PX4-Autopilot: Improving Safety Documentation (All Failsafe Scenarios)

Hello,

I’m currently working on safety of PX4. And there are some gaps between documentation and PX4 stack. Especially there is only one mention about what is the scenario when 2 failsafe actions come up.

If a failsafe occurs while the vehicle is responding to another failsafe (e.g. Low battery while in Return mode due to RC Loss), the specified failsafe action for the second trigger is ignored. Instead the action is determined by separate system level and vehicle specific code. This might result in the vehicle being changed to a manual mode so the user can directly manage recovery.

So I tried all scenario between failsafes’ actions on the SiTL. Firstly I simulated 1 failsafe and waited to PX4 perform action of failsafe. Then I simulated another failsafe and I’ve checked to see if it’s override first failsafe action. Table 1 shows this overriding cases and some notes about all failsafes. Table shows that, for example, when “RC Loss” occurs and executes RC failsafe action, if “Low Battery” occurs then PX4 stops “RC Loss” action and executes “Low Battery” failsafe action.

Table 1: 2 failsafe status comparison when they occur together.

NOTE 5: Issue number #4876

Tested on:

HW arch: PX4_SITL
FW git-hash: b8b7527d052a19dd31a51ded7cabd6d821ef67a5
FW version: 1.10.0 80 (17432704)
FW git-branch: master
OS: Linux
OS version: Release 5.0.0 (83886335)
Build datetime: Nov  6 2019 14:49:56
Build uri: localhost
Toolchain: GNU GCC, 7.4.0
PX4GUID: 1006554d49534954414c44494e4f3030303

If there is any specific documentation or issue please let me know.

Thanks!