Bug: EKF failsafe not triggering in SITL with VISO-only (no GPS) during odometry outage

Summary

I am testing VISO-only navigation (no GPS) in SITL by injecting MAVLink ODOMETRY messages. While normal operation works correctly, the EKF failsafe does not trigger during extended outages, and the EKF variance does not increase as expected.

This behavior differs significantly from real flight results.


Test Setup

  • Platform: SITL (ArduCopter)

  • Navigation input: External Vision only (VISO via MAVLink ODOMETRY)

  • GPS: Disabled

  • ODOMETRY messages injected via custom Python script (stable and working)

Relevant Parameters

AHRS_EKF_TYPE = 3
EK3_ENABLE = 1
EK2_ENABLE = 0
GPS1_TYPE = 0
VISO_TYPE = 3

EK3_SRC1_POSXY = 6
EK3_SRC1_POSZ  = 6
EK3_SRC1_VELXY = 0
EK3_SRC1_VELZ  = 0
EK3_SRC1_YAW   = 1

FS_EKF_ACTION = 3   # Land
FS_EKF_THRESH = 0.8 (also tested with 0.6, 0.4 and 0.2)

Normal Behaviour (Baseline)

  • Continuous ODOMETRY injection (~20 Hz)

  • ~331 MAVLink ODOMETRY messages observed

  • EKF initializes and tracks position correctly

  • Vehicle behaves as expected in SITL


Failure Test (Outage Injection)

I created a second script to simulate sensor dropout:

  • Stop sending ODOMETRY messages for 30–50 seconds

  • No GPS fallback (GPS disabled)

  • No other position source available


Observed Behaviour

  1. EKF variance does NOT increase

    • pos_h_var stays around 0.1 – 0.22

    • Does not grow over time despite complete loss of measurements (tried up to 60 seconds with no messages)

    • This suggests the EKF is not properly degrading confidence

  2. Failsafe does NOT trigger

    • Even after 30–50 seconds with no input

    • Even when forcing:

      FS_EKF_THRESH = 0.2
      
    • No mode change, no failsafe action (LAND), no warning

  3. Vehicle continues flying as if nothing happened


Expected Behaviour

Based on EKF design and real-world testing:

  • With no position updates (VISO outage + no GPS):

    • EKF uncertainty should increase over time

    • Position variance should grow significantly

  • After the threshold is exceeded:

    • EKF failsafe should trigger within seconds

In real flight tests:

  • Failsafe triggered within ~3–4 seconds

  • EKF quickly lost confidence


Key Issues Identified

1. ❗ EKF does not degrade without measurements

  • No increase in variance during complete sensor outage

  • Suggests SITL EKF may not model uncertainty growth correctly when inputs stop

2. ❗ EKF failsafe never triggers

  • Even with very low threshold (0.2)

  • Suggests failsafe condition is never met internally


Hypothesis

Possible causes:

  • EKF in SITL continues propagating using IMU but does not inflate covariance properly

  • External vision source loss is not treated as measurement loss

  • Failsafe condition (2 variances > threshold for 1s) is never satisfied because:

    • Variances remain artificially low

Additional Notes

  • ODOMETRY injection works correctly when active

  • Issue only appears when messages stop completely

  • Behavior is reproducible

  • No errors or warnings shown in SITL logs


What I Need Help With

  • Is this expected SITL behavior?

  • Is EKF supposed to increase variance without measurements in this setup?

  • Is there any additional configuration required for EKF failsafe with External Vision only?

  • Could this be a limitation or bug in SITL EKF modelling?


Impact

This makes SITL unreliable for validating:

  • EKF robustness

  • Failsafe triggering

  • Sensor outage scenarios (critical for real-world safety)
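
An added example, not part of the original post: an offline check that replays recorded variance samples against the failsafe rule quoted in the Hypothesis section (2 variances > threshold for 1 s) and measures variance growth across the outage window. The sample data, field names and growth rate are constructed assumptions, not values from the SITL logs.

```python
"""Added example: replay EKF variance samples against the failsafe rule
quoted in the post (two variances above FS_EKF_THRESH for 1 s)."""

# Assumption: each sample is (time_s, {name: variance}); names are illustrative.
HOLD_S = 1.0    # "for 1s", as stated in the post
MIN_OVER = 2    # "2 variances > threshold", as stated in the post


def failsafe_time(samples, thresh, hold_s=HOLD_S, min_over=MIN_OVER):
    """Return the time the rule is first satisfied, or None if it never is."""
    over_since = None
    for t, variances in samples:
        n_over = sum(1 for v in variances.values() if v > thresh)
        if n_over >= min_over:
            if over_since is None:
                over_since = t          # start of the continuous breach
            if t - over_since >= hold_s:
                return t
        else:
            over_since = None           # breach interrupted, restart the timer
    return None


def variance_growth(samples, name, start_s, end_s):
    """Change in one variance across the outage window [start_s, end_s]."""
    window = [v[name] for t, v in samples if start_s <= t <= end_s]
    return window[-1] - window[0] if len(window) >= 2 else 0.0


def make_samples(growth_per_s, outage_start=5.0, duration=15.0, rate_hz=4):
    """Constructed data: variances sit at 0.1, then grow linearly in the outage."""
    out = []
    for i in range(int(duration * rate_hz) + 1):
        t = i / rate_hz
        extra = max(0.0, t - outage_start) * growth_per_s
        out.append((t, {"vel": 0.1 + extra, "pos_h": 0.1 + extra, "pos_v": 0.1}))
    return out


FLAT = make_samples(0.0)     # constructed: no growth, like the reported SITL run
GROWING = make_samples(0.3)  # constructed growth rate, not measured data

if __name__ == "__main__":
    for label, data in (("flat", FLAT), ("growing", GROWING)):
        for thresh in (0.8, 0.2):
            print(label, thresh, failsafe_time(data, thresh),
                  round(variance_growth(data, "pos_h", 5.0, 15.0), 3))
```

Feeding it the variance values extracted from a real SITL log, in place of the constructed lists, shows whether the quoted condition was ever met or whether the variances simply never moved.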