[NSRCA-discussion] How to safely arm/disarm your motor packs?

John Ford jsf106 at gmail.com
Mon Feb 23 04:28:21 AKST 2015 

In my experience, the fact that I have a physical wire and bullets hanging out in the breeze on the side of the plane makes it even easier for the caller to remember to disconnect it before picking the plane up. As stated previously, it also displays very obviously to even the layperson spectator that the plane isn't going anywhere and is safe to walk around…which can't be said about internal disconnects, or even arming plugs. 

Speaking of Safety Engineering, if the NSRCA were to call ANY specialized safety engineering firm, or ask someone from IEEE, for instance, for expert advice on how to do Energy Isolation on our planes, they would all say the same things…first, create some standard design of internal wiring…second, that the wiring terminates in a physical, visible, accessible, positive isolation device. Thirdly, that there is a means of demonstrating that the energy isolation path cannot be defeated, short of reversing the isolation device itself.
These basic concepts come from decades of electrical engineering experiences where, unfortunately, thousands of individuals have been injured or killed due to lack of adequate energy isolation. These accidents range from as little as simple low DC-level shocks all the way to ugly high-hp drives.
We aren't debating anything new here. 

On another note, I agree totally with the fail-safe check prior to a contest. At least, it reduces the likelihood of a radio cause-factor as a factor in a rogue plane incident. But, to me, that is totally outside of the energy isolation equation. Even if the chief designer of the Futaba, JR, or JETI firmware were to set up my plane to "lock out" the motor circuit by means of the firmware, I'd not put my own son (who flies Masters with me) in front of the plane to "test" it. What right do I then have to endanger anyone else with that same illusion of "control"? 

Regardless of what technology we use, I will treat every plane like a loaded gun, regardless of what the pilot says or does. If someone shows up with a plane that has external disconnect and I take a peak inside to confirm that the disconnect is in fact in the battery circuit, then I might relax a little and trust that person's plane more than anyone else's.
Short of that, every plane is a random chain of widgets with a set of 5hp electric knives on the front end. Nothing more, nothing less.

J


On Feb 22, 2015, at 11:59 PM, Budd Engineering via NSRCA-discussion <nsrca-discussion at lists.nsrca.org> wrote:

> Except when the caller forgets to pull the plug after a flight, which by my observation is about 1/2 to 1/3 of the time.  There is nothing absolute about it.
> 
> There are those who will argue that’s just a training issue but considering how often someone other than a “dedicated" caller gets asked to retrieve a plane (that same 1/2 to 1/3 of the time, think there’s a correlation there?) it becomes clear that using an arming plug isn’t completely fool proof (go figure, virtually nothing is).
> 
> In the engineering safety world the first, preferred method of eliminating a hazard is to change the system design so that the hazard cannot occur (the use of procedures or processes for someone to follow to prevent the hazard is the second method of choice, and the use of warning signs or placards warning individuals about the presence of a hazard is the least desirable or last method chosen).
> 
> There are those in this community who think that the use of an arming plug eliminates the hazard through a change in the system design, however as long as the arming plug has to be removed after the flight.  It doesn’t, as it still relies on someone to follow a process (e.g., remembering to remove the arming plug).  For some airplanes (not all) it may make it easier to access the break in the electrical system.  All of my electric airplanes to date have had canopies that were easy to quickly remove allowing me to mechanically arm the system at the batteries immediately before the aircraft is carried out to the runway (and is under positive control).
> 
> The post-flight process I follow (because I haven’t found a way to design the hazard completely out of the system either) is to ask whomever retrieves my plane to push “in" the external switch on the side of the plane, removing power from the receiver, rendering the system inoperative.  One could argue that if my Jaccio Perfect Switch fails there will still be power applied to the receiver (which is true) and that is why I wiggle the rudder stick as the plane is being retrieved until I see the caller push the switch in AND the rudder stops moving with my stick command.  If the rudder continues to move, I walk directly towards the caller/helper retrieving the my plane instructing them to “push the switch in” until the rudder is no longer moving.  At that point I know the power has been disconnected from the radio system.  I then turn OFF my transmitter which would (if the receiver switch did somehow become re-energized) leave the speed controller commanded to a zero power fail safe state, both at the controller and the receiver (all of the speed controllers I’ve used default to that condition and I program and test my receiver fail-safe to that condition).  The other reason I turn off the transmitter as soon as I can is that it “eliminates" the risk of me bumping the throttle stick to a high power setting while the system is still energized (which from my limited observations is most often the cause of electric system mishaps on the ground).
> 
> As soon as the plane has been retrieved and set down (preferably while still on the flight line) I remove the canopy and disconnect the battery.
> 
> I’ve heard people state that they’ve seen or heard of electric planes that were armed but where the receiver and transmitter were powered off but the electric motor just “start running” uncommanded, on it’s own.  Based on my knowledge of electronics, failure modes and effects logic, and engineering system safety I don’t believe those are credible events and I see no reason to take steps to mitigate the causes of a hazard that simply aren’t credible.  I also believe the use of arming plugs have their place, but there’s certainly an emotional aspect to this among many who don’t trust electronics or software or anything they can’t see with their eyes.  The use of arming plugs in and of themselves does NOT make the system any safer than other methods of removing power from the electric motor/controller system, it just makes it more convenient to physically do so on some airplanes (which isn’t a bad thing btw).  However, one can make the case that that the use of arming plugs can lull some into a false sense of security as nearly all of the cases of runaway electric planes in/around the pits I’ve seen were with planes that had arming plugs that we inadvertently “left in” after a flight and the pilot either bumped the throttle stick or turned off the transmitter with the receiver fail-safe programmed to high throttle (very bad).  Which bring us to another point.
> 
> Want to make things safer?  Have every pilot, prior to their first flight of the day, demonstrate to the judges that the power is cut to the motor when their transmitter is turned off.  It would only take a moment to demonstrate and I think it’d open eyes at the number of planes already flying at contests these days that would fail this simple yet effective test.  Here’s a question for those reading this.  Do YOU program your radios and speed controllers to go to “zero” power if the radio is turned off or loses link?  Have you tested it?  If not, why not?  And if you have, do you periodically re-test it after making a physical change such as replacing a controller or changing receivers?
> 
> I digress.  Why do I use a layered approach of processes that I’m responsible for executing vs having someone else remove an arming plug?  There’s several reasons why.  One is that I (like everyone else) haven’t figured out yet how to completely design the hazard out of the system, fully mitigating the risk.  Another is that introducing additional components into a system increases the likelihood of a component failing, something I’d rather avoid.  Lastly, I have simply found that you can’t consistently rely on others to remember to execute a safety critical action (in this case 8-10 minutes after you remind them to do it), no matter how simple the task.  People aren’t that reliable, especially uninvolved participants frequently asked at the last minute to help out with retrieving a plane after a flight   What I’ve done is to set up a series of mitigation events that I am responsible for doing such that my enacting any ONE of them will mitigate the risk to at least the same level of probability of occurrence as someone remembering to remove an arming plug.  And by doing additional or ALL of the steps I outlined the risk is far less than that as the residual risk is the product of the probability of failure of each mitigation step (e.g., it’s the same as a series of OR gates in a logic diagram).
> 
> That’s why I chose not to use an arming plug.
> 
> Anyway, as always, Caveat Emptor, YMMV, etc…
> 
> Jerry
> 
> 
>> On Feb 22, 2015, at 3:20 PM, James Hiller via NSRCA-discussion <nsrca-discussion at lists.nsrca.org> wrote:
>> 
>> I use an arming plug. It is the third and absolute level of safety in a properly setup system. When my caller pulls the plug before picking up the airplane he is assured that there is nothing I can do from the transmitter accidentally or otherwise, or any electronic failure will cause the motor to run unexpectedly.
>> Jim
> 
> _______________________________________________
> NSRCA-discussion mailing list
> NSRCA-discussion at lists.nsrca.org
> http://lists.nsrca.org/mailman/listinfo/nsrca-discussion

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.nsrca.org/pipermail/nsrca-discussion/attachments/20150223/223561ec/attachment.html>

More information about the NSRCA-discussion mailing list