Revision to Tripoli Rule Regarding Wireless Remote Switches

The Rocketry Forum

FYI, the three Eggtimer devices named in this TRA rule break power to the attached device (WiFi Switch) or the deployment circuitry (Quantum, Proton) until explicitly armed, by entering a 4-digit arming code that changes every 60 seconds. You can't "pocket arm" them.

This is what I was missing in the conversation. In order to have the Egg devices blow the ejection charge, you would need three failures:

Arm altimeter
Electrical/software failures on both legs of the ejection charge

That's pretty danged unlikely (technical term), particularly with a 4-digit code entry required to arm the altimeter.

On the other side, I have personally had one failure in a couple of dozen flights on a twist and tape connection (saved by a redundant altimeter), two failures in three installations with Schurter switches, and no failures in three installations with screw switches. I can re-jigger my procedures to connect charges on the pad, but my own limited experience indicates we're trading an extremely unlikely event (altimeter accidentally firing the ejection charge) with a somewhat more likely event (failure of the switch/T&T on the ejection charge). Considering the relative hazard of an ejection charge blowing versus a rocket coming in ballistic, I don't see this as a safety improvement. Nobody wants to have an ejection charge blow in their face, but I'm having real trouble with equating a 0.2g separation charge with a lawn dart.

All of that said, most of the people on the thread opposed to the rules are just saying they don't like the rules. To counter that a bit, here's a counterproposal from Some Dude on the Internet (worth exactly what you paid for it :)). In my dream world, the rules would be:

On staged flights with AP motors, don't connect the sustainer igniter before getting to the pad and don't insert igniter until the deployment altimeter is armed.
You may connect small ejection charges (<3-5g?) to a Wifi-controlled altimeter (WCA) and turn the WCA on before going to the pad, but the rocket must be carried vertical or pointed in a safe direction at all times. The WCA must require an entered code to arm (or equivalent that prevents pocket dialing).
For larger ejection charges, altimeter may not be turned on before reaching the pad.
Wifi switches OK as long as they require an entered code to arm. I like the concept of the mag switches but I haven't actually used one so I can't comment on how to use it safely.
Do not arm the altimeter or turn on non-WCA altimeters until the rocket is vertical on the pad.

I feel like this is a good balance between simplicity for smaller rockets and better procedures. I'm probably wrong in some respects. Tell me why, and what your alternative would be.
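The post above (and the quoted Eggtimer description at the top of this thread) refers to a 4-digit arming code that changes every 60 seconds and so cannot be entered by accident. The following is an added illustration of how such a time-rotating code can be generated and checked; it is not the forum's or the vendor's code, and the HMAC-over-time-window construction, the secret, and the class/function names are all assumptions made here for the example.

```python
import hashlib
import hmac
import struct

WINDOW_SECONDS = 60   # the post says the code changes every 60 seconds
DIGITS = 4            # the post says it is a 4-digit code


def arming_code(secret: bytes, now: int) -> str:
    """Return the code valid for the 60 s window that contains `now`.

    Assumption (not stated on the page): the code is an HMAC over the
    window counter, truncated to DIGITS decimal digits, TOTP-style.
    """
    window = now // WINDOW_SECONDS
    mac = hmac.new(secret, struct.pack(">Q", window), hashlib.sha256).digest()
    value = int.from_bytes(mac[:4], "big") % (10 ** DIGITS)
    return f"{value:0{DIGITS}d}"


class PyroChannel:
    """Deployment output that stays unpowered until a correct, current code is entered."""

    def __init__(self, secret: bytes):
        self._secret = secret
        self.armed = False

    def try_arm(self, code: str, now: int) -> bool:
        """Arm only if `code` matches the code for the current window."""
        expected = arming_code(self._secret, now)
        # constant-time compare so timing does not leak how many digits matched
        if hmac.compare_digest(code.encode(), expected.encode()):
            self.armed = True
        return self.armed

    def disarm(self) -> None:
        self.armed = False


def wrong_code(code: str) -> str:
    """A guaranteed-incorrect code of the same length: last digit changed."""
    last = (int(code[-1]) + 1) % 10
    return code[:-1] + str(last)
```

With this construction a code copied down a minute earlier no longer works, and a random 4-digit entry has a 1 in 10,000 chance per window of matching, which is the "can't pocket arm" property the post is relying on.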
 
Lost in all this so far is the word 'inhibit' as defined by TRA vs. the NFPA. If the TRA is doing this to be compliant with the NFPS guidelines, as I think is some of the reasoning behind it, has anyone from TRA talked to the NFPA about this issue?

When the mag switch is off, there is no power to the altimeter, it is not 'energized', as so many folks seem to think. The switch may be energized, but the altimeter isn't. The same is true using a wifi switch, switch off, altimeter off. Everyone talking about folks walking around with 'energized' circuits seems to forget that the altimeter isn't energized. (The Proton is a slightly different beast, but still inhibits power to the firing circuits.)

This is what hasn't been answered: if there is no power to the altimeter when the switch is off, how is an electronic switch more inherently dangerous than a mechanical one? What analysis or survey shows this is the case?


Tony
 
Note that the PROTON has two different controllers... the ESP32 part controls the power FET on the low side, while an I2C expander controls the outputs on the high side. For a channel to fire, BOTH of them would have to send a signal to the outputs simultaneously.
The ESP8266 controls the power FET and the I2C port expander. Making the software a critical part of the safety system.

I have been looking through the NASA guide book on the subject and it is interesting.
 
You want me to test the code used by a mechanical switch?
Ha, great attempt at a diversion. Obviously I meant the code used by the controller you mentioned, "I am sticking with the AltAcc2. Simple (runs on a 8 bit PIC) and includes an arming switch which disconnects the outputs from the battery." You knocked the wifi switch as being written by someone else and possibly full of bugs. In the above post you are clearly obsessed with software safety. So I assumed you disassembled the code on the AltAcc2 and are confident it does not have any bugs. And I'm still waiting on that link as to where we can all buy one so we too can meet the new rule.

Do all altimeter makers now have to post their software so we can inspect it for bugs? A failure to deploy chutes due to a bug is in many cases far more dangerous than the charge going off on the ground, no?


Tony
 
Note that the PROTON has two different controllers... the ESP32 part controls the power FET on the low side, while an I2C expander controls the outputs on the high side. For a channel to fire, BOTH of them would have to send a signal to the outputs simultaneously.
I spent my commute home thinking about this and I've changed my answer. Because there are 2 controllers, the ESP and the deployment controller, and both have to be enabled, then this meets the requirements for inhibited events.

I still add a physical switch on the battery lead but it shouldn't be required for the Eggtimer stuff. I don't know how Kate II works.
 
I spent my commute home thinking about this and I've changed my answer. Because there are 2 controllers, the ESP and the deployment controller, and both have to be enabled, then this meets the requirements for inhibited events.
There is only one controller. The ESP8266 runs all of the code. The networking stack and the altimeter code that twiddles the GPIOs that talk to the I2C port expander.
 
Adding an extra mechanical switch might introduce another point of failure, as many have suggested, but it doesn't increase the probability of a simultaneous failure of all switches in the system, electronic or mechanical. It actually decreases it.
Correct, it reduces the probability of an unintended firing of an ejection charge or motor ignition. But it increases the probability of an unsuccessful firing of an ejection charge or motor ignition when intended.
 
These last few comments bring up a good point. What is inhibit? And how is software involved in all modern avionics designs? There are hobby vendors that offer networked devices that remotely control charges inside the rocket (heck, and I suppose it could be more than one airframe). In that case software traversing the network and I assume an error checking/validation algorithm work to either fire or inhibit the initiator. I guess in theory, within this discussion, this is OK since it is all activated when the flight systems are turned on. My point is that electronics continue to advance and there are some smart folks designing what we use. Let's be open to innovation and allow vendors to provide quality and reliability data to support their designs. If we had a reasonable amount of standardized validation and consensus upon what is an official release of a product, maybe this would stop the after-the-fact second guessing and pondering on "what if" scenarios from surprising us all.
 
If the switch, be it wifi, mag, screw, key, slide, etc., breaks the circuit between the controller and the battery, I understand it as complying with the new rule. If the switch, regardless of type, doesn't break that circuit then it doesn't comply. This is why the devices that were called out are on that list. The switch doesn't break the circuit to the controller, it only arms/disarms the events.

I wish your interpretation was correct but I don't think it is. I tried to get clarification earlier in the thread but nobody replied.

As I understand it, according to the new rule you must have the power physically isolated from the charges or ignitors. Magnetic or electrically actuated means of disconnection are not considered valid means of isolation. So a battery connected to a WiFi switch (in the open state) that is connected to a Quark (no power applied) then connected to ejection charges is not allowed at the RSO table. To conform with the new rule you have to either disconnect the battery from the wifi switch, install a non-magnetic switch to interrupt the power to the wifi switch or disconnect the charge leads from the Quark. Once you are on the pad you can reconnect everything but the WiFi switch must remain open until the rocket is on the rail in an upright position. Then you can close the WiFi switch and power the Quark.

Bottom line, if your charges or ignitors are connected to something the battery cannot also be connected to that same device. If you are using switches to disconnect the battery they cannot be magnetically or electrically actuated. That is how I read the new rule. Please correct me if I have misread the new rule.
 
I've swapped out the 150 mAh battery that the Perch comes with for my own 450 mAh battery and added a SPDT slide switch. I don't have a photo of it but I can pull that rocket out and get it out of the av bay and take one if you really want.<...snipped for brevity>...
So now you have an extra battery connection (cable from the bigger battery to the perch), a break in one of the lines for a switch that you have to mount somewhere, and you still have to activate the magnetic switch? I realize it's a pain, but a picture would be great, thanks.


Tony
 
NFPA says inhibit. Inhibit does not require physical disconnect. TRA BoD says it must be a physical disconnect to be considered inhibited.

Prepping your rocket at a "special prep table" by the pad and then moving it to the rail. TRA BoD now considers your rocket charges not inhibited. That is a violation of NFPA to move a rocket with enabled charges.

"NFPA 1127

4.13.7
The function of firing circuits and onboard energetics shall be inhibited until the high power rocket is in the launching position.

4.13.8
The function of firing circuits and onboard energetics shall be inhibited prior to removing the high power rocket from the launching position.

NAR HPR Safety Code
(4)
The function of onboard energetics and firing circuits will be inhibited except when my rocket is in the launching position.

TRA HPR Code
Nothing specified.. generally references NFPA 1127."

So the TRA BoD say that a plugged in Quantum is not inhibited. Then they want me to move my "un-inhibited" rocket to the pad? So the TRA BoD want me to violate NFPA?

Steve Shannon, when will you make an announcement about magnetic switches not being allowed? Or any altimeters that have built-in switch terminals? Unless we can just guess and assume that the altimeter circuitry physically disconnects the energetics.
 
...<snipped for brevity>...Steve Shannon, when will you make an announcement about magnetic switches not being allowed? Or any altimeters that have built-in switch terminals? Unless we can just guess and assume that the altimeter circuitry physically disconnects the energetics.
The magnetic switches were never approved, so have never been allowed. I have unknowingly been violating TRA rules for years, and spent a lot of money doing so.

I was a prefect and did not know that TRA approved switches. This rule is new so I don't know under what rule or consideration the magnetic switch was not approved. There was a comment in a TRA forum thread that the switch was never submitted for approval. That got me even more confused. Are we supposed to submit the switches we use in our builds for approval? (Asking in all seriousness.)

EDIT: It was pointed out early in this thread that TRA has always required an open circuit for pyrotechnics. Yet I was unable to find that reference in the safety code. Perhaps someone can point it out for me.


Tony
 
That's actually a pretty good point... the trick is how to do it with an existing AV bay that was built wirelessly. I predict that we're going to be seeing a lot of twist and tape this Spring... which honestly is not a good thing from a reliability point of view.

Any data to back that up?

What forces during a nominal flight could possibly take apart twisted wires?
 
Any data to back that up?

What forces during a nominal flight could possibly take apart twisted wires?

Recognizing that the plural of anecdote is not data, I have had a twist and tape connection fail in flight. The connection was made in the wiring to the ejection charge from the altimeter so that I could connect the charge after assembling the AV bay. I don't know why it lost continuity, but it did. The e-match was still good--it fired and popped the charge just fine after being pulled out of the landed rocket. The backup altimeter saved the flight.
 
Correct, it reduces the probability of an unintended firing of an ejection charge or motor ignition. But it increases the probability of an unsuccessful firing of an ejection charge or motor ignition when intended.
Yes, I do agree with your point! I had thought about that after I posted. However, in all my dual deploy flights I use redundancy which will hopefully reduce the probability of that failure. Either way, I still believe that a suitable mechanical disconnect is less likely to fail than a powered electronic switch in its 'OFF' state.
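The exchange just above (a series inhibit lowers the chance of an unintended firing but raises the chance of a failure to fire, and redundancy is the usual answer to the latter) is the kind of trade-off that is easier to see as a small fault tree than argued in words. The block below is an added worked example, not code from the forum or any altimeter vendor; every probability in it is a made-up placeholder chosen only so the direction of each effect is visible, and the event and configuration names are assumptions of the example.

```python
from dataclasses import dataclass
from typing import Tuple, Union


@dataclass(frozen=True)
class Event:
    """Basic event with an assumed, independent probability of occurring."""
    name: str
    p: float


@dataclass(frozen=True)
class Gate:
    """AND: every input must occur.  OR: any input suffices."""
    kind: str
    inputs: tuple


def prob(node: Union[Event, Gate]) -> float:
    """Probability that a fault-tree node occurs, assuming independent inputs."""
    if isinstance(node, Event):
        return node.p
    ps = [prob(n) for n in node.inputs]
    if node.kind == "AND":
        out = 1.0
        for p in ps:
            out *= p
        return out
    if node.kind == "OR":
        none_occur = 1.0
        for p in ps:
            none_occur *= 1.0 - p
        return 1.0 - none_occur
    raise ValueError(f"unknown gate {node.kind}")


# Made-up per-flight probabilities (assumptions), chosen only to make the trade-off visible.
ALT_SPURIOUS = Event("altimeter fires a channel when it should not", 1e-3)
ALT_NO_FIRE = Event("altimeter fails to fire when it should", 1e-2)
EMATCH_OPEN = Event("e-match or its wiring is open", 1e-2)

# Each inhibit has two failure modes: conducting while 'off' (defeats the
# inhibit) and being open while armed (blocks the intended firing).
ELEC = (Event("electronic switch conducts while off", 1e-3),
        Event("electronic switch open while armed", 1e-3))
MECH = (Event("mechanical switch conducts while off", 1e-4),
        Event("mechanical switch open while armed", 5e-3))


def chain(inhibits) -> Tuple[Gate, Gate]:
    """One altimeter channel with the given inhibits wired in series.

    Returns (unintended-firing tree, failure-to-fire tree).  An unintended
    firing needs the altimeter fault AND every inhibit to conduct; a failure
    to fire needs only ONE open element anywhere in the chain.
    """
    unintended = Gate("AND", (ALT_SPURIOUS,) + tuple(fc for fc, _ in inhibits))
    no_fire = Gate("OR", (ALT_NO_FIRE, EMATCH_OPEN) + tuple(fo for _, fo in inhibits))
    return unintended, no_fire


def compare_configs() -> dict:
    """Map configuration name -> (P[unintended firing], P[failure to fire])."""
    results = {}
    for name, inhibits in (("altimeter only", []),
                           ("+ electronic inhibit", [ELEC]),
                           ("+ electronic + mechanical", [ELEC, MECH])):
        u, f = chain(inhibits)
        results[name] = (prob(u), prob(f))
    # Two independent altimeter chains (separate hardware modelled with the same
    # rates): the charge fires if EITHER fires, deployment fails only if BOTH fail.
    ua, fa = chain([ELEC, MECH])
    ub, fb = chain([ELEC, MECH])
    results["redundant pair, each fully inhibited"] = (
        prob(Gate("OR", (ua, ub))), prob(Gate("AND", (fa, fb))))
    return results


if __name__ == "__main__":
    for name, (u, f) in compare_configs().items():
        print(f"{name:40s} unintended={u:.2e}  no-fire={f:.2e}")
```

Each series inhibit multiplies the unintended-firing probability by its conduct-while-off rate and adds its open-while-armed rate to the failure-to-fire probability, which is exactly the trade the two posters describe; the redundant pair brings failure-to-fire back below the single unprotected chain while leaving unintended firing far lower than it. The numbers only mean anything once someone supplies measured rates, which is the point of the FMEA request made later in this thread.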
 
I'll probably take heat over this.

Anyhow I'm not trying to suggest that there's anything wrong with any egg product, however....

all of those products are made by the rocketeer, who may or may not have any experience with electronics. There's a lot of little parts, and I'm not sure of the possible failure modes (I don't egg). However, this rule is good because it prevents someone with no experience making a switch incorrectly causing it to fire an ejection charge inappropriately. I'm not certain how that would happen, but I worry it could... I for one think it's good that we have this rule. It keeps us safer. We either police ourselves or others will....
 
I'll probably take heat over this.

Anyhow I'm not trying to suggest that there's anything wrong with any egg product, however....

all of those products are made by the rocketeer, who may or may not have any experience with electronics. There's a lot of little parts, and I'm not sure of the possible failure modes (I don't egg). However, this rule is good because it prevents someone with no experience making a switch incorrectly causing it to fire an ejection charge inappropriately. I'm not certain how that would happen, but I worry it could... I for one think it's good that we have this rule. It keeps us safer. We either police ourselves or others will....
At LDRS this year I witnessed 3 different events where ejection charges fired while in the prep area. None used electronic switches. Two were the result of user error, the third is unknown. You are somehow assuming that what you describe is not already happening. Who builds all the mechanical switch circuits? At least with an electronic device you can test it with software and a POST. With a bunch of switches bought off eBay and wired up by every individual flyer, what testing is done to ensure we are all safe from the flyer prepping at the next table?


Tony
 
FYI, the three Eggtimer devices named in this TRA rule break power to the attached device (WiFi Switch) or the deployment circuitry (Quantum, Proton) until explicitly armed, by entering a 4-digit arming code that changes every 60 seconds. You can't "pocket arm" them.

Cris,

I asked this question very early in this thread but either didn’t see a response or one wasn’t given.

Has a failure modes and effects analysis (FMEA) been performed on the three devices listed in the rule change? By that I mean what are all the ways that a fault could cause an inadvertent deployment event. The reason I ask this is because in a real airplane we determine the severity of the failure event. There are 5 levels: Catastrophic (loss of aircraft & death), Hazardous (increase in crew workload beyond their ability to cope, potential injury/death of passengers), Major (increased crew work load but not so much they can’t cope), Minor (slight increased work load), No Safety Effect. My definitions of each level are paraphrased.

So once the FMEA is completed then each failure is assigned one of the severity levels. Each level has a specific probability associated with it. To keep this somewhat short, the Catastrophic level must have a probability of 1×10^-9. Highly improbable. I don’t have a good fuzzy feeling that this level of analysis has/was performed for the board to make this immediate change to the rules. Worst case I would think that an inadvertent deployment would be hazardous but most likely major and a single point failure is still ok. Only a hazardous or catastrophic failure would require two failures.

If Cris could provide me with the failure modes and effects I would be happy to (with some help with smarter folks at work) perform the final safety analysis.
 
That sounds like a fun exercise... probably a bit of destructive testing in the process. No, I have not done that, although I know the effects of various things breaking in various ways. AFAIK this information is not available for any of the other hobby electronics, either.

If the intent is that there is going to be some kind of TRA certification of electronics, similar to motors, I'm game... where are the standards and test procedures?
 
Cris,

I asked this question very early in this thread but either didn’t see a response or one wasn’t given.

Has a failure modes and effects analysis (FMEA) been performed on the three devices listed in the rule change? By that I mean what are all the ways that a fault could cause an inadvertent deployment event. The reason I ask this is because in a real airplane we determine the severity of the failure event. There are 5 levels: Catastrophic (loss of aircraft & death), Hazardous (increase in crew workload beyond their ability to cope, potential injury/death of passengers), Major (increased crew work load but not so much they can’t cope), Minor (slight increased work load), No Safety Effect. My definitions of each level are paraphrased.

So once the FMEA is completed then each failure is assigned one of the severity levels. Each level has a specific probability associated with it. To keep this somewhat short, the Catastrophic level must have a probability of 1×10^-9. Highly improbable. I don’t have a good fuzzy feeling that this level of analysis has/was performed for the board to make this immediate change to the rules. Worst case I would think that an inadvertent deployment would be hazardous but most likely major and a single point failure is still ok. Only a hazardous or catastrophic failure would require two failures.

If Cris could provide me with the failure modes and effects I would be happy to (with some help with smarter folks at work) perform the final safety analysis.
All indications thus far have been that this change was made without any actual data that served as the basis for determining a change was needed to reduce a known risk. Why assume that actual data would change the decision????
 
You know while we're on the topic of safety and making everything safer...Know what would be REALLY safe? Just not flying rockets at all.

I would say I apologize for my cynicism but...not really.
 
That sounds like a fun exercise... probably a bit of destructive testing in the process. No, I have not done that, although I know the effects of various things breaking in various ways. AFAIK this information is not available for any of the other hobby electronics, either.

If the intent is that there is going to be some kind of TRA certification of electronics, similar to motors, I'm game... where are the standards and test procedures?

Cris

Sent you an email about this.
 
What about those who make their own Arduino altimeters and fly at launches? Those surely should be under more scrutiny than any Wifi switch!
 
What about those who make their own Arduino altimeters and fly at launches? Those surely should be under more scrutiny than any Wifi switch!
The only way those experimentals fly is to have a commercial backup like a RRC3, SLCF, MARSA, Eggtimer product etc. IMO, at least if I am RSO at an organized launch, again it's MY OPINION.

Lots of folks have been arguing about this or that with the new ruling, and only four devices are CURRENTLY approved, maybe the solution is that the other manufacturers of wireless switches whether Wifi, magnetic or whatever need to submit their products for approval.
 
The only way those experimentals fly is to have a commercial backup like a RRC3, SLCF, MARSA, Eggtimer product etc. IMO, at least if I am RSO at an organized launch, again it's MY OPINION.
Maybe at your club but I’ve seen more than a few fly solo at several clubs & I'm not even an RSO.
 
(Asking in all seriousness.)

EDIT: It was pointed out early in this thread that TRA has always required a open circuit for pyrotechnics. Yet I was unable to find that reference in the safety code. Perhaps someone can point it out for me.

With the warning that this definitely is up to interpretation: I’m not looking to argue, just saying this kinda looks like what you’re looking for... if one is super literal/technical in interpretation.

From the Tripoli RSO Guideline Document

Flight Safety Review
Safety First –
At all times prior to a safe firing position on the rod, rail, tower, or other suitable ground support facility, the igniter shall not be inside the motor, and all ejection charge related electronics must be off!

(I think I got the emphasis right from the original... bbcode ain’t perfect)

If you’re literal enough (maybe squint the wrong way?), the 3μA current to power the featherweight switch means the circuit is not actually off. Clearly, that technicality is controversial, and I have no more desire to express my own opinion. If I was a butthead yesterday, I apologize.
 
Reading through responses on avbay disconnects I see comments such as ‘one battery physical disconnect’. I wish it were that easy but on most all my rockets I have two independent systems for a total of FOUR BATTERIES! That is eight legs that must disconnect! I am not aware yet of a small enough gang switch that handles the current let alone not have any ‘bounce’ due to charges or liftoff forces. Silicon IS A SWITCH- that is the basis of modern systems. This poorly thought out decision seeks to outlaw proven systems. It takes me almost 30 min to close up an avbay, hook chutes, assemble rocket. It's as safe as I can make it. My rockets have met 100% of NFPA’s thoughtful definition of INHIBITING all energetics. I know of no safe method to retrofit these rockets to meet Tripoli’s creative interpretation.
 