Revision to Tripoli Rule Regarding Wireless Remote Switches

[cerving]

so what it appears is that an eggtimer wifi switch used to enable the power to an eggtimer proton or quantum is approved

and these would be separate devices

That is not a correct interpretation of the rule. You still need to physically disconnect power to either the electronics OR power to the energetics. The only exception that the Eggtimer WiFi products were given is that you are allowed to close the switch (whatever it may be...) before raising the rocket to a vertical position, since the electronic switch controls power to the energetics and it must be explicitly armed for that power to be applied. If you choose to do so, you must ensure that any malfunction would not put any ejected parts of the rocket in the path of anyone.

 

[Speaknoevil]

I hope I'm "established" enough to be in on the call...

I would hope so since you have been so highly impacted.

 

[Frederocket]

so Fred, what did you do to the missileworks screw switches to make them have resistance both on screwing and unscrewing so they don't vibrate closed?
all the ones I have have a loose fit and the screw can vibrate closed, and I have used 5/8" screws instead of the really short ones that come with it

Other than replacing the short screw with longer screws, nothing. Although in addition, speaknoevil suggested use of VC-3 Vibratite is an option I am going to use. Probably order from McMaster Carr, beings I have an account. According to the manufacture email inquiry response, there products are available from Amazon, Grainger, and MC.

 

[Steve Shannon]

so what it appears is that an eggtimer wifi switch used to enable the power to an eggtimer proton or quantum is approved

and these would be separate devices

Not yet approved methodology. I used two WiFi switches as an example in one conversation but that would depend on whether the meetings result in an agreement that we need two independent inhibits and if the WiFi switches meet the standards for use as inhibits.

 

[gtg738w]

I would hope so since you have been so highly impacted.

Agreed, but we should emphasize that solid state switches that can be turned on remotely still offer significant safety benefits. The question is if they are sufficient to use alone or if they should be paired with a mechanical lock out. I would hope people don’t replace WiFi switches with mechanical versions.

 

[Charles_McG]

If it were merely about redundancy around a single point of failure, then this discussion would be much shorter. But there also seems to be an issue with use of solid state isolation vs mechanical isolation. And maybe a lack of appreciation of just -how- many mechanical devices are in use and their various shortcomings.

For single point of failure discussions, magnetic detectors and the ET Wifi Switch are likely in one group, since a failure 'merely' powers an altimeter. It takes two failures to send power to an energetic, be they hardware or software.

The Eggtimer Quantum is the weakest example I've used. Since power and deployment are managed by the same CPU, it's harder to argue for it. If BOTH output channels failed electrically closed, or a software failure closed -both- of them, power goes to the energetic. I have seen a single IO line fail closed on a Quark. Caught during post construction testing. But two? Still - same chip.

The Eggtimer Proton is a bit more robust, since the common side is on a CPU output channel, and the (+) side is on a separate port expander. One electrical failure can't delivery power to an energetic. A single software failure would have to both close the common output line AND formulate a command string and send it to the port expander. Those are very different jobs - it's not like accidentally getting a bit mask wrong. It's one CPU - but can those failures REALLY happen together? It looks like it would have to be multiple software failures to me, but for those unconvinced, It at least points to where software should be carefully reviewed.

(That's my understanding, hopefully I haven't mis-characterized the devices.)

Alas, i have no experience with Kate, nor other systems.

 

[Frederocket]

Thank you, that's all I was looking for. Would you agree that some screw switches are less safe than a magnetic switch? Or do you feel that all screw switches are safer than the magnetic switch in question?


Tony

Tony,
Obviously all screw switches are not equal and some, as a result, are much less than 100% safe. As for as magnetic switches are concerned, I'm not completely on board yet. However, what ever the experts and the TRA BOD decide will be good enough for me. That being said, w-fi switches, should still require a power system switch break of some kind.

Maybe I'm just gun-shy, but while pulling RSO some years back, I experienced, (on the RSO inspection table), an inadvertent apogee and main discharge anomaly . It's an experience to behold and I never want that experience again... When that crap happens, you have no time to react and it is pure luck if no one gets hurt or worse.

 

[Titan II]

so Fred, what did you do to the missileworks screw switches to make them have resistance both on screwing and unscrewing so they don't vibrate closed?
all the ones I have have a loose fit and the screw can vibrate closed, and I have used 5/8" screws instead of the really short ones that come with it

Not Fred, but I use a lot of missileworks screw switches. I have never had a screw vibrate closed by permanently deforming the threads of the screw to provide resistance. This has been discussed in the past regarding screw switches.

 

[jbr]

it seems that very few devices can be used
so we give up launching until this is settled

 

[VernK]

For single point of failure discussions, magnetic detectors and the ET Wifi Switch are likely in one group, since a failure 'merely' powers an altimeter. It takes two failures to send power to an energetic, be they hardware or software.

Something that worries me a little bit about this idea is that two failures might not necessarily be required to fire the energetics if the altimeter is designed to power-up in a "ready to launch" state. As I think most do. In that case, all it takes is a single failure that powers on the altimeter and then for the altimeter to think it detected launch. A poorly designed launch detection algorithm based on an accelerometer can be fooled if the user simply shifts the orientation of the rocket. An altimeter using baro pressure to detect launch could also be fooled by the user taking the rocket apart and causing a slight pressure change. It seems it would be better to use an altimeter that does not power-up into a ready-to-launch state. In other words, one that needs to be specifically told to go into launch detect mode after power-on. Then I would agree, it takes two failures to fire the energetics.

 

[Steve Shannon]

I hope I'm "established" enough to be in on the call...

I think you already know the answer. [emoji851]

 

[cerving]

Both the Quantum and Proton power up disarmed, and the WiFi Switch powers up with the output "off". To ready them for flight, besides having continuity on any enabled output channels, you have to connect to the SSID with an 8-digit unique passkey, and arm it with a 4-digit arming code that changes every 60 seconds. If you have a misfire, you can remotely disarm them as well in a similar manner.

 

[manixFan]

Tony,
Obviously all screw switches are not equal and some, as a result, are much less than 100% safe. As for as magnetic switches are concerned, I'm not completely on board yet. However, what ever the experts and the TRA BOD decide will be good enough for me. That being said, w-fi switches, should still require a power system switch break of some kind.

Maybe I'm just gun-shy, but while pulling RSO some years back, I experienced, (on the RSO inspection table), an inadvertent apogee and main discharge anomaly . It's an experience to behold and I never want that experience again... When that crap happens, you have no time to react and it is pure luck if no one gets hurt or worse.

What kind of switch was being used? Mechanical, magnetic, or wifi?


Tony

 

[Speaknoevil]

it seems that very few devices can be used
so we give up launching until this is settled

Or use a:

 

[Charles_McG]

Something that worries me a little bit about this idea is that two failures might not necessarily be required to fire the energetics if the altimeter is designed to power-up in a "ready to launch" state. As I think most do. In that case, all it takes is a single failure that powers on the altimeter and then for the altimeter to think it detected launch. A poorly designed launch detection algorithm based on an accelerometer can be fooled if the user simply shifts the orientation of the rocket. An altimeter using baro pressure to detect launch could also be fooled by the user taking the rocket apart and causing a slight pressure change. It seems it would be better to use an altimeter that does not power-up into a ready-to-launch state. In other words, one that needs to be specifically told to go into launch detect mode after power-on. Then I would agree, it takes two failures to fire the energetics.

I think we should all distinguish between a WiFi switch and a WiFi enabled altimeter. The possible failure modes are quite different.

The WiFi enabled altimeters being discussed boot into a disarmed, user interaction state. Quite unlike a more traditional flight computer that boots up to ‘waiting for launch’. Heck, with the Proton, you have to enter a 4 digit, constantly changing code as Cris describes. But the code isn’t available unless the accelerometer says the rocket is printed up. It can’t assess that unless the accelerometer is calibrated. It won’t let you calibrate until a power on warmup period has elapsed. Lots of steps.

Even with the traditional flight computer - false launch detect is a second failure. It’s not a normal operation. The launch detection experienced a false positive- that’s a failure that’s different from , oh, the FET failing closed, or a power up transient allowing current through.

Anecdotally, it does seem to be a failure that happens with some frequency. But that doesn’t make it a normal operating state.

 

[Frederocket]

What kind of switch was being used? Mechanical, magnetic, or wifi?


Tony

It was a Black-Sky ALTAC, (1st version). With the battery installed you get the initialization blinking light, (no way to turn it off). To arm the unit on the pad required the use of an onboard mounted screw switch. On the rocket that popped both ends, the screw switch was not engaged, verified after the fact. Something happened internally with the ALTAC. As I had an ALTAC, I removed the board mounted battery on my unit, replacing it with a external battery mount,(not attached to the unit), wired to the unit through a switch so the power could be turned off on the ALTAC. At the pad I turned on the power and then armed the unit with the screw switch. Latter ALTAC units had the capability to install a remote switch board, controlling both power-up and arming via two screw switches mounted on a separate board. Still have several of the newer units and remote switch boards. However, by today's standards there a little clunky for smaller rockets.

 

[jderimig]

It seems it would be better to use an altimeter that does not power-up into a ready-to-launch state.

Vern, thoughtful post but for me that is a Hard No.
The top 5 priorities of a rocketry recovery altimeter are:

• Deploy the recovery system
• Deploy the recovery system
• Deploy the recovery system
• Deploy the recovery system, and finally
• Deploy the recovery system.

An altimeter once powered should be actively on-guard to detect launch and operate, whether the launch was intentional or not. I never want to the system to miss a launch, even if that means erring on the side of detecting a launch that did not exist. You have to choose which error you would rather have.

Creating a power-on, non-operative state creates another error that can happen. The result will be more holes in the ground than before.

 

[cerving]

"The adoption of remotely switched avionics can greatly reduce the risk of user injury caused by the ignition of a sustainer motor or deployment charge when a staging controller or altimeter is turned on."

The words of the TRA BoD, not mine.

 

[jbr]

so it appears that some switches can fail mechanically such as shurter which have a stated 300 duty cycle and I have seen them fail after 10 or 20
the missileworks and like screw switches can vibrate closed with the standard screw unless that screw is modified with a well placed hammer blow to slightly flatten the threads and make it not prone to vibration

since it has been posted that a twist and tape method is good but only if the wires are kept apart until twisted (I have seen one failure in the pits of the wires coming together and blowing the charge)

so to keep the device (whether it be an altimeter or other device) that is connected to the energetic device powered off, we want to have a way to easily power up this device on the pad

1 twist and tape
2 screw switch
3 wifi switch
4 other types of connection methods

if we are to know what is allowed then it needs to be specifically spelled out what is allowed and what is not
and the RSO needs to know what to check for

 

[jderimig]

"The adoption of remotely switched avionics can greatly reduce the risk of user injury caused by the ignition of a sustainer motor or deployment charge when a staging controller or altimeter is turned on."

The words of the TRA BoD, not mine.

Not sure if that was in response to my post but I wasn't arguing against remotely switched avionics. Current state however is that we are putting more holes in the ground than blowing people off ladders....

 

[manixFan]

....<snipped for brevity>....
I am sticking with the AltAcc2. Simple (runs on a 8 bit PIC) and includes an arming switch which disconnects the outputs from the battery.

It was a Black-Sky ALTAC, (1st version). With the battery installed you get the initialization blinking light, (no way to turn it off). To arm the unit on the pad required the use of an onboard mounted screw switch. On the rocket that popped both ends, the screw switch was not engaged, verified after the fact. Something happened internally with the ALTAC. As I had an ALTAC, I removed the board mounted battery on my unit, replacing it with a external battery mount,(not attached to the unit), wired to the unit through a switch so the power could be turned off on the ALTAC. At the pad I turned on the power and then armed the unit with the screw switch. Latter ALTAC units had the capability to install a remote switch board, controlling both power-up and arming via two screw switches mounted on a separate board. Still have several of the newer units and remote switch boards. However, by today's standards there a little clunky for smaller rockets.

Hmmm, according to Dave the AltAcc disconnects the outputs from the battery, which is what is required to be compliant. But you say the it popped the ignitors even with that switch open, which implies that it does not break power to the outputs. Which is correct? I still have at least one working AltAcc 2C altimeter and looking though the manual, I can't find a circuit diagram that expressly shows what the arm switch does.

But on the other hand, we're talking about an altimeter originally designed in the late 1990's so I'm not sure how relevant it is to this discussion.


Tony

 

[Charles_McG]

Not sure if that was in response to my post but I wasn't arguing against remotely switched avionics. Current state however is that we are putting more holes in the ground than blowing people off ladders....

Prove that’s due to the devices in discussion: Eggtimer and Kate.

Really prove it. Spreadsheets and hypothesis testing. What’s the t-ratio?

 

[cerving]

Not disagreeing with you there John, but ladders are evil when you're standing on one while arming an "O" motor or with 10 grams of BP next to your face. How many of the deployment failures that you have seen could be traced to altimeter malfunction? Darn few, I bet. The reality is that the recovery system is just that... a system, made up of many components. All of them have to work properly to get a successful recovery. I've seen just about every part fail at one time or another, but honestly the most robust part is the electronics. Any of the commercial units have been well vetted, and when properly used are highly reliable. There's a lot of other pieces that can fail, though... batteries, connectors, connections (that's why I'm a bigot against screw terminals... one less failure point), bad ematches (seen that!), BP not sufficient or too much and it blows up the payload bay, charge wells fracturing (yes, I've had that happen!), chutes getting stuck in the payload bay (very common), shear pins that don't shear, coupler shoulder getting stuck in the tube (had that happen too...), shock cords breaking, eyebolts opening up... the list is pretty much endless. Virtually all of the deployment failures that I've seen have been mechanical in nature... unfortunately, it's tough to do a post-mortem on a bunch of crushed fiberglass mush that you dug up from 3 feet in the ground.

 

[Frederocket]

Hmmm, according to Dave the AltAcc disconnects the outputs from the battery, which is what is required to be compliant. But you say the it popped the ignitors even with that switch open, which implies that it does not break power to the outputs. Which is correct? I still have at least one working AltAcc 2C altimeter and looking though the manual, I can't find a circuit diagram that expressly shows what the arm switch does.

But on the other hand, we're talking about an altimeter originally designed in the late 1990's so I'm not sure how relevant it is to this discussion.


Tony

The original ALTC, is considerably different than the newer versions. As said earlier the battery was installed; why it malfunctioned I have no idea. Whatever the cause it was internal to the unit with power applied that could not be turned off when brought to the RSO, (Me). Being relevant to the discussion is a matter of opinion. I used the example of what can go wrong when power applied is not broken by a switch and the unit goes to S#$t. Hopefully most folks understand.

 

[jderimig]

Prove that’s due to the devices in discussion: Eggtimer and Kate.

Really prove it. Spreadsheets and hypothesis testing. What’s the t-ratio?

I haven't indicted any specific devices. With that, this will be my last "contribution" to this thread. Cheers.

By the way its p-value.....not t-ratio.

 

[Charles_McG]

I haven't indicted any specific devices. With that, this will be my last "contribution" to this thread. Cheers.

By the way its p-value.....not t-ratio.

Good heavens, I've tried to swear off this thread a couple times. My mental diet keeps failing me. I have to watch. It's like a car wreck.

p, t - interchangeable with the right pieces in place. And which test you're actually doing. I happened to be looking at t-ratios today because JMP hides very small p-values, and I thought the t-ratio told me more about variability that was all significant anyway.

 

[jbr]

Altacc is powered on by the battery but is armed by the screw switch
no power is put to the outputs until it is armed and it trickles to test the ematches

my issue with altacc was you had to provide an extra switch if you wanted to turn it on from outside the ebay

I did help with the download code as it had some bugs as issued

 

[cerving]

Thinking about it on the drive home (this is LA after all, so you generally have a lot of time to think in traffic), I think I misspoke. Most deployment failures are not mechanical... they're PROCUDURAL. Things like: Not properly arming the altimeter (was that two beeps or three?); forgetting the powder in the wells; not closing quick links; being in a hurry and stuffing the chute in too tight; not checking the shock cords for damage after each flight; etc...

I think that was John's point, that having a wireless arming system may increase the chance of somebody forgetting to arm their altimeter for flight. I've seen that done with switches, too... more than once. It all boils down to familiarity with the electronics, and making sure that all the i's are dotted and the t's are crossed. Then again, that's what a checklist is for, right?

So, we're back to ground safety vs flight safety... hopefully we can find a good resolution to this conundrum.

 

[manixFan]

The original ALTC, is considerably different than the newer versions. As said earlier the battery was installed; why it malfunctioned I have no idea. Whatever the cause it was internal to the unit with power applied that could not be turned off when brought to the RSO, (Me). Being relevant to the discussion is a matter of opinion. I used the example of what can go wrong when power applied is not broken by a switch and the unit goes to S#$t. Hopefully most folks understand.

I don't understand how you are equating a powered on altimeter that failed to what we are discussing. In the current situation the altimeters are powered off, the issue is how that power is switched. I think everyone here understands the difference between carrying an altimeter with power actively supplied vs. one that requires a switch of some kind. But maybe I misread that.


Tony

 

[Frederocket]

I don't understand how you are equating a powered on altimeter that failed to what we are discussing. In the current situation the altimeters are powered off, but the issue is how that power is switched. I think everyone here understands the difference between carrying an altimeter with power actively supplied vs. one that requires a switch of some kind. But maybe I misread that.


Tony

It is what it is. I don't understand what you don't understand that has already been explained. I really have nothing at this point to further contribute. I await the decision of the TRA BOD.

Edit: I repeat: Being relevant to the discussion is a matter of opinion. I used the example of what can go wrong when power applied is not broken by a switch and the unit goes to S#$t. Hopefully most folks understand.