Safety First: The "Dead Man's Switch"

The Danger of "Stale" Data

In standard GPS operations, a signal doesn't just "cut out" instantly. It fades. As satellites slip behind buildings or trees, the HDOP (Horizontal Dilution of Precision) spikes, and the position estimate starts to wander.

If an external app (like MAVLink GPS) simply stops updating the position but keeps the connection open, the Flight Controller might think the drone is perfectly stationary.

• The Scenario: You minimize the app to check a text message.
• The Result: The app pauses. The last sent coordinate was "Lat: X, Lon: Y". The Flight Controller receives nothing new.
• The Crash: The EKF (Extended Kalman Filter) sees the drone physically drifting (via accelerometers) but the GPS says "Still at X,Y". The EKF fights the IMU, potentially causing a "Toilet Bowl" oscillation or a fly-away as it tries to correct a phantom error.

ArduPilot's Failsafe Logic

ArduPilot is designed to handle a complete loss of signal better than a frozen signal.

1. The 10-Second Rule (GCS Failsafe)

If you are sending data via MAVLink (simulating a Ground Control Station), ArduPilot has a FS_GCS_ENABLE parameter.

• Timeout: 5.0 seconds (default).
• Action: RTL or LAND.
• Problem: 5 seconds is an eternity for an indoor drone. It will hit a wall before this triggers.

2. The EKF Data Gate

The EKF3 is much faster. It monitors the "age" of the GPS data.

• Logic: If GPS_INPUT data is older than ~500ms (variable based on settings), the EKF stops fusing it to prevent state divergence.
• Goal: We want to trigger this immediately when confidence is lost.

The Android Solution: "Kill on Sight"

To align with ArduPilot's safety architecture, MAVLink GPS implements a ruthless "Dead Man's Switch."

1. Foreground Service Necessity

Android destroys background processes aggressively to save battery (Doze Mode). To guarantee real-time delivery:

• The app runs a Foreground Service with a persistent notification.
• This forces the Android Scheduler to treat the GPS thread with the same priority as a voice call.

2. The Screen-Off Kill Switch

If the user turns off the screen or minimizes the app, we cannot guarantee the 10Hz update rate required for stable hover.

• Action: The app proactively closes the USB Serial port or terminates the UDP stream.
• Result: ArduPilot immediately sees a "No GPS" state (not a "Frozen GPS" state).
• Outcome: The drone switches to AltHold (Altitude Hold) or Land instantly, preventing a fly-away. It is safer to drift slowly in AltHold than to violently correct for frozen GPS data.

Best Practice

Never fly with the screen off. Always keep the app in the foreground. If you need to switch apps, land the drone first.

Source Code Reference

• ArduPilot Failsafe: ArduCopter/failsafe.cpp - Logic for GCS and GPS loss handling.
• EKF Fusion: libraries/AP_NavEKF3/AP_NavEKF3_PosVelFusion.cpp - See fusingGPS logic and data age checks.