Safety Configuration (Failsafes)
PX4 has a number of safety features to protect and recover your vehicle if something goes wrong:
- Failsafes allow you to specify areas and conditions under which you can safely fly, and the action that will be performed if a failsafe is triggered (for example, landing, holding position, or returning to a specified point). The most important failsafe settings are configured in the QGroundControl Safety Setup page. Others must be configured via parameters.
- Safety switches on the remote control can be used to immediately stop motors or return the vehicle in the event of a problem.
Failsafe Actions {#failsafe_actions}
Each failsafe defines its own set of actions. Some of the more common failsafe actions are:
Action | Description |
---|---|
None/Disabled | No action (the failsafe will be ignored). |
Warning | A warning message will be sent to QGroundControl. |
Hold mode | The vehicle will enter Hold mode. For multicopters this means the vehicle will hover, while for fixed-wing the vehicle will circle. |
Return mode | The vehicle will enter Return mode. Return behaviour can be set in the Return Home Settings (below). |
Land mode | The vehicle will enter Land mode, and land immediately. |
RC Auto Recovery (CASA Outback Challenge rules) | TBD |
Flight termination | Turns off all controllers and sets all PWM outputs to their failsafe values (e.g. PWM_MAIN_FAILn, PWM_AUX_FAILn). The failsafe outputs can be used to deploy a parachute, landing gear or perform another operation. For a fixed-wing vehicle this might allow you to glide the vehicle to safety. |
Lockdown | Kills the motors (sets them to disarmed). This is the same as using the kill switch. |
Note It is possible to recover from a failsafe action (if the cause is fixed) by switching modes. For example, in the case where RC Loss failsafe causes the vehicle to enter Return mode, if RC is recovered you can change to Position mode and continue flying.
Note If a failsafe occurs while the vehicle is responding to another failsafe (e.g. Low battery while in Return mode due to RC Loss), the specified failsafe action for the second trigger is ignored. Instead the action is determined by separate system level and vehicle specific code. This might result in the vehicle being changed to a manual mode so the user can directly manage recovery.
QGroundControl Safety Setup {#qgc_safety_setup}
The QGroundControl Safety Setup page is accessed by clicking the QGroundControl Gear icon (Vehicle Setup - top toolbar) and then Safety in the sidebar. This includes the most important failsafe settings (battery, RC loss etc.) and the settings for the return actions Return and Land.
Low Battery Failsafe
The low battery failsafe is triggered when the battery capacity drops below one (or more) warning level values.
The most common configuration is to set the values and action as above (with Warn > Failsafe > Emergency). With this configuration the failsafe will trigger warning, then return, and finally landing if capacity drops below the respective levels.
It is also possible to set the Failsafe Action to warn, return, or land when the Battery Failsafe Level is reached.
The settings and underlying parameters are shown below.
Setting | Parameter | Description |
---|---|---|
Failsafe Action | COM_LOW_BAT_ACT | Warn, Return, or Land when capacity drops below Battery Failsafe Level, OR Warn, then return, then land based on each of the level settings below. |
Battery Warn Level | BAT_LOW_THR | Percentage capacity for warnings (or other actions). |
Battery Failsafe Level | BAT_CRIT_THR | Percentage capacity for Return action (or other actions if a single action selected). |
Battery Emergency Level | BAT_EMERGEN_THR | Percentage capacity for triggering Land (immediately) action. |
RC Loss Failsafe
The RC Loss failsafe is triggered if the RC transmitter link is lost.
The settings and underlying parameters are shown below.
Setting | Parameter | Description |
---|---|---|
RC Loss Timeout | COM_RC_LOSS_T | Amount of time after losing the RC connection before the failsafe will trigger. |
Failsafe Action | NAV_RCL_ACT | Disabled, Loiter, Return, Land, RC Auto Recovery, Terminate, Lockdown. |
RC Loss Loiter Time | NAV_RCL_LT | If the Failsafe Action (NAV_RCL_ACT) is set to CASA Outback Challenge rules this sets the loiter time after RC loss. |
Data Link Loss Failsafe
The Data Link Loss failsafe is triggered if a telemetry link (connection to ground station) is lost when flying a mission.
The settings and underlying parameters are shown below.
Setting | Parameter | Description |
---|---|---|
Data Link Loss Timeout | COM_DL_LOSS_T | Amount of time after losing the data connection before the failsafe will trigger. |
Failsafe Action | NAV_DLL_ACT | Disabled, Hold mode, Return mode, Land mode, Data Link Auto Recovery (CASA Outback Challenge rules), Terminate, Lockdown. Selecting the Data Link Auto Recovery (CASA Outback Challenge rules) action additionally enables the Data Link Loss parameters. |
Geofence Failsafe
The Geofence is defined as a “virtual” cylinder around the home position. If the vehicle moves outside the radius or above the altitude the specified Failsafe Action will trigger.
The settings and underlying geofence parameters are shown below.
Setting | Parameter | Description |
---|---|---|
Action on breach | GF_ACTION | None, Warning, Hold mode, Return mode, Terminate. |
Max Radius | GF_MAX_HOR_DIST | Horizontal radius of geofence cylinder. Geofence disabled if 0. |
Max Altitude | GF_MAX_VER_DIST | Height of geofence cylinder. Geofence disabled if 0. |
Note Setting GF_ACTION to terminate will kill the vehicle on violation of the fence. Due to the inherent danger of this, this function is disabled using CBRK_FLIGHTTERM, which needs to be reset to 0 to really shut down the system.
The following settings also apply, but are not displayed in the QGC UI.
Setting | Parameter | Description |
---|---|---|
Geofence altitude mode | GF_ALTMODE | Altitude reference used: 0 = WGS84, 1 = AMSL. |
Geofence counter limit | GF_COUNT | Set how many subsequent position measurements outside of the fence are needed before geofence violation is triggered. |
Geofence source | GF_SOURCE | Set whether position source is estimated global position or direct from the GPS device. |
Circuit breaker for flight termination | CBRK_FLIGHTTERM | Enables/Disables flight termination action (disabled by default). |
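
The cylinder check and the GF_COUNT requirement described above, modelled as an added example (this is not PX4's implementation). It assumes positions are already expressed in metres relative to home, that a limit of 0 disables only that limit, and that GF_COUNT counts consecutive outside samples; the track is constructed.

```python
import math
from dataclasses import dataclass


@dataclass
class GeofenceParams:
    GF_MAX_HOR_DIST: float  # metres; 0 disables this limit (assumed per-limit)
    GF_MAX_VER_DIST: float  # metres; 0 disables this limit (assumed per-limit)
    GF_COUNT: int           # consecutive outside samples needed (assumed semantics)


def outside_fence(p, north, east, up):
    """True if a home-relative position in metres lies outside the cylinder."""
    if p.GF_MAX_HOR_DIST > 0 and math.hypot(north, east) > p.GF_MAX_HOR_DIST:
        return True
    return p.GF_MAX_VER_DIST > 0 and up > p.GF_MAX_VER_DIST


def first_breach_index(p, samples):
    """Index of the sample at which a breach is declared, or None."""
    needed = max(1, p.GF_COUNT)
    run = 0  # length of the current run of outside-the-fence samples
    for i, (north, east, up) in enumerate(samples):
        run = run + 1 if outside_fence(p, north, east, up) else 0
        if run >= needed:
            return i
    return None


# Constructed track (north, east, up) in metres relative to home:
# one isolated position glitch at index 2, then a real excursion from index 4.
TRACK = [(0, 0, 10), (50, 50, 20), (150, 0, 20), (60, 60, 20),
         (80, 80, 30), (90, 90, 30), (100, 100, 30)]

if __name__ == "__main__":
    for count in (1, 3):
        params = GeofenceParams(100.0, 120.0, count)
        print(f"GF_COUNT={count}: breach at sample", first_breach_index(params, TRACK))
```

With GF_COUNT set to 1 the single glitch at index 2 is enough to trigger the configured action, which matters most when GF_ACTION is set to terminate.
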
Return Home Settings {#return_settings}
Return is a common failsafe action that engages Return mode to return the vehicle to the home position. This section shows how to set the land/loiter behaviour after returning.
The settings and underlying parameters are shown below:
Setting | Parameter | Description |
---|---|---|
Climb to altitude | RTL_RETURN_ALT | Vehicle ascends to this minimum height (if below it) for the return flight. |
Return behaviour | | Choice list of Return then: Land, Loiter and do not land, or Loiter and land after a specified time. |
Loiter Altitude | RTL_DESCEND_ALT | If return with loiter is selected you can also specify the altitude at which the vehicle holds. |
Loiter Time | RTL_LAND_DELAY | If return with loiter then land is selected you can also specify how long the vehicle will hold. |
Note The return behaviour is defined by RTL_LAND_DELAY. If negative the vehicle will land immediately. Additional information can be found in Return mode.
Land Mode Settings
Land at the current position is a common failsafe action that engages Land Mode. This section shows how to control when and if the vehicle automatically disarms after landing. For Multicopters (only) you can additionally set the descent rate.
The settings and underlying parameters are shown below:
Setting | Parameter | Description |
---|---|---|
Disarm After | COM_DISARM_LAND | Select checkbox to specify that the vehicle will disarm after landing, and enter delay after landing before disarming. The value must be non-zero but can be a fraction of a second. |
Landing Descent Rate | MPC_LAND_SPEED | Rate of descent (MC only). |
Other Failsafe Settings {#failsafe_other}
This section contains information about failsafe settings that cannot be configured through the QGroundControl Safety Setup page.
Position (GPS) Loss Failsafe
The Position Loss Failsafe is triggered if the quality of the PX4 position estimate falls below acceptable levels (this might be caused by GPS loss) while in a mode that requires an acceptable position estimate.
The failure action is controlled by COM_POSCTL_NAVL, based on whether RC control is assumed to be available (and altitude information):
- 0: Remote control available. Switch to Altitude mode if a height estimate is available, otherwise Stabilized mode.
- 1: Remote control not available. Switch to Land mode if a height estimate is available, otherwise enter flight termination.
Fixed Wing vehicles additionally have a parameter (NAV_GPSF_LT) for defining how long they will loiter (circle) after losing position before attempting to land.
The relevant parameters for all vehicles are shown below (also see GPS Failure navigation parameters):
Parameter | Description |
---|---|
COM_POS_FS_DELAY | Delay after loss of position before the failsafe is triggered. |
COM_POSCTL_NAVL | Position control navigation loss response during mission. Values: 0 - assume use of RC, 1 - Assume no RC. |
CBRK_GPSFAIL | Circuit breaker that can be used to disable GPS failure detection. |
CBRK_VELPOSERR | Circuit breaker for position error check (disables error checks in all modes). |
Parameters that only affect Fixed Wing vehicles:
Parameter | Description |
---|---|
NAV_GPSF_LT | Loiter time (waiting for GPS recovery before it goes into flight termination). Set to 0 to disable. |
NAV_GPSF_P | Fixed pitch angle while circling. |
NAV_GPSF_R | Fixed roll/bank angle while circling. |
NAV_GPSF_TR | Thrust while circling. |
Offboard Loss Failsafe
The Offboard Loss Failsafe is triggered if the offboard link is lost while under Offboard control. Different failsafe behaviour can be specified based on whether or not there is also an RC connection available.
The relevant parameters are shown below:
Parameter | Description |
---|---|
COM_OF_LOSS_T | Delay after loss of offboard connection before the failsafe is triggered. |
COM_OBL_ACT | Failsafe action if no RC is available: Land mode, Hold mode, Return mode. |
COM_OBL_RC_ACT | Failsafe action if RC is available: Position mode, Altitude mode, Manual mode, Return mode, Land mode, Hold mode. |
Mission Failsafe
The Mission Failsafe checks prevent a previous mission being started at a new takeoff location or if it is too big (distance between waypoints is too great). The failsafe action is that the mission will not be run.
The relevant parameters are shown below:
Parameter | Description |
---|---|
MIS_DIST_1WP | The mission will not be started if the current waypoint is more distant than this value from the home position. Disabled if value is 0 or less. |
MIS_DIST_WPS | The mission will not be started if any distance between two subsequent waypoints is greater than this value. |
Traffic Avoidance Failsafe
The Traffic Avoidance Failsafe allows PX4 to respond to transponder data (e.g. from ADSB transponders) during missions.
The relevant parameters are shown below:
Parameter | Description |
---|---|
NAV_TRAFF_AVOID | Set the failsafe action: Disabled, Warn, Return mode, Land mode. |
Adaptive QuadChute Failsafe
Failsafe for when a pusher motor (or airspeed sensor) fails and a VTOL vehicle can no longer achieve a desired altitude setpoint in fixed-wing mode. If triggered, the vehicle will transition to multicopter mode and enter failsafe Return mode.
The relevant parameters are shown below:
Parameter | Description |
---|---|
VT_FW_ALT_ERR | Maximum negative altitude error for fixed wing flight. If the altitude drops more than this value below the altitude setpoint the vehicle will transition back to MC mode and enter failsafe RTL. |
Failure Detector {#failure_detector}
The failure detector allows a vehicle to take protective action(s) if it unexpectedly flips - for example, it can launch a parachute or perform some other action.
Note Failure detection is deactivated by default using a circuit breaker. You can enable it by setting CBRK_FLIGHTTERM=0.
More precisely, the failure detector triggers flight termination (in all modes) if the vehicle attitude exceeds predefined pitch and roll values for more than a specified time.
The relevant parameters are shown below:
Parameter | Description |
---|---|
CBRK_FLIGHTTERM | Flight termination circuit breaker. Unset from 121212 (default) to enable flight termination due to FailureDetector or FMU loss. |
FD_FAIL_P | Maximum allowed pitch (in degrees). |
FD_FAIL_R | Maximum allowed roll (in degrees). |
FD_FAIL_P_TTRI | Time to exceed FD_FAIL_P for failure detection (default 0.3s). |
FD_FAIL_R_TTRI | Time to exceed FD_FAIL_R for failure detection (default 0.3s). |
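
The timing rule above, modelled as an added example (this is not PX4's implementation): termination is reported only when roll or pitch stays beyond its limit for longer than the matching time, and only when CBRK_FLIGHTTERM is not at its default. The 60 degree limits, the magnitude comparison and the attitude log are assumptions made for the example.

```python
CBRK_ENGAGED = 121212  # default CBRK_FLIGHTTERM value: termination disabled


def termination_time(params, attitude_log):
    """Timestamp (s) at which termination would trigger, or None.

    attitude_log: iterable of (time_s, roll_deg, pitch_deg) samples.
    """
    if params["CBRK_FLIGHTTERM"] == CBRK_ENGAGED:
        return None  # circuit breaker engaged: the detector cannot terminate
    limits = {
        "roll": (params["FD_FAIL_R"], params["FD_FAIL_R_TTRI"]),
        "pitch": (params["FD_FAIL_P"], params["FD_FAIL_P_TTRI"]),
    }
    exceeded_since = {"roll": None, "pitch": None}
    for t, roll, pitch in attitude_log:
        for axis, angle in (("roll", roll), ("pitch", pitch)):
            limit, hold = limits[axis]
            if abs(angle) <= limit:  # magnitude comparison is an assumption
                exceeded_since[axis] = None  # back inside: restart the timer
                continue
            if exceeded_since[axis] is None:
                exceeded_since[axis] = t
            if t - exceeded_since[axis] > hold:
                return t
    return None


# Constructed values: 60 degree limits are placeholders, 0.3 s is the page's default.
PARAMS = {"CBRK_FLIGHTTERM": 0, "FD_FAIL_R": 60, "FD_FAIL_P": 60,
          "FD_FAIL_R_TTRI": 0.3, "FD_FAIL_P_TTRI": 0.3}

# Constructed log: a brief roll spike at 0.125 s, then a sustained flip from 0.375 s.
LOG = [(0.0, 5, 2), (0.125, 70, 3), (0.25, 10, 2), (0.375, 65, 5),
       (0.5, 80, 10), (0.625, 120, 20), (0.75, 170, 30)]

if __name__ == "__main__":
    print("enabled:", termination_time(PARAMS, LOG))
    print("breaker at default:",
          termination_time({**PARAMS, "CBRK_FLIGHTTERM": CBRK_ENGAGED}, LOG))
```

The brief spike at 0.125 s does not trigger anything because the timer restarts as soon as the attitude is back within limits.
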
Safety Switches {#safety_switch}
A safety switch allows you to immediately stop all motors or return the vehicle from the remote control transmitter (if you lose control of the vehicle, this may be better than allowing it to continue flying).
The safety switches may be enabled as part of QGroundControl Flight Mode Setup.
This section lists the available safety switches.
Kill Switch {#kill_switch}
A kill switch immediately stops all motor outputs (and if flying, the vehicle will start to fall)! The motors will restart if the switch is reverted within 5 seconds. After 5 seconds the vehicle will automatically disarm; you will need to arm it again in order to start the motors.
Arm/Disarm Switch {#arming_switch}
The arm/disarm switch is a replacement for the default stick arming/disarming mechanism (and serves the same purpose: making sure there is an intentional step involved before the motors start/stop). It might be used in preference to the default mechanism because:
- Of a preference of a switch over a stick motion (e.g. if using a stick on another autopilot).
- It avoids accidentally triggering arming/disarming in-air with a certain stick motion.
- There is no delay (it reacts immediately).
The arm/disarm switch immediately disarms (stops) motors for those flight modes that support disarming in flight. This includes:
- Manual mode
- Acro mode
- Stabilized
- Rattitude
For modes that do not support disarming in flight, the switch is ignored during flight, but may be used after landing is detected. This includes Position mode and autonomous modes (e.g. Mission, Land etc.).
Return Switch {#return_switch}
A return switch can be used to immediately engage Return mode.