Still don't know if it's presently legal to power-on a TeleMega into idle mode while horizontal at the pad, raise it to vertical, and then remotely arm it by rebooting to flight mode.
Well said, Charles. The only thing I'd add is that some have said that the restrictions on magnetic switches were made to be compliant to 1127, not go beyond it. I don't think that's true, because as you point out 1127 uses an ambiguous word that requires interpretation. I presumed that it was that interpretation that kept the magnetic switches allowable since their introduction.
NFPA 1127 says ‘inhibited’, not disconnected... Whether [NAR and TRA] wish to establish more than one level of ‘sufficiently inhibited for the different situations’ is completely within their purview.
Fred,
Still don't know if it's presently legal to power-on a TeleMega into idle mode while horizontal at the pad, raise it to vertical, and then remotely arm it by rebooting to flight mode.
About 900 posts ago, I mentioned that the rule was not only allowing this, but also implying the people could close the switch between the altimeter and the igniter as long as they were "out at the pad". Moving a rocket to vertical, with powered electronics and a clear path to the igniter, is a really bad idea. The "safety" of this is based on the premise that the altimeter will function as designed. I can tell you that with some altimeters, this is a bad assumption. The closest I am personally willing to get to this is to have a wifi switch separate from the altimeter. The wifi can be powered up while horizontal, and at least you know there isn't power to the altimeter when the rocket is moved. And even with this approach, I still have a disconnect and/or shunt in the igniter path. If it's OK to power up "combo" devices when horizontal, then it can't be OK to have the disconnect switch closed. Just my $0.02.
Still don't know if it's presently legal to power-on a TeleMega into idle mode while horizontal at the pad, raise it to vertical, and then remotely arm it by rebooting to flight mode.
What does "completely powered down" mean?
With a rocket with a Featherweight Power Perch, I know the altimeter is powered down because it's not beeping, the same way that I know it's not powered if I were using a mechanical switch. And I trust, because I've used it a lot and I have confidence in the vendor, that the magnetic switch isn't going to turn on and provide power without definite positive action on my part.
About 900 posts ago, I mentioned that the rule was not only allowing this, but also implying the people could close the switch between the altimeter and the igniter as long as they were "out at the pad". Moving a rocket to vertical, with powered electronics and a clear path to the igniter, is a really bad idea. The "safety" of this is based on the premise that the altimeter will function as designed. I can tell you that with some altimeters, this is a bad assumption. The closest I am personally willing to get to this is to have a wifi switch separate from the altimeter. The wifi can be powered up while horizontal, and at least you know there isn't power to the altimeter when the rocket is moved. And even with this approach, I still have a disconnect and/or shunt in the igniter path. If it's OK to power up "combo" devices when horizontal, then it can't be OK to have the disconnect switch closed. Just my $0.02.
Jim
Yes this is the interpretation that was close to a consensus position at the meeting, though a consensus was not yet reached. The way I would put it is that when any independent switch is in the output-off state to keep the altimeter powered off, that meets the intent of the rule, because it would take 2 independent failures to get the altimeter to fire charges from that condition. (switch failing on, altimeter deciding to fire charges pre-launch). That fault-tolerant condition is required from connection of energetics (e.g. loading of BP) to being in a safe configuration at the pads.
On the "demonstration" idea, I agree that we're just talking about answering questions similar to what an RSO might ask about CP vs CG. "How do you know your altimeter is off?" The answer might be "because it's an altimeter that would be beeping if it were on" or "because this LED isn't on" or "because the status on my phone shows it's off." The answers will depend on the specific hardware being used, but whatever it is, the flyer needs to be aware of their responsibility to have the controller off, and be able to tell when it's off.
At nearly every large launch we see altimeters fire charges on the pad.
I don't know of any modern altimeters that can be programmed to fire anything at power-on without launch detection. In my experience the very rare events of firing at power-on have always been due to shorts or reversed polarity in the wiring, though I have heard of older altimeters being affected by very strong RF fields from some radio systems (the Garmin dog trackers, for example.)
...I think that altimeters have too many easy ways to fire their outputs: configuration, programming, wiring, av-bay construction, electrical interference, wind gusts, etc.
I don't know of any modern altimeters that can be programmed to fire anything at power-on without launch detection. In my experience the very rare events of firing at power-on have always been due to shorts or reversed polarity in the wiring, though I have heard of older altimeters being affected by very strong RF fields from some radio systems (the Garmin dog trackers, for example.)
And I'm still not seeing what the switch technology has to do with this. Do you honestly think that installing a battery at the pad is safer? It's just going to lead to more mishaps. I always wire up my bays at home and test them beforehand.
That’s a decent summary.
On the "demonstration" idea, I agree that we're just talking about answering questions similar to what an RSO might ask about CP vs CG. "How do you know your altimeter is off?" The answer might be "because it's an altimeter that would be beeping if it were on" or "because this LED isn't on" or "because the status on my phone shows it's off." The answers will depend on the specific hardware being used, but whatever it is, the flyer needs to be aware of their responsibility to have the controller off, and be able to tell when it's off.
I assume you mean "inhibited", as that's the language that 1127 uses.
3. I honestly think that we need to figure out what we consider completely disconnected...
The NFPA rule also applies to the launching system. ("firing circuits") So you need to think about how this is going to affect those systems.
Because it’s possible to get an altimeter to fire a charge at the wrong time while still working as designed, I don’t consider an altimeter firing its charges an independent failure.
I assume you mean "inhibited", as that's the language that 1127 uses.
I can't dispute any of your points, but I'm deeply concerned that with the current lack of clarity, there's going to be an accident caused by an effort to comply with the rule that wouldn't have happened otherwise.
Steve, I'm just curious -- have you ever flown a rocket with a Featherweight magnetic switch personally?
Not quite true. There is at least one product from a well-known manufacturer that has a "mirroring" mode where a power-on, in conjunction with a hold-off time (IIRC), will initiate auxiliary channel activity. The mode is there to fit a specific application, but it can bite you as instructions/operation are a bit obscure.
I don't know of any modern altimeters that can be programmed to fire anything at power-on without launch detection.
Agreed, but if you have a shorted MOSFET then the airstart igniter is just going to fire when you close the mechanical switch on that channel, unless there is some self-test capability that AFAIK most altimeters don't have. I'm not sure this is an improvement; that switch might be giving you a false sense of confidence for some failure modes.
If your altimeter misbehaves when you power it up, you don't want to find that out with the airstart igniter fully connected and ready to go.
Not quite true. There is at least one product from a well-known manufacturer that has a "mirroring" mode where a power-on, in conjunction with a hold-off time (IIRC), will initiate auxiliary channel activity. The mode is there to fit a specific application, but it can bite you as instructions/operation are a bit obscure.
Agreed. And we had that in NFPA 1127 4.13.7 until "inhibit" was reinterpreted.
I want to have some simple rules that everyone can follow...
Is your question about process - who owns the DFMEA, or is it whether there is willingness to help out?
Would you and others work together to do such an analysis?
In my experience, that's not how regulations work. Once they're written down you don't get to interrogate the author about what they meant, you have to interpret what they actually wrote.
But, again, it wasn’t a reinterpretation; we checked with the person who wrote the requirements to see what the correct original interpretation was.
Is your question about process - who owns the DFMEA, or is it whether there is willingness to help out?
The design owner would need to ultimately "own" the analysis since they are accountable for the product they design and/or produce. I'm absolutely willing to help / participate in any way I can be of service.
In my experience, that's not how regulations work. Once they're written down you don't get to interrogate the author about what they meant, you have to interpret what they actually wrote.
My best technical judgement is that the BOD is free to interpret "inhibit" as being satisfied by a magnetic switch.
At any rate, I've said my piece and I don't think I've convinced you of anything or am anywhere close to doing so. But I do appreciate you taking the time to respond.
Hopefully some guidelines will be coming out soon... some of us are waiting so we can provide guidelines to our users, and/or modify our products accordingly.
In my professional background we used the word “inhibit” frequently to refer to Boolean conditions that would prevent software functions from activating outputs. In my mind it’s not constrained only to physically disconnected power. I could imagine solid state switches fulfilling that role (including magnetic switches), but I think there must be some common operational requirements that all such devices obey.
That’s what I hope comes out of the meetings we have.
If Tripoli is interested in going down the path of a DFMEA analysis being a part of a "self-certification" process without owning a certification responsibility, I would think that a committee would be formed to put the process together, and the vendors would own the analysis of their designs. Is that what you were thinking as well, or am I off-base? But the offer stands to help in any way I can.
The question is would you and the others recommending DFMEA be willing to help perform those risk analyses. I don’t know much about them; I’ve never done them or used them.