Some Design History for the LV2 recovery node
The recovery electronics for LV2 have been completely redesigned. The circuitry previously used in LV1 obviously worked, but it had some problems. This is a brief exposition of the lessons learned from LV1, and how those lessons were incorporated in LV2's new design.
LV1 had redundant power, sort of. It had a lithium primary battery dedicated to the recovery circuits, completely independent of any other power sources. This was a good and reasonable system, but it had several drawbacks. The primary battery had to be changed more or less every time we launched. Since no battery holder satisfied our reliability concerns, the batteries had to be soldered in and out. Further, the batteries were buried pretty deeply in the payload, requiring some assembly and disassembly each time.
Changing batteries was time consuming, and made the avionics team grumpy. It also prevented us from launching or re-launching quickly, which is a project goal.
The new design uses a rechargeable battery. This introduces some design complexity and lowers the reliability of the battery itself. Of course it completely avoids frequent battery changes. It also has the potential to raise the overall power system reliability.
Increased reliability is possible because the number of critical operations is minimized. Every time the primary battery was soldered in on the old system, each new solder joint became a new, potentially critical, failure point. We of course tested the system, but the test was necessarily a quick one. In addition to the batteries, some part of the payload had to be taken apart and reassembled, creating more potential problems.
Further, the old approach put time pressure on the pre-launch phase. The old recovery system was controlled by mechanical switches, which for aerodynamic reasons were hard to get at. Once the switches were thrown, only a finite and somewhat uncertain amount of battery life remained. The only way to turn the system off was to be in direct contact with the rocket on the pad, a potentially dangerous situation. Also, the switches themselves were reliability concerns, as they had to survive possibly rough handling and a high-gee, high-vibration environment.
Because of the concern about the mechanical switches we decided to go to (almost) all electronic power control. This means that the flight computer, and possibly the backup 2 meter uplink, can electronically control the power to all the various systems. The exceptions to this are an electrical "turn on" command that can be sent through the shore power umbilical, and a pyrotechnic shorting screw that can be physically installed into the airframe skin to completely disable the PYRO igniter circuits. Significantly, it also means that there are no mechanical switches in the power bus at all. Like some personal computers, soft-off is all you get.
In summary we now believe that:
- Safety requires that, when possible, all moments of inherent danger must be designed out.
Clearly there is unavoidable danger that the parachutes will fail and the rocket will be destroyed, but prior to the actual deployment of the chutes no single failure should be capable of harming or destroying either the people or the vehicle.
- It's important to make the critical systems as hassle-free as possible.
If a lot of work or a great deal of expertise or focused attention is required to make a system work reliably, then the chances are good that eventually a mistake will be made.
- The state of the critical system should be as plain as possible.
For LV2 we intend to estimate the state of the battery using a firmware algorithm, so that it will always be available in the status display. Automated testing of the system allows for reliable and rapid go/no-go indication. A shorting screw with an attached big orange flag provides a clear visual indication whether or not the recovery system is in a safe state.
These key functions of the LV1 design have been retained in LV2:
- Independent power supply for the recovery system
- Redundant radio communications to the recovery system using both the flight computer uplink and a separate dedicated 2 meter uplink
- Independent software implementing a simple timer as a failsafe to deploy the parachutes
- Automated self-check to test the recovery system just prior to launch
- Redundant pyrotechnic circuits
These points represent things which were changed in the LV2 design because the LV1 methods were not satisfactory:
- Mechanical switches eliminated
- Primary battery replaced by rechargeable battery
- Recovery system also draws power from the main bus
- Added separate mechanical interlock (shorting screw) to "safe" the pyrotechnic system
- Changed the low voltage ignition system to a high voltage system