Safety
Last updated
PX4 has a number of safety features to protect and recover your vehicle if something goes wrong:
Failsafes allow you to specify areas and conditions under which you can safely fly, and the action that will be performed if a failsafe is triggered (for example, landing, holding position, or returning to a specified point). The most important failsafe settings are configured in the QGroundControl Safety Setup page. Others must be configured via parameters.
Emergency switches on the remote control can be used to immediately stop the motors or return the vehicle in the event of a problem.
When a failsafe is triggered, the default behavior (for most failsafes) is to enter Hold for a configurable number of seconds before performing the associated failsafe action. This gives the user time to notice what is happening and override the failsafe if needed. In most cases this can be done by using RC or a GCS to switch modes (note that during the failsafe hold, moving the RC sticks does not trigger an override).
The list below shows the set of all failsafe actions, ordered in increasing severity. Note that different types of failsafe may not support all of these actions.
None/Disabled
No action. The failsafe will be ignored.
Warning
A warning message will be sent (i.e. to QGroundControl).
Hold
The vehicle will enter Hold mode. For multicopters this means the vehicle will hover, while for fixed-wing the vehicle will circle.
Land
The vehicle will enter Land mode and land immediately.
Disarm
Stops the motors immediately.
If multiple failsafes are triggered, the more severe action is taken. For example, if both RC and GPS are lost, and the action configured for manual control loss is less severe than the Land action configured for GCS link loss, Land is executed.
:::tip The exact behavior when different failsafes are triggered can be tested with the . :::
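The two rules above (the most severe configured action wins, and most actions are preceded by a hold window that a deliberate mode switch can cancel) are small enough to model directly. The following is an added example written for this page, not PX4 code: the severity order follows the action list above (with Return and Terminate placed as in the RC Loss and Data Link Loss action lists), and treating Disarm and Terminate as immediate rather than held is an assumption of the model.

```python
from enum import IntEnum
from typing import Dict, Optional


class FailsafeAction(IntEnum):
    """Failsafe actions in increasing order of severity (as listed on this page)."""
    NONE = 0       # failsafe ignored
    WARNING = 1    # message to the GCS only
    HOLD = 2       # hover (multicopter) or circle (fixed-wing)
    RETURN = 3     # return to home
    LAND = 4       # land immediately
    DISARM = 5     # stop the motors
    TERMINATE = 6  # flight termination (outputs set to failsafe values)


def resolve_action(triggered: Dict[str, FailsafeAction]) -> FailsafeAction:
    """Pick the action to execute when several failsafes are active at once.

    `triggered` maps a failsafe name to the action configured for it; the most
    severe configured action wins, and no active failsafe means no action.
    """
    if not triggered:
        return FailsafeAction.NONE
    return max(triggered.values())


class FailsafeSequencer:
    """Models the 'hold first, then act' default described above.

    Hypothetical helper: on trigger the vehicle enters Hold for `hold_delay_s`;
    a mode switch from RC or GCS inside that window cancels the pending action.
    Disarm and Terminate are treated as immediate (an assumption of this model).
    """

    def __init__(self, hold_delay_s: float) -> None:
        self.hold_delay_s = hold_delay_s
        self.pending: Optional[FailsafeAction] = None
        self.deadline: Optional[float] = None

    def trigger(self, now: float, action: FailsafeAction) -> FailsafeAction:
        """Raise a failsafe at time `now`; returns the mode entered right away."""
        if action <= FailsafeAction.WARNING:
            return action                  # nothing to sequence
        if action >= FailsafeAction.DISARM:
            return action                  # assumed immediate
        self.pending = action
        self.deadline = now + self.hold_delay_s
        return FailsafeAction.HOLD

    def user_override(self) -> None:
        """A deliberate mode change during the hold cancels the pending action."""
        self.pending = None
        self.deadline = None

    def step(self, now: float) -> Optional[FailsafeAction]:
        """Advance time; returns the action executed once the hold expires."""
        if self.pending is None or self.deadline is None or now < self.deadline:
            return None
        action = self.pending
        self.pending, self.deadline = None, None
        return action


if __name__ == "__main__":
    # Constructed scenario: RC loss configured to Hold, data link loss to Land.
    print(resolve_action({"rc_loss": FailsafeAction.HOLD,
                          "datalink_loss": FailsafeAction.LAND}).name)
    seq = FailsafeSequencer(hold_delay_s=5.0)
    print(seq.trigger(0.0, FailsafeAction.RETURN).name, seq.step(5.0))
```

`step` is what a control loop would call each cycle; it returns `None` until the hold expires, which is where an RC or GCS mode change (`user_override`) still has effect.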
The QGroundControl Safety Setup page is accessed by clicking the QGroundControl icon, then Vehicle Setup, and then Safety in the sidebar. It includes the most important failsafe settings (battery, RC loss etc.) and the settings for the triggered actions Return and Land.
The low battery failsafe is triggered when the battery capacity drops below one or more warning level values.
The most common configuration is to set the values and action as above (with Warn > Failsafe > Emergency). With this configuration the failsafe will trigger a warning, then return, and finally landing if capacity drops below the respective levels.
The settings and underlying parameters are shown below.
Failsafe Action
Battery Warn Level
Percentage capacity for warnings (or other actions).
Battery Failsafe Level
Percentage capacity for Return action (or other actions if a single action selected).
Battery Emergency Level
Percentage capacity for triggering Land (immediately) action.
The RC Loss failsafe may be triggered if the RC transmitter link is lost.
Additional (and underlying) parameter settings are shown below.
RC Loss Timeout
Time after RC stops updating supplied data that the RC link is considered lost. This must be kept short because the vehicle will continue to fly using the old RC data until the timeout triggers.
Failsafe Reaction Delay
Delay in seconds between the failsafe condition being triggered (COM_RC_LOSS_T) and the failsafe action (RTL, Land, Hold). In this state the vehicle waits in hold mode for the RC system to reconnect. This might be set longer for long-range flights so that intermittent connection loss doesn't immediately invoke the failsafe. It can be set to zero so that the failsafe triggers immediately.
Failsafe Action
Disabled, Loiter, Return, Land, Disarm, Terminate.
RC Loss Exceptions
Set the modes in which RC loss is ignored: Mission, Hold, Offboard.
The settings and underlying parameters are shown below.
Data Link Loss Timeout
Amount of time after losing the data connection before the failsafe will trigger.
Failsafe Action
Disabled, Hold mode, Return mode, Land mode, Disarm, Terminate.
The Geofence Failsafe is a "virtual" cylinder centered around the home position. If the vehicle moves outside the radius or above the altitude the specified Failsafe Action will trigger.
Action on breach
None, Warning, Hold mode, Return mode, Terminate, Land.
Max Radius
Horizontal radius of geofence cylinder. Geofence disabled if 0.
Max Altitude
Height of geofence cylinder. Geofence disabled if 0.
The following settings also apply, but are not displayed in the QGC UI.
Geofence altitude mode
Altitude reference used: 0 = WGS84, 1 = AMSL.
Geofence counter limit
Set how many subsequent position measurements outside of the fence are needed before geofence violation is triggered.
Geofence source
Set whether position source is estimated global position or direct from the GPS device.
Preemptive geofence triggering
(Experimental) Trigger geofence if current motion of the vehicle is predicted to trigger the breach (rather than late triggering after the breach).
Circuit breaker for flight termination
Enables/Disables flight termination action (disabled by default).
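The cylinder geofence, the "disabled if 0" convention, the counter limit and the (experimental) preemptive trigger can be exercised together in a short model. The code below is an added example for this page and is not PX4's geofence implementation; it assumes positions are given in metres relative to home (x east, y north, z up, already in the configured altitude reference) and that the preemptive check simply projects the current velocity forward by a fixed look-ahead time, which is a simplification chosen here.

```python
import math
from dataclasses import dataclass, field
from typing import Optional, Tuple


@dataclass
class CylinderGeofence:
    """Virtual cylinder centred on home (hypothetical helper, not PX4 code).

    A radius or height of 0 disables that limit, as in the settings above.
    """
    max_radius_m: float
    max_alt_m: float
    count_limit: int = 1        # consecutive out-of-fence samples needed (Geofence counter limit)
    predict_s: float = 0.0      # look-ahead for preemptive triggering; 0 disables it
    _violations: int = field(default=0, init=False)

    def outside(self, x: float, y: float, z: float) -> Tuple[bool, bool]:
        """Return (radius_breached, altitude_breached) for one position."""
        radius_breached = self.max_radius_m > 0 and math.hypot(x, y) > self.max_radius_m
        alt_breached = self.max_alt_m > 0 and z > self.max_alt_m
        return radius_breached, alt_breached

    def update(self, x: float, y: float, z: float,
               vx: float = 0.0, vy: float = 0.0, vz: float = 0.0) -> Optional[str]:
        """Feed one position (and optionally velocity) sample.

        Returns "breach" once `count_limit` consecutive samples are outside the
        fence, "predicted" if the projected position would be outside, else None.
        A single in-fence sample resets the violation counter.
        """
        radius_breached, alt_breached = self.outside(x, y, z)
        if radius_breached or alt_breached:
            self._violations += 1
            return "breach" if self._violations >= self.count_limit else None
        self._violations = 0
        if self.predict_s > 0:
            px, py, pz = x + vx * self.predict_s, y + vy * self.predict_s, z + vz * self.predict_s
            if any(self.outside(px, py, pz)):
                return "predicted"
        return None


if __name__ == "__main__":
    # Constructed track: 100 m radius, 50 m ceiling, three samples needed.
    fence = CylinderGeofence(max_radius_m=100.0, max_alt_m=50.0, count_limit=3)
    for sample in [(120.0, 0.0, 10.0)] * 3:
        print(fence.update(*sample))   # None, None, breach
```

The counter is what keeps a single noisy position fix from triggering the configured action; raising it trades a later trigger for fewer false breaches, which is the same trade-off the preemptive mode makes in the other direction.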
The settings and underlying parameters are shown below:
Climb to altitude
The vehicle ascends to this minimum height (if below it) for the return flight.
Return behaviour
Choice list of Return then: Land, Loiter and do not land, or Loiter and land after a specified time.
Loiter Altitude
If return with loiter is selected you can also specify the altitude at which the vehicle holds.
Loiter Time
If return with loiter then land is selected you can also specify how long the vehicle will hold.
The settings and underlying parameters are shown below:
Disarm After
Select checkbox to specify that the vehicle will disarm after landing. The value must be non-zero but can be a fraction of a second.
Landing Descent Rate
Rate of descent (MC only).
The Position Loss Failsafe is triggered if the quality of the PX4 position estimate falls below acceptable levels (this might be caused by GPS loss) while in a mode that requires an acceptable position estimate.
0: Remote control available. Switch to Altitude mode if a height estimate is available, otherwise Stabilized mode.
1: Remote control not available. Switch to Land mode if a height estimate is available, otherwise enter flight termination.
The relevant parameters for all vehicles are shown below.
Delay after loss of position before the failsafe is triggered.
Position control navigation loss response during mission. Values: 0 - assume use of RC, 1 - Assume no RC.
Parameters that only affect Fixed-wing vehicles:
Loiter time (waiting for GPS recovery before it goes into land or flight termination). Set to 0 to disable.
Fixed roll/bank angle while circling.
The Offboard Loss Failsafe is triggered if the offboard link is lost while under Offboard control. Different failsafe behaviour can be specified based on whether or not there is also an RC connection available.
The relevant parameters are shown below:
Delay after loss of offboard connection before the failsafe is triggered.
Failsafe action if RC is available: Position mode, Altitude mode, Manual mode, Return mode, Land mode, Hold mode.
A number of checks are run to ensure that a mission can only be started if it is feasible. For example, the checks ensure that the first waypoint isn't too far away, and that the mission flight path doesn't conflict with any geofences.
The relevant parameters are shown below:
Set the failsafe action: Disabled, Warn, Return mode, Land mode.
The parameters that control when the quad-chute will trigger are listed in the table below.
Maximum quad-chute height, below which the quad-chute failsafe cannot trigger. This prevents high altitude quad-chute descent, which can drain the battery (and itself cause a crash). The height is relative to ground, home, or the local origin (in preference order, depending on what is available).
Altitude loss threshold for quad-chute triggering during VTOL transition to fixed-wing flight. The quad-chute is triggered if the vehicle falls this far below its initial altitude before completing the transition.
Minimum altitude above Home for fixed-wing flight. When the altitude drops below this value in fixed-wing flight, a quad-chute is triggered.
Absolute roll threshold for quad-chute triggering in FW mode.
Absolute pitch threshold for quad-chute triggering in FW mode.
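The quad-chute conditions above (minimum fixed-wing altitude, altitude shortfall against the commanded setpoint, and the roll and pitch thresholds) can be checked per sample in a few lines. The following is an added example for this page, not PX4 code; the threshold values in it are constructed, and the rule that the uncommanded-descent check only fires while the vehicle is actually losing altitude (so a setpoint that climbs faster than the aircraft can follow does not trigger it) is modelled here by comparing each altitude sample with the previous one.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class QuadChuteConfig:
    """Thresholds corresponding to the settings above (constructed values in the demo)."""
    min_alt_m: float        # minimum altitude above home for fixed-wing flight
    alt_err_m: float        # allowed shortfall below the commanded altitude
    max_roll_deg: float     # absolute roll threshold in FW mode
    max_pitch_deg: float    # absolute pitch threshold in FW mode


class QuadChuteMonitor:
    """Hypothetical model of the quad-chute trigger conditions (not PX4 code)."""

    def __init__(self, cfg: QuadChuteConfig) -> None:
        self.cfg = cfg
        self._last_alt: Optional[float] = None

    def update(self, alt_m: float, alt_sp_m: float,
               roll_deg: float, pitch_deg: float) -> Optional[str]:
        """Feed one fixed-wing sample; returns the reason for a quad-chute, or None."""
        # "Descending" means this sample is lower than the previous one; the
        # altitude-error check is only armed while that holds.
        descending = self._last_alt is not None and alt_m < self._last_alt
        self._last_alt = alt_m
        if abs(roll_deg) > self.cfg.max_roll_deg:
            return "roll"
        if abs(pitch_deg) > self.cfg.max_pitch_deg:
            return "pitch"
        if alt_m < self.cfg.min_alt_m:
            return "min_alt"
        if descending and (alt_sp_m - alt_m) > self.cfg.alt_err_m:
            return "uncommanded_descent"
        return None


if __name__ == "__main__":
    # Constructed thresholds and a short descent track.
    mon = QuadChuteMonitor(QuadChuteConfig(min_alt_m=20.0, alt_err_m=30.0,
                                           max_roll_deg=70.0, max_pitch_deg=60.0))
    for alt in (100.0, 95.0, 60.0):
        print(alt, mon.update(alt, alt_sp_m=100.0, roll_deg=0.0, pitch_deg=0.0))
```

The order of the checks matters only for the reported reason; any of them switches the vehicle to multicopter flight, after which the configured quad-chute action applies.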
The failure detector allows a vehicle to take protective action(s) if it unexpectedly flips, or if it is notified by an external failure detection system.
The failure detector can be configured to trigger if the vehicle attitude exceeds predefined pitch and roll values for longer than a specified time.
The relevant parameters are shown below:
Flight termination circuit breaker. Unset from 121212 (default) to enable flight termination due to FailureDetector or FMU loss.
Maximum allowed pitch (in degrees).
Maximum allowed roll (in degrees).
Enable PWM input on AUX5 or MAIN5 (depending on board) for engaging failsafe from an external automatic trigger system (ATS). Default: Disabled.
The PWM threshold from external automatic trigger system for engaging failsafe. Default: 1900 ms.
This section lists the available emergency switches.
A kill switch immediately stops all motor outputs (and if flying, the vehicle will start to fall)! The motors will restart if the switch is reverted within 5 seconds. After 5 seconds the vehicle will automatically disarm; you will need to arm it again in order to start the motors.
The arm/disarm switch is a direct replacement for the default stick-based arming/disarming mechanism (and serves the same purpose: making sure there is an intentional step involved before the motors start/stop). It might be used in preference to the default mechanism because:
Of a preference of a switch over a stick motion.
It avoids accidentally triggering arming/disarming in-air with a certain stick motion.
There is no delay (it reacts immediately).
Manual mode
Acro mode
Stabilized
For modes that do not support disarming in flight, the switch is ignored during flight, but may be used after landing is detected. This includes Position mode and autonomous modes (e.g. Mission, Land etc.).
You can set timeouts to automatically disarm a vehicle if it is too slow to takeoff, and/or after landing (disarming the vehicle removes power to the motors, so the propellers won't spin).
Timeout for auto-disarm after landing.
Timeout for auto disarm if vehicle is too slow to takeoff.
The vehicle will enter Return mode. Return behaviour can be set in the Return settings (below).
Turns off all controllers and sets all PWM outputs to their failsafe values (e.g. , ). The failsafe outputs can be used to deploy a parachute, landing gear or perform another operation. For a fixed-wing vehicle this might allow you to glide the vehicle to safety.
It is also possible to set the Failsafe Action to warn, return, or land when the failsafe level is reached.
Warn, Return, or Land based when capacity drops below , OR Warn, then return, then land based on each of the level settings below.
:::note PX4 and the receiver may also need to be configured in order to detect RC loss: . :::
The QGroundControl Safety UI allows you to set the and . Users that want to disable the RC loss failsafe in specific automatic modes (mission, hold, offboard) can do so using the parameter .
The Data Link Loss failsafe is triggered if a telemetry link (connection to ground station) is lost when flying a .
:::tip PX4 separately supports more complicated GeoFence geometries with multiple arbitrary polygonal and circular inclusion and exclusion areas: . :::
The settings and underlying parameters are shown below.
:::note Setting GF_ACTION to terminate will kill the vehicle on violation of the fence. Due to the inherent danger of this, this function is disabled using the flight termination circuit breaker (CBRK_FLIGHTTERM), which needs to be reset to 0 to really shut down the system. :::
Return is a common failsafe action that engages Return mode to return the vehicle to the home position. This section shows how to set the land/loiter behaviour after returning.
:::note The return behaviour is defined by . If negative the vehicle will land immediately. Additional information can be found in . :::
Land at the current position is a common failsafe action that engages Land mode. This section shows how to control when and if the vehicle automatically disarms after landing. For multicopters (only) you can additionally set the descent rate.
This section contains information about failsafe settings that cannot be configured through the QGroundControl page.
The failure action is controlled by , based on whether RC control is assumed to be available (and altitude information):
Fixed-wing vehicles and VTOLs in fixed-wing flight additionally have a parameter () that defines how long they will loiter (circle with a constant roll angle () at the current altitude) after losing position before attempting to land. If VTOLs are configured to switch to hover for landing () then they will first transition and then descend.
As these are not strictly speaking "failsafes" they are documented in .
The Traffic Avoidance Failsafe allows PX4 to respond to transponder data (e.g. from ) during missions.
Failsafe for when a VTOL vehicle can no longer fly in fixed-wing mode, perhaps due to the failure of a pusher motor, airspeed sensor, or control surface. If the failsafe is triggered, the vehicle will immediately switch to multicopter mode and execute the action defined in parameter .
:::note The quad-chute can also be triggered by sending a MAVLINK message with param2 set to 1. :::
Quad-chute action after switching to multicopter flight. Can be set to: , , , .
Uncommanded descent quad-chute altitude threshold. In altitude controlled modes, such as , , , or , a vehicle should track its current "commanded" altitude setpoint. The quad chute failsafe is triggered if the vehicle falls too far below the commanded setpoint (by the amount defined in this parameter). Note that the quad-chute is only triggered if the vehicle continuously loses altitude below the commanded setpoint; it is not triggered if the commanded altitude setpoint increases faster than the vehicle can follow.
During flight, the failure detector can be used to trigger if failure conditions are met, which may then launch a parachute or perform some other action.
:::note Failure detection during flight is deactivated by default (enable by setting the parameter: ). :::
During takeoff the failure detector invokes the if the vehicle flips (disarm kills the motors but, unlike flight termination, will not launch a parachute or perform other failure actions). Note that this check is always enabled on takeoff, irrespective of the CBRK_FLIGHTTERM parameter.
The failure detector is active in all vehicle types and modes, except for those where the vehicle is expected to do flips (i.e. , , and ).
Time to exceed for failure detection (default 0.3s).
Time to exceed for failure detection (default 0.3s).
The , if , can also be triggered by an external ATS system. The external trigger system must be connected to flight controller port AUX5 (or MAIN5 on boards that do not have AUX ports), and is configured using the parameters below.
:::note External ATS is required by . One example of an ATS device is the . :::
Remote control switches can be configured (as part of QGroundControl ) to allow you to take rapid corrective action in the event of a problem or emergency; for example, to stop all motors, or activate .
The arm/disarm switch immediately disarms (stops) the motors in modes that support disarming in flight. This includes:
:::note (e.g. via ) are independent of the arm/disarm switch, i.e. even if the switch is armed the timeouts will still work. :::
A return switch can be used to immediately engage .
The are shown below: