Safety Concerns about Lacking Complete Configuration Validation in Program

Dear community,
I would like to confirm whether the following issue poses a safety concern due to the difficulty in validating the correctness of configuration parameter combinations, even when each configuration value falls within the valid range according to the official documentation.

I have tested the following parameter configuration combination bugs in ArduCopter 4.5 using the SITL simulator with CopterMission from autotest in ArduPilot as the mission. The parameters are configured before the mission starts. Each group of parameters, starting with a minus character, leads to one of the following physical impacts: (1) crash, (2) deviation from the strategy (higher than 10 m), or (3) getting stuck (surrounding a waypoint forever without reaching it). The value of each parameter follows the parameter directly; all values are in the valid range according to the documentation.

  • param set MOT_PWM_MAX 10

  • param set MOT_PWM_MIN 10

  • param set INS_POS1_X -5

  • param set INS_POS1_Y -5

  • param set INS_POS2_X -5

  • param set INS_POS2_Y -5

  • param set INS_POS3_X -5

  • param set INS_POS3_Y -5

  • param set ATC_RAT_YAW_P 0.005

  • param set ATC_RAT_PIT_P 0.005
    param set ATC_RAT_PIT_D 0.002

  • param set ATC_RAT_RLL_P 0.01
    param set ATC_RAT_RLL_D 0.001

  • param set MOT_PWM_MIN 1500
    param set PSC_ACCZ_D 0.12

  • param set PSC_POSXY_P 0.5
    param set PSC_VELXY_P 0.1
    param set PSC_VELXY_D 0.002

  • param set PSC_VELXY_P 0.1
    param set PSC_VELXY_D 0.002
    param set PSC_VELXY_IMAX 0

  • param set ATC_ANG_RLL_P 3
    param set PSC_VELXY_P 0.1
    param set PSC_VELXY_D 0.002

  • param set ATC_ANG_YAW_P 3
    param set PSC_VELXY_P 0.1
    param set PSC_VELXY_D 0.002

  • param set WPNAV_ACCEL_C 10
    param set PSC_VELXY_P 0.1
    param set PSC_VELXY_D 0.002

  • param set WPNAV_ACCEL 50
    param set PSC_VELXY_P 0.1
    param set PSC_VELXY_D 0.002

  • param set WPNAV_SPEED 2000
    param set PSC_VELXY_P 0.1
    param set PSC_VELXY_D 0.002

  • param set ATC_RAT_YAW_D 0.001
    param set ATC_RAT_YAW_I 0.01
    param set PSC_VELXY_P 0.1
    param set PSC_VELXY_D 0.002

  • param set ATC_ANG_PIT_P 3
    param set MOT_PWM_MAX 1700
    param set MOT_PWM_MIN 1500
    param set ATC_RAT_PIT_P 0.005

  • param set PSC_VELXY_P 0.1
    param set PSC_VELXY_D 0.002
    param set PSC_VELXY_I 0.02
    param set WPNAV_RADIUS 950

Hi @jinwenwang,

Safety is really important of course and the AP dev team takes it seriously so thanks for your investigation and question.

One key thing to note here is that these are serious configuration errors. So one of the examples you’ve posted is setting the INS_POS1_X to -5 which means the IMU is 5 meters from the center of rotation of the vehicle while the simulated vehicle’s IMU remains at the center of the vehicle. This will lead to the EKF becoming quite unhappy (e.g. large innovations during fusing leading to bad estimates). Other changes you’ve tested are attitude or control gain changes or motor output range changes… these are all very serious.

Given this what you’re really asking is, is it reasonable for a misconfigured vehicle to behave badly including possibly crashing and the answer is “yes”. Keeping a multicopter flying safely means that it must be configured correctly.

I think a better question is perhaps, how can we stop users from inadvertently modifying the vehicle’s configuration, and the answer is to lock down those critical parameters. We have some information on our OEM Customisation wiki page although it is slightly out-of-date because it talks about the APJ Tools when really marking params read-only needs to be done in a default.parm file. Once this is done, the firmware should be re-built and loaded onto the autopilot and the user will not be able to change these parameters. There is a loop-hole in that users could load the standard firmware on the autopilot but this can also be disabled by updating the bootloader.

I’ve created a wiki issue to update our recommendations on how to set parameters to be read-only.

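The reply above recommends locking critical parameters in a default.parm file rather than trusting per-parameter range checks, since every value in the original post was individually in range. The following is an added example, not code from ArduPilot or from either poster: a pre-flight check that parses a locked baseline (assumed here to use the `NAME VALUE @READONLY` line form of ArduPilot's embedded parameter defaults) and a plain `NAME VALUE` dump saved from the vehicle, and reports any locked parameter that differs. Both the baseline and the dump are constructed for illustration; the dump reproduces one of the reported combinations (MOT_PWM_MIN 1500 with PSC_ACCZ_D 0.12). The parameter values in the baseline are placeholders, not a tuning recommendation.

```python
"""Pre-flight check: compare a vehicle parameter dump against a locked baseline.

Added example, not ArduPilot project code. Assumptions: the baseline uses the
'NAME VALUE @READONLY' form of ArduPilot's embedded defaults file; the dump is in
the plain 'NAME VALUE' (or 'NAME,VALUE') form a saved parameter list uses.
Both inputs below are constructed for illustration.
"""
from dataclasses import dataclass
import math


@dataclass(frozen=True)
class Drift:
    name: str
    expected: float
    actual: float  # NaN when the parameter is absent from the dump


def parse_parm(text):
    """Parse 'NAME VALUE [@READONLY]' lines (also 'NAME,VALUE').

    Returns {name: (value, readonly)}. '#' starts a comment; blank lines ignored.
    """
    out = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        readonly = False
        if line.endswith("@READONLY"):
            readonly = True
            line = line[: -len("@READONLY")].strip()
        parts = line.replace(",", " ").split()
        if len(parts) != 2:
            raise ValueError(f"malformed parameter line: {raw!r}")
        name, value = parts
        out[name.upper()] = (float(value), readonly)
    return out


def check_locked_params(baseline_text, dump_text, rel_tol=1e-6):
    """Return a Drift for every @READONLY baseline parameter that is missing
    from the dump or differs from its baseline value. Unlocked parameters are
    deliberately ignored: they are the user's to tune."""
    baseline = parse_parm(baseline_text)
    dump = parse_parm(dump_text)
    drifts = []
    for name, (expected, readonly) in sorted(baseline.items()):
        if not readonly:
            continue
        if name not in dump:
            drifts.append(Drift(name, expected, math.nan))
            continue
        actual = dump[name][0]
        if not math.isclose(actual, expected, rel_tol=rel_tol, abs_tol=1e-9):
            drifts.append(Drift(name, expected, actual))
    return drifts


# Constructed baseline: an OEM default.parm with the critical parameters locked.
# Values are placeholders for the example, not tuning advice.
BASELINE = """\
MOT_PWM_MIN 1000 @READONLY
MOT_PWM_MAX 2000 @READONLY
INS_POS1_X 0 @READONLY
INS_POS1_Y 0 @READONLY
PSC_ACCZ_D 0 @READONLY
PSC_VELXY_P 2.0 @READONLY
PSC_VELXY_D 0.5 @READONLY
WPNAV_RADIUS 200   # user-adjustable, not locked
"""

# Constructed dump from a vehicle where two locked parameters were edited,
# matching one of the combinations reported in the thread.
DUMP = """\
MOT_PWM_MIN 1500
MOT_PWM_MAX 2000
INS_POS1_X 0
INS_POS1_Y 0
PSC_ACCZ_D 0.12
PSC_VELXY_P 2.0
PSC_VELXY_D 0.5
WPNAV_RADIUS 950
"""


if __name__ == "__main__":
    for d in check_locked_params(BASELINE, DUMP):
        print(f"LOCKED PARAM CHANGED: {d.name} expected {d.expected} got {d.actual}")
```

On the constructed inputs the check reports MOT_PWM_MIN and PSC_ACCZ_D and says nothing about WPNAV_RADIUS, which was changed but never locked. The check is a ground-side complement to the firmware-side lock, not a replacement for it: with the parameters embedded as read-only the autopilot itself refuses the change, and this script only catches a vehicle that is running firmware without that lock.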