Revision to Tripoli Rule Regarding Wireless Remote Switches

The Rocketry Forum


warnerr

Lifetime Supporter
TRF Lifetime Supporter
Joined
Jan 4, 2011
Messages
349
Reaction score
41
I think we can all agree the horse has been beaten into a buttery smooth paste at this point. There were plenty of us helping.
You can only beat the horse using Ebony Wood Whips. No other whips are permitted.
 

Voyager1

Well-Known Member
TRF Supporter
Joined
Oct 23, 2015
Messages
439
Reaction score
121
Location
Oz
Keep in mind that altimeters are already solid-state. Should we be expecting a directive from the BOD next that we can only use mechanical altimeters? Or we can't use radio tracking? You'll have a hard time closing that box if you open it.
That's not helpful!
 

manixFan

Not a rocket scientist
Joined
Feb 15, 2009
Messages
1,623
Reaction score
633
Location
TX
Safety agencies (UL, TUV, CE, etc.) trust semiconductors. What they do not trust is software. Also, safety agencies require devices to safely withstand an 8 kV electrostatic discharge while operating to stay safe.

It's not the reliability of the pn junction that is the risk here.
Of course there is no software in the magnetic switch. Would it meet UL safety standards?


Tony
 

jderimig

Sponsor
TRF Sponsor
Joined
Jan 23, 2009
Messages
3,112
Reaction score
528
Of course there is no software in the magnetic switch. Would it meet UL safety standards?


Tony
UL would require a physical disconnect in the system but it would not specify when it must be used.
 

Adrian A

Sponsor
TRF Sponsor
TRF Lifetime Supporter
Joined
Jan 22, 2009
Messages
2,258
Reaction score
233
I sure hope there aren't altimeters on the market that randomly glitch and fire their outputs at power-on. I've never encountered one and if I did I would toss it. Though let's not talk about how dirty and glitchy the power-on sequence could be for the industry standard "twist-and-tape" method.
Just last week I had a potential customer email me, asking the specific questions about what I do to prevent power-up glitches for the Raven altimeters, because he had an experience with two different units of an altimeter from another manufacturer that did behave this way. I don't know if this flyer had something odd about his power source that the other manufacturer hadn't accounted for, or what might have been a contributing cause for that other manufacturer's altimeter, but after the first rev of the Raven I added an external part that holds the microcontroller in reset until the voltage is in the nominal range. I know there were some multi-million dollar spacecraft power output boards driven by Actel 1280 FPGAs in the late 90s (you might recall them too) that had glitches at power-up, too.
 

UhClem

Well-Known Member
Joined
Feb 6, 2009
Messages
1,547
Reaction score
117
I know there were some multi-million dollar spacecraft power output boards driven by Actel 1280 FPGAs in the late 90s (you might recall them too) that had glitches at power-up, too.
A flight termination safe and arm that I am familiar with used an FPGA and had two safety systems to prevent this sort of thing. The static safety (MOSFET trigger of spark gap) was of course vulnerable to this sort of thing, which is why they had a dynamic safety. The FPGA had to toggle the gates of a couple of MOSFETs in a DC to DC converter to charge the 2,500V firing capacitor. Until that was charged the thing was safe. After it was charged it had many single point failure modes, which is why WSMR ground safety insisted that it not be charged until several seconds after launch.

But to bring this back to hobby rocketry, the Adept ALTS2 (I owned one for a while) was notorious for firing its outputs at power up.
 

Steve Shannon

Well-Known Member
TRF Supporter
Joined
Jul 23, 2011
Messages
6,219
Reaction score
2,725
Location
Butte, Montana
A flight termination safe and arm that I am familiar with used an FPGA and had two safety systems to prevent this sort of thing. The static safety (MOSFET trigger of spark gap) was of course vulnerable to this sort of thing, which is why they had a dynamic safety. The FPGA had to toggle the gates of a couple of MOSFETs in a DC to DC converter to charge the 2,500V firing capacitor. Until that was charged the thing was safe. After it was charged it had many single point failure modes, which is why WSMR ground safety insisted that it not be charged until several seconds after launch.

But to bring this back to hobby rocketry, the Adept ALTS2 (I owned one for a while) was notorious for firing its outputs at power up.
Way to pull me back in, David.

We determined that an AltAcc would fire its output if you connected the battery three times quickly. It was repeatable.

Please explain the difference between static and dynamic inhibits.
 

UhClem

Well-Known Member
Joined
Feb 6, 2009
Messages
1,547
Reaction score
117
Way to pull me back in, David.

We determined that an AltAcc would fire its output if you connected the battery three times quickly. It was repeatable.

Please explain the difference between static and dynamic inhibits.
Since the safe/arm screw in the AltAcc is in series with its outputs that requires a failure in that switch. Or an operator connecting the battery with the switch closed.

Static safety: simple MOSFET switch.
Dynamic: requires repeated and coordinated operation. In other words, a failed pin on the FPGA would have no effect.
 

Steve Shannon

Well-Known Member
TRF Supporter
Joined
Jul 23, 2011
Messages
6,219
Reaction score
2,725
Location
Butte, Montana
Since the safe/arm screw in the AltAcc is in series with its outputs that requires a failure in that switch. Or an operator connecting the battery with the switch closed.

Static safety: simple MOSFET switch.
Dynamic: requires repeated and coordinated operation. In other words, a failed pin on the FPGA would have no effect.
Agreed, that the AltAcc either had a closed switch or a failed switch.

Thanks for the explanation about static vs. dynamic safeties.
 

cerving

Owner, Eggtimer Rocketry
TRF Sponsor
TRF Supporter
Joined
Feb 3, 2012
Messages
3,590
Reaction score
831
Since the safe/arm screw in the AltAcc is in series with its outputs that requires a failure in that switch. Or an operator connecting the battery with the switch closed.

Static safety: simple MOSFET switch.
Dynamic: requires repeated and coordinated operation. In other words, a failed pin on the FPGA would have no effect.
What about two switching devices in series, each one triggered by a different component on the same board (like the Proton)? Or two switching devices in series, triggered by two separate pins on the same processor (like the Quantum)? In the former case, two devices that are electrically "off" at power-up would have to fail "on" to fire; in the latter case, two pins on the same device that are normally "off" at power-up would have to fail "on". (This is strictly a hardware discussion... we're taking software off the table here, because I KNOW that it's a potential {albeit low} source of failure. Not trying to contradict you... I respect your knowledge.)
 

jderimig

Sponsor
TRF Sponsor
Joined
Jan 23, 2009
Messages
3,112
Reaction score
528
I once saw a design where the output gates were driven by a charge-pump circuit. To fire the charges required a stream of pulses from the processor so that you had to pump up the voltage on the gates against a constant drain resistor.
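The three output-gating designs discussed above (UhClem's static vs. dynamic safety, cerving's two switching devices in series, and the charge-pump gate with a bleed resistor in this post) can be compared with a small simulation. This is an added example, not code from any poster or vendor: the millivolt step, bleed rate and firing threshold are assumed values chosen so that a deliberate pulse train wins against the drain resistor while a single stuck pin does not, and the single-fault report injects one stuck-at fault per control pin with every other pin idle.

```python
"""Constructed model of output-safety designs from the thread: a static
MOSFET switch, a charge-pump (dynamic) gate, and two series switches driven
by independent pins. All numbers are illustrative, not from any real altimeter."""
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Gate-drive parameters in millivolts (assumed, see lead-in).
PUMP_STEP_MV = 600        # added to the gate on each rising edge of the pin
BLEED_MV_PER_TICK = 200   # drained every tick by the resistor across the gate
FIRE_THRESHOLD_MV = 3000  # gate voltage at which the output FET conducts


@dataclass
class ChargePumpGate:
    """Dynamic safety: the output FET only conducts once repeated, correctly
    timed edges have pumped its gate above threshold faster than it bleeds."""
    vgate_mv: int = 0
    last_pin: int = 0

    def tick(self, pin: int) -> bool:
        if pin and not self.last_pin:      # rising edge pumps charge in
            self.vgate_mv += PUMP_STEP_MV
        self.last_pin = pin
        self.vgate_mv = max(0, self.vgate_mv - BLEED_MV_PER_TICK)
        return self.vgate_mv >= FIRE_THRESHOLD_MV


def dynamic_fires(pin_stream: Iterable[int]) -> bool:
    """True if the charge-pump output ever conducts for this pin sequence."""
    gate = ChargePumpGate()
    return any(gate.tick(p) for p in pin_stream)


def static_fires(pin_stream: Iterable[int]) -> bool:
    """Static safety: one MOSFET follows the pin, so any high level fires."""
    return any(p == 1 for p in pin_stream)


def series_fires(pin_a: Iterable[int], pin_b: Iterable[int]) -> bool:
    """Two switching devices in series, each driven by its own pin:
    both must be high during the same tick for current to flow."""
    return any(a == 1 and b == 1 for a, b in zip(pin_a, pin_b))


def single_fault_analysis(ticks: int = 60) -> Dict[str, Dict[str, bool]]:
    """Inject one stuck-at fault on a single control pin (other pins idle)
    and record whether each design fires. A True entry means that design
    has a single-point failure mode on that pin."""
    idle = [0] * ticks
    faults = {"stuck_low": [0] * ticks, "stuck_high": [1] * ticks}
    report: Dict[str, Dict[str, bool]] = {"static": {}, "dynamic": {}, "series": {}}
    for name, stream in faults.items():
        report["static"][name] = static_fires(stream)
        report["dynamic"][name] = dynamic_fires(stream)
        report["series"][name] = series_fires(stream, idle)
    return report


def intended_fire_sequence(ticks: int = 60) -> List[int]:
    """The processor's deliberate fire pattern: toggle the pin every tick."""
    return [i % 2 for i in range(ticks)]


if __name__ == "__main__":
    print("dynamic, intended pulse train:", dynamic_fires(intended_fire_sequence()))
    print("dynamic, pin toggling too slowly:", dynamic_fires([1, 0, 0, 0] * 15))
    for design, result in single_fault_analysis().items():
        print(f"{design:8s} single-fault report:", result)
```

With these parameters the intended pulse train crosses the threshold after about 27 ticks, a pin that toggles only every fourth tick never gets ahead of the bleed resistor, and the fault report shows the point UhClem makes: the static switch fires on a single stuck-high pin, while the charge-pump and series designs need more than one thing to go wrong.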
 

UhClem

Well-Known Member
Joined
Feb 6, 2009
Messages
1,547
Reaction score
117
What about two switching device in series, each one triggered by a different component on the same board (like the Proton)?
It is kind of an apple and oranges kind of thing. Unintended operation of a flight termination system falls squarely in the catastrophic hazard class. By using an EFI and the dynamic safety system they could do away with the complicated mechanical safe and arm.

I have thought about using that idea for an altimeter but it would still have a screw switch to control power.

The thing to focus on is single point failure modes. You can tolerate those to some extent (at low likelihood) when at the pad. But not while walking around.

The Quantum still has a single point failure mode in the ESP8266. The I2C data expander (and bit banged I2C) helps with the Proton. (No schematics or code available so the best I can do is guess based on parts lists.)
 

cerving

Owner, Eggtimer Rocketry
TRF Sponsor
TRF Supporter
Joined
Feb 3, 2012
Messages
3,590
Reaction score
831
I2C on the ESP8266 isn't bit banged... it's in the on-chip I/O subsystem. I HAVE done bit-banged I2C (the Quark uses it), it's actually pretty reliable as long as you account for the "no response" cases from the peripheral when you send it a command. Either way, the failure mode for the peripheral controller would be to NOT fire the FET, since the output is reset to "off" at power up, and it's going to take a very specific set of events to make that output turn "on".

The failure mode on the Quantum would be that the processor's I/O subsystem either sends a "1" to both the FET and the BJTs at power-up (not likely) or that there's a software glitch that sends the registers the wrong data (also not likely). "Not likely" is not the same as "impossible", but it's also not "impossible" for a power switch to accidentally power "on" as well, unless there's some kind of positive mechanical lock.
 

UhClem

Well-Known Member
Joined
Feb 6, 2009
Messages
1,547
Reaction score
117
I2C on the ESP8266 isn't bit banged... it's in the on-chip I/O subsystem.
Then you have unique hardware. The official datasheet says "ESP8266EX has one I2C, which is realized via software programming." I even dug down into the Espressif SDK and Arduino libraries. Software all the way down.
 

David Schwantz

Well-Known Member
Joined
Jul 23, 2018
Messages
1,357
Reaction score
479
Location
MN
I just have one more question. Steve has stated that pull pin switches are valid. Does it matter if the switch is rocker, toggle, push button, slide, as long as it physically breaks the circuit?
 

rrobe99999

Well-Known Member
Joined
Mar 5, 2009
Messages
107
Reaction score
9
That’s a good question, Vern. Because I knew he works with missiles as a day job, I made the assumption that it came from that perspective. I’ll ask.
Please do not pursue this with the government. Yes, someone who works with missiles knows the difference between an inhibit and an interrupt. The current NFPA rule allows us to pursue our hobby in a safe manner, while allowing us to integrate designs that meet our reliability and performance requirements. TRA BOD can make all the rules that they want, but we don't want the Gov to make stricter rules that nobody else wants.
 

boatgeek

Well-Known Member
Joined
Dec 27, 2014
Messages
2,568
Reaction score
1,005
NAR just came out with a similar rule in their Electronic Rocketeer. Hopefully, they will follow suit on what TRA does after discussions with manufacturers.
 

cerving

Owner, Eggtimer Rocketry
TRF Sponsor
TRF Supporter
Joined
Feb 3, 2012
Messages
3,590
Reaction score
831
NAR just came out with a similar rule in their Electronic Rocketeer. Hopefully, they will follow suit on what TRA does after discussions with manufacturers.
Don't count on it. NAR used to make you put six switches on a L3 rocket... one on each altimeter's power, and one on each charge.
 

Nytrunner

Pop lugs, not drugs
Joined
Oct 15, 2016
Messages
6,554
Reaction score
1,981
Location
Huntsville AL
NAR just came out with a similar rule in their Electronic Rocketeer. Hopefully, they will follow suit on what TRA does after discussions with manufacturers.
Are the E-Rocketeer email blurbs an official rule? I've always considered them safety tips and instructional with safety mindset.
 

rharshberger

Well-Known Member
Joined
Oct 13, 2014
Messages
9,269
Reaction score
1,371
Location
Pasco, WA
Are the E-Rocketeer email blurbs an official rule? I've always considered them safety tips and instructional with safety mindset.
It's an official newsletter from NAR. It's really not surprising that NAR would follow along, as most of their L3CCs are TRA TAPs as well and many members hold dual membership.
 

UhClem

Well-Known Member
Joined
Feb 6, 2009
Messages
1,547
Reaction score
117
NAR just came out with a similar rule in their Electronic Rocketeer. Hopefully, they will follow suit on what TRA does after discussions with manufacturers.
Not a rule. They used the word "should" rather than "shall" and it isn't part of the safety code or an official policy. Worse is that it misunderstands the RFI problem.

RFI could result in your being unable to communicate with a wireless switch but it can't cause it to do things. At least if the communications are properly encrypted. If they really do have a problem with wireless switches then they also have a problem with wireless launch systems.

Magnetic switches require field strengths unlikely to be produced by anything other than powerful magnets. Items which are in short supply on the field.

Since relays have been mentioned I thought someone might be interested in a high dollar MIL-SPEC relay (rated for high vibration and shock environments) at BGMicro. $1.50 each today which is way less than the original price.
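The claim above is that interference can stop you talking to a wireless switch but cannot make it act, provided the link is properly protected. What actually gives that guarantee is authentication and freshness of each command: a receiver that only changes state on a frame carrying a valid keyed MAC and a counter it has not seen before. The following is an added example written for this thread, not any vendor's protocol: the shared key, the frame layout (32-bit counter, 8-bit command, truncated HMAC-SHA256 tag) and the sample frames are all constructed here.

```python
"""Constructed receiver-side model of an authenticated wireless arm/safe
command. Key, frame format and counter scheme are this example's own
assumptions, not any manufacturer's design."""
import hashlib
import hmac
import struct
from typing import Dict

# Shared secret provisioned into both ends at pairing time (constructed value).
SHARED_KEY = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0" * 2)
CMD_SAFE, CMD_ARM = 0, 1
TAG_LEN = 16                 # truncated HMAC-SHA256 tag
BODY_FMT = ">IB"             # 32-bit monotonic counter, 8-bit command
BODY_LEN = struct.calcsize(BODY_FMT)


def build_frame(key: bytes, counter: int, cmd: int) -> bytes:
    """Transmitter side: body || HMAC(key, body)."""
    body = struct.pack(BODY_FMT, counter, cmd)
    tag = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
    return body + tag


class ArmSwitchReceiver:
    """Only a frame that authenticates and carries a fresh counter changes
    state. Noise, damaged frames and repeats are ignored, so the worst case
    for a bad link is that the switch stays where it already is."""

    def __init__(self, key: bytes) -> None:
        self.key = key
        self.last_counter = 0
        self.armed = False

    def handle(self, frame: bytes) -> str:
        if len(frame) != BODY_LEN + TAG_LEN:
            return "reject:length"
        body, tag = frame[:BODY_LEN], frame[BODY_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            return "reject:auth"        # damaged in flight or not from the paired transmitter
        counter, cmd = struct.unpack(BODY_FMT, body)
        if counter <= self.last_counter:
            return "reject:replay"      # already seen: a repeat of an old frame
        if cmd not in (CMD_SAFE, CMD_ARM):
            return "reject:command"
        self.last_counter = counter
        self.armed = cmd == CMD_ARM
        return "accept:armed" if self.armed else "accept:safe"


def demo() -> Dict[str, str]:
    """Run a genuine command, then the kinds of frames a noisy link produces."""
    rx = ArmSwitchReceiver(SHARED_KEY)
    results: Dict[str, str] = {}
    arm = build_frame(SHARED_KEY, 1, CMD_ARM)
    results["genuine_arm"] = rx.handle(arm)
    # Same frame with one bit flipped in flight (constructed interference damage).
    damaged = bytes([arm[0] ^ 0x01]) + arm[1:]
    results["bit_error"] = rx.handle(damaged)
    # The genuine frame heard a second time (echo, retransmission, recording).
    results["repeat_of_old_frame"] = rx.handle(arm)
    # A well-formed frame from a transmitter that does not share the key.
    results["unpaired_transmitter"] = rx.handle(build_frame(b"\x00" * 32, 2, CMD_ARM))
    results["state_after_rejects"] = "armed" if rx.armed else "safe"
    results["genuine_safe"] = rx.handle(build_frame(SHARED_KEY, 2, CMD_SAFE))
    return results


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(f"{label:22s} -> {outcome}")
```

Two design points worth noting. First, the post says "properly encrypted", but confidentiality is not what keeps a corrupted or repeated frame from changing the switch; the MAC and the monotonic counter do that, and a scheme that encrypted without authenticating would not. Second, every rejection leaves `armed` untouched, which is the fail-safe behaviour being argued for: losing the link means you cannot command the switch, not that it commands itself.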
 

cerving

Owner, Eggtimer Rocketry
TRF Sponsor
TRF Supporter
Joined
Feb 3, 2012
Messages
3,590
Reaction score
831
The blurb from our manuals is in the FCC Part 15 disclaimer; we state the "official" verbiage then paraphrase it so that it's intelligible for most people. It does not mean that a WiFi Switch is likely to get zapped by outside interference... it just states that unlicensed devices have no regulatory protection against it, unlike licensed devices. Of course, the laws of physics don't care much about regulations...
 

Steve Shannon

Well-Known Member
TRF Supporter
Joined
Jul 23, 2011
Messages
6,219
Reaction score
2,725
Location
Butte, Montana
Not a rule. They used the word "should" rather than "shall" and it isn't part of the safety code or an official policy. Worse is that it misunderstands the RFI problem.

RFI could result in your being unable to communicate with a wireless switch but it can't cause it to do things. At least if the communications are properly encrypted. If they really do have a problem with wireless switches then they also have a problem with wireless launch systems.

Magnetic switches require field strengths unlikely to be produced by anything other than powerful magnets. Items which are in short supply on the field.

Since relays have been mentioned I thought someone might be interested in a high dollar MIL-SPEC relay (rated for high vibration and shock environments) at BGMicro. $1.50 each today which is way less than the original price.
My interpretation was that Steve’s mention of RFI was more closely related to the possibility of a strong transmitter resulting in an accident similar to those experienced by some who put Garmin Astro dog transmitters into their av-bays only to have their altimeters fire an ejection charge, not spoofing a transmitted command.
And yes, he said “should” rather than “shall”.
I’ll check those relays out. Thanks!
 