I N T HE L O O P DESIGNING A REDUNDANT

LIFE-SUPPORT SYSTEM

by William C. Stone

“A truly redundant system is one in which any component or sub-system— no matter how critical—can fail and yet still leave the system in an operational state.”

aquaCorps Journal N12 29 has long been the watchword in circles. For good reason.

Murphy loves divers of all kinds, particularly tekkies, and the ability to recover from an equip­ ment failure underwater is generally paramount to survival. No one knows this better than underground explorer and designer Dr. Bill Stone. A mechanical engineer by training, Stone designed his first fully-redundant rebreather, the Cis-Lunar MK1, in 1987 as part of the milestone Project. Now, five generations and thousands of underwater hours later, Stone's Cis-Lunar Development Labs is preparing to introduce the fully-redundant MK5 system—an upgrade from the system that Stone's team used to explore the Huautla Plateau in Central Mexico [see "Stoned," N7/C2]—that will be used for the Wakulla 2 project [see p 62]. Here in his classic 1989 treatise on life-support systems, Stone explains some of the basic con­ cepts, methodology, and philosophy behind the design of redundant systems that has guided the development of Cis-Lunar's .

Survival Probability The chief means of achieving true death of the user unless he or she is able dependability and safety in life-support to effect an immediate abort to a safe COMPONENT RELATIVE equipment is by building redundancy into haven. A safe haven could be taken, for FAILURE PROBABILITY the system. Redundancy implies that sev­ example, to be the water’s surface, a diving eral critical components in a life-support habitat, or a submarine. In the design of The percentage listed for each component system can fail and still leave the user with life-support apparatus used in critical loca­ is an absolute failure probability. In normal a functional system. tions (such as diving), we would like to fault-tree analyses, these numbers are assigned a lifetime as well, such that we Just what do we mean by redundancy, keep the probability of a system failure to might have a 1% probability of failure in ten and where is it needed? To begin, we need an extremely low value. years. These can then be used to evaluate to define a few terms. In general, the more remote we are the “mean time between failure” statistic The first is System Failure. By this we from the safe haven, the more unaccept­ that is the general measure of reliability in mean that the portable life-support system able the prospect for a system failure. In the aerospace industry. For this simplified has ceased to function and will result in the fact, we would like to be able to tolerate life-support reliability study, I assigned - a few parts failing and still be able to go these probabilities to the overall lifetime of on with our job, since in such locations the rig, which most would assume at one has likely invested considerable around five years (the depreciation rate for sums of money, time, and effort to train a high-tech gear). specialized person or team and place them in the field. t tank (o-ring seal) 1.0% This brings rise to the term Mission ie isolation element 0.1% Failure. Here we refer to the state of i instrument (gauge, etc.) 1.0% affairs where the system is still opera­ j hard-lined junction 0.5% tional, but some parts of sub-systems V manual valve 1.5% have failed in such a manner as to limit vm manual bypass valve 1.5% the range of the device. In other words, the mission has to be scrubbed because vs servo valve 3.0% the individual cannot reach his objective va auto add valve 1.5% or finish his task because the duration of sc scrubber stack 1.0% his life-support device has been short­ h flex hose 1.0% ened. While mission failures are certain­ m mouthpiece (regulator) 1.0% ly not as serious as system failures, it is fs first stage regulator 2.0% desirable that they too have a low proba­ bility of occurrence. s second stage regulator 2.0%

30 aquaCORPS Journal N12 \Ne can now define redundan­ complexity and integration. For cy in terms of the failure modes example, it may be assumed that just described. A redundant sys­ a 20,000 psi-rated stainless tem is simply one in which a mis­ Swagelok tube junction will, for all sion failure is practical pur­ possible. To poses, have a state that more A detailed fault tree component fail­ precisely, a analysis involves ure probability truly redundant of approximate­ system is one establishing proba­ ly zero when in which any bility distributions the gas pres­ component or for each component sure it normally sub-system, no carries is limited matter how crit­ —not so easy in to 150 psi. On ical, can fail reality—and using the other hand, and yet still this data to derive certain compo­ leave the sys­ confidence intervals nents such as tem in an oper­ tank o-rings, for ational state. on a likely outcome. example, have Furthermore, it been known to will be shown blow, although that by certain arrangements of the likelihood of that occurring is components, it is also possible to small. As the complexity increases, minimize the probability of a mis­ one can, for example, assign a sion failure for any given system. higher probability of failure to a first or second stage regulator. A servo valve, typically used in closed sys­ System Failure tems, is assigned a still higher Probability Analysis probability, since it involves both mechanical moving parts and an In order to examine the charac­ electronics interface which can teristics of life-support systems, a also fail. Although these values are few probability laws need to be arbitrary, they will serve as suitable introduced. In this discussion, it is relative probabilities for comparing assumed that a life-support appa­ different systems. The table on ratus consists of a network of inter­ page 30 gives the probability val­ connected components whose ues used for the evaluation. individual probabilities of failure are independent and otherwise unaffected by the failure of any Open-Circuit other component in the system. A sub-system consisting of a string System Analysis of linearly-connected components The principals of redundant has a probability of failure equal to design can be best illustrated with one minus the product of the com­ a few examples in which familiar plement failure probabilities—in open-circuit systems are ana­ other words, the probability of lyzed. Figure 2 shows a probabili­ success—for each part in that ty schematic for the simple one- sub-system. A parallel system of tank, one-regulator situation, de­ components has a joint probabili­ scribed above as “unsafe” for cave ty of failure equal to the product of diving. The schematic shown in the individual failure probabilities Figure 2 consists of a linear net­ (see Figure 1). These techniques work of components. The resultant can be used to condense complex system failure probability is simply systems to a series of equivalent one minus the product of the com­ nodes, which can then be plement failure probabilities for all reduced to a system failure prob­ components. The shape of the ability. network, i.e., a straight line, gives For the sake of comparison an effective visual picture of its with other systems, it is neces­ safety shortcomings: a break at sary to define failure probabilities any point will cause the device to for certain types of system com­ cease to carry out its function of ponents. These can be assigned delivering air to . This is proportional to their degree of known as a linear system.

aquaCORPS Journal N12 31 it is complex to use. one-third from one tank, switch regulators, In order to understand and breathe one-third down from the other, this last statement, it is and then promptly return, usually effecting necessary to digress for another switch on the way out. If this pro­ a moment to consider cedure is not used, one runs the risk of the subject of consum­ breathing down the supply in one tank, only ables management. to find a problem with the remaining tank. Theoretically, if a tank On the other hand, a regulator switch is had an hour’s worth of never a simple maneuver on a cave dive. At air in it, one could travel any moment a number of stress risers may from a safe haven to a also be present: an entanglement with a point a half hour away, safety guideline or a load of equipment; The fundamental attribute of a linear and safely return. In practice, however, this zero visibility from either silting or a total system is that failure in any part of the does not work. Any delay on the return trip lighting system failure; and narcosis effects, apparatus causes a system failure. The would result in death. So, how much margin to name a few. redundancy level for this system is thus do you give yourself? The rule which has For this reason, a great deal of thought equal to zero. There are several methods become universally accepted by cave has gone into the design of redundant sys­ for increasing the survival during a cave divers is to use no more than one-third of tems where both output sub-systems can dive when this type of system is used. One the initial starting supply for exploratory access the entire gas supply. Several such method would be to simply employ two sep­ work [see “Blueprint For Survival 2.0,” p designs are summarized in Figure 4. The arate independent systems. This “bi-linear” 37]. The remaining two-thirds is reserved “Dual Manifold, 2 Supply” system is the system (Figure 3) is simply the British cave for exit. The rationale is that if a partner’s Benjamin “Dual Valve Manifold,” still in com­ diver’s “sidemount” rig (or the “Twin K” or life-support apparatus suffers a system fail­ mon use by cave divers. However, independent cylinders system used by ure at the point of maximum distance from from a system failure standpoint, it is not as some US wreck and sump divers). The the safe haven, there must be sufficient good as a bi-linear system, since any fail­ probability of a system failure is theoretical­ reserves to get both divers out. ure in the hard-lined supply will drop the ly sixteen times less than for the linear sys­ Employing a gas consumption rule with a entire system. This is not as unlikely as it tem, and it can tolerate a sub-system fail­ bi-linear system is difficult, since one cannot may sound: several cases have been ure. For later reference, we will define the breathe out of both tanks simultaneously. To reported in which such a failure was trig­ level of redundancy for this system to be really achieve a system failure probability gered by impact with the ceiling while riding equal to one. The drawback to this rig is that decrease of sixteen, one must first breathe a DPV. Thus, what would at first appear to

32 aquaCORPS Journal N12 be a redundant system is, in fact, a modi­ for a simple rebreather. From the fied linear system. principles just discussed, it is immediately In the early 1980s, Sherwood Selpac apparent that this is a linear system, since introduced a variation of the dual-valve failure of any part will cause failure of the BLUE manifold, known as the “Y” valve (see “Dual system. Likewise, because there are more Manifold, 1 Supply” in Figure 4). This also components in the system, the probability permitted the attachment of two output reg­ of failure is higher than for a simple linear WATER ulators, but eliminated several o-rings and open system. The probability schematic for hard joint connections by means of a mono- a typical mixed-gas rebreather is shown in lithically-cast housing. While this is an Figure 6. Once again, this is a fundamen­ DIVERS improvement over the dual-valve manifold in tally linear system, with the exception of the I terms of safety, it is nonetheless still a linear parallel sub-systems which bypass the sec­ system. In addition, it can only be connect­ ond stage diluent regulator and oxygen ed to a single tank, and thus the system is solenoid valve. These bypass valves are a usually range-limited. The best open-circuit definite step in the right direction, but architecture yet devised, from the viewpoint because failure in any sub-system—that is of both system and mission failure, is the to say either of the two supplies, or the “Bi-Linear Cross-Connect” system (Fig-ure processor—can cause a system failure, 4). This is a bi-linear system with a flexible this is not a redundant system. As such, high- manifold and a series of iso­ it cannot be considered safe for cave lation elements. Provided that the isolation diving missions. elements have a low probability of failure (e.g., an extremely reliable shut-off valve), this system combines the best features of dual manifold design and bi-linear supply. Fully-Redundant The resulting system is ten times less likely Rebreathers to suffer a mission failure than a simple bi­ To begin a discussion of fully-redundant linear system. It is, in fact, the first truly closed-circuit scuba, the lessons learned redundant system that has been discussed, from the design of open-circuit systems in that any system output component can may be recalled. The first factor to consider access any gas supply. Further, any faulty is that true redundancy is only achieved component can be isolated from the system when there are multiple output paths which in the event of a failure. can independently access any of at least two independent supply systems. Addi-tion- ally, all sub-systems must be capable of TECH GEAR Closed-Circuit System being isolated from the overall system in the event of their failure. This can be Failure Probability achieved on a sub-system basis by using TECH TRAINING Figure 5 shows a probability schematic the previously developed “Bi-Linear Cross- EANx& CONTINOUS BLENDING SYSTEM A BIT OF REDUNDANCY

System failure probability can be decreased by providing multiple, independent life-support systems (consisting of a gas supply and POSEIDON ’ DUI ’ UWATEC access and control path to the user) within the context of a single-user OMS ’ CRESSI SUB ’ US DIVERS 1device. Increasing the number of paths (gas supplies and output lines) UK ’ DIVE RITE ’ COCHRAN ’ SEA QUEST ’ decreases system failure probability in proportion to the product of the indi­ IKELITE ’ SHERWOOD vidual path failure probabilities. However, system management becomes HENDERSON ’ APOLLO overly complex when more than two independent output paths are employed.

Mission failure probability can be minimized by providing full cross- connections between the gas supplies and output paths. Each cross­ 806 RT 17 N. connect node must be capable of being isolated from the system in the 2event of a component failure. RAMSEY, NJ

The simplest fully-redundant life-support architecture is the Bi-linear 07446-1608 Cross-connect, in which two gas supplies drive dual, independent out­ put lines, which are joined by means of a high pressure cross-connect CALL 3line. Each end of the cross-connect line contains a three-way junction in which each output path from the junction can be closed. 201.32.SCUBA

aquaCORPS Journal N12 33 For serious cove Connect” architecture. For a Type I diluent one considers that the mixed gas system is (e.g., or Trimix) supply, this is shown diving, where on substantially more complex. There is no as in Figure 7. Here a bi-linear cross-con­ comparison with existing Naval rebreathers nected open system has been integrated open-circuit abort on a mission failure basis, since none are with two independent processor circuits. redundant. Note that the second-stage manual bypass scenario is not The fully-redundant architecture de­ circuit has been retained in order to reduce scribed above was implemented by Cis- the probability of a system failure should a possible, full closed- Lunar Development Laboratories, Inc. in failure occur in the second stage. Further­ its MK1 experimental rebreather which more, note that there are two independent was tested at Wakulla Springs during the delivery lines to each of the two proces­ circuit redundancy project. sors. A similar design can be used to con­ struct a Type II oxygen supply for this sys­ is mandatory. tem. The principle difference between Type Bill Stone is Chairman of Cis-Lunar Develop­ II and Type I supplies, again, is that the sec­ ment Laboratories, Inc. He holds seven ond stage regulators used in the Type I (in this case applied to scrubber duration). patents and has been responsible for the supply have been replaced with servo­ However, turning a directional valve is sub­ design of five generations of fully-closed-cir- valves. stantially less stressful than having to cuit life-support backpacks, including the The next step involves the construction switch mouthpieces, as would be the case MK5 system which will make its debut at 96 of a parallel processor output system (right with a bi-linear system. tek. He has organized 27 expeditions related half, Figure 7). Unfortunately, in closed-cir­ The system survival probability for the to cave exploration and was the leader of the cuit diving operations one cannot make use redundant rebreather is approximately four­ 1987 Wakulla Springs Project. In 1994, he of a cross-connect system, since a leak in teen times greater than that for existing used the Cis-Lunar MK4 system to crack the active output line would subsequently mixed-gas rebreathers. Moreover, the mis­ Mexico's Son Agustin Sump, at a depth of flood both scrubbers. Therefore, to safely sion success rate represents a four-fold 4,347 f/1,325 m beneath the surface. This achieve mission range, the user must increase over that for a simple bi-linear article is excerpted from The Wakulla switch processors during the dive and open-circuit (British sidemount) architec­ Springs Project, edited by (US make use of the “thirds” consumption rule ture, and that is a strong statement when Deep Team).

QUALITY TO REMOTE PROBLEMS...

Perry Tritech offers a full range of subsea products and services: • Concept & Design Studies • Product Development • Standard ROV Systems: • Voyager™ - Inspection/Video/Survey • Viper™ - Light Work Class System • Scorpion™ - 75 Shp Work System • Scorpio Cobra™ - Survey Specialist • Triton™ - The Work ROV Standard • Triton™ XL - Heavy Work Class ROV

Perry Tritech, Inc., Jupiter, Florida, Phone: (407) 743-7000, Fax: (407) 743-1313, 24-Hour "Hotline": (407) 346-1522. PERRY TRITECH Perry Tritech, Ltd., Aberdeen, Scotland, Phone: (224) 877 111, Fax: (224) 898 811 Member of the Perry Tritech Asia Pacific, Singapore, Phone: (65) 542 2553, Fax: (65) 542 2464 COFLEXIP STENA OFFSHORE Group

34 aquaCORPS Journal N12