Our Remote Launch Control System (RLCS) is the electronic system that controls the automatic valves and actuators to remotely fill and ignite the rocket. It is composed of two boxes:
"Clientside" houses a number of switches to control the actuators. It sends commands to
"Towerside", which receives commands from clientside and actually controls the actuators.
In addition to controlling various actuators, RLCS has a few other responsibilities.
Towerside must collect critical information such as its battery voltages and the current draw of the ignition wires (which we use to determine if the ignition succeeded) and broadcast that data to clientside.
Clientside must receive this critical information from towerside and display it on a built-in LCD.
Towerside must additionally collect simple external sensor data at competition. Since we can only rely on RLCS to have a working radio link, we must pass critical sensor data (such as the mass of the rocket, to determine how full of oxidizer it is) through RLCS rather than DAQ.
Clientside must both display this additional sensor data and broadcast it over a USB connection to a computer that will plot and log it.
Towerside must be able to, instead of directly controlling an actuator, issue CAN commands to the rocket via its live telemetry breakout. This is used for actions such as arming the recovery pyrotechnics (via remote arming) or opening the injector valve to launch the rocket.
Towerside must be able to receive CAN messages from the rocket, parse important status information out of them (such as the status of the recovery pyrotechnics), and pass this information on to clientside.
Clientside and Towerside communicate over a UART link. We used to use a pair of XBee S3Bs, but after we saw some reliability issues at SF5 we switched to a pair of UART/Ethernet converters, running RLCS over the same long-range Ethernet antennas that DAQ uses.
Safety
Since RLCS is responsible for handling the dangerous parts of launching the rocket, it must be extremely fail-safe and well-tested. Under no circumstances should there be any possibility of actuators changing state when there are personnel near the engine.
The first component of this safety assurance is the double lockout system. Both clientside and towerside have keyed-alike key switches which prevent the key from being removed when activated. On towerside, activating this key switch disarms the system; on clientside, the key is required to arm the system. When personnel have to approach the tower, they first remove the key from clientside (disarming it) and take the key with them to insert into towerside (disarming it as well). This removes any possibility of clientside being armed while there are personnel at the tower.
Towerside is also designed to fail safely. For any actuator to actuate, two separate actions must be taken: first, a relay determining the direction to actuate must be set, and then a second relay must be enabled to provide power to the actuator. This design prevents any single component failure from being able to perform an undesired actuation.
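The following is an added example, not RLCS code, that models the towerside command path described on this page end to end: a command frame arrives over the link, is validated, is refused while the towerside key switch is activated, and is then carried out as the two-step direction-then-power actuation. The frame layout (STX, actuator id, direction, XOR checksum, ETX), the field names, and the assumption that the direction relay rests in the safe "close" direction are all constructed for this illustration; the real protocol and relay wiring are not described on the page. The single-fault analysis at the end shows the property the safety section claims: with the direction relay resting in the safe direction, neither a welded direction relay nor a welded power relay alone can produce an "open" motion.

```python
"""Model of a fail-safe towerside actuator path: framed command -> validation
-> disarm-key check -> two-relay actuation.  Constructed example; the frame
format, field names and relay model are assumptions, not the project's own."""
from dataclasses import dataclass, field
from typing import Optional, Tuple

# Assumed frame layout (not the project's protocol):
#   STX | actuator id | direction | XOR checksum over the two payload bytes | ETX
STX, ETX = 0x02, 0x03
CLOSE, OPEN = 0x00, 0x01          # CLOSE is assumed to be the safe direction


def checksum(payload: bytes) -> int:
    c = 0
    for b in payload:
        c ^= b
    return c


def encode_command(actuator_id: int, direction: int) -> bytes:
    payload = bytes([actuator_id, direction])
    return bytes([STX]) + payload + bytes([checksum(payload), ETX])


def decode_command(frame: bytes) -> Optional[Tuple[int, int]]:
    """Return (actuator_id, direction), or None for anything malformed.
    A corrupted frame is dropped, never repaired or guessed at: on a flaky
    radio link the safe response to noise is to do nothing."""
    if len(frame) != 5 or frame[0] != STX or frame[4] != ETX:
        return None
    payload = frame[1:3]
    if checksum(payload) != frame[3]:
        return None
    actuator_id, direction = payload
    if direction not in (CLOSE, OPEN):
        return None
    return actuator_id, direction


@dataclass
class Actuator:
    """Two relays in series: the direction relay selects which way the
    actuator will move, the power relay actually drives it.  Setting the
    direction alone moves nothing."""
    direction_relay: int = CLOSE
    power_relay: bool = False
    direction_stuck: Optional[int] = None   # fault injection: relay welded to this value
    power_stuck: Optional[bool] = None      # fault injection: relay welded on/off
    motions: list = field(default_factory=list)

    def tick(self) -> None:
        """One control cycle: read the relays as the hardware actually sees them."""
        direction = self.direction_relay if self.direction_stuck is None else self.direction_stuck
        powered = self.power_relay if self.power_stuck is None else self.power_stuck
        if powered:
            self.motions.append(direction)


@dataclass
class Towerside:
    actuators: dict
    key_activated: bool = False    # towerside key switch activated => system disarmed

    def handle_frame(self, frame: bytes) -> bool:
        """Return True only if a validated command was acted on."""
        cmd = decode_command(frame)
        if cmd is None or self.key_activated:
            return False
        actuator_id, direction = cmd
        act = self.actuators.get(actuator_id)
        if act is None:
            return False
        act.direction_relay = direction     # step 1: select the direction
        act.power_relay = True              # step 2: apply drive power
        act.tick()
        act.power_relay = False             # remove power first ...
        act.direction_relay = CLOSE         # ... then park the direction relay safely
        act.tick()
        return True


def single_fault_motions() -> dict:
    """Run an idle actuator through one control cycle under each single relay
    fault and report the motions that occurred."""
    results = {}
    for name, fault in (("none", {}),
                        ("direction_stuck_open", {"direction_stuck": OPEN}),
                        ("power_stuck_on", {"power_stuck": True})):
        act = Actuator(**fault)
        act.tick()
        results[name] = list(act.motions)
    return results


if __name__ == "__main__":
    tower = Towerside(actuators={1: Actuator()})
    print(tower.handle_frame(encode_command(1, OPEN)))   # acted on: armed, frame valid
    tower.key_activated = True
    print(tower.handle_frame(encode_command(1, OPEN)))   # refused: towerside disarmed
    print(single_fault_motions())                        # no fault yields an OPEN motion
```

The two `tick()` calls in `handle_frame` stand in for the hardware reading its relay outputs; in a real controller the direction relay would be written, allowed to settle, and only then powered, and the power relay would be released before the direction relay is changed back, which is the ordering the model enforces.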