I have been trying to wrap my head around the way the failsafe is implemented on the Pixhawk Autopilot and how it ends up on the failsafe processor. Could anybody help me with it?
Here is what I understood up to this point: the failsafe is programmed in the function failsafe_check(void). It is handed to PX4Scheduler via the function register_timer_failsafe(AP_HAL::Proc, uint32_t period_us). This function seems to copy the function handle of the failsafe_check function into the _failsafe variable of the PX4Scheduler but what happens now? How does it end up on the STM32F103 failsafe co-processor? Also where is the routine AP_HAL::Proc defined? I could only find the definition for the AP_HAL::MemberProc makro.
I would greatly appreciate any help how this all fits together, as I am kind of lost .
Hi Phil,
Right now we don’t take advantage of the failsafe capability of the Pixhawk IO CPU. Failsafe is handled on the FMU and assumes that at least timer callbacks keep running even if everything else stops.
I do plan on adding support for the Pixhawk failsafe on IO. The main reason this hasn’t been done yet is a mismatch between how the PX4 IO code handles PWM values and the way APM handles them. The failsafe capability on IO assumes you have loaded a mixer file and are doing all mixing on the IO board. So for example if you have an elevon plane then the failsafe code assumes you have a mixer setup that mixes aileron and elevator into the two elevon channels, and takes -1…1 values into the mixer. The APM code does that mixing on the FMU.
To fix this properly we need to construct a PX4 IO compatible mixer structure on FMU based on the APM parameters then send that mixer to the IO board so it knows how to handle inputs when the FMU dies.
Cheers, Tridge
I’m sorry for reviving such old topic, but i’m curious if failsafe processor is NOW used and how it works? I had searched many files in ardupilot/arducopter/px4firmware and couldn’t figure out if STM32F103 is used and how. That’s why i’m asking here about it.
.