Flight termination: lockdown if failure is detected on takeoff

[bresch]

During the first few seconds after takeoff, the failure detector is allowed to trigger motor lockdown.
This is done for safety reasons to detect tipping-over or unstable tuning gains.

SITL test: takeoff with unstable gains
https://logs.px4.io/plot_app?log=b43c05ec-0330-414a-b069-41309ce13cf5

FYI @Jaeyoung-Lim

[bresch]

@hamishwillee The documentation for flight termination is here but where exactly should we mention that the failure detector is active during the first few seconds after takeoff even if the circuit-breaker is set? Should it be just a "note" and a modification of the diagram?

[hamishwillee]

Hi @bresch

• Is the whole failure detector enabled on takeoff or just the attitude trigger? i.e. could an ATS still trigger on takeoff with the circuit breaker enabled?
• Is the failure detector enabled before arming, or after arming before takeoff?

In any case, first I'd suggest we update the text in Safety > Failure Detector. Perhaps replace the existing note with.

Note Failure detection is always enabled for the first few seconds after takeoff. It can be enabled/disabled in flight using the CBRK_FLIGHTTERM=0 circuit breaker.

For the flight termination doc I would change the first pullet point under the software configuration heading to:

• Enable the failure detector during flight by setting CBRK_FLIGHTTERM=0 (disabled by default).

  Note The failure detector active for a few seconds after takeoff, irrespective of the value of CBRK_FLIGHTTERM (in order to detect the vehicle tipping during launch).

Updating diagram would be good. Perhaps you could just add a text where shown saying something like "(After takeoff complete)" where marked?

[bkueng]

So it would trigger a parachute?

[hamishwillee]

@bkueng Good question. I would assume so if set up to do so in flight termination. @bresch ?

[bresch]

@bkueng It triggers flight termination, so if you have flight termination associated with a parachute trigger, yes. Should we trigger a "manual lockdown" (aka: kill) ?
I thought this wasn't a big issue because most of the new setups that would benefit from this feature won't have a parachute for their first flight, and even if it triggers it, you would have this as well with an external flight termination system. However, I agree that a simple kill would be enough because the parachute will most of the times not help, except if the drone shoots in the sky fast enough.

[julianoes]

I'm scared that this will lead to false positives where we trigger termination after having taken off successfully within 5 seconds. Which detectors are used here and how sensitive are they?

[bresch]

@julianoes By default, it's the tilt limit of 60 degrees (defined by FD_FAIL_P). We can reduce the 5s period or increase the default if required, but I've never seen a false detection in any of our flights

[julianoes]

Ok, which means this won't work when flying acro, and maybe planes.

[bresch]

@julianoes Correct, the failure detector is not active in acro, rattitude and FW manual modes

[LorenzMeier]

@bresch I don't think termination is the right choice here. I would limit to 3 seconds or less and lock the system down rather than triggering termination.

Otherwise we will have parachute deployments on the ground and some of them are kinetic (explosives).

[LorenzMeier]

This should probably be a lockdown without termination (the architecture enables that) and a shorter period to make sure we've not left the ground.

[julianoes]

Ok!

[hamishwillee]

@bresch Did you make the changes needed in docs for this? i.e. as discussed in #14428 (comment)

Did this end up being "flight termination" or some other action? Still triggered by the failure detector?