Revision to Tripoli Rule Regarding Wireless Remote Switches

The Rocketry Forum

Help Support The Rocketry Forum:

This site may earn a commission from merchant affiliate links, including eBay, Amazon, and others.
Status
Not open for further replies.
How scandalous right? Using current industry safety terms and evaluation criteria in seeking to determine truly effective and safe operational protocols. The nerve.

There is nothing new about "frequency and severity criteria" safety terms. I worked for the major US aircraft company for the last 15 years of my employment. I fully understand the application of the root cause analysis process, used to help determine potential safety hazards in operational protocols.
 
That they know about.
Of course. But no one designs, produces, and sells in a vacuum. And every designer I have used personally has been nothing but helpful with sale, questions, set up, and trouble shooting. Some issues are small and go undetected for a while, but major issues (like channel firing upon power up) are caught and remedied (and actively prevented by hardware design and software) on the designer test bench. Major issues like that never make it to the user.
 
Such a problem just made it to users of the EasyTimer from AltusMetrum. See notice for version 1.9.6 of AltOS.
Interesting. I think I might have experienced that error on an EasyTimer and just assumed I set the velocity threshold too high.
And while this is a sign significant error that impacts performance, I wouldn't put that error on the same level as charges unintentionally firing on power up.
 
Given that multiple examples have already been provided, why would anyone continue down this rabbit trail?
I'm asking for legitimate production altimeter errors/issues that fundamentally made a product unsafe (in the area if charges firing on power up). So far I haven't seen one listed.
 
Post deleted.
Decided to continue just reading this thread and to stay out of the discussion.
 
Last edited:
I'm asking for legitimate production altimeter errors/issues that fundamentally made a product unsafe (in the area if charges firing on power up). So far I haven't seen one listed.
Not a production issue but I've seen an altimeter fire charges at power-on, after it was loaded vertically on the rail. IIRC the guy it happened to said it was a water damaged altimeter.

Incidentally though, in that particular case the fiberglass nosecone nearly came back down on the guy's head. IMO this particular situation would have been safer if the rocket had been powered on (edit: temporarily, to test) horizontally first, with the nosecone pointed in a safe direction (or better yet, with charges connected but rocket not assembled). Since that incident I have been test powering on my av-bays in exactly that manner prior to coming to the launch site (i.e. charges connected but rocket entirely unassembled).
 
Last edited:
Given that multiple examples have already been provided, why would anyone continue down this rabbit trail?

Bingo... I don't have the inclination or time to research the specifics, but they are out their for those to find, if so inclined. However, the requirement to not power up in the pit area with live BP charges installed is a well established safety practice... Those whom wish to test fate, do so at their on peril and regrettably the peril of others. I do not believe I have any additional information to contribute to this thread. Fair winds and successful launches to all.
 
Not a production issue but I've seen an altimeter fire charges at power-on, after it was loaded vertically on the rail. IIRC the guy it happened to said it was a water damaged altimeter.

Incidentally though, in that particular case the fiberglass nosecone nearly came back down on the guy's head. IMO this particular situation would have been safer if the rocket had been powered on horizontally first, with the nosecone pointed in a safe direction (or better yet, with charges connected but rocket not assembled). Since that incident I have been test powering on my av-bays in exactly that manner prior to coming to the launch site (i.e. charges connected but rocket entirely unassembled).
Arming an altimeter horizontally and then going vertical is a horrendously bad idea with lots of examples why not to do it...going flat to vertical can easily trigger launch detection logic in may altimeters. Best case you just blow a nose cone...worst case you ignite a sustainer motor and land shark a rocket into your friends.
 
Arming an altimeter horizontally and then going vertical is a horrendously bad idea with lots of examples why not to do it...going flat to vertical can easily trigger launch detection logic in may altimeters. Best case you just blow a nose cone...worst case you ignite a sustainer motor and land shark a rocket into your friends.
That was NOT what I was suggesting at all. Power on altimeter with rocket horizontal, pointed in safe direction, to check that all charges are good and the altimeter isn't gonna blow any of the charges prematurely. Then, power off altimeters. Then, load rocket as normal, only power on altimeters with rocket vertical. And again, like I said in the previous comment, it's even more preferable to do this test without the rocket assembled, so that no pieces are there to shoot off in any direction.

I see how my previous comment may have been ambiguous.
 
Arming an altimeter horizontally and then going vertical is a horrendously bad idea with lots of examples why not to do it...going flat to vertical can easily trigger launch detection logic in may altimeters. Best case you just blow a nose cone...worst case you ignite a sustainer motor and land shark a rocket into your friends.
Which contemporary altimeters can trigger like that? I don't know of any... maybe this was an issue in some vintage hardware, back when they had G-switches and manual "mach lockout" timers, but anything designed in the past 10 years should have a robust launch detect that isn't going to be fooled by tilting it up, or by gusts of wind either.
 
Which contemporary altimeters can trigger like that? I don't know of any... maybe this was an issue in some vintage hardware, back when they had G-switches and manual "mach lockout" timers, but anything designed in the past 10 years should have a robust launch detect that isn't going to be fooled by tilting it up, or by gusts of wind either.
Which contemporary altimeters can trigger like that? I don't know of any... maybe this was an issue in some vintage hardware, back when they had G-switches and manual "mach lockout" timers, but anything designed in the past 10 years should have a robust launch detect that isn't going to be fooled by tilting it up, or by gusts of wind either.
BALLS 2018, University of Virginia (Virginia Tech?) two stage land sharked due to raising/lowering while armed. Not sure what they were using but that's probably the most public example.
 
BALLS 2018, University of Virginia (Virginia Tech?) two stage land sharked due to raising/lowering while armed. Not sure what they were using but that's probably the most public example.
From what I heard, that example was caused by "percussive maintenance" that was taking place, not due to being raised/lowered.
 
From what I heard, that example was caused by "percussive maintenance" that was taking place, not due to being raised/lowered.
I wish I still had the after action review to confirm but I'm 99% sure the sustsiner fired after the rocket was loaded, taken vertical, armed, lowered while armed, and then cooked off when it was being raised again.
 
I wish I still had the after action review to confirm but I'm 99% sure the sustsiner fired after the rocket was loaded, taken vertical, armed, lowered while armed, and then cooked off when it was being raised again.
Remote arming and disarming would prevent these types of incidents. If you have a switch that requires intimate contact with the rocket and your booster misfires, you have to get up on a ladder to disarm your sustainer (and possibly your booster depending on the size of the launcher). I don't know about you guys, but I'm not real confident sticking my face next to a live "J", nevermind a live "N" or whatever the university team was launching. As Steve Shannon stated at the beginning of this thread, "The adoption of remotely switched avionics can greatly reduce the risk of user injury caused by the ignition of a sustainer motor or deployment charge when a staging controller or altimeter is turned on. " That was what drove us to create the WiFi switches, and add the separate deployment power switch into the Quantum and Proton.
 
I wish I still had the after action review to confirm but I'm 99% sure the sustsiner fired after the rocket was loaded, taken vertical, armed, lowered while armed, and then cooked off when it was being raised again.
Yes, it had been raised and lowered multiple times, but the thing that ultimately caused the flight system to trigger was an impact, not the raising/lowering. This was according to someone I know who was at that BALLS who spoke to the team after the incident.

And regardless of what the actual cause was, by the time you're doing a Q to Q space shot your avionics should darn well be able to tell the difference between being raised/lowered and being launched.
 
Last edited:
Not a production issue but I've seen an altimeter fire charges at power-on, after it was loaded vertically on the rail. IIRC the guy it happened to said it was a water damaged altimeter.

Incidentally though, in that particular case the fiberglass nosecone nearly came back down on the guy's head. IMO this particular situation would have been safer if the rocket had been powered on (edit: temporarily, to test) horizontally first, with the nosecone pointed in a safe direction (or better yet, with charges connected but rocket not assembled). Since that incident I have been test powering on my av-bays in exactly that manner prior to coming to the launch site (i.e. charges connected but rocket entirely unassembled).

I will relate that 14 years ago, I had an altimeter firing on ascent and firing on the pad before two launches. I had just armed the altimeter and was beginning to walk away when the beeping stopped. Thank heavens I knew what that meant and stepped away quickly. I was the only one out there as this was a small launch. The apogee blew and I ran back to put try to put the key in the switch with the nosecone faced away from me. Didn’t make it and the main blew. It was a 4 inch diameter thin walled cardboard Loc tubed rocket that was scratch built.

In both cases above it was a low powered tracking transmitter that dorked the deployment electronics that were kit built available at that time. The kits are no longer made. I didn’t know enough about Rf interference at the time. I had bench tested the altimeters and they responded in a normal fashion BUT I didn’t test them in the presence of a tracking transmitter. That said I believe most modern altimeters are immune to this though I know of one where the maker specifically puts in the instructions not to fly it with an Rf tracker. I have one and fly it in a neat rocket on an H123. It goes to ~1300 feet, doesn’t need a tracker with all the events easily seen. Wows, the non-rocketry laity out there the first time they see a dual deploy. Most certainly, the combined deployment altimeters/trackers were fleshed out and tested by the makers before release and I’ve not heard of a problem with any particular brand.

Other events I heard of is indeed when a defective altimeter, ie. either takes a hard hit or was underwater for awhile, is not tested and blows at the next flight. Some of these stories I read were from some very experienced, respected fliers too. Beware of deployment devices that have taken some hard knocks. I‘d say it’s best to test them a few times on the bench. Doesn’t matter if a mechanical switch is present or not in these situations. Turn it on at the mechanical switch and the charges blow.

Only other issue I’ve read about and are the situations back in the old days (like prior to 2006) where deployment devices would immediately blow the charges if the battery was connected up backwards.
I suspect there are not any of the newer electronics that do that but read the manual of said device from front to cover. If it’s a known characteristic, the maker usually mentions it. Mechanical switch on, charges blow.

As far as Mag switches go. I flew them before the rules came out “locked and loaded”. What I mean is I would have charges connected and connect the battery. With the Featherweight Mag switch I’d then take the magnet to put it into the “off” or I like to call it a standby mode because the switch does draw a tiny bit of current. The Featherweight switch defaults to the “on” mode with the battery connected. I then take it to the RSO table, get it cleared and incidentally there were no issues back then because none had come up yet. Take rocket to pad, swipe the magnet and if all the “beeps” were right, go fly. I have to iterate that since I have the bay open, I have the magnet at the ready in my hand and the second I see that blue LED come on, I swipe it off.

The Eggtimer TRS I did similarly thusly: Connect charges, connect battery, put in standby mode and go to the RSO table. Rocket is totally quiet. Get cleared, did pad setup, activate the TRS from the receiver and go fly.

Again, I did this procedure before any rules were in place and these rockets were 38mm minimum diameter ships where a switch installation would be very hard to do. (Outside of twist and tape!) All my larger rockets have switches as it’s not that hard to install.

I haven’t read the amended rule but I understand with the prior iteration one would get a rocket cleared at the RSO table, proceed to a table in a safe spot just past the RSO table, connect up the battery and initialize the electronics to their safe mode then go fly.

I haven’t flown since the rule change so will have to take a peak at it eventually. If it’s still hard to use Mag switches, I’ll probably retire the two rockets I’ve flown a few times and stick with larger ones.

Let it be known my views on staging are all bets are off. With an electronic device that has a motor igniter on the channel there needs to be a mechanical switch for control. If I was going to do it, I’d also use an altimeter that allowed remote activation by Rf means too. Engage the manual switch, get the heck out of the way, make sure everyone is safe, then activate the staging device to standby for launch mode remotely by Rf.

If one wants to be cautious, do what I do. I’ll start to prep rockets in advance, sometimes a week or so and will put contained ematches (no BP) on the altimeter channels, stand the rocket up and turn on the switch. If the altimeter cycles properly, am reassured the electronics are behaving properly. I will do this before every launch as sometimes I don’t get to fly all that often. This will avoid pad hijinks with the electronics. If Rf tracking is involved and I don’t know if the deployment altimeter is compatible, I’ll set everything up with contained ematches and let the electronics run for up to an hour to see if anything adverse happens. I do know the AIM usb and the Adept 22’s don’t take to Rf well and care must be taken to fly them in the presence of a tracker.
(Obviously, if I know already the tracker/altimeters are compatible, I don’t test them before every flight!)

Kurt Savegnago
 
I
Seriously? Any examples?
I have heard of several smaller issues, but nothing as serious as what I suggested.

im not reading this thread but engineering errors do show up on a finished product. Boeing's 737 Max software errors killed hundreds of passengers on two separate airplane crashes.
 
The VT rocket was never raised or lowered. It wasn’t even fully assembled. The booster was assembled with an igniter in it. The sustainer was being assembled. The motor was in it and had its igniter in it which was connected to the outputs of an accelerometer. There was no switch of any kind in series with the battery, which is a violation of NFPA and common sense. Because there was no switch the accelerometer was running.
The sustainer bottom was laying on its side ahead of the booster. Eight students were clustered around it trying to put it together. One student held a wooden block while another pounded it against the parachute trying to assemble the sustainer. We believe the repeated impacts triggered the accelerometer and timer, which then ignited the motor.
One student heard air hissing and thought the rocket was sliding together. Another noticed smoke escaping from a hole and started running. The Q motor caused the sustainer to launch horizontally directly towards another far pad that had people clustered around it. Fortunately the sustainer flew 75-100 feet and then catoed. Had it catoed where the students were assembling the rocket I’m convinced we would have had fatalities. Had it not catoed it might have struck people at the other far pad.
This is why I will always believe that the way an altimeter or other firing circuits should be inhibited until in a firing position is with a completely independent switching device, rather than logic built into the altimeter or firing circuit.
 
Last edited:
I love the old timer attitude that permeates TRF and the hobby as a whole.

Anything anyone calls "safe" is immune from further discussion. It's the sign of an intellectually weak point.

That is how we ended up with the BOD (who cut their teeth on breakwire timers soldered in their garages and have the audacity to question technology they don't understand) passing a bogus wireless switch rule.

Wow.

Every person on the board (and I know them all personally) take the responsibility extremely seriously. They tend to be early adopters of every new rocket device that hits the market and they also tend to be the people who see incidents at Launches.
Several of us have been engineers. I am a Professional Engineer with experience in controls, software, and compliance. Almost without exception every bad incident I’ve investigated or witnessed has intimately involved someone saying “That should never have happened.” It’s our job to imagine what might happen rather than waiting until someone gets killed before making a decision. If you believe that’s us “having the audacity to question technology that (we) don’t understand” that reflects more on you than us.
 
Last edited:
so this current discussion makes me stupid and non understanding

as I read it earlier, wifi altimeters form eggtimer were now allowed without having an extra power switch to turn off the eggtimer as the firing circuits are disabled until enabled with the proper codes
 
The VT rocket was never raised or lowered. It wasn’t even fully assembled. The booster was assembled with an igniter in it. The sustainer was being assembled. The motor was in it and had its igniter in it which was connected to the outputs of an accelerometer. There was no switch of any kind in series with the battery, which is a violation of NFPA and common sense. Because there was no switch the accelerometer was running.
The sustainer bottom was laying on its side ahead of the booster. Eight students were clustered around it trying to put it together. One student held a wooden block while another pounded it against the parachute trying to assemble the sustainer. We believe the repeated impacts triggered the accelerometer and timer, which then ignited the motor.
One student heard air hissing and thought the rocket was sliding together. Another noticed smoke escaping from a hole and started running. The Q motor caused the sustainer to launch horizontally directly towards another far pad that had people clustered around it. Fortunately the sustainer flew 75-100 feet and then catoed. Had it catoed where the students were assembling the rocket I’m convinced we would have had fatalities. Had it not catoed it might have struck people at the other far pad.
This is why I will always believe that the way an altimeter or other firing circuits should be inhibited until in a firing position is with a completely independent switching device, rather than logic built into the altimeter or firing circuit.
So they were assembling the rocket with installed motors and igniters, connected to armed electronics, at the pit area? Wow... all they had to do was to follow NFPA rules and they might have been fine. At the very least, the cato would have been at the pad. No igniters until you're at the pad, and no arming until you're vertical. Pretty simple, really. It's unfortunate that whomever was their mentor didn't drive safety into their heads...
 
so this current discussion makes me stupid and non understanding

as I read it earlier, wifi altimeters form eggtimer were now allowed without having an extra power switch to turn off the eggtimer as the firing circuits are disabled until enabled with the proper codes
It’s water under the bridge now anyway (because it has been overturned by the Tripoli BoD), but the February rule simply required that power be physically disconnected somewhere in the current path between the battery and the igniters or ematches until the rocket was on the field and away from anyone else. Solid state switches like the magnetic switch or WiFi switch could be connected to power as soon as the rocket was on the range.
NFPA 1127 requires that firing circuits for any energetics be inhibited until the rocket is on the pad and in launch position. The underlying NFPA rule has never changed.
 
Last edited:
Status
Not open for further replies.
Back
Top