[NSRCA-discussion] How to safely arm/disarm your motor packs?

[Vicente Bortone]

I agree 100% with John's analysis.

Vicente "Vince" Bortone

On Monday, February 23, 2015, John Ford via NSRCA-discussion <
nsrca-discussion at lists.nsrca.org> wrote:

> In my experience, the fact that I have a physical wire and bullets hanging
> out in the breeze on the side of the plane makes it even easier for the
> caller to remember to disconnect it before picking the plane up. As stated
> previously, it also displays very obviously to even the layperson spectator
> that the plane isn't going anywhere and is safe to walk around…which can't
> be said about internal disconnects, or even arming plugs.
>
> Speaking of Safety Engineering, if the NSRCA were to call ANY specialized
> safety engineering firm, or ask someone from IEEE, for instance, for expert
> advice on how to do Energy Isolation on our planes, they would all say the
> same things…first, create some standard design of internal wiring…second,
> that the wiring terminates in a physical, visible, accessible, positive
> isolation device. Thirdly, that there is a means of demonstrating that the
> energy isolation path cannot be defeated, short of reversing the isolation
> device itself.
> These basic concepts come from decades of electrical engineering
> experiences where, unfortunately, thousands of individuals have been
> injured or killed due to lack of adequate energy isolation. These accidents
> range from as little as simple low DC-level shocks all the way to ugly
> high-hp drives.
> We aren't debating anything new here.
>
> On another note, I agree totally with the fail-safe check prior to a
> contest. At least, it reduces the likelihood of a radio cause-factor as a
> factor in a rogue plane incident. But, to me, that is totally outside of
> the energy isolation equation. Even if the chief designer of the Futaba,
> JR, or JETI firmware were to set up my plane to "lock out" the motor
> circuit by means of the firmware, I'd not put my own son (who flies Masters
> with me) in front of the plane to "test" it. What right do I then have to
> endanger anyone else with that same illusion of "control"?
>
> Regardless of what technology we use, I will treat every plane like a
> loaded gun, regardless of what the pilot says or does. If someone shows up
> with a plane that has external disconnect and I take a peak inside to
> confirm that the disconnect is in fact in the battery circuit, then I might
> relax a little and trust that person's plane more than anyone else's.
> Short of that, every plane is a random chain of widgets with a set of 5hp
> electric knives on the front end. Nothing more, nothing less.
>
> J
>
>
> On Feb 22, 2015, at 11:59 PM, Budd Engineering via NSRCA-discussion <
> nsrca-discussion at lists.nsrca.org
> <javascript:_e(%7B%7D,'cvml','nsrca-discussion at lists.nsrca.org');>> wrote:
>
> Except when the caller forgets to pull the plug after a flight, which by
> my observation is about 1/2 to 1/3 of the time.  There is nothing absolute
> about it.
>
> There are those who will argue that’s just a training issue but
> considering how often someone other than a “dedicated" caller gets asked to
> retrieve a plane (that same 1/2 to 1/3 of the time, think there’s a
> correlation there?) it becomes clear that using an arming plug isn’t
> completely fool proof (go figure, virtually nothing is).
>
> In the engineering safety world the first, preferred method of eliminating
> a hazard is to change the system design so that the hazard cannot occur
> (the use of procedures or processes for someone to follow to prevent the
> hazard is the second method of choice, and the use of warning signs or
> placards warning individuals about the presence of a hazard is the least
> desirable or last method chosen).
>
> There are those in this community who think that the use of an arming plug
> eliminates the hazard through a change in the system design, however as
> long as the arming plug has to be removed after the flight.  It doesn’t, as
> it still relies on someone to follow a process (e.g., remembering to remove
> the arming plug).  For some airplanes (not all) it may make it easier to
> access the break in the electrical system.  All of my electric airplanes to
> date have had canopies that were easy to quickly remove allowing me to
> mechanically arm the system at the batteries immediately before the
> aircraft is carried out to the runway (and is under positive control).
>
> The post-flight process I follow (because I haven’t found a way to design
> the hazard completely out of the system either) is to ask whomever
> retrieves my plane to push “in" the external switch on the side of the
> plane, removing power from the receiver, rendering the system inoperative.
> One could argue that if my Jaccio Perfect Switch fails there will still be
> power applied to the receiver (which is true) and that is why I wiggle the
> rudder stick as the plane is being retrieved until I see the caller push
> the switch in AND the rudder stops moving with my stick command.  If the
> rudder continues to move, I walk directly towards the
> caller/helper retrieving the my plane instructing them to “push the switch
> in” until the rudder is no longer moving.  At that point I know the power
> has been disconnected from the radio system.  I then turn OFF my
> transmitter which would (if the receiver switch did somehow become
> re-energized) leave the speed controller commanded to a zero power fail
> safe state, both at the controller and the receiver (all of the speed
> controllers I’ve used default to that condition and I program and test my
> receiver fail-safe to that condition).  The other reason I turn off the
> transmitter as soon as I can is that it “eliminates" the risk of me bumping
> the throttle stick to a high power setting while the system is still
> energized (which from my limited observations is most often the cause of
> electric system mishaps on the ground).
>
> As soon as the plane has been retrieved and set down (preferably while
> still on the flight line) I remove the canopy and disconnect the battery.
>
> I’ve heard people state that they’ve seen or heard of electric planes that
> were armed but where the receiver and transmitter were powered off but
> the electric motor just “start running” uncommanded, on it’s own.  Based on
> my knowledge of electronics, failure modes and effects logic, and
> engineering system safety I don’t believe those are credible events and I
> see no reason to take steps to mitigate the causes of a hazard that simply
> aren’t credible.  I also believe the use of arming plugs have their place,
> but there’s certainly an emotional aspect to this among many who don’t
> trust electronics or software or anything they can’t see with their eyes.
> The use of arming plugs in and of themselves does NOT make the system any
> safer than other methods of removing power from the electric
> motor/controller system, it just makes it more convenient to physically do
> so on some airplanes (which isn’t a bad thing btw).  However, one can make
> the case that that the use of arming plugs can lull some into a false sense
> of security as nearly all of the cases of runaway electric planes in/around
> the pits I’ve seen were with planes that had arming plugs that
> we inadvertently “left in” after a flight and the pilot either bumped the
> throttle stick or turned off the transmitter with the receiver fail-safe
> programmed to high throttle (very bad).  Which bring us to another point.
>
> *Want to make things safer?  Have every pilot, *prior to their first
> flight of the day, *demonstrate to the judges that the power is cut to
> the motor when their transmitter is turned off.*  It would only take a
> moment to demonstrate and I think it’d open eyes at the number of planes
> already flying at contests these days that would fail this simple yet
> effective test.  Here’s a question for those reading this.  Do YOU program
> your radios and speed controllers to go to “zero” power if the radio is
> turned off or loses link?  Have you tested it?  If not, why not?  And if
> you have, do you periodically re-test it after making a physical change
> such as replacing a controller or changing receivers?
>
> I digress.  Why do I use a layered approach of processes that I’m
> responsible for executing vs having someone else remove an arming plug?
> There’s several reasons why.  One is that I (like everyone else) haven’t
> figured out yet how to completely design the hazard out of the system,
> fully mitigating the risk.  Another is that introducing additional
> components into a system increases the likelihood of a component failing,
> something I’d rather avoid.  Lastly, I have simply found that you can’t
> consistently rely on others to remember to execute a safety critical action
> (in this case 8-10 minutes after you remind them to do it), no matter how
> simple the task.  People aren’t that reliable, especially uninvolved
> participants frequently asked at the last minute to help out
> with retrieving a plane after a flight   What I’ve done is to set up a
> series of mitigation events that I am responsible for doing such that my
> enacting any ONE of them will mitigate the risk to at least the same level
> of probability of occurrence as someone remembering to remove an arming
> plug.  And by doing additional or ALL of the steps I outlined the risk is
> far less than that as the residual risk is the product of the probability
> of failure of each mitigation step (e.g., it’s the same as a series of OR
> gates in a logic diagram).
>
> That’s why I chose not to use an arming plug.
>
> Anyway, as always, Caveat Emptor, YMMV, etc…
>
> Jerry
>
>
> On Feb 22, 2015, at 3:20 PM, James Hiller via NSRCA-discussion <
> nsrca-discussion at lists.nsrca.org
> <javascript:_e(%7B%7D,'cvml','nsrca-discussion at lists.nsrca.org');>> wrote:
>
> I use an arming plug. It is the third and absolute level of safety in a
> properly setup system. When my caller pulls the plug before picking up the
> airplane he is assured that there is nothing I can do from the transmitter
> accidentally or otherwise, or any electronic failure will cause the motor
> to run unexpectedly.
> Jim
>
>
> _______________________________________________
> NSRCA-discussion mailing list
> NSRCA-discussion at lists.nsrca.org
> <javascript:_e(%7B%7D,'cvml','NSRCA-discussion at lists.nsrca.org');>
> http://lists.nsrca.org/mailman/listinfo/nsrca-discussion
>
>
>

-- 
Vicente "Vince" Bortone
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.nsrca.org/pipermail/nsrca-discussion/attachments/20150223/9b170d58/attachment.html>