Plane Failsafe Function

Plane has a limited failsafe function which is designed to do four things:

  1. Detects a RC Failsafe condition and then initiating a defined response, such as returning to home. Detection of an RC Failsafe is either a complete loss, or corruption, of RC signals, or the receiver sets a FS bit in its data stream for those protocols supporting it (SBUS, etc.), or that the throttle channel PWM value falls below a certain point set by THR_FS_VALUE. This RC failsafe must be enabled by setting THR_FAILSAFE = 1.

  2. Optionally, detect loss of telemetry (GCS Failsafe) and take an programmable action, such as switching to return to launch (RTL) mode.

  3. Detect loss of GPS for more than 20 seconds and switch into Dead Reckoning mode until GPS signal is regained. See https://youtu.be/0VMx2u8MlUU for a demo.

  4. Optionally, detect low battery conditions (low voltage/remaining capacity) and initiate a programmable response, such as returning to home. ArduPilot supports this on multiple batteries.

Here’s what the failsafe will not do:

  • Detect if one or more individual RC channel has failed or become disconnected

  • Detect if you’re flying too far away or are about to hit the ground

  • Detect autopilot hardware failures, such as low-power brownouts or in-air reboots

  • Detect if the Plane software is not operating correctly

  • Detect other problems with the aircraft, such as motor failures

  • Otherwise stop you from making setup or flight mistakes

Note

See Advanced Failsafe Configuration for extended failsafe configurations.

RC Failsafe

Radio Signal Failure

If the received signal is lost or the control information corrupted, or the receiver sets its “failsafe bit” in protocols which have this (like Sbus, FPort, etc.), then an RC Failsafe condition occurs and the actions described in the RC Failsafe Actions section below will be taken, if the THR_FAILSAFE parameter is 1.

Note

by setting RC_OPTIONS bit 2, you can force ArduPilot to ignore the “failsafe” bits in the protocol, and only initiate RC Failsafe due to missing or corrupted control information.

Throttle Failsafe

In addition, if the throttle signal falls below a threshold set by THR_FS_VALUE and the THR_FAILSAFE is = 1, an RC Failsafe condition will be entered, a Ground Control Station text message (“Throttle Failsafe On”) will be sent (to differentiate from a Radio Signal Failure Failsafe), and the actions described in the RC Failsafe Actions section below will be taken.

Throttle Failsafe Setup

Note

Throttle Failsafe is not required. If you wish to have failsafe protection against RC signal loss, but not setup a throttle signal controlled failsafe, then set THR_FS_VALUE lower than the lowest RC throttle signal that can be sent to the autopilot from the receiver.

In order to activate the Throttle Failsafe, the throttle signal received by the autopilot must be below THR_FS_VALUE. Once setup, this can be controlled by the pilot to initiate Throttle failsafe intentionally (for testing, or instead of setting up an RTL position on the flight mode switch), or by having the receiver, itself, send that value when it loses RC signal.

Note

having the receiver send a pre-set failsafe throttle value upon signal loss is NOT recommended and can lead to issues if a battery level failsafe is setup in QuadPlanes. Setting the receiver to send “no pulses” is much preferred. However, some very old receivers will only send a low throttle level in failsafe, see the section below, Old Receivers.

The system must be setup such that the throttle channel’s signal can go below THR_FS_VALUE (Default is 950), but still be above it for normal low throttle stick operation. Before doing the RC Calibration setup step which determines normal operating ranges for the throttle channel and others, make sure that the low throttle stick position on your transmitter is above THR_FS_VALUE. This can be done several ways:

  • When you do the RC Calibration setup step, change the trim tab for the throttle channel to adjust its signal 40-50us above THR_FS_VALUE at low throttle stick. This will be the normal operating position. Lowering the trim tab and setting the THR_FS_VALUE to that value allows initiating a failsafe at low trim.

  • Setup a transmitter switch that you will use to force failsafe such that it forces the throttle channel signal, using a mix, to below THR_FS_VALUE when activated, allowing normal operation otherwise.

RC Failsafe Operation

  • When RC Failsafe is entered, all RC inputs (except throttle in the case of Throttle Failsafe), are ignored as the autopilot takes its failsafe actions.

  • First, the autopilot will go into Short Failsafe when it detects RC Failsafe for more than FS_SHORT_TIMEOUT seconds.

  • A message will be displayed on your Ground Control Station(GCS), or OSD, if its message panel is enabled, that a Short Failsafe is active, and the flight controller will take the FS_SHORT_ACTN, if enabled. The default is CIRCLE mode.

  • If the condition causing the Short Failsafe is removed, the vehicle will return to the previous mode, and a message will be displayed that Short Failsafe is cleared. If it was a Throttle Failsafe that caused the RC Failsafe, and throttle was increased in order to exit, then an additional message will be sent stating that the Throttle Failsafe is OFF.

  • If the condition causing the Short Failsafe persists longer than FS_LONG_TIMEOUT seconds the autopilot will go into Long Failsafe, send a message to the GCS that it has been entered, and execute the FS_LONG_ACTN action, if enabled. The default setting for Long Failsafe action to take is RTL (Return to Launch).

  • If the RC Failsafe condition is later exited, a message will be displayed that the Long Failsafe is cleared, but the flight mode will not revert. If it was a Throttle Failsafe that caused the RC Failsafe, and throttle was increased in order to exit, then an additional message will be sent stating that the Throttle Failsafe is OFF.

Note

The action set by FS_LONG_ACTN will continue even if your RC signal is reacquired, if the flight mode is the same as it was before the failsafe action began. Once RC signal is reacquired, the FS_LONG_ACTN can be exited via a mode change on the FLTMODE_CH. If the mode on the RC transmitter was changed during the failsafe period, then this changed mode is entered after the RC signal is restored. In addition, other failsafes, such as battery failsafe, can also change the mode, if they occur subsequently to the RC signal loss.

Bench Testing RC Failsafe

  1. Power up the system and verify that you are seeing RC control in the Mission Planner SETUP->Mandatory Hardware->Radio Calibration tab and in a non-auto mode (Manual, Stabilize, FBW are ok). Check that normal throttle movements to idle do NOT trigger a failsafe and normal control stick movements are observed.

  2. Switch to Mission Planners DATA View tab. Turn off the transmitter. After FS_SHORT_TIMEOUT seconds, if enabled, you should see the flight mode switch to FS_SHORT_ACTN. After FS_LONG_TIMEOUT sec, if enabled, the flight mode should then switch to FS_LONG_ACTN. Turn the transmitter back on and change flight modes. The Long Failsafe flight mode should change to the selected mode.

  3. If Throttle Failsafe is setup (ie via trim tab or transmitter switch). Check that it operates correctly by activating it and watching for Short and Long Failsafes to occur.

If you observe this behavior, your RC Failsafe function has been set up correctly. If not, recheck that the parameters above have been set correctly.

Older Receivers

Some very old RC receivers cannot be set to send “no pulses” when losing RC signal and simple hold the ROLL/PITCH/YAW RC channels at their last value and set the throttle channel to its minimum PWM value (low throttle). For those, the only way to setup an RC failsafe is to set the THR_FS_VALUE to slightly above that value and use the transmitters trim tab to raise the idle stick value 40-50us above that for normal operation.

Note

be sure to do ESC calibration after you have setup the failsafes and throttle ranges.

Transmitter Tutorials:

Spektrum Setup

GCS Failsafe

How it works. When flying while using telemetry on the GCS, the autopilot can be programmed to trigger into failsafe mode if it loses telemetry. In the event that the autopilot stops receiving MAVlink (telemetry protocol) heartbeat messages. FS_LONG_ACTN applies just in the case of a long Throttle Failsafe.

Setup.

  1. Set FS_GCS_ENABL to 1 to enable it.

  2. Connect to the Mission Planner via telemetry. Verify on the bottom right corner of the HUD that you are “flying” in a non auto mode (Manual, Stabilize, FBW are ok).

  3. Unplug one of the telemetry radios. After a few minutes power off your autopilot. (Remember the autopilot will not go fully into failsafe until FS_LONG_TIMEOUT seconds of MAVLink inactivity have passed).

  4. Connect your autopilot to the mission planner and pull the logs. Verify on the log that the autopilot went into RTL after FS_LONG_TIMEOUT sec of MAVLink inactivity.

Configuring for Ground Control Station Control beyond RC range

If the telemetry range exceeds the RC transmitter range, then it may be desired to prevent loss of RC signal from initiating a failsafe. Reliance on the above GCS failsafe would be then be used to provide failsafe protection. In order to prevent the RC system from interfering with GCS operation, set THR_FAILSAFE = 2. This prevents the RC failsafe action from being taken, but still detects the failsafe condition and ignores the RC inputs, preventing possible interference to Ground Control Station control of the vehicle. Control via the RC system can be resumed once back into its range.

Configuring for valid RC outputs while in RC Failsafe

Normally, the RC channels are ignored when in RC Failsafe (except the throttle channel, but for failsafe detection exit only). Sometimes it is desirable to allow the preset signal loss values( for receivers capable of this ), to be used in the event of an RC failsafe. For example, parachute activation, or other controls via RC passthrough (see Auxiliary Functions) could be desired when in RC failsafe. For receivers with this capability and which use a FS data bit, setting RC_OPTIONS bit 2 to “1”, can accomplish this. In this case, the FS bit is ignored. Upon RC signal loss the receiver would go to its pre-set channel outputs values, but a failsafe action would not be taken by ArduPilot, since the receiver is still outputting valid data as far as ArduPilot can detect. The fixed RC channel values would processed as normal by ArduPilot.

Note

In this setup, it is usually necessary to make sure that the flight mode channel will force an RTL or AUTO mission to return the vehicle when the receiver loses RC signal, since no failsafe action will be taken, otherwise. The values of the flight control channels for Roll, Pitch, Yaw and Throttle need to be appropriately set also (usually neutral positions).

Warning

Since the autopilot cannot know if the RC link is lost in this configuration, it is possible to get into dangerous situations, especially with QuadPlanes. For example, you are low on battery and far away, and the battery failsafe is active and attempting a VTOL land to prevent a crash. As it drops out of RC range, it will switch to the RC failsafe mode set in the receiver, and attempt to execute that, canceling the battery failsafe action, and ultimately resulting in a crash.

Battery Failsafe

Note

This failsafe requires the vehicle have a working Power Module.

Note

ArduPilot firmware versions 4.0 and later support up to 10 batteries/power monitors. All the discussion below applies to those optional batteries also. Each can trigger a failsafe and each can have different actions and setup values. In addition, a group of batteries can be treated as a single unit, see BATTx_MONITOR = 10.

When the failsafe will trigger

If enabled and set-up correctly the battery failsafe will trigger if the main battery’s

  • voltage drops below the voltage held in the BATT_LOW_VOLT parameter (or FS_BATT_VOLTAGE in older versions) for more than 10 seconds. If set to zero (the Plane default value) the voltage based trigger will be disabled.

  • remaining capacity falls below the BATT_LOW_MAH parameter (or FS_BATT_MAH in older versions) 20% of the battery’s full capacity is a good choice (i.e. “1000” for a 5000mAh battery). If set to zero the capacity based trigger will be disabled (i.e. only voltage will be used)

What will happen

When the failsafe is triggered:

  • Buzzer will play a loud low-battery alarm

  • LEDs will flash yellow

  • A warning message will be displayed on the ground station’s HUD (if telemetry is connected)

  • BATT_FS_LOW_ACT will be executed

Two-Stage Battery Failsafe

Plane 3.9 (and higher) includes a two-layer battery failsafe. This allows setting up a follow-up action if the battery voltage or remaining capacity falls below an even lower threshold.

  • BATT_CRT_VOLT - holds the secondary (lower) voltage threshold. Set to zero to disable. Default is zero.

  • BATT_CRT_MAH - holds the secondary (lower) capacity threshold. Set to zero to disable. Default is zero.

  • BATT_FS_CRT_ACT - holds the secondary action to take. A reasonable setup would be to have BATT_FS_LOW_ACT = 2 (RTL) and BATT_FS_CRT_ACT = 1 (Land)

Advanced Battery Failsafe Settings

  • BATT_FS_VOLTSRC allows configuring whether the raw battery voltage or a sag corrected voltage is used

  • BATT_LOW_TIMER can configure how long the voltage must be below the threshold for the failsafe to trigger

  • BATTx_ parameters can be setup to trigger the failsafe on other batteries

Battery Failsafe Actions

The following is a description of the actions that can be taken for battery failsafes:

Value

Action

Description

0

None

Do nothing except warn

1

RTL

Switch to RTL mode

2

Land

Switch to AUTO mode and execute nearest DO_LAND sequence, if in mission

3

Terminate

Disarm

4

QLAND

If QuadPlane, switch to QLAND Mode, otherwise do nothing

5

Parachute

Trigger Parachute (Critical action only)

6

LOITER_TO_QLAND

If QuadPlane, switch to LOITER_TO_QLAND mode, otherwise do nothing

Failsafe Parameters and their Meanings

Short failsafe action (FS_SHORT_ACTN )

The action to take on a short (FS_SHORT_TIMEOUT seconds) failsafe event . A short failsafe event in plane stabilization modes can be set to change mode to CIRCLE or FBWA, or be disabled completely. In QuadPlane stabilization modes, it will change to QLAND or QRTL, dependent upon which Q_OPTIONS is selected. Short failsafe only occurs on loss of RC, either RC loss or Throttle Failsafe.

In AUTO, LOITER and GUIDED modes you can also choose for it continue with the mission and ignore the short failsafe. If FS_SHORT_ACTN is 0 then it will continue with the mission, if it is 1 then it will enter CIRCLE mode.

VALUE MEANING
0 Continue
1 Circle/ReturnToLaunch
2 FBWA
3 Disabled

Long failsafe action (FS_LONG_ACTN )

The action to take on a long (FS_LONG_TIMEOUT seconds) failsafe event. If the aircraft was in a stabilization or manual mode when failsafe started and a long failsafe occurs then it will change to RTL mode if FS_LONG_ACTN is 0 or 1, and will change to FBWA and idle the throttle if FS_LONG_ACTN is set to 2.

If the aircraft was in an auto mode (such as AUTO or GUIDED) when the failsafe started then it will continue in the auto mode if FS_LONG_ACTN is set to 0, will change to RTL mode if FS_LONG_ACTN is set to 1 and will change to FBWA mode and idle the throttle if FS_LONG_ACTN is set to 2. If FS_LONG_ACTN is set to 3, the parachute will be deployed (make sure the chute is configured and enabled).

VALUE MEANING
0 Continue
1 ReturnToLaunch
2 FBWA Glide
3 Deploy Parachute

In a QuadPlane, if in VTOL operation in modes others than AUTO or GUIDED, the action taken will be either a QRTL or QLAND, depending on the Q_OPTIONS bit mask setting for bit 5. And if in fixed-wing operation, and the long or short failsafe action is a mode change to RTL, then the Q_RTL_MODE will determine behavior at the end of that RTL, just as in the case of a regular mode change to RTL.

GCS failsafe enable (FS_GCS_ENABL )

Enable ground control station telemetry failsafe. Failsafe will trigger after FS_LONG_TIMEOUT seconds of no MAVLink heartbeat or RC Override messages.

Warning

Enabling this option opens up the possibility of your plane going into failsafe mode and running the motor on the ground if it loses contact with your ground station. While the code attempts to verify that the plane is indeed flying and not on the ground before entering this failsafe, it is safer if this option is enabled on an electric plane, to either use a separate motor arming switch or remove the propeller in any ground testing, if possible.

There are three possible enabled settings. Seeing FS_GCS_ENABL to 1 means that GCS failsafe will be triggered when the aircraft has not received a MAVLink HEARTBEAT message. Setting FS_GCS_ENABL to 2 means that GCS failsafe will be triggered on either a loss of HEARTBEAT messages, or a RADIO_STATUS message from a MAVLink enabled telemetry radio indicating that the ground station is not receiving status updates from the aircraft, which is indicated by the RADIO_STATUS.remrssi field being zero (this may happen if you have a one way link due to asymmetric noise on the ground station and aircraft radios).Setting FS_GCS_ENABL to 3 means that GCS failsafe will be triggered by Heartbeat(like option one), but only in AUTO mode. WARNING: Enabling this option opens up the possibility of your plane going into failsafe mode and running the motor on the ground it it loses contact with your ground station. If this option is enabled on an electric plane then you should enable ARMING_REQUIRE.

VALUE MEANING
0 Disabled
1 Heartbeat
2 Heartbeat and REMRSSI
3 Heartbeat and AUTO

Failsafe Diagnosis in Logs or GCS

GCSs will often display text indicating the type of failsafe encountered, such as “Failsafe Short event on: type=1/reason=3”. Type and Reason can be determined using the table below:

TYPE MEANING
0 None
1 Short Failsafe
2 Long Failsafe
3 GCS Failsafe
REASON MEANING
0 Unknown
1 RC Command
2 GCS Command
3 Radio Failsafe
4 Battery Failsafe
5 GCS Failsafe
6 EKF Failsafe
7 GPS Glitch
10 Fence Breached
11 Terrain
19 Crash
25+ General unspecific

Independent Watchdog

See Independent Watchdog for details.