very interesting.

    more info please!
