diff --git a/src/modules/redundancy/CMakeLists.txt b/src/modules/redundancy/CMakeLists.txt
new file mode 100644
index 000000000000..c40e3ee6a084
--- /dev/null
+++ b/src/modules/redundancy/CMakeLists.txt
@@ -0,0 +1,40 @@
+############################################################################
+#
+# Copyright (c) 2024 Technology Innovation Institute. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+#
+# 1. Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright
+# notice, this list of conditions and the following disclaimer in
+# the documentation and/or other materials provided with the
+# distribution.
+# 3. Neither the name PX4 nor the names of its contributors may be
+# used to endorse or promote products derived from this software
+# without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+# FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+# COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
+# BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS
+# OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED
+# AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
+# ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+# POSSIBILITY OF SUCH DAMAGE.
+#
+############################################################################
+
+px4_add_module(
+ MODULE modules__redundancy
+ MAIN redundancy
+ COMPILE_FLAGS
+ SRCS
+ redundancy.cpp
+ )
diff --git a/src/modules/redundancy/Kconfig b/src/modules/redundancy/Kconfig
new file mode 100644
index 000000000000..281270ca09c7
--- /dev/null
+++ b/src/modules/redundancy/Kconfig
@@ -0,0 +1,12 @@
+menuconfig MODULES_REDUNDANCY
+ bool "Redundant FCs present"
+ default n
+ ---help---
+ Enable support for FC redundancy, i.e. multiple FCs on the drone
+
+menuconfig USER_REDUNDANCY
+ bool "Redundancy running as userspace module"
+ default y
+ depends on BOARD_PROTECTED && MODULES_REDUNDANCY
+ ---help---
+ Put redundancy in userspace memory
diff --git a/src/modules/redundancy/redundancy.cpp b/src/modules/redundancy/redundancy.cpp
new file mode 100644
index 000000000000..5764d11c4c99
--- /dev/null
+++ b/src/modules/redundancy/redundancy.cpp
@@ -0,0 +1,365 @@ +/**************************************************************************** + * + * Copyright (c) 2024 Technology Innovation Institute. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * 3. Neither the name PX4 nor the names of its contributors may be + * used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS + * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + * COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, + * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS + * OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED + * AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN + * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + * POSSIBILITY OF SUCH DAMAGE. 
+ * + ****************************************************************************/ + +#include +#include "redundancy.hpp" +#include +#include +#include +#include + +using namespace time_literals; + +const unsigned REDUNDANCY_INTERVAL_US = 10_ms; + +Redundancy::Redundancy() : + ScheduledWorkItem(MODULE_NAME, px4::wq_configurations::nav_and_controllers) +{ +} + +Redundancy::~Redundancy() +{ +} + +bool Redundancy::send_vehicle_command(uint16_t cmd, float param1 = NAN, float param2 = NAN) +{ + vehicle_command_s vcmd = {}; + vcmd.timestamp = hrt_absolute_time(); + vcmd.param1 = param1; + vcmd.param2 = param2; + vcmd.param3 = NAN; + vcmd.param4 = NAN; + vcmd.param5 = (double)NAN; + vcmd.param6 = (double)NAN; + vcmd.param7 = NAN; + vcmd.command = cmd; + vcmd.target_system = _status[_controller_idx].system_id; + vcmd.target_component = _status[_controller_idx].component_id; + + /* publish the vehicle command */ + return _pub_vehicle_command.publish(vcmd); +} + +void Redundancy::force_arm() +{ + /* 21196: force arming/disarming (e.g. allow arming to override preflight checks and disarming in flight) */ + send_vehicle_command(vehicle_command_s::VEHICLE_CMD_COMPONENT_ARM_DISARM, + static_cast(vehicle_command_s::ARMING_ACTION_ARM), + 21196.f); +} + +void Redundancy::force_disarm() +{ + /* 21196: force arming/disarming (e.g. 
allow arming to override preflight checks and disarming in flight) */ + send_vehicle_command(vehicle_command_s::VEHICLE_CMD_COMPONENT_ARM_DISARM, + static_cast(vehicle_command_s::ARMING_ACTION_DISARM), + 21196.f); +} + +void Redundancy::manage_primary_arming() +{ + static int redundant_controllers_arming; + const int wait_max = 1_s / REDUNDANCY_INTERVAL_US; + bool armed = _status[PRIMARY_FC_IDX].arming_state == vehicle_status_s::ARMING_STATE_ARMED; + + if (!armed) { + redundant_controllers_arming = 0; + } + + bool spares_armed = true; + + for (int i = 1; i < _n_autopilots; i++) { + if (_status[PRIMARY_FC_IDX + i].arming_state != vehicle_status_s::ARMING_STATE_ARMED) { + spares_armed = false; + } + } + + if (!spares_armed && + redundant_controllers_arming == wait_max) { + PX4_ERR("Spare controller not functional, disarming!"); + + force_disarm(); + } + + /* Armed; wait for secondary FCs to arm */ + + if (armed && redundant_controllers_arming < wait_max) { + /* Check that all the configured redundant controllers are armed */ + + if (spares_armed) { + PX4_INFO("Spare controllers armed OK"); + + /* Set the counter to wait_max + 1. This prevents + * disarming the primary in case the secondary disarms + * during flight + */ + + redundant_controllers_arming = wait_max + 1; + + } else { + redundant_controllers_arming++; + } + } +} + +void Redundancy::manage_spare_arming() +{ + bool armed = _status[_controller_idx].arming_state == vehicle_status_s::ARMING_STATE_ARMED; + + /* Arm if primary FC is armed */ + + if (!armed && _status[PRIMARY_FC_IDX].arming_state == vehicle_status_s::ARMING_STATE_ARMED) { + PX4_INFO("Arming as primary FC armed"); + + force_arm(); + } +} + +void Redundancy::manage_spare_disarming() +{ + static bool armed = false; + static int landed = -1; + + /* Auto-disarm for spare controllers disabled? 
*/ + + if (_auto_disarm_min_time < 0) { + return; + } + + const int landed_max = _auto_disarm_min_time * 1000000 / REDUNDANCY_INTERVAL_US; + + /* Auto-disarm in 4 seconds after landing if primary is + * disarmed. TODO: Separate parameter for redundant FC auto disarm delay + */ + + /* Reset counter if we are airborne or we just armed */ + + if (!_landed.landed || + (!armed && _status[_controller_idx].arming_state == vehicle_status_s::ARMING_STATE_ARMED)) { + landed = landed_max; + } + + armed = _status[_controller_idx].arming_state == vehicle_status_s::ARMING_STATE_ARMED; + + /* If we are landed, decrement counter */ + + if (_landed.landed && landed > 0) { + landed--; + } + + /* We have been landed the needed time, allowed to disarm as soon as primary is disarmed. + * Primary FC timeout is handled as if it was disarmed. This enables auto-disarm + * in case primary FC is completely died + */ + + if (landed == 0 && armed && + (_status[PRIMARY_FC_IDX].arming_state != vehicle_status_s::ARMING_STATE_ARMED || + _autopilot_timeout[PRIMARY_FC_IDX])) { + PX4_INFO("Disarming as landed and primary disarmed"); + force_disarm(); + landed = -1; + } +} + +void Redundancy::manage_primary() +{ + manage_primary_arming(); +} + +void Redundancy::manage_spare() +{ + manage_spare_arming(); + manage_spare_disarming(); +} + +void Redundancy::update_subs() +{ + const hrt_abstime timeout_time = 500_ms; + static unsigned autopilot_timeout_hysteresis[vehicle_status_s::MAX_REDUNDANT_CONTROLLERS] {}; + const unsigned recovery_count = 1_s / REDUNDANCY_INTERVAL_US; + + /* Manage heartbeats and update timeouts */ + + for (int i = 0; i < _n_autopilots; i++) { + if (i != _controller_idx) { + /* Some other controller */ + _redundant_status_sub[i].copy(&_status[i]); + + /* Timeout when we haven't received any heartbeats in "timeout_time" */ + + if (hrt_elapsed_time(&_status[i].timestamp) > timeout_time) { + if (!_autopilot_timeout[i]) { + PX4_ERR("Controller %d timed out!\n", i); + } + + 
_autopilot_timeout[i] = true; + } + + /* Recover from timeout when we have received regular heartbeats for the "recovery_count" time */ + if (_autopilot_timeout[i]) { + + if (hrt_elapsed_time(&_status[i].timestamp) < 100_ms) { + autopilot_timeout_hysteresis[i]++; + + } else { + autopilot_timeout_hysteresis[i] = 0; + } + + if (autopilot_timeout_hysteresis[i] >= recovery_count) { + PX4_INFO("Heartbeat from %d recovered\n", i); + _autopilot_timeout[i] = false; + } + } + + } else { + /* This controller */ + _vehicle_status_sub.copy(&_status[i]); + } + } + + /* Copy landed status */ + + _landed_sub.copy(&_landed); +} + +void Redundancy::Run() +{ + update_subs(); + + if (_controller_idx == PRIMARY_FC_IDX) { + manage_primary(); + + } else { + manage_spare(); + } + + if (should_exit()) { + exit_and_cleanup(); + return; + } + + ScheduleDelayed(REDUNDANCY_INTERVAL_US); +} + +int Redundancy::init(int32_t spare_autopilots) +{ + int ret; + int32_t mav_comp_id; + ret = param_get(param_find("MAV_COMP_ID"), &mav_comp_id); + + _controller_idx = mav_comp_id - 1; // - MAV_COMP_ID_AUTOPILOT1 + _n_autopilots = spare_autopilots + 1; // primary + spares + + if (param_get(param_find("FT_DISARM_TO"), &_auto_disarm_min_time) != PX4_OK) { + _auto_disarm_min_time = -1; + } + + if (ret == PX4_OK && _controller_idx >= 0 && _controller_idx <= _n_autopilots) { + + ScheduleNow(); + + PX4_INFO("Redundancy module started"); + + } else { + ret = PX4_ERROR; + } + + /* Initially consider all controllers as timed out */ + + for (int i = 0; i < _n_autopilots; i++) { + _autopilot_timeout[i] = true; + } + + return ret; +} + +int Redundancy::task_spawn(int argc, char *argv[]) +{ + Redundancy *instance; + + int32_t spare_autopilots; + + if (param_get(param_find("FT_N_SPARE_FCS"), &spare_autopilots) == PX4_OK && spare_autopilots > 0 + && spare_autopilots < vehicle_status_s::MAX_REDUNDANT_CONTROLLERS) { + instance = new Redundancy(); + + if (instance) { + _object.store(instance); + _task_id = 
task_id_is_work_queue; + + return instance->init(spare_autopilots); + + } else { + PX4_ERR("alloc failed"); + } + } + + _object.store(nullptr); + _task_id = -1; + + return PX4_ERROR; +} + +int Redundancy::custom_command(int argc, char *argv[]) +{ + print_usage("unrecognized command"); + + return 0; +} + +int Redundancy::print_usage(const char *reason) +{ + if (reason) { + printf("%s\n\n", reason); + } + + PRINT_MODULE_DESCRIPTION( + R"DESCR_STR( +### Description +Background process running periodically to perform redundancy related tasks, +such as arming / disarming redundant FCs and doing fault detection and handling + +The tasks can be started via CLI +)DESCR_STR"); + + PRINT_MODULE_USAGE_NAME("redundancy", "system"); + PRINT_MODULE_USAGE_COMMAND("start"); + PRINT_MODULE_USAGE_DEFAULT_COMMANDS(); + + return 0; +} + +extern "C" __EXPORT int redundancy_main(int argc, char *argv[]) +{ + return Redundancy::main(argc, argv); +} diff --git a/src/modules/redundancy/redundancy.hpp b/src/modules/redundancy/redundancy.hpp new file mode 100644 index 000000000000..0e0eefbb32f1 --- /dev/null +++ b/src/modules/redundancy/redundancy.hpp 
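Review bot: `Redundancy::init` accepts `_controller_idx <= _n_autopilots`, so a `MAV_COMP_ID` one past the configured controllers passes and is then used unchecked as an index into `_status[]` in `send_vehicle_command`, `manage_spare_arming` and `manage_spare_disarming`; the bound should be `_controller_idx < _n_autopilots`. In the same function `ScheduleNow()` is called before the loop that sets `_autopilot_timeout[i] = true`, so the first `Run()` may see the flags still false; the loop belongs ahead of scheduling. When `init` fails, `task_spawn` returns the error with `_object` still holding an instance that is never deleted. `manage_spare_arming` sends the forced arm (21196, which overrides preflight checks) on `_status[PRIMARY_FC_IDX].arming_state` alone, and after a primary timeout the last copied status stays ARMED, so a spare that `manage_spare_disarming` has just disarmed appears to be re-armed on the next cycle. Gating it with `if (!armed && !_autopilot_timeout[PRIMARY_FC_IDX] && ...)` would close that loop.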
@@ -0,0 +1,94 @@
+/****************************************************************************
+ *
+ * Copyright (c) 2024 Technology Innovation Institute. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in
+ * the documentation and/or other materials provided with the
+ * distribution.
+ * 3. Neither the name PX4 nor the names of its contributors may be
+ * used to endorse or promote products derived from this software
+ * without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
+ * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS
+ * OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED
+ * AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
+ * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ *
+ ****************************************************************************/
+
+#pragma once
+
+#include
+#include
+#include
+
+#include
+#include
+#include
+#include
+#include
+
+#define PRIMARY_FC_IDX 0 //MAV_COMP_ID_AUTOPILOT1 - 1
+
+class Redundancy final : public ModuleBase, public px4::ScheduledWorkItem
+{
+public:
+ Redundancy();
+ ~Redundancy() override;
+
+ /** @see ModuleBase */
+ static int task_spawn(int argc, char *argv[]);
+
+ /** @see ModuleBase */
+ static int custom_command(int argc, char *argv[]);
+
+ /** @see ModuleBase */
+ static int print_usage(const char *reason = nullptr);
+
+ /** @see ModuleBase::run() */
+ void Run() override;
+
+private:
+ uORB::Subscription _vehicle_status_sub{ORB_ID(vehicle_status)};
+ uORB::Subscription _redundant_status_sub[vehicle_status_s::MAX_REDUNDANT_CONTROLLERS] {ORB_ID(redundant_status0), ORB_ID(redundant_status1)};
+ vehicle_status_s _status[vehicle_status_s::MAX_REDUNDANT_CONTROLLERS];
+
+ uORB::Subscription _landed_sub{ORB_ID(vehicle_land_detected)};
+ vehicle_land_detected_s _landed;
+
+ uORB::Publication _pub_vehicle_command{ORB_ID(vehicle_command)};
+
+ bool _autopilot_timeout[vehicle_status_s::MAX_REDUNDANT_CONTROLLERS] {};
+ int _n_autopilots;
+ int _controller_idx;
+ int _auto_disarm_min_time;
+
+ int init(int spare_autopilots);
+
+ bool send_vehicle_command(uint16_t cmd, float param1, float param2);
+
+ void force_arm();
+ void force_disarm();
+
+ void update_subs();
+ void manage_primary();
+ void manage_spare();
+ void manage_primary_arming();
+ void manage_spare_arming();
+ void manage_spare_disarming();
+};
diff --git a/src/modules/redundancy/redundancy_params.c b/src/modules/redundancy/redundancy_params.c
new file mode 100644
index 000000000000..1106e8ac91c0
--- /dev/null
+++ b/src/modules/redundancy/redundancy_params.c
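Review bot: `_status[]`, `_landed`, `_n_autopilots`, `_controller_idx` and `_auto_disarm_min_time` are declared without initializers, and `update_subs()` in redundancy.cpp ignores the result of every `copy()`. Until each topic has been published at least once, the arming and landed decisions therefore read indeterminate values (`_status[i].timestamp`, `_status[i].arming_state`, `_landed.landed`). Value-initialising them, e.g. `vehicle_status_s _status[vehicle_status_s::MAX_REDUNDANT_CONTROLLERS] {};` and `vehicle_land_detected_s _landed {};`, makes the start-up state deterministic. `_redundant_status_sub` lists exactly two `ORB_ID`s for an array sized by `MAX_REDUNDANT_CONTROLLERS`, so a `static_assert` tying the constant to that count would catch a later change. `init` is declared here as `init(int)` but defined as `init(int32_t)`, which only matches where `int32_t` is `int`.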
@@ -0,0 +1,44 @@
+/****************************************************************************
+ *
+ * Copyright (c) 2024 Technology Innovation Institute. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in
+ * the documentation and/or other materials provided with the
+ * distribution.
+ * 3. Neither the name PX4 nor the names of its contributors may be
+ * used to endorse or promote products derived from this software
+ * without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
+ * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS
+ * OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED
+ * AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
+ * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ *
+ ****************************************************************************/
+
+/**
+ * Number of spare Flight Controllers in addition to primary one
+ */
+
+PARAM_DEFINE_INT32(FT_N_SPARE_FCS, 0);
+
+/**
+ * Auto-disarm timeout for spare flight controllers (in s). Disable with -1
+ */
+
+PARAM_DEFINE_INT32(FT_DISARM_TO, 4);
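Review bot: The doc comments for `FT_N_SPARE_FCS` and `FT_DISARM_TO` carry no `@min`/`@max`/`@unit`/`@group` tags, so the limits the module enforces are invisible to whoever sets these values from a ground station. `task_spawn` in redundancy.cpp only starts for a spare count greater than 0 and below `MAX_REDUNDANT_CONTROLLERS`, and `manage_spare_disarming` treats any negative `FT_DISARM_TO` as disabled. I would add `@min 0` and the matching `@max` to `FT_N_SPARE_FCS`, and `@min -1` plus `@unit s` to `FT_DISARM_TO`. Both comments should also say that these parameters decide when a spare controller is force-armed or force-disarmed, and that the default of 0 spares means the module does not start.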