- Joined
- Jan 22, 2009
- Messages
- 351
- Reaction score
- 47
Still don't know if it's presently legal to power-on a TeleMega into idle mode while horizontal at the pad, raise it to vertical, and then remotely arm it by rebooting to flight mode.
Revision to Tripoli Rule Regarding Wireless Remote Switches
- Thread starter Steve Shannon
- Start date
Help Support The Rocketry Forum:
- Status
mikec
Well-Known Member
- Joined
- May 9, 2009
- Messages
- 3,029
- Reaction score
- 839
Well said, Charles. The only thing I'd add is that some have said that the restrictions on magnetic switches were made to be compliant to 1127, not go beyond it. I don't think that's true, because as you point out 1127 uses an ambiguous word that requires interpretation. I presumed that it was that interpretation that kept the magnetic switches allowable since their introduction.
I can't argue with Eric's logic in #926 that if a switch doesn't satisfy the definition of inhibit in 4.13.7 it can't be used at all, period. Seems like the board is trying to have their cake and eat it on that.
BBrown
Phoenix Driver
Fred,
I hate to say this but no one knows what’s “legal” and what’s not. I’ve tried to follow along with the explanations and quite frankly I really haven’t a clue. Wearing my AirFest launch directors hat, I’ve tried to figure out how to implement these changes at our launch. Unless I get slapped down by the Tripoli BoD, AirFest is going to look something like this.
Rule 1, don’t power up any electronic devise that has the ability to energize either an ejection charge or a motor in the spectator area. If you want to test your continuity on your ejection charges, ask one of us and we will find you a place well away from your camp neighbor to do so safely (at least for them).
Rule 2, no igniters in staged or clustered rockets until well out on the range. We have a table set up well away from folks for you to do this. From this table you will go directly to the pads.
Rule 3, once at the pads, point your rocket away from the folks around you (and the crowd) and do whatever you have been doing in the past with regard to arming your electronics.
Rule 4, if you are even a little be unsure of what you are doing or are nervous, ask one of the pad managers for help. We have several experienced members roaming around and we collectively will figure it out.
At my day job, there have been times where perhaps we hadn’t thought through every permutation before implementing a policy. We call it “Ready - Fire - Aim”. When we find these mistakes we have to swallow our pride and do the right thing to fix it.
This rule appears to be a bit of “Ready - Fire - Aim” to me.
I think it is but I don’t yet know where this is going.
Edited to add the underlined wording.
Here’s my confusion/ignorance. The Telamega isn’t one of the devices the board has approved but I really want to get away from approving devices. The conversations we’re having with the manufacturers will help us figure out a direction. Until then I don’t want to make things worse than they are now by getting any kind of board approval of anything until we have a direction. So, right now I don’t really know. Until I know more I recommend leaving it powered down until vertical.
Last edited:
- Joined
- Feb 3, 2012
- Messages
- 6,349
- Reaction score
- 5,561
Just like it's "legal" to power up a Quantum/Proton or Kate II horizontally, raise it, then arm it vertically.
JimJarvis50
Well-Known Member
- Joined
- Jan 17, 2009
- Messages
- 2,882
- Reaction score
- 1,786
About 900 posts ago, I mentioned that the rule was not only allowing this, but also implying the people could close the switch between the altimeter and the igniter as long as they were "out at the pad". Moving a rocket to vertical, with powered electronics and a clear path to the igniter, is a really bad idea. The "safety" of this is based on the premise that the altimeter will function as designed. I can tell you that with some altimeters, this is a bad assumption. The closest I am personnally willing to get to this is to have a wifi switch separate from the altimeter. The wifi can be powered up while horizontal, and at least you know there isn't power to the altimeter when the rocket is moved. And even with this approach, I still have a disconnect and/or shunt in the igniter path. If it's OK to power up "combo" devices when horizontal, then it can't be OK to have the disconnect switch closed. Just my $0.02.
Jim
Last edited:
Yes this is the interpretation that was close to a consensus position at the meeting, though a consensus was not yet reached. The way I would put it is that when any independent switch is in the output-off state to keep the altimeter powered off, that meets the intent of the rule, because it would take 2 independent failures to get the altimeter to fire charges from that condition. (switch failing on, altimeter deciding to fire charges pre-launch). That fault-tolerant condition is required from connection of energetics (e.g. loading of BP) to being in a safe configuration at the pads.
On the "demonstration" idea, I agree that we're just talking about answering questions similar to what an RSO might ask about CP vs CG. "How do you know your altimeter is off?" The answer might be "because it's an altimeter that would be beeping if it were on" or "because this LED isn't on" or "because the status on my phone shows it's off." The answers will depend on the specific hardware being used, but whatever it is, the flyer needs to be aware of their responsibility to have the controller off, and be able to tell when it's off.
Last edited:
We also discussed that we wanted to have follow-on discussions focused on airstart safety. I'm very much with you on the above. I would also recommend being able to verify that the deployment charges are connected and armed before a separate step to arm the airstart igniter. This is similar to the principle in single-stage rockets that you want to hear that the altimeter is working and that the deployment charges are ready to go, before connecting your single-stage igniter to the launch system (or better yet, before even inserting it). If your altimeter misbehaves when you power it up, you don't want to find that out with the airstart igniter fully connected and ready to go.
Last edited:
I was one who felt that this was insufficient because I think that altimeters have too many easy ways to fire their outputs: configuration , programming, wiring, av-bay construction, electrical interference, wind gusts, etc. At nearly every large launch we see altimeters fire charges on the pad.
Because it’s possible to get an altimeter to fire a charge at the wrong time while still working as designed, I don’t consider an altimeter firing it’s charges an independent failure.
That’s a decent summary.
I'm surprised at this, because in my personal experience, this is a very rare occurrence.
mikec
Well-Known Member
- Joined
- May 9, 2009
- Messages
- 3,029
- Reaction score
- 839
I don't know of any modern altimeters that can be programmed to fire anything at power-on without launch detection. In my experience the very rare events of firing at power-on have always been due to shorts or reversed polarity in the wiring, though I have heard of older altimeters being affected by very strong RF fields from some radio systems (the Garmin dog trackers, for example.)
And I'm still not seeing what the switch technology has to do with this. Do you honestly think that installing a battery at the pad is safer? It's just going to lead to more mishaps. I always wire up my bays at home and test them beforehand, then install charges at the launch site.
Last edited:
- Joined
- Jan 22, 2009
- Messages
- 351
- Reaction score
- 47
I appreciate the response and point-of-view. But there is also a risk involved with climbing a ladder or launch tower, as would be required to clear shunts or physically enable igniter connections.
Without getting deep into my safety analysis, I find this to be particularly the case with the 3 and 4 stage rockets I fly: the more stages the more unlikely it is that the altimeter would be tricked into firing the stage motor igniter. Of course it is imperative to assure no one is directly in front of or directly behind when power is applied.
It's all a matter of how to manage all the risks involved.
I know we both practice and strongly advocate the most important multistage safety procedure; the stage-by-stage, igniters-out full-up test just prior to loading the rocket on the rail. Just can't overstate how important this is.
...Fred
Without getting deep into my safety analysis, I find this to be particularly the case with the 3 and 4 stage rockets I fly: the more stages the more unlikely it is that the altimeter would be tricked into firing the stage motor igniter. Of course it is imperative to assure no one is directly in front of or directly behind when power is applied.
It's all a matter of how to manage all the risks involved.
I know we both practice and strongly advocate the most important multistage safety procedure; the stage-by-stage, igniters-out full-up test just prior to loading the rocket on the rail. Just can't overstate how important this is.
...Fred
1. I honestly think that if an accidental deployment happens it will be safer at the pad than if it happens at the RSO table or amongst spectators behind the flight line.
2. I honestly think that having the power completely disconnected until the rocket is at the pad eliminates the possibility of an accidental deployment anywhere other than the pad.
3. I honestly think that we need to figure out what we consider completely disconnected, but we’resure that physically disconnected is completely disconnected so that’s what the board has required for now. We’ll continue to work with the manufacturers to figure this out.
4. I honestly think that using a remote switch at the pad also reduces risk for the flyer.
Kelly
Usually remembers to get the pointy end up
Thanks Adrian, Steve. That sounds very reasonable. I interpreted "Demonstrate" to mean something more invasive, thanks for the clarification.
mikec
Well-Known Member
- Joined
- May 9, 2009
- Messages
- 3,029
- Reaction score
- 839
I assume you mean "inhibited", as that's the language that 1127 uses.
I can't dispute any of your points, but I'm deeply concerned that with the current lack of clarity, there's going to be an accident caused by an effort to comply with the rule that wouldn't have happened otherwise.
Steve, I'm just curious -- have you ever flown a rocket with a Featherweight magnetic switch personally?
UhClem
Well-Known Member
- Joined
- Feb 6, 2009
- Messages
- 2,052
- Reaction score
- 443
The NFPA rule also applies to the launching system. ("firing circuits") So you need to think about how this is going to effect those systems.
I have not.
Speaknoevil
Well-Known Member
- Joined
- Mar 18, 2018
- Messages
- 1,144
- Reaction score
- 551
Not quite true. There is at least one product from a well-known manufacturer that has a "mirroring" mode where a power-on, in conjunction with a hold-off time (IIRC), will initiate auxiliary channel activity. The mode is there to fit a specific application, but it can bite you as instructions/operation are a bit obscure.
Last edited:
Agreed
mikec
Well-Known Member
- Joined
- May 9, 2009
- Messages
- 3,029
- Reaction score
- 839
Agreed, but if you have a shorted MOSFET then the airstart igniter is just going to fire when you close the mechanical switch on that channel, unless there is some self-test capability that AFAIK most altimeters don't have. I'm not sure this is an improvement; that switch might be giving you a false sense of confidence for some failure modes.
I sure hope there aren't altimeters on the market that randomly glitch and fire their outputs at power-on. I've never encountered one and if I did I would toss it. Though let's not talk about how dirty and glitchy the power-on sequence could be for the industry standard "twist-and-tape" method.
I always test my altimeter ignition channels as part of my at-home assembly process.
Last edited:
Thank you.
That’s part of the problem; we have a wide variety of devices that can be programmed by the flyers to work in an even much wider variety of ways. It’s terrific from the perspective of being able to do just what you want, but can be overwhelming in the number of ways to be programmed incorrectly. I don’t wish to have the limited choices we had twenty years ago, but I want to have some simple rules that everyone can follow and which are easy to check. One of my friends says we’ve already made the rule too flexible; that we should have just required that all manufacturers include a switch port or screw switch on their devices that physically interrupts all power.
mikec
Well-Known Member
- Joined
- May 9, 2009
- Messages
- 3,029
- Reaction score
- 839
Agreed. And we had that in NFPA 1127 4.13.7 until "inhibit" was reinterpreted.
- Joined
- Jan 23, 2009
- Messages
- 5,989
- Reaction score
- 4,097
An altimeter has one prime job, to detect launch, fire the charges and deploy the recovery system. Around launch detection an altimeter can make two errors:
1. Detecting a launch falsely. (detecting a launch when one doesn't occur).
2. Failing to detect a launch.
An algorithm designer has a choice on which error is to be biased again. In my opinion the choice should be to avoid error 2 at all costs, which means that there will be some bias toward error 1.
We have a wide diversity of altimeter maturity at our launches, from designs that have been in use for over a decade to homemade DIY'ers writing virgin algorithms with little to no flight history (and everything in between).
So once an altimeter is powered on they can be susceptible to error 1, which makes the risk of firing charges real and indeterminate.
But, again, it wasn’t a reinterpretation; we checked with the person who wrote the requirements to see what the correct original interpretation was.
Is your question about process - who owns the DFMEA, or is it whether there is willingness to help out?
The design owner would need to ultimately "own" the analysis since they are accountable for the product they design and/or produce. I'm absolutely willing to help / participate in any way I can be of service.
mikec
Well-Known Member
- Joined
- May 9, 2009
- Messages
- 3,029
- Reaction score
- 839
In my experience, that's not how regulations work. Once they're written down you don't get to interrogate the author about what they meant, you have to interpret what they actually wrote.
My best technical judgement is that the BOD is free to interpret "inhibit" as being satisfied by a magnetic switch.
At any rate, I've said my piece and I don't think I've convinced you of anything or am anywhere close to doing so. But I do appreciate you taking the time to respond.
The question is would you and the others recommending DFMEA be willing to help perform those risk analyses. I don’t know much about them; I’ve never done them or used them.
In my professional background we used the word “inhibit” frequently to refer to Boolean conditions that would prevent software functions from activating outputs. In my mind it’s not constrained only to physically disconnected power. I could imagine solid state switches fulfilling that role (including magnetic switches), but I think there must be some common operational requirements that all such devices obey.
That’s what I hope comes out of the meetings we have.
- Joined
- Feb 3, 2012
- Messages
- 6,349
- Reaction score
- 5,561
Hopefully some guidelines will be coming out soon... some of us are waiting so we can provide guidelines to our users, and/or modify our products accordingly.
If Tripoli is interested in going down the path of a DFMEA analysis being a part of a "self-certification" process without owning a certification responsibility, I would think that a committee would be formed to put the process together, and the vendors would own the analysis of their designs. Is that what you were thinking as well, or am I off-base? But the offer stands to help in any way I can.
- Status
