Energetics Safety Circuits

The Rocketry Forum


jsdemar

Maybe the Admins can trim this thread and start a new one on Pad Box safety.

Here's my design. It has gone through revisions since 1996. The pad box will work with a wired length of orange extension cord, or as part of a wireless system.

There's an audible screaming alarm if the relay is stuck before arming it. There needs to be an igniter connected, but to test the system before a launch I just connect the clips to make sure there isn't a stuck relay. For the user, if they hear the alarm before arming, disconnect the igniter and tell the RSO/LCO.

The other feature is the autoreset thermal breaker. Cheap automotive part. Protects everything from dead shorts when the button is held down, but has more than enough current for several seconds to light a cluster.

I have a bill-of-materials if anyone is interested.

[Attached image: r4.png]
 
Put one of these in series with the launch leads, especially on an away pad for big stuff...
I had a discussion with a senior member of my club after reading about the stuck relays. Our club has had stuck relays before although I don't believe it caused any problems. I was curious about procedures- our relay boxes do have an "arm" switch that people turn off before connecting igniter leads. However I guessed that in simple form if the relay is stuck when you flip the switch back to "arm" then the starter could fire. I frequently set up an away pad and I've not thought too much about where the relay box is positioned. I move it away from the pad so it won't get engine exhaust on it but it might be only 3' away. I asked if our procedure should be to always put it as far away from the rocket as possible.

Our club apparently has a much more sophisticated system, in a pretty small box at the pad. Besides the arm switch we have continuity indication built in to the box, safe for any igniter commonly used including electric matches. We also have a buzzer in the box that will sound if the relay is stuck even if the box is not armed. Our wiring is such that the relay box can be positioned at least 5' from the rocket. In 15 years of using this equipment there have been no early launches unless the flier forgot to disarm the relay box and the LCO at the same time selected the wrong pad to launch. I have not witnessed such a thing so I don't know how often it has happened.
 
Since most all of the flight computers that are in use now use relatively powerful MCUs, generally with more GPIO than is actually used; i.e. GPIOs are in excess.

Maybe using that excess I/O, and the fact that most all of these I/O are indeed GPIO so they are tri-state. Maybe we can use this and the idea of probability to our advantage and make something akin to a safety circuit.

Imagine that the firing circuit required (2) outputs from the MCU to fire a single output channel. Those MCU outputs take advantage of tri-state (Low-High-HighZ) and say that it requires a high on one output and a low on another output to fire an output channel. That means that at any time, the software (or a glitch) would effectively need to toggle a specific channel high and another specific channel low in order to fire. The chances of that become quite low, especially when the number of overall GPIO count is high, and that each GPIO can have 3 states.

This would be effectively a SAND gate, single-inversion AND gate.

Now imagine applying this logic using a configurable multiple-function gate (CMFG), such as a SN74LVC1G58; page 3 figure 2 of the data sheet.

The MCU uses 2 GPIO wired to inputs A and B of the CMFG, whereas the GPIO in software are set to be normal low and normal high respectively in the normal NO FIRE state. Output Y of the CMFG then controls a normal FET which provides the high current fire output. In this manner, a fire condition would need to be a 1 0 on AB in order to fire. This would dramatically raise the probability of a good fire condition and lower the chance of a misfire condition.
 
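Added example (not from any post in this thread): a Python model of the two-GPIO gate described above, enumerating every pin drive state and every single-pin fault. It assumes bias resistors that pull a floating (High-Z) pin to its NO FIRE level, which the post does not specify, and it generalizes the A=1, B=0 key to any number of pins.

```python
from itertools import product

STATES = ("0", "1", "Z")  # driven low, driven high, High-Z

def gate_inputs(key, states):
    """Level each gate input sees. Assumption: every pin has a bias resistor
    to the complement of its key bit, so a floating pin reads as NO FIRE."""
    safe = ["1" if k == "0" else "0" for k in key]
    return [safe[i] if s == "Z" else s for i, s in enumerate(states)]

def fires(key, states):
    """Fire only when every input matches the key, e.g. key "10" is A=1, B=0."""
    return gate_inputs(key, states) == list(key)

def firing_states(key):
    """Every combination of pin drive states that asserts the fire output."""
    return [s for s in product(STATES, repeat=len(key)) if fires(key, s)]

def single_fault_fires(key):
    """Start from NO FIRE and force one pin at a time into each state
    (stuck low, stuck high, floating); return the faults that fire."""
    safe = ["1" if k == "0" else "0" for k in key]
    hits = []
    for pin, state in product(range(len(key)), STATES):
        trial = list(safe)
        trial[pin] = state
        if fires(key, trial):
            hits.append((pin, state))
    return hits

if __name__ == "__main__":
    # Keys are constructed for illustration; "10" is the post's A=1, B=0 case.
    for name, key in [("one pin", "1"), ("A=1,B=0 gate", "10"), ("4-pin key", "1001")]:
        n_fire, n_all = len(firing_states(key)), 3 ** len(key)
        print(f"{name:13s} fires in {n_fire}/{n_all} states; "
              f"single faults that fire: {single_fault_fires(key)}")
```

A single active-high pin fires on one stuck-high fault, while the two-pin key needs both pins in the wrong state at the same time.
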
To prevent further hijacking of the NSL Incident thread, I've opened up this one on circuits for pad boxes and altimeters. I'll start...

The Eggtimer WiFi-enabled altimeters have a dual-output architecture, both sides of the load are switched separately... there is no battery common. There is over 100K of isolation between the battery and load until both sides have been switched on, the high side by a VN5E160S driver chip and the low-side by a ridiculously over-spec'ed FET that doesn't get turned on until launch detect and the first energetic event is triggered. Having both sides switched helps prevent any one device failure from causing an unintended ground event. In the case of the Proton and Quasar, the high-side isn't triggered by the processor directly... it's triggered by an I2C interface chip, with known states on startup. The FET is connected to the processor, with a 10K pulldown on the gate so it is also in a known state at startup.
 
Moved some of the thread here. Please let me know if there are any others.
 
Guess the hijack was my fault, sorry. But in all honesty, I thought this was about motors going off when they shouldn't.
Chuck, do whatever you think best with my posts. Dave.
 
In the case of the Proton and Quasar, the high-side isn't triggered by the processor directly... it's triggered by an I2C interface chip, with known states on startup.

And I thought I was tricky when I came up with my 2-state input idea last night!! :D

This shows the difference between a professional and someone tinkering around at home trying to learn electronics half way through life. 😆

No lie, that is an amazing idea. The chance of the I2C chip false triggering from an erroneous series of inputs is not non-zero, but it is effectively zero.
 
Another analog method of activating a firing device which I have seen is to use a charge-pump at the output with an RC drain. To charge up the output you would need to send a pulse train at a frequency higher than the time constant of the capacitor drain.
 
In the case of the Proton and Quasar, the high-side isn't triggered by the processor directly... it's triggered by an I2C interface chip, with known states on startup. The FET is connected to the processor, with a 10K pulldown on the gate so it is also in a known state at startup.
The Eggtimer 2-bit approach is safer for activating energetic systems. In the past I used a 4-bit nibble to activate energetic devices during flight. A bit overkill, but safe. Two of my electronic mentors had worked on nuclear weapons activation and safety systems and they used nibbles in industrial safety equipment to prevent accidental activation of alarms.
 
Another analog method of activating a firing device which I have seen is to use a charge-pump at the output with an RC drain. To charge up the output you would need to send a pulse train at a frequency higher than the time constant of the capacitor drain.
I've used the charge pump approach in firing circuits designed to fire NASA standard initiators, in my previous life.
 
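Added example (not from any post in this thread): a simplified Python model of the charge pump with RC drain discussed above, showing why a pin stuck high or low never reaches the firing threshold while a fast enough pulse train does. The component values, the ideal charge-transfer step per rising edge and the 2.0 V threshold are all assumptions chosen for illustration.

```python
import math

VCC = 3.3      # assumed logic supply, volts
STEP = 0.10    # assumed fraction of (VCC - V) transferred per rising edge
RC = 0.010     # assumed drain time constant, seconds
V_FIRE = 2.0   # assumed voltage at which the output stage turns on

def peak_voltage(rising_edges):
    """Highest storage-capacitor voltage for a list of rising-edge times (s).
    Only edges move charge through the pump capacitor; between edges the
    drain resistor discharges the storage capacitor exponentially."""
    v, peak, last = 0.0, 0.0, None
    for t in sorted(rising_edges):
        if last is not None:
            v *= math.exp(-(t - last) / RC)   # RC drain since the previous edge
        v += (VCC - v) * STEP                 # charge packet from this edge
        peak, last = max(peak, v), t
    return peak

def pulse_train(freq_hz, duration_s):
    """Rising-edge times of a square wave at freq_hz lasting duration_s."""
    return [i / freq_hz for i in range(round(freq_hz * duration_s))]

def would_fire(rising_edges):
    return peak_voltage(rising_edges) >= V_FIRE

# Constructed test cases: two stuck-pin faults and three pulse rates.
CASES = {
    "pin stuck low": [],
    "pin stuck high (one edge)": [0.0],
    "100 Hz train": pulse_train(100, 0.2),
    "1 kHz train": pulse_train(1_000, 0.2),
    "10 kHz train": pulse_train(10_000, 0.2),
}

if __name__ == "__main__":
    for name, edges in CASES.items():
        print(f"{name:26s} peak {peak_voltage(edges):.2f} V  fire={would_fire(edges)}")
```

With these assumed values only the 10 kHz train, whose period is far shorter than the 10 ms drain time constant, crosses the threshold.
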
That is not a HPR motor. There are no NAR Model Codes that prevent starters from being in the motor before it's on the pad. That is a HPR rule.
That said, there are a lot of clubs that have club rules that G motor starters are to be inserted at the pad and not during prep. Obviously, you'd need to talk to the RSO about the preferred way of doing that.
 
There may be one more exception, which is the aerospike motor. Also, I know I have taken the E6 motor apart at the pad and inserted the igniter then. (This can be difficult in cold weather.) This was after I passed the RSO inspection and was beyond the flight line and at the pad. I believe I have done the same thing for the G12. The E6 and G12 are end-burners (often used in gliders) and the igniter needs to be placed in a small slot in the grain for reliable ignition just prior to putting the nozzle back on and turning the end-closer into place.
 
No exceptions are needed. Simply establish a special preparation table on the range where these special case motors can be assembled.
Everywhere I fly at I've had the J615 aerospike, which is a HP motor and one of the 'special case' motors......and the RSOs have always said to simply assemble the motor back at my work table by the car and ensure the igniter leads were shorted. As an added precaution I keep the motor out of the rocket so that it can be thrown in the ditch/away from people and NOT make a hand launched flying missile if anything untoward happens.
 
Once again, model rocket motors are not included in the rules requiring igniters to only be in place out on the range.
Right! Just adding that besides the motors that need to have the igniters in place before final assembly that there are also others that make it much easier to insert the igniters before sitting on the pad.
 
That is not a HPR motor.
I don't think that matters. It's not a G80, where the ignitor can be installed at the pad. The point is, the ignitor has to be built into the motor as part of the manufacturer's instructions. It cannot be installed at the pad. It would have been even more of an issue when Copperheads were used, as they can't easily be shunted.
 
There are a lot of Hobbyline motors that are C-slots also. Trying to insert the igniter in the launch position is not very easy. I insert all my igniters in MPR motors before hitting the launch pad. The chance of an igniter going off without being "hooked up" has to be pretty close to impossible.
Get a bamboo satay skewer. During assembly, you can use it to poke up inside before final tightening to make sure all cores are aligned. After assembly, you can give it a final poke to make sure the ignitor has a clear path.
 
Thank you Steve for that explanation.

7-2 While installing an igniter and at all times afterward, the rocket must remain pointed in a safe direction (away from all people.)

Difficult to see how you can maintain the integrity of the generally applied rule above without having to use an approved area.
 
I don't think that matters. It's not a G80, where the ignitor can be installed at the pad. The point is, the ignitor has to be built into the motor as part of the manufacturer's instructions. It cannot be installed at the pad. It would have been even more of an issue when Copperheads were used, as they can't easily be shunted.

I have no idea of what your point is. Under NAR rules you can put the ignitor into the motor of a model rocket engine before the pad or range. Some clubs have other rules but that is fine for them and I am glad they make arrangements for how to do that.

What matters is HPR codes vs Model Codes, that is all. And Club rules trump everything; ask Bob Brown about his rules at Airfest. Like take that rocket to the M away cells... He is correct and can say what his club wants to protect them from.
 
so far afield, so little time....

bottom line with the thread is follow the safety code for HPR or LPR/MPR as appropriate.
yes, clubs can put additional requirements. that's for them to decide not for us to debate.
 
There may be one more exception, which is the aerospike motor. Also, I know I have taken the E6 motor apart at the pad and inserted the igniter then. (This can be difficult in cold weather.) This was after I passed the RSO inspection and was beyond the flight line and at the pad. I believe I have done the same thing for the G12. The E6 and G12 are end-burners (often used in gliders) and the igniter needs to be placed in a small slot in the grain for reliable ignition just prior to putting the nozzle back on and turning the end-closer into place.
Yeah, I found out about the aerospike igniter thing after I was on the pad... still haven't flown it.
 
Everywhere I fly at I've had the J615 aerospike, which is a HP motor and one of the 'special case' motors......and the RSOs have always said to simply assemble the motor back at my work table by the car and ensure the igniter leads were shorted. As an added precaution I keep the motor out of the rocket so that it can be thrown in the ditch/away from people and NOT make a hand launched flying missile if anything untoward happens.

1. RSOs are authorized to implement more restrictions than required by the Safety Code, but they may not waive or relax the requirements of the Safety Code.
2. The intent of the Safety Code is that igniters may not be installed in high power motors except at a special preparation area or at the pad. The goal is to only have igniters inside of high power motors when they’re safely on the range. Motors should not have igniters in them when they’re being carried through areas that include spectators or in hotel rooms or in vehicles. What if something happens that causes a person to remove a rocket with an aerospike motor from the pad? Do they then carry the rocket back through the crowd with the igniter in it?
3. Safety Code compliance is a prerequisite to insurance coverage, so any accident that occurs when a requirement of the Safety Code is violated will not be covered.
4. Our Safety Code requirements are intended (maybe hoped is a better word) to work together in layers to provide protection. This is especially true of the rules that limit igniters in motors to the range and igniters connected to a device only at the range.
a. Igniter out of motor except on range.
b. Igniter disconnected from ignition circuit except when vertical.
c. Ignition circuit disarmed except when ready to launch.
The goal is to reduce the risk that one forgotten step can result in a motor firing at the wrong time. When we intentionally decide (for whatever reason) that any of those three rules can be waived, forgetting one or two of the other rules is much more likely to allow an incident to happen.
5. I have left aft closures loose before and inserted igniters at the pad for moonburners. Having a small table and chair on the range side of the flight line certainly makes it easier. Wouldn’t that work for aerospike motors as well?
 
Irrespective, you're detecting if the channel is live ie. if a relay is stuck closed or if a short has occurred somewhere or the channel's somehow activated inadvertently, so it should be okay to detect in amps. You don't need to over complicate things or introduce false positives to detect a very high % of hazardous scenarios that in themselves only happen very seldom.
We were talking about stuck relays in which case there would be a potential for a lot of current at the clips.

I'm not an electronic expert so I don't know what kind of equipment failures could cause higher current flow. I've been told that the equipment at my club will do a safe check for continuity for any igniter currently in use. What components in that circuit could fail in a way that would allow for higher current to be transmitted during a continuity check?
 