Unintentional parachute release, due to Sbus glitch:

ArduCopter
1

I have suffered two unintentional parachute release, the cause of these deploys is a high pulse (greater than 1800) on channel 7, which is assigned the function of “parachute release”.
These pulses have a very short duration. In the dataflash logs, which sample RCIN values at 10Hz, these errors are represented by a single sample I’m guessing they can be “glitches” in a single package of the Sbus frame.

Months ago, I experienced problems with FailSafes and Sbus frames. If the receiver FailSafe was set to “no pulse” it could happen that some channels “returned” from the failsafe before others causing low pulses of short duration that could change the flight mode, disarm the equipment etc. Same problems as #9389 #9400 #10139 which were fixed with #10216. At that moment I fixed it by configuring the failsafe of the receivers in hold mode.

The problem I’m experiencing now is somewhat similar. I have periodic glitches in which one of the 8 channels changes to a low value during a very short period, but this low value is not necessarily less than 900. But also, although it is a stranger event, I have had glitches in which one of the 8 channels changes to a high value, not necessarily higher than 2200. If this happens on channel 7 with a pulse greater than 1800, the parachute fires immediately.

These glitches are not very frequent, I may have many flights in which none are observed. This makes it very difficult to do a bench tests to determine the exact cause of the problem. it may be wireless corrupted packets, a problem in de RX generating the Sbus frame or a bad handling of the Sbus frame and failsafes by the autopilot.

In addition, I have tried different combinations of Frsky radios and receivers (X9D plus, QX7) (XM+, X8R) and I experience the same problem with everyone.

On the other hand, most of the radio protocols used in the sector are not reliable enough and do not include functionalities such as ECC or EDC, so I think that critical flight and safety functions such as “Parachute Release”, “Disarm” or “Emergency Stop Motors” should have some extra security layer for their activation. A combination of different channels, a minimum pulse duration (Ex: 1s) for activation or both.

Attached some photos of the RCIN graphics of the dataflash logs.

Two glitches that fired the parachute:

Disparo1
Disparo1.PNG1292×429 18.9 KB

Disparo2
Disparo2.PNG1289×427 15.6 KB

Other observed glitches:

Error%202%20(ch%207%20down)
Error 2 (ch 7 down).PNG1282×429 12.8 KB

Error%201%20(ch%205%20up)
Error 1 (ch 5 up).PNG1290×447 14 KB

Error%203%20(ch%203%20y%204%20down)
Error 3 (ch 3 y 4 down).PNG1286×414 13.7 KB
Error%204%20(ch%201%20y%206%20down%2C%20ch%205%20up)
Error 4 (ch 1 y 6 down, ch 5 up).PNG1288×444 14.8 KB
Error%205%20(ch%203%20y%206%20down)
Error 5 (ch 3 y 6 down).PNG1281×418 14.4 KB

2

Yes, that’s a known situation. Because of this, the HOLD FS mode is the only right option for SBUS connection.

just for that reason some time ago I did a PR that introduced a debounce time parameter (per channel). So for example you can set the debounce time for your parachute channel to let’s say 500 or 1000 ms. And any spikes that are shorter will be ignored.

1 Like
3

That’s very interesting and can be an elegant solution to this problem. I have been looking at this PR you did. Has it been implemented in any stable version? Is the debouncing parameter configurable or is it a fixed value of 200ms for all channels?

4

In Copter 4 it is a fixed 200ms for all channels.
But it is easy to move that to the parameters (and compile FW binary then)

5

Why was the fixed value of 200ms chosen? I suppose that can be enough since these “glitches” are of a very short duration, but for something so critical I would feel safer with a larger margin.

6

200ms looks like reasonable value to be fast enough for any function and to protect against a bounce.