Plane: basic automatic emergency parachute release at critical altitude error in AUTO. #3703
Conversation
…de error in AUTO.
| */ | ||
| void Plane::parachute_emergency_check() | ||
| { | ||
| static uint32_t control_loss_ms; // time when we first lost control and never regained it |
There was a problem hiding this comment.
no statics allowed because it still creates only 1 if you have two classes of Plane (weird, I know, but maybe something will in the future). Please declare it in the class and rename it so it's global friendly.
There was a problem hiding this comment.
Do you mean it will be possible to create two instances of Plane class in the future? Why and how would that work – maybe there's some discussion about this somewhere I could read about it, if it has already been explained? I thought it should be some sort of singleton. Is it going to diverge from Copter architecture?
Static variables are all over the place in Plane, e.g.:
https://github.com/diydrones/ardupilot/blob/master/ArduPlane/navigation.cpp
https://github.com/diydrones/ardupilot/blob/master/ArduPlane/ArduPlane.cpp
https://github.com/diydrones/ardupilot/blob/master/ArduPlane/failsafe.cpp
https://github.com/diydrones/ardupilot/blob/master/ArduPlane/control_modes.cpp
And there are probably even more in Copter code. Is there a plan to refactor them?
I'm interested, because I was just following the existing architecture and not having a singleton Plane just sounds unintuitive (although, of course, might be wrong).
There was a problem hiding this comment.
There is no "plan" but the concern is a relatively new one. Since ArduPilot is moving more and more towards Linux based systems you never know how the class ends up getting used! Not using static variables removes some chances of bugs. If things were to change it's easier to enforce it during development instead of all at once at the end. The other uses of static have been there a long time and should be changed too.
There was a problem hiding this comment.
Why would Linux not allow using a singleton? Can you maybe point me to some existing Plane code where statics were replaced by globals? Is this move from static variables to globals documented anywhere in Ardupilot repository (GitHub issue, mailing list, etc)?
There was a problem hiding this comment.
Is there any example in existing code where this was already done, so I could replicate that?
There was a problem hiding this comment.
Just make a variable in Plane.h and remove the static from here. Take a look at throttle_watt_limit_timer_ms
…ay be false during stall.
|
Thanks for removing is_flying(). The no-statics thing is a request from @tridge because it only has drawbacks (future bugs) where moving it to the class gives flexibility. All static variables in the project need to be eventually moved to the class. Pull-requests welcome! |
| @@ -146,6 +146,8 @@ class Parameters { | |||
| k_param_parachute, | |||
| k_param_arming = 100, | |||
| k_param_parachute_channel, | |||
| k_param_parachute_auto_enabled, | |||
There was a problem hiding this comment.
the order here is extremely important. You can't push down other k_params indexes. You must use an unused index
There was a problem hiding this comment.
OK, I see now. Where should I move these?
There was a problem hiding this comment.
the k_params are not needed if you are within a lib
|
I'm still in favor of all of this going into AP_Parachute. Any params that start with CHUTE_ belong there too, that's why there's a "CHUTE_" prefixed one to sort them. |
|
But since AP_Parachute is used in both Copter and Plane, how do I add plane-specific code to it? Is there any convention for this? |
|
Use AP_Arming as an example |
|
Do you mean the |
|
@magicrub can you please clarify how I should use |
| // @Description: Parachute automatic emergency release enabled or disabled. | ||
| // @Values: 0:Disabled,1:Enabled | ||
| // @User: Standard | ||
| GSCALAR(parachute_auto_enabled, "CHUTE_AUTO_ON", 0), |
There was a problem hiding this comment.
Move these to line 54 of this
https://github.com/diydrones/ardupilot/blob/master/libraries/AP_Parachute/AP_Parachute.cpp
|
I think I have addressed all issues so far. Could someone please have a look once again? |
| // we have lost control for too long | ||
| gcs_send_text_fmt(MAV_SEVERITY_WARNING, "Crash: Critical altitude error %d m", altitude_error_cm * 0.01f); | ||
| parachute_release(); | ||
| parachute.control_loss_ms(0); |
There was a problem hiding this comment.
Won't this message, and the release, happen every second after the first release happens?
There was a problem hiding this comment.
I think that parachute.released() check should kick in after parachute_release() (line 74).
There was a problem hiding this comment.
Ahh yes, my mistake I see it now.
|
What's left to be done for this? |
|
would be nice for @tridge to take a look |
|
@magicrub I've made some changes after your latest suggestions. Let me know if I missed something or if there are other things that need to be fixed. Also, somewhat relevant to these changes (although not strictly blocking) are #3837 (making CHUTE_ALT_MIN above ground, not above home), #3853 (ALT_OFFSET incorporation), and #3861 (parachute deployment timing relative to throttle suppression). |
|
Do we need to change anything else before this can be accepted? |
|
I'd like @tridge to take a look before we merge, but otherwise I think it looks good. |
|
@tridge could you have a look at this at some point? |
|
Still needs some work. Looks way too easy to trigger during normal flight by simply diving downwards |
|
Which trigger do you have in mind – altitude or sink rate? As the parachute only works in AUTO mode, the diving downwards needs to be part of a mission. Sink rate
We've tested a similar functionality (the branch I've mentioned previously) with a Penguin B airframe and it seems to be working fine. One can also switch automatic parachute deployment (or one of the triggers) off. Which scenario are you worried about? |
|
We're just concerned that this will cause chute deployments during normal operation, goal is to make this bulet-proof so that it will only deploy when you're truly in distress.
Waypoints can be at any altitude. Simply being below it, or even having an alt error, does mean you're in distress and need to deploy the chute. What happens if you fly auto, then switch to manual/stab/fbwa to fly around and are in a dive while switching back to auto. Boom, your chute deploys. Remember, if you have a DO_LAND_START in your mission then an RTL switches you to AUTO and switching to RTL is common when trying to recover their aircraft with loss of orientation.
This is good but needs to be strictly enforced in case the aircraft is not configured correctly. something like
A trigger that can only happen when we've truly lost control and are falling out of the sky in AUTO. That is not an easy thing to determine. Perhaps we can draw some ideas from #2933 . |
|
perhaps we could take advantage of the TECS controller's badDescent flag |
|
This was discussed in today's developer's call. We'd like this integrated with the TECS to detect if the aircraft is not achieving the desired pitch/roll values which is a good indicator that the aircraft is in distress. There's also a is_stalled type flag in TECS. The quadplane has (or will have) similar needs where the quad motor kicks in if we begin to stall so detecting a true stall is the hard part. False positives here are bad news so we have to make sure this is done right. |
|
I think if we added a status flag in TECS of "we're in trouble and/or stalling" that could be checked by this feature then we're probably good to bring this in. I'll bring it up at the dev call tomorrow, although @tridge will not be there (he's rock'n ArduPilot at the outback Challenge this week!) |
|
Hello guys, these feature was abandoned? It's a very important feature!! |
|
@viniciusknabben could you give an evaluation as to whether #3703 removes the utility of this PR, or whether an additional check might be worthwhile, please? |
@peterbarker do you mean whether #9506 removes the utility of this PR? |
|
I think there is useful information like the parachute release with an altitude error. in cases the plane is falling with stall prevention it may not trigger the critical sink and end up crashing The general idea i think is pretty much the same @magicrub bring up that the is_flying flag may deny the parachute opening during a stall: #3703 (comment) the delay to remove miss triggering was suggested by @tridge and i've made the changes in 76164cd |
|
does need a rebase now. |
|
I think this could be closed now, and maybe if there's anything in thats 'special' it could use scripting. discussed briefly with tridge and he agreed. |
This is essentially an implementation of what is described in #2553 (comment).