Revision to Tripoli Rule Regarding Wireless Remote Switches

If my job was setting explosives in a building I would insist the ignition system be totally electrically dead (zero potential energy). I would never accept my safety or others' safety to depend on a properly operating PN junction, firmware, construction quality and the use history of the live electronics. But hey, that's just me.
 
In the 'management of change' sense, I think the board announcement leaves a bit to be desired. We're not factory drones, we will attempt to read between the lines. With no detailed justification, that's a lot of blank lines to be second guessing. If you don't have a 'something happening' in mind, then how do you know you are acting in the right direction?

I assembled my Protons anticipating that I might want to add a deployment battery someday, and I reckoned that I'd rather have pins to connect to than unsoldering/resoldering when the time came. The headers Cris uses happen to -just- fit the holes for B+/DP+. So I currently fly with a simple push jumper (same as the selection jumpers on a Quark) shorting the pins. I have a box of header parts, so it's easy for me to wire up a pigtail that goes on those pins and serves as a switch - though I'll likely twist/tape instead of putting in an actual switch.

I can’t help that you read between the lines, but it doesn’t seem to me to be smart for me to add more lines for you to read between.

That’s a smart use of the header!
 
No, they are not.
As I recall, when power is applied to the featherweight switch it defaults to power on, which may not be a good idea. I had to have a magnet ready to turn it off. Plus one can't store the connected battery to a featherweight as it draws a low amount of current even in the off position, so the battery will die over time. I thought the TRS defaults to off when power is applied and can only be armed by the transmitter? Perhaps Cris might comment. I've set up MD rockets switchless with a TRS and in standby mode there is nothing beeping or indicating power on.

Oooops, Never mind. I missed #23 above. Kurt
 
General question- has a formal fault analysis ever been done on hobby rocketry? I'm thinking of something like an FMEA or other statistical analysis tool.

I'm thinking of the NAR report from about a decade ago where the biggest failure mode is "no chute" or something similar. Based on my personal observations, this is probably the same for today.

Which leads me to thinking- "No chute" is a potentially more dangerous failure because it's more unpredictable... rocket is moving faster and its location is somewhat unknowable. Whereas charges going off, unplanned ignition happens on the pads or at the RSO, where most people are at least aware of the rocket's location.

I'm also thinking about- more rules = more likely someone will forget to do something or do it incorrectly. So in this case, we could risk "electronics are safe on the pad, but not armed correctly".. and create a new problem while trying to solve an old one.

The safety reports that Dr. Jay Apt did for NAR are all I know of. I agree that failed recovery is a problem. This added rule only affects people who have adopted wireless remote switches, but it should also be obvious if you don’t have the battery connected; the wireless remote switch won’t be available. It’s not as if you can enable the wireless remote switch but forget to connect the battery.
 
It’s not as if you can enable the wireless remote switch but forget to connect the battery.

If you are now switching a second battery for deployment power, or using a switch to power the deployment side while the microprocessor side is already up and running (like the Quantum or Proton) then this is -exactly- the new failure mode that's been introduced.
 
If my job was setting explosives in a building I would insist the ignition system be totally electrically dead (zero potential energy). I would never accept my safety or others' safety to depend on a properly operating PN junction, firmware, construction quality and the use history of the live electronics. But hey, that's just me.
Sort of along the same lines, for staging, I use a WiFi "switch" to provide switched power into another altimeter (let's say an EasyMega) in combination with an igniter shunt or a disconnect. I'm OK with powering up the wifi switch with the rocket horizontal because I can verify that the EasyMega doesn't turn on. After raising the rocket, I can "arm" the wifi switch and verify that the EasyMega boots up correctly. Finally, I arrange so that the shunt or disconnect can be removed or closed from the ground or on first motion of the rocket. (My magnet shunt was an example of exactly this approach)

I am much less comfortable with the idea of a WiFi switch when turning on the power to the WiFi switch also powers up the staging electronics. I'll mention the Telemega as an example, and perhaps some of the Eggtimer products (although I don't know the specifics of their design). If Tripoli is saying that such "combination" electronics are OK, and that the disconnects to the igniter can be closed prior to raising the rocket, then I would say this is a glaring oversight. It may have been a glaring oversight prior to the action of the Board, but the action now implies that it is acceptable.

Jim
 
Your response makes it sound like the magnetic switch is some kind of outlaw device.

Where is it written down that any particular device for any purpose has to be submitted for approval by the TRA BOD?

What does that approval process look like? Is there testing involved? How are the results documented?

Certainly, none of the Featherweight devices are outlaw devices. I’m not sure why you would make such an association. I’ve been impressed by Adrian and his various devices since before I first met him in Colorado more than ten years ago.

Our rules always required that electronics be physically disconnected until placed on the pad. At LDRS 36, the board received a request to allow the Eggtimer WiFi switch to be used without a physical disconnection. After reviewing how it worked and receiving input from Cris Erving we agreed to allow that specific device to be used. That was an exception. Until recently nobody else has requested such an exception.

A manufacturer simply needs to write to me asking to be considered. Either I or someone on the board or designated by the board will then discuss it with the manufacturer in email and report back to the board. The board will vote on it and either add it to the list or not. I don’t anticipate us doing independent testing. This is the first time we created the list but it will be placed on the Tripoli website.
 
This added rule only affects people who have adopted wireless remote switches,

It also brings to light, that everyone using only a magnetic switch is violating the safety code.

It also brings to light, that anyone using just the "switch" terminals on your altimeter, does not have a physical break between the pyrotechnics and the battery.
 
Certainly, none of the Featherweight devices are outlaw devices. I’m not sure why you would make such an association.

If the purely solid state isolation that the Eggtimer devices provide (haven't met a Kate to know to include it or not) isn't sufficient, then by logic, the purely solid state featherweight magnetic switch MUST fall into the same rules. It can't count as 'disconnecting' from power - the switch is powered, 'awake', and controlling current.
 
Sort of along the same lines, for staging, I use a WiFi "switch" to provide switched power into another altimeter (let's say an EasyMega) in combination with an igniter shunt or a disconnect. I'm OK with powering up the wifi switch with the rocket horizontal because I can verify that the EasyMega doesn't turn on. After raising the rocket, I can "arm" the wifi switch and verify that the EasyMega boots up correctly. Finally, I arrange so that the shunt or disconnect can be removed or closed from the ground or on first motion of the rocket. (My magnet shunt was an example of exactly this approach)

I am much less comfortable with the idea of a WiFi switch when turning on the power to the WiFi switch also powers up the staging electronics. I'll mention the Telemega as an example, and perhaps some of the Eggtimer products (although I don't know the specifics of their design). If Tripoli is saying that such "combination" electronics are OK, and that the disconnects to the igniter can be closed prior to raising the rocket, then I would say this is a glaring oversight. It may have been a glaring oversight prior to the action of the Board, but the action now implies that it is acceptable.

Jim

I’m just getting ready to travel, but I’d like to understand this better, Jim. I don’t believe anything we’re saying should be taken to mean that a person should eliminate any disconnects. We’re just saying the power to the WiFi switch must be dead when taking it up to be inspected and carried out onto the range. We’re okay with the power to the WiFi switch being reconnected at a prep area before the rocket is raised vertical.
Would you not allow the use of a wireless remote switch to switch power to your staging electronics after your rocket is vertical?
 
If the purely solid state isolation that the Eggtimer devices provide (haven't met a Kate to know to include it or not) isn't sufficient, then by logic, the purely solid state featherweight magnetic switch MUST fall into the same rules. It can't count as 'disconnecting' from power - the switch is powered, 'awake', and controlling current.

I completely agree. I was objecting to him saying that I made the magnetic switch sound like an “outlaw”, which is a negative connotation that I didn’t imply.
 
It also brings to light, that everyone using only a magnetic switch is violating the safety code.

It also brings to light, that anyone using just the "switch" terminals on your altimeter, does not have a physical break between the pyrotechnics and the battery.

The first one, yes, I think it does.
The second one, it depends on how the switch terminals are used by the circuit.
 
I completely agree. I was objecting to him saying that I made the magnetic switch sound like an “outlaw”, which is a negative connotation that I didn’t imply.

And your reply in the very next post goes on to say exactly that.
The first one, yes, I think it does.
The second one, it depends on how the switch terminals are used by the circuit.

I actually think you did imply it, even if you didn't mean to. And I know the 'you' isn't 'Steve Shannon the individual person', but 'The TRA BoD, or representative(s) thereof'.

But at least it's being teased out from implicit to explicit - disconnected from energy source means a mechanically broken connection - by connector or mechanical switch. Electronic equivalents of functionality will not suffice. And to clarify your note to JimJ - it's energy to pyro that's important. The Wifi part can be on anywhere if the pyro-side has the mechanical disconnects.
 
All of my rockets are designed to use wireless remote Eggtimer switches. I don't have any physical switches on them. My two stage rockets use proton/quantum for staging. I have the sustainer igniter physically disconnected until the rocket is vertical on the pad, then I connect it.

I will have to rework my rockets to now include a switch or disassemble my AV bays at the pad in order to connect the battery.

hmm
 
The first one, yes, I think it does.
The second one, it depends on how the switch terminals are used by the circuit.
Got it. So the use of only a featherweight magnetic switch or featherweight powerperch would violate the safety code.

So has the Tripoli board reviewed how commercial altimeters use their switch circuits? The other half of my fleet use a stratologger cf, RRC3 and ARTS. I assumed they met the safety code. But this has brought to light that they all physically connect the battery to the pyrotechnics.
 
I'd definitely appreciate clarification on if we can use the "switch" terminals on popular altimeters.
 
I just took a look through the manuals of the three altimeters mentioned above.

Caveat - I haven't looked at the wiring or the traces on the boards for confirmation - this is just based on the manuals.

For the SLCF, it really looks like the switch handles main and deployment power together. Especially because it calls out requiring the same current handling specs for any switch. It comes jumpered - that's not good for flight.

For the RRC3, it also looks like main and pyro power are not separated. BUT the manual explicitly calls out using a magnetic switch as an option - and that's not a mechanical disconnect.

The ARTS2 looks more like the Eggtimer products, in having separate processor and pyro battery options. It has a header to jumper across for single battery use, but the manual I found -doesn't- explain just what the switch terminals do. That one is undetermined, to me.
 
Actually, not for the Proton. The switches are controlled by two different devices... the "low" side is controlled by the processor, the "high" side by an I/O expander that requires the correct I2C sequence to be sent to it to change the outputs. This was done intentionally for just that reason, so no single device failure could trigger a deployment.
This helps with hardware failures but only a little with software. Which still represents a single point failure mode.

If you had the ESP8266 controlling one side (arming) and a completely separate MCU controlling the other side, you might have something.

What we really want, but the rules don't make clear, is for there to be no single point failure modes that would result in an unintended output. Then once the rocket is at the pad and pointed up you can expose those single point modes. Carefully.
 
No, you can't conclude that.
Yes, I can conclude that my pyrotechnic charges are physically connected to the altimeter, that is physically connected to the battery.

But what the altimeter circuitry does from my physical connection, I do not know. Here's a schematic from Altus Metrum. Does that switch circuit show that it physically removes power from the charges? Should I just assume that it does? Does the Tripoli board have a list of altimeters that are approved and meet their safety code?

[Attachment: Screenshot_2020-02-04-12-09-16.jpg]
 
Can you get deployment status with the switch disconnected? If so, then there is necessarily SOME power going to the deployment initiators at SOME time... maybe not all the time, but at least when it's doing the continuity check.
 
What we really want, but the rules don't make clear, is for there to be no single point failure modes that would result in an unintended output. Then once the rocket is at the pad and pointed up you can expose those single point modes. Carefully.

I'm not sure that I agree that software counts as a single point. But I'm not a Board Member. Heck, I'm not a member at all. I just want to fly safely and not unintentionally trip over your rules when I fly with you. Software is harder to verify, I'll grant that.

Is a mechanical switch not a single failure point? They can fail closed, can't they?
 
If I were to have the output of the remote wifi style switch connected to a mechanical relay switch, which would then power the altimeter, would that be something that would be allowed? There is a physical break between the battery and the deployment charge via the mechanical switch. This does add another point of failure, but would provide a solution for those who have only wifi switches as a means to arm electronics.

Using the configuration above, would I be able to have the wifi switch powered on during LCO check off and before mounted vertically on the rail?
 
Yes, but usually switches fail open, or "bounce" (fail open for a relatively short period of time, maybe a few milliseconds).
 
If I were to have the output of the remote wifi style switch connected to a mechanical relay switch, which would then power the altimeter, would that be something that would be allowed? There is a physical break between the battery and the deployment charge via the mechanical switch. This does add another point of failure, but would provide a solution for those who have only wifi switches as a means to arm electronics.

Using the configuration above, would I be able to have the wifi switch powered on during LCO check off and before mounted vertically on the rail?
Relays unfortunately do not do well in high-G and/or high-vibration environments.
 
Yes, but usually they fail open, or "bounce" (fail open for a relatively short period of time, maybe a few milliseconds).

I think we're talking possibilities here, not probabilities. If we were talking probability, then adding another switch into the system that can lead to a failed deployment (altimeter powered on, deploy power left open), increases the probability of a ballistic return.

Or we can talk about the probability of a switch failing closed compared to the probability of a microprocessor failing with one analog channel set wrong while simultaneously forming and sending the proper string down a serial comms path, while also appearing to be working in the first place (sending lights, beeps, web pages, etc).

I think this discussion is -possibility- driven.
 
Is a mechanical switch not a single failure point? They can fail closed, can't they?

It depends on what the switch is connected to. If the switch is the only thing preventing an output, then yes, it is a single point failure mode. But if something else has to have failed, no.
 
Yes, I can conclude that my pyrotechnic charges are physically connected to the altimeter, that is physically connected to the battery.

But what the altimeter circuitry does from my physical connection, I do not know. Here's a schematic from Altus Metrum. Does that switch circuit show that it physically removes power from the charges? Should I just assume that it does? Does the Tripoli board have a list of altimeters that are approved and meet their safety code?

[Attachment 405546]

With that schematic battery is disconnected from your charges if the switch terminals are open.
 
...assuming that there is no connection between the always-on "Battery +" terminal and the Main+/Apogee+ terminals; there may be something in between (resistors, buffers, etc.) that's not shown in this schematic fragment.
 