RC Failsafe Testing vs. Reality

I just had a rather unfortunate incident involving an RC failsafe triggering while in AUTO, and I wanted to make sure I’m not missing the forest for the trees here, and/or serve as a cautionary tale.

I was running GCS-based operation with a known-good quad (Orange Cube, Copter 4.3.2 beta), with tested radio failsafe (i.e. radio off = prompt RC failsafe - a Frsky DJT module, with a Radiomaster R81 SBus-output receiver). FS_OPTIONS was set to continue in AUTO in the event of an RC failsafe. I still had the RC radio on, with switches set for arm and AUTO and throttle fully lowered, but after each (AUTO) landing/disarm, I’d rearm from the Actions tab in Mission Planner, rather than by cycling the switches on the RC transmitter.

At one point, I lost RC comms (fortunately quite close to the LZ, but at speed and height). The log shows that the receiver switched CH5 to STAB just before the flight controller failsafe kicked in, and since the throttle was fully lowered, the flight controller then proceeded to disarm in mid-flight, rather than continue in AUTO. Needless to say, the results were not good.

I initially assumed that the receiver’s failsafe was the root cause, but watching the outputs in the radio calibration tool, switching the transmitter off did not cause CH5 output to change (nor would the mode change, if I did it when armed in AUTO), so if it was a receiver failsafe event, it couldn’t be replicated by simply turning off the transmitter, which would reliably trip the Ardupilot RC failsafe, as normal.

I then tried to replicate loss of signal by putting the transmitter in a microwave oven (ad-hoc faraday cage) - this also would produce a normal Ardupilot RC failsafe, with no change to the CH5 output, so whatever happened is not easily reproduced - everything I try results in nominal behavior.

Based on a very cursory code review, I can’t see any way that the use of the GCS to arm would affect the RCIN values, so I’m guessing that this isn’t a bug, so much as I just got very unlucky, and had the receiver get a couple garbled frames, just before it triggered the failsafe…? If that is the case, I guess the logical conclusion is that the R81 may be junk, despite passing the usual battery of failsafe checks.

Log for reference:

Regards,
-Luke

Just spitballing here, and I have not yet looked at the logs (which, by your description, sound like they may not reveal much), but it sounds like it’s not a case of RC failsafe so much as inadvertent RC control, where the transmitter either booted into or had been switched to stabilize mode and then took control at an unanticipated point during flight.

Not that I’m being too presumptive, but I know I’ve been the victim of unexpected yet mercilessly predictable autopilot behavior due to some newly discovered error on my own part!

EDIT: I have another kind of half-baked theory: the receiver may have been set to output low (1000us) signals rather than no signals on signal loss. Some combination of events may have triggered the autopilot to accept those signals as valid.

It looks like your analysis is correct. The only thing I can add here is if you had your FS_THR_VALUE set to 1000 PWM you would have entered the throttle failsafe due to the unusualy low throttle value of 996 where it looks like most of the channels went to as a result of the “garbled frames”.

It is always difficult with these black box radio’s to know what is happening and find and fix problems like this.

I am sorry to hear about your crash!

Thanks, yeah, ironically, not all of the outputs went low, but Murphy’s Law apparently was in full effect, haha.

I’ll fix the throttle failsafe values - I seem to recall I set them a bit lower to prevent accidental throttle failsafe triggers with fully-lowered throttle. 20/20 hindsight, I guess endpoint adjustment on the radio would have been a smarter way to go there, duh. – And apparently my memory is terrible, since obviously the low throttle value in the current setup is 1026. Doh!

All things considered, it wasn’t terrible - I’m one six-hour print away from being able to reassemble things… And then go and find a decent receiver, ha!