6 replies to this topic

[lmz]

Hi all,

I'm implementing a binary HITL protocol and dived for this into the OP code. It seems that the current HITL approach depends on the UAVObjects for all actuators to be set to read-only to prevent motors and servos from starting to move during HITL.

Given my experience with adding a new HITL comm protocol it seems however like this choice is kind of dangerous, especially if you would e.g. add a new type of actuator and the HITL developers fail to set all required output objects to read-only.
Given the huge health risk an electric airplane going at full speed on your office table poses, I would like to propose to add a flag that system-wide announces HITL.

To enforce that this flag is checked by actuator drivers, I would propose to add a new state to FLIGHTSTATUS_ARMED, namely FLIGHTSTATUS_ARMED_HIL. All actuators should anyway check the armed status and should only be enabled if the status is FLIGHTSTATUS_ARMED_ARMED. So the new state does not change the current behaviour, but makes sure HIL is safe.

Higher-level software such as mission scripts could then check if the state is either FLIGHTSTATUS_ARMED_ARMED or FLIGHTSTATUS_ARMED_HIL and act in both modes. Only the last actuator layer should consider HIL as DISARMED, the higher levels should consider it as ARMED.

This approach is also better than using a dedicated HIL state flag, because it makes sure it is checked and implemented at the critical locations.

-Lorenz

[peabody124]

That sounds reasonable to me.  Can the guys that do more of the simulation stuff comment please?

[Corvus Corax]

Yeah, we could make the Armed flag Tri-state with states:

- Disarmed
- Armed
- HITL

Only in true "Armed" state are Motors or similar dangerous output channels allowed to move, while other modules (Stabilization, Guidance) should treat HiTL as they do armed.

Personally I think it's quite nice though to have servo's move in hitl as long as they control non-dangerous control surfaces. It's nice to have for debugging.

[peabody124]

Corvus Corax, on 30 August 2011 - 02:50 PM, said:

Yeah, we could make the Armed flag Tri-state with states:

- Disarmed
- Armed
- HITL

Only in true "Armed" state are Motors or similar dangerous output channels allowed to move, while other modules (Stabilization, Guidance) should treat HiTL as they do armed.

Personally I think it's quite nice though to have servo's move in hitl as long as they control non-dangerous control surfaces. It's nice to have for debugging.

We'd need to make a decision about that.  I can see the utility although I would say if we are doing this we go whole-hog and shut down all outputs.

[dankers]

peabody124, on 30 August 2011 - 03:44 PM, said:

We'd need to make a decision about that.  I can see the utility although I would say if we are doing this we go whole-hog and shut down all outputs.

I agree, I totally understand how cool it is to see the servos move but there is a huge risk involved as well. Shutting down all outputs is the safest approach to be honest.

[Corvus Corax]

agreed

[peabody124]

Yeah this change is in review but it needs a bit of GCS love to make sure it really is safe and not pretending