FMECA Volume 1: Top Level
Contents
… | … Level related | … used | FMECA V6 Risk 11.4
0000712 | Diver Physiology related | A Diver Emergency Switch for the commercial diver using a helmet shall be provided | Y Y Y | FMECA V6 Risk 18.11
0000723 | Safety Process related | A Safety certification body shall have a strong ethical and moral responsibility | Y Y Y | FMECA V6 Risk 20.3
0000725 | Safety Process related | Failure of a rebreather's electronic or programmed part to meet the Safety standard to be […] incompetence and negligence | Y Y Y | FMECA V6 Risk 20.3
0000724 | Safety Process related | Manufacturers shall have a responsibility to ensure the Safety certification body is fully informed | Y Y Y | FMECA V6 Risk 20.3
0000722 | Safety Process related | IEE/BCS grades shall be applied, increasing with increasing SIL level | Y Y Y | FMECA V6 Risk 20.1
0000721 | Safety Process related | FMECA shall be reviewed annually | Y Y Y | FMECA V6 Risk 20.1
0000720 | Diver Physiology related | Counter-diffusion hazard shall be stated clearly in training manuals | Y Y Y | FMECA V6 Risk 18.13
0000719 | Diver Physiology related | N2 shall be measured, with an alarm if less than 500 mbar of N2 | Y Y Y | FMECA V6 Risk 18.13
0000718 | Diver Physiology related | Instruction and information on pulmonary exposure risks shall be provided | Y Y Y | FMECA V6 Risk 18.12
0000717 | …
0000556 | Oxygen Level Monitoring related | Visual feedback in the PFD, in addition to audible alarms or a vibrating mouthpiece, shall be used | Y Y | FMECA V6 Risk 10.10
0000553 | Oxygen Level Monitoring related | An O2 sensor fusion algorithm shall be used that can detect one good sensor among faulty sensors | Y Y | FMECA V6 Risks 10.9, 10.10
0000554 | Oxygen Level Monitoring related | A fault assessment of O2 cell failure modes shall be carried out | FMECA V6 Risk 10.9
0000552 | Oxygen Level Monitoring related | O2 cells shall be loaded to produce the lowest output voltage consistent with achieving the desired SNR | Y Y | FMECA V6 Risk 10.8
0000551 | Oxygen Level Monitoring related | O2 sensor ceiling shall be tested by injecting a charge into the sensor to simulate a PPO2 of 2.5 atm | Y Y | FMECA V6 Risk 10.8
0000548 | Oxygen Level Monitoring related | SMB connector shall be used to minimise risk […] | FMECA V6 Risk 10.6
0000541 | Oxygen Level Monitoring related | The electronics shall check that the correct O2 sensor type is fitted and the fixed load is present | Y Y | FMECA V6 Risks 10.1, 10.5
0000540 | Oxygen Level Monitoring related | The temperature compensation circuit shall be removed from the O2 sensor and replaced with a fixed load | Y Y | FMECA V6 Risks 10.1, 10.5
… | Oxygen Level Monitoring related | System shall check for O2 sensor drift durin…
… related | FMECA V6 Risk 6.17
0000432 | Oxygen Insufficiency related | Auto bailout and shutoff valve to be fitted | FMECA V6 Risks 6.6, 6.7, 6.11
0000431 | Oxygen Insufficiency related | Oxygen injector to be a variable orifice valve | FMECA V6 Risks 6.6, 6.7, 6.12
0000449 | Oxygen Insufficiency related | OPV to be placed between the inhale counterlung (CL) and the mouthpiece | FMECA V6 Risks 6.16, 6.17
0000446 | Oxygen Insufficiency related | Manual gas injection shall be eliminated when Make Up Gas is used during ascent to the surface | FMECA V6 Risk 6.16
0000444 | Oxygen Insufficiency related | […] gases to be detected | FMECA V6 Risk […]
0000443 | Oxygen Insufficiency related | User to be required to flush or ascend if PPO2 increases over the set point while the second motor driver is connected | FMECA V6 Risk 6.13
0000442 | Oxygen Insufficiency related | Second driver to be connected in case of O2 orifice motor driver failure | FMECA V6 Risk 6.13
0000441 | Oxygen Insufficiency related | O2 orifice motor driver failure to be detected automatically | FMECA V6 Risk 6.13
0000440 | Oxygen Insufficiency related | Oxygen injector shall operate with both compensated and non-compensated regulators | FMECA V6 Risk 6.12
0000439 | Oxygen Insufficiency related | Full safety verification and assessment to be carried out to ensure the O2 injector operates correctly | FMECA V6 Risk 6.12
0000426 | Oxygen Insufficiency related | Oxygen injector and oxygen cylinder pressure to be monitored by the system | FMECA V6 Ri…
… related | FMECA V6 Risk 9.11
0000738 | Controller and Information related | The primary information device shall not be a handset | FMECA V6 Risk 9.11
0000519 | Controller and Information related | Multiple annunciation shall be provided | FMECA V6 Risk 9.11
0000737 | Umbilical Supplied Dives related | User manual shall require the diver to check the one-way valve before every dive | Y Y Y | FMECA V6 Risk 17.14
0000736 | Controller and Information related | The Functional Safety process, or the Functional Safety of the design, shall be audited | Y Y Y | FMECA V6 Risk 9.12
0000735 | Controller and Information related | All staff working on software shall meet CASS Competency Levels | FMECA V6 Risk 9.12
0000521 | Controller and Information related | Normal practices for non-safety-related software, such as automated GUI checks, shall not be applied | Y Y Y | FMECA V6 Risk 9.12
0000732 | Diver Physiology related | Equivalent Air Depths (EAD) shall be monitored | Y Y Y | FMECA V6 Risks 18.14, 18.15
0000734 | Diver Physiology related | Narcosis hazard and its contributory factors shall be stated clearly in training manuals | Y Y Y | FMECA V6 Risk 18.14
0000733 | Diver Physiology related | User manual shall warn clearly of Argon risks in oxygen | Y Y Y | FMECA V6 Risk 18.14
0000727 | Controller and Information related | Three power sources shall be provided | FMECA V6 Risks 9.1, 9.2
0000576 | Carbon Dioxide Level related | Granular material packed by users shall not be … | Y Y Y
Rev B2, Page 10 of 33, PASSED FOR PUBLICATION
… shall be fitted | FMECA V6 Risk 12.1
0000604 | Carbon Dioxide Level related | Loop operation under all plausible fault conditions and pressures shall be verified using formal methods | FMECA V6 Risk 11.1
0000603 | Carbon Dioxide Level related | Any structure that can bypass the scrubber under any circumstances shall not be used | FMECA V6 Risk 11.14
Rev B2, Page 18 of 33
0000602 | Carbon Dioxide Level related | WOB shall be verified not to increase suddenly at negative loop pressures | Y Y Y | FMECA V6 Risk 11.13
0000601 | Carbon Dioxide Level related | Counterlung material performance shall be verified under a wider range of conditions | Y Y Y | FMECA V6 Risk 11.12
0000600 | Carbon Dioxide Level related | Effect of reversed flow shall be assessed | Y Y Y | FMECA V6 Risk 11.11
0000599 | Carbon Dioxide Level related | Connectors and hose lengths shall be designed so it is not possible to swap the hoses accidentally | Y Y Y | FMECA V6 Risk 11.11
0000598 | Carbon Dioxide Level related | One-way valve assemblies shall be designed so it is impossible to swap webs from inhale to exhale | Y Y Y | FMECA V6 Risk 11.11
0000597 | Carbon Dioxide Level related | One-way valve assembly shall be designed so it is impossible to insert mushrooms from the wrong side of the web | Y Y Y | FMECA V6 Risk 11.11
0000596 | Carbon Dioxide Level related | Hoses shall not kink or pinch | Y Y Y | FMECA V6 Risk 11.10
0000595 | Carbon Dioxide Level related | Audible warning of flood shall be provided | Y Y Y | FMECA V6 Risk 11.9
0000594 | Carbon Dioxide Level related | Electronic flood warnings shall be provided where it is within ALARP to do so | Y Y Y | FMECA V6 Risk 11.9
0000593 | Carbon Dioxide Level related | Water traps in the mouthpiece as well as in the counterlungs shall be provided | Y Y Y | FMECA V6 Risk 11.9
0000592 | Carbon Dioxide Level related | User manual shall explain the caustic risk and how to avoid scrubber liquid touching the lips, face or tongue | Y Y Y | FMECA V6 Risk 11.9
0000591 | Carbon Dioxide Level related | EACs to minimise the risk of caustic cocktail shall be used | Y Y Y | FMECA V6 Risk 11.9
0000590 | Carbon Dioxide Level related | The rebreather shall be highly resistant to flooding, using double seals where reasonably possible | Y Y Y | FMECA V6 Risk 11.9
0000589 | Carbon Dioxide Level related | The flapper valve shall not seal shut if one small area is frozen | Y Y Y | FMECA V6 Risk 11.8
0000588 | Carbon Dioxide Level related | Water shall not collect around the flapper valve | Y Y Y | FMECA V6 Risk 11.8
Rev B2, Page 19 of 33
… | Carbon Dioxide Level related | The holes in the web sh…
… | FMECA V6 Risk 9.8
0000511 | Controller and Information related | PFD shall be provided which also switches on automatically and cannot switch off while the unit is operational | FMECA V6 Risk 9.8
0000510 | Controller and Information related | All possibility that the unit can hang […] | FMECA V6 Risk 9.8
0000508 | Controller and Information related | The circuit shall have multiple clocks, power supplies and other circuits | FMECA V6 Risk 9.7
0000507 | Controller and Information related | Any device hang failure shall be logged and the unit permanently locked out on the surface | FMECA V6 Risk 9.7
Rev B2, Page 24 of 33
0000506 | Controller and Information related | The start-up sequence should detect if an abnormal shutdown occurred | FMECA V6 Risk 9.7
0000505 | Controller and Information related | Routines shall apply predicates to input data | FMECA V6 Risk 9.7
0000504 | Controller and Information related | All unused memory locations shall be filled with a recovery code | FMECA V6 Risk 9.7
0000503 | Controller and Information related | It shall be ensured state machines have redundant states to detect failure and return the unit to safe operation | FMECA V6 Risk 9.7
0000502 | Controller and Information related | It shall be ensured the Brown-Out circuit is operating, by power cycle test | FMECA V6 Risk 9.7
… | Controller and Information related | It shall be ensu…
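The controller requirements above (redundant states, predicates on input data, detection of an abnormal shutdown, logging of a hang with lock-out on the surface) are stated as "shall" clauses without a mechanism. The C below is an added illustration written for this edition, not Deep Life firmware: the state encodings, the 300 m depth limit, the three-tick watchdog and the fault codes are assumptions; the PPO2 bounds reuse the 0.2 to 2.0 bar limits of requirement 0000389 from the table later in this document.

```c
/* Added example (not Deep Life code): a controller-firmware pattern covering
 * 0000503 (state machine with redundant states), 0000505 (predicates on input
 * data), 0000506 (start-up detects an abnormal shutdown) and 0000507 (a hang is
 * logged and the unit locked out on the surface). State codes, limits, the
 * watchdog period and the fault record are assumptions made for this example. */
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Legal states use codes several bit flips apart; any other value of the state
 * byte is a redundant (illegal) state that exposes corruption. */
enum { ST_SURFACE = 0x1E, ST_DIVING = 0x2D, ST_SAFE = 0x87 };

typedef enum { FAULT_NONE = 0, FAULT_BAD_STATE, FAULT_BAD_INPUT, FAULT_HANG,
               FAULT_ABNORMAL_SHUTDOWN } fault_t;

typedef struct {
    uint8_t  state;           /* kept as a byte so corruption can be modelled */
    fault_t  last_fault;      /* in firmware this goes to the dive log */
    bool     locked_out;      /* permanent lock-out after a hang on the surface */
    uint32_t missed_checkins; /* ticks since the main loop last reported alive */
} controller_t;

typedef struct { double depth_m; double ppo2_bar; } input_t;

#define WATCHDOG_LIMIT 3
#define DEPTH_MAX_M    300.0
#define PPO2_MIN_BAR   0.2     /* requirement 0000389: 0.2 < PPO2 < 2.0 */
#define PPO2_MAX_BAR   2.0

/* Predicate on input data (0000505): reject values outside physical limits
 * before any routine acts on them. */
bool input_plausible(const input_t *in)
{
    return in->depth_m >= 0.0 && in->depth_m <= DEPTH_MAX_M &&
           in->ppo2_bar > PPO2_MIN_BAR && in->ppo2_bar < PPO2_MAX_BAR;
}

/* Start-up (0000506): an orderly shutdown sets a flag in non-volatile store;
 * if it is missing at boot, the previous run ended abnormally and that is logged
 * before anything else happens. */
void controller_boot(controller_t *c, bool clean_flag_from_nvram)
{
    c->state = ST_SURFACE;
    c->locked_out = false;
    c->missed_checkins = 0;
    c->last_fault = clean_flag_from_nvram ? FAULT_NONE : FAULT_ABNORMAL_SHUTDOWN;
}

/* One scheduler tick: liveness first, then inputs, then the state byte. */
fault_t controller_step(controller_t *c, const input_t *in, bool main_loop_alive)
{
    if (c->locked_out)
        return FAULT_HANG;
    c->missed_checkins = main_loop_alive ? 0 : c->missed_checkins + 1;
    if (c->missed_checkins >= WATCHDOG_LIMIT) {       /* hang detected (0000507) */
        c->last_fault = FAULT_HANG;
        c->state = ST_SAFE;
        if (in->depth_m == 0.0)
            c->locked_out = true;                     /* permanent, surface only */
        return FAULT_HANG;
    }
    if (!input_plausible(in)) {
        c->last_fault = FAULT_BAD_INPUT;
        c->state = ST_SAFE;
        return FAULT_BAD_INPUT;
    }
    switch (c->state) {
    case ST_SURFACE: if (in->depth_m > 1.0)  c->state = ST_DIVING;  break;
    case ST_DIVING:  if (in->depth_m <= 1.0) c->state = ST_SURFACE; break;
    case ST_SAFE:    break;                           /* stays safe until restart */
    default:                                          /* redundant state (0000503) */
        c->last_fault = FAULT_BAD_STATE;
        c->state = ST_SAFE;
        return FAULT_BAD_STATE;
    }
    return FAULT_NONE;
}

/* Constructed scenarios used by main() and the checks. */
int demo_bit_flip_state(void)
{
    controller_t c; input_t in = { 25.0, 1.2 };
    controller_boot(&c, true);
    controller_step(&c, &in, true);       /* SURFACE -> DIVING */
    c.state ^= 0x01;                      /* single-event upset on the state byte */
    return (int)controller_step(&c, &in, true);
}
int demo_implausible_input(void)
{
    controller_t c; input_t in = { 25.0, 2.6 };   /* PPO2 above the 2.0 bar limit */
    controller_boot(&c, true);
    return (int)controller_step(&c, &in, true);
}
int demo_hang_on_surface(void)
{
    controller_t c; input_t in = { 0.0, 0.7 };
    controller_boot(&c, true);
    for (int i = 0; i < WATCHDOG_LIMIT; i++)
        controller_step(&c, &in, false);  /* main loop never checks in */
    return c.locked_out ? 1 : 0;
}
int demo_abnormal_shutdown(void)
{
    controller_t c;
    controller_boot(&c, false);           /* NVRAM flag missing: last run crashed */
    return (int)c.last_fault;
}

int main(void)
{
    printf("bit flip -> fault %d; bad input -> fault %d; hang on surface locked out: %d; "
           "boot after crash -> fault %d\n", demo_bit_flip_state(), demo_implausible_input(),
           demo_hang_on_surface(), demo_abnormal_shutdown());
    return 0;
}
```

The point of the sparse state encoding is that a corrupted state byte is far more likely to land on an illegal value than on another legal state, so the `default` branch catches it and drives the unit to the safe state instead of silently continuing; the predicate check runs before the state logic so that a bad sensor value can never select a transition.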
[0000717] | Diver Physiology related | Respiratory parameters shall be measured | Y Y Y | FMECA V6 Risk 18.11
0000716 | Diver Physiology related | WOB shall be measured actively pre-dive and during the dive | Y Y Y | FMECA V6 Risk 18.11
0000715 | Diver Physiology related | EAC scrubber shall be used | Y Y Y | FMECA V6 Risk 18.11
0000714 | Diver Physiology related | All scrims shall be eliminated in the design | Y Y Y | FMECA V6 Risk 18.11
0000713 | Diver Physiology related | There shall be no measurable loss of lung surfactant during a dive | Y Y Y | FMECA V6 Risk 18.11
0000711 | Diver Physiology related | CCR controller shall track CNS and maintain it within the safe limit | Y Y Y | FMECA V6 Risk 18.11
0000710 | Diver Physiology related | A modified CNS algorithm with margin to reduce the statistical incidence of measurable CNS damage shall be used | Y Y Y | FMECA V6 Risk 18.11
Rev B2, Page 11 of 33
0000709 | Diver Physiology related | Divers shall be advised that below 7 °C gas heating is required, and particularly below 4 °C | FMECA V6 Risk 18.10
0000708 | Diver Physiology related | The lowest practicable Work of Breathing shall be achieved | FMECA V6 Risk 18.9
0000707 | Diver Physiology related | Deco algorithm shall be verified to be implemented correctly using formal methods | FMECA V6 Ris…
Rev B2, Page 8 of 33

5 SAFETY TRACEABILITY

All safety requirements are maintained on a Mantis issue tracking system. Each issue has been reviewed for each of the following three models of the Open Revolution family of rebreathers:
- OR_Umbilical: Commercial Diving Dual Scrubber eCCR/eSCR
- OR_Incursion: Military Rebreather eCCR
- OR_Apocalypse_TypeIV: Recreational iCCR
These are represented in the Compliance column of the table on the right as U, I and A respectively. The Minute of the review is recorded below.

Table columns: Mantis ID | Category | Requirement | Compliance (U I A) | FMECA V6 risk reference
0000561 | Oxygen Level Monitoring related | It shall be ensured O2 cell calibration is not carried out on cells with water on their faces | Y Y Y | FMECA V6 Risk 10.13
0000562 | Oxygen Level Monitoring related | The training manual shall emphasise checking of the unit by a Make Up Gas flush | Y Y Y | FMECA V6 Risk 10.13
0000549 | Oxygen Level Monitoring related | System shall withstand multiple O2 cell failures | Y Y Y | FMECA V6 Risks 10.7, 10.8, 10.12, 10.13, 10.14
0000753 | Oxygen Level Monitoring related | The flow of gas across the cell face shall be checked directly or indirectly during the dive | Y Y Y | FMECA V6 Risk 10.13
0000752 | Oxygen Level Monitoring related | Cells shall be positioned so water cannot drip onto their faces in any normal diver position | Y Y Y | FMECA V6 Risk 10.13
… | Oxygen Level Monitoring related | Walls or rings around the membrane that c…
0000566 | Oxygen Level Monitoring related | [O2 sensors shall be verified to] ensure there is no electrolyte leakage if dropped | FMECA V6 Risk 10.15
0000565 | Oxygen Level Monitoring related | Operators shall be warned to wash the sensor and their hands in warm water immediately if an O2 cell feels wet | FMECA V6 Risk 10.15
0000564 | Oxygen Level Monitoring related | It shall be verified that the O2 sensors specified do not produce shrapnel when suddenly decompressed (torpedo test) | FMECA V6 Risk 10.15
0000563 | Oxygen Level Monitoring related | It shall be ensured the design allows adequate gas flow to the rear of the cells | FMECA V6 Risk 10.14
0000550 | Oxygen Level Monitoring related | The O2 cells shall be engineered so all failures are in the same direction | FMECA V6 Risks 10.7, 10.8, 10.12, 10.14
0000560 | Oxygen Level Monitoring related | O2 sensors shall be calibrated on air | FMECA V6 Risk 10.11
0000555 | Oxygen Level Monitoring related | Means to check the sensors automatically when a sensor failure occurs shall be provided | FMECA V6 Risks 10.9, 10.10
0000559 | Oxygen Level Monitoring related | Different colour sensor bodies shall be used for each year | FMECA V6 Risk 10.10
0000558 | Oxygen Level Monitoring related | O2 sensors shall be marked very clearly in large letters with a date code | FMECA V6 Risk 10.10
0000557 | Oxygen Level Monitoring related | Pre-dive checks shall force the checking of the O2 sensors | FMECA V6 Risk 10.10
Rev B2, Page 21 of 33
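Requirements 0000560 (calibration on air), 0000555 (automatic checks when a sensor fails) and 0000549 (survive multiple cell failures) above, together with 0000553 elsewhere in this document (detect one good sensor among faulty ones), say what the O2 sensing must achieve but not how. The C below is an added example for this edition, not Deep Life code: the plausible calibration range for a galvanic cell, the flush tolerance, the agreement tolerance and the constructed cell readings are assumptions. It shows why majority voting cannot meet the "one good of three" requirement: two stuck cells outvote the healthy one, whereas per-cell evidence rejects them.

```c
/* Added example (not Deep Life code): an O2 cell assessment that rests on
 * per-cell evidence instead of majority voting, so the controller can keep
 * running on one good cell out of three and still reject two faulty cells that
 * agree with each other. Evidence per cell: a plausible calibration on air, a
 * reading inside the physically possible range, and a correct response to a
 * diluent flush of known PPO2. Gain limits, tolerances and the flush figure are
 * assumptions made for this example. */
#include <stdio.h>

#define N_CELLS      3
#define PPO2_AIR     0.21   /* bar: PPO2 of air at the surface, used for calibration */
#define CAL_MV_MIN   8.0    /* assumed plausible output of a galvanic cell in air, mV */
#define CAL_MV_MAX   14.0
#define PPO2_CEILING 2.5    /* bar: highest value a cell must be able to report */
#define FLUSH_TOL    0.10   /* bar: allowed error against the flush expectation */
#define AGREE_TOL    0.10   /* bar: allowed spread between cells that passed every test */

typedef struct {
    double cal_mv;   /* output in air during pre-dive calibration */
    double flush_mv; /* output after a diluent flush of known PPO2 */
    double live_mv;  /* current output */
} cell_t;

typedef enum { CELL_OK = 0, CELL_BAD_CAL, CELL_NO_RESPONSE, CELL_OUT_OF_RANGE } verdict_t;

double absd(double x) { return x < 0.0 ? -x : x; }

/* Convert a cell's mV to PPO2 using that cell's own air calibration (linear cell). */
double cell_ppo2(const cell_t *c, double mv)
{
    return mv * PPO2_AIR / c->cal_mv;
}

/* Per-cell tests; none of them consults the other cells. */
verdict_t assess_cell(const cell_t *c, double flush_ppo2)
{
    if (c->cal_mv < CAL_MV_MIN || c->cal_mv > CAL_MV_MAX)
        return CELL_BAD_CAL;        /* exhausted, wrong type, or water on the face */
    if (absd(cell_ppo2(c, c->flush_mv) - flush_ppo2) > FLUSH_TOL)
        return CELL_NO_RESPONSE;    /* stuck: did not follow a known change in PPO2 */
    double p = cell_ppo2(c, c->live_mv);
    if (p < 0.0 || p > PPO2_CEILING)
        return CELL_OUT_OF_RANGE;
    return CELL_OK;
}

/* Evidence-based fusion: average the cells that passed every test, provided they
 * also agree with each other. Returns -1.0 (alarm, do not control) when there is
 * no trustworthy value. *n_good receives the number of cells used. */
double fuse_ppo2(const cell_t cells[N_CELLS], double flush_ppo2, int *n_good)
{
    double sum = 0.0, lo = 1e9, hi = -1e9;
    int n = 0;
    for (int i = 0; i < N_CELLS; i++) {
        if (assess_cell(&cells[i], flush_ppo2) != CELL_OK)
            continue;
        double p = cell_ppo2(&cells[i], cells[i].live_mv);
        sum += p;
        n++;
        if (p < lo) lo = p;
        if (p > hi) hi = p;
    }
    *n_good = n;
    if (n == 0 || hi - lo > AGREE_TOL)
        return -1.0;
    return sum / n;
}

/* Majority voting, for contrast: the median of the three raw readings. */
double vote_ppo2(const cell_t cells[N_CELLS])
{
    double p[N_CELLS];
    for (int i = 0; i < N_CELLS; i++)
        p[i] = cell_ppo2(&cells[i], cells[i].live_mv);
    for (int i = 0; i < N_CELLS; i++)
        for (int j = i + 1; j < N_CELLS; j++)
            if (p[j] < p[i]) { double t = p[i]; p[i] = p[j]; p[j] = t; }
    return p[1];
}

/* Constructed scenario: air diluent flushed at 20 m (ambient 3.0 bar, so the
 * flush should read 0.63 bar). Cell 0 is healthy and now reads 1.30 bar; cells 1
 * and 2 are stuck at 0.90 bar (e.g. wet faces) and agree with each other. */
static const cell_t demo_cells[N_CELLS] = {
    { 10.0, 30.00, 61.90 },   /* 0.63 bar after the flush, 1.30 bar now */
    { 10.0, 42.86, 42.86 },   /* ignored the flush, still 0.90 bar */
    { 10.0, 42.86, 42.86 },
};
static const double demo_flush_ppo2 = 0.63;

double demo_fused(void)    { int n; return fuse_ppo2(demo_cells, demo_flush_ppo2, &n); }
int    demo_n_good(void)   { int n; fuse_ppo2(demo_cells, demo_flush_ppo2, &n); return n; }
double demo_voted(void)    { return vote_ppo2(demo_cells); }
int    demo_verdict(int i) { return (int)assess_cell(&demo_cells[i], demo_flush_ppo2); }

int main(void)
{
    printf("voting: %.2f bar; evidence-based fusion: %.2f bar from %d cell(s)\n",
           demo_voted(), demo_fused(), demo_n_good());
    return 0;
}
```

In the constructed case voting returns 0.90 bar, the value of the two stuck cells, and would drive the loop hypoxic; the evidence-based path discards both stuck cells because they did not respond to the flush and controls on the single healthy cell at 1.30 bar. When the cells that pass every test still disagree, the function refuses to return a value rather than average a possibly failed cell into the set point, which is the alarm condition the requirements call for.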
[sol-]gel technology is available. This provides an additional degree of diversity that would enable the products to move from SIL 3 to SIL 4.

4.2 Number of other redundant systems required

All other components, except the O2 sensor and the CO2 sensor, either do not lead to a critical failure or have a life of more than 100,000 hours. In this case triple redundancy, with checksums on each data item, has been determined to tolerate two worst-case faults whilst still meeting the billion-hour critical failure target at an electronic level. It is noted that it is not within ALARP to provide flood protection for more than one breathing loop.

4.3 Redundancy of Communication

It is noted that all communications between subsystems in the design are dual redundant. In particular an optical communication link and an electrical link are used, the latter being data over power. The use of two different forms of communication is correct, as a failure mode such as EMI that affects one channel will not affect the other channel. All data has CRC bits added, so any corruption on a data channel can be detected and the data source excluded. Loss of all communication would result in the handset (PFD) continuing to operate and the base unit continuing to operate. The former would assume a fixed PPO2 of 1.0, depth-corrected to a PPO2 of 0.7 at the surface; each solenoid would take over control and maintain PPO2 at 1.0 unless within 10 m of the surface, whereupon it would s…
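The dual-channel, CRC-protected scheme described in 4.3, as an added example for this edition and not Deep Life code: the frame layout, the CRC-16/CCITT-FALSE polynomial, the channel numbering and the depth rule used for the fallback set point are assumptions. A CRC catches the accidental corruption the text has in mind (EMI on one link); it is not an integrity check against a deliberately forged frame, and the page makes no such claim.

```c
/* Added example (not Deep Life code): the same telemetry frame sent over two
 * independent links (optical, and data over power), each carrying a CRC so a
 * corrupted channel is detected and excluded, plus the fixed set point the text
 * describes for total loss of communication. Frame layout, CRC polynomial and
 * the depth rule of the fallback are assumptions made for this example. */
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define CHANNELS    2            /* channel 0: optical link, channel 1: data over power */
#define PAYLOAD_LEN 4            /* assumed payload: seq, ppo2 lo, ppo2 hi, depth */
#define FRAME_LEN   (PAYLOAD_LEN + 2)

/* CRC-16/CCITT-FALSE: polynomial 0x1021, initial value 0xFFFF, no reflection. */
uint16_t crc16_ccitt(const uint8_t *data, size_t len)
{
    uint16_t crc = 0xFFFF;
    for (size_t i = 0; i < len; i++) {
        crc ^= (uint16_t)(data[i] << 8);
        for (int b = 0; b < 8; b++)
            crc = (crc & 0x8000) ? (uint16_t)((crc << 1) ^ 0x1021) : (uint16_t)(crc << 1);
    }
    return crc;
}

/* Sender: payload followed by the CRC of the payload, big-endian. */
void frame_encode(uint8_t *frame, uint8_t seq, uint16_t ppo2_mbar, uint8_t depth_m)
{
    frame[0] = seq;
    frame[1] = (uint8_t)(ppo2_mbar & 0xFF);
    frame[2] = (uint8_t)(ppo2_mbar >> 8);
    frame[3] = depth_m;
    uint16_t crc = crc16_ccitt(frame, PAYLOAD_LEN);
    frame[4] = (uint8_t)(crc >> 8);
    frame[5] = (uint8_t)(crc & 0xFF);
}

/* Receiver: accept the payload only if the CRC recomputes. */
bool frame_decode(const uint8_t *frame, uint16_t *ppo2_mbar)
{
    uint16_t received = (uint16_t)((frame[4] << 8) | frame[5]);
    if (crc16_ccitt(frame, PAYLOAD_LEN) != received)
        return false;
    *ppo2_mbar = (uint16_t)(frame[1] | (frame[2] << 8));
    return true;
}

/* Use the first channel whose frame verifies; a channel that fails is excluded.
 * Returns the channel index used, or -1 when every channel is corrupt. */
int select_valid_channel(uint8_t frames[CHANNELS][FRAME_LEN], uint16_t *ppo2_mbar)
{
    for (int ch = 0; ch < CHANNELS; ch++)
        if (frame_decode(frames[ch], ppo2_mbar))
            return ch;
    return -1;
}

/* Fallback for total loss of communication, as described in 4.3: a fixed PPO2 of
 * 1.0 bar, depth-corrected to 0.7 bar at the surface. The text does not give the
 * correction between surface and depth; applying 0.7 bar only at 0 m is this
 * example's assumption. */
uint16_t fallback_ppo2_mbar(uint8_t depth_m)
{
    return depth_m == 0 ? 700 : 1000;
}

/* Constructed scenario: both links carry the same frame; optionally one bit is
 * flipped on each link (an EMI-type fault). Returns the channel chosen, or -1. */
int scenario(bool corrupt_optical, bool corrupt_electrical, uint16_t *ppo2_mbar)
{
    uint8_t frames[CHANNELS][FRAME_LEN];
    frame_encode(frames[0], 7, 1200, 30);
    frame_encode(frames[1], 7, 1200, 30);
    if (corrupt_optical)    frames[0][2] ^= 0x01;  /* PPO2 high byte hit */
    if (corrupt_electrical) frames[1][5] ^= 0x80;  /* CRC byte hit */
    return select_valid_channel(frames, ppo2_mbar);
}

int scenario_channel(bool co, bool ce) { uint16_t p = 0; return scenario(co, ce, &p); }
int scenario_ppo2(bool co, bool ce)    { uint16_t p = 0; return scenario(co, ce, &p) < 0 ? -1 : (int)p; }

int main(void)
{
    for (int co = 0; co < 2; co++)
        for (int ce = 0; ce < 2; ce++) {
            int ch = scenario_channel(co, ce);
            if (ch < 0)
                printf("optical=%d electrical=%d: all channels excluded, fallback %u mbar\n",
                       co, ce, fallback_ppo2_mbar(30));
            else
                printf("optical=%d electrical=%d: using channel %d, PPO2 %d mbar\n",
                       co, ce, ch, scenario_ppo2(co, ce));
        }
    return 0;
}
```

The receiver never compares the two channels against each other; each frame stands or falls on its own CRC, so a single corrupted link is excluded without affecting the other, and only when both fail does the controller drop to the fixed set point.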
… | Operating duration related | … Scrubber Stick to predict scrubber life | Y
0000374 | Environment conditions | Temperature sensors are required on the Sensors Card for ambient temperature measurements | Y
0000376 | Interface related | Communications requirements
0000378 | Environment conditions | Carbon Monoxide sensor is required for the umbilical rebreather
0000380 | Operating duration related | Factory service interval shall be one year and enforced | Y
0000394 | Environment conditions | All connectors outside the rebreather shall be wet-mateable | Y
… | Environment conditions | Power supplies (batteries) shall be disconnectable | Y
0000392 | Environment conditions | Power supplies (batteries) shall either not be pressurised, or shall be under 5 mm thick and characterised for extreme pressure | Y
0000391 | Environment conditions | Power supply cells thicker than 5 mm shall be of Lithium Phosphate type | Y
0000381 | Environment conditions | Power supply duration | Y
0000367 | Flood prevention | Electronic modules on rebreathers shall detect when the rebreather is open | Y
0000388 | PPO2 Related | When PPO2 level is controlled it shall have a maximum error of 0.09 bar at constant depth | Y
Rev B2, Page 31 of 33
0000389 | PPO2 Related | PPO2 level shall be limited to 0.2 < PPO2 < 2.0 always | Y
… | Flood prevention | Flood detection is required on all rebreathers with electronics, i.e. within ALARP | Y
… | Every independent electronic…
0000383 | Interface related | [Every independent electronic] unit shall log every second of every dive for all dives between factory service intervals | Y
0000387 | PPO2 Related | PPO2 level shall be reported to the PPO2 controller with a resolution of 0.001 ATM | Y
0000385 | PPO2 Related | PPO2 level shall be reported to the diver/supervisor with a resolution of 0.05 ATM, with recourse to a display with 0.01 ATM | Y
0000386 | PPO2 Related | PPO2 level reporting frequency to the diver/supervisor shall be every second, with override for on-demand displays | Y
0000379 | Operating duration related | Base Unit electronics shall have an MTBCF of 1 billion hours | Y
0000358 | PPO2 Related | ALVBOV needs to be actuated electronically by the PFD | Y
0000351 | Ergonomic related | ALVBOV Requirements (top level)
0000350 | PPCO2 Related | ALVBOV in O/C mode must comply with EN250 at 50 msw | Y
… | Flood prevention | ALVBOV must completely close the rebreather breathing loop when the ALVBOV is in O/C mode | Y
… | Flood prevention | ALVBOV must have auto-close to shut the rebreather loop when out of the mouth | Y
… | PPO2 Related | PPO2 level shall be reported to the diver or supervisor with an accuracy of 0.0243 ATM | Y
… | PPO2 Related | PPO2 level shall be reported to the diver or supervisor over the range 0 to 2.5 ATM | Y
0000375 | Environment conditions | Ambient pressure sensors on the Sensors Card and in the Base Unit | Y
0000372 | Other gas sensing | Make Up Gas pressure measuring | Y
0000371 | Environment co…
0000644 | Other Rebreather Equipment related | … risk significantly shall be avoided | FMECA V6 Risk 13.6
0000643 | Other Rebreather Equipment related | Silicone shall be used for seals that are not in contact with high pressure oxygen | FMECA V6 Risk 13.5
0000642 | Other Rebreather Equipment related | PTFE to be used for high pressure valve seat material and high pressure oxygen hose liners | FMECA V6 Risk 13.5
0000641 | Other Rebreather Equipment related | Fully reacted thermoplastic PUs formed from polyether polyols to be used for strong and flexible parts | FMECA V6 Risk 13.5
0000640 | Other Rebreather Equipment related | TPEE polyester free of plasticizers and softeners shall not be used for high pressure gas | FMECA V6 Risk 13.5
0000639 | Other Rebreather Equipment related | TPEE polyester free of plasticizers and softeners to be used for medium pressure hose core material | FMECA V6 Risk 13.5
0000638 | Other Rebreather Equipment related | Natural rubber and latex shall not be used, due to the prevalence of an allergenic response to these materials | FMECA V6 Risk 13.5
0000637 | Other Rebreather Equipment related | […] PU shall not be used | FMECA V6 Risk […]
0000636 | Other Rebreather Equipment related | The number of different plastics used shall be kept to the absolute minimum | FMECA V6 Risk 13.5
0000635 | Other Rebreather Equipment related | The failure modes of the pressure sensors shall be determined and failure actively detected | FMECA V6 Risk 13.4
0000634 | Other Rebreather Equipment related | Multiple…
1. Fitment of one pressure sensor only, instead of multiple ambient sensors. This is possible if the unit is not used for decompression diving, as pressure is then not a critical factor.
2. Fitment of one O2 injector only, instead of two or four; the bail-out device will still provide a degree of fault tolerance.
3. Fitment of one scrubber sensor, in the scrubber that expires first, on the basis that when that scrubber has expired the dive should already have been aborted.
4. Fitment of fewer oxygen sensors.

4 REDUNDANCY REVIEW

4.1 Number of O2 Sensors Required

The only oxygen sensing technology known to be suitable for this application is galvanic oxygen cells. Other methods that have been considered include MEM paramagnetic sensors, zirconia oxide sensors, sol-gel sensors and high pressure unique species mass spectrometry. A very detailed study of galvanic sensors was conducted. Experiments on galvanic oxygen sensors indicate that they have a minimum life of 18 months at a PPO2 of 0.2, and that this degrades linearly with PPO2 above this; for example, at a PPO2 of 1.2 some sensors have a life of just three months. In a worst-case dive, that is one which lasts as long as the maximum scrubber life (5 hours) with an average PPO2 of 1.2, the chance of a failure is 1 in (0.2/1.2 × 24 × 1.5 × 365) / 5, which is around 1 in 438 per dive. The chance of two sensors failing at the same time would appear to be 1 in 438², which is 1 in 191,844. If the failures of the sensor c…
Rev B2, Page …3 of 33
… | Controller and Information related | … or mishandled | FMECA V6 Risk 9.14
0000523 | Controller and Information related | Software to be fail-safe, including a code CRC check as part of the start-up sequence | FMECA V6 Risk 9.13
0000522 | Controller and Information related | Software shall be formally verified | FMECA V6 Risk 9.12
0000520 | Controller and Information related | An automatic bail-out valve shall be provided | FMECA V6 Risk 9.11
0000518 | Controller and Information related | Components liable to explode shall be moved to a 1 ATM environment outside the rebreather | FMECA V6 Risk 9.10
… | Controller and Information related | All components liable to explode shall be eliminated | FMECA V6 Risk 9.10
0000516 | Controller and Information related | All components liable to offgas shall be removed from the oil-filled volume | FMECA V6 Risk 9.9
0000515 | Controller and Information related | Food grade silicone oil shall be used, to avoid a health hazard | FMECA V6 Risk 9.9
… | Controller and Information related | Waxes (solid paraffins) shall not be used | FMECA V6 Risk 9.9
0000513 | Controller and Information related | Hydrocarbon filling oils shall not be used | FMECA V6 Risk 9.9
0000512 | Controller and Information related | The monitoring or control device shall switch on automatically when the unit is used | FMECA V6 Risk …
… | FMECA V6 Risk 12.4
0000625 | Flooding or Drowning related | It shall be ensured ports and counterlungs withstand a 100 kg pull | FMECA V6 Risk 12.4
0000623 | Flooding or Drowning related | It shall be ensured the mouthpiece can withstand the weight of a diver (100 kg) for 1 minute | FMECA V6 Risk 12.3
0000622 | Flooding or Drowning related | A mouthpiece retainer shall be fitted as standard | FMECA V6 Risks 12.2, 12.3
0000624 | Flooding or Drowning related | It shall be ensured all hoses and connectors can withstand the weight of a diver (100 kg) for 1 minute | FMECA V6 Risk 12.3
0000606 | Flooding or Drowning related | The breathing loop shall shut automatically if the mouthpiece is not in the diver's mouth | FMECA V6 Risks 12.1, 12.2
0000621 | Flooding or Drowning related | It shall be ensured the BC is big enough to lift a flooded rebreather | FMECA V6 Risk 12.2
0000620 | Flooding or Drowning related | Double seals shall be used to minimise the leak risk where within ALARP | FMECA V6 Risk 12.1
Rev B2, Page 17 of 33
0000619 | Flooding or Drowning related | Connectors to be secure and not detach accidentally | FMECA V6 Risk 12.1
0000618 | Flooding or Drowning related | Double-layer counterlungs shall be avoided | FMECA V6 Risk 12.1
0000617 | Flooding or Drowning related | Lip seals shall be used for protected moving surfaces | FMECA V6 Risk 12.1
0000616 | Flooding or D…
… | FMECA V6 Risk 18.3
0000695 | Diver Physiology related | Exhaled CO2 shall be monitored in order to monitor retained CO2 | FMECA V6 Risk 18.3
Rev B2, Page 12 of 33
0000694 | Diver Physiology related | Diver's CNS and pulmonary O2 exposure shall be tracked | Y Y Y | FMECA V6 Risk 18.2
0000693 | Diver Physiology related | PPO2 shall be controlled | Y Y Y | FMECA V6 Risk 18.2
0000691 | … | A Functional Safety life cycle process appropriate to the SIL assessment shall be applied | Y Y Y | FMECA V6 Risk 18.1
0000690 | Umbilical Supplied Dives related | […] shall be used | Y Y Y | FMECA V6 Risk …
… | Umbilical Supplied Dives related | The operation of the one-way valves shall be a pre-dive check | Y Y Y | FMECA V6 Risk 17.15
… | Umbilical Supplied Dives related | The one-way valve shall be properly characterised | FMECA V6 Risk 17.15
0000687 | Umbilical Supplied Dives related | Two one-way valves in series shall be used | Y Y Y | FMECA V6 Risk 17.15
0000686 | Umbilical Supplied Dives related | Liquid crystal electrolytic materials for the electronics shell shall be considered for use | Y Y Y | FMECA V6 Risk 17.13
0000685 | Umbilical Supplied Dives related | Internal electronics shall be shielded against magnetically induced currents | Y Y Y | FMECA V6 Risk 17.13
… | Umbilical Supplied Dives related | The highest possible c…
… | Loop Volume Relief related | … OPV membrane/diaphragm | FMECA V6 Risk 8.3
0000478 | Loop Volume Relief related | OPV shall be a dual membrane | FMECA V6 Risk 8.3
0000477 | Loop Volume Relief related | OPV to be fully characterised | FMECA V6 Risks 8.2, 8.3
Rev B2, Page 26 of 33
0000476 | Loop Volume Relief related | Active control over pre-dive positive pressure checks shall be indicated | FMECA V6 Risk 8.1
0000475 | Loop Volume Sufficiency related | Counterlungs shall be fixed down so they cannot trap themselves or kink | FMECA V6 Risk 7.10
0000474 | Loop Volume Sufficiency related | Gas paths in the counterlung to be protected such that the counterlung cannot block the gas exit ports | FMECA V6 Risk 7.10
0000473 | Loop Volume Sufficiency related | Counterlung capacity shall be between 5 l and 6 l | FMECA V6 Risk 7.10
0000472 | Loop Volume Sufficiency related | ALV and BOV should not have any means to turn them off | FMECA V6 Risk 7.9
0000466 | Loop Volume Sufficiency related | Make Up Gas contents shall be monitored and checked for leakage pre-dive | FMECA V6 Risks 7.5, 7.8, 7.9
0000471 | Loop Volume Sufficiency related | Diver to be advised not to use gas with a CNS or narcosis risk at the greatest depth | FMECA V6 Risk 7.7
0000470 | Loop Volume Sufficiency related | Gas switch blocks shall be el…
… | Carbon Dioxide Level related | EAC shall be used | FMECA V6 Risk 11.4
0000570 | Carbon Dioxide Level related | Scrubber health shall be monitored | Y Y Y | FMECA V6 Risks 11.1, 11.2, 11.3, 11.4
0000572 | Carbon Dioxide Level related | It shall be monitored when the scrubber is changed | Y Y Y | FMECA V6 Risks 11.1, 11.3, 11.4
0000571 | Carbon Dioxide Level related | Scrubber life shall be monitored | Y Y Y | FMECA V6 Risks 11.1, 11.3, 11.4
0000573 | Carbon Dioxide Level related | PPCO2 shall be monitored | Y Y Y | FMECA V6 Risks 11.1, 11.3, 11.4
0000575 | Carbon Dioxide Level related | Monitoring of expired CO2 in iCCR and eSCRs shall be provided | Y Y Y | FMECA V6 Risk 10.12
Rev B2, Page 20 of 33
0000574 | Carbon Dioxide Level related | It shall be ensured scrubber seals can tolerate a large degree of scrubber damage | FMECA V6 Risk 11.2
0000569 | Oxygen Level Monitoring related | A hypoxia risk alarm that does not use oxygen sensors shall be used | FMECA V6 Risk 10.18
0000568 | Oxygen Level Monitoring related | It shall be ensured manuals state clearly the risk of caustic burn from leaking electrolyte and the action to be taken | FMECA V6 Risk 10.17
0000567 | Oxygen Level Monitoring related | Very thorough O2 cell screening shall be used | FMECA V6 Risk 10.16
… | Oxygen Level Monitoring related | O2 sensors shall be verified to…
…CONCLUSION … 33
Rev C0, Page 3 of 33, Released for publication

1 PURPOSE AND SCOPE

This is the FMECA of Deep Life's first Open Revolution Submission. For ease of update and use the complete FMECA is divided into volumes, of which this document is Volume One.

The FMECA is a key part of the safety case, along with user focus reviews, test and verification reports, accident studies and engineering reviews. This documentation is managed within a safety and product lifecycle management process designed to comply with IEC/EN 61508:2004 for all aspects of the product: the end-to-end scope of IEC/EN 61508 is applied to mechanics, pneumatics and ergonomics as well as to the electrical, electronic and programmed systems.

The FMECA is one part of the safety case for the rebreather, along with the Colour Books (which provide a detailed design description of the project), the standards compliance data, field test data and other documents as set down in Quality Procedure QP20.

The FMECA volumes are:
Volume 1: This document, stating the scope of the project and providing the top level architectural description of how failures are managed.
Volume 2: Electronics MTBF and MTBCF Calculation.
Volume 3: Bottom-Up Electronics Review FMECA.
Volume 4: Bottom-Up Mechanical FMECA.
Volume 5: Bottom-Up Software, Firmware and Operational FMECA.
Volume 6: Top-Down HAZID.
Volume 7: Hierarchical Top-Down Fault Tree Analysis.
Volume 8: Commun…
… | FMECA V6 Risk 17.9
0000675 | Umbilical Supplied Dives related | Breathing gas heating shall be provided | Y Y | FMECA V6 Risk 17.9
0000674 | Umbilical Supplied Dives related | Communication to the bell shall be provided | Y Y | FMECA V6 Risk 17.8
0000673 | Umbilical Supplied Dives related | Two communication paths to be used | Y Y | FMECA V6 Risk 17.8
0000669 | Umbilical Supplied Dives related | Strict control of breathing gas, and RoHS compliant components in the dive system, shall be provided | Y Y | FMECA V6 Risk 17.7
0000668 | Umbilical Supplied Dives related | Active HC and VOC monitoring on the diver shall be provided | Y Y | FMECA V6 Risk 17.7
0000667 | Umbilical Supplied Dives related | Diver training shall cover awareness of the symptoms of CO | Y Y | FMECA V6 Risk 17.6
0000666 | Umbilical Supplied Dives related | Active CO monitoring on the diver for very long dives shall be provided | Y Y | FMECA V6 Risk 17.6
0000665 | Umbilical Supplied Dives related | "Use only certified diving gas" shall be explicit in the user manual | Y Y | FMECA V6 Risk 17.6
0000664 | Umbilical Supplied Dives related | Diver shall be trained to descend slowly enough for the SCR to fill the loop | Y Y | FMECA V6 Risk 17.5
0000663 | Associated Equipment related | Every fault against every unit from the RB history shall be checked to ensure it is not repeated | Y Y | FMECA V6 Risk 14.3
0000662 | Umbilical Supplied Dives related | The system shall have an underpressure va…
Released for publication

DEEP LIFE OPEN REVOLUTION FAMILY OF REBREATHERS
Failure Mode Effect and Criticality Analysis
Volume 1: Root Document

DOCUMENT NUMBER / Filename: FMECA_OR_V1_Top_090529
ORIGINATOR: Review team comprising Dr Alex Deas, Marat Yevtukhov, Alexei Bogatchov, Dr Bob Davidov, Vladimir Komarov, Dr Sergei Malyutin, Dr Oleg Zagreblenny, Dr Alexander Kudriashov, Igor Abrosimov, Dr Sergei Pyko
DEPARTMENT: Engineering
LAST UPDATED: 29 May 2009
REVISION: C0
APPROVALS: AD, 29 May 2009, Project Manager; NK, 29 May 2009, Quality Officer
Controlled Document [X]; Classified Document RED, DO NOT COPY [ ]
Copyright 2005, 2006, 2009 Deep Life Ltd. All rights reserved.
Rev C0, Page 1 of 33, Released for publication

Revision History
Revision | Date | Description
A | 18 May 2005 | Update to DL RB upon project moving from R&D to Engineering phase
B and B1 | 18 Nov 2005 and 16 Oct 2006 | Checked for material covered by NDAs, removed, and passed for publication. B1: update of volume titles (Oct 2006) and inclusion of Commercial SCR
C0 | 29 May 2009 | Revisions to comply fully with IEC/EN 61508:2004 following audit by SIRA Certification, with updates for the OR_Umbilical, OR_Incursion and OR_Apocalypse_TypeIV models

This document is maintained on an SVN source control system and is under revision control. The Revision Number is marked on every page along…
0000587 | Carbon Dioxide Level related | [The holes in the web] shall be of sufficient size to let small particulate through and not jam | Y Y Y | FMECA V6 Risks 11.7, 11.8
0000586 | Carbon Dioxide Level related | The web shall be tested to ensure the mushroom cannot fold into the web regardless of shock | Y Y Y | FMECA V6 Risks 11.7, 11.8
0000585 | Carbon Dioxide Level related | The valve shall preferably be designed to make a soft click sound each time it closes | Y Y Y | FMECA V6 Risks 11.7, 11.8
0000584 | Carbon Dioxide Level related | The two webs shall be of different size, or keyed, to prevent the inhale valve being inserted in the exhale valve | Y Y Y | FMECA V6 Risks 11.7, 11.8
0000583 | Carbon Dioxide Level related | The web supporting the mushroom shall have means to prevent it being assembled on the wrong side of the web | Y Y Y | FMECA V6 Risks 11.7, 11.8
0000582 | Carbon Dioxide Level related | The flapper valve assembly shall be colour coded | Y Y Y | FMECA V6 Risks 11.7, 11.8
0000581 | Carbon Dioxide Level related | One-way (flapper) valve design shall be of a type that shall not stick by itself | Y Y Y | FMECA V6 Risks 11.7, 11.8
0000580 | Carbon Dioxide Level related | Active monitoring of respiratory parameters shall be provided | Y Y Y | FMECA V6 Risk 11.6
0000579 | Carbon Dioxide Level related | Counterlungs shall be fixed down so that the user cannot disconnect one end or fail to attach the counterlungs | Y Y Y | FMECA V6 Risk 11.6
0000578 | Carbon Dioxide Level related | WOB shall be measured actively during the dive | Y Y Y | FMECA V6 Risk 11.5
0000577 | Carbon Dioxide Level related | …
0000751 | Oxygen Level Monitoring related | [Walls or rings around the membrane that] can retain water in any orientation of the diver shall be avoided | Y Y Y | FMECA V6 Risk 10.13
0000524 | Controller and Information related | The main monitoring or control device shall have the largest display which it is practical to carry | Y Y Y | FMECA V6 Risk 9.14
0000526 | Controller and Information related | Alphanumeric displays shall be backlit | FMECA V6 Risk 9.14
0000743 | Controller and Information related | If alphanumeric displays are used at all, they shall be supplemented by other annunciation devices | Y Y Y | FMECA V6 Risk 9.14
Rev B2, Page 9 of 33
0000742 | Controller and Information related | A vibrating device or a very bright LED close to the diver's mask shall be used | Y Y Y | FMECA V6 Risk 9.11
0000741 | Controller and Information related | If voice annunciation is used then the problem shall be announced and the action shall be emphasised | Y Y Y | FMECA V6 Risk 9.11
0000740 | Controller and Information related | If an alphanumeric display is used then the failure and the action shall be displayed | Y Y Y | FMECA V6 Risk 9.11
0000739 | Controller and Information related | If the diver is monitoring himself then the actual monitoring rate shall itself be monitored | Y Y Y | FMECA V6 Risk …
an be identified consistently, then three sensors are needed to meet SIL 3 requirements for MTBCF and MTBF. This problem is exacerbated by the fact that towards the end of their life all sensors will fail within a month of each other. During this period the probability of two sensors failing during a three hour period is reduced to one in ((0.2/1.2 × 24 × 1.5 × 365) / (5 × 12))^2, which is 1 in 1332 dives. This means it is essential that effective self test is applied at the start of every dive, and during the dive, to confirm the sensors are working with the desired accuracy. It is noted that to use three sensors the system must not use voting logic but the ability to operate with one working sensor out of three, as described under the O2 sensing scheme, including detecting accurately any sensor failure regardless of the failure mode. The probability of a critical failure in this case, on a five hour dive with average PPO2 of 1.2, is 0 2 1 2 24 1 5 365 5 3 5 12 43 or 35 billion hours. This assumes all failures are independent; this is not the case with galvanic sensors. Efforts are made to increase sensor diversity by using sensors from different batches and, where possible, from different vendors. All Open Revolution rebreathers with oxygen sensing (OR_Umbilical, OR_Incursion and OR_Apocalypse_TypeIV iCCR) have provision in the hardware for sol gel sensors by simply a firmware upgrade when the sol
- Other Rebreather Equipment related: attachment points for the harness shall be used. FMECA V6 Risk 13.3.
- Other Rebreather Equipment related: BC to be sold with rebreather where a BC will be used. FMECA V6 Risk 13.2.
- 0000632 Other Rebreather Equipment related: The test systems shall be designed to subject the equipment to twice the maximum operating depth. FMECA V6 Risk 13.1.
- 0000631 Other Rebreather Equipment related: It shall be ensured equipment is designed and verified to operate at twice the maximum operating depth. FMECA V6 Risk 13.1.
- 0000630 Flooding or Drowning related: OPV to be vented at a sufficient rate for the worst case ascent. FMECA V6 Risk 12.5.
- 0000627 Flooding or Drowning related: It shall be ensured rebreather can withstand underpressure or overpressure by one bar. FMECA V6 Risk 12.5.
- 0000629 Flooding or Drowning related: The effect of compressing a rebreather, all ports closed and gas off, shall be assessed to the maximum depth. FMECA V6 Risk 12.5.
- 0000628 Flooding or Drowning related: It shall be ensured rebreather can withstand a total pressure of double the maximum diving depth. FMECA V6 Risk 12.5.
- 0000626 Flooding or Drowning related: A reinforcing ring to the counterlung that positively latches the port mouldings shall be fitted. FMECA V
cale to a PPO2 of 0.7.

[Figure 1 block diagram not recovered; labelled blocks in the figure: O2 Injector, Display Coder, Temperature, Pressure Sensor, ROM, RAM, Data Verifier Stick x2, Flow Rate, local control x2, MUX, Microcontroller x3, Direct Drive, LCD Display, Non critical O2 sensors, Temperature, Text Display, Differential Pressure, Buzzer, Pressure Coder, Humidity/Moisture, Drivers, Handset, CO2, O2, He, Voice annunciator, Audio 2 wire, HUD, Sensors in Light guide, Scrubber Housing, Electronics in Hermetic Well]

Figure 1: The fundamental electronic architecture of the Open Revolution family of products, showing connectivity and major redundant and fault tolerant sections. Electronics in the hermetic well is shown as a single board where in practice it is two boards, partitioned as described in the Project Green Book Specification at the outset. The Handset is implemented in the form of a PFD and on the supervisor display. All displays are now AMOLED for greater visibility underwater than LCD. The Monitors on the Apocalypse implement this same architecture of diverse channels.
- d. FMECA V6 Risk 6.1.
- Oxygen Insufficiency related: Diving with oxygen cylinders empty shall be managed and avoided. FMECA V6 Risk 6.1.
- 0000419 Cylinder related: Cylinder regulator O ring shall be oxygen compatible material. FMECA V6 Risk 5.7.
- 0000418 Cylinder related: Cylinder valve O ring shall be oxygen compatible material. FMECA V6 Risk 5.7.
- 0000417 Cylinder related: The loss of gas from cylinder during dive recovery action shall be in the user manual. FMECA V6 Risk 5.6.
- 0000416 Cylinder related: Cylinder valves compliance to ISO 10297. FMECA V6 Risk 5.6.
- 0000415 Cylinder related: Cylinders shall be protected from detritus. FMECA V6 Risk 5.5.
- 0000414 Cylinder related: Helium shall not be stored in the carbon wrapped cylinders for long periods. FMECA V6 Risk 5.4.
- 0000413 Cylinder related: Carbon wrapped cylinders annual inspection requirement to be in the user manual. FMECA V6 Risk 5.4. (Y)
- 0000412 Cylinder related: Plastic cored cylinders shall not be used. FMECA V6 Risk 5.3. (Y)
- 0000410 Cylinder related: Carbon wrapped cylinder coating. FMECA V6 Risk 5.2. (Y)
- 0000370 Other gas sensing: Oxygen Cylinder Contents Pressure measurement. (Y)
- 0000397 Environment conditions: Helium tolerance. (Y)
- 0000368 Other gas sensing: Helium measurement. (Y)
- 0000390 Environment conditions: EMC Requirements. (Y)
- 0000369 Environment conditions: Operating Temperature sensors are required on
These terms combine to describe the safety needed by systems. For example, most biomedical equipment is only critical, and often another identical piece of equipment is nearby, so it can be merely probabilistically fail safe. Train signals can cause catastrophic accidents (imagine chemical releases from tank cars) and are usually inherently safe. Aircraft failures are catastrophic, at least for their passengers and crew, so aircraft are usually probabilistically fault tolerant. Without any safety features nuclear reactors would have catastrophic failures, so real nuclear reactors are required to be at least probabilistically fail safe, and some are inherently fault tolerant. The appropriate level for a rebreather is probabilistically fail safe and probabilistically fault tolerant, to achieve a probability of a critical failure of less than one per billion hours. The latter requires a MTBF calculation for each component path, and the probability of failure must be better than one in a billion hours of operation. Where this is not the case, redundancy and fail safe subsystems must be introduced to achieve at least a billion hours Mean Time Between Critical Failure. The mode of the failure must also be determined and means put in place to ensure that all failures are in a fail safe state, or a state that does not immediately endanger the life of the user.

3 BENCHMARKS

The first issue to resolve is what l
evel of performance must be met. This is normally set by existing companies and standards. In the case of rebreathers this is not possible, for the reasons described below.

3.1.1 Competitive Benchmark and Statutory Standards as Benchmarks

Existing equipment from a market leader would normally be taken as the competitive benchmark. Some manufacturers are CE approved and appear to work closely with BSAC, who had a large input to the EN14143 standard. Much of EN14143 appears to be written around the APD Inspiration. Unfortunately no existing equipment meets any Functional Safety standard. This statement covers a wide range of situations in the market; in extremis, electronically controlled rebreathers are designed and sold widely yet the designer has never had any engineering training whatsoever. No contemporary rebreather meets the competency requirements of IEC EN 61508 2004 as defined by the CASS Scheme for EN 61508 certification. A long list of single point potentially fatal failures can be given for most contemporary rebreather products: existing equipment is clearly not fail safe and none can tolerate a single worst case fault. This means that no existing rebreather can be classified as a Dependable System nor a Fault Tolerant System. All three factors, fail safe, dependable and fault tolerant, are normally fundamental requirements of any life critical system. For these reasons no contemporary benchmark is used for the electronic and programmed s
- 0000547 Oxygen Level Monitoring related: g successive calibration cycles. FMECA V6 Risk 10.4. (Y Y)
- 0000546 Oxygen Level Monitoring related: System shall check for need for O2 sensor replacement. FMECA V6 Risk 10.4.
- 0000545 Oxygen Level Monitoring related: All O2 sensors shall not be wired to one chip, whether one ADC, one MUX or one op amp block. FMECA V6 Risk 10.3. (Y Y)
- 0000544 Oxygen Level Monitoring related: A connector which mates ground before signal and protects the connections from corrosion shall be used. FMECA V6 Risk 10.3. (Y Y)
- 0000542 Oxygen Level Monitoring related: O2 flush under start up sequence control shall be done to detect O2 sensors that have CO2 contamination. FMECA V6 Risk 10.2. (Y Y)
- 0000539 Controller and Information related: Bail out valve to be produced from durable materials. FMECA V6 Risk 9.23. (Y Y)
- 0000538 Controller and Information related: It shall be ensured diver can reach tank valves in SCUBA applications. FMECA V6 Risk 9.23.
- 0000537 Controller and Information related: Separate annunciation shall be provided as well as bail out actuator. FMECA V6 Risk 9.23.
- 0000536 Controller and Information related: Actuator shall be protected from user tampering. FMECA V6 Risk 9.23.
- 0000535 Controller and Information related: Actuator shall be achieved with just one moving
ication and will certify this equipment when certified to do so by SIRA as implementing best practice and meeting ALARP, based on the evidence here, in the other volumes of the FMECA, and on the whole of the safety case for the three models of the Open Revolution family of rebreather products.

7 CONCLUSION

The Open Revolution family of rebreather products implements best practice and implements ALARP principles. Diving is an inherently hazardous and high risk activity. The equipment itself reduces those risks compared to contemporary state of the art equipment and methods, and provides broad spectrum protection to the diver. Deep Life is seeking certification of the product to EC PPE Directives and EN 14143:2003 from SGS UK Ltd as a PPE Notified Body.
ications from Rebreather. The purpose here is to provide an overview of the failure modes, effect, redundancy, fault tolerance and criticality for review purposes during the design process.

2 CLASSIFICATION

Safety Engineers distinguish different degrees of defective operation. A fault is deemed to occur when some piece of equipment does not operate as designed. A failure only occurs if a person other than a repairman has to cope with the situation. A critical failure endangers one or more people, and catastrophic failures kill more than 6 people or 100 people, depending on the industry. Safety engineers also identify different modes of safe operation. A probabilistically safe system has no single point of failure and enough redundant sensors, logic processors and effectors that it is very unlikely to cause harm. Very unlikely to a Safety Engineer means less than one human life lost or serious injury in a billion hours of operation. An inherently safe system is a clever arrangement, usually mechanical, that cannot be made to cause harm; obviously the best arrangement, but this is not always possible. For example, inherently safe airplanes are not possible. A fail safe system is one that cannot cause harm when it fails. A fault tolerant system can continue to operate with faults, though its operation may be degraded in some fashion that does not affect the safety of the user significantly.
- Umbilical Supplied Dives related: loss umbilical. FMECA V6 Risk 17.1.
- 0000652 Dives in Cold Water related: Divers shall be advised that below 7C gas heating is required, and particularly below 4C. FMECA V6 Risk 16.2. (Y Y)
- 0000651 Dives in Cold Water related: Equipment to be tested with storage to minus Eo for material suitability. FMECA V6 Risk (Y Y)
- 0000650 Dives in Cold Water related: Equipment shall be stored in a warm location. FMECA V6 Risk 16.1. (Y Y)
- 0000649 Dives in Cold Water related: SIL rated heating system in the counterlungs shall be used for diving in very cold water. FMECA V6 Risk 16.1. (Y Y)
- 0000648 Associated Equipment related: Hooks and lines that increase the entrapment risk significantly shall be avoided. FMECA V6 Risk 14.2. (Y Y)
- 0000647 Associated Equipment related: Active suit heating using self regulating carbon monomers shall be provided. FMECA V6 Risk 14.1.
- 0000646 Associated Equipment related: Dry gloves that allow entire suit to flood shall not be used for decompression diving without suit heating. FMECA V6 Risk 14.1.
- 0000645 Other Rebreather Equipment related: Divers shall be trained not to fix rebreather to their body except using harness that came with rebreather. FMECA V6 Risk 13.6.
- Other Rebreather Equipment related: Hooks and lines that increase the entrapment
- iminated. FMECA V6 Risk 7.7.
- 0000469 Loop Volume Sufficiency related: Make Up Gas shall be monitored during descent and END shall be monitored. FMECA V6 Risk 7.7.
- 0000468 Loop Volume Sufficiency related: a bail out to be used. FMECA V6
- 0000467 Loop Volume Sufficiency related: ALV shall be used. FMECA V6 Risk 7.6.
- 0000463 Loop Volume Sufficiency related: A rapid drop of Make Up Gas pressure to be detected by the system. FMECA V6 Risk 7.3.
- 0000454 Oxygen Insufficiency related: Hypoxic Make Up Gas shall be run via a manifold and not used near the surface. FMECA V6 Risk 6.20.
- 0000455 Oxygen Insufficiency related: Make Up Gas gases to be detected and decline the dive if hypoxic on surface. FMECA V6 Risk 6.20.
- 0000456 Oxygen Insufficiency related: PPO2 shall be 0.7 or above to start dive. FMECA V6 Risk 6.20.
- 0000457 Oxygen Insufficiency related: ALV injection rate shall be limited to 12 l/min. FMECA V6 Risk 6.20.
- 0000459 Oxygen Insufficiency related: Right to left loop flow to be used. FMECA V6 Risk 6.22.
- 0000461 Oxygen Insufficiency related: PPO2 level to be monitored and automatic bail out shall be provided if the PPO2 cannot be maintained. FMECA V6 Risk 6.24.
- 0000460 Oxygen Insufficiency related: OPV shall be fitted only to the inhale counterl
- k 18.8.
- 0000706 Diver Physiology related: O2 Cells shall be calibrated in air when the unit is open. FMECA V6 Risk 18.7.
- 0000705 Diver Physiology related: The number of fingers in the web around the mushroom valve shall be kept to the minimum. FMECA V6 Risk 18.6.
- 0000704 Diver Physiology related: Breathing hose shall be of sufficient diameter so as not to be blocked by vomit. FMECA V6 Risk 18.6.
- 0000703 Diver Physiology related: A combined ALV BOV shall be always in the loop. FMECA V6 Risk 18.6.
- 0000702 Diver Physiology related: All materials shall be checked for off gassing, both from the MSDS and from rigorous materials testing. FMECA V6 Risk 18.5.
- 0000701 Diver Physiology related: All allergenic materials shall be eliminated from loop. FMECA V6 Risk 18.5.
- 0000700 Diver Physiology related: 2kPa scrubber endurance ratings shall be provided. FMECA V6 Risk 18.3.
- 0000699 Diver Physiology related: Scrubber shall have uniform endurance with depth and temperature with the application of ALARP. FMECA V6 Risk 18.3.
- 0000692 Umbilical Supplied Dives related: A fail safe automatic shut off valve shall be implemented. FMECA V6 Risk 18.1, 18.4.
- 0000698 Diver Physiology related: WOB shall be minimised with the application of ALARP. FMECA V6 Risk 18.3.
- 0000697 Diver Physiology related: Scrubber health shall be monitored with the application of ALARP. FMECA V6 Risk 18.3.
- 0000696 Diver Physiology related: Scrubber life shall be monitored with the application of ALARP. FMECA V6 Risk 1
- Umbilical Supplied Dives related: lve on the helmet and this shall allow flooding of the suit. FMECA V6 Risk 17.5. (Y Y)
- 0000657 Umbilical Supplied Dives related: Adequate bail out is required. FMECA V6 Risk 17.2, 17.5. (Y Y)
- 0000656 Umbilical Supplied Dives related: o is required. FMECA V6 Risk (Y Y)
- 0000661 Umbilical Supplied Dives related: Whether a helmet is attached correctly shall be monitored electronically. FMECA V6 Risk 17.4.
- 0000660 Umbilical Supplied Dives related: Weight of umbilical shall be controlled. FMECA V6 Risk 17.3. (Y Y)
- 0000659 Umbilical Supplied Dives related: Procedures to avoid diver entrapment shall be used. FMECA V6 Risk 17.3. (Y Y)
- 0000658 Umbilical Supplied Dives related: Umbilical shall be either disconnectable or diver shall carry means to cut the umbilical to free himself. FMECA V6 Risk 17.3. (Y Y)
- 0000655 Umbilical Supplied Dives related: Protection to avoid reduction in diameter from increasing risk of it being severed shall be considered. FMECA V6 Risk 17.1. (Y Y)
- 0000654 Umbilical Supplied Dives related: A transponder separated to the rebreather shall be put onto the diver. FMECA V6 Risk 17.1.
- 0000653 Umbilical Supplied Dives related: Bail out carried by diver shall be used in case (Y Y)
- part. FMECA V6 Risk 9.23.
- 0000534 Controller and Information related: All electronics and programmed parts of the rebreather shall comply with functional safety standards. FMECA V6 Risk 9.21. (Y Y)
- 0000533 Controller and Information related: MTBCF shall be calculated for entire electronics system. FMECA V6 Risk 9.21.
- 0000509 Controller and Information related: It shall be ensured unit powers on automatically whenever the PPO2 is less than 0.16. FMECA V6 Risk 9.8, 9.20. (Y Y)
- 0000532 Controller and Information related: Failure modes due to cycling of brown out events shall be verified. FMECA V6 Risk 9.19.
- 0000531 Controller and Information related: High degree of data line protection is required. FMECA V6 Risk 6.18.
- 0000530 Controller and Information related: shall be avoided. FMECA V6 Risk (Y Y)
- 0000529 Controller and Information related: Effect of watchdog and brown out circuits firing repeatedly and blocking other actions shall be considered. FMECA V6 Risk 9.17. (Y Y)
- 0000527 Controller and Information related: Electronics, particularly monitoring or control devices, shall be Functional Safety compliant. FMECA V6 Risk 9.15, 9.17. (Y Y)
- 0000528 Controller and Information related: When monitoring or control device has two sets then a failure of one shall not cause failure of the whole. FMECA V6 Risk 9.15. (Y Y)
- 0000525 Controller and Information related: Suitable materials to be chosen to minimise risk of displays damaged due to being dropped. (Y Y)
- 0000501 Controller and Information related: red Watchdog circuit is operating by halting the clock for the Watchdog period. FMECA V6 Risk 9.7.
- 0000500 Controller and Information related: All electronics and software shall meet EN 61508 2004 Parts 1 to 3 to at least SIL 2. FMECA V6 Risk 9.6.
- 0000499 Controller and Information related: Base unit shall be made to at least automotive SQA 9002 standards and controls. FMECA V6 Risk 9.6.
- 0000498 Controller and Information related: PFD in addition to monitoring or control device to be provided. FMECA V6 Risk 9.6.
- 0000497 Controller and Information related: Multiple devices shall be used in monitoring or control device. FMECA V6 Risk 9.6.
- 0000496 Controller and Information related: Full electrical self test to be performed during power up sequence. FMECA V6 Risk 9.6, 9.10, 9.15, 9.16.
- 0000495 Controller and Information related: Optimum period to be around 30 hours between recharges. FMECA V6 Risk 9.4.
- 0000494 Controller and Information related: Secondary cells shall not be used. FMECA V6 Risk 9.4.
- 0000493 Controller and Information related: Batteries to be properly characterised for diving, including the error in predicting battery life. FMECA V6 Risk 9.4.
- 0000492 Controller and Information related: Swept power drop out test shall be used to check Bro
- Flooding or Drowning related: Seals around scrubber shall stand over pressure and under pressure. FMECA V6 Risk 12.1.
- 0000615 Flooding or Drowning related: Counterlung fittings require a welded retainer ring to prevent them pulling out of the counterlung. FMECA V6 Risk 12.1.
- 0000614 Flooding or Drowning related: It shall be ensured ALV diaphragm does not fold and is tear resistant. FMECA V6 Risk 12.1.
- 0000613 Flooding or Drowning related: It shall be ensured OPV diaphragm does not fold and is tear resistant. FMECA V6 Risk 12.1.
- 0000612 Flooding or Drowning related: Full hose connector as an integral part of the scrubber canister shall be provided. FMECA V6 Risk 12.1.
- 0000611 Flooding or Drowning related: Hoses shall be made from EPDM. FMECA V6 Risk 12.1.
- 0000610 Flooding or Drowning related: It shall be ensured counterlung can withstand shock pressures of 500mbar. FMECA V6 Risk 12.1.
- 0000609 Flooding or Drowning related: Positive identification and colouring shall be used for the connectors. FMECA V6 Risk 12.1.
- 0000608 Flooding or Drowning related: Moisture and WOB shall be monitored. FMECA V6 Risk 12.1.
- 0000607 Flooding or Drowning related: A buoyancy device shall be fitted to SCUBA rebreathers with enough lift for the diver. FMECA V6 Risk 12.1.
- 0000605 Flooding or Drowning related: A mouthpiece retainer gag strap as standard
- sk 6.2.
- 0000438 Oxygen Insufficiency related: Voice annunciation of the resulting low PPO2 level to be used. FMECA V6 Risk 6.11.
- 0000437 Oxygen Insufficiency related: Oxygen composition to be checked before every dive. FMECA V6 Risk 6.11.
- 0000436 Oxygen Insufficiency related: Oxygen assessment to be verified. FMECA V6 Risk 6.10.
- 0000435 Oxygen Insufficiency related: All materials, flows and components in contact with oxygen to have full oxygen assessment. FMECA V6 Risk 6.10.
- Oxygen Insufficiency related: Oxygen injector to be checked during positive pressure test at startup. FMECA V6 Risk 6.9.
- 0000433 Oxygen Insufficiency related: sensors to be calibrated in air. FMECA
- 0000430 Oxygen Insufficiency related: Umbilical UBA shall have umbilical gas or gas supply sensor. FMECA V6 Risk 6.5.
- 0000429 Oxygen Insufficiency related: Oxygen usage to be monitored. FMECA V6 Risk 6.5.
- 0000427 Oxygen Insufficiency related: Hard plastic knobs with a surface that is less likely to move with friction shall be used on oxygen cylinders. FMECA V6 Risk 6.2.
- 0000425 Oxygen Insufficiency related: Oxygen cylinder cannot be switched off prior to the unit being switched on. FMECA V6 Risk 6.2.
- 0000424 Oxygen Insufficiency related: Diver shall be warned when hypoxic Make Up Gas is use
- Environment conditions: Humidity sensor is required.
- 0000366 PPCO2 Related: CO2 Measuring Initial requirements. (Y)
- 0000364 Environment conditions: All electronics with batteries must be chargeable via a USB 2.0 connector, with both low and high current sources.
- 0000359 Environment conditions: Storage temperature range 30C to 70C.
- 0000363 Environment conditions: Operating Temperature range in of electronics is 30C to 70C, to error that rebreather is outside operating range.
- 0000361 Environment conditions: Operating Temperature range in air of electronics is 2C to 70C, under which conditions electronics shall be in full calibration. (Y Y Y)
- 0000362 Environment conditions: Operating temperature range underwater of Surface Supplied rebreather with gas heating is 4C to 34C. (Y Y Y)
- 0000360 Environment conditions: Operating temperature range underwater without gas heating is 4C to 34C. (Y Y Y)
- 0000311 PPO2 Related: O2 cell fault tolerance. (Y Y Y)

6 EN61508 AUDIT

An extensive audit was carried out on Deep Life's lifecycle processes, using the Open Revolution family of products as the case study, by a team of auditors from SIRA Certification from December 2008 to April 2009. The opinion of the auditors, familiar with the dive industry and the application, is that the equipment is safe, certifiable and is likely to provide a substantial increase in safety. Deep Life is completing an EN 61508 process compliance qualif
- ung or inhale hose between inhale counterlung and mouthpiece. FMECA V6 Risk 6.23.
- 0000462 Loop Volume Sufficiency related: Make Up Gas pressure shall be monitored by the system. FMECA V6 Risk 7.1, 7.2, 7.3.
- 0000458 Oxygen Insufficiency related: Hyperoxic Make Up Gas shall be run via a manifold and be switched out at depth. FMECA V6 Risk 6.21.
- 0000453 Oxygen Insufficiency related: O2 injector shall provide 12 l/min of O2. FMECA V6 Risk 6.19, 6.20, 6.21.
- 0000445 Oxygen Insufficiency related: Rebreather shall run as pure O2 rebreather automatically when above 6m. FMECA V6 Risk 6.15, 6.19.
- 0000452 Oxygen Insufficiency related: Manual flush rate shall be limited so that user cannot reduce the PPO2 to below 0.2. FMECA V6 Risk 6.18.
- 0000447 Oxygen Insufficiency related: O2 injector shall keep breathing loop at full pressure at maximum rate of ascent, 120m/min. FMECA V6 Risk 6.16, 6.17, 6.18.
- 0000451 Oxygen Insufficiency related: Suit and BCD supplies to be quick release. FMECA V6 Risk 6.17.
- 0000450 Oxygen Insufficiency related: PPO2 set points which are lower than the corresponding fraction of O2 in air shall not be allowed. FMECA V6 6.17.
- 0000448 Oxygen Insufficiency related: Torpedo and fast ascent tests to be included in rebreather verification. FMECA V6 Risk 6.16.
- 0000684 Umbilical Supplied Dives related: urrent density with the unit in water to be used during testing. FMECA V6 Risk 17.13. (Y Y Y)
- 0000683 Umbilical Supplied Dives related: Equipment shall be tested for operation between a pair of underwater burning system electrodes in use. FMECA V6 Risk 17.13. (Y Y Y)
- 0000682 Umbilical Supplied Dives related: Active current monitoring shall be used to detect shorts or excess current drain. FMECA V6 Risk 17.12. (Y Y Y)
- 0000681 Umbilical Supplied Dives related: Failure mode to be eliminated by use of self regulating materials. FMECA V6 Risk 17.12.
- 0000680 Umbilical Supplied Dives related: Gas heating shall be treated as a SIL 4 requirement for very deep diving. FMECA V6 Risk 17.11. (Y Y Y)
- 0000679 Umbilical Supplied Dives related: A requirement shall be stated for passive undersuit thermal protection in user manuals and training. FMECA V6 Risk 17.11. (Y Y Y)
- 0000678 Umbilical Supplied Dives related: Special considerations to be used in warm water conditions. FMECA V6 Risk 17.10. (Y Y)
- 0000677 Umbilical Supplied Dives related: Full safety case is required for diver thermal stance. FMECA V6 Risk 17.10.
- 0000676 Umbilical Supplied Dives related: A dry suit shall be used with a rebreather. F (Y Y)
with the date of the entire document. The Revision Numbering comprises an Alphabetic Letter (A, B, C, D etc.) for all major rewrites and a letter for edits of sections of this document (0, 1, 2, 3 etc.). Where an update is made that does not involve reissue of the entire document, then the Revision History sets out which pages are affected.

Rev C0 Page 2 of 33 Released for publication

Table of Contents

1 PURPOSE AND SCOPE (page 4)
2 CLASSIFICATION (page 4)
3 BENCHMARKS (page 5)
3.1.1 Competitive Benchmark and Statutory Standards as Benchmarks (page 5)
3.1.2 Primary Benchmarks (page 6)
4 REDUNDANCY REVIEW (page 6)
4.1 Number of O2 Sensors Required (page 6)
4.2 Number of other redundant systems required (page 7)
4.3 Redundancy of Communication (page 7)
5 SAFETY TRACEABILITY (page 9)
6 EN 61508 AUDIT (page 33)
7 CONC
- wn Out Circuit activation. FMECA V6 Risk 9.3.
- 0000491 Controller and Information related: Batteries shall be soldered; contacts are not acceptable. FMECA V6 Risk 9.3.
- 0000490 Controller and Information related: Batteries state shall be shown during power up sequence. FMECA V6 Risk 9.2.
- 0000489 Controller and Information related: Dives with an adequate batteries capacity (10 hours minimum) shall not be allowed. FMECA V6 Risk 9.1, 9.2.
- 0000488 Loop Volume Relief related: User shall not switch OPV with ALV accidentally. FMECA V6 Risk 8.11.
- 0000487 Loop Volume Relief related: OPVs shall not be used as water traps. FMECA V6 Risk 8.10.
- 0000486 Loop Volume Relief related: OPV operation to be verified. FMECA V6 Risk 18.9.
- 0000485 Loop Volume Relief related: OPV shall be robust. FMECA V6 Risk 8.8.
- 0000484 Loop Volume Relief related: OPV shall be positioned as close to the lung centroid as possible. FMECA V6 Risk 8.7.
- 0000483 Loop Volume Relief related: OPV cracking pressure shall be checked as part of pre dive positive pressure check. FMECA V6 Risk 8.6.
- 0000482 Loop Volume Relief related: OPV to be positioned so it cannot be adjusted accidentally during dive. FMECA V6 Risk 8.6.
- 0000481 Loop Volume Relief related: OPV to be located where it cannot be changed accidentally during dive. FMECA V6 Risk 8.5.
- 0000480 Loop Volume Relief related: All O ring designs shall be checked as part of mechanical design review checklist. FMECA V6 Risk 8.4.
- 000047 Loop Volume Relief related: A filter to be fitted to both inside and outside
ystems that form part of the Open Revolution family of rebreathers. However, there is a body of expertise for the respiratory performance. Benchmarks for respiratory performance are taken from the APD Inspiration, APD Evolution, ISC Megalodon, Draeger Dolphin and CCRB Ouroboros rebreathers, as well as compliance with standards, regulations and guidelines that relate to respiratory and general performance. These standards are listed in the EC PPE Technical File for the products.

3.1.2 Primary Benchmark

The entire design of the OPEN REVOLUTION rebreather has set as its benchmark:

- Fail Safe, for both electrical and mechanical systems.
- Fault tolerant: able to operate as a rebreather with two worst case faults of random faults.
- Dependable. This means it must monitor, using redundant systems, every factor that affects the well being of the user. This requires total gas monitoring with a means to remove failure modes caused by the user: forums suggest that users fail to bail out when this is indicated, and most deaths result from this.

For reasons of economy a unit may be fitted with fewer components than is needed for the primary benchmark, in which case the system must meet the basic benchmark, which is simply better than 1 billion hours between critical failures of the system. This is done for reasons of cost in some cost sensitive applications. Examples of such cost reduction include