Failure detector / Failsafe (Parachute) triggering

[bresch]

Replaces #10091

Warning
This has never been tested in flight and could potentially kill the vehicle in air.
This PR enables flight termination by disabling the corresponding circuit breaker (reverts ab40008)

Description
This PR enables failsafe parachute triggering capabilities for an autopilot with or without IO processor by the use of disarmed and failsafe values.

Any kind of failure detection can be made using the FailureDetector class, which is instantiated in Commander. At the moment, a simple attitude check is made and sets its internal flags to true if roll or pitch exceed some defined parameters (FD_FAIL_R/P). On each axis, an hysteresis can be configured using the parameters FD_FAIL_R/P_TTRI.
Commander then sets the force_failsafe flag (actuator_armed message) that goes to the FMU driver and to the IO chip (if available).

If the autopilot has an IO chip, one can set a parachute (or other failsafe device) pin to an IO pin and IO will also then be able to trigger it if FMU dies (through a timeout check - 0.5s).

The objective is also to do different check and to have different behaviors if the vehicle is a fixed-wing, a multicopter, a VTOL or a rover. FailureDetector will then be a base class for FWFailureDetector, MCFailureDetector, etc.

How to use it

• Set the "OFF" value of the failsafe system (parachute) using a PWM_MAIN/AUX_DISx parameter
• Set the "ON" value of the failsafe system using a PWM_MAIN/AUX_FAILx parameter
• Adjust FD_FAIL_R/P_TTRI hysteresis if needed
• Add a NullMixer (Z:) where the failsafe system has to be connected (already on output 7 of the quad_x mixer)

Mainly useful for

• Parachute triggering
• Foldable landing gear (unfold to protect the gimbal and camera)
• Gimbal (look up to protect the camera)
• Activate drone finder device
• ...

TODO

• The only way to reset the failsafe state should be to unpower/repower the autopilot, at the moment, the force_failsafe flag is reset when FMU reboots (remove https://github.com/PX4/Firmware/blob/81f0b64ad32ffaf446ad9e3f937986711f353ac2/src/drivers/px4io/px4io.cpp#L1393 ?)
• Low-pass the attitude data in the Failure Detector
• Run Failure Detector before arming and check its state in the preflight checks. Deny arming if a flag is set
• Replace quadchute logic for VTOL (use VTOLFailureDector class) Do that in separate PR
• Test a lot in simulation and test on real drone with disabled logic (CBRK_FLIGHTTERM = 121212). The flag force_failsafe is set even if the logic is disabled but doesn't trigger the parachute.

FYI @LorenzMeier @bkueng @RomanBapst @dagar

@dagar This now prevents issues where a mixer could output some values to the parachute channel (a NullMixer has to be set to that specific output and it outputs NANs which are translated to disarmed or failsafe values only).

Flight termination logic diagram:

[dagar]

Just for testing?

[bresch]

Nope. the termination should always be available by default. At the moment, if someone sets "Terminate" in the drop-down menu of the "Safety" tab of QGC, flight termination will not be triggered. Flight termination was disabled by default "for now", 4 years ago, because "it wasn't safe" but the objective of this PR is also to review and test the flight termination logic.

[dagar]

That sounds fine as long as we're sure of the implications system wide and document it clearly. Especially within the px4io firmware.

[bresch]

This circuit breaker is now again enabled by default.

[julianoes]

Let me try to wrap my head around this:

• Setting this parameter to 121212 will disable the flight termination action.

Ok, I understand that flight termination is enabled given the param is 0 by default, so far so good.

WARNING: ENABLING THIS CIRCUIT BREAKER IS AT OWN RISK

Hm, what risk? So enabling the circuit breaker means no termination is possible which is risky, ok got it. Although having the termination enabled seems risky in its own way.

Ok, I think I get it and it's correct.

[dagar]

This is looking better.

[bkueng]

Generally looks good. I remarked a few things, but didn't look at the mixer changes in-depth.

[bresch]

Now IO sets failsafe PWM values if FMU is not responding but was initialized and armed. This action can be disabled by the flight termination circuit breaker.

[bresch]

I've rebased my local branch cleanly on master (now that the safe version has been merged). I'll do some bench tests before pushing again.

[bresch]

@dagar I added a check in Preflight Checks so it will reject arming if a failure is already detected on ground. Did I do it the correct way?

[dagar]

Do you only want it to block arming with a message, or potentially complain periodically preflight?

[bresch]

Block arming only.

[dagar]

Then I would do it in the state machine helper prearm check.

https://github.com/PX4/Firmware/blob/master/src/modules/commander/state_machine_helper.cpp#L920-L1009

What's the intended use case? Blocking rearming after a real failure or preventing a tipped vehicle from arming? Does the failure ever clear?

[bresch]

The intended use case is to prevent arming a vehicle if it would directly enter the flight termination state after arming. The failure flags are always updated and can freely be set and cleared by the Failure Detector. The termination (no return) is only active when the vehicle is armed.

[dagar]

Makes sense, prearm_check in state machine helper sounds appropriate.

[bresch]

Rebased on master and tested on a bench setup with a Pixhawk4.

Works as expected:

• with SYS_USE_IO=1: switch to failsafe if FMU dies or if attitude failure has been detected
• with SYS_USE_IO=0: switch to failsafe if attitude failure has been detected
• rejects arming if attitude failure is detected during the preflight checks
• tested with several angles, disabled if angle is 0
• tested with different hysteresis values for roll and pitch

@PX4/testflights Can you fly this PR with a quad with your standard parameters (don't enable flight termination!) to confirm that there is no regression? Thanks!

[bresch]

Rebased on master, ready for merging

[bkueng]

Let's merge this then