System Failure Injection

System failure injection allows you to induce different types of sensor and system failures, either programmatically using the MAVSDK failure plugin, or "manually" via a PX4 console like the MAVLink shell. This enables easier testing of safety failsafe behaviour, and more generally, of how PX4 behaves when systems and sensors stop working correctly.

Failure injection is disabled by default, and can be enabled using the SYS_FAILURE_EN parameter.

WARNING

Failure injection still in development. At time of writing (PX4 v1.14):

• Support may vary by failure type and between simulatiors and real vehicle.
• It requires support in the simulator. It is supported in Gazebo Classic
• Many failure types are not broadly implemented. In those cases the command will return with an "unsupported" message.

Failure System Command

Failures can be injected using the failure system command from any PX4 console/shell (such as the QGC MAVLink Console or SITL pxh shell), specifying both the target and type of the failure.

Syntax

The full syntax of the failure command is:

failure <component> <failure_type> [-i <instance_number>]

where:

• component:
  • 传感器：
    • gyro: Gyroscope
    • accel: Accelerometer
    • mag: Magnetometer
    • baro: Barometer
    • gps: Global navigation satellite system
    • optical_flow: Optical flow.
    • vio: Visual inertial odometry
    • distance_sensor: Distance sensor (rangefinder).
    • airspeed: Airspeed sensor
  • Systems:
    • battery: Battery
    • motor: Motor
    • servo: Servo
    • avoidance: Avoidance
    • rc_signal: RC Signal
    • mavlink_signal: MAVLink data telemetry connection
• failure_type:
  • ok: Publish as normal (Disable failure injection)
  • off: Stop publishing
  • stuck: Constantly report the same value which can happen on a malfunctioning sensor
  • garbage: Publish random noise. This looks like reading uninitialized memory
  • wrong: Publish invalid values that still look reasonable/aren't "garbage"
  • slow: Publish at a reduced rate
  • delayed: Publish valid data with a significant delay
  • intermittent: Publish intermittently
• instance number (optional): Instance number of affected sensor. 0 (default) indicates all sensors of specified type.

MAVSDK Failure Plugin

The MAVSDK failure plugin can be used to programmatically inject failures. It is used in PX4 Integration Testing to simulate failure cases (for example, see PX4-Autopilot/test/mavsdk_tests/autopilot_tester.cpp).

The plugin API is a direct mapping of the failure command shown above, with a few additional error signals related to the connection.

Example: RC signal

To simulate losing RC signal without having to turn off your RC controller:

1. Enable the SYS_FAILURE_EN parameter.

2. Enter the following commands on the MAVLink console or SITL pxh shell:

   # Fail RC (turn publishing off)
   failure rc_signal off
   
   # Restart RC publishing
   failure rc_signal ok

Example: Motor

To stop a motor mid-flight without the system anticipating it or excluding it from allocation effectiveness:

1. Enable the SYS_FAILURE_EN parameter.

2. Enable CA_FAILURE_MODE parameter to allow turning off motors.

3. Enter the following commands on the MAVLink console or SITL pxh shell:

   # Turn off first motor
   failure motor off -i 1
   
   # Turn it back on
   failure motor ok -i 1