Comprehensive list of all accidents

AD_ward9 · 2nd December 2007, 08:13

Updated list. Tally 152.

Thanks to those who have provided corrections and details.

Still working on getting the package to panel members.

Alex

AD_ward9 · 2nd December 2007, 08:41

Quote: (Originally Posted by UWSojourner)

Who could possibly view that as inflammatory?

Are scuba cylinder manufacturers incompetent when a diver has an accident after mixing their own gas? Are reg manufacturer's incompetent if an accident occurs after a diver repairs their own regs?

Your "accuracy" is a point of view in which diver's bear little responsibility for their own safety. If you can't change a battery, then be smart enough to have your unit serviced. It's not incompetent for manufacturers to allow choice -- that's another "accuracy" (i.e. point of view).

The examples you give are fundamentally different in nature to the battery issue.

A dive cylinder is recognised to be a safety critical product so is controlled by legislation, as is the gas that goes into it (at least in Europe). Regs are also recognised as a safety critical component, the performance is controlled by regulations, and service is restricted to trained technicians (I know, how many are monkeys, but this is the ALARP way the manufacturer deals with reg service issues).

Very different situation to the battery running a rebreather: the battery was never designed to run an unstable life critical system, they come in a lot of variations of size, lots of different discharge characteristics (only a small proportion of which are tolerated by the equipment), they do offgas toxic products yet are in the breathing loop in most instances, they are not designed to work under pressure in a moist environment. These factors alone make the design of the primary cell battery incompetent in a safety system, but there is a further factor: MTBF/MTBCF.

The power system is a critical failure point and a designer is obliged to ensure it has the required reliability to meet the overall MTBCF target. To achieve the MTBCF for an unstable life critical system requires multiple power sources for each master node (voting system, in this case a processor). Failure to provide that is incompetent design. Simple as that.

The result of this incompetent design is brownouts that can put controllers into unsafe states, that can hang processors, the solenoid may be cycled during reset power up and down loops, etc.

Incompetent power system design is the root cause of at least three fatal accidents that have been fully investigated, and I have reasonable cause to believe it is the critical event in a fair few others.

Let us not be complacent. There are lessons we can learn already if people want to learn them, that will save diver's lives. Use of falling PPO2 to switch on the rebreather and inject O2 would avoid many accidents, including divers not switching the unit on, it reseting underwater or divers not noticing the handset has gone into in the "wrong mode". Use of competent safety design techniques to ensure there is sufficient power to operate would save some more. Use of Time Triggered Architecture in the software instead of interrupts would reduce the chance of software bugs killing the diver.

There is still a myth going about that "it has never been proven that a rebreather design fault has ever killed a diver". One rebreather (EDO4) has had a prosecutor's office order a complete recall due to a mushroom and spider design defect after a fatal accident where the fault was the root cause: I put it in the list as it is a black and white issue. There are other full accident investigations that prove the rebreather fault has killed the diver, but justice generally works very slowly in getting manufacturers to fix their mistakes. Of course, equipment issues are not all design. The scrubber repacking thread is an excellent example of where there is a gap in training.

Supressing the lessons behind these accidents rather than acting on them causes another family to lose their breadwinner. Another widow/widower. More children without a parent. Trauma and grief. What great benefit to society is there that we should tolerate this? So some companies can save money (i.e. make more profit), by ignoring the standards? Let us get these safety issues identified, recognised and fixed with celerity. If we do this rebreathers will eventually shed their dangerous reputation and the whole industry will grow. The small mindedness in companies dabling in safety products without competent safety engineering is crippling this industry and killing people. Which two divers will it be this month? Getting rid of primary cells powering rebreather controllers, or any other single power source, is a very small first step. A thorough review of the causes of accidents by the training agencies is another.

Alex

**Freef** · 2nd December 2007, 18:32

Disclaimer: I'm an SCR diver!

ECCR controller design.

Here’s my idea for an eCCR controller that self monitors and has as many double checks as I can think of.

Main controller.

Rather than being responsible for all the functions of the Rebreather, it only controls the firing of the solonoid and has a watchdog function to monitor the time since switch on that is also counted by the handsets. If there is a big enough disagree between the three counters the master caution alarms and the eCCR forces the diver into mCCR/bailout mode.

The rechargeable battery can be replaced for a new one, or recharged in situ. It runs at a high enough voltage to maintain the rechargeable batteries in the handsets. Possibly the solonoid is powered by a separate battery.

Solonoid

Has an inbuilt sensor that confirms firing.

Handsets

The handsets carry a lot of safety information and have a redundant system for monitoring the pO2 levels-they do not repeat information from the main controller, but instead monitor the O2 cells themselves.

The dive details are also provided by an inbuilt dive timer-each handset has its own timer and depth sensor for redundancy. If the readings disagree then the Master Caution alarms, but doesn’t force the diver into bailout.

The watchdog system is a simple timer. Each handset, and the main controller, has an inbuilt counter that counts minutes and seconds, then hours and minutes and seconds, since the unit was turned on, and compares them with the other handset and main controller. If the figures disagree by a set amount then the Master Caution goes into alarm.

The firing of the solonoid also resets a counter on the handsets. This is to alert the diver if the solonoid firing is excessive. A ‘last fire’ counter shows when the solonoid last added O2, and the average time between the last 5 or so times the solonoid has operated.

HUD

The HUD is a simple Master Caution device. The LED lights, and audible alarm and vibrating alarm also kick off. Once the alarm has gone off, one handset displays the problem, the other still displays the dive data, but if the normal displays are at fault then the reading that is suspect is replaced by a warning.

Well, that’s the mark 1, and other refinements like CO2 monitoring can also be added.

AD_ward9 · 3rd December 2007, 09:15

There are lots of possible architectures that can be used. TTA is probably the best (safest). The architecture should be reviewed properly, such that the MTBCF is known, and not surprise anyone when units in the field have a MTBCF of under 20 hours (as was the case with two manufacturers).

Incidentally, the architecture you show would have a maximum MTBCF of 100k hours under EN61508: probably a lot less due to the single power source. An acceptable architecture (to EN61508 SIL 3 to 4) would need 100,000,000 to a billion hours.

You may want to debate this on the O.R. thread. The current O.R. units have independent O2 channels, feeding intelligent HUD, Monitor and Controller. They also have injector position monitoring (variable orifice).

My point on this thrad here was simply to emphasise that there are surprising numbers of hypoxia accidents, that do not seem to be down to hardware failure but are due to basic issues that would have been picked up if a proper HAZOP had been done. Some of these lessons can be applied immediately, just by software changes. Others require changes to the power supplies. Others need to be dealt with by the training agencies.

Alex

Quote: (Originally Posted by Freef)

Disclaimer: I'm an SCR diver!

ECCR controller design.

Here’s my idea for an eCCR controller that self monitors and has as many double checks as I can think of.

Main controller.

Rather than being responsible for all the functions of the Rebreather, it only controls the firing of the solonoid and has a watchdog function to monitor the time since switch on that is also counted by the handsets. If there is a big enough disagree between the three counters the master caution alarms and the eCCR forces the diver into mCCR/bailout mode.

The rechargeable battery can be replaced for a new one, or recharged in situ. It runs at a high enough voltage to maintain the rechargeable batteries in the handsets. Possibly the solonoid is powered by a separate battery.

Solonoid

Has an inbuilt sensor that confirms firing.

Handsets

The handsets carry a lot of safety information and have a redundant system for monitoring the pO2 levels-they do not repeat information from the main controller, but instead monitor the O2 cells themselves.

The dive details are also provided by an inbuilt dive timer-each handset has its own timer and depth sensor for redundancy. If the readings disagree then the Master Caution alarms, but doesn’t force the diver into bailout.

The watchdog system is a simple timer. Each handset, and the main controller, has an inbuilt counter that counts minutes and seconds, then hours and minutes and seconds, since the unit was turned on, and compares them with the other handset and main controller. If the figures disagree by a set amount then the Master Caution goes into alarm.

The firing of the solonoid also resets a counter on the handsets. This is to alert the diver if the solonoid firing is excessive. A ‘last fire’ counter shows when the solonoid last added O2, and the average time between the last 5 or so times the solonoid has operated.

HUD

The HUD is a simple Master Caution device. The LED lights, and audible alarm and vibrating alarm also kick off. Once the alarm has gone off, one handset displays the problem, the other still displays the dive data, but if the normal displays are at fault then the reading that is suspect is replaced by a warning.

Well, that’s the mark 1, and other refinements like CO2 monitoring can also be added.

**Freef** · 3rd December 2007, 15:58

Quote: (Originally Posted by AD_ward9)

Incidentally, the architecture you show would have a maximum MTBCF of 100k hours under EN61508: probably a lot less due to the single power source. An acceptable architecture (to EN61508 SIL 3 to 4) would need 100,000,000 to a billion hours.

There are four power sources, or two if you can't count the rechargable batteries in the handsets [the main battery powers the handsets, the ones inbuilt are for backup only]. The solonoid is seperately powered as I understand that there can be an undervolt for the split second it fires

The main point is to prevent hypoxia and to alert the diver to an electronics failure. To that end each handset monitors the cells independently, and independent of the main controller. The other feature is the watchdog counter that begins to count once all three counters are initialises [two on the handsets, one on the controller].

I think that with the watchdog and last fire counters and a seperate pO2 reading from that which controls the solonoid then the controller would become safer. How much safer I don't know.

**UWSojourner** · 3rd December 2007, 16:31

Quote: (Originally Posted by AD_ward9)

The examples you give are fundamentally different ...

A dive cylinder is ... controlled by legislation

the gas that goes into it (at least in Europe) is controlled by legislation.

Regs are ... controlled by regulations

service is ... restricted.

Let us get these safety issues identified, recognised and fixed.

It's your "us" that worries me.

Get your Rebreather on the market and compete. Don't hide behind altruism if your marketing plan is to support your product with governmental authority.

schuka · 3rd December 2007, 20:24

According to the list there has been 10 accidents involving a Megalodon. Are any of these on a Megalodon Copis?

Keep up the good works!

Schuka

AD_ward9 · 3rd December 2007, 21:47

Quote: (Originally Posted by Freef)

There are four power sources, or two if you can't count the rechargable batteries in the handsets [the main battery powers the handsets, the ones inbuilt are for backup only]. The solonoid is seperately powered as I understand that there can be an undervolt for the split second it fires

It is the solenoid power that gives the 100k MTBCF. I did not see the second power source for that controller.

Alex

**Dave Sutton** · 3rd December 2007, 21:48

Quote: (Originally Posted by AD_ward9)

Updated list. Tally 152.

Thanks to those who have provided corrections and details.

Still working on getting the package to panel members.

Alex

Line item 85 (Azimuth) was in Pennsylvania (PA), not NY. I have the rig here in the shop. USN EDU Panama City did forensic investigation of the rig.

Line items 123 & 124 were open circuit aboard the USCGC HEALY. Not rebreather mishaps. Have friends who were aboard the science cruise.

Corrections appreciated.

Dave

AD_ward9 · 3rd December 2007, 21:51

Quote: (Originally Posted by UWSojourner)

It's your "us" that worries me.

Get your Rebreather on the market and compete. Don't hide behind altruism if your marketing plan is to support your product with governmental authority.

"us" there is all rebreather divers.

We have deliberately issued the commercial rebreather to production but declined to release the sports units, and will probably not release them for a couple of years. Our marketing plan is to meet the standards and let customers choose. It has no bearing on this thread other than we require to demonstrate adequate accident review as part of the EN61508 case (which we meet already). This thread is about making sure we, and other manufacturers, as well as training agencies, do not miss anything and cause repeat accidents.

Alex

2nd December 2007, 08:41	#282 (permalink)
AD_ward9 - Current Rebreather/s: Other CCR Other Rebreather/s: Other CCR Join Date: Jun 2005 Location: Scotland Posts: 2,007	Re: Comprehensive list of all accidents Quote: (Originally Posted by UWSojourner) Who could possibly view that as inflammatory? Are scuba cylinder manufacturers incompetent when a diver has an accident after mixing their own gas? Are reg manufacturer's incompetent if an accident occurs after a diver repairs their own regs? Your "accuracy" is a point of view in which diver's bear little responsibility for their own safety. If you can't change a battery, then be smart enough to have your unit serviced. It's not incompetent for manufacturers to allow choice -- that's another "accuracy" (i.e. point of view). The examples you give are fundamentally different in nature to the battery issue. A dive cylinder is recognised to be a safety critical product so is controlled by legislation, as is the gas that goes into it (at least in Europe). Regs are also recognised as a safety critical component, the performance is controlled by regulations, and service is restricted to trained technicians (I know, how many are monkeys, but this is the ALARP way the manufacturer deals with reg service issues). Very different situation to the battery running a rebreather: the battery was never designed to run an unstable life critical system, they come in a lot of variations of size, lots of different discharge characteristics (only a small proportion of which are tolerated by the equipment), they do offgas toxic products yet are in the breathing loop in most instances, they are not designed to work under pressure in a moist environment. These factors alone make the design of the primary cell battery incompetent in a safety system, but there is a further factor: MTBF/MTBCF. The power system is a critical failure point and a designer is obliged to ensure it has the required reliability to meet the overall MTBCF target. To achieve the MTBCF for an unstable life critical system requires multiple power sources for each master node (voting system, in this case a processor). Failure to provide that is incompetent design. Simple as that. The result of this incompetent design is brownouts that can put controllers into unsafe states, that can hang processors, the solenoid may be cycled during reset power up and down loops, etc. Incompetent power system design is the root cause of at least three fatal accidents that have been fully investigated, and I have reasonable cause to believe it is the critical event in a fair few others. Let us not be complacent. There are lessons we can learn already if people want to learn them, that will save diver's lives. Use of falling PPO2 to switch on the rebreather and inject O2 would avoid many accidents, including divers not switching the unit on, it reseting underwater or divers not noticing the handset has gone into in the "wrong mode". Use of competent safety design techniques to ensure there is sufficient power to operate would save some more. Use of Time Triggered Architecture in the software instead of interrupts would reduce the chance of software bugs killing the diver. There is still a myth going about that "it has never been proven that a rebreather design fault has ever killed a diver". One rebreather (EDO4) has had a prosecutor's office order a complete recall due to a mushroom and spider design defect after a fatal accident where the fault was the root cause: I put it in the list as it is a black and white issue. There are other full accident investigations that prove the rebreather fault has killed the diver, but justice generally works very slowly in getting manufacturers to fix their mistakes. Of course, equipment issues are not all design. The scrubber repacking thread is an excellent example of where there is a gap in training. Supressing the lessons behind these accidents rather than acting on them causes another family to lose their breadwinner. Another widow/widower. More children without a parent. Trauma and grief. What great benefit to society is there that we should tolerate this? So some companies can save money (i.e. make more profit), by ignoring the standards? Let us get these safety issues identified, recognised and fixed with celerity. If we do this rebreathers will eventually shed their dangerous reputation and the whole industry will grow. The small mindedness in companies dabling in safety products without competent safety engineering is crippling this industry and killing people. Which two divers will it be this month? Getting rid of primary cells powering rebreather controllers, or any other single power source, is a very small first step. A thorough review of the causes of accidents by the training agencies is another. Alex Last edited by AD_ward9 : 4th December 2007 at 09:22.
(Offline)

3rd December 2007, 09:15	#284 (permalink)
AD_ward9 - Current Rebreather/s: Other CCR Other Rebreather/s: Other CCR Join Date: Jun 2005 Location: Scotland Posts: 2,007	Re: Comprehensive list of all accidents There are lots of possible architectures that can be used. TTA is probably the best (safest). The architecture should be reviewed properly, such that the MTBCF is known, and not surprise anyone when units in the field have a MTBCF of under 20 hours (as was the case with two manufacturers). Incidentally, the architecture you show would have a maximum MTBCF of 100k hours under EN61508: probably a lot less due to the single power source. An acceptable architecture (to EN61508 SIL 3 to 4) would need 100,000,000 to a billion hours. You may want to debate this on the O.R. thread. The current O.R. units have independent O2 channels, feeding intelligent HUD, Monitor and Controller. They also have injector position monitoring (variable orifice). My point on this thrad here was simply to emphasise that there are surprising numbers of hypoxia accidents, that do not seem to be down to hardware failure but are due to basic issues that would have been picked up if a proper HAZOP had been done. Some of these lessons can be applied immediately, just by software changes. Others require changes to the power supplies. Others need to be dealt with by the training agencies. Alex Quote: (Originally Posted by Freef) Disclaimer: I'm an SCR diver! ECCR controller design. Here’s my idea for an eCCR controller that self monitors and has as many double checks as I can think of. Main controller. Rather than being responsible for all the functions of the Rebreather, it only controls the firing of the solonoid and has a watchdog function to monitor the time since switch on that is also counted by the handsets. If there is a big enough disagree between the three counters the master caution alarms and the eCCR forces the diver into mCCR/bailout mode. The rechargeable battery can be replaced for a new one, or recharged in situ. It runs at a high enough voltage to maintain the rechargeable batteries in the handsets. Possibly the solonoid is powered by a separate battery. Solonoid Has an inbuilt sensor that confirms firing. Handsets The handsets carry a lot of safety information and have a redundant system for monitoring the pO2 levels-they do not repeat information from the main controller, but instead monitor the O2 cells themselves. The dive details are also provided by an inbuilt dive timer-each handset has its own timer and depth sensor for redundancy. If the readings disagree then the Master Caution alarms, but doesn’t force the diver into bailout. The watchdog system is a simple timer. Each handset, and the main controller, has an inbuilt counter that counts minutes and seconds, then hours and minutes and seconds, since the unit was turned on, and compares them with the other handset and main controller. If the figures disagree by a set amount then the Master Caution goes into alarm. The firing of the solonoid also resets a counter on the handsets. This is to alert the diver if the solonoid firing is excessive. A ‘last fire’ counter shows when the solonoid last added O2, and the average time between the last 5 or so times the solonoid has operated. HUD The HUD is a simple Master Caution device. The LED lights, and audible alarm and vibrating alarm also kick off. Once the alarm has gone off, one handset displays the problem, the other still displays the dive data, but if the normal displays are at fault then the reading that is suspect is replaced by a warning. Well, that’s the mark 1, and other refinements like CO2 monitoring can also be added.
(Offline)

3rd December 2007, 15:58	#285 (permalink)
Freef Custom Title Disallowed! Current Rebreather/s: Dolphin Other Rebreather/s: Dolphin Join Date: Jan 2006 Location: Land of the Freef, UK. Posts: 1,424	Re: Comprehensive list of all accidents Quote: (Originally Posted by AD_ward9) Incidentally, the architecture you show would have a maximum MTBCF of 100k hours under EN61508: probably a lot less due to the single power source. An acceptable architecture (to EN61508 SIL 3 to 4) would need 100,000,000 to a billion hours. There are four power sources, or two if you can't count the rechargable batteries in the handsets [the main battery powers the handsets, the ones inbuilt are for backup only]. The solonoid is seperately powered as I understand that there can be an undervolt for the split second it fires The main point is to prevent hypoxia and to alert the diver to an electronics failure. To that end each handset monitors the cells independently, and independent of the main controller. The other feature is the watchdog counter that begins to count once all three counters are initialises [two on the handsets, one on the controller]. I think that with the watchdog and last fire counters and a seperate pO2 reading from that which controls the solonoid then the controller would become safer. How much safer I don't know. __________________ David. Diving the mahogany rebreather.
(Offline)

3rd December 2007, 16:31	#286 (permalink)
UWSojourner Pacific Northwest Current Rebreather/s: Megalodon Other Rebreather/s: Join Date: Feb 2005 Location: Portland Oregon Posts: 558	Re: Comprehensive list of all accidents Quote: (Originally Posted by AD_ward9) The examples you give are fundamentally different ... A dive cylinder is ... controlled by legislation the gas that goes into it (at least in Europe) is controlled by legislation. Regs are ... controlled by regulations service is ... restricted. Let us get these safety issues identified, recognised and fixed. It's your "us" that worries me. Get your Rebreather on the market and compete. Don't hide behind altruism if your marketing plan is to support your product with governmental authority.
(Offline)

3rd December 2007, 20:24	#287 (permalink)
schuka New Member Current Rebreather/s: Megalodon Other Rebreather/s: Megalodon Join Date: Nov 2007 Location: Stockholm Posts: 7	Re: Comprehensive list of all accidents According to the list there has been 10 accidents involving a Megalodon. Are any of these on a Megalodon Copis? Keep up the good works! Schuka
(Offline)

3rd December 2007, 21:47	#288 (permalink)
AD_ward9 - Current Rebreather/s: Other CCR Other Rebreather/s: Other CCR Join Date: Jun 2005 Location: Scotland Posts: 2,007	Re: Comprehensive list of all accidents Quote: (Originally Posted by Freef) There are four power sources, or two if you can't count the rechargable batteries in the handsets [the main battery powers the handsets, the ones inbuilt are for backup only]. The solonoid is seperately powered as I understand that there can be an undervolt for the split second it fires It is the solenoid power that gives the 100k MTBCF. I did not see the second power source for that controller. Alex
(Offline)

3rd December 2007, 21:48	#289 (permalink)
Dave Sutton Diveshop of Horrors Current Rebreather/s: Sport Kiss MK 15.X rEvo Other CCR Azimuth Home Build Other Rebreather/s: Evolution Megalodon rEvo Other CCR Azimuth Home Build Join Date: Jun 2006 Location: Narragansett, Rhode Island and Hackettstown, New Jersey Posts: 2,907	Re: Comprehensive list of all accidents Quote: (Originally Posted by AD_ward9) Updated list. Tally 152. Thanks to those who have provided corrections and details. Still working on getting the package to panel members. Alex Line item 85 (Azimuth) was in Pennsylvania (PA), not NY. I have the rig here in the shop. USN EDU Panama City did forensic investigation of the rig. Line items 123 & 124 were open circuit aboard the USCGC HEALY. Not rebreather mishaps. Have friends who were aboard the science cruise. Corrections appreciated. Dave __________________ "Silent Diving with No Bubbles and No Politics".... www.nobubblediving.com Last edited by Dave Sutton : 3rd December 2007 at 21:52.
(Offline)

3rd December 2007, 21:51	#290 (permalink)
AD_ward9 - Current Rebreather/s: Other CCR Other Rebreather/s: Other CCR Join Date: Jun 2005 Location: Scotland Posts: 2,007	Re: Comprehensive list of all accidents Quote: (Originally Posted by UWSojourner) It's your "us" that worries me. Get your Rebreather on the market and compete. Don't hide behind altruism if your marketing plan is to support your product with governmental authority. "us" there is all rebreather divers. We have deliberately issued the commercial rebreather to production but declined to release the sports units, and will probably not release them for a couple of years. Our marketing plan is to meet the standards and let customers choose. It has no bearing on this thread other than we require to demonstrate adequate accident review as part of the EN61508 case (which we meet already). This thread is about making sure we, and other manufacturers, as well as training agencies, do not miss anything and cause repeat accidents. Alex
(Offline)

Thread Tools
Show Printable Version Email this Page
Display Modes
Linear Mode Switch to Hybrid Mode Switch to Threaded Mode