Improve APA safety: pitot validation, reduced gains, safe defaults #11222
Conversation
PR Compliance Guide 🔍All compliance sections have been disabled in the configurations. |
![qodo-code-review[bot]](https://avatars.githubusercontent.com/in/484649?s=60&v=4){kind=small}
sensei-hacker
force-pushed
the
implement-pitot-sensor-validation
branch
2 times, most recently
from
d38c246 to
9afef93
Compare
Implements pitot sensor validation by comparing hardware pitot readings against virtual airspeed (GPS + wind estimator). Detects blocked or failed pitot tubes and automatically falls back to GPS-based airspeed. Features: - Compares pitot against virtual airspeed (wind-corrected, not raw GPS) - Wide thresholds (30%-200%) catch gross failures while avoiding false positives - Sustained failure detection (1 second) before declaring sensor failed - Automatic fallback to GPS airspeed when pitot fails validation - OSD warning displays "PITOT FAIL" when sensor invalid - Automatic recovery after 0.5 seconds of good readings - Conservative approach: only validates when GPS available and moving >7 m/s Safety improvements: - Detects blocked pitot tubes (forgotten cover, insects, ice) - Prevents dangerous high gains with invalid pitot data - Maintains aircraft controllability when pitot fails - Clear pilot awareness via OSD warning Addresses GitHub issue #11208
Changes to Airspeed-based PID Attenuation (APA) for fixed-wing aircraft: 1. Reduced I-term scaling aggressiveness - I-term now scales with (apa_pow/100 - 1) instead of apa_pow/100 - Example: apa_pow=120 → I uses 0.20 exponent vs 1.20 for P/D/FF - Prevents integral windup and overshoot - Follows industry best practice (Betaflight, ArduPilot) - Maintains trim stability across speed range 2. Reduced maximum gain increase from 200% to 150% - Changed upper constraint from 2.0 to 1.5 - Prevents excessive gain multiplication at low speeds - More conservative approach reduces control sensitivity spikes - Still provides adequate authority for slow-speed flight 3. Changed default apa_pow from 120 to 0 (disabled) - APA now opt-in for safety - Users must explicitly enable after validating pitot sensor - Updated description to reflect new behavior - Safer default for new users Control theory rationale: - P/D/FF scaling compensates for dynamic pressure (½ρV²) - I-term serves different purpose (steady-state trim) - Aggressive I scaling causes windup and oscillation - Conservative I scaling improves control stability Combined with pitot validation (previous commit), these changes provide comprehensive safety improvements for APA feature. Addresses GitHub issue #11208
sensei-hacker
force-pushed
the
implement-pitot-sensor-validation
branch
from
9afef93 to
80ec5cd
Compare
Clamp airspeed to 100-20000 cm/s (3.6-720 km/h) before using in power calculations to prevent: - Division by zero or near-zero values - NaN results from invalid airspeed readings - Overflow from extreme values The constrainf() output clamps are still in place as the final safeguard, but this prevents bad intermediate calculations.
|
I have a couple of questions:
I agree with |
|
Excellent questions, thank you!
This is what I'm seeing; please tell me if you see anywhere I am mistaken: getVirtualAirspeedEstimate() returns 0 if GPS is not available So the pitot reading is treated as plausible and the failure counter in pitotValidForAirspeed() does not increase -- APA is used. I am also attaching a PDF with flowcharts and a decision table. That document is of course not authoritative - the code is.
wind_estimator.c will virtually never deem the wind estimate unreliable while the aircraft is moving, so let's consider the case where the wind estimator calls itself reliable, but the data isn't great. Suppose the following actual speeds: The pitot will be treated as plausible if reading is between 30-200% of the estimate. Let's try another: Still not even close to being treated as implausible. What if we fly really slow, only 10 km/h actual airspeed, with a strong tailwind? (With the wind being stronger than our airspeed, which will mess up other things) NOW it wouldn't be trusted and would revert to the existing TPA behavior, if the stale wind estimate is four times higher than our airspeed.
What gains (and therefore effective P-term and D-term) are "required" is of course a bit subjective and hard to measure - the PID loop will make things work with a range of PID/FF values. So this is an area it would be good to get feedback from testers - preferably with very clear observations of behavior, and blackbox logs would be wonderful. The earlier testing (RC4) improperly scaled the I-term changes, probably overdriving I and making the low-speed tests no longer applicable. 150 (50% increase) is conservative, IMHO. But 0% flew just fine for years before we had TPA. |
Shouldn't this instead be false; as there is no way to validate the airspeed sensor? So we don't know if it's reading is plausible or not. Erring on the side of caution, but it is a safety feature. It does tie having an airspeed sensor to needing a GPS. But we could always make an explicit parameter, with a warning, to bypass that safety check if no GPS is found. Then it's the pilot's responsibility if they disable the safety feature and things go wrong.
I seem to recall that the wind estimate is marked as stale (unreliable) after 10 minutes of flying in the same direction. It will show an X in the OSD to warn that the wind speed reading is stale.
Honestly, I'd have expected that to start being close to implausible. 200% seems like a big difference. If I'm seeing 20km/h difference at those sorts of speeds. I start not trusting the airspeed sensor. Usually calibration could be out. But not that the tube is blocked (unless it's reading wildly under). I'm visually looking at +/- ~30% difference at most for my known flying speed. Usually it is much closer, easily within 5-10%. Perhaps this could issue a calibration warning on the OSD. Then not fully trust the airspeed at higher values?
I'll trust the opinions of the @Jetrell and the guys who were testing this extensively with regard to this. I just wouldn't want to make this feature inapplicable in some applications. Especially when it's the result of one guy, who likely had his PIDs tuned too tightly. |
I'm showing 15 minutes without a combined change in pitch and yaw, 11.5 degrees. A bit higher than I was thinking. #define WINDESTIMATOR_TIMEOUT 60*15 // 15min with out altitude change
Let's consider what we do with other sensors. If the gyro is giving reasonable readings, maybe 30 degrees per second, and we have no other sensor to cross-validate, do we throw out the gyro reading, mark it as untrusted? If the GPS is giving reasonable location and speed readings, and we have no other location sensor to cross-validate, do we throw out the GPS reading, mark it as untrusted? Heck, if the RC commands from the receiver are reasonable values 1000us-2000us and we have no other source to cross-validate ... If every source of input required two independent sources -- well we'd be Ardupilot. 😀
Would you rather trust that the ground speed is the same as the airspeed? (Which will never be true for an airplane in flight). So long as the airspeed sensor isn't giving clearly questionable readings (-1, or INT16_MAX), I would treat it as the most reliable source of airspeed data, barring clear reason not to. Full scale pilots are trained that if your pitot says one thing and your eyes say another, trust your instruments more than your eyes. Given reasonable readings, I would certainly trust it more than the alternatives, which are guaranteed to be wrong.
Jetrell is amazing. And cross-validation is always good when can get it, so I'd also love to hear from anyone else who has some data. Especially with blackbox data. "Data is king." |
|
To be honest, with ground speed + wind speed available. I would use that as a pretty good indicator within reason. Certainly enough for a sanity check. If it's more than +/-50% off. Something is wrong. I completely agree with not trusting your eyes. Anyone who's flown lowish over water knows how deceiving that is. But, I would also say there are big differences between full size pitots and the size most people are using. The hole is tiny on the hobby tubes. I've seen a couple of occurrences of them getting foreign matter in there. It doesn't always completely block the tube too. So you still get readings. They're just off. We actually moved to a larger pitot tube to get away from this issue. But people in the hobby wouldn't. Mainly because of thse size. So would I 100% trust a pitot tube over everything else at the hobby scale? No. |
I would love to see those blackbox logs and see if higher-frequency components of the reading fluctuate a lot more than a clear tube, or any other signs we could pay attention to. I suppose a sudden drop in reported airspeed that doesn't correlate with either accelerometer or GPS could be a clue. If the airspeed drops from 60 km/h to 20 km/h in just 20 milliseconds, something is wrong. That would be a deceleration of 30G. I'm more comfortable looking at things like that. A bug strike or similar would be a sudden event, a sudden big change in reported speed. We pretty much know the aircraft didn't decelerate at 30G and remain in one piece, so that gives us a solid reason to say something is wrong with that pitot data. |
|
After again reviewing the changes @sensei-hacker made in these commits. It seems like it now accounts for far more failure conditions.
@MrD-RC I think that tuning the PID's too tight could always be a point of concern. Because it leaves little room for sensor deviation. I made a few notes about that in the Wiki. Edit : @sensei-hacker we are heading off soon. But I'll have a quick look and see if I can find that log to DM it to you. |
|
I started to write a draft for these changes to update the wiki once this is tested and merged. You may say. Isn't it the same attenuation/boost scaling as before. And the answer is yes. But now the base gains are tuned much tighter than they ever were with the old TPA/B method. And the dynamic gain control over TPA is much smoother and more incremental than before. With it always making adjustments as the planes pitch attitude changes. I'll explain. The defaults for TPA + Pitch angle are as followed -
And when it comes to the APA side of things. I consider the default of |
|
Thanks, Jetrell. That all makes sense about the default TPA + Pitch angle settings. Some of this comes back to a fundamental oversight in how TPA is currently implemented. The fundamental problem is that it currently treats a commanded change of setpoint from pilot input the same as a uncommanded change of attitude from a wind gust or from pitch-roll coupling. Treats trying to change the attitude the same as resisting a change of attitude. The proper response is different between those two. Between a command to change the setpoint vs an uncommanded disturbance to attitude. Trying to treat them as the same is what makes the tuning and settings necessary - trying to balance two things that shouldn't be mixed together at all. It's same thing that was discussed with the exponent for pow_apa. I'll have a PR for that in a future version. The exponent should actually be 1, 2, or 0, depending on what you're trying to accomplish (the term). Are you trying to change course (commanding a change to the setpoint, feed-forward FF), or are you trying to resist the force of the camera gimbal acting as a rudder (uncommanded disturbance, the P-term)? The setting exists only because the current *PA code mixes these different things together, requiring a compromise between the correct value of 1 and the correct value of 2, for the different things. Trying to find a value you can live with for both when the correct value is 1 for the first thing and 2 for the second thing. Separating them will especially help for tailless planes ("flying wings"). If you command pitch, TPA should be applied at ^2 to the pitch commmand. But you will also get uncommanded roll and yaw because elevons. That correction should either not be TPAed at all, or arguably linearly. Treating them the same as why you have to do the testing and tuning to try to find a balance you can live with. So the to account for the fact that the pilot is WANTING the attitude to change. But that's for future work. For now, we can adjust the default settings to work best with the TPA code we have. |
|
Gave this branch a try, quick first flight locally to test compile and flashing, had no issues and gave it the beans on 6s. Went out to a spot with some more room to test failures and first test with pitot sock left on failed. The code did not detect the poor data and did not display a OSD warning and I felt the impact of the increased gains almost immediately, could not test for long however as I had an ESC failure about 20sec into the flight so not much log data. Had to land some distance away from me that took a while to retrieve, so most of the log is just me fiddling the sticks on my walk to collect the airframe. Worth noting I set the TPA rate to 0 and breakpoint to 2000 so it would not come into play during the simulated airspeed sensor data failure. |
User description
Summary
Improves safety of Airspeed-based PID Attenuation (APA) feature with automatic pitot sensor validation and more conservative gain limits.
Changes
Pitot Sensor Validation:
Safer Gain Limits:
Safe Defaults:
Testing
Related Issues
Closes #11208