Understanding SW failure modes for PWM / Relay outputs

I’m attempting to complete a safety analysis for Rover 4.1 on a Cube Orange.

What I’d like to understand (if possible) is how the PWM outputs can “fail” - what can their behaviour be in the event of some sort of coding error?

Their behaviour seems well defined on power loss or reboot, but I’m curious about a few other cases, noting that I’m not concerned about a maths error that results in incorrect behaviour (e.g. poor navigation).

How can the system fail such that the AP is not responding to MAVLINK commands, BUT continues to output the last (or some other valid PWM)? This was a mode that we saw at one point - I can’t find the PR, but Tridge may recall - it was due to an overly long I2C cable.

What does the AP do if there is an unhandled exception (divide by zero etc)? If that were to result in a “crash” will that stop the PWM outputs?

Will infinite loops have a similar effect?

Is there different behaviour for the primary vs aux PWM outputs? Does utilising a relay (rather than PWM) output mode for an Aux pin mitigate any relevant failure modes?
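The failure mode the post describes (the loop stops running but the output hardware keeps driving whatever value it was last given) can be shown in a small simulation. The following is an added illustration, not ArduPilot or Cube Orange code: a latched output stage, a control loop that stops executing at a chosen time, and an independent watchdog that forces a neutral value when the loop stops checking in. All timing and PWM values are constructed.

```python
"""Simulation of the 'stale output' failure mode: a control loop that stops
running (hang, infinite loop, dead task) while the output stage keeps driving
the last commanded PWM value, and a watchdog that forces a safe value when the
loop stops checking in. Constructed illustration, not ArduPilot code."""

from dataclasses import dataclass

SAFE_PWM_US = 1500          # constructed: neutral throttle/steering for a rover
WATCHDOG_TIMEOUT_MS = 200   # constructed: loop must check in at least this often


@dataclass
class OutputStage:
    """Models a PWM output register: it holds its value until rewritten."""
    pwm_us: int = SAFE_PWM_US

    def write(self, value_us: int) -> None:
        self.pwm_us = value_us


@dataclass
class Watchdog:
    """Independent timer: if the loop has not kicked it within timeout_ms,
    it overwrites the outputs with the safe value."""
    timeout_ms: int
    last_kick_ms: int = 0
    tripped: bool = False

    def kick(self, now_ms: int) -> None:
        self.last_kick_ms = now_ms

    def check(self, now_ms: int, outputs: OutputStage) -> bool:
        if now_ms - self.last_kick_ms > self.timeout_ms:
            self.tripped = True
            outputs.write(SAFE_PWM_US)
        return self.tripped


def run(steps: int, hang_at_ms: int, with_watchdog: bool,
        dt_ms: int = 50, command_us: int = 1800):
    """Advance time in dt_ms ticks. From hang_at_ms on, the control loop no
    longer executes (models an infinite loop or a crashed task), so it stops
    writing outputs and stops kicking the watchdog. Returns a list of
    (time_ms, pwm_us) so the reader can see how long the stale value persists."""
    outputs = OutputStage()
    wd = Watchdog(WATCHDOG_TIMEOUT_MS)
    history = []
    for i in range(steps):
        now = i * dt_ms
        if now < hang_at_ms:             # control loop still alive
            outputs.write(command_us)
            wd.kick(now)
        if with_watchdog:                # runs regardless of the control loop
            wd.check(now, outputs)
        history.append((now, outputs.pwm_us))
    return history


def first_safe_time(history):
    """Time at which the outputs first return to the safe value, or None."""
    return next((t for t, v in history if v == SAFE_PWM_US), None)


if __name__ == "__main__":
    for flag in (False, True):
        hist = run(steps=20, hang_at_ms=500, with_watchdog=flag)
        print(f"watchdog={flag}: final output {hist[-1][1]} us, "
              f"safe at {first_safe_time(hist)} ms")
```

Without the watchdog the output stays at the last commanded 1800 us indefinitely after the loop dies at 500 ms; with it, the outputs drop to 1500 us at 700 ms, the first tick after the 200 ms timeout expires (last kick at 450 ms). The point for a safety analysis is that the output register itself never "fails" when the loop hangs; something independent of the loop has to reset it.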