Timer Staging Discussion

[Steve Shannon]

Cameron,
Let me ask you this: which has the ability to do more damage, a rocket falling vertically downward within the COA area accelerated only by gravity or a rocket flying horizontally and possibly off the range while accelerated by a rocket motor?

 

[boatgeek]

OK, Let's break this down analytically and do some risk analysis work. For starters, let's assume a good range setup, where the rockets are launched away from the crowd and any weathercocking does not result in the rocket being over the crowd. While you can't assume that always happens, it should happen at every launch regardless of whether the rockets are staged or not. If it is important, we can assume that the wind may bring rockets under chute back over the crowd.

I see a few basic failure modes:
Instability of the stack during boost
Structural failure of the stack during boost
Instability of the sustainer after staging
Failure to light sustainer
Recovery failure on booster
Recovery failure on sustainer

Please feel free to add failure scenarios since I've likely missed some. The way I look at it, the last four are basically independent of the sustainer lighting method. The failure is not more likely with a timer vs. an inhibited altimeter, nor are the consequences likely to be any more severe. The first two are where I have issues. In both, an inhibit should stop the sustainer from lighting, leading to the sustainer either recovering normally under chutes or lawn darting away from the crowd. In both, a timer will light the sustainer in a random direction. Granted, for most flights, only a small range of aim directions when the sustainer lights will result in catastrophe, but that number is not zero.

I recognize that looks like using speculation and not data. However, I can also assure you that when professionals do risk assessments, they get people with a lot of experience in the room to talk about what risks they think are likely and/or likely to have extreme consequences. The process doesn't look much different from this. They then talk about how to mitigate those risks.

 

[jderimig]

I see a few basic failure modes:
Instability of the stack during boost
Structural failure of the stack during boost
Instability of the sustainer after staging
Failure to light sustainer
Recovery failure on booster
Recovery failure on sustainer

Please feel free to add failure scenarios since I've likely missed some.

Let's add:
Commanded Ignition of sustainer on the pad

 

[JimJarvis50]

OK, Let's break this down analytically and do some risk analysis work. For starters, let's assume a good range setup, where the rockets are launched away from the crowd and any weathercocking does not result in the rocket being over the crowd. While you can't assume that always happens, it should happen at every launch regardless of whether the rockets are staged or not. If it is important, we can assume that the wind may bring rockets under chute back over the crowd.

I see a few basic failure modes:
Instability of the stack during boost
Structural failure of the stack during boost
Instability of the sustainer after staging
Failure to light sustainer
Recovery failure on booster
Recovery failure on sustainer

Please feel free to add failure scenarios since I've likely missed some. The way I look at it, the last four are basically independent of the sustainer lighting method. The failure is not more likely with a timer vs. an inhibited altimeter, nor are the consequences likely to be any more severe. The first two are where I have issues. In both, an inhibit should stop the sustainer from lighting, leading to the sustainer either recovering normally under chutes or lawn darting away from the crowd. In both, a timer will light the sustainer in a random direction. Granted, for most flights, only a small range of aim directions when the sustainer lights will result in catastrophe, but that number is not zero.

I recognize that looks like using speculation and not data. However, I can also assure you that when professionals do risk assessments, they get people with a lot of experience in the room to talk about what risks they think are likely and/or likely to have extreme consequences. The process doesn't look much different from this. They then talk about how to mitigate those risks.

You also need to include failures on the ground (i.e., the sustainer lighting on the pad). The use of an altitude check helps after a launch by requiring a mostly nominal flight, but equally or maybe more important is the safety it provides prior to launch. Assuming that the failure is not a malfunction, then including an altitude check as one of the permissives for ignition should prevent the sustainer from lighting on the pad. I suspect most people have seen sustainers go off prematurely (I've seen that somewhere between 5 and 10 times, roughly), and I have a friend who was burned on his hand and arm when it happened to him (K motor with the rocket horizontal). The VT incident is another example of an accident that probably would not have occurred (at least at the point where it happened) if they had used an altimeter with altitude check rather than a timer.

Jim

 

[Cameron Anderson]

Your hypothesis is incorrect. It’s that simple.

Where is your evidence? If I'm wrong, show me. But you can't, and that is my point. We can infer and offer supposition but the days doesn't exist to prove or disprove my hypothesis.

 

[Cameron Anderson]

You also need to include failures on the ground (i.e., the sustainer lighting on the pad). The use of an altitude check helps after a launch by requiring a mostly nominal flight, but equally or maybe more important is the safety it provides prior to launch. Assuming that the failure is not a malfunction, then including an altitude check as one of the permissives for ignition should prevent the sustainer from lighting on the pad. I suspect most people have seen sustainers go off prematurely (I've seen that somewhere between 5 and 10 times, roughly), and I have a friend who was burned on his hand and arm when it happened to him (K motor with the rocket horizontal). The VT incident is another example of an accident that probably would not have occurred (at least at the point where it happened) if they had used an altimeter with altitude check rather than a timer.

Jim

There was plenty that went wrong with VT, lots of points of failure. Inhibits are one solution, but so would have been a better wiring schematic.

 

[Cameron Anderson]

Cameron,
Let me ask you this: which has the ability to do more damage, a rocket falling vertically downward within the COA area accelerated only by gravity or a rocket flying horizontally and possibly off the range while accelerated by a rocket motor?

Depending on how we play the "what if" game, either scenario could be worse than the other. Which again, is my point - insufficient, VALID data exists to make a call either way. We can make straw man arguments all day, but meaningful comparisons require data.

 

[JimJarvis50]

There was plenty that went wrong with VT, lots of points of failure. Inhibits are one solution, but so would have been a better wiring schematic.

You miss the point, or rather, you make mine. The altitude check helps you when YOU screw up or something happens that you don’t anticipate. If VT didn’t screw things up, then they wouldn’t need an altitude check.

Jim

 

[Steve Shannon]

Depending on how we play the "what if" game, either scenario could be worse than the other. Which again, is my point - insufficient, VALID data exists to make a call either way. We can make straw man arguments all day, but meaningful comparisons require data.

No, you’re saying different situations could result in different answers. I’m asking which has the greatest potential for harm.

Let’s start with a single simple example, which has plenty of data: of those two (horizontal under thrust or free falling vertically) which is more likely to violate the COA?

Another single simple example: of those two, which would probably injure the greater number of people? As real life examples, consider a car flying off the track and into the bleachers at the races versus a car slipping off a jack stand while someone is underneath.
What data are you looking for?

 

[jderimig]

As real life examples, consider a car flying off the track and into the bleachers at the races versus a car slipping off a jack stand while someone is underneath.
What data are you looking for?

I can understand Cameron's point of view as someone who may not approach reliability and safety practice from a probabilistic basis.

The "data" is simply counting the number of un-prevented failure modes of each system, the one with more is more hazardous, QED. "What ifs" and "strawmans" ARE the basis of reliability and safety practice.

I think Cameron's hypothesis is summarized:
"Even though inhibited systems are more safe in theory, that safety advantage hasn't been demonstrated (yet) in practice"

The problem with that stance is once that a severe accident happens with the "theoretically unsafe" system someone or some organization will be sued into oblivion because they knew apriori that the system had "theoretically" unaddressed failure modes.

 

[mikec]

I have a fair amount of sympathy with Cameron's stance and with all of the counterarguments. The only way for a rocket flight to be perfectly safe is to never fly it at all. Anything else is wishful thinking.

I've flown many staged flights, nearly always with a Raven with altitude gating. I have never had an issue with the gating saving me from an unsafe flight, although I have had the gating, set incorrectly, not ignite when it should have.

Many of the examples of staging accidents I've heard of were caused by poor choice of booster motor, an unstable rocket, or badly designed structure. Those should have all been caught by the flyer, although inhibits might have caught them, they shouldn't have had to.

Adding complex systems and redundancy can as easily cause problems as mitigate them, so should always be viewed with suspicion.

In general I'm opposed to the hobby being highly regulated.

All that said, it would be great if someone made a timer-based system that at least had an accelerometer-derived altitude gate. I think there's a good chance that existing timers like the Perfectflite and MWC products could do this with nothing but software mods.

 

[mikec]

All that said, it would be great if someone made a timer-based system that at least had an accelerometer-derived altitude gate.

BTW, I'm well aware that this is not as complete a solution as a barometric altitude gate, much less a tilt measurement. But it would catch some errors, like booster motor underperformance, hanging up on the rail, and some classes of structural failure, and be an improvement over the much coarser launch detection methods that are being used in current timers.

BTW, John Derimiggio has a nice study of the limits of baro/accel methods at https://www.marsasystems.com/index.php/tech-info/can-an-accelerometer-and-baro-sensor-detect-tilt -- it's not great, but could detect 45-degree off-vertical flights.

 

[JoeG]

This sounds like the argument about whether to put up a traffic light or not at a specific intersection. Do we install one that might prevent accidents or do we just wait until X number of people are killed so one is warranted?

How many staging failures on timers alone do we need before we put restrictions on them? No matter what figure we come up with I'm sure there have been enough through the years. I have seen many. Steve's reference to "please light.......please don't light" used to be a common mantra back in the days of crude inaccurate timers. Why not use mercury switches? They work...occasionally. Usually on the way down but I don't think anyone has been killed.

Ever see a motor chuff and slide halfway up the rail and back down again and continue chuffing for a few more seconds and finally lighting? When did the timer for the sustainer start? I don't hav to witness it to know what will happen.

I have seen numerous staged flights, an advantage of being able to attend Air Fest and BALLS where staging abounds, with the sustainer ignition intentionally being disabled by the electronics due to unexpected problems. Using only a timer would have been a bad thing in my opinion.

 

[Steve Shannon]

Very well said, Joe.
I guess it’s this next quote from Cameron that bothers me the most.

I guess this is a better statement of my hypothesis...

Two-stage flight with timers (without inhibits) is equally as risky (in terms of flight failure and injury potential) as staging electronics (with inhibits). Ergo, a blanket prohibition on timer use is not supported by flight record data and does not make staged flights statistically safer than alternative methods.

What’s needed from all high power flyers is the ability to imagine how things can fail, to connect the dots to see where we can improve our own flights and eliminate those technologies or actions which add risk. The use of simple timers for staging, especially for high altitude or high impulse flights, should be discouraged for that reason. Some local clubs do so already, and Tripoli supports those local decisions.
As MikeC said, (please forgive me for paraphrasing; if I get it wrong, tell me) many of the instances where an inhibit circuit might save the day happen because of user errors. (Poor booster choice, stability problems, etc.)
I agree completely. When flyers do everything correctly, the risks go way down. We should constantly be striving to improve that aspect of our hobby, and most people do.
But sometimes, there is a technological advance, which is effective in protecting us from ourselves, which should be adopted in the same way as seat belts or child seats for cars. I understand the desire not to require inhibit circuits organization wide. But understand this, right now we have the ability to write our own organizational requirement based on our own experience and knowledge. If something bad happens and the FAA determines that they must add something in the FARs about staged flights, they might not write a requirement that we would like.
For those who think that’s a stretch, keep in mind that an FAA representative from Washington D.C. attended BALLS this year and observed what we do and how we react. FAA is generally impressed with how we self-police, but as one of them said point blank to me this last year “We’ve mostly been hands off with rocketry because you have a good record, but it would only take one major accident and that would have to change.”

 

[0011001100]

This sounds like the argument about whether to put up a traffic light or not at a specific intersection. Do we install one that might prevent accidents or do we just wait until X number of people are killed so one is warranted?

“We’ve mostly been hands off with rocketry because you have a good record, but it would only take one major accident and that would have to change.”

Personally I think that this is the attitude we need. We need to prevent things before they happen not respond after they happened.

 

[WFWalby]

Very well said, Joe.
I guess it’s this next quote from Cameron that bothers me the most.



What’s needed from all high power flyers is the ability to imagine how things can fail, to connect the dots to see where we can improve our own flights and eliminate those technologies or actions which add risk. The use of simple timers for staging, especially for high altitude or high impulse flights, should be discouraged for that reason. Some local clubs do so already, and Tripoli supports those local decisions.
As MikeC said, (please forgive me for paraphrasing; if I get it wrong, tell me) many of the instances where an inhibit circuit might save the day happen because of user errors. (Poor booster choice, stability problems, etc.)
I agree completely. When flyers do everything correctly, the risks go way down. We should constantly be striving to improve that aspect of our hobby, and most people do.
But sometimes, there is a technological advance, which is effective in protecting us from ourselves, which should be adopted in the same way as seat belts or child seats for cars. I understand the desire not to require inhibit circuits organization wide. But understand this, right now we have the ability to write our own organizational requirement based on our own experience and knowledge. If something bad happens and the FAA determines that they must add something in the FARs about staged flights, they might not write a requirement that we would like.
For those who think that’s a stretch, keep in mind that an FAA representative from Washington D.C. attended BALLS this year and observed what we do and how we react. FAA is generally impressed with how we self-police, but as one of them said point blank to me this last year “We’ve mostly been hands off with rocketry because you have a good record, but it would only take one major accident and that would have to change.”

Well said Steve. I think we barely dodged a bullet at Balls this year. The old adage "Better safe than sorry" comes to mind. YMMV
William

 

[Steve Shannon]

Well said Steve. I think we barely dodged a bullet at Balls this year. The old adage "Better safe than sorry" comes to mind. YMMV
William

Thank you, William. The other old adage (being old I relate) is “An ounce of prevention is better than a pound of cure.”
We’re in kind of a sweet spot right now. We have available technology that can help prevent off axis staging and we haven’t had a major incident resulting from being struck by an off axis staged rocket.

 

[Steve Shannon]

Personally I think that this is the attitude we need. We need to prevent things before they happen not respond after they happened.

Thank you!

 

[Cameron Anderson]

You miss the point, or rather, you make mine. The altitude check helps you when YOU screw up or something happens that you don’t anticipate. If VT didn’t screw things up, then they wouldn’t need an altitude check.

Jim

If I rear end someone, I don't say "I wish I had automatic breaking commission collission control," I say "I messed up."

VT messed up. That doesn't mean their system was bad. A different group with a better checklist and the same set up doesn't havr an issue.

 

[Cameron Anderson]

No, you’re saying different situations could result in different answers. I’m asking which has the greatest potential for harm.

Let’s start with a single simple example, which has plenty of data: of those two (horizontal under thrust or free falling vertically) which is more likely to violate the COA?

Another single simple example: of those two, which would probably injure the greater number of people? As real life examples, consider a car flying off the track and into the bleachers at the races versus a car slipping off a jack stand while someone is underneath.
What data are you looking for?

Your question still has too many variables, it is still just a "what if" game. Assuming both scenarios are identical (same airframe, motor, flight profile), I think the likelihood for injury is the same, or negligibly different for, let's assume, a 3" FG airframe in a full K.

The velocity of a K under thirst down and one falling from 10,000 feet is different, say 800 vs 500 mph, but at impact in only affects a small area. Likelihood of injury in that small area is small and the injuries are equally as severe. Therefore, it doesn't matter if it is under thrust or freaking, the risk is the same.

 

[Cameron Anderson]

I can understand Cameron's point of view as someone who may not approach reliability and safety practice from a probabilistic basis.

The "data" is simply counting the number of un-prevented failure modes of each system, the one with more is more hazardous, QED. "What ifs" and "strawmans" ARE the basis of reliability and safety practice.

I think Cameron's hypothesis is summarized:
"Even though inhibited systems are more safe in theory, that safety advantage hasn't been demonstrated (yet) in practice"

The problem with that stance is once that a severe accident happens with the "theoretically unsafe" system someone or some organization will be sued into oblivion because they knew apriori that the system had "theoretically" unaddressed failure modes.

I wouldnt even go so far as to say that inhibit features are more safe, I would say they allow for a more controllable flight profile.

If this is a legal argument and not a scientific one, ban timers, but also ban single electronic deployment and motor ejection as well.

To me, the legal boogie man and the safety boogie man are bedfellows, based on dear and not science.

Safety protocols the world over are based on simple math...likelihood of failure X times severity of injury Y equals absolute danger Z. Not hypotheticalss or anecdotal evidence. Fact. And certainly no fear.

 

[Cameron Anderson]

I have a fair amount of sympathy with Cameron's stance and with all of the counterarguments. The only way for a rocket flight to be perfectly safe is to never fly it at all. Anything else is wishful thinking.

I've flown many staged flights, nearly always with a Raven with altitude gating. I have never had an issue with the gating saving me from an unsafe flight, although I have had the gating, set incorrectly, not ignite when it should have.

Many of the examples of staging accidents I've heard of were caused by poor choice of booster motor, an unstable rocket, or badly designed structure. Those should have all been caught by the flyer, although inhibits might have caught them, they shouldn't have had to.

Adding complex systems and redundancy can as easily cause problems as mitigate them, so should always be viewed with suspicion.

In general I'm opposed to the hobby being highly regulated.

All that said, it would be great if someone made a timer-based system that at least had an accelerometer-derived altitude gate. I think there's a good chance that existing timers like the Perfectflite and MWC products could do this with nothing but software mods.

I wish MW made a PET3 with a tilt inhibit from the acceletometet already on the PET2.

And you got my point exactly, staged flight is very complex and failures of all kinds occur with all sorts of systems. People are erroneously pointing to timers as the root of all staging evil and the most unsafe component of staging, which as ive said before, is an opinion not borne out by the data.

 

[Cameron Anderson]

This sounds like the argument about whether to put up a traffic light or not at a specific intersection. Do we install one that might prevent accidents or do we just wait until X number of people are killed so one is warranted?

How many staging failures on timers alone do we need before we put restrictions on them? No matter what figure we come up with I'm sure there have been enough through the years. I have seen many. Steve's reference to "please light.......please don't light" used to be a common mantra back in the days of crude inaccurate timers. Why not use mercury switches? They work...occasionally. Usually on the way down but I don't think anyone has been killed.

Ever see a motor chuff and slide halfway up the rail and back down again and continue chuffing for a few more seconds and finally lighting? When did the timer for the sustainer start? I don't hav to witness it to know what will happen.

I have seen numerous staged flights, an advantage of being able to attend Air Fest and BALLS where staging abounds, with the sustainer ignition intentionally being disabled by the electronics due to unexpected problems. Using only a timer would have been a bad thing in my opinion.

How many unintended ignitions have occurred with timer only use, that is the second question.

Third question is how many unintended ignition have occurred with inhibited systems.

The first question, still remains, what is the largest fail point in staged flight? And I still don't see it as sustainer ignition.

Until we evaluate and categorize all failures, it is folly to blame timers. If it is timers and the data proves it, I'll throw mine away tomorrow. But I'd bet a buffalo nickel timer bans have more to do with ago/personal preference than science that says timers are the most unsafe component of staged flight.

 

[Cameron Anderson]

Very well said, Joe.
I guess it’s this next quote from Cameron that bothers me the most.



What’s needed from all high power flyers is the ability to imagine how things can fail, to connect the dots to see where we can improve our own flights and eliminate those technologies or actions which add risk. The use of simple timers for staging, especially for high altitude or high impulse flights, should be discouraged for that reason. Some local clubs do so already, and Tripoli supports those local decisions.
As MikeC said, (please forgive me for paraphrasing; if I get it wrong, tell me) many of the instances where an inhibit circuit might save the day happen because of user errors. (Poor booster choice, stability problems, etc.)
I agree completely. When flyers do everything correctly, the risks go way down. We should constantly be striving to improve that aspect of our hobby, and most people do.
But sometimes, there is a technological advance, which is effective in protecting us from ourselves, which should be adopted in the same way as seat belts or child seats for cars. I understand the desire not to require inhibit circuits organization wide. But understand this, right now we have the ability to write our own organizational requirement based on our own experience and knowledge. If something bad happens and the FAA determines that they must add something in the FARs about staged flights, they might not write a requirement that we would like.
For those who think that’s a stretch, keep in mind that an FAA representative from Washington D.C. attended BALLS this year and observed what we do and how we react. FAA is generally impressed with how we self-police, but as one of them said point blank to me this last year “We’ve mostly been hands off with rocketry because you have a good record, but it would only take one major accident and that would have to change.”

Self-policing is the futute of the hobby. You are totally right. And we, as an organization need to create the policies and procedures that ensure safety. But a timer ban is capricious and not backed by data. The only thing worse than doing nothing is doing the wrong thing based on fear and incomplete data. If we act too hastily because "safety" based on aassumptions, we may act too quickly and miss a real risk, and that would be terrible.

I'm not a "timer or death" guy, but I am asking for a more structured decision process than an anecdotal review of several events without science.

We are rocketeers! Sciencr is what we do. You can't tell me the professional expertise doesn't exist to answer this question.

 

[Cameron Anderson]

Personally I think that this is the attitude we need. We need to prevent things before they happen not respond after they happened.

So let's prevent the right thing and allow science and data to determine the safest course of action and not personal opinion. Logical fallacies abound in the safety world - let's identify the correct fail points and apply the correct remedy.

 

[Cameron Anderson]

Well said Steve. I think we barely dodged a bullet at Balls this year. The old adage "Better safe than sorry" comes to mind. YMMV
William

Wrong. There is no science in "better safe than sorry." Wishful thinking and unsupported conclusions can be more dangerous than doing nothing at all.

 

[Steve Shannon]

Your question still has too many variables, it is still just a "what if" game. Assuming both scenarios are identical (same airframe, motor, flight profile), I think the likelihood for injury is the same, or negligibly different for, let's assume, a 3" FG airframe in a full K.

The velocity of a K under thirst down and one falling from 10,000 feet is different, say 800 vs 500 mph, but at impact in only affects a small area. Likelihood of injury in that small area is small and the injuries are equally as severe. Therefore, it doesn't matter if it is under thrust or freaking, the risk is the same.

Except that if it’s flying through a crowd horizontally it’ll strike several people. You keep ignoring the word “potential.”

 

[tim cubbedge]

This one would not have lit if it had some type of inhibition such as altitude lock out.

 

[Cameron Anderson]

Thank you, William. The other old adage (being old I relate) is “An ounce of prevention is better than a pound of cure.”
We’re in kind of a sweet spot right now. We have available technology that can help prevent off axis staging and we haven’t had a major incident resulting from being struck by an off axis staged rocket.

But is off axis firing, or any firing of a sustainer in less than optimal conditions, the largest safety issue in staged flight? And if so, is a timer ban the way to remedy it?

The simple answer is no, we don't.

So let's science this thing, collect data, and do real fault analysis.

That's all I'm.asking for and the resistance to a scientific process in the name of "safety!" is quite discouraging.

 

[Cameron Anderson]

Except that if it’s flying through a crowd horizontally it’ll strike several people. You keep ignoring the word “potential.”

So what is the potential?
How about we go one better - what is the rate?
How many rockets have gone horizontal through a crowd? Not across the field, and near the flight line...through the crowd. That gives us one number for our formula. And gets us closer to the answer.