Improve APA safety: pitot validation, reduced gains, safe defaults #11222
Conversation
PR Compliance Guide 🔍All compliance sections have been disabled in the configurations. |
![qodo-code-review[bot]](https://avatars.githubusercontent.com/in/484649?s=60&v=4){kind=small}
sensei-hacker
force-pushed
the
implement-pitot-sensor-validation
branch
2 times, most recently
from
d38c246 to
9afef93
Compare
Implements pitot sensor validation by comparing hardware pitot readings against virtual airspeed (GPS + wind estimator). Detects blocked or failed pitot tubes and automatically falls back to GPS-based airspeed. Features: - Compares pitot against virtual airspeed (wind-corrected, not raw GPS) - Wide thresholds (30%-200%) catch gross failures while avoiding false positives - Sustained failure detection (1 second) before declaring sensor failed - Automatic fallback to GPS airspeed when pitot fails validation - OSD warning displays "PITOT FAIL" when sensor invalid - Automatic recovery after 0.5 seconds of good readings - Conservative approach: only validates when GPS available and moving >7 m/s Safety improvements: - Detects blocked pitot tubes (forgotten cover, insects, ice) - Prevents dangerous high gains with invalid pitot data - Maintains aircraft controllability when pitot fails - Clear pilot awareness via OSD warning Addresses GitHub issue #11208
Changes to Airspeed-based PID Attenuation (APA) for fixed-wing aircraft: 1. Reduced I-term scaling aggressiveness - I-term now scales with (apa_pow/100 - 1) instead of apa_pow/100 - Example: apa_pow=120 → I uses 0.20 exponent vs 1.20 for P/D/FF - Prevents integral windup and overshoot - Follows industry best practice (Betaflight, ArduPilot) - Maintains trim stability across speed range 2. Reduced maximum gain increase from 200% to 150% - Changed upper constraint from 2.0 to 1.5 - Prevents excessive gain multiplication at low speeds - More conservative approach reduces control sensitivity spikes - Still provides adequate authority for slow-speed flight 3. Changed default apa_pow from 120 to 0 (disabled) - APA now opt-in for safety - Users must explicitly enable after validating pitot sensor - Updated description to reflect new behavior - Safer default for new users Control theory rationale: - P/D/FF scaling compensates for dynamic pressure (½ρV²) - I-term serves different purpose (steady-state trim) - Aggressive I scaling causes windup and oscillation - Conservative I scaling improves control stability Combined with pitot validation (previous commit), these changes provide comprehensive safety improvements for APA feature. Addresses GitHub issue #11208
sensei-hacker
force-pushed
the
implement-pitot-sensor-validation
branch
from
9afef93 to
80ec5cd
Compare
Clamp airspeed to 100-20000 cm/s (3.6-720 km/h) before using in power calculations to prevent: - Division by zero or near-zero values - NaN results from invalid airspeed readings - Overflow from extreme values The constrainf() output clamps are still in place as the final safeguard, but this prevents bad intermediate calculations.
|
I have a couple of questions:
I agree with |
|
Excellent questions, thank you!
This is what I'm seeing; please tell me if you see anywhere I am mistaken: getVirtualAirspeedEstimate() returns 0 if GPS is not available So the pitot reading is treated as plausible and the failure counter in pitotValidForAirspeed() does not increase -- APA is used. I am also attaching a PDF with flowcharts and a decision table. That document is of course not authoritative - the code is.
wind_estimator.c will virtually never deem the wind estimate unreliable while the aircraft is moving, so let's consider the case where the wind estimator calls itself reliable, but the data isn't great. Suppose the following actual speeds: The pitot will be treated as plausible if reading is between 30-200% of the estimate. Let's try another: Still not even close to being treated as implausible. What if we fly really slow, only 10 km/h actual airspeed, with a strong tailwind? (With the wind being stronger than our airspeed, which will mess up other things) NOW it wouldn't be trusted and would revert to the existing TPA behavior, if the stale wind estimate is four times higher than our airspeed.
What gains (and therefore effective P-term and D-term) are "required" is of course a bit subjective and hard to measure - the PID loop will make things work with a range of PID/FF values. So this is an area it would be good to get feedback from testers - preferably with very clear observations of behavior, and blackbox logs would be wonderful. The earlier testing (RC4) improperly scaled the I-term changes, probably overdriving I and making the low-speed tests no longer applicable. 150 (50% increase) is conservative, IMHO. But 0% flew just fine for years before we had TPA. |
Shouldn't this instead be false; as there is no way to validate the airspeed sensor? So we don't know if it's reading is plausible or not. Erring on the side of caution, but it is a safety feature. It does tie having an airspeed sensor to needing a GPS. But we could always make an explicit parameter, with a warning, to bypass that safety check if no GPS is found. Then it's the pilot's responsibility if they disable the safety feature and things go wrong.
I seem to recall that the wind estimate is marked as stale (unreliable) after 10 minutes of flying in the same direction. It will show an X in the OSD to warn that the wind speed reading is stale.
Honestly, I'd have expected that to start being close to implausible. 200% seems like a big difference. If I'm seeing 20km/h difference at those sorts of speeds. I start not trusting the airspeed sensor. Usually calibration could be out. But not that the tube is blocked (unless it's reading wildly under). I'm visually looking at +/- ~30% difference at most for my known flying speed. Usually it is much closer, easily within 5-10%. Perhaps this could issue a calibration warning on the OSD. Then not fully trust the airspeed at higher values?
I'll trust the opinions of the @Jetrell and the guys who were testing this extensively with regard to this. I just wouldn't want to make this feature inapplicable in some applications. Especially when it's the result of one guy, who likely had his PIDs tuned too tightly. |
I'm showing 15 minutes without a combined change in pitch and yaw, 11.5 degrees. A bit higher than I was thinking. #define WINDESTIMATOR_TIMEOUT 60*15 // 15min with out altitude change
Let's consider what we do with other sensors. If the gyro is giving reasonable readings, maybe 30 degrees per second, and we have no other sensor to cross-validate, do we throw out the gyro reading, mark it as untrusted? If the GPS is giving reasonable location and speed readings, and we have no other location sensor to cross-validate, do we throw out the GPS reading, mark it as untrusted? Heck, if the RC commands from the receiver are reasonable values 1000us-2000us and we have no other source to cross-validate ... If every source of input required two independent sources -- well we'd be Ardupilot. 😀
Would you rather trust that the ground speed is the same as the airspeed? (Which will never be true for an airplane in flight). So long as the airspeed sensor isn't giving clearly questionable readings (-1, or INT16_MAX), I would treat it as the most reliable source of airspeed data, barring clear reason not to. Full scale pilots are trained that if your pitot says one thing and your eyes say another, trust your instruments more than your eyes. Given reasonable readings, I would certainly trust it more than the alternatives, which are guaranteed to be wrong.
Jetrell is amazing. And cross-validation is always good when can get it, so I'd also love to hear from anyone else who has some data. Especially with blackbox data. "Data is king." |
|
To be honest, with ground speed + wind speed available. I would use that as a pretty good indicator within reason. Certainly enough for a sanity check. If it's more than +/-50% off. Something is wrong. I completely agree with not trusting your eyes. Anyone who's flown lowish over water knows how deceiving that is. But, I would also say there are big differences between full size pitots and the size most people are using. The hole is tiny on the hobby tubes. I've seen a couple of occurrences of them getting foreign matter in there. It doesn't always completely block the tube too. So you still get readings. They're just off. We actually moved to a larger pitot tube to get away from this issue. But people in the hobby wouldn't. Mainly because of thse size. So would I 100% trust a pitot tube over everything else at the hobby scale? No. |
I would love to see those blackbox logs and see if higher-frequency components of the reading fluctuate a lot more than a clear tube, or any other signs we could pay attention to. I suppose a sudden drop in reported airspeed that doesn't correlate with either accelerometer or GPS could be a clue. If the airspeed drops from 60 km/h to 20 km/h in just 20 milliseconds, something is wrong. That would be a deceleration of 30G. I'm more comfortable looking at things like that. A bug strike or similar would be a sudden event, a sudden big change in reported speed. We pretty much know the aircraft didn't decelerate at 30G and remain in one piece, so that gives us a solid reason to say something is wrong with that pitot data. |
|
After again reviewing the changes @sensei-hacker made in these commits. It seems like it now accounts for far more failure conditions.
@MrD-RC I think that tuning the PID's too tight could always be a point of concern. Because it leaves little room for sensor deviation. I made a few notes about that in the Wiki. Edit : @sensei-hacker we are heading off soon. But I'll have a quick look and see if I can find that log to DM it to you. |
User description
Summary
Improves safety of Airspeed-based PID Attenuation (APA) feature with automatic pitot sensor validation and more conservative gain limits.
Changes
Pitot Sensor Validation:
Safer Gain Limits:
Safe Defaults:
Testing
Related Issues
Closes #11208