Extend Failure Detector functionalities #14766
Conversation
bresch
force-pushed
the
pr-failure-detector
branch
from
1913a23 to
b3c10ea
Compare
|
I rebased on top of master to re-run the CI checks |
src/modules/commander/Commander.cpp
Outdated
| mavlink_log_critical(&mavlink_log_pub, "ESCs did not respond to arm request"); | ||
| } | ||
|
|
||
| } else if (hrt_elapsed_time(&_time_at_takeoff) < (1_s * _param_com_lkdown_tko.get())) { |
There was a problem hiding this comment.
Why is this an else? It means during the first 500ms you don't check this.
There was a problem hiding this comment.
I originally made it like this because if you use PWM outputs in the first 500ms the signal is still in the spoolup phase, thus the vehicle has not yet taken off.
This probably does not hold if you use UAVCAN, right?
There was a problem hiding this comment.
No, and I'd like to avoid these kind of dependencies and implicit assumptions.
| * Time-out for detecting a failure after takeoff | ||
| * | ||
| * A non-zero, positive value specifies the timeframe in seconds within Failure Detector is allowed to put the vehicle into | ||
| * a lockdown state if attitude exceeds the defined limits. |
There was a problem hiding this comment.
This does not hold for all flight modes. Can you either clarify or better reference where it is clearly described?
| bool status_changed = _status != FAILURE_NONE; | ||
| _status = FAILURE_NONE; | ||
|
|
||
| int attitude_fields_bitmask = _status & (FAILURE_ARM_ESCS - 1); |
There was a problem hiding this comment.
This is not very robust. I'd rather enumerate all attitude bits.
| updated |= resetAttitudeStatus(); | ||
| } | ||
|
|
||
| if (areEscSmart()) { |
There was a problem hiding this comment.
This does not do what I would expect from the method name.
Rather use _sub_esc_status.updated() directly.
|
|
||
| /** | ||
| * Enable checks on ESCs that report their arming state. | ||
| * |
There was a problem hiding this comment.
Might be worth describing which checks and the consequences of a failed check
|
Would I be correct in thinking that this has no docs implication? - current failure detector docs are here: http://docs.px4.io/master/en/config/safety.html#failure_detector |
|
@cmic0 Could you please address Beat's comments please? |
| bool status_changed = _status != FAILURE_NONE; | ||
| _status = FAILURE_NONE; | ||
|
|
||
| int attitude_fields_bitmask = _status & (FAILURE_ROLL | FAILURE_PITCH | FAILURE_ALT | FAILURE_EXT); |
There was a problem hiding this comment.
non_esc_bitmask? Otherwise this is fine.
@hamishwillee I'd say we would need to add something to this sentence: as now can be disabled with |
| bool status_changed = _status != FAILURE_NONE; | ||
| _status = FAILURE_NONE; | ||
|
|
||
| int attitude_fields_bitmask = _status & (FAILURE_ROLL | FAILURE_PITCH | FAILURE_ALT | FAILURE_EXT); |
There was a problem hiding this comment.
non_esc_bitmask? Otherwise this is fine.
src/modules/commander/failure_detector/failure_detector_params.c
Outdated
Show resolved
Hide resolved
|
@bkueng addressed the final comments. Let me know if you want me to clean the commit history up or if this is already good to go |
| _esc_failure_hysteresis.set_state_and_update(false, time_now); | ||
| _status &= ~FAILURE_ARM_ESCS; | ||
| updated = true; |
There was a problem hiding this comment.
This should not always return true.
There was a problem hiding this comment.
Signed-off-by: Claudio Micheli <[email protected]>
- Introduced COM_LKDOWN_TKO parameter
- Introduced auto disarm for lockdown state
- Do not trigger flight termiantion if system is in lockdown
Signed-off-by: Claudio Micheli <[email protected]>
Signed-off-by: Claudio Micheli <[email protected]>
cmic0
force-pushed
the
pr-failure-detector
branch
from
2f7e5cf to
0fab8ff
Compare
| // reset ESC bitfield | ||
| _esc_failure_hysteresis.set_state_and_update(false, time_now); | ||
|
|
||
| if (_status & FAILURE_ARM_ESCS) { |
There was a problem hiding this comment.
@bkueng this should guarantee that the status is updated only if the bit is reset.
Describe problem solved by this pull request
Main goal of this PR is to extend Failure Detector logic to handle ESC arming state.
Some types of ESC require that you send them an arm command before they can actually spin.
If they succeed transitioning to the armed state, they will send back an acknowledgment to PX4.
This PR extends Failure Detector logic to handle this kind of information:
after the vehicle is armed Failure Detector will wait
300_msto get an answer from the ESCs.If within this time window all the ESCs do not report to be armed Failure Detector will auto disarm the vehicle.
Checks are performed using
esc_status.esc_armed_flags.During the development of this PR i've also addressed the following points:
Added autodisarm if system is in lockdown. Having the vehicle in lockdown but still armed can be really misleading from a UX standpoint.
Avoid triggering flight termination if vehicle is already in a lockdown state
Introduced a parameter COM_LKDOWN_TKO to extend/disable the "lockdown window".
In some development cases it might be super useful having this logic disabled.