Plane Failsafe Function

Plane has a limited failsafe function which is designed to do four things:

  1. Detect complete loss of RC signal (if the RC receiver is able to generate a predictable signal-loss behavior) or throttle below the minimum value (Throttle Failsafe), and initiate a defined response, such as returning to home. Some RC equipment can do this, and some can’t (see below for details on how to use it if yours supports this function).
  2. Optionally, detect loss of telemetry (GCS Failsafe) and take a programmable action, such as switching to return to launch (RTL) mode.
  3. Detect loss of GPS for more than 20 seconds and switch into Dead Reckoning mode until GPS signal is regained.
  4. Optionally, detect low battery conditions (voltage/remaining capacity) and initiate a programmable response, such as returning to home. ArduPilot supports this on multiple batteries.

Here’s what the failsafe will not do:

  1. Detect if one or more individual RC channels have failed or become disconnected
  2. Detect if you’re flying too far away or are about to hit the ground
  3. Detect autopilot hardware failures, such as low-power brownouts or in-air reboots
  4. Detect if the Plane software is not operating correctly
  5. Detect other problems with the aircraft, such as motor failures
  6. Otherwise stop you from making setup or flight mistakes

Note

See Advanced Failsafe Configuration for extended failsafe configurations.

Plane Failsafe Documentation

Throttle Failsafe

How it works. Your RC transmitter outputs a PWM signal that is captured by your receiver and relayed to the autopilot. Each channel on your transmitter has a PWM range usually between 1100 - 1900 with 1500 being its neutral position. When you start your radio calibration on the mission planner, all your values will be at 1500. By moving your sticks, knobs and switches you will set your PWM range for each channel. The autopilot monitors your throttle channel and if it notices a drop lower than THR_FS_VALUE (Default is 950) it will go into failsafe mode.

RC transmitters usually have a default range for each channel that goes from -100% to 100%; however, most transmitters will allow you to extend this to -150% and 150% respectively. In the default setup, bringing your throttle to -100% will translate to a value close to 1100 and bringing it to -150% will translate to a value closer to 900. What we want to achieve is to let your receiver know that the throttle can go as low as -150% but keep the autopilot control range between -100% and 100%. This means that when flying, our throttle values will range between 1100 and 1900.

  • If we lose RC communication, the receiver, if set up properly, will drop to the lowest known throttle value of ~900. This value falls below the THR_FS_VALUE and will trigger the autopilot to go into failsafe mode.
  • First the autopilot will go into short failsafe (FS_SHORT_ACTN) when it detects loss of signal for more than FS_SHORT_TIMEOUT sec. The default setting for short failsafe is Circle mode.
  • If the RC signal is regained during the short failsafe, the flight will return to the previous mode.
  • If the loss of signal is longer than FS_LONG_TIMEOUT sec, the autopilot will go into long failsafe (FS_LONG_ACTN).
  • The default setting for long failsafe is RTL (Return to Launch).

Note

Once the long failsafe has been entered at the conclusion of the short failsafe the FS_LONG_ACTN mode will continue even if your RC signal is reacquired. Once reacquired, the mode can only be exited via a mode change. In addition, other failsafes, such as battery failsafe, can also change the mode, if they occur subsequently.

       Ext. Range       Normal Range       Ext. Range
  |-----------------|-----------------|-----------------|
-150%             -100%              100%              150%

  |_________________|
           |
        Failsafe
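
The short/long sequence described above can be modelled as a small state machine. This is an added example, not ArduPilot code: the timeout values of 1.5 s and 5 s, the starting mode FBWA and the sample PWM traces are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class ThrottleFailsafe:
    """Simplified model of the short/long throttle failsafe (not ArduPilot code)."""
    thr_fs_value: int = 950       # THR_FS_VALUE default quoted on this page
    short_timeout: float = 1.5    # FS_SHORT_TIMEOUT in seconds (assumed value)
    long_timeout: float = 5.0     # FS_LONG_TIMEOUT in seconds (assumed value)
    short_action: str = "CIRCLE"  # default short failsafe action
    long_action: str = "RTL"      # default long failsafe action
    mode: str = "FBWA"            # flight mode before any failsafe (assumed)
    state: str = "OK"             # OK, SHORT or LONG
    lost_since: Optional[float] = None
    prev_mode: str = "FBWA"

    def update(self, t: float, throttle_pwm: int) -> str:
        """Feed one throttle sample (time in seconds, PWM value); return the mode."""
        if throttle_pwm >= self.thr_fs_value:   # valid RC signal
            self.lost_since = None
            if self.state == "SHORT":           # regained during short failsafe:
                self.mode = self.prev_mode      # return to the previous mode
                self.state = "OK"
            return self.mode                    # a long failsafe stays latched
        if self.lost_since is None:
            self.lost_since = t
        lost_for = t - self.lost_since
        if self.state == "OK" and lost_for > self.short_timeout:
            self.prev_mode, self.mode, self.state = self.mode, self.short_action, "SHORT"
        if self.state == "SHORT" and lost_for > self.long_timeout:
            self.mode, self.state = self.long_action, "LONG"
        return self.mode

    def pilot_mode_change(self, new_mode: str) -> None:
        """Only an explicit mode change leaves a latched long failsafe."""
        self.mode, self.state = new_mode, "OK"


def replay(samples, fs=None):
    """Return the flight mode after each (time, pwm) sample."""
    fs = fs or ThrottleFailsafe()
    return [fs.update(t, pwm) for t, pwm in samples]


# Constructed traces: a brief dropout, then a dropout longer than the long timeout.
BRIEF_LOSS = [(0, 1500), (1, 900), (3, 900), (4, 1500)]
LONG_LOSS = [(0, 1500), (1, 900), (3, 900), (7, 900), (8, 1500)]
```

Replaying `LONG_LOSS` ends in RTL even though the last sample is a valid 1500, which is the latching behaviour the note above describes.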

Setup.

  1. Enable throttle failsafe by setting THR_FAILSAFE to 1 (0=Disabled, 1=Enabled).
  2. First turn on your transmitter and enable the throttle range to extend past -100%; the goal is to extend the throttle range past its low threshold.
  3. Once this is done, bind with your receiver. This will let your receiver know the lowest possible value for your throttle channel.
  4. Next revert the first change you made to the transmitter to limit the throttle to the original range.
  5. Do the radio calibration using the Mission Planner.
  6. Once the radio calibration is completed, drop the throttle on your transmitter and read what PWM value is being output to the mission planner on that channel.
  7. Turn off the transmitter. You should see the value drop significantly. This will be the PWM value relayed to the autopilot in the event RC link was lost during flight.
  8. Make sure THR_FS_VALUE is an adequate number to trigger the failsafe function on the autopilot.
  9. Make sure FS_SHORT_ACTN or FS_LONG_ACTN, or both, are enabled (set to a non-zero value).
  10. Connect on the mission planner with your RC transmitter on. Verify on the bottom right corner of the HUD that you are “flying” in a non auto mode (Manual, Stabilize, FBW are ok).
  11. Turn off your transmitter. After FS_SHORT_TIMEOUT sec, if enabled, the flight mode should switch to FS_SHORT_ACTN. After FS_LONG_TIMEOUT sec, if enabled, the flight mode should switch to FS_LONG_ACTN. If you observe this behavior, your failsafe function has been set up correctly.

Transmitter Tutorials:

Spektrum Setup

GCS Failsafe

How it works. When flying while using telemetry on the GCS, the autopilot can be programmed to trigger into failsafe mode if it loses telemetry, that is, when the autopilot stops receiving MAVLink (telemetry protocol) heartbeat messages. FS_SHORT_ACTN and FS_LONG_ACTN apply just as in the case of a Throttle Failsafe.

Setup.

  1. Set FS_GCS_ENABL to 1 to enable it.
  2. Connect to the Mission Planner via telemetry. Verify on the bottom right corner of the HUD that you are “flying” in a non auto mode (Manual, Stabilize, FBW are ok).
  3. Unplug one of the telemetry radios. After a few minutes power off your autopilot. (Remember the autopilot will not go fully into failsafe until FS_LONG_TIMEOUT seconds of MAVLink inactivity have passed).
  4. Connect your autopilot to the mission planner and pull the logs. Verify on the log that the autopilot went into RTL after FS_LONG_TIMEOUT sec of MAVLink inactivity.

Battery Failsafe

Note

This failsafe requires the vehicle have a working Power Module.

Note

ArduPilot firmware versions 4.0 and later support up to 10 batteries/power monitors. All the discussion below applies to those optional batteries also. Each can trigger a failsafe and each can have different actions and setup values. In addition, a group of batteries can be treated as a single unit, see BATTx_MONITOR = 10.

When the failsafe will trigger

If enabled and set-up correctly the battery failsafe will trigger if the main battery’s

  • voltage drops below the voltage held in the BATT_LOW_VOLT parameter (or FS_BATT_VOLTAGE in older versions) for more than 10 seconds. If set to zero (the Plane default value) the voltage based trigger will be disabled.
  • remaining capacity falls below the BATT_LOW_MAH parameter (or FS_BATT_MAH in older versions). 20% of the battery’s full capacity is a good choice (i.e. “1000” for a 5000mAh battery). If set to zero the capacity based trigger will be disabled (i.e. only voltage will be used).

What will happen

When the failsafe is triggered:

  • Buzzer will play a loud low-battery alarm
  • LEDs will flash yellow
  • A warning message will be displayed on the ground station’s HUD (if telemetry is connected)
  • BATT_FS_LOW_ACT will be executed

Two-Stage Battery Failsafe

Plane 3.9 (and higher) includes a two-layer battery failsafe. This allows setting up a follow-up action if the battery voltage or remaining capacity falls below an even lower threshold.

  • BATT_CRT_VOLT - holds the secondary (lower) voltage threshold. Set to zero to disable. Default is zero.
  • BATT_CRT_MAH - holds the secondary (lower) capacity threshold. Set to zero to disable. Default is zero.
  • BATT_FS_CRT_ACT - holds the secondary action to take. A reasonable setup would be to have BATT_FS_LOW_ACT = 2 (RTL) and BATT_FS_CRT_ACT = 1 (Land)

Advanced Battery Failsafe Settings

  • BATT_FS_VOLTSRC allows configuring whether the raw battery voltage or a sag corrected voltage is used
  • BATT_LOW_TIMER can configure how long the voltage must be below the threshold for the failsafe to trigger
  • BATTx_ parameters can be setup to trigger the failsafe on other batteries
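
The two-stage trigger logic above, including the voltage timer and the zero-disables rule, as an added example that is not ArduPilot code. It assumes that the same BATT_LOW_TIMER applies to the critical voltage threshold and that a stage, once reached, stays latched; the flight log is constructed.

```python
from dataclasses import dataclass
from typing import Optional

# Actions from the setup suggested above: BATT_FS_LOW_ACT = 2 (RTL), BATT_FS_CRT_ACT = 1 (Land)
ACTIONS = {"LOW": "RTL", "CRITICAL": "LAND"}

@dataclass
class BatteryFailsafe:
    low_volt: float = 0.0     # BATT_LOW_VOLT, 0 disables the voltage trigger
    low_mah: float = 0.0      # BATT_LOW_MAH, 0 disables the capacity trigger
    crt_volt: float = 0.0     # BATT_CRT_VOLT, 0 disables
    crt_mah: float = 0.0      # BATT_CRT_MAH, 0 disables
    low_timer: float = 10.0   # BATT_LOW_TIMER in seconds
    stage: str = "NONE"       # NONE -> LOW -> CRITICAL (latched: assumption)
    low_since: Optional[float] = None
    crt_since: Optional[float] = None

    def _sagging(self, t, volts, threshold, since):
        """Return (tripped, since) for one voltage threshold and its timer."""
        if threshold <= 0 or volts >= threshold:
            return False, None                 # disabled or recovered: reset timer
        since = t if since is None else since
        return (t - since) > self.low_timer, since

    def update(self, t, volts, remaining_mah):
        low_v, self.low_since = self._sagging(t, volts, self.low_volt, self.low_since)
        crt_v, self.crt_since = self._sagging(t, volts, self.crt_volt, self.crt_since)
        low_c = self.low_mah > 0 and remaining_mah < self.low_mah
        crt_c = self.crt_mah > 0 and remaining_mah < self.crt_mah
        if crt_v or crt_c:
            self.stage = "CRITICAL"
        elif (low_v or low_c) and self.stage == "NONE":
            self.stage = "LOW"
        return self.stage

def transitions(samples, fs):
    """Return (time, stage, action) each time the failsafe stage changes."""
    out, last = [], fs.stage
    for t, volts, mah in samples:
        stage = fs.update(t, volts, mah)
        if stage != last:
            out.append((t, stage, ACTIONS[stage]))
            last = stage
    return out

# Constructed log for a 5000 mAh pack: (seconds, volts, remaining mAh).
# The sag at t=5..12 lasts under 10 s and must not trigger; the one from t=60 does.
FLIGHT = [(0, 15.8, 4000), (5, 13.9, 3900), (12, 13.8, 3800), (14, 14.6, 3700),
          (60, 13.9, 2000), (71, 13.9, 1900), (90, 13.7, 900), (120, 13.5, 450)]
```

With all thresholds left at zero the same log produces no transitions, which is the Plane default the text warns about.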

Failsafe Parameters and their Meanings

Short failsafe action (FS_SHORT_ACTN)

The action to take on a short (FS_SHORT_TIMEOUT seconds) failsafe event. A short failsafe event in plane stabilization modes can be set to change mode to CIRCLE or FBWA, or be disabled completely. In QuadPlane stabilization modes, it will change to QLAND or QRTL, dependent upon which Q_OPTION is selected.

In AUTO, LOITER and GUIDED modes you can also choose for it to continue with the mission and ignore the short failsafe. If FS_SHORT_ACTN is 0 then it will continue with the mission, if it is 1 then it will enter CIRCLE mode.

VALUE MEANING
0 Continue
1 Circle/ReturnToLaunch
2 FBWA
3 Disabled

Long failsafe action (FS_LONG_ACTN)

The action to take on a long (FS_LONG_TIMEOUT seconds) failsafe event. If the aircraft was in a stabilization or manual mode when failsafe started and a long failsafe occurs then it will change to RTL mode if FS_LONG_ACTN is 0 or 1, and will change to FBWA and idle the throttle if FS_LONG_ACTN is set to 2.

If the aircraft was in an auto mode (such as AUTO or GUIDED) when the failsafe started then it will continue in the auto mode if FS_LONG_ACTN is set to 0, will change to RTL mode if FS_LONG_ACTN is set to 1 and will change to FBWA mode and idle the throttle if FS_LONG_ACTN is set to 2. If FS_LONG_ACTN is set to 3, the parachute will be deployed (make sure the chute is configured and enabled).

VALUE MEANING
0 Continue
1 ReturnToLaunch
2 FBWA Glide
3 Deploy Parachute

In a QuadPlane, if in VTOL operation in modes other than AUTO or GUIDED, the action taken will be either a QRTL or QLAND, depending on the Q_RTL_MODE bit mask setting for bit 5. And if in fixed-wing operation, and the long or short failsafe action is a mode change to RTL, then the Q_RTL_MODE will determine behavior at the end of that RTL, just as in the case of a regular mode change to RTL.

GCS failsafe enable (FS_GCS_ENABL)

Enable ground control station telemetry failsafe. Failsafe will trigger after FS_SHORT_TIMEOUT and/or FS_LONG_TIMEOUT seconds of no MAVLink heartbeat or RC Override messages.

Warning

Enabling this option opens up the possibility of your plane going into failsafe mode and running the motor on the ground if it loses contact with your ground station. While the code attempts to verify that the plane is indeed flying and not on the ground before entering this failsafe, it is safer if this option is enabled on an electric plane, to either use a separate motor arming switch or remove the propeller in any ground testing, if possible.

There are three possible enabled settings. Setting FS_GCS_ENABL to 1 means that GCS failsafe will be triggered when the aircraft has not received a MAVLink HEARTBEAT message. Setting FS_GCS_ENABL to 2 means that GCS failsafe will be triggered on either a loss of HEARTBEAT messages, or a RADIO_STATUS message from a MAVLink enabled telemetry radio indicating that the ground station is not receiving status updates from the aircraft, which is indicated by the RADIO_STATUS.remrssi field being zero (this may happen if you have a one way link due to asymmetric noise on the ground station and aircraft radios). Setting FS_GCS_ENABL to 3 means that GCS failsafe will be triggered by Heartbeat (like option one), but only in AUTO mode. WARNING: Enabling this option opens up the possibility of your plane going into failsafe mode and running the motor on the ground if it loses contact with your ground station. If this option is enabled on an electric plane then you should enable ARMING_REQUIRE.

VALUE MEANING
0 Disabled
1 Heartbeat
2 Heartbeat and REMRSSI
3 Heartbeat and AUTO
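
The difference between the enabled settings shows up on a one-way link, where heartbeats still arrive but remrssi is zero. The following added example (not ArduPilot code) evaluates a constructed message stream under each FS_GCS_ENABL value; the 5 second timeout and the way a zero remrssi is timed against that timeout are modelling assumptions.

```python
def gcs_failsafe_time(messages, fs_gcs_enabl, timeout, mode, end):
    """Return when the GCS failsafe timer expires for this stream, or None.

    messages: (time_s, msg_type, remrssi) tuples in time order; `end` is the
    time at which observation stops.
    """
    if fs_gcs_enabl == 0 or (fs_gcs_enabl == 3 and mode != "AUTO"):
        return None                      # disabled, or option 3 outside AUTO
    last_hb = last_rssi = 0              # assumption: link healthy at t=0
    for t, msg_type, remrssi in list(messages) + [(end, "END", None)]:
        last_good = last_hb
        if fs_gcs_enabl == 2:            # option 2 also needs a non-zero remrssi
            last_good = min(last_hb, last_rssi)
        if t - last_good > timeout:
            return last_good + timeout   # moment the timeout ran out
        if msg_type == "HEARTBEAT":
            last_hb = t
        elif msg_type == "RADIO_STATUS" and remrssi > 0:
            last_rssi = t
    return None


# Constructed streams. ONE_WAY: heartbeats keep arriving, but from t=4 the radio
# reports remrssi 0 (the ground station no longer hears the aircraft).
ONE_WAY = [m for t in range(1, 11)
           for m in ((t, "HEARTBEAT", None),
                     (t, "RADIO_STATUS", 120 if t <= 3 else 0))]
# HB_LOSS: the ground station goes silent after t=4.
HB_LOSS = [(t, "HEARTBEAT", None) for t in range(1, 5)]
```

On `ONE_WAY`, setting 1 never triggers while setting 2 does; on `HB_LOSS`, setting 3 triggers only when the mode is AUTO.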

Independent Watchdog

See Independent Watchdog for details.