The Crash Checker
Executive Summary
The Crash Check is a software safety mechanism designed to detect if the vehicle is out of control and impacting the ground. If a crash is confirmed, it immediately disarms the motors to prevent damage to the propellers, ESCs, and motors, and to reduce the risk of injury.
Theory & Concepts
1. Disarm Safety Protocol
In the early days of drones, a crash would often lead to a "Fireball" or "Meltdown." This is because the flight controller, sensing it wasn't level, would spin the blocked motors to 100% to try and fix the attitude.
- The Problem: High current into a stalled motor = Fire.
- The Logic: The Crash Checker acts as a Supervisor. It has the power to override the Attitude Controller and the Mixer. It is the "Kill Switch" of the operating system.
2. Time-Averaged Confidence
Why does ArduPilot wait for 2 seconds before disarming?
- The Hazard: Momentary impacts or "bumps" in the air shouldn't kill the power.
- The Math: It uses a Confidence Window. The crash criteria must be met consistently. This prevents "False Disarms" during aggressive flight or hard landings.
Detection Architecture (The Engineer's View)
The logic runs at 400Hz (or main loop rate) inside Copter::crash_check().
It requires ALL of the following conditions to be true for 2 continuous seconds:
- Massive Attitude Error:
- The difference between Desired Angle and Actual Angle exceeds 30 degrees (
CRASH_CHECK_ANGLE_DEVIATION_DEG). - Meaning: The autopilot is commanding "Level", but the drone is tilted > 30 degrees. It has lost control authority.
- The difference between Desired Angle and Actual Angle exceeds 30 degrees (
- IMU Confirmation:
- The vehicle is accelerating at < 3 m/s/s (0.3G).
- Meaning: It isn't pulling a high-G maneuver; it's likely tumbling or stationary on its side.
- Not Landed:
- The Land Detector says we are still "Flying".
Why Disarm?
If the drone is upside down on the ground, the Attitude Controller will try to "flip it over" by applying Max Throttle to the low side.
- Result: The props are blocked by the ground. The motors stall. The ESCs overheat and catch fire.
- Crash Check: Recognizes this futile struggle and kills the power.
Troubleshooting False Positives
- "Crash Disarm" on Landing:
- Scenario: You land hard and bounce. The drone tilts 40 degrees. You jam the throttle down.
- Problem: The Land Detector takes ~1 second to decide "Landed". In that 1 second, the Crash Checker sees a large angle error and Disarms.
- Fix: Improve landing gear or land smoother.
- Acro Mode: Crash check is often disabled or relaxed in Acro to allow for tumbling maneuvers.
Key Parameters
| Parameter | Default | Description |
|---|---|---|
FS_CRASH_CHECK |
1 | 0=Disabled, 1=Disarm, 2=Disarm & Baro Check. |
Source Code Reference
- Logic:
Copter::crash_check()