System Failure Injection
System failure injection allows you to induce different types of sensor and system failures, either programmatically using the MAVSDK failure plugin, or "manually" via a PX4 console like the MAVLink shell. This enables easier testing of safety failsafe behaviour, and more generally, of how PX4 behaves when systems and sensors stop working correctly.
Failure injection is disabled by default, and can be enabled using the SYS_FAILURE_EN parameter.
Failure injection must also be supported by the current simulator, and the set of supported failures is simulator-dependent.
INFO
PX4 may accept a command to set a particular failure mode even if that mode is not supported by your simulator.
All MAV_CMD_INJECT_FAILURE commands are handled internally by the failure-injection module, which acknowledges each command and republishes the active failures for the sensor/actuator simulators to apply. The failure-injection module NACKs the command with MAV_RESULT_UNSUPPORTED for failure combinations that are not implemented by PX4 or any simulator. However, the module accepts (responds with MAV_MISSION_ACCEPTED) any other failure type, even if it is not supported by your particular simulator.
Failure System Command
Failures can be injected using the failure system command from any PX4 console/shell (such as the QGC MAVLink Console or SITL pxh shell), specifying both the target and type of the failure.
Syntax
The full syntax of the failure command is:
```sh
failure <component> <failure_type> [-i <instance_number>]
```
where:
- component:
  - Sensors:
    - gyro: Gyroscope
    - accel: Accelerometer
    - mag: Magnetometer
    - baro: Barometer
    - gps: Global navigation satellite system
    - optical_flow: Optical flow
    - vio: Visual inertial odometry
    - distance_sensor: Distance sensor (rangefinder)
    - airspeed: Airspeed sensor
  - Systems:
    - battery: Battery
    - motor: Motor
    - servo: Servo
    - avoidance: Avoidance
    - rc_signal: RC signal
    - mavlink_signal: MAVLink data telemetry connection
- failure_type:
  - ok: Publish as normal (disable failure injection)
  - off: Stop publishing
  - stuck: Constantly report the same value, as can happen on a malfunctioning sensor
  - garbage: Publish random noise, which looks like reading uninitialized memory
  - wrong: Publish invalid values that still look reasonable (not "garbage")
  - slow: Publish at a reduced rate
  - delayed: Publish valid data with a significant delay
  - intermittent: Publish intermittently
- instance number (optional): Instance number of the affected sensor. 0 (default) indicates all sensors of the specified type.
INFO
The simulated GPS (SITL) implements only the off, stuck, and wrong failure modes; the other failure types have no effect on it.
MAVSDK Failure Plugin
The MAVSDK failure plugin can be used to programmatically inject failures. It is used in PX4 Integration Testing to simulate failure cases (for example, see PX4-Autopilot/test/mavsdk_tests/autopilot_tester.cpp).
The plugin API is a direct mapping of the failure command shown above, with a few additional error signals related to the connection.
Example: GPS
To test the GPS failsafe by stopping GPS:
1. Enable the SYS_FAILURE_EN parameter.
2. Enter the following commands on the MAVLink console or SITL pxh shell:

```sh
# Stop GPS publishing
failure gps off

# Restart GPS publishing
failure gps ok
```
Example: Motor
To stop a motor mid-flight without the system anticipating it or excluding it from allocation effectiveness:
1. Enable the SYS_FAILURE_EN parameter.
2. Enable the CA_FAILURE_MODE parameter to allow turning off motors.
3. Enter the following commands on the MAVLink console or SITL pxh shell:

```sh
# Turn off first motor
failure motor off -i 1

# Turn it back on
failure motor ok -i 1
```
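The following Python helper is an added example, not code from the PX4 project or its documentation. It encodes the `failure` command syntax from the Syntax section, the SITL GPS note (only off, stuck and wrong take effect), and the inject-then-restore pattern of the two examples above, so that a test harness can compose and validate commands before sending them over a console. The component, failure-type and instance names come from the page; the function names (`parse_command`, `sitl_will_apply`, `scenario`) and the treatment of `ok` as always applicable are assumptions of this example.

```python
"""Compose and validate PX4 `failure` console commands (added example,
not part of PX4). Only the syntax and the SITL GPS note from the page are
encoded; everything else is an assumption of this example."""
from dataclasses import dataclass

# Components and failure types from the `failure` syntax section.
SENSORS = {"gyro", "accel", "mag", "baro", "gps", "optical_flow",
           "vio", "distance_sensor", "airspeed"}
SYSTEMS = {"battery", "motor", "servo", "avoidance", "rc_signal",
           "mavlink_signal"}
COMPONENTS = SENSORS | SYSTEMS
FAILURE_TYPES = {"ok", "off", "stuck", "garbage", "wrong", "slow",
                 "delayed", "intermittent"}
# The page states the SITL GPS implements only off, stuck and wrong;
# `ok` is included here because it only disables injection (assumption).
SITL_GPS_SUPPORTED = {"ok", "off", "stuck", "wrong"}


@dataclass(frozen=True)
class Failure:
    component: str
    failure_type: str
    instance: int = 0  # 0 = all instances of the component (page default)

    def to_command(self) -> str:
        """Render as the console command, e.g. `failure motor off -i 1`."""
        cmd = f"failure {self.component} {self.failure_type}"
        if self.instance != 0:
            cmd += f" -i {self.instance}"
        return cmd


def validate(f: Failure) -> Failure:
    """Reject anything outside the documented syntax before it reaches PX4."""
    if f.component not in COMPONENTS:
        raise ValueError(f"unknown component: {f.component}")
    if f.failure_type not in FAILURE_TYPES:
        raise ValueError(f"unknown failure type: {f.failure_type}")
    if f.instance < 0:
        raise ValueError("instance must be 0 (all) or a positive index")
    return f


def parse_command(line: str) -> Failure:
    """Parse `failure <component> <failure_type> [-i <instance_number>]`."""
    tokens = line.split()
    if len(tokens) < 3 or tokens[0] != "failure":
        raise ValueError(f"not a failure command: {line!r}")
    instance = 0
    options = tokens[3:]
    if options:
        if len(options) != 2 or options[0] != "-i":
            raise ValueError(f"bad options: {' '.join(options)}")
        instance = int(options[1])
    return validate(Failure(tokens[1], tokens[2], instance))


def sitl_will_apply(f: Failure) -> bool:
    """True if the SITL simulator actually applies the failure.

    PX4 ACKs any valid failure type, so an unsupported one fails silently;
    only the GPS restriction is documented on the page, and every other
    component is assumed supported here.
    """
    if f.component == "gps":
        return f.failure_type in SITL_GPS_SUPPORTED
    return True


def scenario(component: str, failure_type: str, instance: int = 0) -> list[str]:
    """Build an inject/restore command pair, mirroring the worked examples,
    so a test run never leaves a failure active on the vehicle."""
    inject = validate(Failure(component, failure_type, instance))
    if not sitl_will_apply(inject):
        raise ValueError(f"{inject.to_command()} would be ACKed by PX4 but "
                         "has no effect on the SITL GPS; use off, stuck or wrong")
    restore = Failure(component, "ok", instance)
    return [inject.to_command(), restore.to_command()]


if __name__ == "__main__":
    # Reproduces the GPS and motor examples from this page.
    for cmd in scenario("gps", "off") + scenario("motor", "off", instance=1):
        print(cmd)
```

The `scenario` check matters because, as the INFO note says, PX4 acknowledges failure types the simulator does not implement; a test that injects `failure gps slow` in SITL would pass with the GPS still working and prove nothing about the failsafe.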