FMECA Volume 6: Top Down Rebreather Faults
Contents
1. Functional Safety Implication Covered by end to end clause ALVBOV should not have any means to turn it off other than turning off the supply cylinder or umbilical supply Duplicate the ALV e g ALV and ALVBOV and provide a means for these to be supplied by separate gas sources on dives with a decompression obligation Monitor Make Up Gas contents FMECA_OR_V6_141201 doc Rev C6 45 of 163 This document is the property of Deep Life Design Group and is released for Open Distribution subject to no modification being made and the document being reproduced in full Deep Life Design Group is a trademark of Deep Life Ltd IBC Deep Life Ltd IBC 7 10 Counterlungs unable to provide gas Cause Counterlungs insufficient volume for diver Counterlungs collapse such that gas cannot be supplied to ports on the counterlung Counterlungs trapped Counterlungs kinked Lack of gas channel from where the gas is in the counterlung to the gas port out of the counterlung Counterlungs are flat that is not box or tube structures that are fixed such that the counterlung is under tension preventing it filling Counterlungs stick together inside due to inappropriate materials or contamination Symptoms Surface Diver cannot inhale without ALV firing Dive As on surface Recovery action during Dive Abort dive Bail out Preventative action Avoid faults by design Functional Safety Implication2. Cause Poor design or poor maintenance In some cases mal adjustment by diver With valve accessible externally it may be moved accidentally by rubbing with hawsers or ropes Granular scrubbers have resulted in a granule becoming stuck in the OPV during the dive with serious close miss mishap as a result Symptoms Surface Should show up in the pre dive check positive pressure test Dive Venting gas continuously or on every breath Water ingress Breathing resistance CO2 hit Recovery action during Dive Reset the valve to correct position and if that does not work then bail out Preventative action Position valve so it cannot be adjusted accidentally during dive Check OPV cracking pressure as part of pre dive positive pressure check Functional Safety Implication Locate valve where it cannot be changed accidentally during dive 8 7 OPV cracking pressure relative to diver changes with attitude Cause Incorrect placement of OPV Symptoms Surface FMECA_OR_V6_141201 doc Rev C6 52 of 163 This document is the property of Deep Life Design Group and is released for Open Distribution subject to no modification being made and the document being reproduced in full Deep Life Design Group is a trademark of Deep Life Ltd IBC Deep Life Ltd IBC None Dive Loop volume changes as a function of diver attitude as does Work of Breathing OPV may vent or freeflow in some positions Reco
3. e High and low thermal shutdown for charging or discharge battery capacity is higher at low temperature for most lithium chemistries so charging at a low temperature the charge shall stop at the capacity the battery would have at high temperature otherwise the excess charge results in over heating of the battery when the battery is warmed up f Charge over current protection g Discharge over current protection h Battery state shall be shown during power up sequence and operation i Provide 3 power sources for SIL 3 with different drain rates and do not allow dive unless adequate capacity 10 hours minimum j Provide fail safe PPO2 injection in eCCRs that does not require power e g ALVBOV or needle valve or variable orifice not a normally closed solenoid k Provide failure evident indication e g diver reinforcement of active states using a device that requires regular attention to prevent an alarm state Provide buddy display and warning of failure on buddy display m Where 9 3 Power Drop out or Battery Bounce Cause Poor battery and contact design Manifest when entering water by an automatic bail out device fails due to lack of power ensure diver can operate it manually and the failure is evident rolling backwards on to turtle shell Momentarily disconnects batteries Battery failure FMECA_OR_V6_141201 doc Rev C6 58 of 163 This document is the property of Deep Life De
4. e Malfunction of the electronic controller e Absence of function of the electronic controller Symptoms Surface Anaethesia Reduced awareness Loss of consciousness Dive Anaesthesia Reduced awareness Loss of consciousness Recovery action during Dive Bail out Preventative action Force bail out automatically if user should not act on warnings Eliminate electronic controller failures modes that are not fail to safe state Functional Safety Implication Implement a fail safe automatic shut off valve bail out is essential 18 5 Allergic Reaction to Material Cause Use of latex or other allergenic material Repeated exposure to latex can trigger severe allergic reactions and sensitivity to other materials Foreign matter in loop especially mouthpiece such as from jelly fish Off gassing of noxious compounds has been identified as the cause for nausea in deep saturation dives Symptoms Surface Can vary from difficulty breathing burning around mouth through to toxic shock which can be fatal on the surface Dive FMECA_OR_V6_141201 doc Rev C6 136 of 163 This document is the property of Deep Life Design Group and is released for Open Distribution subject to no modification being made and the document being reproduced in full Deep Life Design Group is a trademark of Deep Life Ltd IBC Deep Life Design Group Same as on surface Nausea Loss of consciousness death Recovery action
5. 10 4 O2 Cell Contamination Cause Organic material in O2 Cell KOH solution Symptoms Surface Drift of 02 Cell readings Dive FMECA_OR_V6_141201 doc Rev C6 80 of 163 This document is the property of Deep Life Design Group and is released for Open Distribution subject to no modification being made and the document being reproduced in full Deep Life Design Group is a trademark of Deep Life Ltd IBC Deep Life Ltd IBC May manifest as a ceiling fault during the dive Recovery action during Dive Eliminate the sensor from the PPO2 calculation Preventative action Check sensors for drift Replace sensors that drift Functional Safety Implication Requires that the system check for need for sensor replacement and for sensor drift during successive calibration cycles 10 5 O2 Cell Thermal compensation failure Cause Manufacturing fault design fault or component failure in 02 cell See also fault 6 28 Symptoms Surface Not apparent Dive If the diver flushes the loop the PPO2 will be different from that expected Recovery action during Dive Bail out Preventative action Careful inspection of sensors It is unreasonable to expect the user to do this on every dive Functional Safety Implication 1 This is a serious failure in that it causes the O2 Cell reading to fluctuate both high and low depending on temperature 2 Solution adopted is to change the sensor design to allow this pr
6. Bail out Preventative action FMECA_OR_V6_141201 doc Rev C6 70 of 163 This document is the property of Deep Life Design Group and is released for Open Distribution subject to no modification being made and the document being reproduced in full Deep Life Design Group is a trademark of Deep Life Ltd IBC Deep Life Ltd IBC Design out the problem Use fail safe injectors and put into safe mode on detecting brown out or power down requires sufficient capacitance to operate valve Functional Safety Implication Requires design verification of this failure mode and cycling of brown out events 9 20 Failure to turn on Cause Design error failure to use an appropriate safety critical architecture such as TTA Note this fault Is also covered elsewhere Symptoms Surface Diver is breathing from equipment that is turned off Diver passes out Dive Ditto but diver drowns Recovery action during Dive Inject gas immediately Preventative action Design out the problem Rebreathers need to switch on automatically with falling PPO2 Functional Safety Implication Requires an auto on feature to turn unit on preferably automatic switch on with falling PPO2 See also Fault 9 25 9 21 Single points of failure Cause Design error a single short open or component failure causes controller failure leaving it in a unreasonably dangerous state Symptoms Surface Hung controller Dive Ditto but di
7. PVC and partially reacted polymers should not be used due to their continuous off gassing of highly toxic substances Polyoxymethylene POM also known as Acetal Polyacetal and Polyformaldehyde is sold under tradenames such as Delrin and Histaform POM should not be used in any significant quantity or at all in the breathing loop This restriction applies to all similar Acetyl plastics due to its decomposition and heavy contamination when new offgasing formaldehydes POM oxidises in chlorine including by exposure to the chlorine in training pools resulting in further offgasing and causing stress fractures The lung burn reported above was due to Delrin and POM offgasing Polycarbonate including Lexan normally contains Bisphenol A as a key building block this offgases in a diving environment and exposes the diver to this carcinogen Polycarbonate free of Bisphenol A is available but is uncommon A second problem with polycarbonate is that it is weakened by exposure to strong bases as may be present in a rebreather after a flood Polybutyleneterephthalate PBT has an UL94 V 0 rating low offgasing and low water absorption PBT can fail suddenly after exposure to strong bases as may be present in a rebreather Aromatic Polyurethane contains aromatic isocyanates isocyanates are known skin and respiratory sensitizers Aromatic urethane turns yellow under exposure to UV light to release further isocyanates and can lose mec
8. ce eseec cece eee ec cece ee eeeeeeeeeeeeeneeeeeeeeeeees 110 13 2 Rebreather BG Failure 2 cccccsccccssscccessccccsssesseusvevewesionsnsvevsrsvsrecevereses 110 13 3 Harness Failures 3 0 s secssssessssesdessesdessaanseessssesessseescecevectsevecasneas 111 13 4 Pressure Sensor Failure acccccsscccssssccnsecdccnsccestarssaseesshesoeebeseeeaeeeeuates 111 13 5 Noxious Chemical off gassing sssesssesssesesssecssscessecssseosseessseessee 112 13 6 Entrapment Hazard wsivissiessseisnsasesiacsbabasabasiaeesesesssseetscsectssossssesesaesce 115 13 7 BOV or DSV Guillotines Diver s Tongue ccc ee ee cee eee eeeeeeeeeneeeeeneee 116 13 8 Infective Bacteria Fungi Yeasts and Viruses s ssssssssesssecsssessseeees 117 13 9 Insects INSIDE LOOP iiveees ead dacs veces ead AEEA ESSEET EEEE EEEE EE 118 13 10 Argon Narcosis from using less than 99 pure OXygen eeeeeeeeeeeeeee 119 14 Associated Equipment Failures cccccceeeensec eee eenneeeceeeeeenseeeeeeeeessaaees 120 14 1 Gross dry SUIELEAK s weescccscecccsssscsesescsseesesieucessssisasessseeoecececececucectenes 120 14 2 Entrapment HaZard isscssscescees toeseeeees nies sees tetaessseesccessmessseseeesenauass 121 14 3 Polarised or Filter Mask Prevents Reading of LCD displays 206 121 15 Decompression Computer Failures ce eccee eee e ence ee eeceeeeeeeeeeeeeeenarees 122 16 Failures Specific to Dives in Cold Water
9. 11 16 Very low diver tidal volume v v v 11 17 Sensory system false alarm V v v 12 Flooding and Drowning v v v 12 1 Loop Flood v v v 12 2 Mouthpiece floods rebreather V 4 v 12 3 Mouthpiece failure i e failure V v v to allow diver to breathe from loop when this is desirable FMECA_OR_V6_141201 doc Rev C6 158 of 163 This document is the property of Deep Life Design Group and is released for Open Distribution subject to no modification being made and the document being reproduced in full Deep Life Design Group is a trademark of Deep Life Ltd IBC Deep Life Design Group Fault Eliminate or Mitigate By Annual Risk After Mitigation Design Training Maintenance Severity 1 Probability Risk 12 4 Counterlung ports pull out v v v from counterlung 12 5 Implosion or explosion on v v v compression or decompression 12 6 Counterlung or hose pinched 12 7 Counterlung or rebreather v component pierced 12 8 Lack of water drain 12 9 Water Drain Failure 13 Other Rebreather Equipment Failures 13 1 Pressure causing implosion v v v 13 2 Rebreather BC Failure v v v 13 3 Harness Failure v v v 13 4 Pressure Sensor Failure v v v 13 5 Noxious chemical off gassing VW v v 13 6 Entrapment Hazard v v v 13 7 BOV or DSV Guillotines v v v Diver s Tongue 13 8 Infective Bacteria Fungi v v v Yeasts and Viruses 13 9 Insects inside
10. Bail out Preventative action Inspect OPV diaphragm regularly during dive checks Functional Safety Implication Active control over pre dive positive pressure checks indicated 8 2 OPV diaphragm folded causing flood Cause OPV diaphragm of improper type or design with sudden pressure change such as with diver entering the water Symptoms Surface None Dive Gurgling and other signs of water in loop Breathing resistance CO2 hit Recovery action during Dive Bail out Preventative action Ensure OPV diaphragm does not fold and remain deformed under conditions of extremely high gas flow or gas pulses FMECA_OR_V6_141201 doc Rev C6 49 of 163 This document is the property of Deep Life Design Group and is released for Open Distribution subject to no modification being made and the document being reproduced in full Deep Life Design Group is a trademark of Deep Life Ltd IBC Deep Life Ltd IBC Functional Safety Implication OPV needs to be fully characterised Example Incident http www rebreatherworld com rebreather accidents incidents 20066 why c02 scares dave incident report 2 html post1 94733 8 3 Foreign material trapped under OPV diaphragm Cause Diving in silt poor maintenance Symptoms Surface May appear in a pre dive positive pressure check Dive Gurgling and other signs of water in loop Breathing resistance CO2 hit Recovery action during Dive Bail out Preventati
11. Fit a one way valve to the umbilical at the point where it feeds into the diver s helmet Functional Safety Implication One way valve is required Adequate bail out is required Should be survivable by use of bail out carried by diver Maximum depth and maximum 02 concentration in bail out gas determines bail out size FMECA_OR_V6_141201 doc Rev C6 125 of 163 This document is the property of Deep Life Design Group and is released for Open Distribution subject to no modification being made and the document being reproduced in full Deep Life Design Group is a trademark of Deep Life Ltd IBC Deep Life Design Group 17 3 Entrapment of Umbilical Commercial diver Cause Heavy object falling on umbilical Umbilical floats and is caught by propellers or other moving objects in the water causing impact between the diver and the object That is the umbilical becomes a fishing line for divers Preventative action Reduce umbilical services to the minimum power communications and umbilical gas feed so it can be moved more easily Diver should be trained to safeguard umbilical Functional Safety Implication Umbilical should be either disconnectable or the diver should carry means to cut the umbilical to free himself Procedures to avoid diver entrapment Accidents where this has occurred the procedures were not followed Control weight of umbilical is important such as a line to flood 17 4
12. Fungi infection risks include Aspergillus fumigatus see below Bacterial risk infections include TB Yeasts include Canditis Virus infection risks are likely to be extensive Symptoms See the tragic case of Mike Firth on www divernet com other diving topics medical health 682407 think_twi ce before breathing off_a_bag html and then www diveoz com au discussion forums topic aso TOPIC ID 24651 both with capture dates of 13th February 2011 Two breaths from a wing resulted in Mike Firth losing 70 of his lungs from Aspergillus fumigatus fungi infection requiring oxygen continuously To quote Mike before he died It s like having your face blown away and it makes my mouth and nose tissues very sore having to settle for being able to walk no more than about 15 metres and my buddy is a long line with piped 02 Recovery action during Dive Not applicable Preventative action See UK HSE Information Sheet 12 Cleaning of Diving Equipment www hse gov uk pubs dvis 1 2 pdf Clean all wings rebreather counterlungs and respiratory components in clean water after every dive and at least once a week preferably daily clean using Virkon solution Functional Safety Implication Ensure all rebreather and wing user manuals contain instructions on cleaning the rebreather Ensure all training courses include instructions on cleaning the rebreather and the effect of not cleaning Publish the accident above in the rebreather
13. PPO2 should not equal 0 7ATA Should be detected automatically as PPO2 level changes but the output of the position sensor is constant Dive Should be detected automatically as PPO2 level changes but the output of the position sensor is constant Recovery action during Dive None required if system recovery is sufficient If second unit fails then bail out Preventative action Check motor operational range during self check sequence Functional Safety Implication 1 Should be detected automatically as PPO2 level changes but the output of the position sensor is constant 2 System should connect the second driver to the control loop and user is advised of this action 3 Urgent when PPO2 level increases beyond the set point after the connection of the second driver user should be required to Flush or ascend 4 Use direct orifice imaging to ensure orifice is not blocked or shifted 6 14 Use of O2 instead of Make Up Gas Cause Diver injecting 02 instead of Make Up Gas Preventative action Eliminate manual O2 inject Functional Safety Implication Eliminate manual O2 injection 6 15 Use of hypoxic Make Up Gas when entering water Cause FMECA_OR_V6_141201 doc Rev C6 30 of 163 This document is the property of Deep Life Design Group and is released for Open Distribution subject to no modification being made and the document being reproduced in full Deep Life Design Group is a trademark o
14. Preventative action Always dive with a buddy On rebreathers bail out to open circuit on ascent On rebreathers in an emergency ascent do not inhale from the breathing loop Functional Safety Implication The cause of sudden blackout is almost always hypoxia though underlying health issues should always be considered Most people become unconscious when the PPOQ2 in their lungs normally 0 21 atm falls below 0 075atm the alveolar PPO2 is around FMECA_OR_V6_141201 doc Rev C6 143 of 163 This document is the property of Deep Life Design Group and is released for Open Distribution subject to no modification being made and the document being reproduced in full Deep Life Design Group is a trademark of Deep Life Ltd IBC Deep Life Design Group 2 3 of this level due to the oxygen cascade whereby there is a reduction in PPO2 as the gas is warmed and humidified in the trachea and is under a slight vacuum for simplicity we shall refer to the PPO2 in the inhale gas as that is what is relevant for the SCUBA diver This mechanism by which the PPO2 falls below 0 075 atm equal to 0 04 atm at the alvaeoli is different between freedivers SCUBA divers and rebreather divers For the freediver ten metres of water effectively doubles the minimum PPQ2 to avoid LOC to 0 15atm then when the diver ascends the PPO2 falls putting them below the 0 075 atm limit A PPO2 of 0 12 atm at ten metres in a freediver s lungs will
15. There are training operational and design actions required See Respiratory Collapse General Functional Safety Implication 1 A dry breathing regulator shall not suddenly give a wet breath 2 Exhaust valves need to be of the mushroom type not the flat type to ensure they do not allow water into the DSV 3 The training material should explain the imperative of checking that exhaust valve diaphragms are not folded or otherwise compromised Follow recommendations for Respiratory Collapse General 18 13 Respiratory collapse from pressure surge Cause Hitting the purge button from a high flow regulator or DSV when it is in the diver s mouth Preventative action See Respiratory Collapse General Functional Safety Implication Limit the purge flow rate on rebreather DSVs and regulators FMECA_OR_V6_141201 doc Rev C6 140 of 163 This document is the property of Deep Life Design Group and is released for Open Distribution subject to no modification being made and the document being reproduced in full Deep Life Design Group is a trademark of Deep Life Ltd IBC Deep Life Design Group 18 14 Respiratory Collapse General Cause Multifactorial see Respiratory Collapse from water inhalation asthma pressure WOB Immersion Pulmonary Oedema or directly to cardiac arrest from hypoxia and death Preventative action There are training operational and design actions required to handle resp
16. amp R E Moon 1 All long term health risks appear to originate from an event that can also give rise to a short term risk such as an untreated DCS or barotrauma In some cases the long term risk is due to a succession of minor insults in other cases from the effect of cellular damage from a single insult which may at the time have appeared insignificant Short term risks are compiled from D H Elliott amp P B Bennet 2 DAN and BSAC accident reports as follows Health Risk Cause and effects FMECA_OR_V6_141201 doc Rev C6 146 of 163 This document is the property of Deep Life Design Group and is released for Open Distribution subject to no modification being made and the document being reproduced in full Deep Life Design Group is a trademark of Deep Life Ltd IBC Deep Life Design Group Respiratory Gases Contaminated breathing gas with effect of narcosis anaesthesia illness Divers who feel normal on the surface and feel nausea underwater may have CO poisoning Unsuitable breathing gas for depth hypoxic or hyperoxic with effect of loss of consciousness convulsions Narcotic breathing gas with effect of loss of judgement time perception consciousness Insufficient gas with effect of drowning Gas switch between gases with large difference in anaesthetic effect with effect of loss of consciousness Counter diffusion with effect of DCI Diving Reflex and Sudden Water contact on fo
17. being made and the document being reproduced in full Deep Life Design Group is a trademark of Deep Life Ltd IBC Deep Life Ltd IBC 5 8 High Pressure Burst Disk Related Hazards Cause Failure of burst disk to open or no burst disk Unwanted opening of the burst disk Symptoms Surface Failure to open does not seem to be a hazard other than as listed below Unwanted opening results in a loss of gas and a loud noise Dive Loss of gas Recovery action during Dive Abort dive Preventative action Unless required by regulation burst disks and over pressure valves should not be fitted to dive cylinders their safety function is to prevent an over pressure This can occur only because of Over filling Dive filling stations should have a working over pressure cut off Over Heating Dive cylinders have a burst pressure over twice the working pressure This means the dangerous over pressure is reached only in a fire with a full tank It will be apparent to all that such a fire has occurred and the tank can be handled once the fire has been extinguished and all tanks have cooled down A cylinder that has been in a fire is condemned Internal Fire A fire inside a cylinder will generally result in the destruction of the cylinder The risk of unwanted burst disks opening far outweighs the above risks Burst disks fail not infrequently during dives Some of the contributors have suffered burst disk failures on t
18. 1 Counterlungs need to be between 4 5 and 6 litres tidal volume to cater for the largest diver and also for divers to adjust buoyancy slightly by varying their loop volume The theoretical volume will always be larger than this and in some cases significantly larger 2 All gas paths in the counterlung need to be protected such that the counterlung cannot block the gas exit ports when partially full in any orientation of the diver This generally means a spring mechanism of some sort is needed The diameter of the spring should be the same as the port otherwise the port may become partially blocked 3 Counterlungs should be fixed down so they cannot trap themselves or kink including if the diver chooses to dive with covers off or loses a cover 4 Counterlung material needs to be of a material that does not stick together when wetted with water FMECA_OR_V6_141201 doc Rev C6 46 of 163 This document is the property of Deep Life Design Group and is released for Open Distribution subject to no modification being made and the document being reproduced in full Deep Life Design Group is a trademark of Deep Life Ltd IBC Deep Life Ltd IBC 7 11 BOV seal leaking emptying loop volume Cause BOV barrel seal leaking Expansion or contraction of the DSV BOV or ALVBOV housing or barrel Symptoms Surface Breathing from Open Circuit Dive As diver exhales from the rebreather loop the gas is vented into t
19. 4 SIL Compliance ObDjective 0 cece c cece eee cece cence eee eeeeeeeneeeeeseeeeetssereraeers 11 5 Gas Supply Containment Failures see ee ee eeeecee eee ee eee eeeeeeeeceeeeteeeereeeeers 12 5 1 Cylinder Explosions cccucvcncksecccevevecsesvecceseedessysiieesveeeesseeeeeeeeeseeeseeeeeese ete 12 5 2 Carbon Wrapped Cylinder Electrolysis cece cece e cece cece eee eeeeeeeeeceeeeeee 12 5 3 Plastic Core DECOMPOSItiON eee ee eee cece cece stss eee eeeeeeeeeeeeeneeeeeaee 12 5 4 Carbon Wrapped Cylinder Core Delamination cece cece cence eee eee erence 13 5 5 Oxygen fire from detritus in cylinder eee e cece eee eee e cette eeeeeeeeeeeee 13 5 6 Cylinder Valve Failure cece ec eee cece eee cc tence eee eeeeeeeeeeeeeeeeeeeneeeeeneee 14 5 7 Cylinder Valve O ring or Regulator O Ring Failure 2 cee eee ee eee eee e ee eeee 14 5 8 High Pressure Burst Disk Related Hazards ccccccceeesssccccceeeesseeeeeeesens 15 5 9 Intermediate Pressure Relief Device Related Hazards eeeeeeeeeeeeeeees 15 5 10 Valve Outlet Profile Specification Error in DIN 477 amp EN 144 se eee e ee eee 17 5 11 SCUBA Regulator Hose O ring Retention Fault ccc cece cece e ence erence 18 5 12 First Stage Regulator O ring Retention Design Fault eee eeeeeeee eee ees 18 5 13 Hose sheath expands and DUISts cccccceesccccceeeeenseeeeeeeeseese
20. 47 7 12 Flapper Valve Stuck SNU sisissssisississssisiiisiisserccosecercesrerreccroorrercecser tts 47 7 13 Foreign Material in Breathing Hoses sssssssssesssesssscssscsssscesscosseeees 48 7 14 Breathing Hoses Kinked orrera reir EEEE EENE e 48 8 Loop Volume Relief Failures eessesessesosescssecocsseeosescsseeoseccsseeosesosseeoseeo 49 8 1 OPV diaphragm damaged cece cece cece cece eect EEEE EET 49 8 2 OPV diaphragm folded causing flood sce eee ee eee eee e ee ee eee eeeeeeeeeeeeees 49 8 3 Foreign material trapped under OPV diaphragm ceeeeeeeeeeeeeeeeeeeees 50 8 4 Incorrect O ring tolerance cee cece cece eect eee e eee eeeeeeeeeeeeeeeeeeeseeerens 50 8 5 OPV Stuck ShUtsisssiviesssecesseceessaserescscereaeeeesasseedseecesseetecescetersrecesseesess s 51 8 6 OPV stuck OPEN vasa ssisiassissseeissseessebbia rob eus Hse lee ebereeseereseenereseneteteeereesesis 52 8 7 OPV cracking pressure relative to diver changes with attitude 52 8 8 OPV housing failUre ssiissssssssssssssccssssisssssissssteesoerereesoesrerceeesrerecroute reest 53 8 9 OPV fails to shut sufficiently for positive pressure check eeeee eee e eens 53 8 10 OPV interacts with water drain sc cece cece cece eee eeeee eee eeeeeeeeeeeeeeeee 54 8 11 OPV is on exhale CL instead of inhale CL where it should be 2 4 54 8 12 OPV is set incorrectly sac cscetecnces
21. 5 It is a requirement to verify the O2 injector works for all possible 02 intermediate pressures from near zero to in excess of the burst pressure for the hose 6 All O R implement meet all these requirements and implement all features listed as preventative no N C solenoids are used variable orifice is used 6 5 Oxygen Hose Leaks Cause Wear poor maintenance Symptoms Surface Failure to calibrate Failure to hold set point during pre breathe Low 02 Alarm Sounding Oxygen contents gauge showing low or audible air loss from cylinder Dive Failure to hold set point Low O2 Alarm sounding Oxygen contents gauge may show empty Bubbles in water Recovery action during Dive Urgent Bail out to open circuit or Make Up Gas flush and fly unit in semi closed mode SSUBA rebreathers continue using Bail Out Gas Preventative action Pre dive checks Functional Safety Implication Monitor O2 usage requires 02 contents gauge and declaration of tank size Give specific warning of leaking hose SSUBA should have sensor to detect umbilical gas pressure or gas supply pressure as each source has a different pressure the supervisor can identify a drop in pressure 6 6 Oxygen Solenoid or Injector Stuck Open Cause e Corrosion e Poor maintenance allowing salt crystals or contaminates in unit e High Interstage pressure Solenoid injectors may become unreliable at pressures above as little as 8 5 bar e Low
22. 9 One Way Valve missing from one side of the loop Cause Design fault allows mouthpiece to be reversed such that the one way valves face each other this prevents gas flow around the loop but allows the diver to breathe in and out of one of the counterlungs One way valve fell out or lost or not fitted The valve on one side of the DSV is reversed Symptoms Surface No obvious problem unless the diver pre breathers the loop for 10 minutes or more Dive Hypercapnia Recovery action during Dive Bail out Preventative action Pre dive check for one way valve operation is an essential check Novice divers should not be assumed to be able to carry out this check Functional Safety Implication Compliance with EN 14143 which requires that the mouthpiece is not reversible unless the rebreather operates safely with the reversal Webs should be designed such that the diver cannot reverse the valve direction on one side of the DSV for example by using mating dimples on the fittings and ensuring the active side of the valve only is accessible by the diver Highlight the need to carry out one way valve tests before every dive FMECA_OR_V6_141201 doc Rev C6 99 of 163 This document is the property of Deep Life Design Group and is released for Open Distribution subject to no modification being made and the document being reproduced in full Deep Life Design Group is a trademark of Deep Life Ltd IBC Deep Life Desi
23. Battery FMECA_OR_V6_141201 doc Rev C6 24 of 163 This document is the property of Deep Life Design Group and is released for Open Distribution subject to no modification being made and the document being reproduced in full Deep Life Design Group is a trademark of Deep Life Ltd IBC Deep Life Ltd IBC e Oil contamination resulting in carbonized deposits in the solenoid or injector e Oxygen being exhausted at depth rebreather then returns to the surface sucking contamination into the injector or solenoid in the process e Failure of the spring in the solenoid valve or injector Symptoms Surface Failure to calibrate Failure to hold set point during pre breathe High O2 Alarm Sounding Counter lungs full Dive Failure to hold set point High O2 Alarm sounding Excessive buoyancy Can hear gas being injected at all times Recovery action during Dive Urgent Close 02 valve Bail out or Make Up Gas flush Option to fly manually using 02 valve or to go semi closed Preventative action Regular service Lube and ensure solenoid clean Check mesh filter above solenoid Recharge Batteries Functional Safety Implication 1 The oxygen injector should not be a solenoid but a variable orifice valve so that when it fails the failure state maintains the average oxygen consumption 2 Fit an Auto bailout and shutoff valve 3 The gas supply should have a normally open shut off valve fitted such that if
24. Cause amp Prevention Use of empty cylinder will not pass pre dive checks but user could dive anyway Diving with not enough O2 for the dive system enforces dive abort when O2 consumption and 02 remaining do not allow user to reach surface with 50 bar in tank A leak System enforces abort when insufficient O2 Hose failure from O2 Forces bail out and abort of dive First Stage Failure including over pressure relief O2 ring failure Forces bail out and abort of dive Dive abort can be on Semi Closed This situation is the worst case test case for Auto ShutOff valve control Safety Implication 1 System manages each failure mode and where not recoverable forces Bail out to open circuit or Make Up Gas flush and fly unit in semi closed mode Important that user is not allowed to dive unless there is enough 02 to reach the surface including deco System should monitor Make Up Gas and 02 levels O2 fraction should not be allowed to drop below that of air at the same depth and projection should use a 1 76l min of O2 in calculating this availability plus the loss of gas during ascent using the known maximum dead volume of the loop 2 Issue where hypoxic Make Up Gas is used is a serious one diver should be warned FMECA_OR_V6_141201 doc Rev C6 20 of 163 This document is the property of Deep Life Design Group and is released for Open Distribution subject to no modification being made and the document being reprod
25. Design Group and is released for Open Distribution subject to no modification being made and the document being reproduced in full Deep Life Design Group is a trademark of Deep Life Ltd IBC Deep Life Ltd IBC 6 22 Left to Right Flow instead of safer Right to Left loop flow Cause Rebreather uses left to right flow so oxygen addition is on right counterlung if diver keeps to convention of Rich on Right When a problem occurs this means Make Up Gas is added to gas being inhaled instead of oxygen because oxygen has to pass right around the loop as it si plumbed into the exhale counterlung This can be hazardous if Make Up Gas is hypoxic Right to left flow follows a maritime convention for colours Port and Starboard lighting so boat skippers or dive masters can identify easily the direction a diver is heading assuming breathing hoses are marked Preventative action 1 Use Right to Left loop flow with Rich O2 on right Make Up Gas on left 2 Redon left green on right also keeps with the maritime convention of 3 the use of colours to designate port and starboard which may bea 4 slight safety benefit in recognising divers heading towards or away 5 from a vessel under some circumstances Functional Safety Implication Covered by end to end scope use right to left flow 6 23 Hypoxia when OPV is on exhale counterlung during fast ascent Cause Under conditions of fast ascent the expansion
26. Loss of Helmet Commercial diver Cause Inadequate attachment Preventative action Use helmet that requires at least two actions using two hands to detach Functional Safety Implication Entire helmet comes within Functional Safety by virtue of it containing electronic functions microphone etc Monitor electronically whether a helmet is attached correctly Require at least two operations using two hands to detach helmet 17 5 Sudden change in depth Commercial diver Cause Falling into a hole or uncontrolled rise causing intermediate pressure from umbilical gas to be either excessive or insufficient In bail out the SCR has no means to add gas to the suit or the loop If there is a depth excursion downwards then the diver will have squeeze Snagging an umbilical on lifting parachutes thrusters ROVs cranes etc Preventative action System should bleed off excess umbilical pressure FMECA_OR_V6_141201 doc Rev C6 126 of 163 This document is the property of Deep Life Design Group and is released for Open Distribution subject to no modification being made and the document being reproduced in full Deep Life Design Group is a trademark of Deep Life Ltd IBC Deep Life Design Group One way valve needed in case of negative pressure Functional Safety Implication 1 1 41 1 Same as for umbilical being cut near surface 1 1 41 2 The system should have an underpressure valve on the helmet and
27. and hands in warm water immediately Requires note in training manual 3 Verify the O2 sensors to ensure there is no electrolyte leakage if dropped from 1 5m repeatedly and from 3 0m 10 16 Oscillating sensor Cause Peculiar O2 sensor failure mode where 02 cell value oscillates Symptoms Surface Not obvious Dive PPO2 is poorly controlled Recovery action during Dive FMECA_OR_V6_141201 doc Rev C6 89 of 163 This document is the property of Deep Life Design Group and is released for Open Distribution subject to no modification being made and the document being reproduced in full Deep Life Design Group is a trademark of Deep Life Ltd IBC Deep Life Design Group Switch to manual control Preventative action Well designed electronics should detect this case Functional Safety Implication Very thorough 02 cell screening is required 10 17 Caustic Burn from leaking electrolyte Cause 02 cells contain Lithium Hydroxide as an electrolyte which has a pH of 14 This is extremely caustic Diver handles an 02 cell with leaking electrolyte If diver touches his face or eye the caustic burn may become a serious accident Symptoms Surface Burning sensation Dive Unlikely Recovery action during Dive Not applicable Preventative action Divers should wash hands after handling O2 sensors Functional Safety Implication Ensure manuals state risk clearly and action to be taken 10 18 Diver fail
28. annum carried out by the median rebreather diver compared to the median Open Circuit diver This work focuses on rebreather failures but also includes fundamental risks of diving P Denoble J Caruso G de L Dear C Pieper and R D Vann COMMON CAUSES OF OPEN CIRCUIT RECREATIONAL DIVING FATALITIES April 2008 accepted for publication in the Journal of Underwater and Hyperbaric Medicine 2 A Deas V Komarov Acceptable Risk Targets for Rebreather Diving 2009 Paper in peer review for publication FMECA_OR_V6_141201 doc Rev C6 11 of 163 This document is the property of Deep Life Design Group and is released for Open Distribution subject to no modification being made and the document being reproduced in full Deep Life Design Group is a trademark of Deep Life Ltd IBC Deep Life Ltd IBC 5 GAS SUPPLY CONTAINMENT FAILURES 5 1 Cylinder explosion Cause Unsuitable cylinders damaged cylinders or defective cylinders Poor filling technique Contamination Safety Implication This results in catastrophic cylinder failure Prevention Prevention is by using certified cylinders with hydrostatic and visual tests as stipulated by a national authority filled by trained gas technicians under clean conditions Functional Safety Implication Explain safe gas handling in the user manual Use only certified cylinders 5 2 Carbon Wrapped Cylinder Electrolysis Cause Electrolytic action be
29. architecture and validate it effectively under the range of EMC conditions Functional Safety Implication EN14143 2003 Section 5 13 3 requires the rebreather meet EN 61000 6 1 This is very poorly worded as EN 61000 6 1 covers a wide variety of tests and it is not clear which tests apply RF Field Immunity Magnetic Field immunity and cable Transient Surge Tests as these are a legal requirment those tests need to be carried out by an accredited ISO 17025 laboratory appointed by an ILAC registered body All other tests can be carried out in a traceable and witnessed manner some are specialised The following Immunity and Susceptibility test requirements are applied to Deep Life designs FMECA_OR_V6_141201 doc Rev C6 72 of 163 This document is the property of Deep Life Design Group and is released for Open Distribution subject to no modification being made and the document being reproduced in full Deep Life Design Group is a trademark of Deep Life Ltd IBC Deep Life Ltd IBC Ye GP 2 10 11 12 13 14 15 16 17 EN 61000 6 3 2007 Radiated Emissions EN 61000 6 3 2007 Conducted Emissions EN 61000 3 2 2006 Powerline Harmonics EN 61000 3 3 2005 Powerline voltage fluctuation and flicker EN 61000 4 2 2001 ESD Immunity to requirement EN 61000 6 1 2007 Criteria B 8KV air 4KV contact ESD EN 61000 4 3 2006 RF Field Immunity to requirement EN 61000 6 1 2007 Criteria A 3V M 80M
30. be related to diver fitness O C or CCR hydration levels work levels blood hypertension or medication such as beta blockers but is connected with diving The cause of pulmonary edema in the presence of a hypertensive crisis is thought to be due to a combination of increased pressures in the right ventricle and pulmonary circulation and also increased systemic vascular resistance and left ventricle contractility increasing the hydrostatic pressure within the pulmonary capillaries leading to extravasation of fluid and oedema IPO can be caused by an upper airway obstruction negative pressure pulmonary oedema such as a high WOB or a high hydrostatic pressure IPO appears to be related to the heart having a high pre load or post load In diving this can occur because of 1 The centralisation of the blood volume at the same time as a reduction in the hydrostatic resistance in the body instead of blood having to be pumped up and down a column which may be 2m in height when a person is diving the hydrostatic differences across the body is very low However the condition does not seem to be triggered by a person sleeping in a prone position in a cold environment which similarly centralises the blood volume and reduces hydrostatic load 2 Increased WOB 3 Increased hydrostatic load a front mounted counterlung is preferred to a back mounted counterlung Preventative action j Hampson NB Dunford RG 1997 Pu
31. cavity with effect of acute pain DCS As per CCR hazards Dehydration Serious sea sickness or alcohol abuse drugs poor hydration practice with effect of increased DCS risk and may have effect of loss of consciousness in extreme cases Heart Attack or Stroke May be induced by Dive Reflex May be induced by CO2 induced by unaccustomed retention or a combination of these two phenomena exercise Risk is higher with dry suits or hot water suits Trimix carrying multiple tanks on a RIB or ice diving compared to diving from a hard boat and in cold water Effect is invariably drowning Military Sonar Sports divers have been attacked by the military sonar of nuclear submarines when carrying out a dive and a submarine has been in the facility in the English Channel Divers felt very nauseous to the point of passing out Evidence that nuclear submarines view any diver in the vicinity as an attack and have a policy of killing the diver A fatal accident in 1998 of a diver on a rebreather implicated military sonar from a nuclear submarine as one of two possible causes Video footage from 1998 North Pole Expedition supplied FMECA_OR_V6_141201 doc Rev C6 148 of 163 This document is the property of Deep Life Design Group and is released for Open Distribution subject to no modification being made and the document being reproduced in full Deep Life Design Group is a trademark of Deep Life Ltd IBC Dee
32. ccenasccdesetiiadesteiosstetesesceeichetesetetessise t 55 FMECA_OR_V6_141201 doc Rev C6 4 of 163 This document is the property of Deep Life Design Group and is released for Open Distribution subject to no modification being made and the document being reproduced in full Deep Life Design Group is a trademark of Deep Life Ltd IBC Deep Life Design Group 8 13 OPV or drain admits water as it operates eee eee cece e eee e cence eeneee 55 8 14 Lack of means to vent loop manually when bailed OUut eeeeeee eee ees 56 9 Controller and Information Failures cece ee ce eee e ence eee eee eee eeeeeeeeeeeeenaeees 56 9A Battery LOW csssescssenenns sss aciviennnvsaesecccnnannassecensetseeieeesaesseeeceeesneeoineaeeees 56 9 2 Battery Failure srera rasna EE E sree esssersdasgverscccereseneessrccsrseeeeeeredecegs 57 9 3 Power Drop out or Battery BOUNCe ssssesssesesssesssecssseosseesssecssecoesseessee 58 9 4 Battery life Error ccc cee c cece cece eens cece ee nneeeeeeeeseeseeeeseeesesseeeeeeees 59 9 5 Battery OVErhEating seisieccescseccccsecccccececstedeacdeeeeeeseceessedeeeeseeeessederseseees 60 9 6 Monitoring or control device failure not apparent to user ee eee ee eee eee 61 9 7 Monitoring or control device Hangs cc ceeeeeeeeec cence eee eeceeeeeeeeeetseeeers 62 9 8 Monitoring or control devices switched Off ee ceeeeeee cece ee eeeeeeee
33. cells with ceiling limits that may fall momentarily within the range of PPO2s that occur during diving After the ceiling has been reached the cell transfer function often becomes negative causing catastrophic failure of the PPO2 control system as increases in PPO2 cause a reduction in cell output this event has occurred in more than one fatal accident and can be seen in cell characterisation tests such as Sensor B in the test run overleaf 6 Use of cells unsuited to rebreather applications These are often apparent on visual inspection using Molex type connectors non sealing with a single wiping contact having a well or pit around the sensing membrane and simple analogue temperature compensation FMECA_OR_V6_141201 doc Rev C6 83 of 163 This document is the property of Deep Life Design Group and is released for Open Distribution subject to no modification being made and the document being reproduced in full Deep Life Design Group is a trademark of Deep Life Ltd IBC Deep Life Ltd IBC The rebreather should indicate cell status to the diver to avoid a reliance on a group of failing or failed sensors 10 8 O2 Cell Failures Tracked Incorrectly Cause Multiple O2 Cell failures with voting logic Preventative action Do not use voting logic Functional Safety Implication Eliminate problem by carrying out a fault assessment of O2 Cell failure modes then test of O2 Cells to a Test Plan to
34. display Recovery action during Dive Bail out or die Preventative action Pre dive checks and basic monitoring of unit Functional Safety Implication 1 Occurs in units where there is a failure of the electronics and user switches the monitoring or control device off to try and bring the unit back up Several cases where user has died before unit has come back up 2 Solution adopted is to design out the problem ensure unit powers on automatically whenever the PPO2 is less than 0 16 3 Eliminate all possibility that the unit can hang 4 Provide an PFD which also switches on automatically when PPO2 is less than 0 16 and cannot switch off when unit is under pressure or is being breathed from FMECA_OR_V6_141201 doc Rev C6 63 of 163 This document is the property of Deep Life Design Group and is released for Open Distribution subject to no modification being made and the document being reproduced in full Deep Life Design Group is a trademark of Deep Life Ltd IBC Deep Life Ltd IBC 5 Functional Safety requirements would demand monitoring or control device switches on automatically when unit is used 9 9 Oil Filled Chamber Leaks Oil Cause Mechanical damage Poor servicing or maintenance Reservoir piston to accommodate thermal expansion is stuck Reservoir for thermal expansion is too small Symptoms Surface Filling oil visible inside unit Dive Smell of the filling oil inside the lo
35. diver Noted that some inorganic compounds such as hydrogen sulphide or mercury compounds are highly toxic and may also be in the breathing FMECA_OR_V6_141201 doc Rev C6 127 of 163 This document is the property of Deep Life Design Group and is released for Open Distribution subject to no modification being made and the document being reproduced in full Deep Life Design Group is a trademark of Deep Life Ltd IBC Deep Life Design Group gas Requires strict control of breathing gas and RoHS compliant components in the dive system 17 8 Loss of communications Commercial Diver Cause Equipment failure Inattentive operator Collision on surface Failure of umbilical link Preventative action Use multiple communication paths Functional Safety Implication SIL 0 failure Occurs very frequently with current systems more often than once in 1000 hours without escallation of safety issues Requires at least two communication paths Provide communications to bell in addition to comms to surface Question on through water ultrasonic comms desirable 17 9 Loss of Gas Heating Commercial diver Cause Electrical failure or overheating of heating element component failure ESA member advised that in trials at 500m loss of breathing gas heating resulted in the diver not being able to return the bell which was 2metres away Another member advised that at 450m there was hypothermia to the extent
36. during Dive Check monitoring or control device more carefully Preventative action Check monitoring or control device carefully Functional Safety Implication The main monitoring or control device should have the largest display which it is practical to carry Large displays carry an increased risk of damage due to being dropped or mishandled Suitable materials should be chosen to minimise this risk Displays should be backlit 9 15 Cracked Electronics Housing Cause Housing subject to excessive mechanical stress before dive or from pressure Inappropriate materials or stresses in monitoring or control device design Symptoms Surface Electronics malfunction Dive Any electronics malfunction Recovery action during Dive Bail out Preventative action Service correctly and pre dive checks Functional Safety Implication 1 This problem occurs with electronics particularly monitoring or control devices that are not Functional Safety compliant 2 If the monitoring or control device has two sets of electronics then a failure of any one part should not cause failure of the whole This is a natural product of any design meeting SIL 4 3 The electronics should perform a JTAG test on start up this would identify the problem prior to dive FMECA_OR_V6_141201 doc Rev C6 68 of 163 This document is the property of Deep Life Design Group and is released for Open Distribution subject to no modification being made
37. during filling processes FMECA_OR_V6_141201 doc Rev C6 13 of 163 This document is the property of Deep Life Design Group and is released for Open Distribution subject to no modification being made and the document being reproduced in full Deep Life Design Group is a trademark of Deep Life Ltd IBC Deep Life Ltd IBC Considered further herein under oxygen fire risks 5 6 Cylinder Valve Failure Cause Failure of valve from wear impact oxygen shock heat thread Detachment of seat Symptoms Surface Unwanted opening results in a loss of gas and a loud noise Dive Loss of gas Recovery action during Dive Abort dive Preventative action Valves should comply to ISO 10297 2006 e Functional Safety Implication Valves should comply to ISO 10297 2006 e 5 7 Cylinder Valve O ring or Regulator O Ring Failure Cause Damaged O ring damaged thread poor handling O ring wrong size O ring contaminated Symptoms Surface A loss of gas Dive Loss of gas Recovery action during Dive Abort dive Preventative action Handle O rings carefully and check for damage Functional Safety Implication O ring should be EPDM or an oxygen compatible material User manual should give guidance to user on handling O rings and threads FMECA_OR_V6_141201 doc Rev C6 14 of 163 This document is the property of Deep Life Design Group and is released for Open Distribution subject to no modification
38. edge causes wear on Counterlung 6 Connectors may not be installed correctly FMECA_OR_V6_141201 doc Rev C6 103 of 163 This document is the property of Deep Life Design Group and is released for Open Distribution subject to no modification being made and the document being reproduced in full Deep Life Design Group is a trademark of Deep Life Ltd IBC Deep Life Design Group 7 Connectors have inadequate keying particularly where these penetrate the scrubber canister or counterlungs 8 OPV diaphragm damaged deformed or foreign material under diaphragm 9 Mouthpiece is lost from diver s mouth including due to LOC or disability hypoxia hyperoxia hypercapnia trauma or other medical condition 10 Some types of hose clamp e g cable ties do not apply pressure underneath the locking mechanism in the tie allowing water ingress into the hose 11 Flooding results in a loss of buoyancy Fatal accidents have occurred where the diver cannot achieve positive buoyancy after a flood 12 Failure to carry out positive and negative pressure checks prior to diving 13 OPV lets water into the loop when it operates Symptoms Surface Pre dive check failure Unable to hold set point Dive Gurgling and other signs of water in loop Breathing resistance Loss of mouthpiece Recovery action dur Preventative action Perform positive and negative pressure checks Minimise risk by good design Fit mouthpi
39. have been as low as 48 Result was Cat III DCI Preventative action All O2 Cells should calibrate in air when the unit is open users should not be asked to calibrate with a gas supply which may not in itself be calibrated injecting an uncalibrated amount of gas into an uncalibrated loop volume the procedure used by the manufacturer Functional Safety Implication Eliminate problem by calibrating on air and check cells are within normal range and that the cells are likely to be in air e g by sensing exposure to light Provide a calibration check interface to enable the diver to check that the calibration has been carried out and the results are correct 10 12 O2 Cells show different reading to independent PPO2 monitor Make Up Gas flush to check which sensors respond correctly Bail out Abandon dive Unit will maintain O2 limits on the 2 bad cells as they out vote the good one 02 will be high Preventative action Replace cells at correct intervals every 12 months At start of dive drive cells above set point to ensure they can respond fully Functional Safety Implication Withstand multiple cell failures Engineer the cells so all failures are in the same direction low where possible 10 13 O02 Cells have condensation or vapour on sensor face Cause Moist warm saturated gas condensing on objects in the gas flow Symptoms Surface Normally none FMECA_OR_V6_141201 doc Rev C6 87 of 163 This document is th
40. narcosis Recovery action during Dive Bail out Preventative action Use only pure oxygen with at least 99 oxygen on the oxygen side of CCRs Functional Safety Implication Ensure this information is in the training manuals and user manual 14 ASSOCIATED EQUIPMENT FAILURES The associated equipment is equipment used in conjunction with a rebreather but that does not form part of the rebreather or its monitoring 14 1 Gross dry suit leak Cause Poor maintenance Zipper failure Ripped suit material Dry suit over pressure valve is single mushroom type and the mushroom catches on the web supporting it Use of dry gloves and the dry gloves are punctured Preventative action Check dry suit carefully before use Handle zippers carefully Use proper maintenance and inspection Use double valve OPVs on dry suits FMECA_OR_V6_141201 doc Rev C6 120 of 163 This document is the property of Deep Life Design Group and is released for Open Distribution subject to no modification being made and the document being reproduced in full Deep Life Design Group is a trademark of Deep Life Ltd IBC Deep Life Design Group Functional Safety Implication Covered by end to end clause Use of dry gloves that allow the entire suit to flood are unsuitable for decompression diving without active suit heating or good surface support e g a diving bell Provide active suit heating using self regulating carb
41. of 163 This document is the property of Deep Life Design Group and is released for Open Distribution subject to no modification being made and the document being reproduced in full Deep Life Design Group is a trademark of Deep Life Ltd IBC Deep Life Ltd IBC sintered filters on the inlets of first stage regulators and where there is a possibility of a negative pressure reverse pressure being applied then an outlet filter should be fitted to the first stage regulator or the system it connects to this is mostly an issue for commercial diving gas manifolds Overall the pressure relief device should relieve at least 1 litre per minute with a 50 over pressure The devices used on the Open Revolution rebreathers have a relief rate of 1 litre per second 60 times higher This meets the above requirement The high flow rate does not appear to be a hazard as it would take several minutes for a cylinder to empty and a SCUBA diver would turn off the cylinder within about 10s a SSUBA diver would simply use an alternative bailout source 2 bail out cylinders are fitted to the SSUBA system with one way valves so a loss of gas from one cylinder does not cause a drain on the other cylinder 5 10 Valve Outlet Profile Specification Error in DIN 477 amp EN 144 Cause Symptoms The square profile specified in EN 144 2 1998 and DIN 477 1963 allows the O ring on the end of the regulator to be extruded into the square pr
42. of Deep Life Design Group and is released for Open Distribution subject to no modification being made and the document being reproduced in full Deep Life Design Group is a trademark of Deep Life Ltd IBC Deep Life Design Group Preventative action All decompression software should be formally verified to prove that the algorithm implemented is actually that intended Full regular health check up Screen for health problems known to increase DCS risk Functional Safety Implication Verify the deco algorithm is implemented correctly using formal methods 18 9 Respiratory collapse from WOB Cause Excessive Work of Breathing or breathing resistance Preventative action Work of Breathing should be well within the standards required by standards It is noted that the permitted Work of Breathing is being reduced in future standards as a result of work by NEDU and Qinetiq on the physiological effects of work of breathing on divers Functional Safety Implication Achieve lowest practicable Work of Breathing 18 10 Respiratory collapse from thermal respiratory shock Cause Gas in dive cylinder is cooled by 30C by expansion from first stage which can result in cold gas being inhaled when the ambient temperature is below 7C See B Morgan P Ryan T Schultz and M Ward Solving Cold Water Breathing Problems Underwater Magazine July 2001 Preventative action Warn divers of risk and to manage it in the s
43. of Deep Life Design Group and is released for Open Distribution subject to no modification being made and the document being reproduced in full Deep Life Design Group is a trademark of Deep Life Ltd IBC Deep Life Ltd IBC suitable perfume has been found that does not cause a reaction to some people when concentrated under pressure 11 The current solution used in the Open Revolution project is to use a non setting PU gel instead of silicone oil as the expansion of a gel is considerably less than oil and the ingress of small amounts of water does not lead to an immediate failure 9 10 Electronic Component Explodes Cause Use of inappropriate components Failure becomes critical if component is not completely separated from the breathing loop Symptoms Surface Odour inside breathing loop Dive One off noise Odour inside breathing loop Recovery action during Dive Bail out Preventative action Eliminate risk by design Functional Safety Implication 1 Perform full self test on power up 2 Eliminate all components liable to explode tantalum or electrolytic capacitors all components incorporating a gel or a gas all components incorporating an electrolyte 3 Components that cannot be eliminated such as the batteries to be moved to a 1 ATM environment outside the rebreather that can physically withstand the pressure rise from the component being vapourised That is the 1 ATM environment should withst
44. of the diver foaming at the mouth when the breathing gas temperature was reduced but still above 20C This affect should be reduced considerably if the diver is on a rebreather and in a dry suit Massive reduction of thermal balance when diving at extreme depth if gas heating is lost Preventative action Should be redundant systems for breathing gas heating Functional Safety Implication Breathing gas heating should be considered as a SIL 1 action for a diver using a rebreather with a dry suit Use a dry suit with a rebreather so loss of heating is not catastrophic 17 10 Overheating Commercial diver Cause Helmet overheating or suit from insufficient thermal losses Thelma AS report 06 20 simulations show in 4C sea water hard working diver FMECA_OR_V6_141201 doc Rev C6 128 of 163 This document is the property of Deep Life Design Group and is released for Open Distribution subject to no modification being made and the document being reproduced in full Deep Life Design Group is a trademark of Deep Life Ltd IBC Deep Life Design Group in 250gm undersuit with clo value of 4 5 overheats to body temperature above 44C in 200 minutes Preventative action Diver should be able to flush the helmet and suit Functional Safety Implication Full safety case required for diver thermal balance Special consideration in warm water conditions Severe problem in Persian Gulf and other near tropical conditions
45. off all ports when not in use Wash rebreathers thoroughly after periods in storage FMECA_OR_V6_141201 doc Rev C6 118 of 163 This document is the property of Deep Life Design Group and is released for Open Distribution subject to no modification being made and the document being reproduced in full Deep Life Design Group is a trademark of Deep Life Ltd IBC Deep Life Design Group Functional Safety Implication Caps need to be available for ports commonly disconnected by the user 13 10 Argon Narcosis from using less than 99 pure Oxygen Cause Use of oxygen less than 99 pure in a CCR results in the rebreather filling gradually with argon Argon is 2 3 times more narcotic than nitrogen and the form of the narcosis is reported to be more disabling Almost all the impurity in oxygen is argon As the oxygen is metabolized the rebreather gradually becomes full of argon For example a cylinder with 95 5 oxygen will contain around 4 5 of argon because when the nitrogen is removed from air the 20 9 Oxygen becomes 4 7 times enriched and so is the argon Oxygen is produced by three main processes For a summary of the separation processes see Air Products A review of air separation technologies 10 The main processes for producing oxygen are cryogenic distillation membrane separation and molecular sieves In cryogenic separation the boiling points of the various gases are e Oxygen h
46. optimised Functional Safety Implication O iB WOB counterlung elastance and hydrostatic imbalance should be optimised Ban If the primary rebreather is a back mounted counterlung then a rescue rebreather should use a front mounted counterlung 19 GENERAL DIVING HAZARDS Sports diving in general seems to have a risk of accident of between one in 10 000 hours to one in 100 000 hours depending on the type of diving being carried out 3 4 Some of these accidents are due to equipment failure 6 most are due to lack of training lack of attention poor judgement or the effect of an underlying illness or predisposition Use of rebreathers has considerably higher risks based on the same accident figures and the population of rebreather divers The increase appears to be associated with failures to meet Functional Safety in the equipment design the rebreathers with the shortest MTBCF have the highest rates of fatal accidents and rebreathers with the best MTBCFs have the lowest rate of fatal accidents Commercial rebreather diving seems to have a significantly lower accident rate than sport rebreather diving based on IMCA accident reports 5 and the amount of commercial diving carried out Commercial diving has had a much larger amount of research carried out into the health and safety of divers than is the case for sports divers All diving carries some short and long term risks to health Long term risks are described by D H Elliott
47. pretty much ensure a blackout between four metres and the surface Although comfortable on the bottom the diver may actually be trapped and unaware that it is now no longer possible to ascend without becoming unconscious without warning before the diver can reach the surface For the Open Circuit SCUBA diver in a free ascent i e emergency ascent exhaling the limits are similar to those of the freediver If the gas inhaled is air then if the SCUBA diver were to return instantly to the surface their lungs would contain an alveolar pressure equal to that when a gas is inhaled having a PPO2 of 0 21 atm However during the ascent the diver metabolises some of the gas causing the PPO2 to fall If the ascent is less than a minute this effect is not sufficient to cause hypoxia but it does become and issue if the ascent is slow Fortunately for the SCUBA diver if the regulator is kept in the mouth the reductions in ambient pressure on ascent will give the diver the ability to take a few breaths of gas while ascending avoiding any hypoxia risks For the Closed Circuit SCUBA doing an ascent where the PPO2 is the same as that of air at the same depth a much greater risk exists because the diver may not feel the urgency to ascend as there is still a breathable loop volume If the diver takes a minute to ascend from 10m and is breathing normally during the ascent the reduction in PPO2 will be sufficient for the diver to lose consciousness just b
48. required SIAT SISS S Re Re Re Re 9 24 Auto Bail Out operates when v not required S K 9 25 Auto On Encourages v Reckless Diver Behaviour 9 26 Water Ingress into v Electronics 10 Oxygen Level Monitoring Failures v 10 1 O2 Cell Decompression Failure FMECA_OR_V6_141201 doc Rev C6 156 of 163 This document is the property of Deep Life Design Group and is released for Open Distribution subject to no modification being made and the document being reproduced in full Deep Life Design Group is a trademark of Deep Life Ltd IBC Deep Life Design Group Fault Eliminate or Mitigate By Annual Risk After Mitigation Design Training Maintenance Severity 1 Probability Risk 10 2 O2 Cell has CO2 V v v Contamination 10 3 Load Resistor Failure in O2 v v v Cell 10 4 O2 Cell Contamination 10 5 O2 Cell Thermal compensation failure 10 6 O2 Cell Loose Connection v 10 7 O2 Single Cell Failure 10 8 O2 Cell Failures Tracked v Incorrectly 10 9 O2 Two Cell Failure 10 10 Majority of O2 cells fail v during dive 10 11 O2 Cell Calibration v v v Incorrect 10 12 O2 Cells show different v v v reading to independent PPO2 monitor 10 13 O2 Cells have condensation Y v v ot vapour on sensor face 10 14 O2 Cells have differential v v v pressure applied 10 15 O2 Cell Explodes or Leaks W v v 10
49. scrubber under any circumstances Verify the loop operates correctly under all plausible fault conditions and pressures using formal methods 11 16 Very low diver tidal volume Cause Incapacity of the diver unconscious or nearly so Poor respiratory habits Symptoms Diver will likely exhibit symptoms of hypercapnia because gas exchange will be poor so will have very rapid breathing Preventative action During diver training ensure diver breaths normally from the rebreather Functional Safety Implication Where the diver is incapacitated when breathing from a rebreather loop the balance of probabilities based on accident data and HAZOPs is that the rebreather loop is likely to be contributory The rebreather should therefore bail out the diver onto a known good gas The WOB of that alternative source is not a factor provided that WOB implements ALARP principles Monitor the diver s respiratory rate Where the rate falls outside safe limits provide a warning and an alarm Appropriate limits appear to be 20 to 25 bpm for a warning and 25 to 30 bpm for an alarm with hypercapnia that is a feature of this fault the diver s respiratory rate will increase significantly In this event an alarm should bail out the FMECA_OR_V6_141201 doc Rev C6 102 of 163 This document is the property of Deep Life Design Group and is released for Open Distribution subject to no modification being made and the document being repr
50. should be at least 50 higher than their maximum service pressure Fire and off gassing will likely result otherwise K Rosales M Shoffstall J Stoltzfus NASA TM 2007 213740 Guide for Oxygen Compatibility Assessments of Oxygen Components and Systems NASA March 2007 available from http ston jsc nasa gov collections TRS 4 FMECA_OR_V6_141201 doc Rev C6 28 of 163 This document is the property of Deep Life Design Group and is released for Open Distribution subject to no modification being made and the document being reproduced in full Deep Life Design Group is a trademark of Deep Life Ltd IBC Deep Life Ltd IBC e The pressure gauges should not have an oil or silicone oil fill to avoid the risk of the oil leaking into the hose or contaminating the hose 6 11 Calibration using wrong gas Cause User error and design omission allowed user to dive with 60 O2 in cylinder used as 100 02 Almost a fatality in both cases Preventative action Calibrate using air when scrubber is open then check during descent near surface Functional Safety Implication 1 Rebreather itself should check the 02 composition before every dive It has calibrated O2 Cells if the recommendation to force calibration in air is followed and can inject 02 and check the composition of the loop gas on the surface to give an injector call It is not complex to compensate the injector call for depth so that no gas switch
51. should be determined and failure actively detected The appropriate warning can then be raised Ambient pressure sensor failures can cause critical errors in oxygen sensor calibration processes where the pressure sensor is used to determine ambient pressure It is essential that the user be prompted to check the ambient pressure is the same as the indicated pressure when sensors are used for this purpose and to use appropriate limits to the sensor values Ambient pressure sensor failures can result in a critical increase in decompression risks redundant sensors would mitigate this Cylinder contents pressure sensor failure can result in the loss of gas during a dive 13 5 Noxious chemical off gassing Hazard Many materials off gas toxic chemicals when decompressed at levels far above the permitted occupational exposure limits Sports Instructor G Stanton Wakulla Dive Centre has reported lung burns from a month using a rebreather making extensive use of Delrin and POM Note that offgasing in a dive environment is different to outgasing in vacuum the helium content of breathing gas appears to purge gas from the volume of the plastic and the high PPO2 causes an accelerated ageing of the plastic Moreover many plastics used in vacuum applications absorb water or are too brittle for use in marine applications The US Navy prohibits Delrin and POM for rebreather applications Cause Unsuitable materials in breathing lo
52. than a tone Provide strong tactile feedback on the dosing button that is present only when gas is connected 6 26 Oxygen addition button seized or stuck Cause Corrosion Silt behind the button preventing it being depressed Salt crystalisation around or in the button mechanism Foreign material entrapped in mechanism Hydraulic lock Spring action insufficient to overcome friction Spring develops a set after a long period of compression Preventative action Button should be plastic and metals should be of a type that does not corrode Diver should be trained to wash equipment thoroughly after each dive Functional Safety Implication Assess all buttons in silt saturated conditions with worst case salt crystalisation and for foreign material Provide silt washout ports on buttons Provide ports for water to escape from button Assess gas addition buttons for both fully lubricated and dry conditions Larger than normal safety margin should be used for the springs in injectors FMECA_OR_V6_141201 doc Rev C6 36 of 163 This document is the property of Deep Life Design Group and is released for Open Distribution subject to no modification being made and the document being reproduced in full Deep Life Design Group is a trademark of Deep Life Ltd IBC Deep Life Ltd IBC User manual should instruct user to check for injector faults in use 6 27 Inaccessibility of oxygen addition button
53. the PPO2 is too high then it shuts off the gas supply to the injector That shut off valve may be a solenoid or another type of valve the principle of diversity means that it should be a different type of valve than the main oxygen injector it is protecting 4 Injectors and solenoid should be protected from contamination by both sintered and membrane type filters before and after the injector 6 7 Oxygen Solenoid or Injector Stuck Closed Cause e Corrosion e Poor maintenance salt crystals or contaminates in unit e Low battery FMECA_OR_V6_141201 doc Rev C6 25 of 163 This document is the property of Deep Life Design Group and is released for Open Distribution subject to no modification being made and the document being reproduced in full Deep Life Design Group is a trademark of Deep Life Ltd IBC Deep Life Ltd IBC e High interstage pressure Solenoid injectors may become unreliable at pressures above as little as 8 5 bar e The solenoid injector on one contemporary rebreather fails to operate when cold and the controller has a low battery Symptoms Surface Failure to calibrate Failure to hold set point during pre breathe Low 02 Alarm Sounding Dive Failure to hold set point Low O2 Alarm sounding Recovery action during Dive Urgent Switch to SCR mode then near surface to pure 02 mode Consider bail out Preventative action Regular service Lube and ensure solenoid clean Check mesh fil
54. the descent The less accurate sensors are rejected immediately by the sensor fusion system The small ticks in the response is the oxygen injector self test which is also used to test the sensors FMECA_OR_V6_141201 doc Rev C4 85 of 163 This document is the property of Deep Life Design Group and is released for Open Distribution subject to no modification being made and the document being reproduced in full Deep Life Design Group is a trademark of Deep Life Ltd IBC Deep Life Design Group 10 9 O2 Two Cell Failure Cause Exhausted or out of date cells Insufficient ions to produce voltages representing high 02 above set point Sensors exposed to CO2 following scrubber breakthrough Symptoms Surface Intermittent Out of Range messages on a SINGLE cell the good one Failure to calibrate Dive Intermittent Out of Range messages on a SINGLE cell the good one Failure to calibrate Functional Safety Implication PPO2 controller should withstand multiple cell failures Engineer the cells so all failures are in the same direction low Test the sensor ceiling by applying a higher load while the sensor is in pure O2 during pre dive checks For example if normal load internal to the sensor is 100 Ohms then apply 50 Ohms to check ceiling is not lower than a PPO2 of 2 0 10 10 Majority of O2 cells fail during dive Cause Fatality occurred where more than two 02 cells failed but system allowed di
55. this should allow flooding of the suit 1 1 41 3 Train diver to descend slow enough for the SCR to fill loop 17 6 CO in loop Commercial diver Cause Contaminated breathing gas Metabolism product Preventative action Flush loop periodically and test for CO Use only certified diving gas Functional Safety Implication Use only certified diving gas should be explicit in the user manual Requires active CO monitoring on the diver for very long dives Statoil Commercial Dive Doctor consulted specifically on this point and advised that over a 4 hour dive the CO from metabolism products is not a safety hazard General diver training should cover awareness of the symptoms of CO headache tightness across the head nausea then LOC Tainted gas smell that is apparent to the diver only after a period of breathing from the gas is a strong sign of CO gas smells normal to divers with only brief exposure divers should be aware of this 17 7 HC or Volatile Organic Compounds in Loop Commercial diver Cause Contaminated breathing gas Metabolism product Offgasing of plastics or cleaning agents in rebreather Detailed presentation available on this topic Hazard depends on which HC or VOC is involved some are only midly anesthetic others are highly carcenoginc or hazardous to health Preventative action Flush loop periodically and test for VOCs Functional Safety Implication Requires active HC and VOC monitoring on the
56. to differentiate between effects in diving almost all failures can result in death through drowning if the failure is not recognised and handled promptly Failures tend to create or perpetuate a chain of events spiralling down an incident pit until the diver is able to either arrest the sequence or dies This means that what may be small FMECA_OR_V6_141201 doc Rev C6 10 of 163 This document is the property of Deep Life Design Group and is released for Open Distribution subject to no modification being made and the document being reproduced in full Deep Life Design Group is a trademark of Deep Life Ltd IBC Deep Life Ltd IBC insignificant events can take on critical importance when least expected The emphasis shall therefore be For equipment design the emphasis need to be on elimination or mitigating risks i e prevention For operations the emphasis need to be on equipment maintenance awareness and monitoring For training and dive practice the emphasis need to be on continuous checking and failure management 4 SIL COMPLIANCE OBJECTIVE The objective of this system is compliance with SIL 3 to 4 of EN 61508 2004 Parts 1 to 3 Parts 4 to 7 are informative only This requires a mean time between critical failure better than one billion hours and a system availability of 100 000 hours subject to routine maintenance and preparation The SIL 3 to 4 objective has been concluded by applying the pr
57. to no modification being made and the document being reproduced in full Deep Life Design Group is a trademark of Deep Life Ltd IBC Deep Life Design Group 10 10 Majority of O2 cells fail during dive ccc cece cece e eee eeeeeeeeeeeeeers 86 10 11 O2Cell Calibration Incorrect cece eee e eee ssr Cess ESETET TEENETE AS 87 10 12 02 Cells show different reading to independent PPO2 monitor 87 10 13 02 Cells have condensation or vapour on sensor face eeee eee eeeeeees 87 10 14 02 Cells have differential pressure applied eee eeeee eee e ee eeeeeeeeeees 88 10 15 02 Cell Explodes or Leaks ccc c eee eeee cece eee e ee eeceeeeeeeeeeeeeeeeteeeeeteeees 89 10 16 Oscillating SENSOF eee cece c cece cece eee e eee eee neeeeeeeceeeeeseeeeteerenaeees 89 10 17 Caustic Burn from leaking electrolyte cece eee cece e eee eeeeneeeeeteeees 90 10 18 Diver fails to monitor PPO2Z 2 eee eee cece e cece ee ee eee e cece eeeeeeeeteeeeenaeees 90 10 19 Oxygen cells sensitive to CO2 eee cece cece cere cece ee eeceeeeeeeeeeteeeeenaeers 91 11 Carbon Dioxide Level Failures ce eece ee eec cece e cence eee n naa n D R E n RR Ai 91 11 1 Scrubber NOt Fittedss ccccstsccuseeccccsscccvececcusesseeceveveccvevescotereccevecctecenss 91 11 2 Scrubber Physically Damaged affecting gas X Section ee eeee eee e eee ee 94 11 3 Scrubber
58. with use of a rebreather SO OO OY BON Soe Or tS ee oe e DAs E nD FMECA_OR_V6_141201 doc Rev C6 9 of 163 This document is the property of Deep Life Design Group and is released for Open Distribution subject to no modification being made and the document being reproduced in full Deep Life Design Group is a trademark of Deep Life Ltd IBC Deep Life Ltd IBC Every one of these requirements are listed under Mantis the tool used by Deep Life to control specifications and verify in the design verification process that every requirement is met Where there are many functional safety implications under one fault these are enumerated to support unambiguous cross referencing by Mantis 2 SOURCE DATA The failure modes listed in this document are drawn from numerous sources The prime sources are listed in 1 to 7 in the references Other sources include HAZID and HAZOP studies FMECA studies on contemporary equipment Faults and incidents reported on rebreather internet forums Coroner reports Equipment failure reports issued by public health laboratories Warnings issued by rebreather manufacturers Accident appraisal advice from accident investigators Accident investigations Faults found by Formal Modelling or verification Each fault mode attributable to equipment has been encoded in a formal fault model in the Open Revolution rebreather environment This model is a Matl
59. 16 Oscillating sensor 10 17 Caustic Burn from leaking vV v v electrolyte 10 18 Diver fails to monitor PPO2 v v v 10 19 Oxygen cells sensitive to CO2 11 Carbon Dioxide Level Failures v 11 1 Scrubber Not Fitted FMECA_OR_V6_141201 doc Rev C6 157 of 163 This document is the property of Deep Life Design Group and is released for Open Distribution subject to no modification being made and the document being reproduced in full Deep Life Design Group is a trademark of Deep Life Ltd IBC Deep Life Design Group Fault Eliminate or Mitigate By Annual Risk After Mitigation Design Training Maintenance Severity 1 Probability Risk 11 2 Scrubber Physically v v v Damaged affecting gas X section 11 3 Scrubber Exhausted v v v 11 4 Scrubber Bypass v v v 11 5 Excess Work of Breathing v v v 11 6 Counterlungs change v v v position causing CO2 hit 11 7 One Way Valve Flapper v v v valve Stuck Open or Partially Open 11 8 One Way Valve Flapper v v v valve Stuck Shut or Partially Shut 11 9 One Way Valves missingon v v v one side 11 10 Caustic cocktail from CO2 v v v sctubber 11 11 Hoses pinched or kinked v 11 12 Loop Flow Direction Swapped Accidentally 11 13 Premature Counterlung v v v Failure 11 14 Counterlung blocks ports 11 15 Structures that bypass the sctubber
60. 17 11 Loss of Suit Heating Commercial diver Cause Electrical failure Preventative action Use sufficient passive thermal protection to return to the bell Functional Safety Implication State requirement for passive undersuit thermal protection in user manuals and training Treat gas heating as a SIL 4 requirement for very deep diving 17 12 Excess suit heating Commercial diver Cause Electrical failure or excessive water temperature hot water suits Extensive reports of 3 degree burns in divers using electrically heated suits in the early 1970s Divers do not realise they are burning when under pressure divers involved in use of these suits interviewed Hot water suits have uneven heating and divers are not aware of the high water temperatures Many divers report burns Top side operator error Divers in bell overheat while waiting to go diving Preventative action Electrical use a SIL 4 rated heating system Functional Safety Implication Eliminate failure mode by use of self regulating materials and use of active current monitoring to detect shorts or excess current drain ina SIL 4 design 17 13 Tools and Equipment Commercial diver Cause Any cutting or grinding tool slipping onto the diver or his equipment Burning and welding causing hot residue FMECA_OR_V6_141201 doc Rev C6 129 of 163 This document is the property of Deep Life Design Group and is released for Open Distribution su
61. 3 12 1 LOOP FlOOd 5 cc sciasesieecixcesaeeeesereeeneee eee e eee eee vee ee eee e eevee ev ee er ceive serves 103 12 2 Mouthpiece floods rebreather ee eee cece ee eeceeeeceeeeneeeeeeeeeeteeerees 106 12 3 Mouthpiece failure i e failure to allow diver to breathe from loop when this is desirable wtvatvucsves oe caeesecauess rs e Ter r ot ESS OC cress sare s sass ssusidessusisibousteususeGviesesen 106 12 4 Counterlung ports pull out from counterlUng eee ee eee eee eee e eee eeeee 107 12 5 Implosion or explosion on compression or decompression eeeeeeeees 107 12 6 Counterlung or hose pinched ee ceee eee e cece e ee eeceeeeeeeeeeneeeeeteeerers 108 12 7 Counterlung or rebreather component pierced eeeeeeeeee ee eee eens 108 12 8 Lack of Water drain vec ccsccucckascncacesccusesadiuasscsteesisesceseeseeeeseseeuseeeetes ss 109 12 9 Water Drain Failutesssisssis isesesveeeveveveseveeeaies eevewssvensesvsesesveveeeiereeeds 109 13 Other Rebreather Equipment Failures ec ce eeee cece cece eee eeeeeeeneeeeeeeee 110 FMECA_OR_V6_141201 doc Rev C6 6 of 163 This document is the property of Deep Life Design Group and is released for Open Distribution subject to no modification being made and the document being reproduced in full Deep Life Design Group is a trademark of Deep Life Ltd IBC Deep Life Design Group 13 1 Pressure CAUSING IMPLOSION
62. DL Web Site and on Rebreather World with formal model to enable implementation to be verified CCR controller should track CNS and maintain within safe limit by adjusting PPO2 set point if necessary Provide a Chicken Switch for the commercial diver using a helmet as loss of speech is one of the first indicators of CNS from interviews with CNS tox victims There should be no measurable loss of lung surficant during a dive This requires downrating the CNS clock as above This is a critical failure that has caused more than one death Eliminate all scrims in the design Eliminate scrubber packing variance Use EAC scrubber to eliminate change in breathing resistance during use Measure WOB actively pre dive and during the dive and warn user Measure respiratory parameters and warn the user when these move outside normal or safe ranges 18 16 Pulmonary O2 Toxicity Cause High PPO2 for long period multiple dives or extremely long dives Preventative action Diver should monitor pulmonary O2 toxicity when doing large numbers of dives Instruct diver to take a day off every fifth day covers most recreational settings FMECA_OR_V6_141201 doc Rev C6 142 of 163 This document is the property of Deep Life Design Group and is released for Open Distribution subject to no modification being made and the document being reproduced in full Deep Life Design Group is a trademark of Deep Life Ltd IBC Deep
63. Deep Life Design Group REBREATHER SAFETY FMECA Volume 6 Top Down Faults DOCUMENT NUMBER FMECA_OR_V6_141201 doc CONTRIBUTORS Dr Alex Deas Dr Bob Davidov Marat Evtukov Alexei Bogatchov Dr Sergei Malyutin Dr Vladimir Komarov Dr Oleg Zabgreblenny Dr Sergei Pyko Dr Alexander Kudriashov Teoman Naskali Brad Horn Walter Ciscato and client reviewers DEPARTMENT Engineering LAST UPDATE 1st December 2014 REVISION C6 APPROVALS Dr Alex Deas ___ 1 December 2014 Project Leader Date KB ___1 December 2014 Quality Officer Date Controlled N Classified Document Document Unclassified if clear Copyright 2014 Deep Life Ltd IBC FMECA_OR_V6_141201 doc Rev C6 1 of 163 This document is the property of Deep Life Design Group and is released for Open Distribution subject to no modification being made and the document being reproduced in full Deep Life Design Group is a trademark of Deep Life Ltd IBC Deep Life Design Group Revision History Revision Date Description A 1 Aug 2004 Cases collated from earlier documents BO 11 B12 18 24 Aug 2006 14 Mar 2009 22 May 2009 26 Aug 2010 BO Independent Review 2 Aug 2006 Inclusion of section for Umbilical supplied Diving B1 added item 7 13 B2 added Commercial dive tool hazards and O2 cells due to fatal accident due to diver not hearing alarm B3 added submarine sonar h
64. Design Group Functional Safety Implication The Functional Safety processes involving this fault mode are complex and extensive This included Accident Studies numerous fatal accidents and serious incidents have occurred on rebreathers due to scrubbers being omitted User Focus Groups to understand the side effects of adding measures to mitigate this risk HAZOPs on the mitigation measures The conclusions from these studies are itemised below 1 It is a Functional Safety requirement for all rebreathers that a means be fitted to enable the diver and supervisor to positively confirm that a scrubber is fitted without disassembly This can be achieved using a scrubber viewing port on the scrubber assembly with a colour contrast scrubber material is white so a black background should be used If the scrubber window appears white then a scrubber is fitted and if black then no scrubber is fitted It is within ALARP to fit a device that shuts the breathing loop if no scrubber is fitted For example on the Open Revolution rebreathers a spring loaded plate that fits under the flow cone was considered this closes the gas path by pressing against the flow cone unless it is depressed by the physical presence of the scrubber There are two factors that led to the Deep Life Design Team not fitting these plates to the Open Revolution rebreathers e User Focus studies found that divers would rely on the plate to confirm a scrubbe
65. Even normal practices for non safety related software such as automated GUI checks are not applied 3 No software or hardware control meeting Functional Safety should encounter these issues at a safety critical level The software should be formally verified 9 13 Faulty Software by ageing Cause EPROM Flash memory or DRAM corrupted by charge decay over time or by alpha particules Symptoms Surface Any software malfunction including hanging or jumping between states Existence of states where software does not maintain life Dive As per surface symptoms Recovery action during Dive Bail out Preventative action Ensure design meets Functional Safety Functional Safety Implication Software needs to be fail safe including a code CRC check as part of startup sequence 9 14 Monitoring or control devices Misread Cause Poor visibility in halocline or thermocline with small font size on monitoring or control devices Lack of back light Symptoms Surface FMECA_OR_V6_141201 doc Rev C6 67 of 163 This document is the property of Deep Life Design Group and is released for Open Distribution subject to no modification being made and the document being reproduced in full Deep Life Design Group is a trademark of Deep Life Ltd IBC Deep Life Ltd IBC Error in reading monitoring or control device Dive Error in reading critical information on monitoring or control device Recovery action
66. Exhaustedic sciessvesessacererardssasrersarceerercesecccevevecesevenensvensesses 94 11 4 Scr bber BYPaSSissesseeeisaseseaeeesaaakeaeaaesaedaaade ces EEE T TEET ETE TET ETE E o 95 11 5 Excess Work Of Breathing 0scsssvevevseevsveusssctedevsscscevesecersveterereesessedes 96 11 6 Counterlungs change position causing CO2 hit eee ee eee eee e ee eeee 96 11 7 One Way Valve Flapper valve Stuck Open or Partially Open 6 97 11 8 One Way Valve Flapper valve Stuck Shut or Partially Shut 98 11 9 One Way Valve missing from one side of the loop eee eeeeeeee ence e ee eeee 99 11 10 Caustic cocktail from CO2 scrubber 2 eee eee ee eee eee e eee eeeeeeeeeeeeneee 100 11311 Hoses pinched orekinked sc2c0 lt ceed ernan EEEE seen eee eee eee 100 11 12 Loop Flow Direction Swapped Accidentally cece ee eee cece e ee eeeeeeeeee 101 11 13 Premature Counterlung Failure 2 cece cece ee eee eee eeeeeeeeeeeeeeeeeneee 101 11 14 Counterlung blocks ports eee ee cee cece e eee cence eee eeeeeeeeeeeeeteeeenaee 101 11 15 Structures that bypass the scrubber cece ee eee cence eeeeeeeeeeeeeneee 102 11 16 Very low diver tidal volume 0 eee cece cece cence eee eeeeeeeeeeeeneeeeeneee 102 11 17 Sensory system false alarM eee ccee eee eeeee ee eec eee eeceeeeeeeeeeneeeeetaee 103 12 Flooding anc Drowning resserre E rrr 10
67. Hz to 1GHz EN 61000 4 4 2006 Electrical Fast Transient Burst EFT to requirement EN 61000 6 1 2007 Criteria B EN 61000 4 5 2005 Electrical Slow Transient Surge Immunity to requirement EN 61000 6 1 2007 Criteria B EN 61000 4 6 2006 RF Conducted Immunity to requirement EN 61000 6 1 2007 Criteria A EN 61000 4 8 2001 Magnetic Field Immunity to requirement EN 61000 6 1 Criteria A 3 A M 50 and 60 Hz EN 61000 4 11 2004 Voltage Interruption Immunity to requirement EN 61000 6 1 2007 Criteria B and C FCC Part 15 Subsection A A 30 000 Amps per square meter DC test shall be applied to all electronics in view of the extremely high current environment in underwater welding and cutting operations A review of processor susceptibility has resulted in a conclusion that power disturbance susceptibility shall be assessed using a full sweep of full scale power interrupts shall be applied from 100us to 1s in 50us increments without malfunction to supplement electrical transient tests A full sweep of brownout conditions for all power supply combinations shall be applied A full sweep of power noise from 1us to 100us shall be applied in 1us increments All units with power supplied by cables longer than 10m shall have a 500VDC pulse applied to the power supplies in accord with ship electronics regulations including diver umbilicals No malfunction shall be observed under any of the above conditions All self contained electronic assemblies shal
68. Life Design Group Functional Safety Implication Provide instruction and information on pulmonary exposure risks 18 17 Counter diffusion hazard Cause Use of breathing gases with END less than Omsw Use of different gases between suit and breathing loop Switching between gases with different constituents Preventative action Training on hazards of counter diffusion Functional Safety Implication Measure N2 by deduction of other gases and give alarm if less than 500mbar of N2 State hazard clearly in training manuals 18 18 Sudden Underwater Blackout Cause Shallow water blackout and Deep water blackout are phenomena which occur due to hypoxia or hypocapnia in breath hold divers freediving and is outside the scope here other than for a comparison of the process with the SCUBA equivalent Hypoxia and hypercapnia are by far the predominant causes of sudden loss of consciousness on rebreathers however there are rare occurrences on Open Circuit These may be due to gas expanding in decompression sufficiently to block blood supply and can occur in very poor decompression management such as in emergency ascents where the diver has a large decompression obligation Underlying health issues are very unlikely to cause blackout underwater but should be considered in each case it occurs Shunts can reduce the PPO2 in the oxygen cascade from inhalation to the tissues as does hypoventilation each can exacerbate hypoxia risks
69. O2 as it detects many other fault conditions such as missing or damaged one way valves in the DSV The means to monitor exhaled CO2 has been disclosed with reasonable detail Measure breathing resistance across scrubber to detect a missing scrubber failure automatically This is not within ALARP at present as it involves a complex differential sensor arrangement which if it fails could result in a CO2 bypass A further factor is the potential again for the user to rely on this sensor rather than use a checklist 11 2 Scrubber Physically Damaged affecting gas X section Cause Symptoms Surface Dive Poor handling with poor user check when installing scrubber Rapid breathing headache Hypercapnia Stuffiness rapid breathing confusion Hypercapnia Recovery action during Dive Bail out Preventative action Check scrubber visually before installation If granular scrubber weigh the scrubber Functional Safety Implication Ensure scrubber seals can tolerate a large degree of scrubber damage Provide monitoring of expired CO2 in iCCR and eCCRs eSCRs Provide scrubber health monitoring in eCCRs 11 3 Scrubber Exhausted Cause Overuse or improper storage Out of date Symptoms Surface FMECA_OR_V6_141201 doc Rev C6 94 of 163 This document is the property of Deep Life Design Group and is released for Open Distribution subject to no modification being made and the document being reproduc
70. ORING FAILURES Control and information failures are considered above this section is concerned about the oxygen level sensing 10 1 O2 Cell Decompression Failure Cause Differential pressure on 02 cell Decompression of O2 cells faster than is safe for a human Rupture of rear membrane inside 02 Cell causes KOH to be deposited on to temperature compensation board Symptoms FMECA_OR_V6_141201 doc Rev C6 78 of 163 This document is the property of Deep Life Design Group and is released for Open Distribution subject to no modification being made and the document being reproduced in full Deep Life Design Group is a trademark of Deep Life Ltd IBC Deep Life Ltd IBC Surface Not apparent Dive If the diver flushes the loop the PPO2 will be different from that expected Recovery action during Dive Bail out Preventative action Careful inspection of sensors It is unreasonable to expect the user to do this on every dive Functional Safety Implication This is a serious failure in that it causes the O2 Cell reading to fluctuate both high and low depending on temperature Clear advice on care and maintenance of O2 Cells shall be in the user manuals for the rebreather including avoiding rapid decompression shock temperature extremes or mechanical damage Solution adopted is to change the sensor design to allow this problem to be detected The temperature compensation circuit is removed
71. Reports from http www bsac org safety index html 5 International Marine Contractors Association reports from http www imca int com divisions marine publications dpsi html 6 UK Health and Safety Laboratory Research Report 424 Performance of Diving Equipment by N Bailey J Bolsover C Parker and A Hughes 2006 7 A Deas How Rebreathers Kill People available from http www deeplife co uk 8 Stephen Hawkings Diver Mole Web Site at http www btinternet com madmole divemole htm and available long term through www archive org 9 S Tetlow J Jenkins The use of fault tree analysis to visualise the importance of human factors for safe diving with closed circuit rebreathers CCR International Journal of the Society for Underwater Technology Vol 26 No 3 pp 51 59 2005 ISSN 0141 0814 10 Air Products A review of air separation technologies Available for download from http www airproducts com media downloads white papers A en a review of air separation technologies whitepaper pdf Capture date of 12th June 2013 FMECA_OR_V6_141201 doc Rev C6 162 of 163 This document is the property of Deep Life Design Group and is released for Open Distribution subject to no modification being made and the document being reproduced in full Deep Life Design Group is a trademark of Deep Life Ltd IBC Deep Life Design Group 71 NASA data on Outgassing Data for Selecting Sp
72. Surface None Dive Freeflow or excessive loop pressure Recovery action during Dive Abort dive or vent manually through the nose if excessive loop pressure Preventative action OPV should not be adjustable Functional Safety Implication OPV should have fixed pressure e g 35mbar 8 13 OPV or drain admits water as it operates Cause Single membrane OPV Symptoms Surface None Dive Gradual flooding or loss of loop gas Recovery action during Dive Abort dive Preventative action Avoid by design FMECA_OR_V6_141201 doc Rev C6 55 of 163 This document is the property of Deep Life Design Group and is released for Open Distribution subject to no modification being made and the document being reproduced in full Deep Life Design Group is a trademark of Deep Life Ltd IBC Deep Life Ltd IBC Functional Safety Implication OPV and all valves venting the loop should have one way valves and be double valves 8 14 Lack of means to vent loop manually when bailed out Cause No manual water dumps or manual venting fitted Symptoms Surface None Dive After bail out considerable increase in positive buoyancy during ascent Recovery action during Dive Deliberately flood the breathing loop e g by opening DSV Preventative action Avoid by design Functional Safety Implication All rebreathers must be fitted with a means to vent the loop manually following bail out for example a w
73. Symptoms Surface Freeflow from regulator end of the hose Dive Freeflow from regulator end of the hose losing gas Recovery action during Dive Use a bail out gas source Preventative action Use SCUBA hoses fitted with retained O rings these can be identified easily because they generally use a double O ring Functional Safety Implication Consider all SCUBA seals under the condition where the ambient pressure exceeds the line pressure Use a double O ring with each O ring retained by a groove for the regulator connection 5 12 First Stage Regulator O ring Retention Design Fault Cause O rings on the seat assembly of some regulators are retained when the line pressure is the same or more than ambient pressure but are extruded inwards otherwise because there is no groove or retainer for the O ring Fault usually needs an ambient pressure gt 10 bar to manifest itself Symptoms Surface Freeflow from first stage regulator Dive FMECA_OR_V6_141201 doc Rev C6 18 of 163 This document is the property of Deep Life Design Group and is released for Open Distribution subject to no modification being made and the document being reproduced in full Deep Life Design Group is a trademark of Deep Life Ltd IBC Deep Life Ltd IBC Freeflow from first stasge regulator Recovery action during Dive Use a bail out gas source Preventative action Check all regulator assemblies to ensure O rings are retai
74. ab model which has been published by Deep Life Ltd to enable the safety of new rebreather designs to be verified The formal verification environment allows any of these faults to be selected combined with any other s and then applied to verify the safety performance of the equipment under these fault conditions Efforts have been made to encourage other manufacturers to use critique and extend these formal models There has been some independent review of the models by others working on rebreather design The objective is to create an industry wide consensus on the formal fault models needed to verify the safe operation of rebreather apparatus 3 STRUCTURE This report classifies faults into groups based on the section of the equipment associated with the failure There is an inevitable duplication of some failures For example counterlungs becoming detached is one failure but it is also listed under WOB increase in the section on PPCO2 Control as counterlung detachment is one cause of such an increase The view was taken that it is better to include duplication than miss critical failure modes This approach also simplifies the use of the fault list in HAZOP reviews No attempt is made to quantify the probability of the event occurring as most risks can be removed or mitigated by design and other depend too much on maintenance and use factors to make a quantitive risk probability assessment meaningful Similarly no attempt is made
75. able Monitor scrubber life with the application of ALARP Monitor scrubber health with the application of ALARP Minimise WOB with the application of ALARP Reduce variation in scrubber duration from filling method or variation in scrubber chemistry e g different granules Design scrubber to have uniform endurance with depth and temperature with the application of ALARP Provide 2kPa scrubber endurance ratings in addition to 0 5kPa and any other regulatory levels so diver knows the practical duration of the scrubber and does not extrapolate from a figure which is meaninglessly low from a diver s standpoint 18 4 Breathing off loop that otherwise cannot sustain life Cause User fails to bail out Frequent cause of fatalities on CCRs Diver may not see be aware of or be able to react to alarms because they are impaired by e Narcosis e Hypoxia before LOC e Barotrauma e Stress e CO2 retention e User may be deaf and not hear the alarms implicated in a dive fatality e Training on an SCR that does not require the user to monitor the PPO2 in the FMECA_OR_V6_141201 doc Rev C6 135 of 163 This document is the property of Deep Life Design Group and is released for Open Distribution subject to no modification being made and the document being reproduced in full Deep Life Design Group is a trademark of Deep Life Ltd IBC Deep Life Design Group breathing loop implicated in an eCCR dive fatality
76. acecraft Materials http outgassing nsa gov Capture date of 3rd September 2008 12 Boedeker Plastics Outgasing of Engineering Plastics in High Vacuum Applications www boedeker com outgas htm Capture date of 4 April 2012 13 Polymer Data Handbook 1999 Edited by James Mark 109 Authors Published Oxford University Press Available from www oup usa org with a Capture date of 15 March 2007 FMECA_OR_V6_141201 doc Rev C6 163 of 163 This document is the property of Deep Life Design Group and is released for Open Distribution subject to no modification being made and the document being reproduced in full Deep Life Design Group is a trademark of Deep Life Ltd IBC
77. al Safety Implication i Some battery types are much more liable to overheat or explode than others for example Lithium cobalt cells can explode easily whereas Lithium phosphate cells cannot Unfortunately the power density of Lithium phosphate chemistry is half that of Lithium cobalt ii Monitor of recharge cycles to indicate battery service required before battery reaches recharge cycle lift iii Water in battery compartment iv Cell balancing where multiple cells are used FMECA_OR_V6_141201 doc Rev C6 60 of 163 This document is the property of Deep Life Design Group and is released for Open Distribution subject to no modification being made and the document being reproduced in full Deep Life Design Group is a trademark of Deep Life Ltd IBC Deep Life Ltd IBC v Bad cell detection particularly where multiple cells are used cells should not be simply connected in parallel vi High and low thermal shutdown for charging or discharge battery capacity is higher at low temperature for most lithium chemistries so charging at a low temperature the charge shall stop at the capacity the battery would have at high temperature otherwise the excess charge results in over heating of the battery when the battery is warmed up vii Charge over current protection viii Discharge over current protection x The risk of cells being shorted is very much higher in a marine application than on land applic
78. all be fitted only to the inhale counterlung or inhale hose between inhale counterlung and mouthpiece It shall NOT be fitted to any position in the breathing loop that is between the mouthpiece exhale one way valve and the input to the inhale counterlung following the direction of the normal gas flow 6 24 SCR has insufficient oxygen in gas Cause Poor training or lack of training SCR has insufficient oxygen in the gas to support the diver s metabolism and ascent rate Preventative action 1 Ensure gas mix is correct If not the diver should shut it off and use an alternative gas source 2 Monitor PPO2 3 Mark SCR oxygen cylinders clearly stating that use of gases with an oxygen content less than X will result in hypoxia and death Functional Safety Implication Monitor the PPO2 and provide automatic bail out if the PPO2 cannot be maintained on the mixture A SSUBA rebreather will not switch over to bail out automatically so the diver shall either switch off the umbilical supply so the bail out gas is used or bail out Due to the delay in switch over to a bail out gas it is safer for the SSUBA diver to go to freeflow or open circuit 6 25 Passive oxygen addition rate incorrect mCCRs PA SCR Cause Design fault with the oxygen dosing valve Damage to the oxygen dosing valve Use of incorrect Intermediate Pressure Valve blockage Mechanical damage Salt water ingress drying and salt deposition Damage to the va
79. ally and the dive cannot inhale Recovery action during Dive Bail out Preventative action Perform full hose flapper valve checks before the dive Functional Safety Implication Ensure seals are available for relevant countries which cannot be left on accidentally 7 14 Breathing Hoses Kinked See also Fault 11 11 Cause Poor breathing hose design Symptoms Surface Unable to breathe Dive As diver exhales from the rebreather loop the gas is vented into the water either fully or partially and the dive cannot inhale or vise versa Recovery action during Dive Bail out Preventative action Use non kinking hoses Functional Safety Implication Ensure hoses cannot kink under any plausible condition FMECA_OR_V6_141201 doc Rev C6 48 of 163 This document is the property of Deep Life Design Group and is released for Open Distribution subject to no modification being made and the document being reproduced in full Deep Life Design Group is a trademark of Deep Life Ltd IBC Deep Life Ltd IBC 8 LOOP VOLUME RELIEF FAILURES OPV refers to the loop over pressure valve Burst disk or intermediate pressure over pressure valves are considered under oxygen supply failures 8 1 OPV diaphragm damaged Cause OPV diaphragm torn or displaced Symptoms Surface Pre dive positive pressure check failure Dive Gurgling and other signs of water in loop Breathing resistance Recovery action during Dive
80. ame manner as respiratory collapse from water inhalation below Use gas heaters for diving below 7C and particularly below 4C Functional Safety Implication Advise divers that below 7C gas heating is required and particularly below 4C 18 11 Respiratory collapse from asthma Cause Diver asthmatic attack Preventative action People with known asthma should not dive FMECA_OR_V6_141201 doc Rev C6 139 of 163 This document is the property of Deep Life Design Group and is released for Open Distribution subject to no modification being made and the document being reproduced in full Deep Life Design Group is a trademark of Deep Life Ltd IBC Deep Life Design Group However asthmatic attacks can occur for the first time in diving the result is very similar to that of respiratory collapse from water inhalation and should be handled in the same manner underwater Functional Safety Implication Follow recommendations for Respiratory Collapse General 18 12 Respiratory collapse from water inhalation Cause Even in snorkelling inhalation of water can cause a respiratory collapse the diver inhales a small amount of water and feels like he is suffocating or drowning with wheezing inhalation The risk is much higher where water salinity is high for example in the Red Sea a few drops of salt water inhaled can cause the diver s throat to constrict with the diver coughing out water Preventative action
81. and recovered The start up sequence should detect if an abnormal shutdown occurs so immediate recovery can be carried out FMECA_OR_V6_141201 doc Rev C6 62 of 163 This document is the property of Deep Life Design Group and is released for Open Distribution subject to no modification being made and the document being reproduced in full Deep Life Design Group is a trademark of Deep Life Ltd IBC Deep Life Ltd IBC 8 Any such failure should be logged and the unit permanently locked out on the surface 9 The circuit should have multiple clocks power supplies and other circuits so that the MTBCF of the circuit exceeds the SIL 3 requirement by sufficient margin to ensure that when coupled with the MTBCF of the mechanical components the overall MTBCF is still above 1 billion hours 9 8 Monitoring or control devices switched off Cause Design fails to keep monitoring or control devices switched on when unit is being used User often switches monitoring or control device off if it fails in an obvious or dangerous manner underwater For example if keeps injecting 02 despite PPO2 being sufficient or enters calibration mode Be very careful to analyse all failures where user surfaces with monitoring or control devices switched off especially with experienced users Symptoms Surface Pre dive check failure Blank monitoring or control devices No pre breathe Dive No monitoring or control device
82. and replaced with a 1000hm load The electronics check for the existence of the 1000hm load to verify that the correct sensor type is fitted and the load is there then tests the cell by charge injection Only then will it use that sensor reading otherwise it will report a faulty sensor and will also report a fault when the cell has a decompression fault because the charge relaxation time will differ significantly from that of a good cell This method of automatic self test before and during the dive detects the problem and can provide cell screening 10 2 O2 Cell has CO2 Contamination Cause High level of CO2 such as from pre breathing without a scrubber causes CO2 to migrate across 02 cell membrane into KOH where it converts KOH into water Symptoms Surface Not apparent Dive If the diver flushes the loop the PPO2 will be different from that expected Recovery action during Dive FMECA_OR_V6_141201 doc Rev C6 79 of 163 This document is the property of Deep Life Design Group and is released for Open Distribution subject to no modification being made and the document being reproduced in full Deep Life Design Group is a trademark of Deep Life Ltd IBC Deep Life Ltd IBC Bail out Preventative action If CO2 level high on start up check cells for droop Functional Safety Implication This is a serious failure in that it causes all O2 Cell readings to read low This should be detected automat
83. and the document being reproduced in full Deep Life Design Group is a trademark of Deep Life Ltd IBC Deep Life Ltd IBC 9 16 Corroded wiring Cause Caustic cocktail Unit left in flooded condition No or inadequate conformal coating to wiring Use of inappropriate cable such as non plated cable Symptoms Surface Electronics malfunction Visible corrosion Dive Any electronics malfunction Recovery action during Dive Bail out Preventative action Service correctly and pre dive checks Functional Safety Implication This problem occurs with electronics that are not Functional Safety compliant The electronics should perform a JTAG test on start up this would identify the problem prior to dive 9 17 System Looping on Interrupts raising PPO2 Cause FMECA on a contemporary system no battery level indicator using primary cells i e user replaceable where the monitoring or control devices resets over and over if the battery is low and the monitoring or control device will fire the solenoid every time it resets Preventative Action Competent design Functional Safety Implication 1 Consider effect of watchdog timers and brown out circuits firing repeatedly blocking other actions 2 NASA Software Safety Guidelines Functional Safety and ISO 12207 recommends avoidance of interrupts in Cat A High SIL safety systems Any departure from that recommendation should be fully supported by a detailed
84. and the vapour pressure from boiling off the electrolyte 9 11 Controller fails to handle situation where diver does not understand failure message or is unable to act Cause User does not understand the warning User is injured and not able to actuate unit e g CNS toxicity User is entrapped by netting or cable limiting mobility FMECA_OR_V6_141201 doc Rev C6 65 of 163 This document is the property of Deep Life Design Group and is released for Open Distribution subject to no modification being made and the document being reproduced in full Deep Life Design Group is a trademark of Deep Life Ltd IBC Deep Life Ltd IBC Failure of back light on monitoring or control device where user relies totally on the monitoring or control device and is using the monitoring or control device in a dark environment Failure of voice annunciation system where user relies totally on the voice annunciation Failure of buzzer where user relies totally on buzzer Failure of Head Up Display Recovery action during Dive Read the warning message using a torch if necessary If not clear bail out Preventative action Proper design procedures Proper maintenance and training Functional Safety Implication O B Provide a reference in the Open Revolution submission this is the text display under the main monitoring or control device display This displays the failure and the action required If in doubt the user can look
85. as a boiling point of 183 0 C e Argon has a boiling point of 185 85 C e Nitrogen has a boiling point of 195 76 C Hence the cryogenic separator removes nitrogen easily but the separation of argon from oxygen requires extremely tight control or frequently use of a separate process For non diving grade oxygen e g welding oxygen there is no benefit from this extra cost so the argon is left in the gas Membrane separation and molecular filters produce the same result because nitrogen is absorbed much more readily than oxygen and argon FMECA_OR_V6_141201 doc Rev C6 119 of 163 This document is the property of Deep Life Design Group and is released for Open Distribution subject to no modification being made and the document being reproduced in full Deep Life Design Group is a trademark of Deep Life Ltd IBC Deep Life Design Group The argon in oxygen in a rebreather does not act like a make up gas a k a diluent because it is added continuously through the dive It gradually displaces the intended make up gas with argon This is a risk in CCRs of all types it is nota significant risk in SCRs because the EAN of the main gas will contain enough nitrogen to enable the breathing loop to vent regularly Symptoms Narcosis at shallow depth argon is 2 3 times more narcotic than nitrogen at any given depth LSD like hallucinations argon narcosis is reported to be not the same as nitrogen
86. at material Poor maintenance of regulator Corrosion particularly of sintered filters causing breakup of the filter Poor design of regulator Icing of regulator Structural failure of regulator Poor adjustment of regulator Foreign material under valve seat from tank or from reverse flow into regulator Wear of valve seat Failure of valve seat O rings not retained with negative pressure Symptoms Surface In mCCRs and iCCRs with over pressure less than the intermediate hose rupture pressure and below that at which an over pressure release triggers an over pressure causes an excess oxygen flow The magnitude of the possible excess flow can be severely limited see Functional Safety implications In eCCRs using solenoids the injector can seize If a solenoid is used very small deviations of intermediate pressure can result in the solenoid becoming stuck open or stuck shut both are safety critical failures At a higher pressure an over pressure valve should lift and at higher pressures still the intermediate pressure hose can burst or creep out of its fitting In eCCRs using variable orifice valves there can be a high tolerance of intermediate pressure variations maintaining the operation of the PPO2 control system to pressures up to and above the hose With large increases in over pressure that may not be limited by an over pressure valve in tests with over pressure gauges venting 600 lpm with just a 4 ba
87. ated breathing gas US FDA Federal Notice Register Final Rule Natural Rubber Containing Medical Devices User Labelling 62 FR 189 51021 51030 30 Sept 1997 6 OSHA Technical Information Bulletin Potential for Allergy to Natural Rubber Latex Gloves and other Natural Rubber Products 12 April 1991 7 Unified Agenda of the Consumer Product Safety Commission Federal Register 65 FR 231 74830 74839 30 Nov 2000 FMECA_OR_V6_141201 doc Rev C6 137 of 163 This document is the property of Deep Life Design Group and is released for Open Distribution subject to no modification being made and the document being reproduced in full Deep Life Design Group is a trademark of Deep Life Ltd IBC Deep Life Design Group Sea sickness Alcohol drugs or ill health Divers being sick underwater occurs frequently Preventative action Use certified breathing gas Do not dive under influence of alcohol or drugs Do not dive in case of bad health Maintain an O C regulator to be sick through Functional Safety Implication It is beneficial to have an O C regulator in the system This would require a breathable gas at all times A combined ALV BOV which is always in the loop is highly desirable It would enable the diver to be sick with switching gas supplies This will not be able to be cleared as an O C regulator can be but gives a large path for material to be purged It is desirable that there be a method for intr
88. ater dump with manual activation All safety requirements relating to water dumps shall be included 9 CONTROLLER AND INFORMATION FAILURES 9 1 Battery Low Cause Over use or internal failure lack of charge Symptoms Surface Low Bat warning on monitoring or control device Solenoid not functioning Cannot maintain set point Dive Low Bat warning on monitoring or control device O2 Injector not functioning Cannot maintain set point Recovery action during Dive FMECA_OR_V6_141201 doc Rev C6 56 of 163 This document is the property of Deep Life Design Group and is released for Open Distribution subject to no modification being made and the document being reproduced in full Deep Life Design Group is a trademark of Deep Life Ltd IBC Deep Life Ltd IBC Abort dive Variable orifice valve should maintain PPO2 if ascent rate is slow otherwise activate Auto Bail out and Shut Off valve Preventative action Pre Dive checks and measure battery voltage before dives Recharge when warning is shown or before big dive Fault incidence reduced by design O R submission includes 3 independent power sources two of which are maintained at 1 ATM Functional Safety Implication Lack of power is the Achilles Heal of electronics Provide 3 power sources with different drain rates and do not allow dive unless adequate capacity 10 hours minimum See all actions for Battery Failure below 9 2 Battery Fail
89. ather to their body except using the harness that came with the rebreather 13 7 BOV or DSV Guillotines Diver s Tongue Cause BOV or DSV where the shut off action moves a blade or edge across the mouthpiece If diver s tongue is in that space then it can be guillotined This is particularly important in automatic shut off valves but has occurred ona manual DSV Symptoms Surface Diver s tongue is either caught in the DSV or BOV or a section of the end of his tongue is cut off Dive As surface but likely to escalate into a serious dive accident Recovery action during Dive Do not put body parts into the DSV or BOV Preventative action Avoid by design DSVs with spring powered action and BOVs in particular should orient the moving barrel to rotate around the mouthpiece rather than cross the mouthpiece Functional Safety Implication Barrel of DSVs BOVs and ALVBOVs should rotate in the axis of the tongue not across it to eliminate any possibility of this fault FMECA_OR_V6_141201 doc Rev C6 116 of 163 This document is the property of Deep Life Design Group and is released for Open Distribution subject to no modification being made and the document being reproduced in full Deep Life Design Group is a trademark of Deep Life Ltd IBC Deep Life Design Group 13 8 Infective Bacteria Fungi Yeasts and Viruses Cause Failure to clean diving equipment particular counterlungs and wings
90. ation 1 Covered by end to end clause 2 Ensure PPO2 can be maintained with 120m min ascent rates by specific inclusion in 02 injector verification plan FMECA_OR_V6_141201 doc Rev C6 31 of 163 This document is the property of Deep Life Design Group and is released for Open Distribution subject to no modification being made and the document being reproduced in full Deep Life Design Group is a trademark of Deep Life Ltd IBC Deep Life Ltd IBC 3 To avoid this fault the rebreather should not allow PPO2 set points which are lower than the corresponding fraction of O2 in air until it becomes necessary to limit CNS exposure Use of PPO2 not less than air to at least 30m is recommended 4 Note OPV should be fitted to inhale counterlung not exhale counterlung If the OPV is fitted to any point between the diver s exhale flapper valve and the inhale counterlung a reverse gas flow occurs on very fast ascents during which all injected oxygen is swept out of the rebreather as the flow moves from the inhale counterlung towards the OPV This is recorded as a separate fault mode to ensure it is not missed 5 Suit and BCD supplies should be quick release 6 18 PPO2 low due to injection not keeping up with demand Cause User error and design limitation User flushes loop with hypoxic Make Up Gas Overlap with some other errors such as running out of O2 or injector failure Symptoms Dive Counterlu
91. ations xi Where the cell is large enough to cause rupture of a housing equivalent to an AA cell or larger the only viable solution is to use Lithium phosphate cells e g Valence Saphion cells xii An alternative solution for very low applications is to use Lithium mixed oxide cells smaller than AA of a shape that ruptures easily for example very thin panel cells with a means to control the energy release such as immersion in silicone oil with an expansion bladder or potting in PU and silicone gel xiii Lithium cobalt cells should not be used in any configuration 9 6 Monitoring or control device failure not apparent to user Cause Flooding wiring or mechanical breakage Symptoms Surface Blank screen Dive Blank screen frozen screen Recovery action during Dive Main controller should take over check this occurs Abandon dive Preventative action Protect monitoring or control devices and check wiring during service Functional Safety Implication 1 Perform full JTAG testing during power up sequence FMECA_OR_V6_141201 doc Rev C6 61 of 163 This document is the property of Deep Life Design Group and is released for Open Distribution subject to no modification being made and the document being reproduced in full Deep Life Design Group is a trademark of Deep Life Ltd IBC Deep Life Ltd IBC Use multiple devices in monitoring or control device so failure of one clock or one integrated ci
92. azard and ESD hazards B4 added cold water faults B5 Isolating ALV faults B6 4 April 2007 ALV fault added to fault 6 1 B7 21 May 2008 Added ALV failure incidents and connector failures Hypoxia monitor added B8 30 June 2008 OPV failures broken out as a separate section and detailed Helmet oro nasal valve failure added Water drain faults added B9 28 Nov 2008 Diver thermal and respiratory shock added commercial diver one way valves added safety process fault section added Deco risks added B10 28 Dec 2008 Cylinder risks separated B11 14 Mar 2009 Expansion of Sections 6 3 Oxygen First Stage Overpressure hazards p12 and Section 7 4 p24 Make up gas First Stage Overpressure hazards p23 Section 7 7 Wrong Make up gas expanded as a result of an accident study Section 6 7 Uncontrolled ascent expanded Numeration of requirements expanded so these can be audited using Mantis Mantis uses the same enumeration B12 86 10 812 13 812 14 8512 2 812 3 86 8 810 10 86 23 18 Sections reorganised by their safety functions B13 28 May 2009 Review improvements B14 29 May 2009 Proofread and further review comments included B15 23 Aug 2009 ALVBOV and Manual O2 injector FMECA top down merged into this document Material safety excludes Delrin and POMs based on reports of lung burns from divers diving new rebreathers making extensive use of these materials Fault 6 28 added from a field failure B17 17 D
93. bject to no modification being made and the document being reproduced in full Deep Life Design Group is a trademark of Deep Life Ltd IBC Deep Life Design Group Oxy arc cutting blowback pushes out the lexian glass in the helmet or cracks the helmet Oxy arc cutting blowback Hydraulic pulse on membranes and on hoses Oxy arc cutting blowback Igniting oxygen pockets while burning Sand and grit blocking valves and orifices for equalisation Electrical currents increasing corrosion through electolysis Do the EMS limits in CE directives cover high current densities seen in diving The current is enough to strip the chrome from the brass regulators used on Kirby Morgan helmets and enough to shutdown the microphone circuits in the helmet while these operations are carried out Mechanical vibration from a jack hammer transmitted through the diver to the equipment Noise from high pressure water jets Towing heavy weights over the shoulders rubbing on the suit and counterlungs UV from diving welding or the ozone this creates in a habitat that has had recent welding Dressing on and off in a safe manner in a habitat Diving in extremely oily conditions where the diver has to undress in the water then move with the helmet into a decontamination bell Concern over nooks and crannies making it difficult to decontaminate Contamination in the wind of the umbilical Preventative action Electrical use a SIL 4 rated
94. can introduce a low FOQ2 gas 2 Auto Shut Off Valve would have prevented the problem affecting the diver s safety 3 Voice annunciation of the resulting low PPO2 level would have prevented the problem affecting the diver s safety 6 12 Solenoid Stuck Shut due to rise in Intermediate Pressure Cause Rapid ascent in combination with O2 solenoid having narrow operating range Preventative action 1 Ideally eliminate O2 solenoids they have no place as a rebreather injector because both their failure modes are non fail safe 2 If solenoids are used ensure all failure modes are minimised and protected by suitable monitoring and shutoffs Functional Safety Implication 1 Carry out a full safety verification and assessment of the 02 injector to ensure it operates correctly with all possible intermediate pressures 2 In any case solenoids should operate with both compensated and non compensated regulators as divers frequently change regulators FMECA_OR_V6_141201 doc Rev C6 29 of 163 This document is the property of Deep Life Design Group and is released for Open Distribution subject to no modification being made and the document being reproduced in full Deep Life Design Group is a trademark of Deep Life Ltd IBC Deep Life Ltd IBC 6 13 O2 orifice motor driver failure orifice type injectors Cause Poor maintenance or failure of component motor position sensor etc Symptoms Surface
95. cation being made and the document being reproduced in full Deep Life Design Group is a trademark of Deep Life Ltd IBC Deep Life Design Group Preventative action Service correctly and pre dive checks Diver should be trained to be aware of the importance of fixing down the counterlungs Functional Safety Implication Counterlungs should be fixed down so that user cannot disconnect one end or fail to attach counterlungs Active monitoring of respiratory parameters is needed 11 7 One Way Valve Flapper valve Stuck Open or Partially Open The term flapper valve refers to the whole one way valve assembly The assembly comprises a web and a mushroom Cause Valve not fitted Valve stuck open due to debris in the valve particularly following a flood or vomiting into the loop Some valve designs allow them to jam open with pulses in the gas stream Incorrect assembly mushroom is inserted on to the wrong side of the web or the webs are swapped The wrong mushroom is inserted Web profile incorrect Valve form incorrect Valve material inappropriate e g EPDM such that it forms a set over time Symptoms Surface Same as scrubber breakthrough Dive Same as scrubber breakthrough Recovery action during Dive Bail out Preventative action Pre dive check for valve operation FMECA_OR_V6_141201 doc Rev C6 97 of 163 This document is the property of Deep Life Design Group and is rel
96. cece eee e cece eeeeeceeeeeeeeeeneeees 123 16 1 Effect of cold on the rebreather cece cee cece ee eee eee ee eee eeeeeeeneeeeeneee 123 16 2 Thermal respiratory SHOCK ceeceeeeeec cece cence eee eeceeeeeceeeensereraeees 124 17 Failures Specific To Umbilical Supplied Dives ccc ee eeee ence eeeeeeeeteeees 125 17 1 Loss of Umbilical Commercial diver eccceeeeee cece eeeeeeeeeeeeeeeeeee 125 17 2 Cut of umbilical near surface Commercial Diver sc cee eeeee ence eeees 125 17 3 Entrapment of Umbilical Commercial diver eeeeee eee e ence eeeeeee 126 17 4 Loss of Helmet Commercial diver sce cece eeeeeeeeec eee eeeeeeeneeeeeneee 126 17 5 Sudden change in depth Commercial diver cece eeeeee cece ee eeeeeeees 126 17 6 CO in loop Commercial diver cc cceeeeee cece c cence eee eeceeeeteeeeeteeerers 127 17 7 HC or Volatile Organic Compounds in Loop Commercial diver 127 17 8 Loss of communications Commercial Diver ccs eeeee eee ee eeeeeeeeees 128 17 9 Loss of Gas Heating Commercial diver cee eeeee cece ee eeeeeeeeeeeeeees 128 17 10 Overheating Commercial diver cece cee cece ee ece ee eeceeeeeeeeeeneeeeeeeee 128 17 11 Loss of Suit Heating Commercial diver cee cece eee eeeeeeeeeeeeeeeeeee 129 17 12 Excess suit heating Commercial diver cee e
97. d any engineering course managed by Project Leaders who never had any formal education after the age of 16 have been sold by the thousand There is strong statistical and case evidence that this has resulted in deaths comparable to the world s worst serial killers FMECA_OR_V6_141201 doc Rev C6 150 of 163 This document is the property of Deep Life Design Group and is released for Open Distribution subject to no modification being made and the document being reproduced in full Deep Life Design Group is a trademark of Deep Life Ltd IBC Deep Life Design Group Certification body fails to ensure standards are applied or fails to react to information such as claims that a product complies with a particular standard when that has not been proven by audit resulting in users being misled as to the safety of the product In some cases this has lead to very dangerous equipment being sold to the public in large volumes Implication A Safety certification body has a strong ethical and moral responsible for failures resulting from issuing certification to non compliant equipment Manufacturers have a responsibility to ensure the safety certification body is fully informed of all relevant safety data or absence of it Failure of an electronic or programmed part of a rebreather to meet an international Functional Safety standard such as EN 61508 2004 Parts 1 to 3 is incompetence and negligence from a safety engineering
98. d be able to be bent 180 degrees without kinking Functional Safety Implication 35 Ensure nothing can pinch the counterlung during assembly 36 Emphasise the need to carry out pre dive checks 37 All breathing hoses shall be able to be bent 180 degrees in their minimum possible radius without kinking 38 All breathing hoses shall withstand at least 10kg pressure applied over a 100m length without the internal diameter being shut off 12 7 Counterlung or rebreather component pierced Cause Packing sharp objects on counterlungs Physical abuse FMECA_OR_V6_141201 doc Rev C6 108 of 163 This document is the property of Deep Life Design Group and is released for Open Distribution subject to no modification being made and the document being reproduced in full Deep Life Design Group is a trademark of Deep Life Ltd IBC Deep Life Design Group Customs or security or policing by use of sharp probes to piece equipment in order to obtain a gas sample Preventative action Avoid by appropriate design handling and pre dive checks Functional Safety Implication 39 Divers should not pack items on or in the counterlungs 40 Emphasise the need to carry out pre dive checks including visual inspection 41 Shipping label should state clearly that security inspections shall not use sharp probes to sample the gas 12 8 Lack of water drain Cause For technical rebreathers a means to remove water from the breat
99. during Dive Bail out Preventative action Ensure products do not contain any allergenic materials Use mouthpiece retainer or full face mask to mitigate risks if diver is unconscious Functional Safety Implication Eliminate all allergenic materials from loop Check all materials carefully for off gassing components both from the MSDS and from rigorous materials testing Latex is particularly insidious because it appears to be able to create a sensitivity to other materials creating allergies to common materials this is a serious problem for health workers using latex gloves so should be avoided in rebreathers In 1997 the FDA required labelling of medical devices containing NRL FDA also prohibits the use of the word hypoallergenic on labelling of devices containing natural rubber In 1999 OSHA issued a technical information bulletin to alert field personnel to the potential for allergic reactions in some individuals using natural latex gloves and other products made from the material The US Consumer Product Safety Commission CPSC is considering a petition to rule NRL a strong sensitiser under the Federal Hazardous Substances Act That designation indicates that a substance has significant potential for causing hypersensitivity The petition claims that individuals have developed latex allergies or suffered allergic responses through exposure to NRL in consumer products 18 6 Vomiting into breathing loop Cause Contamin
100. dy_110105 pdf Symptoms Surface Intermittent Out of Range or Failure messages on a cell Failure to calibrate Dive Intermittent Out of Range or Failure messages on a cell Recovery action during Dive Make Up Gas flush to check which sensors respond correctly Consider bail out Abandon dive Preventative action Replace cells at correct intervals every 12 months Check linearity and accuracy of cells to 4 atm every 3 months Handle cells carefully keeping away from heat sources freezing conditions Functional Safety Implication 02 Cells are notoriously unreliable and the overwhelming majority are wholly unsuitable for use in a rebreather FMECA_OR_V6_141201 doc Rev C6 82 of 163 This document is the property of Deep Life Design Group and is released for Open Distribution subject to no modification being made and the document being reproduced in full Deep Life Design Group is a trademark of Deep Life Ltd IBC Deep Life Ltd IBC To use galvanic oxygen cells in a rebreather involves a demanding Functional Safety process that includes 1 Proper characterisation of the available cells See an example on the Deep Life web site www deeplife co uk or_dv php as document DV_O2_cell_study_110105 pdf which catalogues both failure modes and mitigation measures to improve cells 2 The cell design and manufacture should be optimised for rebreather use in particular with sufficiently fas
101. e a secondary regulator Octopus regulator Preventative action Avoid by design that connectors hoses and mouthpiece do not fail if the diver snags them on the dive boat or underwater Ensure mouthpiece retainer gag strap is fitted and used Functional Safety Implication 1 1 34 1 Ensure the mouthpiece can withstand the weight of a diver 100kg for 1 minute 1 1 34 2 Ensure all hoses and connectors can withstand the weight of a diver 100kg for 1 minute 1 1 34 3 Fit a mouthpiece retainer as standard 12 4 Counterlung ports pull out from counterlung Cause Failure to reinforce the port cutouts in the counterlung and key the port cutout such that the CL can pull out from the port Preventative action Ensure port reinforcing rings are fitted with strong positive keying If a two layer counterlung is used ensure inner layer is larger than outer layer Functional Safety Implication Ensure ports and counterlungs withstand a 100kg pull the largest plausible force that will be applied and also withstands at least a 300mbar overpressure under these circumstances Fit a reinforcing ring to the counterlung that positively latches the port mouldings 12 5 Implosion or explosion on compression or decompression Cause FMECA_OR_V6_141201 doc Rev C6 107 of 163 This document is the property of Deep Life Design Group and is released for Open Distribution subject to no modification being made and the docume
102. e property of Deep Life Design Group and is released for Open Distribution subject to no modification being made and the document being reproduced in full Deep Life Design Group is a trademark of Deep Life Ltd IBC Deep Life Design Group Dive Intermittent Out of Range or Failure messages on a cell Recovery action during Dive Make Up Gas flush to check which sensors respond correctly Bail out Abandon dive Preventative action Latest cells have face which is hydrophobic Insulate loop to lower condensation Functional Safety Implication 1 The cells and cell holders shall not allow condensate or vapour to lay on the cell membrane or face 2 Ensure water can run off the face of the membrane i e it shall not be in a well 3 Important issue is to ensure calibration is not carried out in cells with water on their faces This is an issue if the calibration is performed while fitting a new scrubber The calibration should be performed after the scrubber is closed 4 The training manual should emphasise the checking of the unit by a Make Up Gas flush 5 Ensure cells have a hydrophobic membrane Orient cells to avoid water dripping onto cells in normal diver orientations 7 The O2 Cell fusion algorithm should withstand multiple cell failures 10 14 O2 Cells have differential pressure applied Cause Unequal pressure on front and back of sensor cells during dive Symptoms Surface None Dive Intermi
103. eased for Open Distribution subject to no modification being made and the document being reproduced in full Deep Life Design Group is a trademark of Deep Life Ltd IBC Deep Life Design Group Functional Safety Implication 1 1 11 1 The function of the two one way valves fitted either side of the mouthpiece is critical to the safe operation of the unit 1 1 11 2 The design should be of a type that shall not stick by itself including material selection and clearances around the mushroom 1 1 11 3 The flapper valve assembly should be colour coded so it is obvious to the user which side each valve is fitted to 1 1 11 4 The web supporting the mushroom should have a means to prevent the mushroom being assembled on to the wrong side of the web 1 1 11 5 The two webs should be of different size or keyed to prevent the inhale valve being inserted in the place of the exhale valve 1 1 11 6 The valve should preferably be designed to make a soft click sound each time it closes which the diver can listen to 1 1 11 7 The web should be tested to ensure the mushroom cannot fold into the web regardless of shock mechanical or from pulses of gas 1 1 11 8 The holes in the web needs to be of sufficient size to let small particulate through and not jam The valve should be assessed for function in the case the diver vomits 1 1 11 9 The flapper valve and web form should be assessed for the pressure at which it passes gas in the inco
104. ec 2009 Off gassing material safety updated with PC B18 Update to 86 7 56 8 6 29 7 9 9 2 80 10 1 10 13 Rev 18B 23 Aug 2010 Added 86 29 Rev 18C 26 Aug 2010 Added 57 13 7 14 89 25 817 17 SRev 18C 85 10 85 11 85 12 85 13 CO C5 C6 To 20 Jan 2014 1st Dec 2014 CO Post PPE certification Added O2 cell failure mode detail C1 Updated Sections 86 10 86 30 813 5 813 8 added Section 13 9 C2 Correction to 817 3 added 818 4 C3 More detailed consideration of respiratory collapses IPO and cardiac events C4 Added 8 corner check requirement 86 7 added detail to 11 1 and to 813 10 C5 Faults added from accident analysis 11 9 One way valve faults separated and clarified 14 3 Polarised or UV filtered mask risk added FMECA_OR_V6_141201 doc Rev C6 2 of 163 This document is the property of Deep Life Design Group and is released for Open Distribution subject to no modification being made and the document being reproduced in full Deep Life Design Group is a trademark of Deep Life Ltd IBC Deep Life Design Group Table of Contents 1 PURPOSE and SCOPEs si ssssrsnaersiesSSIASGiOGGSMIAGGSGIIGSNG oa scbs oases eaasesedasesecaseceaaease 9 2 Source Data sasssa sees eee ee ee eee eee aba e eens eee e atone ssseeeotsseectesceotcsseonsueueass 10 E SURUCLUIE scccsebe sees si eeehe sees eed seed seeeeeedeeed seeeeeedededesssasesessceee T 10
105. ece retainer Close the breathing loop when mouthpiece is out of the diver s mouth Protect hoses with covers and service regularly Pre dive checks Ensure buoyancy device can float the diver with a fully flooded rebreather Functional Safety Implication 12 Fit a mouthpiece retainer gag strap as standard 13 Shut the breathing loop automatically if the mouthpiece is not in the diver s mouth 14 Fit a buoyancy device to SCUBA rebreathers i e not umbilical rebreathers with enough lift for the diver with worst case equipment configuration and a flooded rebreather This appears to be 22 5kg for FMECA_OR_V6_141201 doc Rev C6 104 of 163 This document is the property of Deep Life Design Group and is released for Open Distribution subject to no modification being made and the document being reproduced in full Deep Life Design Group is a trademark of Deep Life Ltd IBC Deep Life Design Group 20 21 22 23 24 25 26 27 28 29 general diving and 40kg for trimix or heliox diving due to the extra weight of stage bottles Fatal accidents have occurred where insufficient lift has been implicated Monitor moisture and WOB if within ALARP to do so Warn user of flood and give instructions to bail out Design out risk of connectors not being installed correctly by using very positive identification and colouring to show how far the connector should be installed Ensure Coun
106. ed in full Deep Life Design Group is a trademark of Deep Life Ltd IBC Deep Life Design Group Rapid breathing headache Hypercapnia Dive Stuffiness rapid breathing confusion Hypercapnia Recovery action during Dive Bail out Preventative action Change the scrubber every 3 hours or sooner Functional Safety Implication Monitor scrubber health Monitor scrubber life Monitor when the scrubber is changed Monitor PPCO2 11 4 Scrubber Bypass Cause Gas flows rapidly through a single path in the scrubber and CO2 is not removed Bad packing Material published by APD indicates that a large proportion of their user base cannot pack a granular scrubber properly to prevent this problem The most popular axial scrubbers have an endemic by pass of 0 1 to 0 2 CO2 due to poor scrubber design This means the scrubber should be tested flat in these designs Symptoms Surface Rapid breathing headache Hypercapnia Dive Stuffiness rapid breathing confusion Hypercapnia Recovery action during Dive Bail out Preventative action Design out the problem by using an EAC Functional Safety Implication Monitor scrubber health Monitor scrubber life FMECA_OR_V6_141201 doc Rev C6 95 of 163 This document is the property of Deep Life Design Group and is released for Open Distribution subject to no modification being made and the document being reproduced in full Deep Life Design Group is a trademark
107. ee cece e cence eeeeeeeeeeee 129 17 13 Tools and Equipment Commercial diver ee eeeeeeeec cence eeeeeeeeeee 129 17 14 Oro nasal one way valve failure Commercial diver ee eeee eee e ences 130 17 15 Gas manifold one way valve failure Commercial diver eeeeeeeeeee 131 17 16 Loss of Umbilical Gas wssisisscasssesaebsaeasasasasebedleccdessdecccescoecesccecesecsoeeace 132 17 17 Bail Out Gases Used instead of Oxygen eee eee e cece e eee eeeeeeeeeeeeee 132 18 Diver Physiology Related Faults ccccccccceeesccceeeeeeneeeeeeeeeesnseeeeeeeseees 132 18 1 HY DOX laa ctcceccccceuccccanterccesaccsccereceeecesccoucessuenununnseeceuensuunueeeuueneaoed 133 18 2 HYDCrOXia s ecesssssnseevecsaacananeeesseaaeaneeeeectecccescenaoceeccevecsnocenecsvess 133 18 3 HY Der Capiidcascnanccaccs T tent eeeer ee esees 134 FMECA_OR_V6_141201 doc Rev C6 7 of 163 This document is the property of Deep Life Design Group and is released for Open Distribution subject to no modification being made and the document being reproduced in full Deep Life Design Group is a trademark of Deep Life Ltd IBC Deep Life Design Group 18 4 Breathing off loop that otherwise cannot sustain life eee eeee eens eens 135 18 5 Allergic Reaction to Material ccc cee ee ece cece cece e ee eeeeeeeneeeeeneeeeeaeers 136 18 6 Vomiting into breathing lOOP ce cece cece eee e cece ee e
108. eeeeeeeeeeeeteeeeeeeees 137 18 7 Deco dive with incorrect PPO2 level in lOOP es eee eee ee eee teeter eeeeees 138 18 8 DCS risk higher than statistical projection of deco algorithm 138 18 9 Respiratory collapse from WOB eeeceeecee ence eee eeeeeeeeeeeeeteeeeeneee 139 18 10 Respiratory collapse from thermal respiratory shock ceeseeeceeeeeeee 139 18 11 Respiratory collapse from asthma s sssssssssessssesssessssesssessseesssesssee 139 18 12 Respiratory collapse from water inhalation cccccceeeessseeeeeeeeeees 140 18 13 Respiratory collapse from pressure surge ssessssesssessssesssesssecsssesssee 140 18 14 Respiratory Collapse General sssssssssesssssssssesesssssesesssssseeesseseeee 141 18 157 CNS TOKICIUY sss ccccsesbecescsccceeciccseccccsuccciseesiossieiesesibieesiebeestebeeeteb S 141 18 16 Pulmonary O2 TOXiCity cece ec cee cece eee eee ee eee eeeeeeeeeeeeeneeeereee 142 18 17 Counter diffusion hazard cece eceee eee e eee cence eee eeceeeeeeeeeeneeeeeraee 143 18 18 Sudden Underwater Blackout cece ee eee eee ce cece ee eeeeeeeeeeeeeeeeeeeneee 143 18 19 Immersion Pulmonary Oedema IPO eeeeee cece ee eeeeceeeeeeeeeeeeeteee 145 19 General Diving Hazards ssiisisisisancdasasdisaoansbasasebadesscesesoessesaonseotonsessonsese 146 20 Safety Process Failures cccsscsessrcseersrciersrsssasiretorevererseeevecen
109. eeeeeeeeeees 19 6 Oxygen Setpoint Failures cece cece cece e rsrsr eaa n E E EEEE Ea 20 6 1 Oxygen Cylinder Empty ccc cece cece cece cence tence eeneeeeeteeeeeeeseeeeseeerens 20 6 2 Oxygen Cylinder Switched Off cee e cece cece cece eeeeeeeeeeeeeeteeeeeteeerens 21 6 3 Oxygen First Stage Failure ieee cece cece cece e eee e ee eeeeeeeeceeeeneeeeeneeerens 21 6 4 Oxygen First Stage Over Pressure eee cece e cece ence e ee eeeeeeeeeeeeeeeeeeeneerers 22 6 9 sOxysen Hose leaks ss ccscencesssacesuadccnansiennasiedesseisseseeeseasonesomebanaseauntaese 24 6 6 Oxygen Solenoid or Injector Stuck Open cee eeee cece cece eee eeeeeeeeeeeeees 24 6 7 Oxygen Solenoid or Injector Stuck Closed cece cece eeeee eee eeeeeeeeeeeeeeeees 25 6 8 Oxygen Manual Injector Failure Open or Closed eeeeeeeeeeeeeeeeeeeeeeeees 26 6 9 Wrong Gas in Oxygen cylinder eee eee e cece cece cence ee eeeeeeeeeeeeeeteeeens 27 6 10 OXVOEN TEs ep E EEEE CEEE EESE EEEE verered ered TEESE rede deere 27 6 11 Calibration using wrong gas sssssessssssseeseeessseseeeesseseeresseeeeeeesseeeee 29 6 12 Solenoid Stuck Shut due to rise in Intermediate Pressure 000eeeeeee 29 6 13 02 orifice motor driver failure orifice type injectors ssssssssssssssssseeee 30 6 14 Use of O2 instead of Make Up Gas ee cee cece eeece eee ec eee eeeeeeeeeeeeeneeees 30 6 15 Use o
110. eeeeees 63 9 9 Oil Filled Chamber Leaks Oil cece cece cece En ed EE E EEEE ECEE EEEE EEES 64 9 10 Electronic Component Explodes cee cece eee ce ence ee eeceeeeeeeeeeneeeeteeees 65 9 11 Controller fails to handle situation where diver does not understand failure Message or is UNADLE tO ACE eee cece cence tenet ence ee a a e E EE e ia 65 9 12 Faulty Software by design cee eee ee eee ence eee eeceeeeeeeeeeeseeeetaeeeeneeees 66 9 13 Faulty Software by ageing cece cece cece cece ee ee eee eeeeeeeeeeeeeneeeeetaeees 67 9 14 Monitoring or control devices Misread ccc eee ee eee eee eeeeeeteeeeeteeeeees 67 9 15 Cracked Electronics HOUSING ee eee eee eee e cence eee eeeeeeeeeeeeeteeeeenaee 68 9 16 Corroded WINNS tccevue aces ee aead sar eaosegadedeneuneeessileleds cedebieasietecedetacecaatene 69 9 17 System Looping on Interrupts raising PPO2 ee eeeeee eect eee e eee eeeees 69 9 18 High Voltage On Connectors cece ee eee eee e eee eee ee eee eeeeeeeeeeeeeteeeeeeaeees 70 9 19 Brown out CYCLING cece cece cece een e eee e cece eee EEEE aa 70 9 20 Failure to turn ON sveeccesesccvceeccvedeccesveccssecsieestetvesessereeeseseeeseeeseeeer ees 71 9 21 Single points of failUre cee eee e cee ence cence eee eeeeeeeeeeeeeteeeeenaee 71 9 22 EMC failu E aaaea aa EEEE EEEE EEEE E EEA 72 9 23 Auto Bail Out fails to operate when required sssssssssssss
111. elow the surface Fatal accidents have occurred for this reason To avoid this risk the rebreather diver shall bail out onto Open Circuit or simply may a buoyant ascent and exhale if the rebreather is not providing additional oxygen Related risks where oxygen may be lost from incorrect positioning of OPVs on rebreathers further extends this hazard to rebreathers where there is an oxygen supply These accidents require detailed formal modelling to conclude the cause but in some cases it is due to an ascent blackout as the injected oxygen was not conveyed to the diver due to flow reversal as the volume of the gas in the counterlungs expand faster than required to meet the diver s the respiratory volume FMECA_OR_V6_141201 doc Rev C6 144 of 163 This document is the property of Deep Life Design Group and is released for Open Distribution subject to no modification being made and the document being reproduced in full Deep Life Design Group is a trademark of Deep Life Ltd IBC Deep Life Design Group 18 19 Immersion Pulmonary Oedema IPO Cause A phenomenon that is not fully understood but seems to be multifactorial in cause the end result of which is is fluid accumulation in the air spaces and parenchyma of the lungs IPO leads to impaired gas exchange and may cause respiratory failure leading to cardiac arrest from hypoxia and death The primary symptom is difficulty in breathing IPO appears not to
112. ent Failures Decompression Computer Faults Thermal Management Related Faults Umbilical supplied Equipment specific Diver Physiology Related Faults General environmental hazards 16 Safety Process failures This document serves a dual purpose namely 1 To provide a check list to ensure that top level failures are managed safely by the rebreather This top down method is matched by a bottom up review of the electronics mechanics software firmware and a hierarchical fault tree analysis down to component level 2 To provide a structured framework for the analysis of equipment after an accident to determine whether or not the equipment contributed to or caused the accident The evidence can be compared with all possible causes to develop a plausible cause list that can be further reduced using formal verification mathematical modelling of the known dive profile to identify the point where the problem occurred All references to the system refer to the Open Revolution submission by Deep Life Ltd References to mandatory checks refer to the pre dive checks performed by that specific rebreather controller However the list of possible faults is that known on any rebreather This document covers the rebreather itself and essential diving equipment to use the rebreather Separate equipment should have a separate FMECA or safety certification and is included here only where the failure may cause a failure that may be associated
113. ep Life Ltd IBC Poor 02 handling Organic contamination Poor maintenance Unsuitable materials Poor design Silicone oil filled pressure gauges oil leaking numerous O2 fires from this source Preventative action Proper design and maintenance procedures Proper training of operators Use gases with 23 less 02 Functional Safety Implication Perform a full oxygen assessment of all materials flows and components in contact with high or medium pressure oxygen in accord with the latest guidelines for oxygen component assessment published by NASA and the American Society for Testing and Materials Specific assessment shall be made with regard to risks of 1 Oe Oe UE Particle impingement Mechanical Impact Pneumatic impact Flow Friction Galling and Frictional Heating Rapid pressurisation Resonance Electrical arcing Adiabatic compression The assessment shall be verified by oxygen surge testing to ISO 10297 2006 e shall be carried out on all high pressure oxygen components and broadly similar tests on medium pressure oxygen components 3 Viton O rings are the only O rings suitable for high pressure oxygen these shall be 90 durometer or greater for high pressure gases and 70 durometer for low pressure Viton has poor performance when exposed to ozone from welding and has poor wear properties All lubricants require an auto ignition pressure to be tested in pure oxygen and that pressure
114. er 17 11 Loss of Suit Heating v v v Commercial diver 17 12 Excess suit heating v v v Commercial diver 17 13 Tools and Equipment v v v Commercial diver 17 14 Oro nasal one way valve v v v failure Commercial diver FMECA_OR_V6_141201 doc Rev C6 160 of 163 This document is the property of Deep Life Design Group and is released for Open Distribution subject to no modification being made and the document being reproduced in full Deep Life Design Group is a trademark of Deep Life Ltd IBC Deep Life Design Group Fault Eliminate or Mitigate By Annual Risk After Mitigation Design Training Maintenance Severity 1 Probability Risk 17 15 Gas manifold one way valve Y v v failure Commercial diver 17 16 Loss of Umbilical Gas 17 17 Bail Out Gases Used instead V of Oxygen 18 Diver Physiology Related Faults v v v 18 1 Hypoxia v v v 18 2 Hyperoxia v v v 18 3 Hypercapnia v v v 18 4 Breathing off loop that v v v otherwise cannot sustain life 18 5 Allergic Reaction to Material 18 6 Vomiting into breathing loop W 18 7 Deco dive with incorrect PPO2 level in loop 18 8 DCS risk higher than v v v statistical projection of deco algorithm 18 9 Respiratory collapse from v v v WOB 18 10 Respiratory collapse from v v v thermal respiratory shock 18 11 Respiratory collapse from v v v asthma 18 12 Respiratory collapse from v v v wa
115. er This is not the case Rebreathers are fundamentally unsuitable for very cold water particularly water below freezing unless the rebreather is designed specifically for that purpose and incorporates sufficient safe heating elements to keep the equipment warm and free of ice this requires heating to around 20C due to the speed at which ice can form on barriers such as the breathing hoses or around objects where the gas flow is the fastest such as mushroom valves and gas injectors Diving in water below 4C poses special hazards The risks increase with reducing temperature as shown below Above 4C Low risk Below 4C Significant risk of death Below OC High risk of death Below 4C Almost certain death The risks occur from the following causes 1 The moisture in the breathing loop is almost pure water so freezes at a higher temperature than sea water The water can freeze in the breathing hoses on the mushroom valve or in the scrubber 2 The oxygen sensors do not perform correctly at very low temperatures This will lead to large errors in PPO2 3 The scrubber efficiency drops as the square of the temperature At around ir just below zero granular scrubbers can stop working 4 The expansion of injected gas in the humid environment of the rebreather will cause ice to form on the injector nozzle This can block the injector so the injector is heard to fire click by the user if a solenoid design but is no
116. erate as a pure 02 rebreather above 6m 2 The injector should be able to inject 12l min 6 20 ALV freeflow with hypoxic Make Up Gas near surface Cause ALV leakage or freeflow on entering the water with hypoxic Make Up Gas resulting in diver hypoxia Manual flush where Make Up Gas is hypoxic Preventative action Not to start dive unless PPO2 is 0 7 not to allow hypoxic Make Up Gas on surface unless injectors can achieve at least 12l min of 02 Functional Safety Implication 1 Hypoxic Make Up Gass should be run via a manifold and not used near the surface 2 Detect what the Make Up Gas gases are and decline the dive if hypoxic on surface 3 PPO2 should be 0 7 or above to start dive 4 02 injectors should be able to achieve 12l min 5 ALV injection rate should be limited to 12l min 6 21 ALV freeflow with high PPO2 at depth Cause ALV leakage or freeflow at depth with Make Up Gas having excessive FO2 See also fault 7 1 Manual flush at depth with Make Up Gas having excessive FO2 Switching the wrong gas on a manifold Preventative action Dive training to use appropriate gases for Make Up Gas Functional Safety Implication 1 Hyperoxic Make Up Gass should be run via a manifold and switched out at depth such as by turning the cylinder off and manifold off 2 02 injectors should be able to achieve 12l min FMECA_OR_V6_141201 doc Rev C6 33 of 163 This document is the property of Deep Life
117. ererenerereeenes 150 20 1 FMECA IncompleteneSs eecceeeecc cece ee eeeeeeeeceeeeeeeeeeteeeeeteeerenaee 150 20 2 Incompetent or negligent developer cece ee ceeeeceeeeessseeeeeeeeesseeees 150 20 3 Incompetent or falsified Certification ccc cece ees cece ee enneeeceeeeeenaeees 150 21 Severity and Risk ASSESSMENL eee cece cence eee e eee eee eee eeeeeeeeeeeeeteeeeneee 151 22 REFEENCES niisiis t pa EEE EEEE VEENEV ECKE EEEE ETETE EEEn Errena 162 FMECA_OR_V6_141201 doc Rev C6 8 of 163 This document is the property of Deep Life Design Group and is released for Open Distribution subject to no modification being made and the document being reproduced in full Deep Life Design Group is a trademark of Deep Life Ltd IBC Deep Life Ltd IBC 1 PURPOSE AND SCOPE This document is a top down Failure Mode Effect and Criticality Analysis of diving rebreathers that is intended to catch all faults known in any rebreather though with specific attention to the Open Revolution family of rebreathers developed by Deep Life Ltd By Top down it means this FMECA considers each functional requirement of the rebreather system in its fullest sense 1 Gas Supply Containment Failures Provision of Oxygen Loop Volume Sufficiency Loop Volume Relief Control and Information Oxygen Level Monitoring Carbon Dioxide Removal Flooding and Drowning Other Rebreather Related Failures Associated Equipm
118. esign Group and is released for Open Distribution subject to no modification being made and the document being reproduced in full Deep Life Design Group is a trademark of Deep Life Ltd IBC Deep Life Ltd IBC Overheating of battery Sudden power off Dive As on surface Recovery action during Dive Bail out Preventative action Mitigate by design Functional Safety Implication It is necessary to vary that each possible cause of flood is eliminated in a design using appropriate design verification tests A feature of new electronic designs tends to be repeated flooding during development each flood needs to be traced and eliminated Functional safety mitigation measures may include e Use a vacuum inside the housing of dive electronics and detect when the vacuum is lost to put the system into a safe mode and shutdown e Use of Gel fill such that if there is water ingress the damage is limited Silicone oil expands by around 10 in volume over the normal operating temperature range for dive equipment so provision needs to be made for that such as use of a diaphragm membrane or compensating piston The amount that gels expand depends on their set viscosity with high durometer near solid gels expanding little and very viscous gels expanding to a similar degree as silicone oil A useful tool in tracing sources of water ingress is Kolor Kut paste this changes colour in the presence of water 10 OXYGEN LEVEL MONIT
119. essure between ALV and OPV less than the OPV cracking pressure Umbilical supply cut disconnected crushed Symptoms Surface Failure of pre dive checks Make Up Gas contents gauge reads zero Diver s freeflow purge check fails Dive Lung squeeze on descent unable to inject Make Up Gas Auto Air Out not functional Dry suit inflate not functional Recovery action during Dive Plug in a reserve gas supply Inflate lungs with manual O2 inject if above 6m Abort dive without descending Preventative action Pre dive checks Functional Safety Implication System should monitor Make Up Gas pressure Where a mismatch the error message should be specifically Make Up Gas Tank Valve is Closed Open it Requires a contents gauge on the Make Up Gas tank 7 2 Make Up Gas Cylinder Switched Off Cause Valve rubbed or forgetfulness Symptoms Surface Failure of pre dive checks Make Up Gas contents gauge reads zero Dive Lung squeeze on descent unable to inject Make Up Gas Auto Air Out not functional Dry suit inflate not functional Recovery action during Dive Open valve Preventative action Pre dive checks Functional Safety Implication System should monitor Make Up Gas pressure Where a mismatch the error message should be specifically Make Up Gas Tank Valve is FMECA_OR_V6_141201 doc Rev C6 39 of 163 This document is the property of Deep Life Design Group and is released for Open Distribution subjec
120. f Deep Life Ltd IBC Deep Life Ltd IBC Diver using a gas with a FO2 of less than 16 for dives to less than 80msw breathing from that gas near the surface Preventative action Proper training and instruction in manual to use a FO2 in the Make Up Gas of 16 or more Functional Safety Implication Detect what the Make Up Gas gases are and run as a pure 02 rebreather automatically when above 6m 6 16 Use of hypoxic Make Up Gas in ascent to surface Cause Loss of 02 Use of wrong bail out gas Use of wrong cylinder of gas Poor training Preventative action Monitor O2 and Make Up Gas gases Functional Safety Implication Eliminate manual gas injection Ensure O2 injector can keep breathing loop at full pressure at maximum rate of ascent 120m min Include torpedo test and fast ascent test in O2 injector verification 6 17 Uncontrolled ascent max 120m min with low PPO2 Cause Loss of weight belt Catastrophic failure of buoyancy control device or injector Suit injector stuck on BCD injector stuck on User pressing the wrong button on the BCD inflator Entanglement with a towed object Entanglement with an SMB or lift bag Preventative action Improved training to handle SMBs and Lift Bags properly Keep weight belts to simple belts rather than weight jackets OPV should be fitted to inhale counterlung to ensure gas flow from injectors does get to the inhale counterlung Functional Safety Implic
121. f hypoxic Make Up Gas when entering water eeeeeeeeeeeeeeeeees 30 6 16 Use of hypoxic Make Up Gas in ascent to surface cece eeeee ence eeeeeeees 31 6 17 Uncontrolled ascent max 120m min with low PPO2 cc eee eee eee ees 31 6 18 PPO2 low due to injection not keeping up with demand eeeeeeeees 32 FMECA_OR_V6_141201 doc Rev C6 3 of 163 This document is the property of Deep Life Design Group and is released for Open Distribution subject to no modification being made and the document being reproduced in full Deep Life Design Group is a trademark of Deep Life Ltd IBC Deep Life Design Group 6 19 Low PPO2 set point followed by rapid ascent eeeeeeeeeeeeeeeeeeeeeeees 32 6 20 ALV freeflow with hypoxic Make Up Gas near surface eeeeeeeeeee eens 33 6 21 ALV freeflow with high PPO2 at depth cece cece ee eee ee eeeeeeeteeeeees 33 6 22 Left to Right Flow instead of safer Right to Left loop flow 66 34 6 23 Hypoxia when OPV is on exhale counterlung during fast ascent 34 6 24 SCR has insufficient oxygen iN GAS cece e cece cece eect eee eeeeeeeeeeeeeeeeeeee 35 6 25 Passive oxygen addition rate incorrect MCCRs PA SCR ceeeeeeeeeeeees 35 6 26 Oxygen addition button seized or Stuck eee eeeeeeee eee e eee eeeeeeeeeeeeee 36 6 27 Inaccessibility of oxygen addition bu
122. fied FMECA_OR_V6_141201 doc Rev C6 59 of 163 This document is the property of Deep Life Design Group and is released for Open Distribution subject to no modification being made and the document being reproduced in full Deep Life Design Group is a trademark of Deep Life Ltd IBC Deep Life Ltd IBC Secondary cells shall not be used they cannot be characterised as they are generally supplied by many different companies each with slightly different characteristics There shall be at least two power sources for SIL 2 and three at SIL 3 Each have to be checked and the dive does not start if one of them is down this can be achieved by signalling to an auto shut off valve for example There is a risk that where the cell has a very long life e g the equipment can operate for hundreds of hours between recharges then the user does not check the battery level The optimum period appears to be around 30 to 40 hours between recharges 9 5 Battery overheating Cause Shorting or mechanical damage to the battery Excessive discharge rate Excessive charge rate Charging in a temperature range where the battery has a higher capacity than at a temperature which occurs during subsequent storage transport or use Symptoms Surface Fire or Explosion risk Dive Explosion risk Risk of sudden loss of battery power Recovery action during Dive Bail out Preventative action Eliminate risk by design Function
123. g Simple weight belts should be encouraged with retainer to prevent accidental loss FMECA_OR_V6_141201 doc Rev C6 147 of 163 This document is the property of Deep Life Design Group and is released for Open Distribution subject to no modification being made and the document being reproduced in full Deep Life Design Group is a trademark of Deep Life Ltd IBC Deep Life Design Group Loss of control of dry suit gas may cause diver to by up ended which without training the diver may not recover from Recovery method is simply to form a ball and roll out If diver does not succeed then effect may be drowning Disorientation Illness vertigo reduction in visibility unfamiliar environment with effect of panic or behaviour leading to entrapment or becoming separated underwater Ultimately effect may progress to drowning from insufficient respiratory gas or barotrauma from loss of buoyancy Perceptual Narrowing Stress leading to information essential for safety being ignored Panic Predisposition asthma lack of training with effect of excess use of respiratory gas behaviour contrary to safety Barotrauma Breath holding during ascent from as little as 1 2m with effect of gas embolism Loss of buoyancy leading to pulmonary barotrauma alternobaric vertigo compression barotrauma or any embolism Illness causing gas blockage with effect of embolism on lungs Prostheses or dental
124. gn Group 11 10 Caustic cocktail from CO2 scrubber Cause Flooding of scrubber Water generated by scrubber coming into skin or eye contact Symptoms Burning sensation Respiratory spasm if inhaled Surface Risk of caustic burn from contact with wet scrubber material Dive Risk of respiratory spasm leading to loss of consciousness Recovery action during Dive Listen for sound of flooding Bail out Divers should avoid skin contact with scrubber material Preventative action Use EACs which have greatly reduced caustic risk Positive and negative pressure checks prior to dive Functional Safety Implication 1 1 11 10 The rebreather should be highly resistant to flooding using double seals where reasonable possible and ensuring all fittings are very secure 1 1 11 11 Use EACs to minimse risk of caustic cocktail 1 1 11 12 User manuals should explain caustic risk and avoid diver having liquid from scrubber touch his lips face or tongue 1 1 11 13 Provide water traps in mouthpiece as well as in counterlungs to prevent liquid touching the diver s lips or by inhalation 1 1 11 14 Provide electronic flood warnings where within ALARP to do so 1 1 11 15 Provide audible warning of flood structures that create a clear gurgling sound when a flood starts 11 11 Hoses pinched or kinked Cause Unsuitable hose design allows kink preventing gas being supplied or causing WOB to increase Preventative action N
125. hanical properties long term Neoprene has offgasing hazards Cordura and nylons have leak and resilience hazards when used for counterlungs increasing WOB Black FMECA_OR_V6_141201 doc Rev C6 113 of 163 This document is the property of Deep Life Design Group and is released for Open Distribution subject to no modification being made and the document being reproduced in full Deep Life Design Group is a trademark of Deep Life Ltd IBC Deep Life Design Group polyether TPU free from softeners appears to be the optimal counterlung material see next section Butyl rubber Natural Rubbers and Latex invokes an allergic reaction in a significant proportion of the population so should not be used in rebreathers See Section 18 5 e The following materials are generally acceptable in breathing loops subject to the notes below a Kynar is preferred for hard plastic parts it is the purest of all the synthetic resins is a tough plastic with low water absorption but is heavy and applying ALARP it was found it could not be moulded into many of the desired forms for rebreathers reliably Kynar has a high shrinkage around 4 linear leading to voids and dimensional non conformance in mouldings It is suitable for use in rebreather oxygen lines where a plastic is required Polypropylene PP without any plasticiser or softener is an acceptable alternative to Kynar Shrinkage is high at around 2 4 li
126. he water either fully or partially Recovery action during Dive Bail out Preventative action Perform a positive and negative pressure check before the dive Functional Safety Implication Lip seals appear to be the most suitable for this application Ensure wiping movement is sufficient 7 12 Flapper Valve Stuck Shut Cause Flapper valve fixed shut by sticky detritus Symptoms Surface Unable to breathe Dive As diver exhales from the rebreather loop the gas is vented into the water either fully or partially and the dive cannot inhale Recovery action during Dive Bail out Preventative action Perform flapper valve checks before the dive Functional Safety Implication Lip seals require a very thin seal area to avoid stiction User manual should emphasise the need for cleaning after each dive FMECA_OR_V6_141201 doc Rev C6 47 of 163 This document is the property of Deep Life Design Group and is released for Open Distribution subject to no modification being made and the document being reproduced in full Deep Life Design Group is a trademark of Deep Life Ltd IBC Deep Life Ltd IBC 7 13 Foreign Material in Breathing Hoses See also Fault 11 14 and 11 5 Cause Plugs added by diver to prevent roaches getting into hoses are accidentally left in place Symptoms Surface Unable to breathe Dive As diver exhales from the rebreather loop the gas is vented into the water either fully or parti
127. heating system Include extreme induced current test in system evaluation Functional Safety Implication Test the equipment for operation between a pair of underwater burning system electrodes in use actual burning Measure the field The EMS limits in CE directives do not cover the high current densities seen in diving so test using the highest possible current density with the unit in water Shield all internal electronics for magnetically induced currents Consider use of liquid crystal electrolytic materials such Kynar for the electronics shell to form a Faraday shield around the electronics in the presence of intense underwater electrical currents 17 14 Oro nasal one way valve failure Commercial diver Cause Failure to check valve pre dive or umbrella valve stalk failure it may be missing inverted or damaged Preventative action FMECA_OR_V6_141201 doc Rev C6 130 of 163 This document is the property of Deep Life Design Group and is released for Open Distribution subject to no modification being made and the document being reproduced in full Deep Life Design Group is a trademark of Deep Life Ltd IBC Deep Life Design Group Check oro nasal one way valve before every dive Functional Safety Implication Retained CO2 issue 17 15 Gas manifold one way valve failure Commercial diver Cause Top gas manifold on a commercial rebreather routes the bail out gas to the injector when the ma
128. hecks so diver simply jumps in knowing the rebreather has auto on This fault mode is separated out in this FMECA as a result of an fatal accident on another rebreather model every rebreather accident is analysed for new fault modes regardless of who makes the rebreather in question this document is a repository of all known top level rebreather faults so they are not repeated with new generations of equipment Symptoms Surface Fails to pass predive checks FMECA_OR_V6_141201 doc Rev C6 75 of 163 This document is the property of Deep Life Design Group and is released for Open Distribution subject to no modification being made and the document being reproduced in full Deep Life Design Group is a trademark of Deep Life Ltd IBC Deep Life Ltd IBC Dive Alarms are ignored as diver knows they relate to missing predive checks Recovery action during Dive Bail out Preventative action Mitigate by design Functional Safety Implication This is a very interesting fault and related to the fault in Section 9 23 On one hand the diver needs to be protected from hypoxia as there are many fatal accidents caused by divers diving rebreathers that are switched off on the surface or underwater or that are in a non life support mode underwater but on the other hand needs to be protected from himself exploiting this feature when the rebreather is not safe to dive It is essential to provide auto on given
129. hing loop is required as the risk of flooding in a situation that could escalate is significant Preventative action Design in Functional Safety Implication Rebreather should be fitted with a safe means to drain water during the dive 12 9 Water Drain Failure Cause Either mechanical failure or particularly failure to realign the sealing pad after use Sealing pads may more sideways preventing them sealing some pull dumps do this much more often than others Preventative action Design in Functional Safety Implication One way valves shall be fitted to water dumps on the rebreather loop to prevent excessive water ingress The water dump should be optimised to the extent possible within ALARP to ensure the sealing pad reseats correctly after use FMECA_OR_V6_141201 doc Rev C6 109 of 163 This document is the property of Deep Life Design Group and is released for Open Distribution subject to no modification being made and the document being reproduced in full Deep Life Design Group is a trademark of Deep Life Ltd IBC Deep Life Design Group 13 OTHER REBREATHER EQUIPMENT FAILURES 13 1 Pressure causing implosion Cause Gas cavities in the equipment Use of inappropriate materials or materials of insufficient strength Operating equipment beyond the design limits Loss of silicone oil in oil compensated chambers Symptoms Surface Not applicable Dive Sudden loss of function Loud expl
130. ibution subject to no modification being made and the document being reproduced in full Deep Life Design Group is a trademark of Deep Life Ltd IBC Deep Life Design Group 17 FAILURES SPECIFIC TO UMBILICAL SUPPLIED DIVES 17 1 Loss of Umbilical Commercial diver Means complete cutting of the umbilical or cutting it and losing some of the services on the umbilical such as power or gas Cause Disconnection Heavy object falling on umbilical Cutting of umbilical Failure of topside to provide umbilical support Preventative action Reduce umbilical services to the minimum power communications and umbilical gas feed Functional Safety Implication Should be survivable by use of bail out carried by diver Maximum depth and maximum O2 concentration in bail out gas determines bail out size Put a transponder onto the diver Separate to the rebreather Consider the external protection to avoid the reduction in diameter from increasing the risk of it being severed but diver need to be able to cut the umbilical or disconnect the umbilical using normal diver hand tools if required 17 2 Cut of umbilical near surface Commercial Diver Cause Disconnection Heavy object falling on umbilical top side Cutting of umbilical Failure of topside to provide umbilical support Preventative action Risk is the diver being sucked into the umbilical due to the pressure in the umbilical being much less than the ambient
131. ically by doing the O2 flush under start up sequence control and hence eliminated 02 Cells need to be characterised for degree of droop in CO2 and cells selected that do not suffer from CO2 poisoning Analytical Industries PSR 11 39 DL sensors tolerate pure CO2 exposure for more than 24 hours and no CO2 failures found in tests involving multiple exposures to 4 5 SEV CO2 for up to 8 hours at a time at depths to 400m 10 3 Load Resistor Failure in O2 Cell Cause Cell has a load resistor typically 82 to 390 to bleed off the charge generated by the cell and convert the charge into a current through the resistor so the voltage from the cell can be measured If the resistor becomes open circuit the output voltage on the cell increases until there is another discharge path This can create very high voltages with enough power stored in the capacitance of the cell to destroy 10K HBM input protection Preventative Action 1 Competent design 2 Avoid cells with multiple components in the output more components means a greater failure risk Functional Safety Implication 1 Use a connector which always mates ground before signal and protects the connections from corrosion 2 Do not wire all cells to one chip whether one ADC one MUX or one op amp block e g a quad op amp This affects the redundancy design there needs to be either four sensors so no more than two are routed to a chip or three completely independent ADC channels
132. in umbilical gas supply fails The main umbilical is a breathable gas the bail out gas is not the PPO2 is too high One way valves prevent the bail out gas flowing into the umbilical supply where it would increase the PPO2 of the gas the diver breathes via either helmet freeflow or demand valves or by auto loop volume devices The problem cannot be mitigated by lowering the PPO2 in the bail out without reducing considerably the duration of the bail out at extreme depth For example at 600msw the diver may be breathing a gas with only a few percent of 02 so to add O2 to the loop a lot of Make Up Gas is expelled This means the amount of bail out gas for extreme depths is unreasonably large if the bail out is breathable Instead the problem is mitigated by use of two one way valves in series These one way valves shall operate with a very high absolute pressure but a low differential pressure Most one way valves that can withstand a full tank blowout pressure 300bar rely on 4 bar of more of differential pressure to shut them In this case the valves operate at 2 bar so normal one way gas valves leak Where a commercial rebreather is supplied with pure O2 in the umbilical then leakage of the one way valves would result in the diver being supplied with pure O2 by the ALV a critical failure that requires rapid intervention to prevent the diver s PPO2 rising to dangerous levels such as the ALVBOV switching the diver to open circuit o
133. ing injury or it fails mechanically Symptoms Surface None Dive Rebreather floods through mouthpiece Recovery action during Dive Mechanical failure diver needs to stay on the loop If diver has a disabling injury if the BC does not have enough lift then this is a very serious failure Buddy needs to dump stage cylinders and if this is not enough dump weights Preventative action Avoid by design Ensure mouthpiece retainer gag strap is fitted and used Auto shut off the mouthpiece if it is out of the diver s mouth to prevent a flood Functional Safety Implication 32 Ensure the BC is big enough to lift a flooded rebreather 33 Fit a mouthpiece retainer 34 Design the mouthpiece to shut off automatically if out of the diver s mouth 12 3 Mouthpiece failure i e failure to allow diver to breathe from loop when this is desirable Cause FMECA_OR_V6_141201 doc Rev C6 106 of 163 This document is the property of Deep Life Design Group and is released for Open Distribution subject to no modification being made and the document being reproduced in full Deep Life Design Group is a trademark of Deep Life Ltd IBC Deep Life Design Group Mouthpiece bite not well attached to mouthpiece No mouthpiece retainer and diver has LOC or disabling injury Connector failure Symptoms Surface Mouthpiece comes away Dive Diver cannot breathe from loop Recovery action during Dive Us
134. ion Mitigation is by regular review of safety data and supplementation of the FMECA Functional Safety Implication At least annual review of the FMECA is required 20 2 Incompetent or negligent developer Cause amp Prevention Developer not aware of safety requirements and has not accessed or applied Functional Safety standards or neglects to apply the required safety processes there is no bound to the presumption of salesmen that think they are safety engineers and need no training Functional Safety Implication Functional Safety and CASS templates state specifically the qualification requirement for developers CASS templates require the IEE BCS grades be applied increasing with increasing SIL level This implies MIEE may be acceptable for low SIL but FIEE is required for high SIL SIL 2 and above The requirement for FIEE FIET or national equivalent at SIL 3 and above is confirmed by CASS auditors All other competence and training issues are stipulated by EN 61508 2004 Engineering staff working on project need to be assessed against this 20 3 Incompetent or falsified certification Cause amp Prevention y See J Kruger amp D Dunning Unskilled and Unaware of it How Difficulties in Recognising Incompetence Lead to Inflated Self Assessments Journal of Personality and Social Psychology 1999 Vol 77 No 6 pp 1121 1134 Rebreathers electronics and software developed by salesmen who have never attende
135. iratory collapses these appear to occur frequently in divers In training The diver needs to be trained what to do when a respiratory collapse occurs namely 1 Secure themselves so if a loss of consciousness occurs the diver will not sink down or rise up a buddy can be very helpful in this or attachment to a nearby structure 2 The diver shall not ascend rapidly to the surface as without the ability to exhale properly the accident can progress to a fatal embolism very easily 3 The diver shall stop movement to reduce the metabolic demand on oxygen 4 The diver needs to remain calm and breathe in very slow deep breaths in and out until their respiration becomes normal which may be as long as five or ten minutes The diver will feel starved of air but air will be exchanged and the diver can survive so long as the RMV is kept below the amount that can pass through the collapsed trachea A respiratory collapse is a very dangerous event that can progress to drowning panic attack or Immersion Pulmonary Oedema so should be addressed immediately by the above actions In operation exhaust valves and mouthpieces need to be cleaned and inspected after each dive In design implement the Functional Safety Implications listed below Functional Safety Implication 1 Mouthpieces require retainers so they stay in the mouth even if a Loss of Consciousness occurs 2 The training material should describe how to respond if res
136. is document is the property of Deep Life Design Group and is released for Open Distribution subject to no modification being made and the document being reproduced in full Deep Life Design Group is a trademark of Deep Life Ltd IBC Deep Life Ltd IBC h Automatic bail out valve shall be able to be activated manually without any electronic power 9 24 Auto Bail Out operates when not required Cause Mechanism jam electrical failure freezing free flow high ambient temperatures reduce energy available to drive the actuator sliding surfaces stick wear of actuator or related parts mechanical damage corrosion salt deposits failure to service failure to lubricate parts out of tolerance firmware failure sensor failure program failure sensor noise Symptoms Surface Diver is forced onto bail out gas Dive Ditto Recovery action during Dive Operate bail out valve manually to get back on loop If that fails bail out and abort dive Preventative action Mitigate by design and manage by good dive practice carry sufficient bail out gas Functional Safety Implication a Emphasise the need to carry sufficient bail out gas in diver training b Monitor the rate of false alarms and set alarm matrix values accordingly c Automatic bail out valve shall be able to be activated manually without any electronic power 9 25 Auto On Encourages Reckless Diver Behaviour Cause Rebreather does not pass predive c
137. it a sintered bronze filter to the detritus tube in the valve or regulator to prevent foreign material moving from the the cylinder to under the valve seat 5 Fit and use fresh batteries in eCCRs 6 Use as oxygen compatible valve seat material as possible within ALARP Functional Safety Implication 1 Apply all of the preventative actions listed above 2 In mCCRs it is possible to use an intermediate pressure hose that can withstand the full tank pressure for example a 3 8mm O D 0 8mm I D PVDF hose can withstand 300 bar This hose limits the flow rate under over pressure conditions The over pressure valve is not needed under these conditions but need to be fitted for some compliance purposes 3 In eCCRs it is possible to either use a hose that withstands 300bar such as Tungum tube or the PVDF hose or a SCUBA hose with a burst pressure exceeding 120 bar for one minute 4 Some solenoids have only a narrow range of intermediate pressures they tolerate solenoids and injectors should operate correctly from near 0 bar to at least 130 bar to ensure the solenoid or injector does not fail before the hose FMECA_OR_V6_141201 doc Rev C6 23 of 163 This document is the property of Deep Life Design Group and is released for Open Distribution subject to no modification being made and the document being reproduced in full Deep Life Design Group is a trademark of Deep Life Ltd IBC Deep Life Ltd IBC
138. itable BC impairs use of the rebreather such as by moving the breathing hoses Dive As per surface and unable to maintain buoyancy Recovery action during Dive Abandon dive Use alternative buoyancy source Ditch weight belt if necessary Preventative action Service regularly and test inspect Design and test BC to EN1809 Functional Safety Implication Outside eCCR but covered in end to end clause Sell BC with rebreather where a BC will be used 13 3 Harness Failure Cause Structural failure of component Symptoms Surface Back unit swings and becomes loose Dive Unlikely as unit s weight is water supported Recovery action during Dive Tighten other straps Abandon dive if unable to re secure Preventative action Service regularly and test inspect Functional Safety Implication Use multiple attachment points 13 4 Pressure Sensor Failure Cause Any pressure sensor failure gas contents ambient differential FMECA_OR_V6_141201 doc Rev C6 111 of 163 This document is the property of Deep Life Design Group and is released for Open Distribution subject to no modification being made and the document being reproduced in full Deep Life Design Group is a trademark of Deep Life Ltd IBC Deep Life Design Group Recovery action during Dive Abort dive Preventative action Monitor pressure monitors frequently Functional Safety Implication The failure modes of the pressure sensors
139. ive Avoid positions causing free flow abort dive Preventative action Do not use an OPV as a water trap that is additional to main OPV they cannot both work unless adjustment is within an extremely tight tolerance Functional Safety Implication Do not use OPVs as water traps use good water blocking and the main OPV instead 8 11 OPV is on exhale CL instead of inhale CL where it should be Cause Bad design failure to carry out full verification and testing User can swap OPV with ALV in error Symptoms Surface None Dive In an uncontrolled ascent gas travels from inhale CL through scrubber to exhale CL as well as from inhale CL to diver This gas movement carries all the injected O2 into the exhale CL where it is vented Asa result the PPO2 in the gas breathed by the diver plummets Recovery action during Dive FMECA_OR_V6_141201 doc Rev C6 54 of 163 This document is the property of Deep Life Design Group and is released for Open Distribution subject to no modification being made and the document being reproduced in full Deep Life Design Group is a trademark of Deep Life Ltd IBC Deep Life Ltd IBC Slow ascent Empty the inhale CL by deep breath and vent regularly during ascent Preventative action Locate OPV on inhale CL only Functional Safety Implication Ensure user cannot switch OPV with ALV accidentally 8 12 OPV is set incorrectly Cause Variable setting OPVs Symptoms
140. l be tested rebreathers monitors PFD bell boxes and communications units The minimum legal requirement is testing for Radiated emissions ESD Auto Bail Out failure to operate 9 23 Auto Bail Out fails to operate when required Cause Mechanism jam electrical failure freezing free flow high ambient temperatures reduce energy available to drive the actuator sliding surfaces FMECA_OR_V6_141201 doc Rev C6 73 of 163 This document is the property of Deep Life Design Group and is released for Open Distribution subject to no modification being made and the document being reproduced in full Deep Life Design Group is a trademark of Deep Life Ltd IBC Deep Life Ltd IBC stick wear of actuator or related parts mechanical damage corrosion salt deposits failure to service failure to lubricate parts out of tolerance firmware failure Symptoms Surface Failure of safety function to operate Dive Ditto Recovery action during Dive Operate bail out valve manually If free flow bail out to another regulator or feather the cylinder valve Preventative action Mitigate by design Functional Safety Implication The DL ALVBOV electro mechanical actuator was designed for intermittent operation However in the period 2011 to 2013 the continuing accident monitoring identified the need for the actuator to be able to operate on a continuous basis The accident study information involved a respected rebrea
141. lenoid or Injector Stuck Open 6 7 Oxygen Solenoid or Injector V v v Stuck Closed 6 8 Oxygen Manual Injector v v v Failure Open or Closed 6 9 Wrong Gas in Oxygen cylinder VW v v FMECA_OR_V6_141201 doc Rev C6 152 of 163 This document is the property of Deep Life Design Group and is released for Open Distribution subject to no modification being made and the document being reproduced in full Deep Life Design Group is a trademark of Deep Life Ltd IBC Deep Life Design Group Fault Eliminate or Mitigate By Annual Risk After Mitigation Design Training Maintenance Severity 1 Probability Risk 6 10 Oxygen fire 6 11 Calibration using wrong gas 6 12 Solenoid Stuck Shut due to v v rise in Intermediate Pressure 6 13 O2 orifice motor driver v v v failure orifice type injectors 6 14 Use of O2 instead of Make v v v Up Gas 6 15 Use of hypoxic Make Up Gas v v when entering water 6 16 Use of hypoxic Make Up Gas v v in ascent to surface 6 17 Uncontrolled ascent max v v v 120m min with low PPO2 6 18 PPO2 low due to injection v v not keeping up with demand 6 19 Low PPO2 set point followed v v by rapid ascent 6 20 ALV freeflow with hypoxic v v v Make Up Gas near surface 6 21 ALV freeflow with high v v v PPO2 at depth 6 22 Left to Right Flow instead of VW v v safer Right to Left loop flow 6 23 Hypoxia when OPV is on
142. list as diver was rebreathing from a wing to make divers aware of the critical importance of cleaning counterlungs and wings FMECA_OR_V6_141201 doc Rev C6 117 of 163 This document is the property of Deep Life Design Group and is released for Open Distribution subject to no modification being made and the document being reproduced in full Deep Life Design Group is a trademark of Deep Life Ltd IBC Deep Life Design Group 13 9 Insects inside loop Cause Open ports into a rebreather seem to attract insects During Deep Life test diving there were several incidents where insects were found inside the breathing loop before or worse immediately after a dive a cockroach ants and the spider below identified as female Redback spider Latrodectus hasselti considered one of the most dangerous spiders in Australia Symptoms Surface Surprise for the diver A bite from a venomous spider on the tongue such as the Redback or the related Black Widow can be lethal Dive Unpleasant surprise which may escalate to panic with divers with phobias Possible serious injury to the diver from bites to the mouth or tongue Venomous insects may cause swelling of the tongue and a respiratory collapse or other reaction to the toxins Recovery action during Dive Bail out take mouthpiece out of mouth and flood it then hit the purge button then turn to the breathing loop carefully Preventative action Cap
143. lmonary edema of scuba divers Undersea Hyperb Med 24 1 29 33 PMID 9068153 Retrieved 2008 09 04 Cochard G Arvieux J Lacour JM Madouas G Mongredien H Arvieux CC 2005 Pulmonary edema in scuba divers recurrence and fatal outcome Undersea Hyperb Med 32 1 39 44 PMID 15796313 Retrieved 2008 09 04 1 Papaioannou V Terzi l Dragoumanis C Pneumatikos 2009 Negative pressure acute tracheobronchial hemorrhage and pulmonary edema Journal of Anesthesia 23 3 417 420 doi 10 1007 s00540 009 0757 0 FMECA_OR_V6_141201 doc Rev C6 145 of 163 This document is the property of Deep Life Design Group and is released for Open Distribution subject to no modification being made and the document being reproduced in full Deep Life Design Group is a trademark of Deep Life Ltd IBC Deep Life Design Group 1 If a diver has difficulty breathing then they should assume an upright position take very slow and exceptionally deep breaths in and out A diver that cannot breathe properly should NOT ascend 2 Switching to an alternative gas source is recommended 3 If a person has suffered an IPO event then use of a rebreather is counter indicated That is the person should not dive rebreathers 4 Optimisation of parameters that are implicated without waiting for the scientific understanding to confirm these In particular WOB counterlung elastance and hydrostatic imbalance should be
144. looded Preventative action Pre Dive checks Functional Safety Implication Eliminate the failure points assess the manual O2 injector for corrosion under pressure over pressure opportunity for mechanical damage design out the manual O2 injector as a failure point Eliminate the oxygen manual injector unless the rebreather operates using manual injection as a primary PPO2 control method on eCCRs the diver should inject make up gas not oxygen 6 9 Wrong Gas in Oxygen cylinder Cause Nitrox fill or gas other than 100 oxygen Symptoms Surface Failure to calibrate maybe Failure to hold set point Lungs full Dive Failure to hold set point maybe Excessive buoyancy and injector function Recovery action during Dive Bail out diver does not know what gas he is breathing Preventative action ALWAYS analyse your gases after a fill Functional Safety Implication Calibrate the 02 Cells in air by detecting when the scrubber can is open Make provision for saturation environments Check the 02 injector by a positive pressure test during startup and check 02 Cell response is as expected 6 10 Oxygen fire Cause FMECA_OR_V6_141201 doc Rev C6 27 of 163 This document is the property of Deep Life Design Group and is released for Open Distribution subject to no modification being made and the document being reproduced in full Deep Life Design Group is a trademark of Deep Life Ltd IBC De
145. loop v v 13 10 Argon Narcosis from using Y less than 99 pure Oxygen 14 Associated Equipment Failures v 14 1 Gross dry suit leak v 14 2 Entrapment Hazard v 14 2 Polarised Mask Hazard v 15 Decompression Computer v v v Failures 16 Failures Specific to Dives in Cold v v Water FMECA_OR_V6_141201 doc Rev C6 159 of 163 This document is the property of Deep Life Design Group and is released for Open Distribution subject to no modification being made and the document being reproduced in full Deep Life Design Group is a trademark of Deep Life Ltd IBC Deep Life Design Group Fault Eliminate or Mitigate By Annual Risk After Mitigation Design Training Maintenance Severity 1 Probability Risk 16 1 Effect of cold on the v v v rebreather 16 2 Thermal respiratory shock v 17 Failures Specific To Umbilical v Supplied Dives 17 1 Loss of Umbilical v v v Commercial diver 17 2 Cut of umbilical near surface VW v v Commercial Diver 17 3 Entrapment of Umbilical v v v Commercial diver 17 4 Loss of Helmet Commercial V v v diver 17 5 Sudden change in depth v v v Commercial diver 17 6 CO in loop Commercial v v v diver 17 7 HC or Volatile Organic v v v Compounds in Loop Commercial diver 17 8 Loss of communications v v v Commercial Diver 17 9 Loss of Gas Heating v v v Commercial diver 17 10 Overheating Commercial v v v div
146. lungs unable to v provide gas 7 11 BOV seal leaking emptying v v v loop volume 7 12 Flapper Valve Stuck Shut v 7 13 Foreign Material in Breathing V Hoses 7 14 Breathing Hoses Kinked v v v 8 Loop Volume Relief Failures v 8 1 OPV diaphragm damaged v FMECA_OR_V6_141201 doc Rev C6 154 of 163 This document is the property of Deep Life Design Group and is released for Open Distribution subject to no modification being made and the document being reproduced in full Deep Life Design Group is a trademark of Deep Life Ltd IBC Deep Life Design Group Fault 8 2 OPV diaphragm folded causing flood Eliminate or Mitigate By Annual Risk After Mitigation Design v Training Maintenance v v Severity 1 Probability Risk 8 3 Foreign material trapped under OPV diaphragm S lt 8 4 Incorrect O ring tolerance 8 5 OPV stuck shut 8 6 OPV stuck open 8 7 OPV cracking pressure relative to diver changes with attitude S NS SSN a Se es SISSI 8 8 OPV housing failure 8 9 OPV fails to shut sufficiently for positive pressure check lt lt 8 10 OPV interacts with water drain 8 11 OPV is on exhale CL instead of inhale CL where it should be 8 12 OPV is set incorrectly 8 13 OPV or drain admits water as it operates 8 14 Lack of means to vent loop manually when bailed out 9 Controller and Information Failures 9 1 Battery L
147. lve through particle impingement adiabatic compression Thermal expansion or contraction outside the design limits FMECA_OR_V6_141201 doc Rev C6 35 of 163 This document is the property of Deep Life Design Group and is released for Open Distribution subject to no modification being made and the document being reproduced in full Deep Life Design Group is a trademark of Deep Life Ltd IBC Deep Life Ltd IBC Preventative action Check the flow rates of dosing valves in both passive and active addition modes before every dive Functional Safety Implication 1 2 Assess all oxygen dosing valves stringently Where electronic means to do so exists measure the flow rate of all oxygen add valves before each dive and during the dive Follow up on all reports of any oxygen dosing valve failure to ensure all risks are mitigated to the extent possible Emphasise in training and in manuals the need to monitor PPO2 throughout the dive Emphasise in training and in manuals that if the counterlungs fill unexpectedly to bail out immediately and assess the safety of the loop before going back onto the loop following good procedures when doing so Where within ALARP provide a sound when the dosing button is depressed so diver knows that gas is being injected This can be achieved using a reed across the port that introduces the gas to the rebreather A white noise or pink noise is much more acceptable to divers
148. mCCR iCCR Cause Poor routing of the gas feed to the button Failure to provide a means to fix the button Failure to enable the gas hose to the button to be traced Locating the button in a region that is cluttered e g shoulders Partial incapacity of the diver from dry suit or equipment restrictions on diver movement Preventative action Oxygen addition Functional Safety Implication 1 Assess button location with the widest spectrum of diver sizes 2 Ideal location appears to be just above the crotch all divers can find it and have mobility of their hands just above that region 3 Provision shall be made to properly attach the dosing device such as belt loops 6 28 Oxygen Sensor Temperature Compensation Error Cause Failure of sensor temperature compensation This can result in errors in oxygen readings of 50 or more Temperature compensation circuits are generally not matched to the sensors The sensor has a long thermal time constant typically 30 minutes but the compensation thermistors have a fast time constant If these are not matched digitally then oxygen calibration may be performed using a sensor that is at a very different temperature to the thermistor resulting in errors of 20 or more but most importantly it usually affects all the sensors in the same way that are calibrated at the same time Preventative action Equalise the time constant of the thermal compensation thermistor and the ox
149. managed safely where there is a means to do so at reasonable cost the ALARP principle 18 1 Hypoxia Cause Breathing gas contains less than 16 of 02 Symptoms Surface Anaethesia Reduced awareness Sudden Loss of consciousness time activity and diver dependent but typically around a PPO2 of 0 065 atm Dive As on surface Recovery action during Dive Bail out Preventative action Force bail out automatically if user does not act on warnings Eliminate electronic controller failures modes that are not fail to safe state Functional Safety Implication Apply Functional Safety life cycle process appropriate to SIL assessment Implement a fail safe automatic shut off valve bail out is essential See all faults relating to Hypoxia herein and also Sudden Underwater Blackout Fault 18 18 18 2 Hyperoxia Cause Breathing gas contains excessive PPO2 for exposure duration FMECA_OR_V6_141201 doc Rev C6 133 of 163 This document is the property of Deep Life Design Group and is released for Open Distribution subject to no modification being made and the document being reproduced in full Deep Life Design Group is a trademark of Deep Life Ltd IBC Deep Life Design Group Diver s O2 tolerance is compromised by retained C02 Symptoms Surface Visual narrowing muscle spasms twitching followed by seizure Dive As on surface Recovery action during Dive Bail out to a low PPO2 gas No
150. ment is the property of Deep Life Design Group and is released for Open Distribution subject to no modification being made and the document being reproduced in full Deep Life Design Group is a trademark of Deep Life Ltd IBC Deep Life Design Group has a resin identification code 7 O TPU for recycling Polyester polyols are suitable for use in marine applications due to their accelerated breakdown in chlorinated water only polyether polyols are approved f EPDM normally contains Thiram but can be supplied without it and is the preferred material for breathing hoses and O rings that are dynamic or come into contact with medium pressure oxygen or strong bases EPDM has a resin identification code 7 O EPDM for recycling g Silicone rubber should be injection moulded and not formed using room temperature silicone in solvents Silicone is acceptable for seals that are not in contact with high pressure oxygen Silicone oil and lubricants containing silicone oil shall be kept away from silicone seals Silicone has a resin identification code 7 O Si for recycling h Viton O rings are the only O rings suitable for high pressure oxygen e All lubricants require an auto ignition pressure to be tested in pure oxygen and that pressure should be at least 50 higher than their maximum service pressure Tribolube 71 LP and Tribolube 71 HP are recommended 13 6 Entrapment Hazard Cause Hooks and features that gi
151. mercial diving manifolds fit one way valves and filters to prevent any contamination from being blown back onto the bail out gas seat 5 When the over pressure valve fires it causes a loud noise alerting the diver to the failure 7 5 Make Up Gas Hose Leaks Cause Wear Poor maintenance Symptoms Surface Failure of pre dive checks Audible gas escape Make Up Gas contents decreasing Dive Audible gas escape Make Up Gas contents decreasing FMECA_OR_V6_141201 doc Rev C6 41 of 163 This document is the property of Deep Life Design Group and is released for Open Distribution subject to no modification being made and the document being reproduced in full Deep Life Design Group is a trademark of Deep Life Ltd IBC Deep Life Ltd IBC Recovery action during Dive Abort dive Preventative action Pre dive checks and servicing Functional Safety Implication Outside the eCCR but the end to end clause in Functional Safety may encompass this failure Monitor Make Up Gas contents and check for leakage pre dive 7 6 Make Up Gas Manual Injector Failure Cause Poor maintenance Failure to plug hose on properly Symptoms Surface Failure of pre dive checks Dive Loss of gas from loop flooding of loop Recovery action during Dive Urgent Reconnect hose or re screw injector down Bail out if loop flooded Preventative action Pre Dive checks Functional Safety Implication Design out by usi
152. monitor END 2 Eliminate gas switch blocks 3 Advise divers not to use gas with a CNS or narcosis risk at the greatest depth likely to encountered on the dive For example 16 trimix can be used instead of hypoxic gases for dives to 90msw 7 8 Alternate Air Source Free Flow Cause Dirt or high Make Up Gas interstage pressure Symptoms Surface Failure of pre dive checks Audible gas loss Dive Audible gas loss and bubbles Recovery action during Dive Disconnect Auto Air or try shaking to reseat things Consider aborting dive Preventative action Service equipment and pre dive checks Functional Safety Implication Outwith the eCCR but covered by end to end clause Monitor Make Up Gas contents FMECA_OR_V6_141201 doc Rev C6 43 of 163 This document is the property of Deep Life Design Group and is released for Open Distribution subject to no modification being made and the document being reproduced in full Deep Life Design Group is a trademark of Deep Life Ltd IBC Deep Life Ltd IBC 7 9 No ALV or ALV Failed Off Cause No ALV or ALV tends to free flow so user switches it off ALV Gas supply off because cylinder valve is turned off or failure of cylinder valve or first stage regulator or intermediate supply hose is kinked ALV Supply failure gas supply exhausted Symptoms Surface None Dive Incident report by Dr Mike Gadd submitted to RebreatherWorld http www rebrea
153. ms Surface None Dive CNS risk Recovery action during Dive Not applicable Preventative action Cells should be checked for CO2 tolerance Functional Safety Implication 02 cells need to be evaluated for tolerance to C02 Fault Study FS_CO2_exposure_of_oxygen_cells_YYMMDD pdf refers published on www deeplife co uk or_fmeca php 11 CARBON DIOXIDE LEVEL FAILURES 11 1 Scrubber Not Fitted Cause FMECA_OR_V6_141201 doc Rev C6 91 of 163 This document is the property of Deep Life Design Group and is released for Open Distribution subject to no modification being made and the document being reproduced in full Deep Life Design Group is a trademark of Deep Life Ltd IBC Deep Life Design Group User error Failure to use checklists Difficulty in checking that a scrubber is fitted Symptoms Surface Rapid breathing headache Hypercapnia Dive Stuffiness rapid breathing confusion Hypercapnia Recovery action during Dive Bail out Preventative action Use checklists to ensure a scrubber is fitted on every dive and is within date Implement Functional Safety recommendations FMECA_OR_V6_141201 doc Rev C6 92 of 163 This document is the property of Deep Life Design Group and is released for Open Distribution subject to no modification being made and the document being reproduced in full Deep Life Design Group is a trademark of Deep Life Ltd IBC Deep Life
154. near PP has a resin identification code 5 PP for recycling Acrylonitrile Styrene Acrylate ASA with special efforts to purge it of unreacted chemicals and contaminants is acceptable as an alternative to PP where PP shrinkage makes the material unacceptable Some grades offgas formaldehyde the ASA source shall be strictly controlled to ensure the Acrylonitrile is fully reacted PEEK and PTFE are the only approved high pressure valve seats material for oxygen service but the mass shall be kept to the minimum required PEEK is preferred because PTFE is a very weak material with poor wear properties PTFE has a resin identification code 7 O PTFE for recycling PEEK is identification code 7 Polyether Polyurethanes Fully reacted Thermoplastic PUs formed from aliphatic polyether polyols are acceptable for components that need to be strong and flexible but the TPU needs to be black as otherwise it degrades under long term exposure to UV light Vulcanising PU PUR shall not be used unless it is confirmed it is an aliphatic polyurethane and is fully reacted Thermal decomposition products of aliphatic polyether polyols include carbon monoxide oxides of nitrogen and hydrogen cyanide so the TPU may not be used anywhere adiabatic compression is a hazard or in any application where the TPU may be overheated RF welding temperatures shall be tightly controlled TPU FMECA_OR_V6_141201 doc Rev C6 114 of 163 This docu
155. ned with positive and negative ambient pressures with respect to line pressure Functional Safety Implication Use only those regulators that can retain all O rings under positive and negative pressure in applications where negative ambient to line pressures can occur e g saturation diving technical diving decompression diving 5 13 Hose sheath expands and bursts Cause The outer sheath of helium and oxygen hoses need to be vented to allow gas that migrates through the core to dissipate otherwise offgasing will cause the hose to fail after long exposures to pressurized gas See example below gas is OFF and the end of the hose is open as the hose in the photograph expands FMECA_OR_V6_141201 doc Rev C6 19 of 163 This document is the property of Deep Life Design Group and is released for Open Distribution subject to no modification being made and the document being reproduced in full Deep Life Design Group is a trademark of Deep Life Ltd IBC Deep Life Ltd IBC Symptoms Surface Gas hose sheath expands and bursts Dive Ditto Hose is still useable Recovery action during Dive None required hose is still useable Preventative action All HP and LP gas hoses should have vented sheaths Functional Safety Implication Use only vented sheath hose these have perforations every centimetre through the sheath on four sides of the hose 6 OXYGEN SETPOINT FAILURES 6 1 Oxygen Cylinder Empty
156. ng an ALV If ALV fails diver should bail out as there is insufficient volume of breathing gas on descent detectable as a negative pressure in the loop compared to ambient Instruct user to bail out Requires independent bail out 7 7 Wrong Gas In Make Up Gas Cylinder Cause Cylinder filled wrongly Incorrect connection of gas at gas switch Incorrect gas switch Symptoms Surface None with normal pre dive checks FMECA_OR_V6_141201 doc Rev C6 42 of 163 This document is the property of Deep Life Design Group and is released for Open Distribution subject to no modification being made and the document being reproduced in full Deep Life Design Group is a trademark of Deep Life Ltd IBC Deep Life Ltd IBC Dive Problems maintaining set point during descent Narcosis if too high an N2 content or accidental connection of argon CNS if too high an O2 cont Recovery action during Dive Abandon dive or connect alternate Make Up Gas source not likely to notice during dive Preventative action Analyse ALL gases prior to use Once unit is calibrated you can check the Make Up Gas O2 content by doing a Make Up Gas flush This should be added as part of the pre dive tests Perform rigorous pre dive checks with buddy and do buddy check of every gas switch Stop descent or ascent at any gas switch until buddy confirms correct switch is made Functional Safety Implication 1 Monitor gas during descent and
157. ngs empty Recovery action during Dive Control software should check the rate of the depth sensor and PPO2 cells and reject slow sensors Preventative action User is advised to decrease the ascending rate Service regularly and test inspect Functional Safety Implication 1 Eliminate design limitation injector should be able to provide at least 12l min of 02 2 Manual flush rate should be limited so that with no O2 in Make Up Gas gas user cannot reduce the PPO2 to below 0 2 6 19 Low PPO2 set point followed by rapid ascent Cause User error and design limitation Implicated in several fatalities where user has a PPO2 set point of 0 4 then ascends rapidly This is a special hazard near the surface where the diver does not have time to respond to a failure Recovery action during Dive FMECA_OR_V6_141201 doc Rev C6 32 of 163 This document is the property of Deep Life Design Group and is released for Open Distribution subject to no modification being made and the document being reproduced in full Deep Life Design Group is a trademark of Deep Life Ltd IBC Deep Life Ltd IBC Control software should check the rate of the depth sensor and PPO2 cells and reject slow sensors Preventative action The min PPO2 set point when shallow should allow the diver to pop to the surface without the PPO2 falling below 0 21 Functional Safety Implication 1 The rebreather should increase PPO2 to op
158. nitor the actual helium content of the gas in heliox or trimix dives All dive computers that have been examined in this study comprise a single unverified processor None appear to be running code that is capable of formal verification due to language or construction Functional Safety Implications 1 Dive computers used by the diver are very unlikely to meet Functional Safety requirements The rebreather should therefore provide warnings and alarms if decompression obligations are being broken in addition to the dive computer these warnings and alarms do not substitute for a dive computer FMECA_OR_V6_141201 doc Rev C6 122 of 163 This document is the property of Deep Life Design Group and is released for Open Distribution subject to no modification being made and the document being reproduced in full Deep Life Design Group is a trademark of Deep Life Ltd IBC Deep Life Design Group 2 PPO2 and Helium measurement is required to compute the decompression obligation correctly Accuracy of PPO2 measurement is in the region of 0 1 atm and helium is 20 for alarm purposes though ALARP should be applied 3 Decompression algorithm should be formally modelled and then verified to functional safety standards 16 FAILURES SPECIFIC TO DIVES IN COLD WATER 16 1 Effect of cold on the rebreather The exothermic heating from the scrubber may suggest that a rebreather is a suitable tool for diving in cold wat
159. nk or from reverse flow into regulator Wear of valve seat Failure of valve seat FMECA_OR_V6_141201 doc Rev C6 40 of 163 This document is the property of Deep Life Design Group and is released for Open Distribution subject to no modification being made and the document being reproduced in full Deep Life Design Group is a trademark of Deep Life Ltd IBC Deep Life Ltd IBC Symptoms Surface ALVBOV free flow unwanted BC inflation depending on configuration Dive Auto air free flow excessive buoyancy in BC or dry suit or ALV Recovery action during Dive Shut down Make Up Gas valve Manually operate when needed shouldn t need to surface Consider bailout if alternate supply Preventative action 1 Service First Stage regulators annually and check interstage pressure during servicing 2 Inspect First Stages regularly for signs of corrosion or damage 3 An over pressure valve is not required on the make up gas cylinder because the ALVBOV will lift if there is an over pressure Functional Safety Implication 1 Outside the eCCR but the end to end clause in Functional Safety encompasses this failure 2 Apply all of the preventative actions listed above 3 Fit a sintered bronze filter to the detritus tube in the valve or regulator to prevent foreign material moving from the the cylinder to under the valve seat Monitor Make Up Gas contents and check for leakage pre dive 4 For com
160. nt being reproduced in full Deep Life Design Group is a trademark of Deep Life Ltd IBC Deep Life Design Group If rebreather is not being breathed from and either compressed or decompressed an implosive or explosive could compromise a seal or damage a part such as in medical chamber interlocks or diving with the diver not breathing from the breathing loop Preventative action Avoid by appropriate design Functional Safety Implication 1 1 34 4 Ensure rebreather can withstand underpressure or overpressure by one bar 1 1 34 5 Ensure rebreather can withstand a total pressure of double the maximum diving depth 1 1 34 6 Assess the effect of compressing a rebreather with all ports closed and gas off to the maximum diving depth in a chamber i e out of the water where implosion or explosion effects will be more severe 1 1 34 7 Perform the same assessment for the rebreather after saturating in helium gas at the maximum diving depth then decompressing 1 1 34 8 OPV needs to vent at a sufficient rate for the worst case ascent to keep the rebreather within the tested maximum loop over pressure 12 6 Counterlung or hose pinched Cause On commercial diving rebreathers the stab plate to the helmet can pinch a counterlung into a port if it they are protected On other rebreathers fixings can pinch counterlungs Preventative action Avoid by appropriate design Hoses should be highly resistant to pinching Hoses shoul
161. o hose should not kink or pinch when bent back on itself FMECA_OR_V6_141201 doc Rev C6 100 of 163 This document is the property of Deep Life Design Group and is released for Open Distribution subject to no modification being made and the document being reproduced in full Deep Life Design Group is a trademark of Deep Life Ltd IBC Deep Life Design Group Functional Safety Implication End to end scope with respect to hoses covered by a requirement in EN14143 2003 Hoses should not kink or pinch 11 12 Loop Flow Direction Swapped Accidentally Cause One way valves swapped Connectors swapped Preventative action It should not be possible to swap the loop flow direction accidentally Functional Safety Implication 1 1 11 16 One way valve assemblies shall be designed so it is impossible to insert the mushrooms from the wrong side of the web 1 1 11 17 One way valve assembles shall be designed so it is impossible to swap webs from inhale to exhale 1 1 11 18 Connectors and hose lengths shall be designed so it is not possible to swap the hoses accidentally from inhale to exhale 1 1 11 19 Effect of reversed flow shall be assessed 11 13 Premature Counterlung Failure Cause Use of inappropriate materials that degrade in sunlight or in salt water Poor welding Poor abrasion resistance Poor puncture resistance Preventative action Use correct materials Functional Safety Implication Verif
162. oblem to be detected The temperature compensation circuit is removed and replaced with a 1000hm load The electronics check for the existence of the 1000hm load to verify that the correct sensor type is fitted and the load is there Only then will it use that sensor reading otherwise it will report a faulty sensor This eliminates the problem at source 3 Essential to ensure the thermistor is properly matched to the oxygen sensor particular at the point the O2 cell is calibrated See fault 6 28 FMECA_OR_V6_141201 doc Rev C6 81 of 163 This document is the property of Deep Life Design Group and is released for Open Distribution subject to no modification being made and the document being reproduced in full Deep Life Design Group is a trademark of Deep Life Ltd IBC Deep Life Ltd IBC 10 6 O2 Cell Loose Connection Cause Corrosion or poor maintenance Symptoms Surface Intermittent Out of Range or Failure messages on a cell Failure to calibrate Dive Intermittent Out of Range or Failure messages on a cell Recovery action during Dive Make Up Gas flush to check other 2 sensors respond correctly Consider bail out Abandon dive Preventative action Service carefully Functional Safety Implication Use an SMB connector to minimise risk by having a connector with multiple contact faces 10 7 O2 Single Cell Failure Cause See full list of O2 Cell failure modes in DV_O2_cell_stu
163. ocesses in Functional Safety with the ALARP principle As Low As Reasonably Practicable risk in the context of a rebreather which is supplied as an Open Circuit replacement with more than 10 000 units in use This top level fault list considers plausible failures as any failure with a probability greater than one in a billion hours of diving multiplied by the number of faults listed so the aggregate risk is less than 1 in 10 8 to 1 in 10 9 It is recognised that diving is a hazardous activity and there is a base level of risk which appears to be in the region of one fatal accident per 9 000 diver exposure years for Open circuit diving which is one per 78 million hours in terms of elapsed time but probably nearer to one in 100 000 hours of actual diving exposure Application of Functional Safety principles would keep the contribution from equipment failure to less than 1 in 1000 giving a cumulative target for the equipment itself of 1 in 10 5 10 3 which is 1 in 10 8 Rebreather use is associated with a higher accident rate Analysis of these accidents using Functional Safety processes attribute a majority to equipment issues specifically rebreather issues However an order of magnitude increase in base risk is also observed which appears to be due to increased risk taking by sports rebreather divers solo diving extreme depths cave diving wreck penetration compared to the Open Circuit diver as well as likely more divers per
164. oduced in full Deep Life Design Group is a trademark of Deep Life Ltd IBC Deep Life Design Group diver onto a safe gas as in the balance of probabilities based on accident studies is that the diver s low respiration is caused by the rebreather loop Thermal sensing is a low cost method of implementing a respiratory rate sensor so this issue is within ALARP to resolve Where possible monitor tidal volumes This may or may not be within ALARP 11 17 Sensory system false alarm Cause Sensor failure Electrical noise Program error Tradeoff in alarm matrix between false alarms and detecting hazard combinations Symptoms Warning or alarm is triggered inappropriately Preventative action Diver should act as if the alarm is correct Advanced divers or supervisors may fault track to check alarm with special training but dive action should be as if alarm is correct until proven otherwise Functional Safety Implication Electronics and software should comply to EN 61508 to eliminate program faults Other sources are not entirely avoidable detecting hazards in combination will generally require a false alarm rate that is not zero 12 FLOODING AND DROWNING 12 1 Loop Flood Cause 1 Puncture or structural failure in the loop 2 Hoses from EPDM do not split but develop small holes 3 Hoses can separate from their couplings Counterlung could fail catastrophically due to seam failure 5 Sharp
165. oducing water into the loop for this purpose such as from a drinking tube then from the diver to the ALV BOV Requires breathing hose of sufficient diameter so as not to be blocked by vomit Experiments using frozen carrots and sweet corn in yoghurt 20 20 60 indicate that a 36mm diameter hose and fitting is required The web around the mushroom valve is particularly liable to be blocked The number of fingers in the web should be kept to the minimum subject to the mushroom valve not folding under the finger lip 18 7 Deco dive with incorrect PPO2 level in loop Cause User error and design omission allowed the user to calibrate the CCR as if it was 98 02 when PPQ2 level in the loop could have been as low as 48 Result was Cat III DCI Preventative action All O2 Cells should calibrate in air when the unit is open users should not be asked to calibrate with a gas supply which may not in itself be calibrated injecting an uncalibrated amount of gas into an uncalibrated loop volume the procedure used by the manufacturer Functional Safety Implication Eliminate problem by calibrating on air 18 8 DCS risk higher than statistical projection of deco algorithm Cause Bugs in deco software especially in handling constant PPO2 Inherent risk of deco algorithm used not assessed properly Other health problem leading to predisposition to DCS FMECA_OR_V6_141201 doc Rev C6 138 of 163 This document is the property
166. of Deep Life Ltd IBC Deep Life Design Group Monitor when the scrubber is changed Monitor PPCO2 Granular material packed by users will not meet Functional Safety at any SIL level Design out the problem using an EAC 11 5 Excess Work of Breathing Cause Diving to excess depth for the rebreather Use of filter or skrim material to prevent caustic dust Overpacking of scrubber Moisture absorbed by scrubber during use increases breathing resistance and hence WOB Flooding Mushroom valve stuck shut Counterlungs change position Preventative action Diver should be trained to be aware of an increase in breathing rate and bail out Functional Safety Implication Measure WOB actively during dive 11 6 Counterlungs change position causing CO2 hit Cause Possibility to put on rebreather without counterlungs being fixed down A fatal accident occurred where the counterlungs floated above the diver due to not being fixed down correctly causing CO2 retention This can be due to poor range of sizing or failure to fix down the counterlungs either within the counterlung bag or fix down the bag itself Symptoms Surface Not noticeable Dive Increased WOB leading to severe CO2 hit Recovery action during Dive Bail out on to open circuit FMECA_OR_V6_141201 doc Rev C6 96 of 163 This document is the property of Deep Life Design Group and is released for Open Distribution subject to no modifi
167. of the gas in the inhale counterlung can exceed the breathing rate of the diver Under these circumstances if the rebreather s OPV is on the exhale counterlung then the gas leaving the inhale counterlung flows both through the mouthpiece one way valves into the exhale counterlung During the diver s exhale all the gas expanding from the inhale counterlung flows back through the scrubber In flowing back through the scrubber the gas carries with it the oxygen that is injected between the two counterlungs in most rebreather designs The result is that the majority of the injected oxygen does not flow to the inhale counterlung but out to the exhale counterlung where it is vented This results in the PPO2 in the breathing loop plummeting This fault was found during verification of a rebreather using Functional Safety procedures but since then may be implicated in one or more fatal accidents Preventative action FMECA_OR_V6_141201 doc Rev C6 34 of 163 This document is the property of Deep Life Design Group and is released for Open Distribution subject to no modification being made and the document being reproduced in full Deep Life Design Group is a trademark of Deep Life Ltd IBC Deep Life Ltd IBC The OPV shall not be fitted to any position in the breathing loop that is between the inhale counterlung and the mouthpiece exhale one way valve Functional Safety Implication Basic safety requirement the OPV sh
168. ofile of the valve when the ambient pressure if more than the line pressure This is a design fault with the standard because divers do dive with cylinders turned off for example a Tech diver with 02 for decompression may dive with that cylinder off until it is needed Fault usually needs an ambient pressure gt 10 bar to manifest itself Surface Dive Loss of cylinder contents Freeflow of valve to regulator interface losing gas Recovery action during Dive Use a bail out gas source Preventative action Do not use square profile valves The EN 144 3 M26 profile does not suffer this problem nor do G5 8 valves cut with the same circular profile FMECA_OR_V6_141201 doc Rev C6 17 of 163 This document is the property of Deep Life Design Group and is released for Open Distribution subject to no modification being made and the document being reproduced in full Deep Life Design Group is a trademark of Deep Life Ltd IBC Deep Life Ltd IBC Functional Safety Implication Consider all SCUBA seals under the condition where the ambient pressure exceeds the line pressure 5 11 SCUBA Regulator Hose O ring Retention Fault Cause The O ring on common SCUBA hoses is retained when the line pressure is the same or more than ambient pressure but is dislocated otherwise because there is no groove or retainer for the O ring Fault usually needs an ambient pressure gt 10 bar to manifest itself
169. on monomers to maintain the thermal balance for 30 minutes max time for diver to return to bell 14 2 Entrapment Hazard Cause Hooks and features that give rise to an unreasonable risk of dive entrapment Fins accessories tanks valves may all become entrapment hazards Symptoms Surface Snagging on dive benches etc Dive Line entrapment Recovery action during Dive Avoid lines and move slowly when entrapped cutting away line Preventative action Avoid by design Note it is impossible to eliminate entirely except with a naked diver however even naked fish manage to get entrapped in nets Functional Safety Implication Avoid hooks and lines that increase the entrapment risk significantly 14 3 Polarised or Filter Mask Prevents Reading of LCD displays Cause Polarised masks of some types prevent LCDs being read because LCDs rely on a polarisation to display data Some UV filter masks have the same effect Symptoms Surface Unable to see dive computer or rebreather controller FMECA_OR_V6_141201 doc Rev C6 121 of 163 This document is the property of Deep Life Design Group and is released for Open Distribution subject to no modification being made and the document being reproduced in full Deep Life Design Group is a trademark of Deep Life Ltd IBC Deep Life Design Group Dive Ditto Recovery action during Dive Switch to a plain mask Preventative action All polarised masks
170. op If the pressure sensor is inside the oil filled volume it will show a lower smaller depth than is the actual depth Recovery action during Dive Bail out Preventative action Check unit for signs of leakage The leakage is usually obvious an oil film outside the rebreather that causes an oil film on the water when the unit is washed Functional Safety Implication 6 Use of hydrocarbon filling oils is a dangerous practice and not recommended as they can contaminate the breathing loop 7 Use of waxes solid paraffins causes serious problems with thermal expansion and act as insulators which can cause components to overheat 8 Loss of oil as a failure could be detected using a differential pressure sensor but this is an expensive solution that is prone to failure due to the thermal expansion of the oil 9 One solution is to use food grade silicone oil to avoid a health hazard and to remove all components liable to offgas from the oil filled volume moving them to a OATM or 1ATM compartment in the sea water Silicone oil has a high rate of thermal expansion up to 10 of its volume over the operating range of the equipment so a bladder bellows or diaphragm shall be fitted to allow the expansion 10 Consideration should be given to adding a perfume to the filling oil so any leakage is apparent from the smell in the loop to date no FMECA_OR_V6_141201 doc Rev C6 64 of 163 This document is the property
171. op Contamination of breathing loop Preventative action Check all plastic materials and coatings used in breathing loop for health hazards by appropriate searches and MSDS checks Functional Safety Implication Checks of plastics used in rebreathers identified a broad spectrum of toxic chemicals used as plasticisers or softeners or are residual products from the manufacturing process FMECA_OR_V6_141201 doc Rev C6 112 of 163 This document is the property of Deep Life Design Group and is released for Open Distribution subject to no modification being made and the document being reproduced in full Deep Life Design Group is a trademark of Deep Life Ltd IBC Deep Life Design Group The plastics listed below as acceptable were chosen after extensive consultation and an exhaustive review of the Polymer Data Handbook listing over 200 commercially available polymers 13 In reviewing MSDS data NASA data on Outgassing Data for Selecting Spacecraft Materials 11 and information from vacuum plastics suppliers including Boedeker Plastics 12 Samples of the plastics chosen were tested by Deep Life using a mass spectrometer to analyse gas from the plastic samples after pressurisation in Heliox The following conclusions are made e The number of different plastics used should be kept to the minimum e The following materials should be banned from use in breathing loops for the reasons noted below a
172. osion Recovery action during Dive Bail out Preventative action Competent design and operation Functional Safety Implication Ensure equipment is designed and verified to operate to at least twice the maximum operating depth any user can use the equipment It is hazardous to set any depth limit except that imposed by human physiology That is if a manufacturer sets a 100m limit some users will take the equipment to 200m or if 200m is set some users are already taking those rebreathers to beyond 300m The human physiology depth limit is 70i1msw without GABA blockers The deepest dive to date has been to 701msw in Comex chamber dive trials Based on this reasoning to verify the equipment does not implode the test systems should be designed to subject the equipment to twice that pressure namely 1402msw for commercial rebreathers and at least 400msw for SCUBA rebreathers preferably 600msw 13 2 Rebreather BC Failure Cause Puncture or structural failure of BC Substitution by a BC not designed for the equipment FMECA_OR_V6_141201 doc Rev C6 110 of 163 This document is the property of Deep Life Design Group and is released for Open Distribution subject to no modification being made and the document being reproduced in full Deep Life Design Group is a trademark of Deep Life Ltd IBC Deep Life Design Group Unsuitable BC trapping hoses etc Symptoms Surface Unable to inflate Inflation of unsu
173. ot visible and it may pass a positive pressure test when there is in fact a leak Connectors need to be secure and not detach accidentally Connectors need to minimise the leak risk by using double seals where within ALARP Ensure OPV does not let water into the breathing loop when opening frequently Cable ties should be avoided in any situation where a cable tie without the bridge underneath it would allow a leak as users may replace cable ties in the field without realising the importance of the bridge in the factory installed tie Where possible avoid cable ties using Jubilee claps or similar FMECA_OR_V6_141201 doc Rev C6 105 of 163 This document is the property of Deep Life Design Group and is released for Open Distribution subject to no modification being made and the document being reproduced in full Deep Life Design Group is a trademark of Deep Life Ltd IBC Deep Life Design Group 30 Pull dumps on counterlungs or within the breathing loop should be fitted with one way valves to limit water ingress 31 Mitigate against the effect of a flood by 1 1 31 1 Ensuring the scrubber does not produce a caustic cocktail with a short duration flood 1 1 31 2 Fit snorkel tubes to prevent water running directly into the diver s DSV 1 1 31 3 Fit water dumps to allow water to be emptied from the rebreather 12 2 Mouthpiece floods rebreather Cause Mouthpiece cannot be shut either diver has a disabl
174. ow 9 2 Battery Failure 9 3 Power Drop out or Battery Bounce 9 4 Battery life error 9 5 Battery overheating 9 6 Monitoring or control device failure not apparent to user 9 7 Monitoring or control device Hangs FMECA_OR_V6_141201 doc Rev C6 155 of 163 This document is the property of Deep Life Design Group and is released for Open Distribution subject to no modification being made and the document being reproduced in full Deep Life Design Group is a trademark of Deep Life Ltd IBC Deep Life Design Group Fault Eliminate or Mitigate By Annual Risk After Mitigation Design 9 8 Monitoring or control devices W switched off Training Maintenance v v Severity 1 Probability Risk 9 9 Oil Filled Chamber Leaks Oil v 9 10 Electronic Component Explodes 9 11 Controller fails to handle v situation where diver does not understand failure message or is unable to act 9 12 Faulty Software by design 9 13 Faulty Software by ageing 9 14 Monitoring or control devices Misread 9 15 Cracked Electronics Housing 9 16 Corroded wiring 9 17 System Looping on Interrupts raising PPO2 S lt 9 18 High Voltage on Connectors 9 19 Brown out cycling 9 20 Failure to turn on 9 21 Single points of failure 9 22 EMC failure SISSI Te 9 23 Auto Bail Out fails to operate when
175. p Life Design Group Unconsciousness Asthma epileptic fit insufficient or unsuitable respiratory gas oxygen convulsion CO2 retention illness generally with effect of drowning See Fault 18 18 Underwater explosions Proximity to naval exercises or commercial demolition Effect is pulmonary and intestinal rupture and haemorrhaging Oil exploration using seismic devices can cause severe pain and damage to divers over long distances ten miles or more from the site of the explosion ULONE GARA dg emel ges Commercial operations leading to involuntary spasm and likely drowning Note that where an accident has occurred due to underwater currents the electrical equipment should be checked in an active plating bath in addition to normal swept frequency testing to verify the equipment behaved correctly in that environment so the two causes of accident direct shock and equipment failure due to the current density can be separated A failure of the ground contact during commercial underwater cutting and welding operations can create sufficient electro magnetic fields to be sufficient to super heat teeth fillings even when the diver is inside a commercial helmet electronics should be tested in these conditions fields of 30 000 amps per square metre or more Venomous marine life Contact with any venomous sea life particularly jelly fish stonefish some octopus sea snakes conch shells parasites Effect shock pain ne
176. p Life Design Group is a trademark of Deep Life Ltd IBC Deep Life Ltd IBC e Seal failure wrong seal type or hardness seal damaged seal has inadequate compression seal has excess lateral movement foreign body on seal surface seal extruded by pressure e Plastic porosity many bulk extruded plastics have porous areas in their cross section as the plastic contracts as it cools to form a cavity or sponge like microstructure e Deformation under pressure e Physical damage e g cracks e Inappropriate cable glands plastic cable glands in particular can withstand only low pressure differentials Even BlueGlob glands are limited to 15 bar Cable glands should be avoided where at all possible either wires can be run inside pressure hose or connectors used instead e Poor component fit e Unequal thermal expansion e Flow lines in moulding Figure Example of flow lines in a plastic injection moulding at x50 magnification The flow line is caused by plastic flowing around a feature in the mould and rejoining itself then contracting as it cools leaving a fine gap The recess formed by the flow line allows a path for water through the whole body of the plastic The line itself is just visible to the naked eye Symptoms Surface Water visible under or on display Erratic behaviour Watchdogs activated Excess power drain FMECA_OR_V6_141201 doc Rev C6 77 of 163 This document is the property of Deep Life D
177. perspective 21 SEVERITY AND RISK ASSESSMENT The majority of faults listed can result in severe injury or a fatal accident if not mitigated Some faults can result in fatal accident affecting multiple people a cylinder explosion or oxygen fire are examples Fortunately most faults can be either eliminated entirely by design or mitigated substantially through a combination of design training and maintenance The table overleaf identifies the residual risks following all reasonable mitigating actions There is an inherent risk in diving but from the table the probability is low In assessing probability where a risk can be eliminated by design then the probability of the risk remaining is zero Where the risk must be mitigated by training alone then the risk remaining is taken to be 1 per 10 000 hours due to the human error element of a lone user Where the risk must be mitigated by maintenance alone then the risk is taken to be one per 100 000 hours as the practice is to perform the maintenance and a second person check the maintenance The Risk tabulated is number of diver years per incident The probability is taken from accident studies and incident reports or where there is insufficient data from assessments made using HAZIDs under management by the Safety Review Group Fault Eliminate or Mitigate By Annual Risk After Mitigation Design Training Maintenance Severity 1 Probability Risk 5 Gas Supply Containment Fail
178. piratory collapse occurs from any of the sources 18 15 CNS Toxicity Cause 1 Failure of PPO2 controller not meeting Functional Safety 2 Serious PPO2 spiking during descent 3 Injecting O2 instead of Make Up Gas 4 Diver bailing out on to O2 instead of on to Make Up Gas or off board bailout FMECA_OR_V6_141201 doc Rev C6 141 of 163 This document is the property of Deep Life Design Group and is released for Open Distribution subject to no modification being made and the document being reproduced in full Deep Life Design Group is a trademark of Deep Life Ltd IBC Deep Life Design Group 5 Incorrect use of CNS calculation Original papers describing CNS calculation are based on a 4 reduction in vital capacity with 100 CNS loading Oxygen Toxicity Calculations E Baker NUI research paper indicating 1 of users having CNS toxicity effects at 75 CNS loading Despite this users believe they can tolerate 100 CNS loading as a basic plan some report regular dive planning with 175 and 250 CNS loading Preventative action CNS clock in common use has CNS convulsion incidents reported at as low as 25 CNS loading Original paper on CNS measures loss of lung surficant as primary measure of CNS damage with 1 at 75 CNS clock and 4 at 100 Use less CNS clock Functional Safety Implication Modified CNS algorithm with margin to reduce statistical incidence of measurable CNS damage Published on
179. r is fitted instead of a checklist The checklist includes the check of the duration of the scrubber when it was fitted and the time it has been used The plate appears to increase the risk of a diver diving a rebreather with an exhausted scrubber e The plate increases the probability of failure particularly following a caustic cocktail or use in anoxic water where ingress may corrode the stainless steel spring As a result of these considerations a plate was not fitted The balance was a fine one in this instance and alternate conclusions would not be contrary to ALARP Monitor scrubber health This is within ALARP on electronic rebreathers but not otherwise Monitor scrubber life This is within ALARP on electronic rebreathers but not otherwise Monitor when the scrubber is changed This again was found to be contrary to the use of checklists so may have undesirable side effects It is not implemented in Open Revolution rebreathers as a result FMECA_OR_V6_141201 doc Rev C6 93 of 163 This document is the property of Deep Life Design Group and is released for Open Distribution subject to no modification being made and the document being reproduced in full Deep Life Design Group is a trademark of Deep Life Ltd IBC Deep Life Design Group Monitor PPCO2 This is within ALARP both for inhaled and exhaled CO2 on electronic rebreathers The exhaled CO2 monitoring is far safer than monitoring inhaled C
180. r overpressure the first stage diaphragm still ruptures violently followed by a rapid release of the tank contents FMECA_OR_V6_141201 doc Rev C6 22 of 163 This document is the property of Deep Life Design Group and is released for Open Distribution subject to no modification being made and the document being reproduced in full Deep Life Design Group is a trademark of Deep Life Ltd IBC Deep Life Ltd IBC In an eCCR if the batteries are low that use a solenoid the solenoid can fail to fire before low battery warning given This may be observed as a failure to calibrate under some conditions or it may fail to failure to hold a set point The high or low 02 Alarm should sound When the over pressure valve fires it causes a loud noise alerting the diver to the failure Dive As per surface symptoms except instead of failure to calibrate a failure to hold set point may be observed in solenoid eCCRs Recovery action during Dive Urgent Bail out to open circuit or Make Up Gas flush and fly unit in semi closed mode Preventative action 1 Service First Stage regulators annually and check interstage pressure during servicing 2 Inspect First Stages regularly for signs of corrosion or damage 3 Fit an over pressure valve to the First Stage regulators that trips within 4 bar of the normal operating pressure Note that too narrow a margin can cause accidental trips when a diver makes a rapid ascent 4 F
181. r the diver switching to freeflow Preventative action Prevent by appropriate design If failure occurs diver shall bail out immediately Functional Safety Implication 1 1 41 4 A singular one way valve would be a single point of failure so there need to be two of them in series 42 The one way valve need to be properly characterised so it operates with the desired pressure drop this is at most 2 bar The ideal valve would operate with 0 1 bar 43 The operation of the one way valves should be a pre dive check 44 An ALVBOV is highly desirable as a rapid bail out system FMECA_OR_V6_141201 doc Rev C6 131 of 163 This document is the property of Deep Life Design Group and is released for Open Distribution subject to no modification being made and the document being reproduced in full Deep Life Design Group is a trademark of Deep Life Ltd IBC Deep Life Design Group 17 16 Loss of Umbilical Gas Cause Umbilical cut turned off crushed folded or disconnected Symptoms Surface Diver s free flow test fails Dive Diver should abort dive without descending Functional Safety Implication Same as make up gas gas supply failure 17 17 Bail Out Gases Used instead of Oxygen Cause Flow restriction in oxygen hose causes one way valves to provide bail out gas Rebreather without one way valves or interlocks has switchable manifold which is switched to a position without a gas supply or incorrect ga
182. rcuit should not cause loss of monitoring or control device Provide a PFD in addition to monitoring or control device Base unit should be made to at least automative SQA 9002 standards and controls All electronics and software should meet EN 61508 2004 Parts 1 to 3 to at least SIL 2 9 7 Monitoring or control device Hangs Incompetent design single processor single clock source single power source no heartbeat monitor watchdog circuits no brownout Screen should not change Cause circuit Symptoms Surface Dive Screen should not change no alarms Recovery action during Dive Bail out Preventative action Problem should be eliminated by design Functional Safety Implication 1 This is a problem that occurs with some monitoring or control devices examined during FMECA studies of contemporary equipment The normal design procedures applied for safety critical systems should prevent this The system should check automatically during normal start up that these safety design provisions are operating correctly Ensure Watchdog circuit is operating by halting the clock for the Watchdog period Ensure Brown Out circuit is operating by power cycle test Ensure state machines have redundant states to detect failure and return unit to safe operation Fill all unused memory locations with recovery code Routines should apply predicates in input data so that random jumps to the routine can be detected
183. regained my buoyancy and learnt a good lesson was only in 95m of water Then there was the time after a 100m dive when had to throw the anchor over the pinnacle we d just dived so we could free float deco under the attached buoy The descending anchor chain snagged on my stage tank and pulled me rapidly down again On an Inspo the adv shut off I had to deal with freeing myself from the dropping anchor manually inject gas or switch on the adv so I could breathe couldn t do both at the same time If the adv had been on I would have had both hands free to focus on the snag FMECA_OR_V6_141201 doc Rev C6 44 of 163 This document is the property of Deep Life Design Group and is released for Open Distribution subject to no modification being made and the document being reproduced in full Deep Life Design Group is a trademark of Deep Life Ltd IBC Deep Life Ltd IBC Then there was the time i was so wasted on CO2 that I was laying on the seabed doing an impression of a fish waiting and not really caring too much about dying was unable uninterested in moving my arms to find and press the manual add suspect if my adv had been shut off the extra small effort needed to turn it on would have meant I wouldn t As it was my adv saved my life as did the only thing I could be bothered to breathed out my nose My adv fired after a few breaths my mind began to clear to a point could do a manual flush and get m
184. rehead has effect of Whale Diving Death Syndrome Reflex with constriction of blood vessels slowing of heart beat and increase in blood pressure Implicated in Sudden Death Syndrome in older divers Effect also increases probability of acute cardiac illness and of strokes where there is a further increase in blood pressure due to a high retained C02 Thermal Balance Lack of thermal protection with effect of hypothermia or aborted dive with decompression load Suit leaks without means to heat the suit cause hypothermia At extreme depths loss of thermal energy from the lungs Exhaustion Swimming against strong current effect of loss of energy to remain afloat Loss of Buoyancy Control Loss of buoyancy control with effect of uncontrolled ascent or descent Entanglement in surface towed objects with effect of loss of buoyancy control causing DCS barotrauma or drowning Entanglement with object moving towards surface such as a lift bag or SMB reel with effect of loss of buoyancy control causing DCS barotrauma or drowning On surface diver fails to drop weight belt when in difficulty with effect of drowning Failure of BC valves with effect of uncontrolled ascent or descent Confusion by diver causing diver to press inflate button when intends to deflate or vice versa with effect of uncontrolled ascent or descent Weight jackets may redistribute weight causing diver to be up ended with effect of drownin
185. res in diving 700mbar to 1086mbar 3 Redundant pressure sensors to estimate the magnitude of the drift 6 30 Depth Exceeded for Absolute Pressure Regulators Cause The diver dives deeper than the constant flow depth limit determined by the intermediate pressure supplying a constant mass flow injector _ Only occurs with rebreathers that use an absolute pressure regulator Preventative action Check the pressure reading is 2 5 bar above the maximum ambient pressure that may occur during the dive Functional Safety Implication 1 Emphasise the intermediate pressure limits in the user manual 2 Use a high intermediate pressure as factory standard so if the diver has a low pressure then it will be detected during pre dive checks where the flow rate is checked 7 LOOP VOLUME SUFFICIENCY FAILURES These are failures to maintain sufficient loop volume for the diver to breathe 7 1 Make Up Gas Cylinder Empty or Umbilical Supply Lost Cause Someone forgot to fill the cylinder or a bad leak from any part of the cylinder to ALV routing FMECA_OR_V6_141201 doc Rev C6 38 of 163 This document is the property of Deep Life Design Group and is released for Open Distribution subject to no modification being made and the document being reproduced in full Deep Life Design Group is a trademark of Deep Life Ltd IBC Deep Life Ltd IBC ALV freeflow due to poorly designed or adjusted ALV or hydrostatic pr
186. rimix dives when deep Functional Safety Implication Do not fit burst disks to high pressure dive cylinders unless required by national regulations 5 9 Intermediate Pressure Relief Device Related Hazards Cause First stage regulator seat leaks is relieved by pressure relief device if there is no second stage demand valve FMECA_OR_V6_141201 doc Rev C6 15 of 163 This document is the property of Deep Life Design Group and is released for Open Distribution subject to no modification being made and the document being reproduced in full Deep Life Design Group is a trademark of Deep Life Ltd IBC Deep Life Ltd IBC First stage regulator is of a pressure compensated type and diver ascends if there is no second stage demand valve then the pressure relief disk may be needed Symptoms Surface If the relief device bleeds any significant amount of gas then it produces a very loud noise Dive Failure to open or not fitted First Stage failure can be catastrophic in a piston design or diaphragm fails in a diaphragm design causes a loss of that gas source Accidental opening Loss of gas Recovery action during Dive Abort dive Bail out Preventative action Fit an over pressure relief device to all intermediate pressure systems if there is no automatic over pressure relief device such as a second stage demand regulator Functional Safety Implication There are four failure modes that need to be con
187. ring is sealing Consider lip seals 5 Make O rings as thick as possible within ALARP and the ergonomic considerations for that O ring Example Incident http www rebreatherworld com ouroboros rebreathers 19877 opv mods options ideas html post195284 8 5 OPV stuck shut Cause Poor design or poor maintenance In some cases mal adjustment by diver With valve accessible externally it may be moved accidentally by rubbing with hawsers or ropes Symptoms Surface Should show up in the pre dive check as O2 is added to the system it will not vent normally Dive Breathing resistance CO2 hit Recovery action during Dive Reset the valve to correct position and if that does not work then bail out Preventative action Position valve so it cannot be adjusted accidentally during dive FMECA_OR_V6_141201 doc Rev C6 51 of 163 This document is the property of Deep Life Design Group and is released for Open Distribution subject to no modification being made and the document being reproduced in full Deep Life Design Group is a trademark of Deep Life Ltd IBC Deep Life Ltd IBC Check OPV cracking pressure as part of pre dive checks checking loop does vent with reasonable pressure Functional Safety Implication Locate valve where it cannot be changed accidentally during dive During testing it was found that some housings are very much more liable to be adjusted than others 8 6 OPV stuck open
188. rrect direction Whilst the rebreather OPV should avoid differentials of more than 40mbar the valve should achieve a minimum of 80mbar and ideally 300mbar 11 8 One Way Valve Flapper valve Stuck Shut or Partially Shut Cause Valve stuck shut due to sticky material on the valve particularly following a flood or vomiting into the loop Some valve designs are prone to jam shut Incorrect assembly mushroom is inserted onto the wrong side of the web The wrong mushroom is inserted to the wrong side of the mouthpiece Symptoms Surface Diver sees a very high breathing resistance Dive Same as on surface It should be obvious what has occurred on the surface Recovery action during Dive Bail out Preventative action FMECA_OR_V6_141201 doc Rev C6 98 of 163 This document is the property of Deep Life Design Group and is released for Open Distribution subject to no modification being made and the document being reproduced in full Deep Life Design Group is a trademark of Deep Life Ltd IBC Deep Life Design Group Pre dive check for valve operation Functional Safety Implication Full assessment of one way valve function is required in mechanical FMECA Same requirements as for one way valve flapper valve stuck open or partially open plus the following 7 Water should not collect around the flapper valve 8 The flapper valve should not seal shut if one small area is frozen 11
189. rs with plastic core even with an air fill due to heating effects Safety Implication Cause need to be avoided as it results in catastrophic cylinder failure Prevention Do not use plastic cored cylinders for rebreathers due to risk of them being used with oxygen and general overheating risk Functional Safety Implication User manual should describe the preventative action 5 4 Carbon Wrapped Cylinder Core Delamination Cause Helium gas diffuses through the aluminium core because it is under stress then collects at the interface with the carbon wrap which is under less stress The result is a bubble of helium which spreads and delaminates the wrap from the core Safety Implication This results in catastrophic cylinder failure Prevention Inspect carbon wrapped cylinders annually Do not store helium in carbon wrapped cylinders for long periods Functional Safety Implication User manual should describe the preventative action 5 5 Oxygen fire from detritus in cylinder See also Fault 6 10 Cause Detritus from cylinder striking the valve seat in a high oxygen atmosphere Safety Implication Oxygen fire catastrophic failure of cylinder or valve Prevention Prevent by design Functional Safety Implication Fit a detritus tube to all rebreather cylinder valves Fit a sintered bronze filter to the detritus tube Note ISO 10297 2006 e requires a large filter surface area to prevent heating of the gas
190. rve damage or in case of parasites damage to internal organs or brain months after the dive Predators Rare with bites from large sharks rays squid eels or seals Hard impacts Impact with boats propellers divers falling on divers below on to rocks in surf or heavy waves with effect of trauma DESTE Eo Carrying excessively heavy objects or poor lifting technique Strain to bone with effect of bone fracture breakage or arthritis osteonecrosis muscle strain Stress can greatly increase risk of DCI damage to the bone Cold water can increase risk of stress causing permanent damage due to reduced blood flow Nodules forming on bone particularly the ear neck and spine as a response to cold water exposure may press on nerves or interfere with normal joint movement FMECA_OR_V6_141201 doc Rev C6 149 of 163 This document is the property of Deep Life Design Group and is released for Open Distribution subject to no modification being made and the document being reproduced in full Deep Life Design Group is a trademark of Deep Life Ltd IBC Deep Life Design Group 20 SAFETY PROCESS FAILURES 20 1 FMECA Incompleteness Cause All FMECAs are incomplete knowledge is extended gradually and at any point in time there will be failure modes that the most rigorous review will not detect these generally involve interfaces between the operator the environment and the equipment Prevent
191. s Functional Safety Implication 1 System should not allow the oxygen cylinder to be switched off prior to the unit being switched on unless the unit is already underwater when it is switched on in which case the situation is handled as during the dive as described below 2 System should monitor O2 injector and O2 pressure Where a mismatch occurs the error message should be specifically 02 Tank Valve is Closed Open it Requires a digital contents gauge on the 02 and Make Up Gas tanks coupled to the CCR controller 3 It is noted that OMS has have stopped supplying rubber knobs due to their greater risk of grabbing and turning themselves off or on OMS have switched to hard plastic knobs with a surface that is less likely to move with friction 6 3 Oxygen First Stage Failure Same as cylinder contents empty but sudden onset FMECA_OR_V6_141201 doc Rev C6 21 of 163 This document is the property of Deep Life Design Group and is released for Open Distribution subject to no modification being made and the document being reproduced in full Deep Life Design Group is a trademark of Deep Life Ltd IBC Deep Life Ltd IBC This fault mode includes other causes such as the 15 micron filter being blocked prior to the O2 injectors blockage of all 02 injectors All have the same effect 6 4 Oxygen First Stage Over Pressure Cause Wear of regulator Partial oxygen fire of valve se
192. s supply Symptoms Surface PPO2 low Dive PPO2 varies and generally low Recovery action during Dive Bail out Preventative action Check worst case pressure in manifolds Functional Safety Implication Ensure manifolds are checked for pressure with worst case 02 flow Do not use diver switchable manifolds Provide pressure sensors for umbilical 02 gas 18 DIVER PHYSIOLOGY RELATED FAULTS Functional Safety requires that operator failures are managed by the safety system that is the system need to be designed for use by human beings with all their physiological phsycological and idiosyncratic limits FMECA_OR_V6_141201 doc Rev C6 132 of 163 This document is the property of Deep Life Design Group and is released for Open Distribution subject to no modification being made and the document being reproduced in full Deep Life Design Group is a trademark of Deep Life Ltd IBC Deep Life Design Group It is totally unacceptable to design a life support system that works if operated by an automaton but does not manage safely the operator failures that can be identified from accident studies incident studies or are apparent from HAZOPs Unfortunately many divers expect others to be perfect following an accident they may state he should have checked his PPO2 he should have done XXX In expressing this view they are expressing a complete ignorance of safety engineering ALL diver errors need to be
193. s to monitor PPO2 See also Section 18 4 Cause Diver assumes rebreather is managing PPO2 but rebreather has failed Symptoms Surface Sudden Loss of Consciousness from hypoxia Dive Diver drowns after a sudden Loss of Consciousness Recovery action during Dive FMECA_OR_V6_141201 doc Rev C6 90 of 163 This document is the property of Deep Life Design Group and is released for Open Distribution subject to no modification being made and the document being reproduced in full Deep Life Design Group is a trademark of Deep Life Ltd IBC Deep Life Design Group Not applicable Preventative action Electronics should time diver to ensure diver observes PPO2 with required frequency Functional Safety Implication 1 Hypoxia risk alarm required that does not use oxygen sensors it can compute potential PPO2 deviation from changes in ambient pressure and metabolism Deviation can be reset to zero when user observes PO2 by forcing user to use switch to see PPO2 2 This is an equipment issue not a diver failure because the diver is human and humans cannot be relied upon to perform every function perfectly all of the time It is unreasonably hazardous to expect them to do so on a life support system 10 19 Oxygen cells sensitive to CO2 See also Section 18 4 Cause Diver shuts breathing loop after dive with the cells exposed to a few percent of CO2 CO2 reacts with electrolyte in the 02 cells Sympto
194. safety case and verification FMECA_OR_V6_141201 doc Rev C6 69 of 163 This document is the property of Deep Life Design Group and is released for Open Distribution subject to no modification being made and the document being reproduced in full Deep Life Design Group is a trademark of Deep Life Ltd IBC Deep Life Ltd IBC 9 18 High Voltage on Connectors Cause Poor EMI with static discharge Up to 25KV static discharge can occur in operational environments especially if rebreather is on a trolley or conveyor before being touched or contacting an earthed metal object Connectors that carry power and signal e g commercial rebreathers where there is 24V umbilical power and twisted pair for data Water gets into connector such as when they are unplugged shorting 24V to signal Symptoms Surface Loss of data Dive Loss of data which in a poor design could propagate Recovery action during Dive Return to bell or bail out Preventative action Separate power and data protect data lines from direct connection to highest voltage power source used in connection with the equipment Functional Safety Implication Requires unusually high degree of data line protection 9 19 Brown out cycling Cause Brown out circuit activated rebreather restarts causing increase in power consumption causing repeated brownout Symptoms Surface Can fail to inject O2 Dive Ditto Recovery action during Dive
195. sesessssseeeesssee 73 9 24 Auto Bail Out operates when not required cece eeeee cece ee eeeceeeeeeeeees 75 9 25 Auto On Encourages Reckless Diver Behaviour eceeeeeeeeeeeeeeeeeeees 75 9 26 Water Ingress into Electronics cee cee cece eee e eee ec eee eeeeeeeeeeeeneeerers 76 10 Oxygen Level Monitoring Failures ccc cece cece cece cece eee eeeeeeeeeeeeeteeeeeneeees 78 10 1 O2 Cell Decompression Failure c csveescsvseseeteeseeeseseeesrsseeesiseseseseeeseereuss 78 10 2 02 Cell has CO2 Contamination ccc eee cece cece e ee ee eee eeeeeeeeeeeeeneee 79 10 3 Load Resistor Failure in 02 Cell sec eee cee cece e cece eee ee eee eeeeeeeneeeenaeees 80 10 4 02 Cell Contamination ccc cece e cece eee cece eee eeeeeeeeeeeeeeeeeeetesereneee 80 10 5 02 Cell Thermal compensation failure cece e cece eee cence eeeeeeeneee 81 10 6 O2 Cell Loose CONNECTION cee cece cece ee eee ence cece eect eeeeeeeeeeeeeeeeeeeneee 82 10 7 O2 Single Cell Fal tecns ciscscccsveecsunsecsvseecsesdsuivesteisesveseeseeeuseeesteee esses 82 10 8 O2 Cell Failures Tracked Incorrectly cee cece cece eee ec eee eeeeeeeeeeeeeteee 84 10 9 O2 Two Cell FallUres o cccstecclscebacocececsreeenerseenssusdsveuereresususesususvevedeutese 86 FMECA_OR_V6_141201 doc Rev C6 5 of 163 This document is the property of Deep Life Design Group and is released for Open Distribution subject
196. should be checked against the LCD displays on the dive computer and the rebreather controller on the surface prior to the dive Functional Safety Implication Highlight risk to the diver of using untested polarised masks Provide an OLED or LED display backup for the HUD or PFD 15 DECOMPRESSION COMPUTER FAILURES Deco risks are inherent to rebreather use therefore in accord with Functional Safety that safety monitors shall monitor all risks deco need to be managed by an electronic rebreather controller or an electronic rebreather monitor Review using same fault list as for rebreather controller Dive computers have been obtained exhibiting the following faults 1 2 8 9 Hanging Reset underwater with restart not apparent to diver with reset of decompression obligations Failure to warn of narcosis risk when it exceeds that of air due to lower PPO2 Failure to computer deco correctly when PPO2 in loop is lower than that of air at the same depth Incorrect implementation of decompression algorithms Note even the example in the original Buhlmann paper has bugs considers only 13 tissue compartments instead of 16 Failure to manage bail out gases correctly causing a reduction in deco time Miscellaneous bugs that cause incorrect decompression computation with particular gas combinations or in excess of a particular depth Displays that are not clear not readable in dark conditions or are too small Failure to mo
197. sidered 1 Thermal rise in the temperature of an intermediate pressure line The line volume is under 100cc including regulators line of up to 6mm internal bore and 1m maximum length A bleed rate of 100cc per minute is sufficient even in a fire situation 2 Over pressure from a compensated valve with reduction in ambient pressure In the worst case of an uncontrolled ascent from 100msw to the surface in 1 minute a line containing 100cc at 10 bar relative intermediate pressure will be over pressurised by 10 bar This is not a significant over pressure and all components should withstand this easily However for correct operation the 10 bar should be relieved This can be achieved within a few minutes by a 0 5 to 1 litre per minute flow 3 Over pressure from first stage regulator valve seat leakage or creep The primary requirement is to signal the diver that the first stage is faulty The over pressure relief device should therefore give off a loud noise when it relieves pressure The amount of leakage that it is reasonable to relieve is 1 litre per minute this is based on ten times the volume of gas that is normally in the line being relieved so a 100cc volume relieving 1 litre of gas per minute 4 It is recognised that a large obstruction to the valve seat will cause a very large gas pulse which will likely burst the first stage diaphragm Large obstructions should be avoided by fitting FMECA_OR_V6_141201 doc Rev C6 16
198. sign Group and is released for Open Distribution subject to no modification being made and the document being reproduced in full Deep Life Design Group is a trademark of Deep Life Ltd IBC Deep Life Ltd IBC Symptoms Surface None Dive Hanging Dive Now message and Waiting for Data messages Recovery action during Dive Urgent Perform start up cycle DO NOT CALIBRATE Preventative action Design out the problem Always check monitoring or control devices immediately after entering water Functional Safety Implication 1 Battery contacts cannot meet Functional Safety Design out the problem by using multiple redundant rechargeable Lithium lon Gel batteries soldered in 2 Test using swept power drop out with drop outs from 1us to the time interval needed to activate the Brown Out Circuit 3 In particular where there is a master it SHALL NOT have only one power source Sudden failure of any single power source occur with too great a frequency to assume that a slave function will take over 9 4 Battery life error Cause Error in calculation of battery life causes dive to proceed when there should have been no dive Symptoms Surface None Dive Sudden power loss Recovery action during Dive Bail out Preventative action Eliminate risk by design Functional Safety Implication Batteries shall be properly characterised for diving applications including the error in predicting battery life quanti
199. t injecting gas 5 Dive reflex causes a large increase in blood pressure when the head is in cold water Risk of shock on entering very cold water with inhale auto response 7 Risk of dry suit leaks are much more serious in very cold water FMECA_OR_V6_141201 doc Rev C6 123 of 163 This document is the property of Deep Life Design Group and is released for Open Distribution subject to no modification being made and the document being reproduced in full Deep Life Design Group is a trademark of Deep Life Ltd IBC Deep Life Design Group 8 Risk of mechanical damage due to ice forming and expanding during equipment storage 9 Risk of over contraction of silicone oil used to equalise pressure at depths rupturing electronic housings 10 Risk of inappropriate materials cracking with mechanical shock in a cold environment 11 LCD displays lose contrast in very cold conditions OLED displays are strongly preferred 12 Some integrated circuits particularly Flash memories and DRAM do not function well in cold conditions This can cause corruption of the controller program and data 13 Batteries will go flat much faster in cold conditions than in warm and their internal resistance rises even when fully charged This creates more power supply noise and will cause equipment malfunction if there is any under performance in the power regulators Sudden power loss can occur with some battery types Func
200. t response accuracy shock tolerance water tolerance and be free from vapour trap mechanisms tolerate CO2 helium pressure and in an environment that is subject to rapid temperature changes Engineer the cells so all failures are in the same direction low 3 The 02 cells need adequate calibration and self test circuitry in the rebreather 4 The cells need a very good temperature compensation algorithm An example is in the PPO2 Accuracy report on the above Deep Life web site directory 5 The sensor fusion algorithm needs to withstand multiple cell failures safely An example of an oxygen cell sensor fusion algorithm in a rebreather is available in the document DV_O2_sensor_fusion_YYMMDD pdf located in the same directory as referenced above If these measures are used then the PPO2 can be indicated reliably accurately and be highly tolerant of cell failures Some of the examples of poor functional safety design include 1 Presentation of raw sensor data to the diver without interpretation 2 Use of an averaging process instead of a sensor fusion algorithm tailored to the cell failure modes 3 Use of sensors with integral temperature compensation this can give rise to very large errors from all sensors simultaneously as all sensors are exposed to the same environment and are usually of the same type 4 Use of voting algorithms These are not a safe substitute for a properly designed sensor fusion algorithm 5 Use of
201. t to no modification being made and the document being reproduced in full Deep Life Design Group is a trademark of Deep Life Ltd IBC Deep Life Ltd IBC Closed Open it Requires a contents gauge on the Make Up Gas tank Force user to inject Make Up Gas in pre dive check 7 3 Make Up Gas First Stage Failure Cause Wear corrosion or structural failure Symptoms Surface Failure of pre dive checks Make Up Gas contents gauge reads zero Dive Lung squeeze on descent unable to inject Make Up Gas Auto Air Out not functional Dry suit inflate not functional Recovery action during Dive Plug in a reserve gas supply Inflate lungs with manual O2 inject if above 6m Preventative action Service correctly and pre dive checks Functional Safety Implication 1 System should monitor Make Up Gas pressure Where a mismatch the error message should be specifically Make Up Gas Tank Valve is Closed Open it Requires a contents gauge on the Make Up Gas tank Valve unlikely to fail totally and suddenly 2 System should detect a rapid drop of pressure 7 4 Make Up Gas First Stage Over Pressure Cause Wear of regulator Poor maintenance of regulator Corrosion particularly of sintered filters causing breakup of the filter Poor design of regulator Icing of regulator Structural failure of regulator Poor adjustment of regulator Foreign material under valve seat from ta
202. te off effect may bring on a seizure Preventative action Force bail out automatically if user does not act on warnings Eliminate electronic controller failures modes that are not fail to safe state Track CNS and Pulmonary 02 exposure weighted for CO2 Functional Safety Implication PPO2 control is a critical function Track diver s CNS and Pulmonary 02 exposure 18 3 Hypercapnia Cause Scrubber failure from unexpected scrubber failure or from diver extrapolating actual scrubber duration Excessive Work of Breathing Poor diver breathing pattern Diver underlying illness Scrubber seal failure Scrubber bypass Symptoms Surface Headache Agitation Hallucinations LOC Dive FMECA_OR_V6_141201 doc Rev C6 134 of 163 This document is the property of Deep Life Design Group and is released for Open Distribution subject to no modification being made and the document being reproduced in full Deep Life Design Group is a trademark of Deep Life Ltd IBC Deep Life Design Group As on surface except there may be no headache LOC often followed by drowning Recovery action during Dive Bail out Preventative action Force bail out automatically if user does not act on warnings Mitigate by design and training Functional Safety Implication 1 Te eS Monitor exhaled CO2 to monitor retained CO2 this is the most direct reading of the diver s blood CO2 level that is practic
203. ter above solenoid Fresh batteries Functional Safety Implication 1 The oxygen injector should not be a solenoid but a variable orifice valve so that when it fails the failure state maintains the average oxygen consumption 2 Fit an Auto bailout and shutoff valve 3 Check the injector operates at all 8 corners of a Temperature High and Low b Battery High and Low c Intermediate Pressure High and Low And ensure alarms are set to ensure equipment operates within those corners 4 Do not allow O2 setpoints below 0 7 atm as they may otherwise be insufficient time for the diver to address this fault mode 6 8 Oxygen Manual Injector Failure Open or Closed Cause Stuck on corrosion salt deposits in moving parts Stuck off poor maintenance internal damage over pressure Supply off Failure to plug hose on properly use of quick disconnects that are accidentally disconnected Either state mechanical shock Symptoms Surface FMECA_OR_V6_141201 doc Rev C6 26 of 163 This document is the property of Deep Life Design Group and is released for Open Distribution subject to no modification being made and the document being reproduced in full Deep Life Design Group is a trademark of Deep Life Ltd IBC Deep Life Ltd IBC Failure of pre dive checks Dive Loss of gas from loop flooding of loop Recovery action during Dive Urgent Reconnect Hose or re screw injector down Bail out if loop f
204. ter inhalation 18 13 Respiratory collapse from v v v pressure surge 18 14 Respiratory Collapse v v v General 18 15 CNS Toxicity 18 16 Pulmonary O2 Toxicity v 18 17 Counter diffusion hazard v FMECA_OR_V6_141201 doc Rev C6 161 of 163 This document is the property of Deep Life Design Group and is released for Open Distribution subject to no modification being made and the document being reproduced in full Deep Life Design Group is a trademark of Deep Life Ltd IBC Deep Life Design Group Fault Eliminate or Mitigate By Annual Risk After Mitigation Design Training Maintenance Severity 1 Probability Risk 18 18 Sudden Underwater v v v Blackout 18 19 Immersion Pulmonary v v v Oedema IPO 19 General Diving Hazards v v v 1000 Technical Diving 20 Safety Process Failures 20 1 FMECA Incompleteness 20 2 Incompetent or negligent developer 20 3 Incompetent or falsified v v certification 22 REFERENCES 7 D H Elliott amp R E Moon Long Term Health Effects of Diving Ch21 pp585 604 of The Physiology and Medicine of Diving P Bennett amp D Elliott 4 Edition 2 D H Elliott amp P B Bennett Underwater Accidents Ch9 pp238 252 of The Physiology and Medicine of Diving P Bennett amp D Elliott 4 Edition 3 DAN Divers Alert Network Reports available from http www diversalertnetwork org 4 British Sub Aqua Club Accident
205. terlung can withstand shock pressures of 500mbar e g 25 cycles of 1 minute during manufacture as is applied to buoyancy devices manufactured to meet EN 1809 with all 100 production testing Hoses should be made from EPDM not silicone or easily pierced materials It may be better not to have a wrap over the hoses so damage is more immediately apparent Survey of hose leakage on Rebreather World confirms hoses of thick EPDM construction fail with small leaks before any major leak occurs This is not true of thin walled hoses Eliminate all failure points into scrubber by providing full hose connector as an integral part of the scrubber canister rather than using keyed or bonded elements Ensure OPV diaphragm does not fold and is tear resistant Ensure ALV diaphragm does not fold and is tear resistant Counterlung fittings require a welded retainer ring to prevent them pulling out of the counterlung Seals around scrubber shall stand over pressure and under pressure In general a one bar over pressure and one bar under pressure test should be used for the entire rebreather loop as a design integrity check and check there is no flood under these conditions Seals need to be appropriate lip seals should be used for protected moving surfaces due to their ability to adapt to a wider range of tolerances than O rings but lip seals are more delicate so need to be assessed individually Avoid double layer Counterlungs as damage is n
206. the number of fatal accidents due to the absence of this feature but to prevent this arrogant fault mode further safety features are needed that may include 1 To provide a very low set point such that the diver is going to have very long decompression penalties if he does this e g a set point of 0 3 atm Auto on requires an automatic bail out device so the diver cannot go onto the breathing loop if the electronics concludes it is unsafe to do so Alarms need to warn buddies clearly that the diver should not dive such as red displays red buddy displays and messages such as SUICIDAL DIVER ABORT DIVE Injectors that are under electronic control should be wide open so the diver cannot get off the surface after an auto on dive but the injector then needs perform in normal eCCR mode once the rebreather is deeper than the O2 CNS depth limit moving to a lower PPO2 than normal to penalise the diver Logs needs to maintain records of all warnings so after power loss actions of diver are clear Provide only low PPO2 alarm in this mode not the normal PPO2 display to the diver 9 26 Water Ingress into Electronics Cause There are multiple potential causes for water ingress FMECA_OR_V6_141201 doc Rev C6 76 of 163 This document is the property of Deep Life Design Group and is released for Open Distribution subject to no modification being made and the document being reproduced in full Dee
207. ther manufacturer who promote a fully automated recreational rebreather The market for that rebreather is primarily divers who would normally use Open Circuit SCUBA A series of fatal accidents and safety incidents have occurred where the diver wilfully ignored warnings from the rebreather The incidence of those mishaps is considerably higher than that of comparable accidents in the technical diving community from 1995 to 2010 It is clear from this change in the pattern of accident data since 2010 that the actuator should meet the requirements for a device suitable for continuous operation used frequently rather than an intermittent operation device with useage once a year or less To achieve the reliability for a continuous operating device i e used frequently the design of the system should endeavour to incorporate the following features a Actuator should be implemented with the absolute minimum of moving parts b Actuator shall be protected from user tampering c Separate annunciation e g voice and LEDs is needed as well as bail out actuator d Ensure diver can reach tank valves in SCUBA applications e Produce bail out valve from durable materials f User manual should require diver to operate bail out manually when a bail out condition occurs and not to rely on an automatic function g Test the bail out valve during the surface preparation on every dive FMECA_OR_V6_141201 doc Rev C6 74 of 163 Th
208. therworld com rebreather accidents incidents 19356 witness to a fatality html post189115 What s so difficult about hitting the manual add Nothing when your sat at your desk or when doing a gentle descent But as a safety feature when muck hits the fan a demand valve will automatically give you enough volume to enable you to breathe when there s an unexpected not a planned issue that effects your loop volume such as rapid descent It will also facilitate and encourage sanity breaths from nose breathing out at first feeling of CO2 which I believe is a good safety feature once jumped in carrying a large stainless steel axe a crow bar and some slings Very negative Unfortunately my adv was turned off and the gear I was carrying obscured my manual add The tank feeding my wing and bov wasn t as the qc wasn t fully connected As plummeted down to the depths like a speeding train my CLs collapsed was totally unable to breathe unsure as to why my wing wasn t inflating fumbling trying to find the manual add buried under all the gear stages i was carrying my ears were in so much pain you cant imagine In my stressed state rapid uncontrolled descent unable to breathe and ear pain simply couldn t locate the manual add or fix the wing inflation issue fast enough It was most unpleasant bailed to OC which was fun because same qc fed the bov so at first no gas from bov which found interesting so went for offboard 2nd stage
209. tional Safety Implications For diving in very cold water it is necessary to have a SIL rated heating system in the counterlungs sufficient to keep the loop temperature above 20C and to have active monitoring of the gas flow so that any blockage can be detected Equipment should be stored in a warm location and at all times when not in the warm location the equipment should be operating to maintain its temperature EN14143 2003 requires the equipment to be tested with storage to minus 30C for material suitability Some dives are in environments colder than this such as in Russia in winter and polar dive expeditions The equipment is wet when it comes out of the water so chill factors become an issue also reducing the effective temperature of the surface of the equipment 16 2 Thermal respiratory shock Cause Gas in dive cylinder is cooled by 30C by expansion from first stage which can result in cold gas being inhaled when the ambient temperature is below 7C See B Morgan P Ryan T Schultz and M Ward Solving Cold Water Breathing Problems Underwater Magazine July 2001 Preventative action Warn divers of risk Use gas heaters for diving below 7C and particularly below 4C Functional Safety Implication Advise divers that below 7C gas heating is required and particularly below 4C FMECA_OR_V6_141201 doc Rev C6 124 of 163 This document is the property of Deep Life Design Group and is released for Open Distr
210. to this display and receive succinct instruction on how to correct the problem and its significance Bf Provide multiple annunciation the four above are included in the sports rebreather configuration in the commercial diving configuration the monitoring or control device functions move to a topside console D Provide an automatic bail out valve so user cannot ignore critical actions 9 12 Faulty Software by design Cause Design not compliant with Functional Safety Symptoms Surface Any software malfunction including hanging or jumping between states Existence of states where software does not maintain life Dive As per surface symptoms Recovery action during Dive Bail out Preventative action Ensure design meets Functional Safety FMECA_OR_V6_141201 doc Rev C6 66 of 163 This document is the property of Deep Life Design Group and is released for Open Distribution subject to no modification being made and the document being reproduced in full Deep Life Design Group is a trademark of Deep Life Ltd IBC Deep Life Ltd IBC Functional Safety Implication 1 Software that does not maintain a PPO2 setpoint in some modes is incompetent and does not meet basic safety requirements let alone Functional Safety 2 The industry is using software where nothing is verified non verified code compiled with buggy compiler running on non verified processor in poor hardware environment
211. ttent Out of Range or Failure messages on a cell Recovery action during Dive Make Up Gas flush to check which sensors respond correctly Bail out Abandon dive Preventative action Ensure gas flow to rear of cells Make sure pressure equalisation holes are clear and that the sensor pcb has equalisation holes FMECA_OR_V6_141201 doc Rev C6 88 of 163 This document is the property of Deep Life Design Group and is released for Open Distribution subject to no modification being made and the document being reproduced in full Deep Life Design Group is a trademark of Deep Life Ltd IBC Deep Life Design Group Functional Safety Implication Withstand multiple cell failures 2 Ensure the design allows adequate gas flow to rear of cells to eliminate the source of failure 3 Engineer the cells so all failures are in the same direction low 10 15 O2 Cell Explodes or Leaks Cause Lockout of an 02 Cell in a chamber Dropping an O2 cell causing electrolyte leakage Symptoms Surface Shrapnel injury to operator Strong alkaline spray KOH Dive Not applicable Recovery action during Dive Not applicable Preventative action Do not decompress O2 Cells faster than a human can withstand Functional Safety Implication 1 Verify that sensors specified for product do not produce shrapnel when suddenly decompressed Torpedo test 2 Warn operators that if an O2 Cell feels wet they should wash the sensor
212. tton MCCR iCCR ee eeeee eee eee 37 6 28 Oxygen Sensor Temperature Compensation Error eecee eee eeeeeeeeeeee 37 6 29 PPO2 Error due to Helium Ingress to Pressure Sensor eeeeeeeeeeeeeeeees 38 6 30 Depth Exceeded for Absolute Pressure Regulators cceeeeeeeeeeeeeeeeeees 38 7 Loop Volume Sufficiency Failures cece eee ee eee e cence eee eeeeeeeeeeeeeeeserenaeees 38 7 1 Make Up Gas Cylinder Empty or Umbilical Supply Lost 2 e eee ee eee eee 38 7 2 Make Up Gas Cylinder Switched Off cc cece ec eee eee eee eeeeeeeceeeeneeeeees 39 7 3 Make Up Gas First Stage Failure 0 e cece cece eee e ence ee eeceeeeteeeeeneserens 40 7 4 Make Up Gas First Stage Over Pressure cece eee cence eee eee eee eeeeeeeneeeeens 40 7 5 Make Up Gas Hose Leaks cece cece e ence cee eceeeneeeeeneeeeeteseeeeneeeeereserens 41 7 6 Make Up Gas Manual Injector Failure sssssssessssssseessssssseresssseeresssseeee 42 7 7 Wrong Gas In Make Up Gas Cylinder sssssessesssssssesessssseesessssseresssseeee 42 7 8 Alternate Air Source Free FLOW sssssessussssesseesssseseeeesssseeeessssseressseeeee 43 79s NOALVOrALV Failed Off sscssrosiiseeiscrsiri stissa EEE E a 44 7 10 Counterlungs unable to provide gaS ssssesssssssessssssseeresssseeeeesseeeee 46 7 11 BOV seal leaking emptying loop VOlUME sssssssssssssssssssseseeessssseeeessese
213. tween carbon and aluminium in the presence of sea water due to lack of treatment of the aluminium before wrapping The sea water acts as a battery electrolyte caused very rapid corrosion of the aluminium and a delamination of the carbon wrap Safety Implication This results in catastrophic cylinder failure Functional Safety Implication ms Apply PVD Diamond like Carbon or hard anodising or other suitable coating to aluminium before wrap Ba Ensure users know not to use general carbon wrapped cylinders unless they have been properly assessed for marine use 5 3 Plastic Core Decomposition Cause Plastic cored carbon wrapped cylinders are available Small rebreather cylinders are often filled too quickly resulting in the gas in the cylinder reaching hundreds of degrees Celcius The cylinder itself heats up more slowly due to its thermal mass and its thermal losses to the environment The hot gas causes thermal FMECA_OR_V6_141201 doc Rev C6 12 of 163 This document is the property of Deep Life Design Group and is released for Open Distribution subject to no modification being made and the document being reproduced in full Deep Life Design Group is a trademark of Deep Life Ltd IBC Deep Life Ltd IBC decomposition of the internal cylinder wall if the core is plastic which can run away if the filling gas is oxygen Use of valves with sintered filters are reported by BAM to cause failure of cylinde
214. uced in full Deep Life Design Group is a trademark of Deep Life Ltd IBC Deep Life Ltd IBC 6 2 Oxygen Cylinder Switched Off Cause Symptoms Switched off on dive boat after pre dive checks and forgetting to switch on again 02 cylinder accidentally turned off during dive due to handle rubbing on something Use of soft materials elastomers for the cyclinder valve knob makes this problem occur more often than using hard handles as does some ribbing patterns on the handle Handled in case of Low 02 by the Injector led O2 controller finding an imbalance between injected gas and measured gas then going into diagnostic mode finding that injecting gas causes no gas and treats failure first as a cylinder valve shut failure then if user confirms valve is open as an injector failure If second injector has same fault requests user to turn on cylinder valve Recovery action during Dive Urgent Open 02 valve ready to bail out to open circuit or Make Up Gas flush and fly unit in semi closed mode User is advised of this action and system forces it with the Auto ShutOff valve Preventative action This is a common fault as the O2 valve knob sticks out from the cylinder and is easily rubbed The worst position is when the 02 cylinder is hung like a stage when the valve rubs on clothing Check position of valve and ensure it is covered but still accessible Do not use soft materials for cylinder valve knob
215. ure Cause Over use failure recharge cycles Water in battery compartment Lack of cell balancing Lack of bad cell detection Absence of high or low thermal shutdown for charging or discharge Absence of charge over current protection Absence of discharge over current protection Symptoms Surface No monitoring or control device Dive No monitoring or control device Solenoid not functioning Cannot maintain set point Recovery action during Dive Slave should take over Abandon dive If both fail then bail out if you have no alternative means of monitoring PPO2 Preventative action Pre Dive checks and measure battery voltage before dives Functional Safety Implication Lack of power is the Achilles Heal of electronics To address at SIL 3 requires FMECA_OR_V6_141201 doc Rev C6 57 of 163 This document is the property of Deep Life Design Group and is released for Open Distribution subject to no modification being made and the document being reproduced in full Deep Life Design Group is a trademark of Deep Life Ltd IBC Deep Life Ltd IBC a Monitor of recharge cycles to indicate battery service required before battery reaches recharge cycle lift b Water in battery compartment protect by conservative seal design c Cell balancing where multiple cells are used d Bad cell detection particularly where multiple cells are used cells should not be simply connected in parallel
216. ures 5 1 Cylinder explosion v v v 256 10 5 5 2 Carbon Wrapped Cylinder v v 10 6 Electrolysis 5 3 Plastic Core Decomposition V 0 FMECA_OR_V6_141201 doc Rev C6 151 of 163 This document is the property of Deep Life Design Group and is released for Open Distribution subject to no modification being made and the document being reproduced in full Deep Life Design Group is a trademark of Deep Life Ltd IBC Deep Life Design Group Fault Eliminate or Mitigate By Annual Risk After Mitigation Design Training Maintenance Severity 1 Probability Risk 5 4 Carbon Wrapped Cylinder v v 10 8 Core Delamination 5 5 Oxygen fire from detritus in v v v 10 8 cylinder 5 6 Cylinder Valve Failure 5 7 Cylinder Valve O ring or v v v Regulator O Ring Failure 5 8 High Pressure Burst Disk v v v Related Hazards 5 9 Intermediate Pressure Relief v v v Device Related Hazards 5 10 Valve Outlet Profile v v v Specification Error in DIN 477 amp EN 144 5 11 SCUBA Regulator Hose O v v v ring Retention Fault 5 12 First Stage Regulator O ring VW v v Retention Design Fault 5 13 Hose sheath expands and v v v bursts 6 Oxygen Setpoint Failures 6 1 Oxygen Cylinder Empty v v 6 2 Oxygen Cylinder Switched Off v v 6 3 Oxygen First Stage Failure v v 6 4 Oxygen First Stage Over v v v Pressure 6 5 Oxygen Hose Leaks v v 6 6 Oxygen So
217. v exhale counterlung during fast ascent 6 24 SCR has insufficient oxygen Y v v in gas 6 25 Passive oxygen addition rate vV v v incorrect mCCRs PA SCR 6 26 Oxygen addition button v v v seized or stuck 6 27 Inaccessibility of oxygen v v v addition button mCCR iCCR FMECA_OR_V6_141201 doc Rev C6 153 of 163 This document is the property of Deep Life Design Group and is released for Open Distribution subject to no modification being made and the document being reproduced in full Deep Life Design Group is a trademark of Deep Life Ltd IBC Deep Life Design Group Fault Eliminate or Mitigate By Annual Risk After Mitigation Design Training Maintenance Severity 1 Probability Risk 6 28 Oxygen Sensor Temperature V v v Compensation Error 6 29 PPO2 Error due to Helium v v v Ingress to Pressure Sensor 6 30 Depth Exceeded for v v v Absolute Pressure Regulators 7 Loop Volume Sufficiency Failures v 7 1 Make Up Gas Cylinder Empty V ot Umbilical Supply Lost 7 2 Make Up Gas Cylinder v v v Switched Off 7 3 Make Up Gas First Stage v v v Failure 7 4 Make Up Gas First Stage Over V v v Pressure 7 5 Make Up Gas Hose Leaks v 7 6 Make Up Gas Manual Injector Y Failure 7 7 Wrong Gas In Make Up Gas_ v v Cylinder 7 8 Alternate Air Source Free v v v Flow 7 9 No ALV or ALV Failed Off v 7 10 Counter
218. ve Diver was partially deaf and did not hear alarms 02 sensors were marked with a date code which was not immediately obvious all sensors were around 3 years old Diver was old and may not have recalled change date Preventative action Proper checking of sensors Functional Safety Implication Use sensor fusion algorithm that can detect one good sensor among faulty sensors and detect any faulty sensors Use visual feedback in PFD in addition to audible alarms or use vibrating mouthpiece Pre dive checks should force the checking of the O2 sensors 02 sensors should be marked very clearly in large letters with a date code such as SEPT 06 not J6 in small letters Use different colour sensor bodies for each year FMECA_OR_V6_141201 doc Rev C6 86 of 163 This document is the property of Deep Life Design Group and is released for Open Distribution subject to no modification being made and the document being reproduced in full Deep Life Design Group is a trademark of Deep Life Ltd IBC Deep Life Design Group Provide means to check sensors automatically when a sensor failure occurs such as injecting a known quantity of 02 This requires a calibrated O2 injector this can be done automatically during pre dive checks 10 11 O2 Cell Calibration Incorrect Cause User error and design omission allowed the user to calibrate the CCR as if it was 98 02 when PPQ2 level in the loop could
219. ve action Wash out loop between dives allowing water to flow out of OPV Functional Safety Implication OPV needs to be fully characterised including in presence of silt Most OPVs are single membrane a dual membrane would be much safer with a filter on both inside and outside Fit a filter to both inside and outside the OPV membrane diaphragm Example Incident http www rebreatherworld com ouroboros rebreathers 19877 opv mods options ideas html post192902 8 4 Incorrect O ring tolerance Cause Poor O ring groove tolerance or design Symptoms Surface May appear in a pre dive positive pressure check Dive FMECA_OR_V6_141201 doc Rev C6 50 of 163 This document is the property of Deep Life Design Group and is released for Open Distribution subject to no modification being made and the document being reproduced in full Deep Life Design Group is a trademark of Deep Life Ltd IBC Deep Life Ltd IBC Gurgling and other signs of water in loop Breathing resistance CO2 hit Recovery action during Dive Bail out Preventative action Design and manufacture O ring groove to be within tolerance specified by manufacturer e g Parker O Ring Handbook Functional Safety Implication 1 Check all O ring designs as part of mechanical design review checklist 2 Consider the effects of ring deformation under pressure 3 Consider the effects of thermal expansion or contraction of the surface the O
220. ve rise to an unreasonable risk of dive entrapment Attachment of rebreather to the diver by secondary points Symptoms Surface Snagging on dive benches etc Dive Line entrapment Fatal accidents have occurred where divers have used other straps then removed rebreather in the water to find the rebreather sinks pulling them down Recovery action during Dive Avoid lines and move slowly when entrapped cutting away line Preventative action FMECA_OR_V6_141201 doc Rev C6 115 of 163 This document is the property of Deep Life Design Group and is released for Open Distribution subject to no modification being made and the document being reproduced in full Deep Life Design Group is a trademark of Deep Life Ltd IBC Deep Life Design Group Diver should carry at least two blunt ended line cutters for example a pair of surgical shears and a covered razor line cutter accessible to either hand Avoid by design Jubilee clips should be covered Shackles should be selected for low entrapment risk Note it is impossible to eliminate entirely except with a naked diver however even naked fish manage to get entrapped in nets Functional Safety Implication Every part of the rebreather should be reviewed to determine the line entrapment hazards Avoid hooks and lines that increase the entrapment risk significantly Hoods should be used on all Jubilee clips Divers should be trained not to fix the rebre
221. ver drowns Recovery action during Dive Inject gas immediately bail out FMECA_OR_V6_141201 doc Rev C6 71 of 163 This document is the property of Deep Life Design Group and is released for Open Distribution subject to no modification being made and the document being reproduced in full Deep Life Design Group is a trademark of Deep Life Ltd IBC Deep Life Ltd IBC Preventative action Design out the problem Use a competent safety architecture Functional Safety Implication MTBCF required for entire electronics system Pay special attention to connectors where any signal may be shorted to any signal by water For example power may be applied to low level signal lines 9 22 EMC failure Cause Design error failure to protect design from sufficient Electro Static Discharge ESD conducted transients RF fields or magnetic field In commercial diving divers report teeth fillings overheating if an earthing clamp is detached during cutting operations due to the induced field intensity despite the diver s head being inside a helmet Symptoms Surface Hung controller jump to unexpected state I O lines not functioning normally Dive Ditto Recovery action during Dive Inject make up gas immediately to a known PPO2 in the breathing loop bail out if controller then behaves unexpectedly Preventative action Determine appropriate EMC requirements and design out the problem Use a competent safety
222. verify those modes Use sensor fusion algorithm that can detect one good sensor among faulty sensors Provide means to check sensors automatically when a sensor failure occurs such as injecting a known quantity of 02 This requires a calibrated O2 injector this can be done automatically during pre dive checks FMECA_OR_V6_141201 doc Rev C6 84 of 163 This document is the property of Deep Life Design Group and is released for Open Distribution subject to no modification being made and the document being reproduced in full Deep Life Design Group is a trademark of Deep Life Ltd IBC Deep Life Design Group PPO2 measurement and control parameters against Time 1400 po PP from Mass Spec Anbient pressure m PPO Indicated i i i PP Set point 1 I 12000 Sensor A i Sensor B Sensor C ae wh fh Sensor D ao Ne Nyt ett fr PNAS Pressure mbar Absolute Time min Figure 10 1 Example of good functional safety behaviour during a test dive to 100m depth The four O2 cells are 2 years old yet the indicated PPO2 matches that of the mass spectrometer almost perfectly throughout the dive The PPO2 monitor using these cells shows it is accurate to a PPO2 of at least 7 8 atm well beyond that which may occur in diving except one Sensor B which fails with a classical ceiling fault current limiting shortly after
223. very action during Dive Avoid positions causing free flow Preventative action Position the OPV as close to the lung centroid as possible Functional Safety Implication Ensure correct OPV position 8 8 OPV housing failure Cause Flimsy OPV Symptoms Surface None Dive OPV comes apart during dive Recovery action during Dive Bail out Preventative action Position the OPV so it is not exposed Design and manufacture housing from a tough material of sufficient thickness to withstand diver abuse Functional Safety Implication Ensure OPV is robust 8 9 OPV fails to shut sufficiently for positive pressure check Cause Poor OPV design Symptoms Surface Positive pressure check vents via OPV too readily Dive None Recovery action during Dive None FMECA_OR_V6_141201 doc Rev C6 53 of 163 This document is the property of Deep Life Design Group and is released for Open Distribution subject to no modification being made and the document being reproduced in full Deep Life Design Group is a trademark of Deep Life Ltd IBC Deep Life Ltd IBC Preventative action Replace OPV with a design that can maintain a 300mbar pressure when fully shut Functional Safety Implication Verify OPV operation 8 10 OPV interacts with water drain Cause Use of an OPV as a water drain in addition to fitting a normal loop volume OPV Symptoms Surface None Dive Free flow Recovery action during D
224. y s t together my adv saved my life In both the above times not having an adv would have been doable but it adds stress and task loading to an already stressful and task loaded situation that s why I think having an adv is better than not An adv is a simple demand valve hardly rocket science It will give you gas when you need the volume automatically It shouldn t fire unless you have too low a loop volume it shouldn t fire with normal breathing it shouldn t fire too much if your at different angles imo it doesn t need to be that light The only thing worse than not having one is having one but needing to keep it shut off In a separate incident during test at an independent lab of a Deep Life rebreather the ALV supply on the rebreather under test was interrupted cylinder valve seat failure first stage regulator failed closed or a kinked gas hose leading to a 2 bar under pressure of the rebreather This caused no leakage or damage but would be dangerous of it occurred during a manned dive The ALVBOV supply had been plugged in that test Recovery action during Dive Stop descending and ascend to achieve adequate loop volume Pressing the purge button on the ALVBOV will usually not help because the ALBOV is unlikely to be at fault the problem will be the upstream gas supply Check gas is on Consider aborting dive Preventative action No shut off valve should be fitted to ALVs or BOVs Service equipment and pre dive checks
225. y the material performance under a wider range of conditions 11 14 Counterlung blocks ports Cause On negative pressures the counterlung material folds over any of the ports blocking it This increases the breathing resistance considerably and may prevent the ALV from working Preventative action Fit a spring or coil in the counterlung and ensure that sufficient coils are captured by each of the ports to prevent a large reduction of breathing loop cross section from occurring FMECA_OR_V6_141201 doc Rev C6 101 of 163 This document is the property of Deep Life Design Group and is released for Open Distribution subject to no modification being made and the document being reproduced in full Deep Life Design Group is a trademark of Deep Life Ltd IBC Deep Life Design Group Functional Safety Implication Verify the WOB does not increase suddenly with negative loop pressures 11 15 Structures that bypass the scrubber Cause One contemporary rebreather was found to have a water drain valve that runs across the scrubber opens under specific conditions of loop volume and pressure allowing breathing gas to bypassing the scrubber The rebreather also had oxygen sensors across the scrubber if a sensor falls out then again the scrubber is bypassed Preventative action Avoided by applying proper safety design processes Functional Safety Implication Do not use any structure that can bypass the
226. ygen sensor this is not achieved simply by mounting the thermistor on a board with the sensor Functional Safety Implication 1 Check effect of calibration by inserting sensors stored ina refrigerator calibrating then performing a 0 to 2 3 bar PPO2 linearity check 2 Apply digital temperature compensation ensuring that thermistors are not shared between oxygen sensors as it introduces a common mode failure otherwise FMECA_OR_V6_141201 doc Rev C6 37 of 163 This document is the property of Deep Life Design Group and is released for Open Distribution subject to no modification being made and the document being reproduced in full Deep Life Design Group is a trademark of Deep Life Ltd IBC Deep Life Ltd IBC 6 29 PPO2 Error due to Helium Ingress to Pressure Sensor Cause Use of a rebreather in a helium environment results in helium ingress to the reference chamber of the pressure sensors and this produces an offset If oxygen sensors are then calibrated using the ambient pressure data the error can be considerable This error usually affects all the sensors in the same way that are calibrated at the same time Preventative action Check the pressure reading is actually ambient pressure Functional Safety Implication 1 During the calibration process request the user to confirm the ambient pressure 2 Limit the ambient pressure reading to that which actually represents surface atmospheric pressu
Download Pdf Manuals
Related Search