PX4-Autopilot icon indicating copy to clipboard operation
PX4-Autopilot copied to clipboard

Published 20 hours ago verified publisher icon PX4

Commander failsafe state machine rewrite

Open bkueng opened this issue 2 years ago • 8 comments

This brings the failsafe state machine from https://github.com/PX4/PX4-Autopilot/pull/19708.

General

  • The concept is the same as from the RFC
  • Removes state_machine_helper.cpp completely
  • Introduces a UserModeIntention class that handles mode switching, which then goes through the failsafe state machine which outputs the actually set mode.
  • The implementation can be simulated & tested on https://logs.px4.io/plot_app/static/failsafe_test/index.html image

I tested various things, but more testing certainly wouldn't hurt.

Changed behavior

  • mode switching is always possible while disarmed. Mode initialization is to Hold, then to the RC configured mode if RC comes in.
  • when disarming: switch back to the previous mode where arming is possible. E.g. Position -> RTL -> disarm -> Position
  • user override: failsafes generally go into hold first for 5s, w/o stick override possible, then trigger the action where stick override is possible. Override by mode switching is generally always possible.
  • RC: the failsafe state machine considers RC as optional if lost during arming. Once found and lost again, RC loss actions are triggered. This is close to the current behavior. Later on we can use mode requirements to prevent arming & mode switching for the modes requiring RC.
  • arming is prevented if both RC and DL are missing
  • if DL loss action configured, a missing DL prevents arming
  • removed COM_OBL_ACT
  • various other small details

Let me know if you find cases that don't work or would like to have differently.

TODO later

  • rename vehicle_status_flags to failsafe_flags
  • integrate and deploy the simulation to the docs

bkueng avatar Sep 06 '22 15:09 bkueng

Hi @beat, I apologize, I accidentally pushed to your branch while thinking I was updating #20164. I've reverted my mistake.

This PR looks good to me so far. I'll be doing some testing today and will update you with anything I learn.

mcsauder avatar Sep 06 '22 17:09 mcsauder

Flight tested checking geofence behaviors and mode changes here: https://review.px4.io/plot_app?log=fb5dc914-1d7b-479f-816e-9b054fd2a8e7

mcsauder avatar Sep 06 '22 18:09 mcsauder

What is COM_OBL_ACT getting replaced with? COM_OBL_RC_ACT? Also, will rc failsafe still work while in offboard? For my use case, I need to always have RC available while in offboard.

benjinne avatar Sep 06 '22 18:09 benjinne

@bkueng This sounds pretty awesome. Did you plan to document this?

We need to think about:

  • QGC config / safety screens
  • Failsafe docs - https://docs.px4.io/main/en/config/safety.html#safety-configuration-failsafes
  • Developer docs - how to extend this

I can see you already put quite a lot of thought into how this might be done in https://logs.px4.io/plot_app/static/failsafe_test/index.html and the RFC.

hamishwillee avatar Sep 07 '22 07:09 hamishwillee

What is COM_OBL_ACT getting replaced with? COM_OBL_RC_ACT? Also, will rc failsafe still work while in offboard? For my use case, I need to always have RC available while in offboard.

Yes COM_OBL_RC_ACT is generally used now. If you have both offboard + RC loss, the more severe action is triggered. You can check yourself in the simulator: https://logs.px4.io/plot_app/static/failsafe_test/index.html Let me know if you cannot achieve your desired behavior.

bkueng avatar Sep 07 '22 07:09 bkueng

Did you plan to document this?

Yes exactly. The docs will need some smaller updates, and I want to automatically deploy the simulation to the docs - it allows to simulate the exact behavior of what the vehicle is doing. I will look into that. QGC setup page does not need changes, but ideally we'd have something like the actuators page where we just generate the page(s) from all the options that the vehicle has.

bkueng avatar Sep 07 '22 07:09 bkueng

Yes exactly. The docs will need some smaller updates, and I want to automatically deploy the simulation to the docs - it allows to simulate the exact behavior of what the vehicle is doing. I will look into that.

Sounds great. I'll leave you to do first shot at required changes and get back to me then.

I think this is pretty important.

QGC setup page does not need changes, but ideally we'd have something like the actuators page where we just generate the page(s) from all the options that the vehicle has.

That would be great.

The problem with many of the screens at the moment is that they omit things. For example: http://docs.px4.io/main/en/config/safety.html#rc-loss-failsafe allows you to set COM_RC_LOSS_T when most are interested in COM_RCL_ACT_T (the first is a short timeout after you stop getting data to indicate RC lost, and the second is the timeout before you do something about that loss.

What I imagine is that a dynamically created screen might display all of them, and but hide the less important ones behind "advanced". Not sure if we can identify params as "advanced" though :-)

hamishwillee avatar Sep 08 '22 01:09 hamishwillee

  • arming is prevented if both RC and DL are missing
  • if DL loss action configured, a missing DL prevents arming

Thank you, this is embarrassingly overdue.

dagar avatar Sep 14 '22 19:09 dagar

Any objections to merging this?

bkueng avatar Sep 30 '22 10:09 bkueng

There's a small merge conflict from the minimal open droid id handling, but it shouldn't be too bad (I held back the preflight check).

Let's try to get this PR settled now? I can make sure no other commander changes come in.

dagar avatar Oct 05 '22 13:10 dagar

Rebased

bkueng avatar Oct 06 '22 07:10 bkueng

@dagar should we bring this in?

bkueng avatar Oct 11 '22 12:10 bkueng