Revision to Tripoli Rule Regarding Wireless Remote Switches

Discussion in 'Rocketry Electronics and Software' started by Steve Shannon, Feb 4, 2020.

Help Support The Rocketry Forum by donating:

  1. Feb 4, 2020 #31

    jderimig

    jderimig

    jderimig

    Sponsor TRF Sponsor

    Joined:
    Jan 23, 2009
    Messages:
    3,020
    Likes Received:
    445
    If my job was setting explosives in a building I would insist the ignition system be totally electrically dead (zero potential energy). I would never accept my safety or other's safety to depend on a properly operating PN junction, firmware, construction quality and the use history of the live electronics. But hey, that's just me.
     
  2. Feb 4, 2020 #32

    Steve Shannon

    Steve Shannon

    Steve Shannon

    Well-Known Member

    Joined:
    Jul 23, 2011
    Messages:
    5,676
    Likes Received:
    2,016
    Location:
    Butte, Montana
    I can’t help that you read between the lines, but it doesn’t seem to me to be smart for me to add more lines for you to read between. [emoji851]

    That’s a smart use of the header!
     
    Speaknoevil, Voyager1 and timbucktoo like this.
  3. Feb 4, 2020 #33

    ksaves2

    ksaves2

    ksaves2

    Lifetime Supporter TRF Lifetime Supporter

    Joined:
    Nov 25, 2009
    Messages:
    5,670
    Likes Received:
    127
    As I recall, when power is applied to the featherweight switch it defaults to power on which may not be a good idea. I had to magnet ready to turn it off. Plus one can't store the connected battery to a featherweight as it draws a low amount of current even in the off position so the battery will die over time. I thought the TRS defaults to off when power is applied and can only be armed by the transmitter? Perhaps Cris might comment. I've setup MD rockets switchless with a TRS and in standby mode there is nothing beeping or indicating power on.

    Oooops, Never mind. I missed #23 above. Kurt
     
  4. Feb 4, 2020 #34

    Steve Shannon

    Steve Shannon

    Steve Shannon

    Well-Known Member

    Joined:
    Jul 23, 2011
    Messages:
    5,676
    Likes Received:
    2,016
    Location:
    Butte, Montana
    The safety reports that Dr. Jay Apt did for NAR are all I know of. I agree that failed recovery is a problem. This added rule only affects people who have adopted wireless remote switches, but it should also be obvious if you don’t have the battery connected; the wireless remote switch won’t be available. It’s not as if you can enable the wireless remote switch but forget to connect the battery.
     
  5. Feb 4, 2020 #35

    Charles_McG

    Charles_McG

    Charles_McG

    Ciderwright

    Joined:
    Sep 12, 2013
    Messages:
    2,406
    Likes Received:
    497
    Location:
    SE Wisconsin
    If you are now switching a second battery for deployment power, or using a switch to power the deployment side while the microprocessor side is already up and running (like the Quantum or Proton) then this is -exactly- the new failure mode that's been introduced.
     
    davdue and g.pitts like this.
  6. Feb 4, 2020 #36

    JimJarvis50

    JimJarvis50

    JimJarvis50

    Well-Known Member

    Joined:
    Jan 18, 2009
    Messages:
    2,313
    Likes Received:
    485
    Sort of along the same lines, for staging, I use a WiFi "switch" to provide switched power into another altimeter (let's say an EasyMega) in combination with an igniter shunt or a disconnect. I'm OK with powering up the wifi switch with the rocket horizontal because I can verify that the EasyMega doesn't turn on. After raising the rocket, I can "arm" the wifi switch and verify that the EasyMega boots up correctly. Finally, I arange so that the shunt or disconnect can be removed or closed from the ground or on first motion of the rocket. (My magnet shunt was an example of exactly this approach)

    I am much less comfortable with the idea of a WiFi switch when turning on the power to the WiFi switch also powers up the staging electronics. I'll mention the Telemega as an example, and perhaps some of the Eggtimer products (although I don't know the specifics of their design). If Tripoli is saying that such "combination" electronics are OK, and that the disconnects to the igniter can be closed prior to raising the rocket, then I would say this is a glaring oversight. It may have been a glaring oversight prior to the action of the Board, but the action now implies that it is acceptable.

    Jim
     
    Rocket501 and Steve Shannon like this.
  7. Feb 4, 2020 #37

    Steve Shannon

    Steve Shannon

    Steve Shannon

    Well-Known Member

    Joined:
    Jul 23, 2011
    Messages:
    5,676
    Likes Received:
    2,016
    Location:
    Butte, Montana
    Certainly, none of the Featherweight devices are outlaw devices. I’m not sure why you would make such an association. I’ve been impressed by Adrian and his various devices since before I first met him in Colorado more than ten years ago.

    Our rules always required that electronics be physically disconnected until placed on the pad. At LDRS 36, the board received a request to allow the Eggtimer WiFi switch to be used without a physical disconnection. After reviewing how it worked and receiving input from Cris Erving we agreed to allow that specific device to be used. That was an exception. Until recently nobody else has requested such an exception.

    A manufacturer simply needs to write to me asking to be considered. Either I or someone on the board or designated by the board will then discuss it with the manufacturer in email and report back to the board. The board will vote on it and either add it to the list or not. I don’t anticipate us doing independent testing. This is the first time we created the list but it will be placed on the Tripoli website.
     
  8. Feb 4, 2020 #38

    Eric

    Eric

    Eric

    Well-Known Member

    Joined:
    Jun 19, 2017
    Messages:
    1,148
    Likes Received:
    300
    Gender:
    Male
    Location:
    Vacaville, CA
    It also brings to light, that everyone using only a magnetic switch is violating the safety code.

    It also brings to light, that anyone using just the "switch" terminals on your altimeter, does not have a physical break between the pyrotechnics and the battery.
     
    Rocket501 and Charles_McG like this.
  9. Feb 4, 2020 #39

    Charles_McG

    Charles_McG

    Charles_McG

    Ciderwright

    Joined:
    Sep 12, 2013
    Messages:
    2,406
    Likes Received:
    497
    Location:
    SE Wisconsin
    If the purely solid state isolation that the Eggtimer devices provide (haven't met a Kate to know to include it or not) aren't sufficient, then by logic, the purely solid state featherweight magnetic switch MUST fall into the same rules. It can't count as 'disconnecting' from power - the switch is powered, 'awake', and controlling current.
     
    dvdsnyd likes this.
  10. Feb 4, 2020 #40

    Steve Shannon

    Steve Shannon

    Steve Shannon

    Well-Known Member

    Joined:
    Jul 23, 2011
    Messages:
    5,676
    Likes Received:
    2,016
    Location:
    Butte, Montana
    I’m just getting ready to travel, but I’d like to understand this better, Jim. I don’t believe anything we’re saying should be taken to mean that a person should eliminate any disconnects. We’re just saying the power to the WiFi switch must be dead when taking it up to be inspected and carried out onto the range. We’re okay with the power to the WiFi switch being reconnected at a prep area before the rocket is raised vertical.
    Would you not allow the use of a wireless remote switch to switch power to your staging electronics after your rocket is vertical?
     
  11. Feb 4, 2020 #41

    Steve Shannon

    Steve Shannon

    Steve Shannon

    Well-Known Member

    Joined:
    Jul 23, 2011
    Messages:
    5,676
    Likes Received:
    2,016
    Location:
    Butte, Montana
    I completely agree. I was objecting to him saying that I made the magnetic switch sound like an “outlaw”, which is a negative connotation that I didn’t imply.
     
  12. Feb 4, 2020 #42

    Steve Shannon

    Steve Shannon

    Steve Shannon

    Well-Known Member

    Joined:
    Jul 23, 2011
    Messages:
    5,676
    Likes Received:
    2,016
    Location:
    Butte, Montana
    The first one, yes, I think it does.
    The second one, it depends on how the switch terminals are used by the circuit.
     
  13. Feb 4, 2020 #43

    Charles_McG

    Charles_McG

    Charles_McG

    Ciderwright

    Joined:
    Sep 12, 2013
    Messages:
    2,406
    Likes Received:
    497
    Location:
    SE Wisconsin
    And your reply in the very next post goes on to say exactly that.
    I actually think you did imply it, even if you didn't mean to. And I know the 'you' isn't 'Steve Shannon the individual person', but 'The TRA BoD, or representative(s) thereof'.

    But at least it's being teased out from implicit to explicit - disconnected from energy source means a mechanically broken connection - by connector or mechanical switch. Electronic equivalents of functionality will not suffice. And to clarify your note to JimJ - it's energy to pyro that's important. The Wifi part can be on anywhere if the pyro-side has the mechanical disconnects.
     
    Last edited: Feb 4, 2020
    AeroAggie and mikec like this.
  14. Feb 4, 2020 #44

    markg

    markg

    markg

    Well-Known Member

    Joined:
    Jun 18, 2014
    Messages:
    324
    Likes Received:
    88
    Gender:
    Male
    Location:
    Windsor, Ontario
    All of my rockets are designed to use wireless remote Eggtimer switches. I don't have any physical switches on them. My two stage rockets use proton/quantum for staging. I have the sustainer igniter physically disconnected until the rocket is vertical on the pad, then I connect it.

    I will have to rework my rockets to now include a switch or disassemble my AV bays at the pad in order to connect the battery.

    hmm
     
  15. Feb 4, 2020 #45

    Eric

    Eric

    Eric

    Well-Known Member

    Joined:
    Jun 19, 2017
    Messages:
    1,148
    Likes Received:
    300
    Gender:
    Male
    Location:
    Vacaville, CA
    Got it. So the use of only a featherweight magnetic switch or featherweight powerperch would violate the safety code.

    So has the Tripoli board reviewed how commercial altimeters use their switch circuits? The other half of my fleet use a stratologger cf, RRC3 and and ARTS. I assumed they met the safety code. But this has brought to light that they all physically connect the battery to the pyrotechnics.
     
  16. Feb 4, 2020 #46

    jderimig

    jderimig

    jderimig

    Sponsor TRF Sponsor

    Joined:
    Jan 23, 2009
    Messages:
    3,020
    Likes Received:
    445
    No, you can't conclude that.
     
  17. Feb 4, 2020 #47

    Eljay

    Eljay

    Eljay

    Well-Known Member

    Joined:
    Mar 13, 2018
    Messages:
    152
    Likes Received:
    47
    I'd definitely appreciate clarification on if we can use the "switch" terminals on popular altimeters.
     
  18. Feb 4, 2020 #48

    cerving

    cerving

    cerving

    Owner, Eggtimer Rocketry TRF Sponsor TRF Supporter

    Joined:
    Feb 3, 2012
    Messages:
    3,465
    Likes Received:
    712
    It would depend on whether or not the "switch" terminals cut all power to the deployment circuitry.
     
    caraviator and Steve Shannon like this.
  19. Feb 4, 2020 #49

    Charles_McG

    Charles_McG

    Charles_McG

    Ciderwright

    Joined:
    Sep 12, 2013
    Messages:
    2,406
    Likes Received:
    497
    Location:
    SE Wisconsin
    I just took a look through the manuals of the three altimeters mentioned above.

    Caveat - I haven't looked at the wiring or the traces on the boards for confirmation - this is just based on the manuals.

    For the SLCF, it really looks like the switch handles main and deployment power together. Especially because it calls out requiring the same current handling specs for any switch. It comes jumpered - that's not good for flight.

    For the RRC3, it also looks like main and pyro power are not separated. BUT the manually explicitly calls out using a magnetic switch as an option - and that's not a mechanical disconnect.

    The ARTS2 looks more like the Eggtimer products, in having separate processor and pyro battery options. It has a header to jumper across for single battery use, but the manual I found -doesn't- explain just what the switch terminals do. That one is undetermined, to me.
     
    Eric likes this.
  20. Feb 4, 2020 #50

    UhClem

    UhClem

    UhClem

    Well-Known Member

    Joined:
    Feb 6, 2009
    Messages:
    1,501
    Likes Received:
    102
    This helps with hardware failures but only a little with software. Which still represents a single point failure mode.

    If you had the ESP8266 controlling one side (arming) and a completely separate MCU controlling the other side, you might have something.

    What we really want, but the rules don't make clear, is for there to be no single point failure modes that would result in an unintended output. Then once the rocket is at the pad and pointed up you can expose those single point modes. Carefully.
     
    Adrian A likes this.
  21. Feb 4, 2020 #51

    Eric

    Eric

    Eric

    Well-Known Member

    Joined:
    Jun 19, 2017
    Messages:
    1,148
    Likes Received:
    300
    Gender:
    Male
    Location:
    Vacaville, CA
    Yes, I can conclude that my pyrotechnic charges are physically connected to the altimeter, that is physically connected to the battery.

    But what the altimeter circuitry does from my physical connection, I do not know. Here's a schematic from Altus Metrum. Does that switch circuit show that it physically remove power from the charges? Should I just assume that it does? Does the Tripoli board have a list of altimeters that are approved and meet their safety code? Screenshot_2020-02-04-12-09-16.jpg
     
  22. Feb 4, 2020 #52

    cerving

    cerving

    cerving

    Owner, Eggtimer Rocketry TRF Sponsor TRF Supporter

    Joined:
    Feb 3, 2012
    Messages:
    3,465
    Likes Received:
    712
    Can you get deployment status with the switch disconnected? If so, then there is necessarily SOME power going to the deployment initiators at SOME time... maybe not all the time, but at least when it's doing the continuity check.
     
  23. Feb 4, 2020 #53

    Charles_McG

    Charles_McG

    Charles_McG

    Ciderwright

    Joined:
    Sep 12, 2013
    Messages:
    2,406
    Likes Received:
    497
    Location:
    SE Wisconsin
    I'm not sure that I agree that software counts as a single point. But I'm not a Board Member. Heck, I'm not a member at all. I just want to fly safely and not unintentionally trip over your rules when I fly with you. Software is harder to verify, I'll grant that.

    Is a mechanical switch not a single failure point? They can fail closed, can't they?
     
    davdue likes this.
  24. Feb 4, 2020 #54

    tollyman

    tollyman

    tollyman

    Well-Known Member

    Joined:
    Oct 9, 2016
    Messages:
    65
    Likes Received:
    14
    Gender:
    Male
    Location:
    Wisconsin
    If I were to have the output of the remote wifi style switch connected to a mechanical relay switch, which would then power the altimiter, would that be something that would be allowed? There is a physical break between the battery and the deployment charge via the mechanical switch. This does add another point of failure, but would provide a solution for those who have only wifi switches as a means to arm electronics.

    Using the configuration above, would I be able to have the wifi switch powered on during LCO check off and before mounted vertically on the rail?
     
  25. Feb 4, 2020 #55

    cerving

    cerving

    cerving

    Owner, Eggtimer Rocketry TRF Sponsor TRF Supporter

    Joined:
    Feb 3, 2012
    Messages:
    3,465
    Likes Received:
    712
    Yes, but usually switches fail open, or "bounce" (fail open for a relatively short period of time, maybe a few milliseconds).
     
    Last edited: Feb 4, 2020
  26. Feb 4, 2020 #56

    cerving

    cerving

    cerving

    Owner, Eggtimer Rocketry TRF Sponsor TRF Supporter

    Joined:
    Feb 3, 2012
    Messages:
    3,465
    Likes Received:
    712
    Relays unfortunately do not do well in high-G and/or high-vibration environments.
     
    caraviator and g.pitts like this.
  27. Feb 4, 2020 #57

    Charles_McG

    Charles_McG

    Charles_McG

    Ciderwright

    Joined:
    Sep 12, 2013
    Messages:
    2,406
    Likes Received:
    497
    Location:
    SE Wisconsin
    I think we're talking possibilities here, not probabilities. If we were talking probability, then adding another switch into the system that can lead to a failed deployment (altimeter powered on, deploy power left open), increases the probability of a ballistic return.

    Or we can talk about the probability of a switch failing closed compared to the probability of a microprocessor failing with one analog channel set wrong while simultaneously forming and sending the proper string down a serial comms path, while also appearing to be working in the first place (sending lights, beeps, web pages, etc).

    I think this discussion is -possibility- driven.
     
    YodaMcFly likes this.
  28. Feb 4, 2020 #58

    UhClem

    UhClem

    UhClem

    Well-Known Member

    Joined:
    Feb 6, 2009
    Messages:
    1,501
    Likes Received:
    102
    It depends on what the switch is connected to. If the switch is the only thing preventing an output, then yes, it is a single point failure mode. But if something else has to have failed, no.
     
    Adrian A likes this.
  29. Feb 4, 2020 #59

    jderimig

    jderimig

    jderimig

    Sponsor TRF Sponsor

    Joined:
    Jan 23, 2009
    Messages:
    3,020
    Likes Received:
    445
    With that schematic battery is disconnected from your charges if the switch terminals are open.
     
  30. Feb 4, 2020 #60

    cerving

    cerving

    cerving

    Owner, Eggtimer Rocketry TRF Sponsor TRF Supporter

    Joined:
    Feb 3, 2012
    Messages:
    3,465
    Likes Received:
    712
    ...assuming that there is no connection between the always-on "Battery +" terminal and the Main+/Apogee+ terminals; there may be something in between (resistors, buffers, etc.) that's not shown in this schematic fragment.
     

Share This Page

Group Builder