Revision to Tripoli Rule Regarding Wireless Remote Switches

The Rocketry Forum

Help Support The Rocketry Forum:

This site may earn a commission from merchant affiliate links, including eBay, Amazon, and others.
Status
Not open for further replies.

Steve Shannon

Well-Known Member
TRF Supporter
Joined
Jul 23, 2011
Messages
9,092
Reaction score
8,247
Location
Butte, Montana
The adoption of remotely switched avionics can greatly reduce the risk of user injury caused by the ignition of a sustainer motor or deployment charge when a staging controller or altimeter is turned on.
Recent discussions have reminded us of situations we failed to consider, such as when the rocket is being transported or when it’s presented for pre-flight inspection. The Tripoli Board of Directors has revised a decision which allowed the use of a wireless remote switch instead of a physical switch with staging devices or deployment controllers:
This revision, which takes place immediately, requires that all devices which control staging or energetic charges must be physically disconnected from power or must have their initiators mechanically disconnected from potential power sources while being transported or when presented for pre-flight inspection. Such disconnection may be done between the pyrotechnic battery and the device or between the device and any pyrotechnic initiator device(s). Either mechanical switches or complete physical disconnections may be used.
Those circuits which include Tripoli approved wireless remote switches may have the physical disconnections reconnected once the rocket is out on the range (either near the pad or at a special preparation area), thus transferring control to the remote switch.. Although the rocket must be pointed in a safe direction at all times, it is not required to have the rocket on the pad and vertical when the mechanical connections are made if the wireless remote switch is in its safe state. The rocket must be on the pad and upright and all personnel must be at a safe distance away from the pad when the wireless remote switch is commanded closed.
The current list of Tripoli approved wireless remote switches includes:
• The Eggfinder WiFi Switch,
• The Eggfinder Proton,
• The Eggfinder Quantum, and
• Multitronix Kate 2.0.
Important: Circuits for staging or deployment charges that do not have an approved wireless remote switch may not be switched on until the rocket is upright on the pad and pointed in a safe direction as required by NFPA 1127.
Please note that this only applies to circuits that contain energetic charges, igniters, electric matches, or rocket motors. Tracking devices, cameras, telemetry, or other electronics that do not include energetics are not subject to this limitation but it is the responsibility of the flyer to verify that those devices do not affect nearby energetic electronics.
Please also note that this is not because of any failure or perceived risk from any of the wireless remote switches.
Other manufacturers wishing to have their wireless remote switches considered for approval by the Tripoli Board of Directors, should submit via the following form: https://www.tripoli.org/contact
Thanks,
Steve
 
Last edited:
@Steve Shannon What about the Eggtimer TRS, is it an approved device? Also, what about the featherweight magnetic switch, is this affected by this change?

Have there been a number of documented incidents regarding these devices? What are the potential failure modes that cause these switches to close and arm electronics at the wrong time?

Unless I am reading this wrong, which I more than likely am, so please correct me, we have two options to utilize these switches going forward:
1. An inline switch that switches the remote switch... (This to me seems to defeat the purpose of the remote switch). If I need to actuate a screw switch or some other switch within my airframe, it defeats the purpose.
2. Special preparation area, this seems like it could work. I'm sure there's more to come but a few questions:
a. what are the safe distances?
b. Is this done before or after RSO and pad assignment?
c. How many people are allowed in this area at a time?
d. What is allowed in this area? If I don't want to add another switch like option 1, can I essentially prep my avionics bay in this area(hooking my charges to the remote switch), and once my rocket is OK'd to go out the the pads, bring it out and set it up and arm it out there?

Thanks,
Dave
 
What about Featherweight magnetic switches? Are they a "physical switch"?
 
That really sucks. And requires me to modify half of my fleet. Has something changed with the electronic disconnect ability of the Eggtimer Wi-Fi system?
 
Since the Proton has a substantial accelerometer stabilization time (at least in terms of pad time) it kind of forces a two battery connection solution. Also defeating most of the intent.

Unless I’m misreading this and the ‘arming’ step is what’s meant.
 
Alright, @Steve Shannon , I'm told that I should put down the implements of insurgency for the moment.

If the design of the electronics is fundamentally sound, then I'm deducing that problems have happen, or have been anticipated, -around- the electronics such that near pad power-up is determined to be the appropriate mitigation.

The Board press release is light on background. Discussions are mentioned, but only mentioned. Can you provide more details about what scenarios were discussed? Are the failure modes perceived -actually- unique to the wireless devices? Possible alternate mitigation approaches?

I happen to fly mostly midpower - where space for extra batteries and switches is very limited. And motors and charges are smaller. I happen to build my Protons with a 2 pin header/jumper rather than a short to deployment power. Replacing the jumper with a plug with wire leads to twist closed isn't hard - just annoying. Id rather not have to. I'd really like to know about failure modes I haven't considered and am at risk from.
 
Good call IMHO.
Better safe than sorry.

Sorta-armed while transporting never sounded like a good idea.
 
Sorta-armed while transporting never sounded like a good idea.

It's not 'sort of armed'. Deployment power is disconnected both (+) and (-), but not mechanically.

This change doesn't require pointy-end-up/flamey-end-down to connect power. So these altimeters are NFPA-compliant enough for that.

So what failure modes are being mitigated? I'd like to know what I haven't thought of! Should I be carrying the battery for -any- kind of altimeter out to the pad in my pocket? (but not the pocket with the starter!)
 
Good call IMHO.
Better safe than sorry.

Sorta-armed while transporting never sounded like a good idea.

Hi Fred,
How are any of the affected devices partially armed? There is a switch preventing the charges from being armed. The same as with a screw switch. How is any of this different than a magnetic switch? Those have been used for longer. But in essence, they are switches, their mode of closure is the only difference. Now if there is data that proves that these are unreliable or that something needs to change.

If that’s the case, it makes almost more sense to outright ban the devices. Adding more switches in line is asking for trouble. More points of failure and added confusion when preparing. More things to go wrong, more failures.

I haven’t gone looking, but I also haven’t seen an issue on here or Facebook where one of these devices was the cause of an incident.
Thanks,
Dave
 
FYI, the current running through the load on a disarmed WiFi Switch is zero. Quantums and Protons maintain a trickle current for continuity testing, so you can check it on your phone (along with the battery voltage). Assuming a fully-charged 8.4V 2S LiPo (the "worst case" for current), the trickle current on each channel of a Quantum is approximately 800 uA, on the Proton it's about 80 uA. That's 1/1000th and 1/10,000th of the typical all-fire current of a typical ematch, respectively.
 
There are never any magnets anywhere close to your rockets at all times....and you are 100% sure that you bet your life and the life of others.....
 
There are never any magnets anywhere close to your rockets at all times....and you are 100% sure that you bet your life and the life of others.....

But the magnet is not supplying the energy to starters/charges. The battery is - and the battery is still present in the rocket at all times.

Until we know what new risks were identified, or new info caused old risks to be re-evaluated, this discussion can't be complete.

And I believe playing the 'life card' is premature.
 
Those Tripoli approved wireless remote switches do not really satisfy the requirements. They use mosfets or SSRs. When those switches open, there is nothing in them that gets “physically disconnected”. There are just some charges moving around.
Is a similar DIY switch with mosfets acceptable or should there be used something like a mechanical switch or a mechanical relay?
 
The whole point of having a WiFi switch for example is so you can avoid having to mechanically disconnect ejection charges outside of the airframe. This is an aggravating change and unneeded IMHO. I am using a WiFi switch to turn off and on a timer for an ejection charge. Its easy to verify that the timer is on because it beeps. No beeping = not armed. Why must there be a mechanical disconnection? I think an exception needs to be made for systems where you can audibly verify whether or not the controlling device is on or off.
 
So a magnetic switch and even the built in switch circuit on say a stratologger, does not physically disconnect the battery from the pyrotechnics. So this makes everything to a level 3 certification standard.
 
@Steve Shannon What about the Eggtimer TRS, is it an approved device? Also, what about the featherweight magnetic switch, is this affected by this change?

Have there been a number of documented incidents regarding these devices? What are the potential failure modes that cause these switches to close and arm electronics at the wrong time?

Unless I am reading this wrong, which I more than likely am, so please correct me, we have two options to utilize these switches going forward:
1. An inline switch that switches the remote switch... (This to me seems to defeat the purpose of the remote switch). If I need to actuate a screw switch or some other switch within my airframe, it defeats the purpose.
2. Special preparation area, this seems like it could work. I'm sure there's more to come but a few questions:
a. what are the safe distances?
b. Is this done before or after RSO and pad assignment?
c. How many people are allowed in this area at a time?
d. What is allowed in this area? If I don't want to add another switch like option 1, can I essentially prep my avionics bay in this area(hooking my charges to the remote switch), and once my rocket is OK'd to go out the the pads, bring it out and set it up and arm it out there?

Thanks,
Dave

The TRS is not on the list.
The Featherweight magnetic switch never was submitted nor approved by the Tripoli Board to be used instead of a physical switch.
Using your numbers:
1. An in-line switch to power would be fine, or just leaving the batteries or charges disconnected until you’re on the range. However, the switches can be closed or connections can be made before placing the rocket on the pad.
2. a. For the safe distance to activate the wireless remote switch that’s currently up to the judgement of the flyer.
2. b. After RSO (pre-flight inspection).
2. c. At every step when arming the number of people should always be minimum necessary.
2. d. Yes. Do whatever you can at your own table, get your rocket okayed and pad assigned, then go to a prep area or even right next to the pad and complete the avionics setup including connecting the batteries to the wireless remote switches . Then, put the rocket on the pad, raise it up, and do the rest of your arming the way you normally would.
 
How are any of the affected devices partially armed? There is a switch preventing the charges from being armed.
The problem is that while they have transistors controlling both the high and low side they didn't control all single point failure modes. The micro-controller is still a single point which could fail and activate both transistors.

If the altimeter firing its outputs on power up is a problem, then the outputs are not inhibited and you shouldn't be doing that until the pointy end is up.
 
That really sucks. And requires me to modify half of my fleet. Has something changed with the electronic disconnect ability of the Eggtimer Wi-Fi system?

I’m sorry.

No, nothing has changed with the Eggtimer product and I want to emphasize, this was not done due to any problems or incidents involving any Eggtimer products.
 
Those Tripoli approved wireless remote switches do not really satisfy the requirements. They use mosfets or SSRs. When those switches open, there is nothing in them that gets “physically disconnected”. There are just some charges moving around.
Is a similar DIY switch with mosfets acceptable or should there be used something like a mechanical switch or a mechanical relay?

If they aren't NFPA compliant, then why allow the half-measure of designated areas?
'Charges moving around' are still moved by physics, not magic.
Is a single-sided mechanical solution -really- more reliable than a redundant solid state solution? Mechanics can fail, too.
If they haven't already, the TRA Board could publish guidance on acceptable solid state solution design - but we aren't talking about DIY at the moment.
 
The TRS is not on the list because it uses a common-to-battery architecture, the same as most other altimeters (including the Eggtimer Classic and Quark). This means that one leg of the battery is connected directly to the ematches... the other is switched to fire the charges. The Quantum and Proton do not have either leg connected directly to the battery... they connect through resistors that limit the possible current flow through the initiator to a very low value. TWO electronic switches are required to fire the charge... one on the "high" side and one on the "low" side.
 
Alright, @Steve Shannon , I'm told that I should put down the implements of insurgency for the moment.

If the design of the electronics is fundamentally sound, then I'm deducing that problems have happen, or have been anticipated, -around- the electronics such that near pad power-up is determined to be the appropriate mitigation.

The Board press release is light on background. Discussions are mentioned, but only mentioned. Can you provide more details about what scenarios were discussed? Are the failure modes perceived -actually- unique to the wireless devices? Possible alternate mitigation approaches?

I happen to fly mostly midpower - where space for extra batteries and switches is very limited. And motors and charges are smaller. I happen to build my Protons with a 2 pin header/jumper rather than a short to deployment power. Replacing the jumper with a plug with wire leads to twist closed isn't hard - just annoying. Id rather not have to. I'd really like to know about failure modes I haven't considered and am at risk from.

Charles,
I believe the electronics have sound designs. We’re just looking at reducing risk during the situations where people are most exposed to injuries if something were to happen, specifically when they are inspecting the rocket and when they are carrying them onto the field.
How do you use the header/jumper now?
 
If the altimeter firing its outputs on power up is a problem, then the outputs are not inhibited and you shouldn't be doing that until the pointy end is up.

Best point I've seen so far. This isn't unique to the wireless devices, but does argue that the wireless devices shouldn't get any special treatment at all.

I was going to ask if this has actually happened - but I've seen it myself, but on a traditional altimeter with single isolation rather than double. I can't assess if the risk of two-output fail on for these microprocessors is lower than single channel fail on. Outside my magisterium.

(Answered by Cris in post 29 https://www.rocketryforum.com/threa...wireless-remote-switches.157373/#post-1959670)
 
Last edited:
Charles,
I believe the electronics have sound designs. We’re just looking at reducing risk during the situations where people are most exposed to injuries if something were to happen, specifically when they are inspecting the rocket and when they are carrying them onto the field.
How do you use the header/jumper now?

In the 'management of change' sense, I think the board announcement leaves a bit to be desired. We're not factory drones, we will attempt to read between the lines. With no detailed justification, that's a lot of blank lines to be second guessing. If you don't have a 'something happening' in mind, then how do you know you are acting in the right direction?

I assembled my Protons anticipating that I might want to add a deployment battery someday, and I reckoned that I'd rather have pins to connect to than unsoldering/resoldering when the time came. The headers Cris uses happen to -just- fit the holes for B+/DP+. So I currently fly with a simple push jumper (same as the selection jumpers on a Quark) shorting the pins. I have a box of header parts, so it's easy for me to wire up a pigtail that goes on those pins and serves as a switch - though I'll likely twist/tape instead of putting in an actual switch.
 
General question- has a formal fault analysis ever been done on hobby rocketry? I'm thinking of something like an FMEA or other statistical analysis tool.

I'm thinking of the NAR report from about a decade ago where the biggest failure mode is "no chute" or something similar. Based on my personal observations, this is probably the same for today.

Which leads me to thinking- "No chute" is a potentially more dangerous failure because it's more unpredictable... rocket is moving faster and it's location is somewhat unknowable. Whereas charges going off, unplanned ignition happens on the pads or at the RSO, where most people are at least aware of the rockets location.

I'm also thinking about- more rules = more likely someone will forget to do something or do it incorrectly. So in this case, we could risk "electronics are safe on the pad, but not armed correctly".. and create a new problem while trying to solve an old one.
 
The problem is that while they have transistors controlling both the high and low side they didn't control all single point failure modes. The micro-controller is still a single point which could fail and activate both transistors.
Actually, not for the Proton. The switches are controlled by two different devices... the "low" side is controlled by the processor, the "high" side by an I/O expander that requires the correct I2C sequence to be sent to it to change the outputs. This was done intentionally for just that reason, so no single device failure could trigger a deployment.
 
The Featherweight magnetic switch never was submitted nor approved by the Tripoli Board to be used instead of a physical switch.
Your response makes it sound like the magnetic switch is some kind of outlaw device.

Where is it written down that any particular device for any purpose has to be submitted for approval by the TRA BOD?

What does that approval process look like? Is there testing involved? How are the results documented?
 
Status
Not open for further replies.
Back
Top