# Redundant altimeters

#### jderimig

I can understand having redundant charges for each stage of deployment, but would it really be a good idea to have, say, both apogee charges running off the same altimeter? That would make the altimeter itself a single point of failure. That's one of the advantages of having dual altimeters, where if one goes stooopid on you, the other one will probably still function.
Connections (power and ematch) are by far the root of most electrical system failures of which altimeter failures belong.

I would venture next down the list would be inadequate ignition devices (homemade ematches, non-pyrogen devices, damaged ematches). Commercial ematch failures are exceedingly rare when applied correctly.

Redundant power and redundant deployment channels with a single altimeter most likely will have 90% (99%?) of the reliability of a properly implemented totally redundant system. The trouble is that simply hooking up two altimeters in parallel is not necessarily a proper implementation of such.

--john

#### FredA

John,
You are SO right....

What I see are wiring errors, programming errors, bad charges and bad shear pins.........nothing that adding more electronics helps, only make worse.

Bring on the holy war....
Two altimeters hacked together is not a proper redundant design.

#### DAllen

> John,
> You are SO right....
>
> What I see are wiring errors, programming errors, bad charges and bad shear pins.........nothing that adding more electronics helps, only make worse.
>
> Bring on the holy war....
> Two altimeters hacked together is not a proper redundant design.

Okay...I have 6 dual deploy flights under my belt so I am pretty green when it comes to this. What would be a proper redundant design?

Not sure I get what you mean by hacking together 2 altimeters. I thought a good redundant setup had 2 alts wired completely separately to completely separate charges with separate arming switches.

I can attest to what John said with my limited experience in the dual-deploy world that all of the failures I've had have been because of some error I've made. I've learned that ground testing is key and simplicity is your friend.

-Dave

#### jderimig

> I thought a good redundant setup had 2 alts wired completely separately to completely separate charges with separate arming switches.

The latter is not necessarily terrible practice given what is available commercially. However the above will statistically double the chance of a premature deployment, increase the opportunity for wiring error 2x to 8x over a single system and leave the system vulnerable to EMI induced errors from two altimeters working close together (depending on the design of the individual altimeters).

> What would be a proper redundant design?

A proper redundant design has a third module which monitors the 'health' of the individual systems and arbitrates which one to use in case a fault is detected.

Unfortunately such a system is not available commercially and probably never will because not enough people would appreciate this approach to make a viable market for it.

#### kramer714

this shouldn't be that hard....

In my day job I build airplane and munition stuff, it is very common to do a failure mode analysis for critical parts (and someone considers every part critical!!)

Here is the thing, first you need to look at two different problems, design and operation. For design, does my system have the correct design, has it been tested, do the pieces fit together correctly, etc. For operation, was the rocket prepped correctly, did anything get damaged from the previous flight, did I use the correct components, did I follow the checklist, etc.

You need to assume that the design was done correctly and VALIDATED as best as you could prior to launching. IF you didn't ground test the rocket, it shouldn't be a surprise if something goes wrong in flight. You can have a bad design, if you test for it you should be able to identify the problems.

I have had two rockets come in ballistic both were times I didn't ground test with the exact setup I launched, shame on me, luckily I didn't hurt anyone but the two crashes cost some serious .

Back to failure analysis,
for each possible failure mode, rate them for detectability, criticality, and frequency. For aircraft we use a one to 10 scale, a 1 is the lowest, a 10 is the highest. Multiply the three numbers together and you get a risk priority number. A 1 (1x1x1) never happens, couldn't possibly miss it before launch, and if it did happen you wouldn't care. A 1000 (10X10X10) will always happen, you never see it coming, and someone gets hurt. Realistically you never have a 1 or a 1000.

Doesn't have to be complicated, in fact you can keep it easy. Just rate everything with a low - medium - high rating. Just by doing the FMEA you figure out ways to prevent failure. Let's look at one failure mode, failure of the charge to deploy at apogee. I attached a quick spreadsheet that looks at the failure mode, this isn't comprehensive just to give you an idea of how it works. To simplify I used a 1,2,3 scale. If the RPN is higher than 4 something has to change. This type of analysis is what helps figure out the value of added features.

View attachment sample rocket fmea.xls
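
The scoring described in this post, as an added Python example that is not part of the original post or the attached spreadsheet. It uses the simplified 1-2-3 scale and the RPN limit of 4 from the post; the causes, their ratings and the mitigations are constructed for illustration.

```python
from dataclasses import dataclass, replace

SCALE = (1, 2, 3)   # low, medium, high (the post's simplified scale)
RPN_LIMIT = 4       # post: "If the RPN is higher than 4 something has to change"


@dataclass(frozen=True)
class Cause:
    name: str
    detectability: int  # 1 = cannot miss it before launch, 3 = never see it coming
    criticality: int    # 1 = you would not care, 3 = someone could get hurt
    frequency: int      # 1 = almost never happens, 3 = happens often

    def __post_init__(self):
        for attr in ("detectability", "criticality", "frequency"):
            if getattr(self, attr) not in SCALE:
                raise ValueError(f"{self.name}: {attr} must be 1, 2 or 3")

    @property
    def rpn(self) -> int:
        """Risk priority number: the three ratings multiplied together."""
        return self.detectability * self.criticality * self.frequency


def needs_change(causes):
    """Causes whose RPN exceeds the limit, worst first."""
    flagged = [c for c in causes if c.rpn > RPN_LIMIT]
    return sorted(flagged, key=lambda c: (-c.rpn, c.name))


def apply_mitigations(causes, overrides):
    """Re-rate causes after a mitigation; overrides maps name -> changed ratings."""
    return [replace(c, **overrides.get(c.name, {})) for c in causes]


# Constructed ratings for the failure mode "no charge fires at apogee".
BASELINE = [
    Cause("dead or weak battery", detectability=2, criticality=3, frequency=2),
    Cause("loose wire at terminal", detectability=3, criticality=3, frequency=2),
    Cause("bad e-match", detectability=2, criticality=3, frequency=1),
    Cause("altimeter not switched on", detectability=1, criticality=3, frequency=1),
]

# Constructed mitigations, each expressed as the rating it changes.
MITIGATIONS = {
    # voltage check on the checklist plus a second battery
    "dead or weak battery": {"detectability": 1, "frequency": 1},
    # continuity check and tug test on the checklist
    "loose wire at terminal": {"detectability": 1},
    # resistance check of every e-match before installation
    "bad e-match": {"detectability": 1},
}

if __name__ == "__main__":
    for label, causes in (("before", BASELINE),
                          ("after", apply_mitigations(BASELINE, MITIGATIONS))):
        print(label)
        for c in needs_change(causes):
            print(f"  RPN {c.rpn:2d}  {c.name}")
```

With these constructed ratings the loose wire stays above the limit even after the checklist item is added, which is the point at which a design change (rather than another check) has to be considered.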

#### DAllen

> The latter is not necessarily terrible practice given what is available commercially. However the above will statistically double the chance of a premature deployment, increase the opportunity for wiring error 2x to 8x over a single system and leave the system vulnerable to EMI induced errors from two altimeters working close together (depending on the design of the individual altimeters).
>
> A proper redundant design has a third module which monitors the 'health' of the individual systems and arbitrates which one to use in case a fault is detected.
>
> Unfortunately such a system is not available commercially and probably never will because not enough people would appreciate this approach to make a viable market for it.

That is a really interesting take on standard operating procedures for a lot of rocketeers.

So if a monitoring module is not available to us average joe rocket guys what is the next best thing we can do to reduce error? In other words, how is your alt-bay setup?

-Dave

#### jderimig

> That is a really interesting take on standard operating procedures for a lot of rocketeers.
>
> So if a monitoring module is not available to us average joe rocket guys what is the next best thing we can do to reduce error? In other words, how is your alt-bay setup?
>
> -Dave

Dave,

I think kramer714's post and checklist items in his attached FMEA file is an excellent place to start.

I think that many (not all) jump to the dual altimeter route as a way to tolerate error as opposed to reducing it. It is much better to develop a robust SOP with a single altimeter first THEN employ a second if you feel you must. Don't adopt dual altimeters as a way to skip the former.

My alt-bay for high reliability: A single 4-channel robust altimeter with redundant and incremented apogee charges. Optionally redundant main charges.

As an aside: The NAR and TRA redundant altimeter rule for L3 flights doesn't help the cause either. It teaches the wrong lesson.

--john

#### kramer714

> The latter is not necessarily terrible practice given what is available commercially. However the above will statistically double the chance of a premature deployment, increase the opportunity for wiring error 2x to 8x over a single system and leave the system vulnerable to EMI induced errors from two altimeters working close together (depending on the design of the individual altimeters).

I disagree with the logic here. Again putting it in airplane terms (sorry that's my day job), using that logic a 4 engine airplane would have 4 times (or more?) the failure rates of a single engine airplane. A 4 engine plane has a higher chance of an engine failure causing an in flight shutdown but less of a chance of a forced landing.

Would a ground test find a mis-wired altimeter? IF the main and drogue charges were reversed (easy to prevent but still a possibility) the failure mode would be main deployed at apogee, not great but not as bad as having no event at apogee. If I have 2 IDENTICAL altimeters with 2 independent systems I have reduced the chance of;

A single bad battery causing no event
A single bad e-match causing no event
poor packing in a charge holder causing no event
a loose wire causing no event
a failed altimeter causing no event

Arguably I haven't changed the chance of;
shear pins failing to break
failure to turn on altimeter (if you forget 1 you probably would forget two)
incorrect sample hole size causing too early of a deployment (hard to ground test)

You have increased the chance of
a failure in an altimeter causing a premature event
both charges going off at EXACTLY the same time causing airframe failure

All of the failure modes could be reduced by ground testing. I could even make the argument that a single altimeter with two batteries would get most of the benefits of having 2 altimeters.

I would argue that a wiring DESIGN failure should be detected during ground testing, a wire installation problem, most likely would be the incorrect wiring of the main / drogue, or a loose wire, the loose wire is less likely to cause failure with redundancy. The chance of miswiring the main / drogue, again should be prevented, but could increase in likelihood by having 2 altimeters. But what is the criticality? Main at apogee better than nothing at apogee.

The third system that is used in aircraft is to give a correlation of information, in other words 2 altimeters that disagree doesn't give much information, having 3, gives the chance to determine what system is giving potentially false information.

A separate system that monitors the other two is standard with 2 altimeters, the ground check is the third check. Different voltages from two batteries, stop what is the bad battery, resistance in charges the same... stuff like that. Having gone over the failure analysis, in my large rockets I use the same charge size for the main and drogue, this eliminates the chance of using the wrong size charge.

Sorry, putting away soap box, cracking open a beer, sitting back down now...

#### jderimig

> I disagree with the logic here. Again putting it in airplane terms (sorry that's my day job), using that logic a 4 engine airplane would have 4 times (or more?) the failure rates of a single engine airplane. A 4 engine plane has a higher chance of an engine failure causing an in flight shutdown but less of a chance of a forced landing

We don't disagree, I think you read things in my post I did not say.

I said that using two altimeters increases the opportunities for error. I did not say the failure probability would increase.

A plane with 4 engines all things being equal has 4 times the probability of an engine failure. The consequence of that event is much less severe.
edit: Because of increased opportunities for error multi-engine planes require pilots and mechanics with higher levels of certification not less....

We also agree on your last point, a single altimeter with redundant power and deployment channels is probably the best solution. That was stated in my opening post.

-john
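
The two statements in this exchange, carried through as an added worked example (not from any poster). It assumes the two altimeters fail independently, each with probability $p$ of failing to fire and probability $q$ of firing prematurely; $p$ and $q$ are illustrative symbols, not measured values.

$$P(\text{no deployment}) = p^2, \qquad P(\text{premature deployment}) = 1-(1-q)^2 = 2q - q^2 \approx 2q \quad (q \ll 1)$$

With constructed values $p = q = 0.01$, the chance of no deployment falls from $10^{-2}$ to $10^{-4}$ while the chance of a premature deployment rises from $10^{-2}$ to about $2 \times 10^{-2}$. Anything shared between the two units (a common wiring mistake, EMI between boards) breaks the independence assumption, so $p^2$ is a lower bound on the first figure.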

#### FredA

Agree with John 100%.
Keep it simple -- lowest amount of wiring & programming -- stuff most people think they know but really don't.... IMHO.

Single, robust altimeter with two batteries and four pyro charges (twin apogee and twin low-altitude) are the way to go....

No interference between units.
No ground loops or other wiring faults.

One system to focus on, not two to get confused between.

KNOW WHAT YOU FLY -- FLY WHAT YOU KNOW.

#### cjl

As far as wiring faults go, I wish more altimeters used the system that the R-DAS uses - it has a wiring harness you solder into the electronics bay, and there is a single (8 pin IIRC) connector that is keyed to only insert one way. It contains power and all deployment connections, so as long as you wire it right the first time (preferably well before launch, with zero stress and far less time pressure), you cannot miswire the altimeter.

> As far as wiring faults go, I wish more altimeters used the system that the R-DAS uses - it has a wiring harness you solder into the electronics bay, and there is a single (8 pin IIRC) connector that is keyed to only insert one way. It contains power and all deployment connections, so as long as you wire it right the first time (preferably well before launch, with zero stress and far less time pressure), you cannot miswire the altimeter.

I think there's the same opportunity for other altimeters. If you wire up your av-bay and stake down the wires up close to the altimeter, you can remove and re-install an altimeter without any real risk of mis-wiring. With the Parrot and (soon) Raven screw terminal blocks with 0.1" spacing, you can use a standard 0.1" pitch pin header if you want to, and plug it into the end of the board.

One failure mode that hasn't been discussed yet is the effect of off-nominal flights spoofing the sensors. If a rocket has a bad corkscrew due to an off-center CG, misaligned fins, or fin ripped off, the accelerometer can measure more axial acceleration than actually went into upward motion, leading to a late apogee detection. If the rocket is unstable, apogee detection could be after landing. Baro sensors can be spoofed by Mach transients, sunlight falling on the sensor, or a blocked pressure port. Having different output channels governed by different sensor types can eliminate common-cause failures. The Raven altimeter will have 4 outputs, any of which can be controlled by the user's choice of sensed events. The default setup for the 4 channels will have an accel-based apogee detection with a baro-based apogee backup, and a baro-based main deployment with a time-delay option for a main backup deployment.

#### kramer714

Hadn't really thought about changes in the dynamics of flight causing a failure. Tough to ground test and could be caused by 'singular events'. I had a rocket get rod whipped once, came off the pad at almost 90 degrees, skipped once off the ground and then proceeded to fly a perfectly stable flight at a 30 degree angle to horizontal (serious crowd points for this one!!).

This was motor deploy but I did think about what if it was electronic deploy? Hitting the ground and then ricocheting up certainly would mess with most sensors.

Question for you, how do you use multiple different sensors to detect something has gone out of the ordinary? Wouldn't the most affected sensor cause the worst failure? In other words wouldn't the sensor that thinks it is time to deploy first going to send off the charge regardless of what it should do?

This is the logic I have used to use two of the SAME altimeters for backup. Figuring if one type of sensor sends off a charge early, it doesn't matter what the second one wants to do. Having two of the same lessens the chance of having a misfire due to the logic the sensor uses.

I'm curious about your thoughts on this, you certainly have more experience with the sensors.

> Hadn't really thought about changes in the dynamics of flight causing a failure. Tough to ground test and could be caused by 'singular events'. I had a rocket get rod whipped once, came off the pad at almost 90 degrees, skipped once off the ground and then proceeded to fly a perfectly stable flight at a 30 degree angle to horizontal (serious crowd points for this one!!).
>
> This was motor deploy but I did think about what if it was electronic deploy? Hitting the ground and then ricocheting up certainly would mess with most sensors.
>
> Question for you, how do you use multiple different sensors to detect something has gone out of the ordinary? Wouldn't the most affected sensor cause the worst failure? In other words wouldn't the sensor that thinks it is time to deploy first going to send off the charge regardless of what it should do?
>
> This is the logic I have used to use two of the SAME altimeters for backup. Figuring if one type of sensor sends off a charge early, it doesn't matter what the second one wants to do. Having two of the same lessens the chance of having a misfire due to the logic the sensor uses.
>
> I'm curious about your thoughts on this, you certainly have more experience with the sensors.

It depends on the specific cases, but in general, once the rocket is off the ground, the worst failure from a safety point of view is a failure to deploy, rather than a premature failure.

For the Featherweight altimeters, there are several flight conditions that are measured on-board that can be used to trigger deployments, like accel-based vertical velocity estimate less than 0 (accel-based apogee), time > a user-specified value, pressure increasing, etc. When all of those conditions are true, the charge fires. The outputs are set up by default to use the most common and useful combinations of these triggers, but you can use the Featherweight Interface Program to change them with an easy-to-use GUI.

To prevent a premature deployment from Mach transient effects, you can use the accel-based vertical velocity estimate to ensure the baro is ignored below a user-defined velocity value, say 500 mph. Then even if the accel velocity estimate is affected by a sideways flight, a baro-based apogee detection will still fire right near apogee, as long as the accel-based velocity estimate is within 500 mph of the correct value.

If the baro sensor fails or is out of whack for some reason, you will at least get an apogee deployment based on the accelerometer. If you really want to have a sensor-proof backup, you could assign one or more of the channels to be a straight timer backup, but obviously you would need to adjust it for each flight, and you still need the accelerometer to detect the liftoff.
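
The trigger logic described in this post, as an added Python model that is not part of the original post and is not Featherweight firmware or its Interface Program. Each output channel fires at the first sample where all of its conditions are true; the function names, the flight data (velocity in mph, pressure in kPa) and the two injected faults are constructed assumptions.

```python
from dataclasses import dataclass, replace
from typing import Callable, Optional, Sequence


@dataclass(frozen=True)
class Sample:
    t: float          # seconds since liftoff was detected
    accel_vel: float  # mph, vertical velocity integrated from the accelerometer
    pressure: float   # kPa at the baro sensor


Condition = Callable[[Sample, Sample], bool]  # (previous sample, current sample)


def pressure_increasing(prev: Sample, cur: Sample) -> bool:
    return cur.pressure > prev.pressure


def accel_velocity_below(limit_mph: float) -> Condition:
    return lambda prev, cur: cur.accel_vel < limit_mph


def time_after(seconds: float) -> Condition:
    return lambda prev, cur: cur.t > seconds


def first_fire(conditions: Sequence[Condition],
               samples: Sequence[Sample]) -> Optional[float]:
    """Time at which every condition of a channel is true at once, else None."""
    for prev, cur in zip(samples, samples[1:]):
        if all(cond(prev, cur) for cond in conditions):
            return cur.t
    return None


# Constructed flight in 1 s steps: (accel velocity mph, pressure kPa).
# The pressure jump at t=3 stands in for a Mach transient; apogee is at t=12.
_RAW = [(0, 100.0), (400, 98.0), (800, 94.0), (750, 95.5), (650, 86.0),
        (560, 82.0), (480, 78.5), (400, 75.5), (320, 73.0), (240, 71.0),
        (160, 69.5), (80, 68.5), (0, 68.2), (-30, 68.4), (-60, 68.9),
        (-60, 69.5)]
FLIGHT = [Sample(float(t), float(v), p) for t, (v, p) in enumerate(_RAW)]

BARO_UNGATED = [pressure_increasing]                             # no velocity gate
BARO_APOGEE = [pressure_increasing, accel_velocity_below(500)]   # gated at 500 mph
ACCEL_APOGEE = [accel_velocity_below(0)]
TIMER_BACKUP = [time_after(14)]                                  # set per flight


def biased(samples, mph):
    """Fault: accelerometer overestimates velocity (corkscrew or sideways flight)."""
    return [replace(s, accel_vel=s.accel_vel + mph) for s in samples]


def blocked_port(samples):
    """Fault: baro reading stuck at the pad value."""
    return [replace(s, pressure=samples[0].pressure) for s in samples]


if __name__ == "__main__":
    cases = {"nominal": FLIGHT, "accel +200 mph": biased(FLIGHT, 200),
             "blocked port": blocked_port(FLIGHT)}
    channels = {"baro ungated": BARO_UNGATED, "baro gated": BARO_APOGEE,
                "accel apogee": ACCEL_APOGEE, "timer": TIMER_BACKUP}
    for case, data in cases.items():
        print(case, {name: first_fire(ch, data) for name, ch in channels.items()})
```

In the constructed data the ungated baro channel fires at the t=3 transient, the gated channel waits until just after apogee even with the biased accelerometer, and the accelerometer channel covers the blocked port.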

#### TWRackers

> I think there's the same opportunity for other altimeters. If you wire up your av-bay and stake down the wires up close to the altimeter, you can remove and re-install an altimeter without any real risk of mis-wiring. With the Parrot and (soon) Raven screw terminal blocks with 0.1" spacing, you can use a standard 0.1" pitch pin header if you want to, and plug it into the end of the board.

Ahhh... there's something I can relate to.

On the Rocketry Planet auctions, under Electronics, there are these handy little Altimeter Wiring Kits which will let you equip an altimeter with latching two-conductor connectors for the power and the two output channels of your typical altimeter. I've so equipped both of the altimeters in my Level 3 rocket and clearly labeled both sides of each connector so that the chances of mis-connecting something is pretty close to nil. I don't consider the additional connectors to add any significant risk, they're crimped well onto the wires and they latch positively. Screw terminals worry me a lot more, so I prefer getting them right once and leaving them alone. Of course, these are just my opinions, we'll see in October if I had the right idea.

#### sandmantoy

With all the things that can go wrong on a flight the quality of your workmanship goes a long way. I have not seen too many altimeter failures, more their installation. Taking your time in wiring them so the wires are not flopping around inside the bay. If you are going to swap it from rocket to rocket put the wires so they can not be mixed up. Label harnesses that will be removed all the time. I myself hate to lose a rocket that I put a lot of work into from something I rushed through and slapped together. Build it for success makes the percentage of failure on your side every time.

#### Diosces

> Ahhh... there's something I can relate to.
>
> On the Rocketry Planet auctions, under Electronics, there are these handy little Altimeter Wiring Kits which will let you equip an altimeter with latching two-conductor connectors for the power and the two output channels of your typical altimeter. I've so equipped both of the altimeters in my Level 3 rocket and clearly labeled both sides of each connector so that the chances of mis-connecting something is pretty close to nil. I don't consider the additional connectors to add any significant risk, they're crimped well onto the wires and they latch positively. Screw terminals worry me a lot more, so I prefer getting them right once and leaving them alone. Of course, these are just my opinions, we'll see in October if I had the right idea.

I like the wiring kits on RP, all standard Radio shack stuff but all in one nice little package.
BTW one helpful tip when using connectors. I wired the drogue wiring harness to altimeter terminal with the female connector and the main wiring to alt with male so they can NOT be mistakenly interchanged.

#### sandmantoy

> I like the wiring kits on RP, all standard Radio shack stuff but all in one nice little package.
> BTW one helpful tip when using connectors. I wired the drogue wiring harness to altimeter terminal with the female connector and the main wiring to alt with male so they can NOT be mistakenly interchanged.

I do the same with my connectors, it's a good tip I have been using the small RC connectors. All pyro wiring gets yellow heat shrink also.

#### Rocketjunkie

I run the e-match leads directly to the altimeter. The twist and tape down arming wires are made from one of the e-match leads. All wiring is fresh every flight. If using a harness that is reused every flight, stranded wire helps but does not eliminate the possibility of a break under the insulation.

#### quickburst

> The latter is not necessarily terrible practice given what is available commercially. However the above will statistically double the chance of a premature deployment, increase the opportunity for wiring error 2x to 8x over a single system and leave the system vulnerable to EMI induced errors from two altimeters working close together (depending on the design of the individual altimeters).
>
> A proper redundant design has a third module which monitors the 'health' of the individual systems and arbitrates which one to use in case a fault is detected.
>
> Unfortunately such a system is not available commercially and probably never will because not enough people would appreciate this approach to make a viable market for it.

I guess it's all in the way you get used to doing things. I have flown dual alts with separate charges many, many times. Including my L-3, which was required by my TAPS. I have flown the Perfectflight HA45, and the MAWD together several times. I have also flown the ARTS2 with the HA45 or the MAWD. I have never seen any kind of problem.

As a matter of fact this set up has saved my bacon once, I was flying the HA45 and the MAWD together and had a battery problem with the HA45. The battery used on the HA45 must have been bad out of the box. The HA45 fired the apogee event on cue, then refused to fire the main charge. Fortunately the MAWD took care of business and the rocket recovered without any problem. Post flight showed that the main event match did not light. Testing showed that the Duracell battery was dead as a door nail, this explained the failure. This was a 6" X 12 foot Rocket on a "M" motor, saved by the dual alt set up.

I use the redundant alt set up with 100% success .... to date. Further, I know a great many of seasoned flyers that use it as well.

OCYMMV

#### jderimig

> As a matter of fact this set up has saved my bacon once, I was flying the HA45 and the MAWD together and had a battery problem with the HA45. The battery used on the HA45 must have been bad out of the box.
> OCYMMV

Dave,

Thank you for the example that supports mine (and FredA's) contention that redundant power supplies and a single robust altimeter is the way to go.

#### sandmantoy

When I have a large investment into a rocket I like to have 2 altimeters, having back up power is good idea also if you have the room. It also seems safer to me, using 2 altimeters. Most of the failures I have seen were battery related or wiring issues. I have had a battery failure at extreme temps before along with others at the same launch. Pushed out the drogue but didn't have any left for the main, it was 17deg. out on the field and gusts a little past 7mph wind. Seven pound rocket recovered with only drogue into foot and a half of snow with no damage from 3800ft.

I use nickel metal hydride 9.6 volt rechargeable batteries now. A fresh alkaline battery is still one of the best for power out of the gate though. You have to purchase them from a place where you think they get replaced often to make the odds better that you are getting fresh batteries. The rechargeables, I know they are fresh when I charge them. As my rockets get bigger I will probably try out a redundant power supply next.