So what are people's thoughts on the best way to ensure the sustainer only lights when safe? Obviously a timer is not enough - what about velocity, tiltometer, or altitude lockout?
I was just reading about the CTI accident tonight, which is a sobering reminder that we are participating in an activity that can be dangerous. Two stagers have significantly more issues than single stage rockets, and it is important to consider safety issues at the start of the build and not as an afterthought. Here are some guidelines that I use.
1. Use an altimeter that incorporates an altitude check and not just a timer. There are somewhere around a half-dozen altimeters that can do this. They can help keep the sustainer motor from firing on the pad. And, they can prevent the sustainer motor from firing if the flight is not nominal. Programming the altitude check is not quite as easy as some people think, though, and it is easy to get it wrong. I could provide several examples from my own experience, but my recommendations are to make sure that you understand exactly how your electronics work and to have your setup and underlying simulation reviewed by someone who has done it before.
2. Related to the above, it is also possible to use tilt to inhibit firing of the sustainer. My belief is that the altitude check approach is primarily about safety whereas the tilt check is about staying within the waivered radius. I use an altitude check even if the altimeter provides a tilt check.
3. Use switches to prevent the igniter from firing if the firing circuit activates prematurely. My recent designs use a switch to short-circuit the igniter itself and a second switch to open the circuit between the igniter and the altimeter (or whatever the firing circuit is). This can be done with one switch, but I prefer two. I used to use a shunt only (a switch that shorts out the wires to the igniter). This can provide some protection; however, it is important to recognize that a shunt still allows current to pass through the igniter if the electronics fire. The purpose of the shunt is to reduce that current to below the level that fires the igniter. The current that will pass through the igniter is a function of many things, including the relative wire lengths and gauges, the igniter characteristics, the altimeter design and the type of battery that is used. Thus, a shunt has to be specifically designed and then tested as it would be used. It is not a good idea to use a LiPo or other high-current battery to fire the igniter if you are using a shunt. But again, the best approach is to also physically open the circuit.
4. Do an all-up test of the electronics (ideally) just before setting the rocket on the pad. All of my designs are configured so that I can do an all-up test. In the all-up test, everything is assembled and everything is turned on just as it will be when you arm the rocket, except that the igniter is not inside the motor. This is pretty much your last line of defense against a malfunction. If the all-up test passes, you turn things off, insert the igniter and put the rocket on the pad. There are many design features you might implement in staging that might inadvertently make the all-up test harder to perform. Therefore, it is useful to consider from the start how you will do the all-up test when the time comes.
5. I recommend keeping others away from the pad when it comes time to arm the sustainer. No one has ever actually witnessed me arming a sustainer from closer than a hundred feet or so, and for flights with larger motors, it is further than that. The pic below shows what the pad area looks like when I arm the electronics.
Finally, here's a link to an interesting flight where the N motor in the sustainer ignited upon first motion of the rocket. This would be called dodging a bullet, as it could have as easily lit prior to first motion. Two-stagers are fun, but safety is really important.
https://youtu.be/Jc14BHeuemk
Jim
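The shunt point in item 3 worked as a current-divider calculation; this is an added example, not part of Jim's post, and every component value in it (igniter resistance, no-fire current, battery internal resistances, wire lengths and gauges, switch contact resistance) is a constructed assumption. It shows the same shunt holding the igniter below the assumed no-fire level on a high-internal-resistance battery but not on a LiPo, and that an open series switch leaves no current path at all.

```python
import math

COPPER_RESISTIVITY = 1.724e-8  # ohm*metre, annealed copper at 20 C

def wire_resistance(awg, length_m):
    """Resistance of a copper wire from the standard AWG diameter formula."""
    diameter_m = 0.127e-3 * 92 ** ((36 - awg) / 39)
    area_m2 = math.pi * diameter_m ** 2 / 4
    return COPPER_RESISTIVITY * length_m / area_m2

def igniter_current(v_batt, r_batt, r_channel, r_igniter_branch,
                    r_shunt=None, series_switch_closed=True):
    """Current through the igniter when the firing channel turns on.

    r_shunt=None means no shunt is fitted (or the shunt switch is open).
    """
    if not series_switch_closed:
        return 0.0  # physically open circuit: no path through the igniter
    if r_shunt is None:
        return v_batt / (r_batt + r_channel + r_igniter_branch)
    r_parallel = r_shunt * r_igniter_branch / (r_shunt + r_igniter_branch)
    i_total = v_batt / (r_batt + r_channel + r_parallel)
    # Current divider: the igniter takes the share set by the shunt resistance.
    return i_total * r_shunt / (r_shunt + r_igniter_branch)

# Constructed values for illustration only; measure your own hardware.
NO_FIRE_A = 0.30                                   # assumed igniter no-fire current
R_CHANNEL = 0.10                                   # assumed firing channel + wiring
R_IGNITER_BRANCH = 1.0 + wire_resistance(22, 0.6)  # 1 ohm igniter + 0.6 m of leads
R_SHUNT = 0.03 + wire_resistance(22, 0.2)          # switch contact + 0.2 m of wire
BATTERIES = {"9V alkaline": (9.0, 1.7), "2S LiPo": (7.4, 0.02)}  # (volts, ohms)

def shunt_report():
    """Igniter current with the shunt closed, per battery, vs. the no-fire level."""
    rows = {}
    for name, (v, r_int) in BATTERIES.items():
        amps = igniter_current(v, r_int, R_CHANNEL, R_IGNITER_BRANCH, R_SHUNT)
        rows[name] = (round(amps, 3), amps < NO_FIRE_A)
    return rows

if __name__ == "__main__":
    for name, (amps, below) in shunt_report().items():
        print(f"{name}: {amps} A through igniter, below no-fire: {below}")
```

A calculation like this only screens a design; as the post says, the shunt still has to be tested as it would be used.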