IN THE LOOP

DESIGNING A REDUNDANT LIFE-SUPPORT SYSTEM
by William C. Stone

“A truly redundant system is one in which any component or sub-system—no matter how critical—can fail and yet still leave the system in an operational state.”

aquaCorps Journal N12

Redundancy has long been the watchword in technical diving circles. For good reason. Murphy loves divers of all kinds, particularly tekkies, and the ability to recover from an equipment failure underwater is generally paramount to survival. No one knows this better than underground explorer and rebreather designer Dr. Bill Stone. A mechanical engineer by training, Stone designed his first fully-redundant rebreather, the Cis-Lunar MK1, in 1987 as part of the milestone Wakulla Springs Project. Now, five generations and thousands of underwater hours later, Stone's Cis-Lunar Development Labs is preparing to introduce the fully-redundant MK5 system—an upgrade from the system that Stone's team used to explore the Huautla Plateau in Central Mexico [see "Stoned," N7/C2]—that will be used for the Wakulla 2 project [see p 62]. Here in his classic 1989 treatise on life-support systems, Stone explains some of the basic concepts, methodology, and philosophy behind the design of redundant systems that has guided the development of Cis-Lunar's rebreathers.

Survival Probability

The chief means of achieving true dependability and safety in life-support equipment is by building redundancy into the system. Redundancy implies that several critical components in a life-support system can fail and still leave the user with a functional system.

Just what do we mean by redundancy, and where is it needed? To begin, we need to define a few terms.

The first is System Failure. By this we mean that the portable life-support system has ceased to function and will result in the death of the user unless he or she is able to effect an immediate abort to a safe haven. A safe haven could be taken, for example, to be the water's surface, a diving habitat, or a submarine. In the design of life-support apparatus used in critical locations (such as cave diving), we would like to keep the probability of a system failure to an extremely low value.

In general, the more remote we are from the safe haven, the more unacceptable the prospect of a system failure. In fact, we would like to be able to tolerate a few parts failing and still be able to go on with our job, since in such locations one has likely invested considerable sums of money, time, and effort to train a specialized person or team and place them in the field.

This gives rise to the term Mission Failure. Here we refer to the state of affairs where the system is still operational, but some parts or sub-systems have failed in such a manner as to limit the range of the device. In other words, the mission has to be scrubbed because the individual cannot reach his objective or finish his task, the duration of his life-support device having been shortened. While mission failures are certainly not as serious as system failures, it is desirable that they too have a low probability of occurrence.

We can now define redundancy in terms of the failure modes just described. A redundant system is simply one in which a mission failure is possible. To state that more precisely, a truly redundant system is one in which any component or sub-system, no matter how critical, can fail and yet still leave the system in an operational state. Furthermore, it will be shown that by certain arrangements of components, it is also possible to minimize the probability of a mission failure for any given system.

System Failure Probability Analysis

In order to examine the characteristics of life-support systems, a few probability laws need to be introduced. In this discussion, it is assumed that a life-support apparatus consists of a network of interconnected components whose individual probabilities of failure are independent and otherwise unaffected by the failure of any other component in the system. A sub-system consisting of a string of linearly-connected components has a probability of failure equal to one minus the product of the complement failure probabilities—in other words, the probabilities of success—for each part in that sub-system. A parallel system of components has a joint probability of failure equal to the product of the individual failure probabilities (see Figure 1). These techniques can be used to condense complex systems to a series of equivalent nodes, which can then be reduced to a system failure probability.

“A detailed fault tree component failure probability analysis involves establishing probability distributions for each component—not so easy in reality—and using this data to derive confidence intervals on a likely outcome.”

For the sake of comparison with other systems, it is necessary to define failure probabilities for certain types of system components. These can be assigned in proportion to their degree of complexity and integration. For example, it may be assumed that a 20,000 psi-rated stainless Swagelok tube junction will, for all practical purposes, have a failure probability of approximately zero when the gas pressure it normally carries is limited to 150 psi. On the other hand, certain components such as tank o-rings have been known to blow, although the likelihood of that occurring is small. As the complexity increases, one can, for example, assign a higher probability of failure to a first or second stage regulator. A servo valve, typically used in closed systems, is assigned a still higher probability, since it involves both mechanical moving parts and an electronics interface which can also fail. Although these values are arbitrary, they will serve as suitable relative probabilities for comparing different systems. The accompanying table gives the probability values used for the evaluation.

COMPONENT RELATIVE FAILURE PROBABILITY

The percentage listed for each component is an absolute failure probability. In normal fault-tree analyses, these numbers are assigned a lifetime as well, such that we might have a 1% probability of failure in ten years. These can then be used to evaluate the “mean time between failure” statistic that is the general measure of reliability in the aerospace industry. For this simplified life-support reliability study, I assigned these probabilities to the overall lifetime of the rig, which most would assume at around five years (the depreciation rate for high-tech gear).

  t    tank (o-ring seal)         1.0%
  ie   isolation element          0.1%
  i    instrument (gauge, etc.)   1.0%
  j    hard-lined junction        0.5%
  v    manual valve               1.5%
  vm   manual bypass valve        1.5%
  vs   servo valve                3.0%
  va   auto add valve             1.5%
  sc   scrubber stack             1.0%
  h    flex breathing hose        1.0%
  m    mouthpiece (regulator)     1.0%
  fs   first stage regulator      2.0%
  s    second stage regulator     2.0%

Open-Circuit System Analysis

The principles of redundant design can be best illustrated with a few examples in which familiar open-circuit systems are analyzed. Figure 2 shows a probability schematic for the simple one-tank, one-regulator situation, described above as “unsafe” for cave diving. The schematic shown in Figure 2 consists of a linear network of components. The resultant system failure probability is simply one minus the product of the complement failure probabilities for all components. The shape of the network, i.e., a straight line, gives an effective visual picture of its safety shortcomings: a break at any point will cause the device to cease to carry out its function of delivering air to the diver. This is known as a linear system.

The fundamental attribute of a linear system is that failure in any part of the apparatus causes a system failure. The redundancy level for this system is thus equal to zero. There are several methods for increasing survival during a cave dive when this type of system is used. […] it is complex to use.

In order to understand this last statement, it is necessary to digress for a moment to consider the subject of consumables management. Theoretically, if a tank had an hour's worth of air in it, one could travel from a safe haven to a point a half hour away, and safely return. In practice, however, this does not work. Any delay on the return trip would result in death. So, how much margin do you give yourself? The rule which has become universally accepted by cave divers is to use no more than one-third of […] one-third from one tank, switch regulators, and breathe one-third down from the other, and then promptly return, usually effecting another switch on the way out. If this procedure is not used, one runs the risk of breathing down the supply in one tank, only to find a problem with the remaining tank.

On the other hand, a regulator switch is never a simple maneuver on a cave dive. At any moment a number of stress risers may also be present: an entanglement with a safety guideline or a load of equipment; zero visibility from either silting or a total lighting system failure; and narcosis effects, to name a few. For this reason, a great deal of thought has gone into the design of redundant systems where both output sub-systems can […]
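The two probability laws the article states (a linear chain fails if any part fails; a parallel arrangement fails only if every branch fails) and its component table can be worked through numerically. The following is an added example, not code from the article or from Cis-Lunar. Which components the gas passes through in the one-tank, one-regulator rig of Figure 2 (tank, manual valve, first stage, second stage) and the fully independent doubles arrangement are assumptions made here, since the figures are not reproduced. Beyond the article's closed-form rule, it cross-checks each result with an exhaustive fault-tree enumeration over every fail/intact state, computes the mission-failure probability of the doubles (one branch lost, rig still breathing), and reports the redundancy level as the smallest number of simultaneous component failures that stops the rig, minus one.

```python
"""Series/parallel failure arithmetic for an open-circuit life-support rig.

Added worked example, not code from the article. Component probabilities are
the relative lifetime values from the article's table; which components the
gas passes through in each rig is an assumption made here, since the
article's Figure 2 is not reproduced.
"""
from itertools import combinations, product
from math import prod

# Relative lifetime failure probabilities from the article's table.
COMPONENT_FAILURE = {
    "t": 0.010,   # tank (o-ring seal)
    "ie": 0.001,  # isolation element
    "i": 0.010,   # instrument (gauge, etc.)
    "j": 0.005,   # hard-lined junction
    "v": 0.015,   # manual valve
    "vm": 0.015,  # manual bypass valve
    "vs": 0.030,  # servo valve
    "va": 0.015,  # auto add valve
    "sc": 0.010,  # scrubber stack
    "h": 0.010,   # flex breathing hose
    "m": 0.010,   # mouthpiece (regulator)
    "fs": 0.020,  # first stage regulator
    "s": 0.020,   # second stage regulator
}


def series(*p):
    """Linear chain: fails if any member fails, so P(fail) = 1 - prod(1 - p_i)."""
    return 1.0 - prod(1.0 - x for x in p)


def parallel(*p):
    """Parallel branches: fails only if every branch fails, so P(fail) = prod(p_i)."""
    return prod(p)


# Assumed gas path of the one-tank, one-regulator rig (the article's Figure 2):
# tank -> manual valve -> first stage -> second stage.
SINGLE_RIG = ("t", "v", "fs", "s")
# Assumed independent doubles: two complete single rigs with nothing shared.
DOUBLES = SINGLE_RIG + SINGLE_RIG


def single_rig_works(failed):
    """Linear system: delivers gas only while every part is intact."""
    return not any(failed)


def doubles_work(failed):
    """Either complete branch intact keeps the diver breathing."""
    half = len(failed) // 2
    return not any(failed[:half]) or not any(failed[half:])


def single_rig_failure():
    return series(*(COMPONENT_FAILURE[c] for c in SINGLE_RIG))


def doubles_system_failure():
    branch = single_rig_failure()
    return parallel(branch, branch)


def doubles_mission_failure():
    """Exactly one branch lost: the rig still works, but the dive is scrubbed."""
    branch = single_rig_failure()
    return series(branch, branch) - parallel(branch, branch)


def enumerate_failure(components, works):
    """Brute-force fault tree: sum the probability of every state in which the
    rig no longer works. Failures are independent, as the article assumes."""
    total = 0.0
    for state in product((False, True), repeat=len(components)):
        prob = prod(COMPONENT_FAILURE[c] if f else 1.0 - COMPONENT_FAILURE[c]
                    for c, f in zip(components, state))
        if not works(state):
            total += prob
    return total


def redundancy_level(components, works):
    """Smallest number of simultaneous part failures that stops the rig, minus
    one. Zero means a single failure anywhere is already a system failure."""
    n = len(components)
    for k in range(1, n + 1):
        for subset in combinations(range(n), k):
            state = tuple(i in subset for i in range(n))
            if not works(state):
                return k - 1
    return n


if __name__ == "__main__":
    print(f"single rig  P(system failure)  = {single_rig_failure():.4%}")
    print(f"doubles     P(system failure)  = {doubles_system_failure():.4%}")
    print(f"doubles     P(mission failure) = {doubles_mission_failure():.4%}")
    print("redundancy level: single", redundancy_level(SINGLE_RIG, single_rig_works),
          "doubles", redundancy_level(DOUBLES, doubles_work))
```

The enumeration is exponential in the part count and is only there to confirm the closed-form rule on small networks; for a real rig the condensation into equivalent series and parallel nodes that the article describes is the practical route. Note also what the numbers say about the doubles: the system-failure probability drops by more than an order of magnitude, but the mission-failure probability is roughly double that of the single rig, which is exactly the trade the article's definition of a redundant system accepts.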