Redundancy In Rocketry

The Rocketry Forum

"I have two diverse fully redundant systems, separate switches, power source (Even type, though that is a matter of convenience, 9v alkaline and a lipo), altimeters, and charges. I do not believe this added complexity adds any risk, as it is the same process done twice, one altimeter after the other."

You have two diverse systems that wire and program identically - really? Which altimeters are you using?
And again, what validation did you do to make sure they play nice together and actually improve reliability - PRIOR to flying - flying it does not count.

You can't dump two poorly documented and un-tested [as a pair] black box systems together and have a credible claim of improved reliability.....
 
I think that the important thing is to look at the risk from a Boston Square type approach. You focus on high frequency and high consequence failures, and mitigate risk from there.

High consequence failures (likely destruction of rocket, significant risk of injury):
Rocket doesn't separate at apogee

Medium consequence failures:
Drogue doesn't deploy after rocket separates
Main doesn't deploy

High frequency failures:
Altimeter loses power
Ematch failure
Human error in arming/programming altimeter

Low/Medium frequency failure:
Altimeter hardware failure
Ematch fires but black powder doesn't (usually a high altitude problem)
Ejection charge fires but rocket doesn't separate

I realize I'm conflating root causes and frequency of failures here, but it gets the point across. I put a lot more effort into redundancy or other mitigations and "what-if" thinking for apogee charges than I do for main charges. Where a redundant altimeter isn't possible, look for other means of mitigating risk like motor ejection backup, doubling ematches, etc. Doubling the ematches doesn't guarantee against altimeter failure, but it does mostly eliminate ematch failure from the list of possible failures. It adds a risk of overcurrent on altimeter outputs, but that's another entire thread.

Also, risk mitigation doesn't necessarily require redundancy. You can do material testing (trusted ematches and altimeters), rigorous use of checklists, etc.
 
Doubling the ematches doesn't guarantee against altimeter failure, but it does mostly eliminate ematch failure from the list of possible failures. It adds a risk of overcurrent on altimeter outputs, but that's another entire thread.

Also, risk mitigation doesn't necessarily require redundancy. You can do material testing (trusted ematches and altimeters), rigorous use of checklists, etc.

Thanks for the analysis/analogy. Can you explain the technique of doubling ematches, please? I've never seen this before.
 
"I have two diverse fully redundant systems, separate switches, power source (Even type, though that is a matter of convenience, 9v alkaline and a lipo), altimeters, and charges. I do not believe this added complexity adds any risk, as it is the same process done twice, one altimeter after the other."

You have two diverse systems that wire and program identically - really? Which altimeters are you using?
And again, what validation did you do to make sure they play nice together and actually improve reliability - PRIOR to flying - flying it does not count.

You can't dump two poorly documented and un-tested [as a pair] black box systems together and have a credible claim of improved reliability.....

The Telemetrum has a battery input, switch input, main output, drogue output. The Stratologger has a battery input, a switch input, a main output, and a drogue output. Put those on a schematic and they are wired identically.

Both units are tested at the manufacturer, they are not untested. That's like saying the software in your car is untested because it's a black box to you.

They don't play together at all, none of the wiring is in common, hence two fully redundant systems.

On top of that the units were tested by myself as well via the vacuum method. Literally all of your points are wrong.
 
I don't have a one-size-fits-all philosophy. In my bigger, more expensive rockets, I use two altimeters, and I wire up two e-matches in series* per channel/charge. In smaller rockets, I use a single altimeter with two e-matches in series*. For anything that doesn't have room for an AV bay, I use a JLCR or a cable-cutter.

* E-matches are in series so as not to overload the altimeter's current capacity. If the e-match tests good for continuity, it may still fail to ignite. Regardless, it will still conduct the current to the second match. Odds go way up that at least one of the two will ignite. E-matches wired in series double the current draw from the altimeter, which can be a problem.
 
Thanks for the analysis/analogy. Can you explain the technique of doubling ematches, please? I've never seen this before.


You can wire two ematches to the same output either in series or parallel.

Parallel has both ematches wired to each terminal of drogue or main. If one ematch faults 'open', the other should fire. This setup may draw more current though, and if one e-match shorts without igniting, then there's a risk that the other won't light.

Series has one leg of one ematch in each terminal, and the other legs tied/wrapped/soldered together. If one shorts, the other may still fire. Conversely, if one of them faults open, then the circuit is broken. I like the series method for single altimeter rockets because the altimeter continuity check lets me know that current is passing through them. I also use a more powerful battery, so two in series gives me extra insurance against a short frying my stratologger.
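The open/short trade-off described in this post, worked through with Ohm's law as an added example (not from the thread, and not from any altimeter manufacturer). The match resistance, all-fire current, output current limit, wiring resistance and battery internal resistances are constructed assumptions chosen only to make the failure modes visible:

```python
"""Added worked example: two e-matches on one altimeter output, wired in
series or in parallel, under open and short faults. All component values
below are constructed assumptions, not measurements of any real hardware."""
from dataclasses import dataclass

# Constructed assumptions (not data from any real match or altimeter).
R_MATCH = 1.5               # ohms, healthy bridgewire
ALL_FIRE_A = 1.0            # amps through a match that reliably ignites it
OUTPUT_LIMIT_A = 5.0        # amps the altimeter output can survive
R_OUTPUT = 0.1              # ohms, output switch plus wiring
CONTINUITY_MAX_OHMS = 50.0  # above this the altimeter reports no continuity


@dataclass(frozen=True)
class Battery:
    name: str
    volts: float
    r_internal: float       # ohms; a LiPo is far "stiffer" than a 9V alkaline


ALKALINE_9V = Battery("9V alkaline", 9.0, 1.5)
LIPO_2S = Battery("2s LiPo", 7.4, 0.05)

STATE_OHMS = {"ok": R_MATCH, "open": float("inf"), "short": 0.0}


def load_resistance(topology, states):
    """Resistance the altimeter output sees for two matches in the given states."""
    r1, r2 = (STATE_OHMS[s] for s in states)
    if topology == "series":
        return r1 + r2                      # one open match opens the whole loop
    if topology == "parallel":
        if 0.0 in (r1, r2):
            return 0.0                      # a shorted match shunts its partner
        if r1 == r2 == float("inf"):
            return float("inf")
        return 1.0 / (1.0 / r1 + 1.0 / r2)  # 1/inf == 0, so one open leaves the other
    raise ValueError(topology)


def analyze(topology, states, battery):
    """Return continuity, total output current, an overcurrent flag, and whether
    at least one healthy match receives its all-fire current."""
    r_load = load_resistance(topology, states)
    continuity = r_load <= CONTINUITY_MAX_OHMS
    if r_load == float("inf"):
        i_total, v_load = 0.0, 0.0          # open loop: nothing flows
    else:
        i_total = battery.volts / (battery.r_internal + R_OUTPUT + r_load)
        v_load = i_total * r_load           # voltage across the match network

    fired = False
    for state in states:
        if state != "ok":
            continue                        # open or shorted matches never ignite
        if topology == "series":
            i_match = i_total               # same current through both matches
        else:
            i_match = v_load / R_MATCH      # 0 when a shorted partner pins v_load to 0
        fired = fired or i_match >= ALL_FIRE_A

    return {
        "continuity": continuity,
        "i_total": i_total,
        "overcurrent": i_total > OUTPUT_LIMIT_A,
        "fired": fired,
    }


def fault_table(battery):
    """Every topology/fault combination for one battery, as printable rows."""
    rows = []
    for topology in ("series", "parallel"):
        for states in (("ok", "ok"), ("ok", "open"), ("ok", "short")):
            r = analyze(topology, states, battery)
            rows.append((topology, "+".join(states), r["continuity"],
                         round(r["i_total"], 2), r["overcurrent"], r["fired"]))
    return rows


if __name__ == "__main__":
    for battery in (ALKALINE_9V, LIPO_2S):
        print(battery.name)
        for row in fault_table(battery):
            print("  %-8s %-9s continuity=%-5s I=%6.2fA over=%-5s fired=%s" % row)
```

The table reproduces the post's reasoning: a series pair with one open match shows no continuity at the bench check and fires nothing, while a parallel pair with one shorted match still beeps continuity but puts the full battery short-circuit current through the output and leaves the healthy match unlit.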
 
Steve -- in your work, how much TIME and EFFORT was spent designing, reviewing and validating the functionality [both in improved fault tolerance and bug insertion and overall quality] in the HW and SW in those systems? I'm guessing many man-years of "pro's" working the problem.

How's that compare with the collection of parts your average flier puts in their EBay?

A ton, both at the manufacturer's level and at our level before going into production and tweaking afterwards. But the stakes were much higher and we had regulatory requirements from NERC and WECC to comply with. Ours were multi million dollar systems with the potential to cause loss of life and billions of dollars in damages and/or lost productivity.

I look at it this way. My electronics protect my investment in my rocket. If the cost of adding redundancy is close to or more than the potential for loss, then I don't do it.
If my potential for loss is high, then I'll do it. When I do it I keep it simple. Two parallel systems with everything separate. I don't try to get tricky by coordinating them so they don't fire simultaneously or anything like that.



Steve Shannon
 
You can wire two ematches to the same output either in series or parallel.

Parallel has both ematches wired to each terminal of drogue or main. If one ematch faults 'open', the other should fire. This setup may draw more current though, and if one e-match shorts without igniting, then there's a risk that the other won't light.

Series has one leg of one ematch in each terminal, and the other legs tied/wrapped/soldered together. If one shorts, the other may still fire. Conversely, if one of them faults open, then the circuit is broken. I like the series method for single altimeter rockets because the altimeter continuity check lets me know that current is passing through them. I also use a more powerful battery, so two in series gives me extra insurance against a short frying my stratologger.

Thanks for the explanation. I'm currently mourning the loss of a 3" that had flown before yet came in ballistic: tried and tested altimeter (SLCF, flown 5 times previously), fresh Duracell, tightened and checked terminal wiring, clear continuity beeps at the pad, etc etc. I'm not wishing to contradict other more experienced flyers on this thread, but I'm at a loss to explain what happened (the rocket has yet to be found). So wondering if a faulty e-match was the problem. That faint roar-thump isn't something I want to hear again.
Can I ask what sort of battery you use for the series method?
 
Thanks for the explanation. I'm currently mourning the loss of a 3" that had flown before yet came in ballistic: tried and tested altimeter (SLCF, flown 5 times previously), fresh Duracell, tightened and checked terminal wiring, clear continuity beeps at the pad, etc etc. I'm not wishing to contradict other more experienced flyers on this thread, but I'm at a loss to explain what happened (the rocket has yet to be found). So wondering if a faulty e-match was the problem. That faint roar-thump isn't something I want to hear again.
Can I ask what sort of battery you use for the series method?

I use a straight-up 9v alkaline.
 
I think that the important thing is to look at the risk from a Boston Square type approach. You focus on high frequency and high consequence failures, and mitigate risk from there.

Also, risk mitigation doesn't necessarily require redundancy. You can do material testing (trusted ematches and altimeters), rigorous use of checklists, etc.

^This. Otherwise known as an FMEA.

Identify each failure mode (fortunately there are not a lot of them), the possible root causes for each, and a preventative and detection action you can do for each (root cause). This activity, which is not that difficult, will take you a long way to having consistently successful recoveries. It will take you farther than just stuffing 2 altimeters in your rocket....

Let redundancy be an output of this analysis not a substitute for it.
 
The Telemetrum has a battery input, switch input, main output, drogue output. The Stratologger has a battery input, a switch input, a main output, and a drogue output. Put those on a schematic and they are wired identically. Schematically, maybe. But just like a NAND gate looks the same on a schematic, there are dozens of packages and pinouts for a NAND gate. Again, every wire placement is identical? User interfaces identical? Behavior of the SW identical? To the point you can use the other's documentation for wiring and programming? I think not, thus the door is open for pilot error.

Both units are tested at the manufacturer, they are not untested. That's like saying the software in your car is untested because it's a black box to you. But my brake system was tested with the engine management and the AV system, etc. They are tested TOGETHER for system interactions. Ad hoc pairings of altimeters create an untested PAIR - you don't know how the nuances interact.

They don't play together at all, none of the wiring is in common, hence two fully redundant systems.
They are in the same rocket, interacting in that if one affects the flight the other must handle the unexpected change in flight.

On top of that the units were tested by myself as well via the vacuum method. Literally all of your points are wrong.
Literally, none of your points make sense.
 
It's a hobby. Walk to the pad in whatever configuration makes you feel confident of recovery. No need to jump all over each other.
 
It's a hobby. Walk to the pad in whatever configuration makes you feel confident of recovery. No need to jump all over each other.

Rockets crashing into things makes this discussion a bit more complex than that.

Put me in the "one good setup is better than two guesses" camp.
 
Thanks for the explanation. I'm currently mourning the loss of a 3" that had flown before yet came in ballistic: tried and tested altimeter (SLCF, flown 5 times previously), fresh Duracell, tightened and checked terminal wiring, clear continuity beeps at the pad, etc etc. I'm not wishing to contradict other more experienced flyers on this thread, but I'm at a loss to explain what happened (the rocket has yet to be found). So wondering if a faulty e-match was the problem. That faint roar-thump isn't something I want to hear again.
Can I ask what sort of battery you use for the series method?

I use a 7.4V 800mAh 2s Lipo (30C). That Lipo is the reason I looked into series matches in the first place. It has less internal resistance than a 9V and has the possibility of pumping an unhealthy amount of current through the Stratologger in the case of a shorted match. Wiring in series gives me some short protection and a smidge of match redundancy. To mitigate the risk of open circuit, I test the resistance of the match combination and perform an Alt continuity bench test the day before launch.
 
Put me in the "one good setup is better than two guesses" camp.

That's why I say: Know what you fly, fly what you know.
 
Put me in the "one good setup is better than two guesses" camp.

That's why I say: Know what you fly, fly what you know.

I can't really speak with any authority here, my failures are numerous and well documented. Power loss, charge failure, double charges, failed matches, etc. There's a lot that can happen. Some things a second setup would save. Some it wouldn't. Even two full setups have issues. They're in the same bay, so anything that affects one, will likely affect the other. If you're using the same battery holders, or BP out of the same can, packed the same way, there are a bunch of problems that having two of the same thing isn't really protecting you much.

I think the more important discussion is learning how to set up to avoid failures. Not that having two setups is the way to avoid failures. Sure it'll catch some, but banking on the fact that two high-risk setups don't overlap isn't as good as having one low-risk setup. Of course....there's two low-risk setups... ;)
 
Electronics DO NOT FAIL unless you abuse them.

BTW - I too work for a company that designs/builds the avionics that fly aircraft. I'm the avionics lead. We try to be SMART about how we partition systems that can fail and those that can't. Redundancy is NOT the answer....more like a crutch in my mind.

Hmm - BOEING, BELL, Lockheed Martin, Northrop Grumman, Airbus, Embraer, (and McDonnell Douglas & General Dynamics before they were bought out) etc. may disagree with the concept that redundancy is NOT the answer.

Our products go through a large series of tests - vibration, temperature cycling, and test on each and every product.
Most commercial electronics don't go through this level of test.
And I've had radios, TVs, DVRs, phones, remotes, etc. all fail without being abused. Most commercial products are actually meant to fail and be replaced every few years.

Electronics fail all the time.....
 
Hmm - BOEING, BELL, Lockheed Martin, Northrop Grumman, Airbus, Embraer, (and McDonnell Douglas & General Dynamics before they were bought out) etc. may disagree with the concept that redundancy is NOT the answer.

Our products go through a large series of tests - vibration, temperature cycling, and test on each and every product.
Most commercial electronics don't go through this level of test.
And I've had radios, TVs, DVRs, phones, remotes, etc. all fail without being abused. Most commercial products are actually meant to fail and be replaced every few years.

Electronics fail all the time.....
+1.

FredA has been making this same argument for years. He doesn't know what he's talking about. He clearly has not done any reliability analysis or resilient, high-availability equipment and network designs for the Government and critical Comms industries like myself and some others here have done. Ignore him.

 
Whatever..............fly whatever you want................for the sake of the hobby hope you get lucky.
 
Whatever..............fly whatever you want................for the sake of the hobby hope you get lucky.

Fred, what's got you so burnt up about this?

Jesus F. Christ, it's just a hobby.
 
Whatever..............fly whatever you want................for the sake of the hobby hope you get lucky.
I don't understand what potential negative interaction two DD altis on completely separate battery strings w/ different charge cups timed for ~2s intervals could have other than maybe all four charges firing at once.

Is there a specific failure scenario you're worried about?
 
"For the sake of the hobby"


Do you know how many hobbies have multiple deaths a year and are totally unregulated? This argument drives me insane.
 
From just the equipment point of view:

Primary issue would be EMI from one device affecting the other. This could occur due to proximity of the units themselves or via the wires to the charges/batteries.

Due to the differences in the units (Hardware and/or algorithms), while they are set to operate at different times/altitudes they could operate at the same time. With both charges being activated at the same time the rocket could over-pressurize (like - blow up).

Minor risks could be a part from one falling off due to G forces and hitting the other.
Combined heating from the two units could impact operation - although I would think thermal heating from the sun would have a much greater impact.
Mass of one unit versus two would change the resonance frequency of the sled, which could cause a problem.

May be other failure modes.......

Then from the human/operator issue, (which I believe is a bigger concern....)
Having more units means more wiring and complexity, which can lead to erroneous connections (such as accidentally connecting the main charge to the drogue channel).
Different units typically need to be set/programmed differently, which could lead to errors.
And since most units beep out continuity or other info, having 2 units could make hearing one over the other a problem.
 
From just the equipment point of view:

Primary issue would be EMI from one device affecting the other. This could occur due to proximity of the units themselves or via the wires to the charges/batteries.

Due to the differences in the units (Hardware and/or algorithms), while they are set to operate at different times/altitudes they could operate at the same time. With both charges being activated at the same time the rocket could over-pressurize (like - blow up).

Minor risks could be a part from one falling off due to G forces and hitting the other.
Combined heating from the two units could impact operation - although I would think thermal heating from the sun would have a much greater impact.
Mass of one unit versus two would change the resonance frequency of the sled, which could cause a problem.

May be other failure modes.......

Then from the human/operator issue, (which I believe is a bigger concern....)
Having more units means more wiring and complexity, which can lead to erroneous connections (such as accidentally connecting the main charge to the drogue channel).
Different units typically need to be set/programmed differently, which could lead to errors.
And since most units beep out continuity or other info, having 2 units could make hearing one over the other a problem.

These make sense, but pale in comparison to something potentially coming in ballistic. Most of these can be obviated w/ engineering and/or process controls.

I'm not trying to be obtuse, I'm genuinely enquiring because my planned L3 is a strange duck & I want to have solid answers for my choices.
 
One of the main things with redundancy, and it has been stated above, is that everything needs to work together as a system. Whether it is a duplicated system with identical or disparate internals is not that significant.

Studies by the AIAA have shown that spending about 15% of a project budget on Systems Engineering provides the best outcome for the project. The systems engineering people look at how all the systems work together and make sure the designers have not forgotten to consider aspects of the design. FMEAs (both functional and procedural) are usually outcomes from these considerations and help guide the designers along the way. Sometimes the FMEA will show a particular action is required for something that nobody even considered necessary. Other times it shows that nothing needs to be done for something that the engineers originally perceive as a big problem.

If you do a FMEA and any of the Severity Ratings is likely to cause injury or death (9 or 10), it usually prompts action. Those actions usually result in the addition of redundancy or of other systems to mitigate the risk.


To summarise, we can say that it is not a "one size fits all" approach. The best outcome needs to be thought about. No point in relying on dogma.
 
I fly one alt but my rockets are more likely to shred during boost than to come in hot. The only close calls I've had were on the pad from RF triggering deployment charges. Which I would assume to be more likely if I were using two altimeters.
 
From just the equipment point of view:

Primary issue would be EMI from one device affecting the other. This could occur due to proximity of the units themselves or via the wires to the charges/batteries.
While this could be an issue, you would find this in ground testing: with all systems active and setting off real ematches, EMI-wise the system will be very similar to in the air.

Due to the differences in the units (Hardware and/or algorithms), while they are set to operate at different times/altitudes they could operate at the same time. With both charges being activated at the same time the rocket could over-pressurize (like - blow up).

The time frame for the ejection charges is in milliseconds, this is statistically very unlikely to happen. If you throw two darts at a target with 2000 possible locations determined completely at random, what are the chances the two will hit the same spot? Plus this wouldn't even be an even distribution like that, only the overlap time would be possible.

Minor risks could be a part from one falling off due to G forces and hitting the other.
If you mount the altimeters per the instructions (usually 4 4-40 screws) properly, you would have to be pulling serious G's to cause those to fail.

Combined heating from the two units could impact operation - although I would think thermal heating from the sun would have a much greater impact.
Mass of one unit versus two would change the resonance frequency of the sled, which could cause a problem.
Most of these are running processors that are using less than 2 watts, these things will run on tiny batteries for hours. Overheating is not an issue, ambient airflow will be more than enough to prevent heating.

May be other failure modes.......

There are always other failure modes. That's why redundancy is important: a single-point-of-failure system gets increasingly unacceptable as danger from the rocket increases (complexity and size).

Then from the human/operator issue, (which I believe is a bigger concern....)

Having more units means more wiring and complexity, which can lead to erroneous connections (such as accidentally connecting the main charge to the drogue channel).
Different units typically need to be set/programmed differently, which could lead to errors.

These are absolutely the number one cause of errors, the correct solution is to properly checklist and verify working conditions pre-flight.

And since most units beep out continuity or other info, having 2 units could make hearing one over the other a problem.
You should be at the very least able to turn one altimeter on, check it, turn it off, turn the second on and check it then turn the first back on. In my case I turn the stratologger on and wait for continuity beeps, then turn on the Telemetrum and look for my phone to connect and verify continuity.

A proper check listed procedure is how you deal with complexity in setup, not removing redundancy.
 
Wow I did not realize that this was such a contentious issue. My original post stated that I was looking for opinions on how many of you incorporate redundancy into your rockets and how. I was not looking for whether or not you should use redundancy or which system is best and I certainly was not looking to start a semantic argument about the definition of "redundancy." As mentioned in my OP I work in the power industry, more specifically in the field of power system protection and control. Although we incorporate a great deal of redundancy in the power system, ultimately all the choices that are made are some sort of balance between security, dependability and cost. Unlike the aviation industry, which develops and certifies a product to be built in an assembly plant, power system protection has to be engineered specifically for each segment of the system individually. One of the most acknowledged texts on the subject is called "The Art and Science of Protective Relaying", and of the many topics covered one of the most relevant to our hobby is evaluating risk and compromise. Four altimeters with separate bays and charges would likely provide a great deal of security but at a high cost, not to mention space. A single altimeter with no form of back up in a 75lb L3 monster on an N motor would save on cost but would likely compromise dependability. As far as the human being the leading cause of failure, I would have to agree, but both in the hobby and at work I spend a great deal of time developing engineering and procedural controls in an attempt to minimize it.
As far as my opinion goes I believe that I feel most comfortable with two altimeters with separate power sources and charges. I fly the same two altimeters back to back in everything 2.2" and up especially anything that may fly out of sight. I have a pretty solid checklist and by using the same equipment and arming sequence in most of my rockets I feel I have minimized a lot of the human performance issue.
 
Personally my normal HPR configuration is one altimeter (with two charges) for apogee deployment, and two main deployment altimeters (one charge each). If the apogee charge does not go off there is sufficient energy in either of the main charges to kick everything out. Usually there is a separate battery for each altimeter and each pyro. Sometimes I only use one pyro battery for the apogee, as the main altimeters perform the backup function.
 
On smaller projects, I use 1 altimeter. But I use 2 matches per charge.
Such as 38mm airframe with 29mm motor

On large or Xtreme projects, 2 complete stand alone sets of electronics.
Even then I double up on matches for charges, 2 per charge or 8 for 2 altimeters.
2 matches inserted in one charge.

Over the years I have experienced multiple altimeter failures.

2 R-Das
3 G-whiz
3 Ravens
1 Missileworks [55 flights and BP residue corroded solder joints. Showed flight ready, then crapped the bed during flight. My first altimeter.]

All above [except Missileworks] were true failures due to manufacturing or Q control.
Some failed on first flight, even though continuity was ready for flight, others went bad after several flights. Some were just terrible designs [G-Whiz]
I learned a long time ago, always fly a first time altimeter along with a flight proven one. This has paid off several times.

Worst failure was a compound one:
6 inch rocket, PerfectFlite MAWD and R-das.

Apogee total failure;
upon inspection the R-das puked due to bad trace on board, the charge fired when hooked up direct to battery.

The MAWD functioned correctly but match was bad, showed continuity and impedance.
Graph showed voltage drop and firing at apogee.
When the charge was hooked up to the battery, no go.

Since that "perfect storm" I started using 2 matches per charge.
Along the way, I have had battery clips go bad during flight, solder joints from the battery fail, and other mishaps. Having a back-up on board saved the day.

Experience can be a cruel teacher.....if you survive, even crueler if you don't! :smile:
 