Redundancy In Rocketry

The Rocketry Forum


AndrewW

I would like to get some opinions on how many of you incorporate redundancy into your High Power Rockets. My background is in the power industry where redundancy is considered an absolute necessity but does have to be weighed against the possible risks of being overcomplicated, i.e. failure to clear a faulted transmission line is really bad but alternatively tripping a line for no reason has its own consequences. I fly a lot of dual deploy and since day one I built a sled with redundant altimeters, batteries and ejection charges that I share among several of my rockets. I have never had a rocket come in ballistic but have had at least two ejection charges fail to fire that checked out OK during pre-flight. I even tend to leave in the motor ejection charge as a tertiary just in case. So I wanted to see when others deem redundant systems "required." I am not specifically talking about just electronics but it could be anything from igniters to chutes.
 
Consider that you're lofting something into the air that can come down with deadly force.

For my L1 and L2 models where the motor delay supports it, I run with the following redundancy:

Apogee:
- Primary Eggtimer Quantum deploys drogue
- Secondary Eggtimer Quantum deploys drogue at +1 seconds (+20% BP charge)
- Motor Delay deploys drogue usually around apogee +2-3 seconds

At 600-1000':
- Primary Eggtimer Quantum deploys main
- Secondary Eggtimer Quantum deploys main at -100' (+20% BP charge)

I like to get my expensive models back in one piece, but more than that I like to bring it down safely.

For my L3, the motor delay doesn't last long enough for a failsafe deploy using motor eject, so I'm running primary plus backup.
 
I run a very similar setup. I just love the Quantums. I really like the ability to arm them remotely as well as being able to adjust my delays and ejection altitudes on the fly. I still use screw switches for power and fairly large 1000 mAh batteries but I usually swap them between rockets and fly them all day. I am in the process of setting up a second sled to help with prepping and just in case I lose this one I am not shut down.
 
I am not familiar with them but do four channel altimeters use redundant processors or allow separate batteries for primary and backup? I understand that ejection charges are one of the weakest elements in the deployment system but having everything on one board with one battery does not appear to be truly redundant.
 
I have a 4 channel Raven, so Apogee, 1 sec past apogee, Main at altitude, 1 sec past main using the power perch with magnetic switch and lipo
Have some Missile Works altimeters. I will use one with a 9V battery and mechanical switch. This is set also for 1 sec past apogee and lower main

2 Apogee charges. First for Raven primary. Second charge has 2 matches - one from delayed Raven output and the other from Missile Works.
Same for the main - 2 charges, total of 3 e-matches.
Two charges each, but 3 means to set them off...

Depending on the motor/rocket combo, I may even leave that set with an excessive delay for a third backup for the apogee event.

I work for a company that designs/builds the computers that fly aircraft. There almost everything flight critical is triple if not quad redundant.
My approach adds a little complexity, and my checklist may be a bit longer to help avoid human error, but I do believe in redundancy

Some people do feel that modern altimeters are sufficiently safe and the extra redundancy just leads to possible human error that could cause a catastrophic return.
This discussion has occurred before
I doubt anyone has firm data one way or the other to prove which way is really best. To get the data we would need to get info on all altimeter based flights.
- How many of these were single altimeters versus redundant systems
- How many had all events occur (fire) vs how many had only the primary or secondary work? (even though a successful recovery there was still a deployment failure)
- How many failed to ever deploy due to the charge not firing (either apogee or main)?
 
If you have a single power supply or a single arming switch to an altimeter then those are points of failure, even if redundant charges/channels are used. I used to use motor backup but then had an ez forward closure fail due to manufacturing problem, so that was redundancy that became a failure mechanism, however the altimeter ejection charge worked and the chute deployed and saved the rocket. I now trust my altimeters more than I trust motor ejection/forward assemblies...I go with sealed forward closures now when I can. I have had an altimeter have a capacitor come off on the main deployment channel so a backup channel is definitely a good idea.

Frank
 
weakest elements in the deployment system but having everything on one board with one battery does not appear to be truly redundant.

Who cares?
Redundant everything is just asking for problems.
Who says a "redundant" failure is a good failure? For instance, as an extreme example, if your SPARE catches fire, is that OK?
Plus, I believe most "failures" are pilot error and piloting twice the electronics is FAR beyond most people and NONE of our altimeters are validated for redundant use.

So ... my view is be redundant where it buys you something and avoid it where it costs you something.....
Electronics DO NOT FAIL unless you abuse them.

BTW - I too work for a company that designs/builds the avionics that fly aircraft. I'm the avionics lead. We try to be SMART about how we partition systems that can fail and those that can't. Redundancy is NOT the answer....more like a crutch in my mind.
 
Electronics DO NOT FAIL unless you abuse them.

Mostly, BUT NOT ALWAYS. There are some failure modes that creep in and are induced by bad manufacturing by the silicon vendors. We have had a few of these over the past two years that have cost the company dearly with warranty costs. In each case the silicon companies denied there was a problem. When we investigated, including decapsulation and electron microscopy, process defects were shown to be the root cause of our company losing about $1M off our profit.

These are mainstream big names in integrated circuits and power devices.
 
My idea (not in practice yet) would be to have a primary altimeter fire at apogee, a secondary altimeter (of a different brand) fire a different charge at apogee +1 second, any motor based ejection charge as a 3rd redundancy. The main would be released but as a drogue, along with a pair of JLCRs tethered together and set to release at the desired altitude.

What I don't know is if there is a way that the primary and secondary altimeters you could fire a 2nd main should the JLCRs fail to release by detecting the altitude being too low AND the speed too high.
 
That's not what "redundancy" is...



:rofl:

Huh? Sure is if you use two 4-channel altimeters! That's entirely possible with a large enough project.
If one flies small, there is no choice but to use a single altimeter. If one has room for additional terminals on the bulkhead by all means other channels can be utilized. An absolutely secure battery and wiring harness is a must in that situation.
There is also the potential discussion about serial vs. parallel wiring of redundant ematches to guard against single match failure. One can consider redundant ematches with a single altimeter system where there is no room for anything else. Kurt
 
If one flies small, there is no choice but to use a single altimeter. If one has room for additional terminals on the bulkhead by all means other channels can be utilized
When really tight you don't get the luxury of terminal blocks. I'm doing something like that currently.

One can consider redundant ematches with a single altimeter system where there is no room for anything else.
Or two ematches in a single charge (like when using an AARD).
 
Mostly, BUT NOT ALWAYS. There are some failure modes that creep in and are induced by bad manufacturing by the silicon vendors. We have had a few of these over the past two years that have cost the company dearly with warranty costs. In each case the silicon companies denied there was a problem. When we investigated, including decapsulation and electron microscopy, process defects were shown to be the root cause of our company losing about $1M off our profit.

Everybody has horror stories.....but we're talking HOBBY electronics here.
Something that gets used for a few hours a year.
Something that is very unlikely to wear out, especially with PWM'ing pyros.
So - unless you abuse them - what's the failure mechanism?

If you're worried about flaky parts then you better use dissimilar altimeters.
Most people can't master wiring and programming one, which opens the door wide open for pilot error.

Then, of course, that mixed pair has undergone how much validation????
 
I understand that ejection charges are one of the weakest elements in the deployment system but having everything on one board with one battery does not appear to be truly redundant.

Actually the weakest element in the system is the human. Electronic failures do and can occur but that rate is probably an order of magnitude or 2-3 lower than human root causes.

Flying (safely) with a single altimeter for a while is the best way to develop your best practices in construction, wiring and configuration choices.
 
Flying (safely) with a single altimeter for a while is the best way to develop your best practices in construction, wiring and configuration choices.

Once you've been "flying safely on a single for a while" why would you want/need to add more?
The only reason I can see is to get past the [silly] rules for an L3 attempt.
 
My idea (not in practice yet) would be to have a primary altimeter fire at apogee, a secondary altimeter (of a different brand) fire a different charge at apogee +1 second, any motor based ejection charge as a 3rd redundancy. The main would be released but as a drogue, along with a pair of JLCRs tethered together and set to release at the desired altitude.

What I don't know is if there is a way that the primary and secondary altimeters you could fire a 2nd main should the JLCRs fail to release by detecting the altitude being too low AND the speed too high.

I used two JLCRs to hold a single chute for my L2 flight. It worked great.


 
Redundancy is to increase the chance of a safe descent rate, be it human, electrical, mechanical, etc. So if it makes you feel better then do it. I personally do, simply from my lack of experience, even though my failures have mostly been of my own making. However, I have had other failures such as primary blowing a charge upon arming at the pad when a big puff of wind hit. My point is it's ultimately the flier's responsibility for safe descent, whatever it takes.

I see what Fred A is saying, build and test techniques take precedence. If you do it right and have 100% successful flights do you really need redundancy? For example, I see people continually testing ejection charges until they have just enough charge to separate rocket - this leaves no room for margin or long left over shear pins holding laundry in and more. Testing definitely sheds light on potential issues.


 
As far as electronics go, I don't believe the low cost altimeters we are using have parts that are truly stressed for infant mortality as that takes time and that costs $$. I have had output xistors go bad twice, one was new and I caught in testing, one went bad in flight even when continuity check was working, and the second channel apogee+1s saved the day, so I'm not a believer that electronics don't fail unless abused. I've also had one of the output caps come off the board in flight causing a brownout as stated above. None of these were abused.

Frank
 
When really tight you don't get the luxury of terminal blocks. I'm doing something like that currently.


Or two ematches in a single charge (like when using an AARD).


Yup. That's about as much redundancy as I can pack into the Transitions of my converted PSII's.
I'm planning to fly 2 altimeters in my L2 since it's got the room.

I think being able to successfully fly with redundancy is a good skill to have in any case. And if you can successfully fly with only one two-channel alt with series or parallel matches, good for you too.
 
I would like to get some opinions on how many of you incorporate redundancy into your High Power Rockets. My background is in the power industry where redundancy is considered an absolute necessity but does have to be weighed against the possible risks of being overcomplicated, i.e. failure to clear a faulted transmission line is really bad but alternatively tripping a line for no reason has its own consequences. I fly a lot of dual deploy and since day one I built a sled with redundant altimeters, batteries and ejection charges that I share among several of my rockets. I have never had a rocket come in ballistic but have had at least two ejection charges fail to fire that checked out OK during pre-flight. I even tend to leave in the motor ejection charge as a tertiary just in case. So I wanted to see when others deem redundant systems "required." I am not specifically talking about just electronics but it could be anything from igniters to chutes.

Hi Andrew,
As you can tell there are lots of ideas about when to use redundant recovery systems as well as arguing about what it truly means.
I come from probably the same background as you. My group maintained and programmed the energy management system for a balancing authority. Depending on the system we would use identical hot swap masters, or a breaker failure system that relied on diversity. I watched a beautiful and expensive rocket destroy itself in spite of redundant (but identical) altimeters because of an algorithm that inappropriately integrated the thrust of the hybrid motor.
For rocketry I have used both types - diversely redundant and identically redundant. For my L3 flight I used two different altimeters, one barometric and one accelerometer based.
Nowadays I just use identical altimeters for projects that cost me too much to take a chance. Smaller projects (3 inch diameter or less) I usually just use a single altimeter that I have great confidence in. But, I use a brand of electric match that I've never had fail; I use only Duracell batteries, and I use parachutes that I'm very comfortable with.
I guess what I'm saying is your confidence in yourself and whatever you use is the most important part.
And always use a checklist.
 
Steve -- in your work, how much TIME and EFFORT was spent designing, reviewing and validating the functionality [both in improved fault tolerance and bug insertion and overall quality] in the HW and SW in those systems? I'm guessing many man-years of "pro's" working the problem.

How's that compare with the collection of parts your average flier puts in their EBay?
 
On my setups that have the room for it, I prefer two altimeters, each with their own power source and switch. This preference comes from my years in professional aviation where full redundancy saves lives, including my own.
 
On smaller rockets where space is tight, I will use 1 altimeter and motor backup as redundancy for the drogue. On the big rockets I have two diverse fully redundant systems, separate switches, power source (Even type, though that is a matter of convenience, 9v alkaline and a lipo), altimeters, and charges. I do not believe this added complexity adds any risk, as it is the same process done twice, one altimeter after the other.
 