Failsafe

From PaparazziUAV

Revision as of 06:01, 23 October 2010

Paparazzi has several built-in failsafe features.

The exceptions feature of the flight-plans allows for very flexible failsafe behaviour.


FBW (Fly By Wire)

'Failsafe Switch'

The lowest level of Paparazzi is the FBW (Fly By Wire) controller. It reads the RC receiver, reads the autopilot commands and drives the servos according to the low-level failsafe rules below.

This is the 'switch' between manual and automatic modes, so there is no need for a separate failsafe board. The Paparazzi FBW has evolved enough intelligence that it is probably safer than, or at least as safe as, most other failsafe switches. This is because Paparazzi has precise information about the remote control in its RC.xml: if a transmitter of the wrong type is used (e.g. not the right number of channels, or not the correct frame interval or sync pulse length), the FBW will not listen to its commands even when it is on the same frequency.

 * Be aware that many failsafe switches use a pulse on one RC channel (e.g. channel 5) to switch between autopilot and RC. With analog RC equipment this is very unsafe: whenever the RC is out of range the switch starts switching back and forth, putting the UAV out of control even if the autopilot is perfectly OK.

FBW logic

-RC GOOD: listen to the MODE switch on the transmitter (whenever the remote control is close enough, the pilot has the final word)
-RC BAD: go to automatic mode (see further on for the handling of automatic modes)
-RC BAD AND AUTOPILOT DATA TIMEOUT: apply the failsafe command values from the airframe configuration XML (do not forget to fill in useful failsafe values in the commands section)
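The three FBW rules above, together with the "wrong transmitter type is ignored" behaviour, as an added Python model. This is illustrative code written for this page, not Paparazzi's fbw firmware: the PPM frame profile (channel count, sync gap, pulse widths), the channel used as MODE switch, the timeout values, the frames fed in and the handling of the one case the page does not spell out (RC good, MODE on auto, autopilot timed out) are all assumptions.

```python
"""Model of the FBW arbitration described above (added example, not
Paparazzi's fbw code).  The PPM frame profile, the channel used as MODE
switch, and the timeouts are assumptions chosen for the demonstration."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Assumed transmitter profile (the role RC.xml plays in Paparazzi).  A frame is
# accepted only if it has exactly CHANNELS pulses after a long enough sync gap
# and every pulse width lies in the allowed range.
CHANNELS = 7
SYNC_MIN_US = 4000
PULSE_MIN_US, PULSE_MAX_US = 900, 2100
MODE_CHANNEL = 4               # 0-based index of the MODE switch (assumed)
MODE_AUTO_ABOVE_US = 1500      # pulse above this means "automatic" (assumed)
RC_TIMEOUT_S = 0.5             # no valid frame for this long -> RC BAD (assumed)
AP_TIMEOUT_S = 0.5             # no AP command for this long -> AP timeout (assumed)

# Stands in for the failsafe values of the airframe commands section.
FAILSAFE_COMMANDS = {"roll": 0, "pitch": 0, "throttle": 0}


def decode_ppm_frame(pulses: List[int]) -> Optional[List[int]]:
    """Return channel values for a frame matching the profile, else None.

    pulses = [sync_gap, ch0, ch1, ...] in microseconds.  A frame from another
    transmitter type (wrong channel count, pulses outside the profile) is
    rejected, so it can never refresh the RC status or move a servo.
    """
    if len(pulses) != CHANNELS + 1 or pulses[0] < SYNC_MIN_US:
        return None
    chans = pulses[1:]
    if any(not PULSE_MIN_US <= p <= PULSE_MAX_US for p in chans):
        return None
    return chans


@dataclass
class Fbw:
    last_rc: float = float("-inf")     # time of the last accepted RC frame
    last_ap: float = float("-inf")     # time of the last autopilot command
    mode_switch_auto: bool = False     # MODE switch in the last accepted frame
    rc_commands: Dict[str, int] = field(default_factory=dict)
    ap_commands: Dict[str, int] = field(default_factory=dict)

    def on_ppm(self, now: float, pulses: List[int]) -> bool:
        chans = decode_ppm_frame(pulses)
        if chans is None:
            return False               # ignored: RC status is not refreshed
        self.last_rc = now
        self.mode_switch_auto = chans[MODE_CHANNEL] > MODE_AUTO_ABOVE_US
        self.rc_commands = {"roll": chans[0], "pitch": chans[1], "throttle": chans[2]}
        return True

    def on_ap(self, now: float, commands: Dict[str, int]) -> None:
        self.last_ap = now
        self.ap_commands = dict(commands)

    def select(self, now: float) -> Tuple[str, Dict[str, int]]:
        """RC GOOD -> MODE switch decides; RC BAD -> AUTO; RC BAD and AP
        timeout -> failsafe commands.  (RC good with MODE on auto and the AP
        timed out is not covered by the page; treating it as failsafe too is
        an assumption of this model.)"""
        rc_good = now - self.last_rc <= RC_TIMEOUT_S
        ap_good = now - self.last_ap <= AP_TIMEOUT_S
        if rc_good and not self.mode_switch_auto:
            return "MANUAL", self.rc_commands
        if ap_good:
            return "AUTO", self.ap_commands
        return "FAILSAFE", FAILSAFE_COMMANDS


# Constructed frames: sync gap followed by 7 channels (roll, pitch, throttle, ...).
GOOD_MANUAL = [6000, 1500, 1500, 1000, 1500, 1000, 1500, 1500]
GOOD_AUTO = [6000, 1500, 1500, 1000, 1500, 1900, 1500, 1500]
WRONG_TX = [6000, 1500, 1500, 1000, 1500, 1900, 1500]        # only 6 channels
NOISE = [6000, 1500, 1500, 1000, 1500, 1900, 1500, 3000]     # pulse out of range


def run_scenario() -> List[str]:
    """Constructed timeline; returns the mode the FBW chose at each step."""
    fbw = Fbw()
    ap_cmd = {"roll": 10, "pitch": -5, "throttle": 60}
    steps = [
        (0.0, lambda: (fbw.on_ppm(0.0, GOOD_MANUAL), fbw.on_ap(0.0, ap_cmd))),
        (0.1, lambda: fbw.on_ppm(0.1, WRONG_TX)),    # wrong transmitter: ignored
        (0.2, lambda: fbw.on_ppm(0.2, NOISE)),       # interference: ignored
        (0.3, lambda: fbw.on_ppm(0.3, GOOD_AUTO)),   # pilot flips MODE to auto
        (1.0, lambda: None),                         # RC and AP both silent
        (1.1, lambda: fbw.on_ap(1.1, ap_cmd)),       # AP back, RC still lost
        (1.2, lambda: fbw.on_ppm(1.2, GOOD_MANUAL)), # RC back: pilot has final word
    ]
    modes = []
    for now, event in steps:
        event()
        modes.append(fbw.select(now)[0])
    return modes


if __name__ == "__main__":
    print(run_scenario())
```

The point of the scenario is the middle steps: a frame from a transmitter with the wrong channel count, or a frame with an out-of-range pulse, is dropped before it can touch the MODE decision, so the mode stays where the last accepted frame left it instead of flapping as a single-channel failsafe switch would; only a sustained absence of valid frames flips the FBW to automatic, and only a simultaneous autopilot timeout drops it to the airframe's failsafe values.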


AP (AutoPilot)

Home mode

The HOME mode is a failsafe mode where the standard navigation (own flightplan) is suspended and the aircraft flies a circle around the HOME waypoint at a safe altitude (security_height attribute in your flight-plan). This mode is triggered on different events. Leaving this mode is done by clicking on the red HOME text in the GCS.

Too far from HOME

Home mode is triggered if the distance to the HOME waypoint is greater than a threshold (max_dist_from_home attribute) set in the flight-plan (displayed as a circle on the GCS map).

RC link failure while manual

Home mode is triggered if RC uplink is lost in MANUAL or AUTO 1 modes.

-When in MANUAL, manual mode is restored as soon as the RC link is restored, as expected.
-However, in AUTO 1 mode one must leave HOME mode manually using the GCS.
! Word of caution with respect to AUTO1: 

When flying AUTO1 with a lot of RC interference (which is not recommended anyway), be prepared for the plane to enter HOME mode. Also, do not be tempted to fly far away in AUTO1 (possibly out of RC range) without a fully tuned AUTO2 autopilot or sufficient visual contact to allow manual control. As soon as you are so far that RC packets get lost, Paparazzi will switch to HOME and will stay in HOME until you choose MANUAL or re-enable AUTO1 on the GCS!

Kill mode

In this mode the throttle is killed (this is the default mode when switching on the autopilot). You can enter this mode manually with the kill button (with confirmation). Kill mode is also triggered in the following cases:

Catastrophic battery level

Kill mode is triggered if the battery level goes under the catastrophic low level (defined in the airframe file).

Way too far from HOME

The plane goes into kill mode if it is way too far from the HOME waypoint, i.e. beyond KILL_MODE_DISTANCE, which you configure in your airframe file:

 <section name="MISC">
   ...
   <define name="KILL_MODE_DISTANCE" value="(1.5*MAX_DIST_FROM_HOME)"/>
   ...
 </section>

In this example it is set to 1.5 times the max_dist_from_home (attribute set in your flight plan).

GPS signal lost

If the GPS signal is lost, the autopilot falls back to the failsafe roll, pitch and throttle settings defined in the airframe file.

Lost datalink communication (optional)

This can be done via a flight-plan exception, e.g. go to the Standby block after 30 seconds without datalink:

 <exceptions>
   ...
   <exception cond="datalink_time > 30"  deroute="Standby"/>
 </exceptions>

You also need to include the datalink.h header file in the header section of your flight plan.

Outside mission boundary (optional)

Use exceptions and/or function calls for this as well.

For an example see EMAV2009_safety.xml in the directory conf/flight_plans, a safety procedure that can be included in other flight-plans. It uses two sectors defined in EMAV2009_data.xml: a smaller Green "soft boundary" and a hard boundary defined by the Red sector.

<procedure>
  <exceptions>
    <exception cond="Or(! InsideGreen(GetPosX(), GetPosY()), GetPosAlt() > ground_alt + 150)" deroute="Center"/>
  </exceptions>

  <blocks>
    <block name="Center" pre_call="if (!InsideRed(GetPosX(), GetPosY())) NavKillThrottle();">
      <circle wp="_CENTER" radius="DEFAULT_CIRCLE_RADIUS"/>
    </block>
  </blocks>

</procedure>

The exception deroutes the plane to the Center block below it if it is outside the Green sector or higher than 150 m above ground. While in the Center block, the pre_call statement is evaluated on every cycle; if the plane is by then also outside the Red sector, the throttle is killed.
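The autopilot-side decisions described on this page (the HOME circle and the KILL_MODE_DISTANCE from "Way too far from HOME", the catastrophic battery level, RC loss in MANUAL/AUTO1, the datalink exception and the Green/Red sectors of the EMAV2009 procedure) as one added Python model. This is illustrative code written for this page, not Paparazzi's autopilot or the EMAV2009 flight plan: positions are metres east/north of HOME in a flat local frame, the sector polygons and all numeric thresholds are constructed values, the inside() test stands in for InsideGreen/InsideRed, and the order in which conditions are checked (kill, then HOME, then flight-plan exceptions) is an assumption; the Red-sector check is also applied unconditionally here, whereas the real procedure only evaluates it from the Center block's pre_call.

```python
"""Model of the autopilot-side failsafe decisions on this page.  Added
example, not Paparazzi's autopilot code.  Positions are metres east/north of
HOME in a flat local frame; the sector polygons, the numeric thresholds and
the order in which conditions are checked are assumptions."""
import math
from dataclasses import dataclass
from typing import List, Tuple

Point = Tuple[float, float]

MAX_DIST_FROM_HOME = 500.0                      # flight-plan attribute (assumed value)
KILL_MODE_DISTANCE = 1.5 * MAX_DIST_FROM_HOME   # airframe define, as in the example above
CATASTROPHIC_BAT_LEVEL = 9.0                    # volts (assumed value)
GROUND_ALT = 100.0                              # m (assumed value)
MAX_ALT_OVER_GROUND = 150.0                     # from the EMAV2009 exception
DATALINK_TIMEOUT_S = 30.0                       # from the datalink exception

# Constructed sectors: the Green soft boundary lies inside the Red hard boundary.
GREEN: List[Point] = [(-300, -300), (300, -300), (300, 300), (-300, 300)]
RED: List[Point] = [(-450, -450), (450, -450), (450, 450), (-450, 450)]


def inside(poly: List[Point], p: Point) -> bool:
    """Even-odd (ray casting) point-in-polygon test; plays the role of
    InsideGreen/InsideRed in the EMAV2009 procedure."""
    x, y = p
    result = False
    for i in range(len(poly)):
        x1, y1 = poly[i]
        x2, y2 = poly[(i + 1) % len(poly)]
        if (y1 > y) != (y2 > y):
            x_cross = x1 + (y - y1) * (x2 - x1) / (y2 - y1)
            if x < x_cross:
                result = not result
    return result


def check_thresholds() -> None:
    """Sanity check worth running before a flight: the kill radius must lie
    outside the HOME circle, and the soft sector inside the hard one."""
    if KILL_MODE_DISTANCE <= MAX_DIST_FROM_HOME:
        raise ValueError("KILL_MODE_DISTANCE must exceed max_dist_from_home")
    if not all(inside(RED, p) for p in GREEN):
        raise ValueError("Green sector must lie inside the Red sector")


def dist_from_home(p: Point) -> float:
    return math.hypot(p[0], p[1])


@dataclass
class Aircraft:
    pos: Point
    alt: float
    battery: float
    mode: str             # "MANUAL", "AUTO1" or "AUTO2"
    rc_ok: bool
    datalink_time: float  # seconds since the last datalink message


def decide(a: Aircraft) -> str:
    """Action for this state: kill conditions first, then HOME, then the
    flight-plan exceptions (this priority order is an assumption)."""
    d = dist_from_home(a.pos)
    if a.battery < CATASTROPHIC_BAT_LEVEL:
        return "KILL:battery"
    if d > KILL_MODE_DISTANCE:
        return "KILL:distance"
    if not inside(RED, a.pos):            # NavKillThrottle() in the Center block
        return "KILL:outside_red"
    if d > MAX_DIST_FROM_HOME:
        return "HOME:too_far"
    if not a.rc_ok and a.mode in ("MANUAL", "AUTO1"):
        return "HOME:rc_lost"
    if not inside(GREEN, a.pos) or a.alt > GROUND_ALT + MAX_ALT_OVER_GROUND:
        return "DEROUTE:Center"           # the EMAV2009 exception
    if a.datalink_time > DATALINK_TIMEOUT_S:
        return "DEROUTE:Standby"          # the datalink exception
    return "NAV"


def nominal(**overrides) -> Aircraft:
    """Constructed healthy state in AUTO2 over HOME; override fields to probe a case."""
    base = dict(pos=(0.0, 0.0), alt=GROUND_ALT + 80, battery=11.1,
                mode="AUTO2", rc_ok=True, datalink_time=1.0)
    base.update(overrides)
    return Aircraft(**base)


if __name__ == "__main__":
    check_thresholds()
    for case in (nominal(), nominal(pos=(400.0, 0.0)), nominal(pos=(460.0, 0.0)),
                 nominal(pos=(0.0, 800.0)), nominal(mode="MANUAL", rc_ok=False)):
        print(case.pos, case.mode, case.rc_ok, "->", decide(case))
```

With these constructed values a position at 400 m east is outside Green but inside Red and still inside the HOME circle, so it only deroutes to Center; 460 m east is outside Red and gets the throttle killed; 800 m north exceeds KILL_MODE_DISTANCE and is killed by distance alone. The check_thresholds() guard encodes the relation the 1.5 factor above relies on: if KILL_MODE_DISTANCE were not larger than max_dist_from_home, the plane would be killed before HOME mode ever had a chance to bring it back.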