I have done the first beta release of the 3.9.8 stable release.
This is a minor release with some important safety fixes. The fixes relate to two issues:
implement hardware support to reset the CPU if a software or hardware failure causes the main loop to stop running
fixed a bug in the handling of a failure of the primary IMU in a multi-IMU system
The first fix relates to a flyaway that happened on a RadioLink mini-pix flight controller. The mini-pix suffered a major hardware failure that led to the main loop stopping. As the mini-pix does not have an IO co-processor this resulted in fixed control surface outputs and fixed motor output, which led to a flyaway. The plane was found,
but we want to ensure that if this ever happens again that the motor will stop and that the pilot will regain control of the aircraft.
The fix is to enable an option in the STM32 processor called âIndependent Watchdogâ (IWDG). The IWDG provides a mechanism to automatically reset the CPU on software or hardware failure resulting
in the main loop stopping. When this happens the hardware also provides a mechanism for ArduPilot to know that it is booting after a watchdog reset, in which case it does the following:
if the ChibiOS bootloader has been updated then it skips the normal 5 second delay in the bootloader
it skips baromoter, gyro and airspeed calibration, allowing for very fast boot
the home position and attitude estimate of the vehicle is restored to a point less than 0.3 seconds before the lockup
the pilot regains full control, and if the pilot requests arming then arming checks are automatically bypassed
We have tested this on an aircraft with a deliberately induced full CPU lockup. The aircraft recovered and flew normally within 3 seconds of lockup, with the pilot having full control. This was with a board with no IOMCU. A board that does have an IOMCU (such as a Hex cube) would have had full manual control on FMU lockup without the changes in this new release. For those boards with IOMCU the advantage of the new release is that the pilot will regain the ability to use stabilised and auto modes (including RTL) after a full CPU lockup.
The additional protections of the IWDG support only apply to the ChibiOS builds. The IWDG is not supported in NuttX builds.
The second key fix in this release relates to IMU failure on multi-IMU systems. If the IMU that is associated with the currently active EKF lane failed then the fixed wing attitude controller would lose attitude control and the aircraft will crash unless the pilot takes manual control. This has been fixed to ensure that IMU failover
operates correctly.
Other changes in this release:
added support for the CUAVv5Nano board
added retries to flash storage of parameters
fixed pullups on some fmuv3 based boards that lack hardware pullups on sdcard data lines
fixed fallback to microSD for parameter storage if a board with FRAM storage has a failed FRAM device
@Rolf donât know if iâm really confident enough for that kind of testâŚ
@tridge found it. seems itâs skipping gyro cal on reboot, however FC stays in âinitializeâ after reboot unless kept still for a couple of seconds. how is that handled inflight?
the IOMCU boards have two banks of PWM outputs (eg. âmainâ and âauxâ). For example, pixhawk, cube, CUAVv5, Pixhawk4, Pixhackv3 etc
All others have no IOMCU
well, apart from the possibility that it doesnât work and your plane flies off into the sunset? that wonât happen of course
Right now the only way to induce the lockup is to send a magic mavlink command from mavproxy. I could create you a release that adds a new RC option for locking up the autopilot, so you could put it on a switch. We decided against having that in the normal releases. Would that work for you? If so, what board do you want the build for?
Some notes:
if it is in AUTO it wonât restore the waypoint number its heading for, it would instead restart the mission
it wonât arm on reboot, but it will allow you to arm using the normal methods while flying (eg. GCS button or rudder+throttle)
if you are rolling/pitching rapidly when you reset then it will get confused for a few seconds (at least) and manual mode may be a good idea till it gets sorted out
The problem is the arming sequence if thereâs a rudder installed.
The auto rearm could also be dangerous but more safe in that case, what do you think of using an rc channel for auto rearm after reset? Something like âif in a high state, over 1700 uS, autorearm the system after a resetâ? Only for the testing phase, iâve 6 free rc channels, form 9 to 14.
For the build â3DR Pixhawkâ sounds good, initially I will do some bench tests.
About the risk, if the plane after the board reset work fine in full manual I think itâs minimal, the first tests would be better done in that way.
Everything depends on how many seconds after the reset the servos are back in operation.
For example an FX61 in Cruise at 70 meters AGL it could impact the ground after 6/7 seconds since the board reset.
If the procedure lasts longer it would be useless.
how do i force a lockup?
