Redundancy In Rocketry

The Rocketry Forum

From just the equipment point of view:

Primary issue would be EMI from one device affecting the other. This could occur due to proximity of the units themselves or via the wires to the charges/batteries.
While this could be an issue, you would find this in ground testing. With all systems active and setting off real ematches, EMI-wise the system will be very similar to in the air.
Agree you should find it during ground test. There is a remote possibility that wires could shift under G forces and cause a problem but probably unlikely

Due to the differences in the units (Hardware and/or algorithms), while they are set to operate at different times/altitudes they could operate at the same time. With both charges being activated at the same time the rocket could over-pressurize (like - blow up).

The time frame for the ejection charges is in milliseconds; this is statistically very unlikely to happen. If you throw two darts at a target with 2000 possible locations determined completely at random, what are the chances the two will hit at the same spot? Plus this wouldn't even be an even distribution like that, only the overlap time would be possible.
Again agree. I'm not sure about the exact timing of the pressure wave to the separation of the body/nosecone. My gut says to get the parts moving, including breaking shear pins may take more than a few milliseconds. And one altimeter I have only gives you the option for a 1 sec delay, not 2. But still probably remote.

Minor risks could be a part from one falls off due to G forces and hits the other.
If you mount the altimeters per the instructions (Usually 4 4-40 screws) properly you would have to be pulling serious G's to cause those to fail.
I was more thinking of a large storage cap, such as on a Raven, tearing off due to G forces. I know it is suggested to epoxy it to the card if you are going to hit high G's. I don't know if other units could have a similar issue.

Combined heating from the two units could impact operation - although I would think thermal heating from the sun would have a much greater impact
Mass of one unit versus two would change the resonance frequency of the sled which could cause a problem.
Most of these are running processors that are using less than 2 watts, these things will run on tiny batteries for hours. Overheating is not an issue, ambient airflow will be more than enough to prevent heating.
I did say this was a minor risk and just sitting in the sun is a much bigger impact

May be other failure modes.......
There are always other failure modes. That's why redundancy is important; a one point of failure system gets increasingly unacceptable as danger from the rocket increases (complexity and size).
Agreed - that's why I will typically use 2 different altimeters, switches, power sources and 3 e-matches (see previous post to this thread)

Then from the human/operator issue, (which I believe is a bigger concern....)
Having more units means more wiring and complexity which can lead to erroneous connections (such as accidentally connecting the main charge to the drogue channel).
Different units typically need to be set/programmed differently which could lead to errors.
These are absolutely the number one cause of errors, the correct solution is to properly checklist and verify working conditions pre-flight.
ABSOLUTELY - but I still once cross wired the drogue and main - hey - I'm human. It meant a longer walk but the rocket had a safe recovery

And since most units beep out continuity or other info having 2 units could make hearing one over the other a problem
You should be at the very least able to turn one altimeter on, check it, turn it off, turn the second on and check it then turn the first back on. In my case I turn the stratologger on and wait for continuity beeps, then turn on the Telemetrum and look for my phone to connect and verify continuity.
One of my units allows me to set the "beep" to either a low or high tone. I am able to set it to be different from the other and I can discern which is which

Bottom line - you can run into issues either way - with or without redundancy
Process, such as check lists can help minimize the human errors (but not totally eliminate them)
Redundant systems can help with both equipment failures (bad FET, wire, weak battery, whatever) and in some ways can HELP the human error. You may make a mistake on one system that prevents it from operating correctly. But hopefully you don't make 2 mistakes, one on each system.

I strongly believe in a redundant system - as I've stated - 2 different altimeters, 2 different power sources, 2 different switches PLUS using 3 e-matches.

I will admit I plan to build a 38mm min diameter rocket, and there just isn't the space for a tracker and 2 altimeters. I will probably use my Raven to make use of its backup, but I have to admit I am concerned by the lack of redundancy since I have a single point failure for the altimeter system
 
From personal experience I can state that all the redundant electronics won't help you if you forget to attach a quicklink.

Solution: Don't chat with spectators while you are prepping a rocket.
 
I use a 7.4V 800mAh 2s Lipo (30C). That Lipo is the reason I looked into series matches in the first place. It has less internal resistance than a 9V and has the possibility of pumping an unhealthy amount of current through the Stratologger in the case of a shorted match. Wiring in series gives me some short protection and a smidge of match redundancy. To mitigate the risk of open circuit, I test the resistance of the match combination and perform an Alt continuity bench test the day before launch.

Thanks.
 
+1 for FMEA. +1 for pre-flight checklist.

I run two independent setups in any rocket 54mm diameter or more: Battery, altimeter (different manufacturers, if possible), one charge for main and one for drogue. I tend to be extremely detail-oriented, so this works well for me.

In my 38mm rocket, I am only able to manage one set. I haven't tried using dual charges, but may investigate, based on this thread.

I have replaced deployment transistors on two separate altimeters due to failures identified prior to flight. These altimeters initially tested OK, but died at some point between flights. Components do fail, from time to time, but it's not common.

My greatest concern regarding deployment is ballistic return of the rocket. This is to be avoided at all costs, even if it costs the rocket. Most other failures will result in non-ideal flight profile, or even sky-writing due to early separation, but rockets/parts are replaceable, people are not. Blow it out or blow it up. (I tend to replace parachutes and Nomex with some frequency)

This is not to say that I've never had failures. My first L3 cert attempt came in hot, but not quite ballistic, after the NC separated, but redundant cable cutters on the main failed to sever the restraint (traced to a marginal amount of BP or possibly bad/wet BP). My only ballistic recoveries, to date - knock on wood - have been on a motor-eject, single deployment rocket (a Jart - life is ironic, isn't it?).

YMMV. Simplify where possible. Learn from your mistakes. Learn from the mistakes of others. Prepare ahead of time and watch out for "go-fever". If something isn't cooperating, better to fix it properly at home than to try to jury-rig something in the field.

my :2:
 
I think I might be able to see a bit of Freda's reasoning behind his position. (Or I totally missed the mark)

If he considers redundancy at its most basic to be "Throw two altimeters in there and hook them up to charges" with no extra consideration, planning, or risk mitigation, then he could be correct: redundancy alone won't help you out and could leave more room for mistakes. An attitude of "I did redundancy so I'm safe".

When I had to set up the redundant ebay for my 1st IREC rocket (35 lbs loaded on an M), I was googling and researching like crazy to find the failure modes and mitigation methods that could lead us to success because that was the first time any of us had touched dual deployment altimeters. Our team definitely couldn't afford some multitronix super altimeter system to solve all our problems (and the competition required redundancy lol)

My hope is that whoever does approach redundancy with such a cursory attitude will be caught before they do something dangerous, talked through improvements, and (even better) get in touch with a mentor or resources that can help them execute their flights properly.

Not everyone has the rocket budget for intelligent 4-channel wonder boards.
I'd argue that a well thought out (and verified) set of two little sport altimeters with secure mountings and batteries, a simple male-female connector scheme to prevent main@drogue incidents, and necessary ematch setup (for once I'm in crazy jim's camp) can be just as effective and reliable.

One good setup is better than two guesses? Absolutely. But what guarantees your one setup isn't a guess either? The cost of your toy? I don't buy it.
Redundancy isn't "Well, I don't know if this one will work, I better put another one in." If you know someone like that, find them and help them to improve!
Redundancy should be "I'm pretty confident this altimeter setup will bring my rocket down safely, but I will install another one as well Because Crap Happens!"
 
For those wondering about doubling up on matches.......
Twist wires from both together, & tape around metal part of 1 match head.....stick both into charge/holder.

I assume this does not take into account something like series-wired ematches where one goes open (similar for shorted case as well) and causes the other not to fire?
 
Hi Guys,

Being an instrument rated pilot I am very familiar with redundant systems. One of the reasons that aircraft cost so much today is the fact that the FAA has a very complicated certification system for any equipment or avionics that go into a certified aircraft.

Even with all of the FAA's rigorous testing and certification procedures I have had $15,000 avionics boxes fail in IMC, flying in the clouds. If expensive certified avionics can fail, what can we expect from hobby grade electronics that cost anywhere from fifty to a few hundred dollars?

We are lucky that we have so many manufacturers making a wide range of very reliable inexpensive altimeters. Nevertheless I think that it only makes common sense to double up on everything. I fly with two Missile Works RRC3's with separate batteries, switches, ematches, and charges on everything high power.

With a little effort you can figure out how to stuff a lot of avionics into a small space. The Wildman 3" two stage high power kit that I am currently building only has a 9" 54 mm AV Bay in the booster. With some advice and suggestions from members of this forum I was able to fit the following electronics into that small 54 mm Bay. Two Missile Works RRC2 altimeters, one Missile Works RTx GPS Tracker, two nine volt batteries, one 750 ma LiPo battery, and one rotary switch. The two altimeters just have externally mounted twisted wires in place of switches.

Safety is the main concern. Another concern is the amount of time and work we all spend building these high power rockets. Isn't it worth a little more effort and expense so that you can be sure to get your rocket back in flyable condition?

Tim at Apogee produced a very long series of videos demonstrating his build of a MadCow Level 2 rocket kit. The videos are a great instructional aid for anyone new to this sport. I give Tim a lot of credit. The video demonstration flight was a failure. Tim didn't erase the failed flight video. Tim made another video that showed how an electrical wire strap had broken in flight. This allowed the battery to break loose. The battery pulled the power lead out of the altimeter. Thus there was no main parachute charge to deploy the main. The rocket crashed. A second altimeter in this large 4" kit would have saved the day.

All the best,
Bob
 
If expensive certified avionics can fail, what can we expect from hobby grade electronics that cost anywhere from fifty to a few hundred dollars? Bob

You can expect higher reliability from "hobby grade" electronics because they are an order of magnitude or 2 simpler in complexity and component count and use the same components as the expensive certified avionics (just a few hundred or thousand less of them).
 
I came on this thread with 69 posts already. I didn't read every one completely, but I scanned enough to see that there is a big difference of opinion on what is safe and what is less safe and strong opinions on how much safety is acceptable. I think a ballistic recovery is a SAFE recovery if it occurs in an area away from people when you plan and set up your launch to have ballistic recovery occur in those areas.

I don't have actuary type numbers, but rocketry is a hobby that is much safer than most. The safe distance tables and basic safety practices of always angling pads away from spectators along with the fact there aren't large crowds of spectators at most launches make launches inherently safe based on historic injury data. Even if there are ballistic recoveries, the chance of injury is very small because of the method of operation at a launch. Add to that the reliability of a single altimeter and commercial matches and the life/personal injury safety of rocket launches is very very high. Probably much safer to be at a launch than driving to or from a launch!

So my question is, what do all the redundant altimeters, e-matches, etc. actually gain you when it comes to safety of a launch? Yes, the idea of someone laying dead in the parking area with a rocket through their chest is a horrible thought, but if that is what is scaring you, then you should never get behind the wheel of a car and be driving on the roads either because the chance of causing a death or dying there is likely higher.

I tend to agree with Fred A on this subject. Fly what you are familiar with and can operate correctly and then follow all the other safety practices like safe distances, pad angles, warning horns, etc. I believe those will add much more to reducing the chance of not injuring someone than redundant electronics will.

Now, if you want to increase the chance of not losing your expensive rocket, that is a completely different discussion. That is the difference between a successful chute deployment and a lawn dart 1000 ft out past the away cell. Both are non-personal injury (safe) recoveries, but one costs you money and the other doesn't.

From what I'm seeing on this thread, that seems to be the difference in opinions that is going on here. One side doesn't see any significant increase in personal safety with all the redundant setups (they are probably right) and the other is seeing benefit that isn't based on personal safety (and they are right too). It's all in how you couch the question.
 
Don't be fooled or provide sympathy, FredA is dead wrong. I posted a dependency diagram (https://en.m.wikipedia.org/wiki/Reliability_block_diagram) like a decade ago comparing single vs dual deploy scenarios illustrating the vastly superior second scenario. FredA either chose to ignore it or didn't understand it. I will try to find it, or heck, redo the analysis for one or two of our newer altimeters.

 
I usually fly 2 altimeters not because I don't trust the electronics, it's because I don't trust me.... :wink:
 
I assume this does not take into account something like series-wired ematches where one goes open (similar for shorted case as well) and causes the other not to fire?

Series or parallel on the ematches Jim? Kurt


I run them parallel, 2-per-charge. Using 9v or 3.7 Lipo's. Seeing that I do use 4, for both Apogee/Main, I worry not about match failure, and that leaves pretty much my own user error. I am guaranteed a success rate of 99.999 % or 1 in almost 2 million.

Over time...Missile Works RRC3/RRC2-Adept 22-Stratologger 100/CF's--TeleMega--R-Das, all function fine.

I saved that match failure document from a lengthy thread some time ago that dealt with matches in great depth.
Included in the thread were posts specifying running matches in series was the best way to go & the juice travels so fast, they would all fire, even 10 in series.

You will have to find that thread to decide for yourselves how the chart was meant relative to series/parallel. I just do what has worked for me, without fail for many years & thought some of you might enjoy data as to failure rates.
 
Series or parallel on the ematches Jim? Kurt

I wire my 2 e-matches in parallel for the Adept22 that I have in my Intimidator 3. I have not experienced an issue. All other DD rockets that I fly (4" and larger), I use redundant altimeters. With smaller and cheaper altimeters being available, I plan to use dual altimeters in future builds. My "go to" set up is to use a mechanical switch (like a Schurter) on the primary and use a wi-fi switch or Quantum (Eggtimer) for the backup. I have 2 rockets that use dual Schurter switches. I have a couple of magnetic switches that I have in my electronics box that I have yet to put into service.
 
From personal experience I can state that all the redundant electronics won't help you if you forget to attach a quicklink.

Solution: Don't chat with spectators while you are prepping a rocket.

Ditto: https://www.youtube.com/watch?v=3JRnwRA6Wx0

How the upper bay with the main chute didn't zipper is beyond me. I glassed the kink and the rocket still flies. Kurt
 
Whatever..............fly whatever you want................for the sake of the hobby hope you get lucky.

Ummmmm. Fred is right. If the first time you test something is the first time you fly it you don't know what the hell is going to happen. RF interference? Interference between two dissimilar devices? You don't know unless it's flown.
I've been bit myself and afterwards I realized I might have been able to avoid a problem with an all up ground test with all the electronics on with contained ematches and the other situation as drogue deployment on ascent with a rocket that was definitely subsonic and a Mach delay of 5 seconds was chosen anyways. No way to know there but the flight was concluded safely as the main event occurred and the rocket came in "safe".

My sentiments exactly when discussing shunts for staging "protection". I contend unless one tests a setup you don't know whether or not it's fail safe. I didn't say it "wouldn't" work but if you don't prove it, it's an empty promise.
Some real smart people started talking about a scientific way of being certain a shunt would do the job it's supposed to do. I found that refreshing.

Bottom line is in my book, if it can make a big hole, redundancy is good especially if you already know the chosen electronics play well together. I'm not going to put two deployment devices in a 38mm minimum diameter bird but two ematches on each channel might be a decent idea. Kurt
 
Don't be fooled or provide sympathy, FredA is dead wrong. I posted a dependency diagram (https://en.m.wikipedia.org/wiki/Reliability_block_diagram) like a decade ago comparing single vs dual deploy scenarios illustrating the vastly superior second scenario. FredA either chose to ignore it or didn't understand it. I will try to find it, or heck, redo the analysis for one or two of our newer altimeters.


I think what Fred is trying to get across is that your diagram only looks at parts reliability. He is saying the user knowledge, skill, and experience, or lack thereof, can be a much bigger contributor to system failure than component failure rates and that it becomes a bigger and bigger factor the more complicated the system and the less experience the user has of the system. A single altimeter with single matches will be less reliable than dual altimeters of different brands and dual matches based on component fail rates and the dependency diagrams. But if the user has flown the single altimeter setup 50+ times and never flown the dual altimeter system or used those brands of altimeters, the chance of a user mistake that could cause a failure is much, much higher on the dual altimeter setup. Possibly making the chance of failure of the redundant system higher than the chance of failure on the single system. Your dependency diagrams do not take human factors into account. It is usually the human factor that causes issues.

My point on this whole single vs. redundant debate is, how much does the higher component reliability of the redundant really get you? It will improve your chance of not damaging your rocket during flight, but is there really much improvement of the safety or reduction in the risk of someone being injured? If using the safe launch distances, tilting away from spectators, etc. give you a 1:1,000,000 chance of causing an injury with a single altimeter setup, what do you get with the redundant system? 1:1,000,010?

The personal safety is primarily in the safe distances and range operations, not the rocket hardware.

If you want to do redundant hardware to increase chances of non-damaging recovery, fine, but to say it is to decrease the chance of someone being injured, then you're only talking a very small decrease in risk. Kind of like reducing your chance of winning the Powerball lottery by only buying one ticket instead of two.
 
Yes, with a redundant setup, there is twice the risk of a single failure happening. However, the point of a redundant system is that a single failure will not affect the outcome of the recovery.
 
Yes, with a redundant setup, there is twice the risk of a single failure happening. However, the point of a redundant system is that a single failure will not affect the outcome of the recovery.

Unless the single failure is an early deployment which rips apart your laundry..... 2 altimeters doubles the probability of that failure mode :wink:
 
I have to respectfully disagree with handeman. Level 1 & Level 2 ratings should have taught flyers how to properly use an altimeter. The use of a secondary altimeter system in no way reduces the effectiveness of the first altimeter. Systems fail. The use of a totally redundant system, altimeter, switch, battery, ematch and charge totally eliminates a single point failure in a one altimeter setup.

If user error caused the failure, the user might not have duplicated their mistake on the second unit. In any event the second unit does no harm. Every launch that I have attended has one or more rockets drift over the spectator line. That is why a fog horn is used for a warning. The distance and angle setup rules certainly help. However there is no way anyone can say that a redundant system doesn't increase safety. Safety may only be increased by a small amount but it is increased.

Has anyone ever been in court? An attorney will grill a flyer for not using the safest possible methods if there ever is an accident. This will increase everyone's insurance costs.

Using redundant systems hurts no one. It increases safety even if it is only by a small amount. Redundancy may keep attorneys in check. Redundancy certainly increases your chance of getting your rocket back in one piece. Why wouldn't anyone take advantage of it?

All the best,
Bob
 
Unless the single failure is an early deployment which rips apart your laundry..... 2 altimeters doubles the probability of that failure mode :wink:

That is true, however that failure mode will still prevent the single most dangerous event we are trying to avoid recovery-wise: a ballistic recovery.
 
I have to respectfully disagree with handeman. Level 1 & Level 2 ratings should have taught flyers how to properly use an altimeter. The use of a secondary altimeter system in no way reduces the effectiveness of the first altimeter. Systems fail. The use of a totally redundant system, altimeter, switch, battery, ematch and charge totally eliminates a single point failure in a one altimeter setup.

If user error caused the failure, the user might not have duplicated their mistake on the second unit. In any event the second unit does no harm. Every launch that I have attended has one or more rockets drift over the spectator line. That is why a fog horn is used for a warning. The distance and angle setup rules certainly help. However there is no way anyone can say that a redundant system doesn't increase safety. Safety may only be increased by a small amount but it is increased.

Has anyone ever been in court? An attorney will grill a flyer for not using the safest possible methods if there ever is an accident. This will increase everyone's insurance costs.

Using redundant systems hurts no one. It increases safety even if it is only by a small amount. Redundancy may keep attorneys in check. Redundancy certainly increases your chance of getting your rocket back in one piece. Why wouldn't anyone take advantage of it?

All the best,
Bob

I don't disagree with what you say about redundant systems adding to safety. That is a given.
What I don't like is the perceived attitude some posters put across that anyone who doesn't use redundant altimeters is somehow being reckless and disregarding safety. That is certainly not the case. I believe the safety of spectators of a single altimeter flight is so close to the safety of a redundant system to be insignificant.

As for court, I've never heard of any rocket flier ever being in court because of a rocketry accident. It certainly could have happened, but I've never heard of one. I think you are very much more likely to be in court explaining why you didn't see the car or motorcycle and turned left in front of it or some similar reason you caused an accident.

As for L1 & L2 teaching fliers how to use altimeters, I don't think you can make that assumption. The only requirement for use of altimeters is in L3 and Tripoli requires only one successful electronic deployment flight at L2 before doing L3. Agreed, most fliers do altimeter flights in L2, but that might drop with the availability of the JLCR. Which from comments on this forum seems to be much more susceptible to user error than altimeters.
 
Ah, the chute release!

Biggest failure mode is forgetting to turn it on!
Quickly followed by not folding the chute properly.
 
Ah, the chute release!

Biggest failure mode is forgetting to turn it on!
Quickly followed by not folding the chute properly.

At SouthernThunder 2008 my first attempt at TRA L3 ended in failure due to an improperly folded chute... Got more direction from my TAP member that evening, and aced the flight the following day!
 