BradMilkomeda
Well-Known Member
- Joined
- Feb 26, 2017
- Messages
- 177
- Reaction score
- 28
Revision to Tripoli Rule Regarding Wireless Remote Switches
- Thread starter Steve Shannon
- Start date
Help Support The Rocketry Forum:
- Status
Wow, never saw that one coming!
I have been using Featherweight mag switches for years and a lot of my AV bays have them. I wish this was discussed, tabled, resolved, years ago. But, I get that the Tripoli BoD is just doing their part to ensure we have a hobby, so I thank them for making the hard decisions.
Still this will hurt as it looks like I will have to add redesigning all affected AV bays to my winter maintenance list.
I have been using Featherweight mag switches for years and a lot of my AV bays have them. I wish this was discussed, tabled, resolved, years ago. But, I get that the Tripoli BoD is just doing their part to ensure we have a hobby, so I thank them for making the hard decisions.
Still this will hurt as it looks like I will have to add redesigning all affected AV bays to my winter maintenance list.
Charles_McG
Ciderwright
Ok, to do a little thinking out loud, I'm going to take @UhClem 's points about single point of failure being paramount and break this topic into two issues. Bear with me for a moment.
Consider these cases...
traditional altimeter with plug in battery connected on pad - one point of failure (bad alt fires on startup), but physically disconnected until at pad, pointy-end-up.
traditional altimeter with mechanical switch - same weakness as above when turned on - but mechanically disconnected until PEU.
traditional altimeter with mag switch - not mechanically disconnected, but early fire requires both mag switch AND altimeter failures.
traditional altimeter with ET WIFI Switch - not mechanically disconnected, but early fire requires both wifi AND altimeter failures.
ET Quantum - not mechanically disconnected, early fire requires two output channels on -same- chip to fail or be mis-programmed.
ET Proton - not mechanically disconnected, early fire requires failure on the CPU and a separate failure on the breakout controller (or equivalent miscoding).
I believe the Proton IO Expander needs to be considered a second controller. It's watching a serial line and interpreting commands to change state - not just a dumb circuit amplifying an output line to enough current to light an ematch. That still leaves open the verification of software - which I also don't believe should be counted as a single point of failure. Or at least not the same point as the processor, direct IO lines, or indirectly connected devices.
I don't know enough about Kate to include her.
I find I'm interested in the hypothetical cases of using a Quantum or Proton with a mag switch or wifi switch on the -deployment- power side. That isn't a physical connection, but it -does- provide redundancy. It's back to multiple electronic failures to light something.
So what's the core? The reliability of a physical connector/mechanical switch? Or eliminating single points of failure?
Consider these cases...
traditional altimeter with plug in battery connected on pad - one point of failure (bad alt fires on startup), but physically disconnected until at pad, pointy-end-up.
traditional altimeter with mechanical switch - same weakness as above when turned on - but mechanically disconnected until PEU.
traditional altimeter with mag switch - not mechanically disconnected, but early fire requires both mag switch AND altimeter failures.
traditional altimeter with ET WIFI Switch - not mechanically disconnected, but early fire requires both wifi AND altimeter failures.
ET Quantum - not mechanically disconnected, early fire requires two output channels on -same- chip to fail or be mis-programmed.
ET Proton - not mechanically disconnected, early fire requires failure on the CPU and a separate failure on the breakout controller (or equivalent miscoding).
I believe the Proton IO Expander needs to be considered a second controller. It's watching a serial line and interpreting commands to change state - not just a dumb circuit amplifying an output line to enough current to light an ematch. That still leaves open the verification of software - which I also don't believe should be counted as a single point of failure. Or at least not the same point as the processor, direct IO lines, or indirectly connected devices.
I don't know enough about Kate to include her.
I find I'm interested in the hypothetical cases of using a Quantum or Proton with a mag switch or wifi switch on the -deployment- power side. That isn't a physical connection, but it -does- provide redundancy. It's back to multiple electronic failures to light something.
So what's the core? The reliability of a physical connector/mechanical switch? Or eliminating single points of failure?
Well said Charles. I am not saying that there might be an issue with the remote switches and remote controlled altimeters, but I think the TRA BoD did not do their due diligence in this decision. I think a complete Failure Modes and Effects Analysis (FMEA) for the complete system should have been requested from the manufacturers in question. If this were an aircraft the design assurance level would then be determined. Is this failure result in a catastrophic, hazardous, major, minor, or no safety effect. Once that is determined for all the failure modes. Then the need for failure mitigation solutions need to be determined. If the current designs do not meet that criteria then and only then do further things need to be added to the system. This is the problem that Boeing has with the 737 Max. They assumed the MCAS was only major so no redundancy is necessary. Obviously it should have been catastrophic instead. Since we have safety distances I don’t believe any of our electronics meet the level of catastrophic. With your high level analysis above I see several situations that do not have a single point failure of the system. Like Charles said above the single failure of the remote system in some cases does not result in a deployment event.
I think it should be probability driven. In my other post about design assurance levels (DAL) there are probabilities associated with each level. For instance the probability of catastrophic per standards is 1x10-9. If the probability is less than that then you havent met the requirements for mitigating a catastrophic failure.
DFMEA. I agree! Was this decision made using probabilistic and risk methodologies such as those established by UL and IEC, or was it based on “the unit MAY fail, therefore it may not be used”? I’ve certified multiple commercial products with UL and IEC on the basis of DFMEAs for hardware faults and operational environment requirements for software faults. UL and IEC have established well-documented criteria to establish safe operation of both hardware and software, isn’t it time we do the same across our governing bodies in model rocketry?
I agree but I am still not convinced that this needed to be such a quick change without any input from the membership and detailed analysis. Especially since they can’t point to an actual occurrence of a failure. If that had occurred then by all means it needs to be fixed immediately.
At work this would be called a knee jerk reaction by management without understanding the ramifications and complete risks.
Charles_McG
Ciderwright
The answer to this has been pointed out to me on other channels. But I'm not about to join up and run for office to argue my case.
I had two screw switches on a dual deploy rocket, one for the conventional altimeter, and one for the deployment charges. At the field, I loaded my rocket in the trunk of my car to move it a short distance on a gravel road. The screws were unscrewed several turns (to be off). I was surprised to hear my altimeter beeping when I parked the car, the altimeter screw had vibrated and rotated enough to turn on. Fortunately, the altimeter did not launch detect, and my deployment screw was still off. But now I remove the screws completely. I subjectively feel like my disarmed Proton would have been safer. It was part of my motivation to switch to a Proton.
Last edited:
I can't disagree, and I never had an incident.
Having said that I can see an accidental arming if the flyer doesn't take precautions to keep the rocket away from the magnet in their pocket, or hand, when walking to the RSO or pad.
While I have never had an incident, I have accidentally armed an altimeter. I don't profess to be perfect, but, I am very careful in my procedures.
At the end of the day, the human is the biggest point of failure in our hobby. Although this may be "knee jerk," in regards to magnetic switches, and painful for me personally, I see it as a mitigated step towards a safer hobby.
- Joined
- Jan 3, 2011
- Messages
- 366
- Reaction score
- 50
The NFPA.ORG safety rules are well written, unlike Tripoli’s latest rule. It clearly states that the ‘firing circuits and energetics shall be INHIBITED’ (emphasis added to key word by me) . The idea of PHYSICAL DISCONNECTS is a backwards step and MANDATES one of many possible solutions that takes our high powered rockets back to the 1980’s in technology. There are products in the market such as the magnetic switch that ARE NOT FAILSAFE as they reenergize to last state. This is normally used to energize an altimeter. It soon becomes apparent if it is on and easily remedied so for me not a major issue. Electronics such as the TRS have brought about a much safer way of arming our electronics and PREVENTING LAUNCHES WHEN ANOMALIES ARE DETECTED . Under this new rule this is essentially a dead product and yet is a product that I totally trust and use as one of my systems on high flights. The Tripoli board has endangered us with this new rule by adding more crude failure points and virtually requiring last minute assembly at the pad.
The TRA BoD did not do anything with magnetic switches. This change is strictly for wireless remote switches like some of the Eggtimer products and the Kate system. I had to read the announcement several times to fully understand what it was saying and intending. Please read it again. It is the first post in this thread.
Oy... people already have pitchforks out because the devices they own haven’t been past a review board (yet). I’d hate to think what would happen if UL and/or IEC certification is required.
That said, I’m 100% onboard requiring certification for electronics, pitchforks or no.
I have been sent to the hospital (not rocketry related) because an “impossible” situation with microcontroller controlled machinery - I had physically disconnected the power source that closed an actuator. It was “supposed” to be dead. But the system wasn’t perfect (none is). The actuator couldn’t close, but sure could open! And it crushed my finger. It took weeks to get the rest of the engineering team to see that what they thought was impossible had, in fact, happened.
I definitely understand where Tripoli is coming from - it’s not hard for a random Jane to make their own WiFi/ZigBee/other wireless firing circuit with an Arduino — and it’s quite easy to do it badly. Most microcontroller hobbyists go about splicing completely unrelated pieces of code they found using Google.
I don’t think the RSO should have to trust that some random person they’ve never seen before has well designed electronics & software.
There’s no way the RSO can know prior to inspection if a flyer didn’t just cobble together Arduino scraps before inspection, and he definitely shouldn’t have to blindly trust it won’t fire an engine or charge until it’s on the pad.
I’m 100% behind keeping electronics that light a pyro dead until on the pad.
My entire career in software has been fixing problems caused by software whose designer only thinks of the “happy path,” and whose software can’t handle anything else.
I literally have the scars to prove it. If it can happen, it will. There is no escape from Murphy’s law.
Last edited:
- Joined
- Jan 23, 2009
- Messages
- 5,977
- Reaction score
- 4,091
UL requires physical power disconnects on any system than can use/release more than 200 (or 400 I can't remember) VA of energy. Neanderthals......
- Joined
- Feb 3, 2012
- Messages
- 6,338
- Reaction score
- 5,535
We’re at least an order of magnitude below that standard.
- Joined
- Jan 23, 2009
- Messages
- 5,977
- Reaction score
- 4,091
What the equivalent VA of a motor burning? The "system" is not just the altimeter.
Hmmm... Does it matter how that energy is released? Or does it have to stay electrical?
There isn’t really a precise way to convert a VA to a Watt of propulsive energy unless you have a DC Circuit and an impossible “purely resistive” load...
If we throw that little inconvenience out and use 1V * 1A = 1 Watt, then an Aerotech J250 easily releases more energy than 400 W of propulsive energy... to say nothing of the higher amount of heat energy.
Last edited:
Hi Dave,
I interpreted it differently.
Then for clarification I read post 18
NateB
Well-Known Member
When we set up fireworks displays, the 2-wire systems are not powered up or even connected to power until everyone is clear from mortars for continuity tests. Likewose, wireless systems are powered off at the module until they are ready to be armed and fired. Accidental ignitions with e-matches are unlikely, but have happened, and have killed people. Continuity checks should be far less voltage than would fire an e-match, but accidents can happen and the price of failure is high. I admit, I have been up close to live wired, powered explosives when fixing issues, and only with proper PPE and extreme care to avoid body parts over mortars.
Because of this background, it didn't occur to me that an RSO might be presented a rocket that was powered on, but not armed. Even with wi-fi switches, I assumed the best practice would be to connect batteries at a staging area or at the pad and only arm it when the rocket is stabilized and pointed upright.
Because of this background, it didn't occur to me that an RSO might be presented a rocket that was powered on, but not armed. Even with wi-fi switches, I assumed the best practice would be to connect batteries at a staging area or at the pad and only arm it when the rocket is stabilized and pointed upright.
Accurate reading.
- Joined
- Jan 23, 2009
- Messages
- 5,977
- Reaction score
- 4,091
The intent behind the UL code is the illustration. UL has determined that 200VA is a hazard to life and limb, and the ability to physically disconnect power is required. The comparison to our case is the life and limb hazard standard, not the VA equivalent.
The are similar codes in UL with regards to thermal and overcurrent requirements. Hardware fuses are required. You cannot just rely on firmware and electronics to protect against overtemps and overcurrent faults.
Oh, I’m 100% with you. I’ve seen more than my share of all of the above.
Especially the bit about trusting software. Anybody who engineers software knows the truth: we (software engineers) don’t actually know how to write reliable software. Full stop.
Every once in a while we even crash a billion dollar space probe to cast that fact into sharp relief.
Last edited:
28 years ago I got hired as a software engineer at a company that made a communication monitoring system (CMS) . Over the next few years our systems were installed in every cell site owned by US West New Vector. About 1400 sites as I recall.
While learning the source code I spotted a printf that said “Oh no, Mr. Bill!”
The comment above it said /* This will never happen */
Sure enough, the day came when the customer’s project manager called to ask what that meant.
Never say never.
JimJarvis50
Well-Known Member
- Joined
- Jan 17, 2009
- Messages
- 2,882
- Reaction score
- 1,786
Steve, from Post #1:
Those circuits which include Tripoli approved wireless remote switches may have the physical disconnections reconnected once the rocket is out on the range (either near the pad or at a special preparation area), thus transferring control to the remote switch.. Although the rocket must be pointed in a safe direction at all times, it is not required to have the rocket on the pad and vertical when the mechanical connections are made if the wireless remote switch is in its safe state. The rocket must be on the pad and upright and all personnel must be at a safe distance away from the pad when the wireless remote switch is commanded closed.
The above means that you can have a piece of electronics - a combination of WiFi and altimeter - that can be energized with the rocket horizontal, and with "physical disconnections reconnected". You would then be raising a rocket with energized electronics connected directly to the igniter. Although the "switch", which isn't a switch at all, would be armed remotely from its "safe state" while vertical, raising a rocket in this condition is not something that I would recommend doing. I understand the intent of the rule, but it looks to me like an overly simplistic fix for what is a complex problem. I don't think it is prudent to raise a staged rocket unless the igniter is either properly shunted or disconnected, particularly if it is connected to an energized piece of electronics.
Jim
GrouchoDuke
Well-Known Member
- Joined
- Oct 18, 2016
- Messages
- 1,693
- Reaction score
- 1,537
I've had this happen with screw switches too. I also had a screw switch with a weak factory-solder joint that failed after I turned it on (would have been a core sample if I didn't notice the beeping stopped out at the pad). Because of those issues with them, I moved everything to Adrian's magnetic switches. In my limited experience, they've been way more reliable & predictable than mechanical screw switches.
Steve, just to double-clarify, is there any way to have a magnetic switch (or WiFi, etc) that meets the safety code requirements and the intent of this new ruling? I'm up for designing a new magnetic switch that meets whatever the rule matrix is (if there is a non-mechanical-break way to fit within the rules). Thanks.
- Joined
- Feb 3, 2012
- Messages
- 6,338
- Reaction score
- 5,535
From what Steve has told me, no electronic switch will fit within the scope of the rule. They are also ruling out trickle currents... even under 100 microamps. Now if you had it operate a motor that closed a mechanical switch, that would work...
- Joined
- Feb 3, 2012
- Messages
- 6,338
- Reaction score
- 5,535
Jim, what would be your proposed solution to this problem? Personally, I'd rather not be standing on a ladder fiddling around for some switch with my face inches away from several thousand Newton-seconds of potential energy... which is why I came up with the WiFi stuff in the first place.
GrouchoDuke
Well-Known Member
- Joined
- Oct 18, 2016
- Messages
- 1,693
- Reaction score
- 1,537
Thanks Cris.
- Joined
- Feb 3, 2012
- Messages
- 6,338
- Reaction score
- 5,535
You're welcome. I'm not sure, but I think they use some kind of electromechanical switch when they switch on internal power in "real" rockets... I'm sure some of the aerospace guys can chime in on this.
- Status
