research report 436 - health and safety executive · the tree if event a and event b is true. an or...
TRANSCRIPT
HSE Health & Safety
Executive
Formal risk identification inprofessional SCUBA (FRIPS)
Prepared by Cranfield University for the Health and Safety Executive 2006
RESEARCH REPORT 436
HSE Health & Safety
Executive
Formal risk identification inprofessional SCUBA (FRIPS)
Dr Stephen Tetlow Offshore Technology Centre
Cranfield University College Road
Cranfield Bedfordshire
MK43 0AL
This report describes how fault tree analysis and failure modes and effects criticality analysis (FMECA) can be carried out on activities and hardware typical of a professional SCUBA diving activity. The methodologies are described and conclusions drawn from each technique. Examples are given of how the techniques can be used to assess diver risk in a quantitative way to aid assessing equipment configurations.
This report and the work it describes were funded by the Health and Safety Executive (HSE). Its contents, including any opinions and/or conclusions expressed, are those of the author alone and do not necessarily reflect HSE policy.
HSE BOOKS
© Crown copyright 2006
First published 2006
All rights reserved. No part of this publication may bereproduced, stored in a retrieval system, or transmitted inany form or by any means (electronic, mechanical,photocopying, recording or otherwise) without the priorwritten permission of the copyright owner.
Applications for reproduction should be made in writing to: Licensing Division, Her Majesty's Stationery Office, St Clements House, 2-16 Colegate, Norwich NR3 1BQ or by e-mail to [email protected]
ii
Acknowledgments
Much work for this report was taken from two Cranfield University MSc Research Projects:
G. M. E. Little (2004) Professional SCUBA Diving – When does the risk increase?
and
S. L. Hardy (2001) Risk based design considerations for the Cranfield ‘home build’ closed circuit rebreather
iii
iv
CONTENTS
SUMMARY
1 INTRODUCTION 1
1.1 Aims 1 1.2 Background 1
2 FAULT TREE ANALYSIS (FTA) 3
2.1 Introduction 3 2.1.1 Topology 3 2.1.2 SCUBA Configuration adopted 4
2.2 List of fault trees 5
2.3 Discussion 27 2.3.1 Human factors 27 2.3.2 Pre-dive checks and maintenance 27 2.3.3 Training 28 2.3.4 Stress and panic 29 2.3.5 Design 29 2.3.6 Accident investigation 30
2.4 Quantitative use of fault trees 31
3 FAILURE MODES AND EFFECT CRITICALITY ANALYSIS (FMECA) 35
3.1 High level FMECA 35 3.2 Detailed FMECA 38 3.3 List of FMECA work sheets 39
3.4 FMECA Discussion 57
4 CONCLUSIONS 58
Fault trees 6
FMECA tables 40 Risk Matrix 56
References
v
59
vi
SUMMARY
Fault tree analysis (FTA) and failure mode and effects criticality analysis (FMECA) are two commonly used risk identification techniques. In this report, each technique is used in detail to identify risks encountered by professional SCUBA divers.
The methodology to perform a fault tree analysis (FTA) with the top event being a ‘dead diver’ is described. The topology developed for this particular FTA is explained. Each branch of the tree is evaluated until an end termination is reached which is attributable to a human factor event such as poor training, poor pre-dive checks or poor maintenance. The value of understanding the significance of these events is then described in detail. In addition, stress, design and accident investigation is discussed in relation to the fault tree.
The full fault tree is not evaluated in a quantitative manner. However, in order to demonstrate this aspect of the technique, a quantitative FTA is carried out for two different SCUBA configurations, namely an octopus regulator and pony cylinder with regulator as an alternative air source. A fault tree is developed for each and the Boolean logic applied with some hypothetical failure rates to show that the probability of failure to provide gas with the octopus configuration is greater than that for the pony configuration.
The methodology to perform a failure mode and effects criticality analysis (FMECA) is also described. Both a high level and low level FMECA are given with associated frequency and criticality estimates, together with the resultant risk matrix. A hardware approach is taken and demonstrates that SCUBA equipment is safe if serviced and maintained properly.
In conclusion, risk can be reduced by using pre-dive checks, maintenance and training to minimise the effects of human failure. It is recommended that checklists are adopted, emergency drills practised routinely and design used to minimise confusion. FMECA provides a way to prioritise risk reduction in SCUBA hardware. Finally, it is noted that these techniques are not appropriate to evaluate the cause of most SCUBA fatalities which are usually a sequence of several often unrelated events.
vii
viii
1 INTRODUCTION
1.1 AIMS
The aim of this report is to show how two formal risk identification techniques can be used for commercial SCUBA operations. Fault tree analysis is used to highlight the influence of human factors and FMECA is used to identify hardware risks.
1.2 BACKGROUND
In the UK, the Health and Safety Executive (HSE) regulate commercial diving through the Diving at Work Regulations (DWR) 1997 (SI 1997 No 2776) and its associated ACoPs (Approved Codes of Practices). There are six ACoPs for professional diving and they are as follows:
1. Offshore Diving (Oil & Gas) 2. Inshore Diving (Civil Engineering, Aquaculture) 3. Media Diving (TV etc.) 4. Recreational Diving (Paid Recreational Instructors) & Guides 5. Scientific and Archaeological Diving 6. Police Diving
All these professional sectors except the Offshore Industry use SCUBA. The other five groups employ open circuit SCUBA systems in different configurations regularly. A standard scuba system and diving method does not exist for commercial purposes. In other words, the SCUBA system worn by a professional recreational instructor would bear no relationship to the system worn by a police diver. This situation is understandable as both divers face different circumstances and risks when at work. However, the police diver and the recreational instructor both face the same hyperbaric and physiological risks irrespective of their SCUBA equipment.
Military SCUBA divers in Britain are not regulated by the DWR 1997 but the BR 2806Military Diving Manual; however they must comply with the Health & Safety at Work Act 1974.
Assessing the risk to commercial SCUBA divers in Britain is difficult due to few accidents having taken place and the strict regulations that have to be adhered to while diving. This is not the case in recreational diving where there are a large number of fatalities each year across the globe, and in the USA alone there were 83 deaths in 2002 (DAN, 2004).
In 1997, the HSE commissioned a quantitative risk assessment of SCUBA diving, which was carried out by PARAS Consulting Ltd. The data used for this study came from recreational accident reports produced by the British Sub Aqua Club (BSAC) and the Divers Alert Network (DAN). This recreational diving data analysed by PARAS represented Commercial SCUBA by proxy. In all, one thousand diving accidents were analysed of which there were 286 fatalities. The study revealed that the majority of fatalities resulted from two or more sequential events or ‘contributory causes’ where a contributory cause was defined as either a procedural error or an equipment failure. Of the 269 diving fatalities for which cause information is available, only 12 (4.46%) were attributable to a single contributory cause. The remaining two hundred and fifty seven fatalities probably arose as a result of a progressive sequence of events. Since all of the procedural errors are avoidable by a well-trained, intelligent and alert diver, working in an organised structure, it may be concluded that the low
1
accident rate in commercial SCUBA diving, is due to this factor. It would be impossible to eliminate absolutely all-minor contra-indications of SCUBA diving. This would be a hopeless task, would result in overwhelming bureaucracy and would bring all diving to a halt (HSEPARAS, 1997).
Nevertheless, SCUBA divers are at risk when they are underwater and this report uses two forms of formal risk identification that can be used for SCUBA configurations. Fault tree analysis is used to show the importance of human factors to the ultimate safety of divers. The fault tree is also used to quantify the difference with differing equipment configurations. Failure mode and effects and criticality analysis (FMECA) is used to demonstrate how a formal risk assessment can be carried out on SCUBA hardware.
2
2 FAULT TREE ANALYSIS (FTA)
2.1 INTRODUCTION
Fault tree analysis (FTA) is just one technique for risk identification and assessment. Other methods include brainstorming, Failure Mode and Effects Criticality Analysis (FMECA), Hazard and Operability Studies (HAZOPS), event tree analysis to name a few, all of which are well documented (Billington 1983). A good introduction to the use of FMECA, FTA and reliability block diagrams (RBD) to identify risk in a simple diving life support system can be found in Strutt and Tetlow (1999). In this report, only the fault tree and FMECA will be considered.
For the purposes of the fault tree in this report, the top event considered will be ‘death of the diver’. The analyst then asks the question ‘How does the diver end up dead?’ The response might be EITHER by ‘drowning’ OR by an ‘uncontrolled ascent’ (the assumption is made that a rapid uncontrolled ascent leads to death by barotrauma or severe DCS). The analyst then asks how each event occurs in turn and uses AND and OR gates to link the events into a tree until further resolution of the problem is not possible. An AND gate allows progress up the tree if event A AND event B is true. An OR gate allows progress up the tree if event A OR event B is true.
OR gate AND gate
2.1.1 Topology
As with any fault tree, the topology can vary significantly for each analyst. That is not to say that each fault tree gives a different result since differing topologies can result in the same ‘cut sets’. Cut sets are a combination of components in a system which, when failed, cause a system to fail. They are usually derived using a Boolean expression once the combination of AND and OR gates for a particular fault tree is known.
In this report, we will not be concerned with the Boolean output of the tree but rather the nature of the end events. In this case, it is the process of carrying out a formal risk assessment and seeing the consequences rather than any quantitative result that is our main concern. However, a limited application of the Boolean logic will be applied to compare two forms of alternative air source. See section 2.4.
The topology developed in section 2.2 is based on a number of assumptions which effect its logic. For instance, it will be noticed that many items of ancillary equipment do not feature in the fault tree although they are known to lead to the top event of dead diver. The topology has been chosen such that if good maintenance, pre-dive checks and training are rigorously applied, the top event will not occur. It is known that many accidents occur as a result of a cascade of events from a single failure. The fault tree does not deal with this situation but this is discussed further in Section 2.3.6 ‘Accident investigation’. For instance, loss of a fin strap cannot result in a dead diver since there are 2 buoyancy methods available for a well trained diver to use to gain the surface in a controlled manner. Incorrect use of a delayed surface marker buoy (DSMB) can be considered as a sudden buoyancy event but will not be considered since a DSMB is not considered as primary life support equipment. In situations
3
where a DSMB was part of the basic equipment, it might be included. An alternative tree structure incorporating ancillary equipment can be found in Little (2004).
2.1.2 SCUBA configuration adopted
For the purpose of this report, a simple SCUBA configuration typical of a professional diving instructor has been adopted. Hence, the analysis is based on a diver using a half mask and regulator with no communication. The diver is assumed to have a dry suit and a buoyancy compensator device (BCD). A secondary air source is carried in the form of a pony cylinder and associated regulator.
4
2.2 LIST OF FAULT TREES
Figure 1 Figure 2 Figure 3 Figure 4 Figure 5 Figure 6 Figure 7 Figure 8 Figure 9 Figure 10 Figure 11 Figure 12 Figure13 Figure 14 Figure 15 Figure 16 Figure 17 Figure 18 Figure 19 Figure 20 Figure 21
Dead diver Excess positive Buoyancy Loss of weight belt Dry suit ‘blow up’ BCD ‘blow up’ Panic No gas No gas in cylinder Demand valve free flow Diver used all gas First stage failure Second stage failure Can’t make surface Diver unable to release weights Unable to inflate BCD Unable to inflate Dry suit Unable to push dry suit inflation button Dry suit seals too loose Toxic gas Too deep and wrong mix Stress
5
Figu
re 1
D
ead
Div
er
asce
nt
buoy
ancy
Pa
nic
1 2
5
surf
ace
No
gas
34
NPa
nic
32
Unc
ontro
lled
Sudd
en
Dro
wni
ng
Toxi
c ga
s C
an’t
mak
e o
Gas
Dea
d D
iver
6
Fig
ure
2 Su
dden
buo
yanc
y
1
Loss
of w
eigh
t bel
t D
ry su
it bl
ow u
p B
CD
blo
w u
p
87
6
7
Figu
re 3
L
oss o
f wei
ght b
elt
6
Bel
t Buc
kle
Ope
ns
Lead
wei
ghts
sl
ip
Poor
M
aint
enan
ce
chec
ksch
ecks
chec
ks
Web
bing
Tea
rs Po
or p
re d
ive
Poor
pre
div
e Po
or T
rain
ing
Poor
pre
div
e Po
or T
rain
ing
8
Figu
re 4
D
ry su
it ‘b
low
up’
7
Infla
tion
But
ton
stic
ks
Dum
p V
alve
fails
Poor
Mai
nten
ance
Po
or p
re d
ive
chec
ks
Poor
pre
div
e ch
ecks
Po
or M
aint
enan
ce
9
Figu
re 5
B
CD
‘blo
w u
p’
8
infla
tion
& d
efla
tion
butto
ns
stic
ks
Con
fusi
on o
ver
Infla
tion
butto
n D
ump
Val
ves F
ail
Poor
pre
div
e ch
ecks
Po
or T
rain
ing
Poor
pre
div
e ch
ecks
Po
or M
aint
enan
ce
Poor
pre
div
e ch
ecks
Po
or m
aint
enan
ce
Poor
Des
ign
10
Fig
ure
6 Pa
nic
Pani
c
Uns
uita
ble
2 21
Stre
ss
Poor
trai
ning
te
mpe
ram
ent (
Stre
ss)
11
Figu
re 7
N
o ga
s 3
No
gas
Prim
ary
fails
Se
cond
ary
fails
No
gas i
n R
egul
ator
fails
N
o ga
s in
Reg
ulat
or fa
ils
cylin
der
cylin
der
9 9
1st S
tage
fails
2nd
stag
e fa
ils
1st S
tage
fails
2nd
stag
e fa
ils
11
10
1011
12
failu
re
12
13
Figu
re 8
N
o ga
s in
cylin
der
9
Nr
Free
flow
D
iver
use
d al
l gas
R
egul
ator
/ ho
se
Poor
mai
nten
ance
Po
or p
re d
ive
chec
ks
o ga
s in
cylin
de
13
Figu
re 9
D
eman
d va
lve
free
flow
12
for c
old
wat
er
chec
ks
chec
ks
Reg
ulat
or n
ot fi
t ‘D
ial a
Bre
ath’
Sc
rew
ed o
ut
Poor
pre
div
e Po
or M
aint
enan
ce
Poor
trai
ning
Po
or p
re d
ive
14
Poor
plan
ning
dive
13
Figu
re 1
0 D
iver
use
d al
l gas
pre
div
e ch
ecks
Po
or tr
aini
ng
Poor
trai
ning
Po
or tr
aini
ng
Poor
div
e In
suff
icie
nt g
as a
t sta
rt of
Po
or g
as m
onito
ring
Div
er u
sed
all g
as
15
Figu
re 1
1 Fi
rst s
tage
failu
re
10
Firs
t sta
ge fi
tted
valv
e Fa
ils
chec
ks
Poor
ch
ecks
ch
ecks
Po
or
inco
rrec
tly to
pill
ar
Hig
h Pr
essu
re S
eat
O-r
ing
fails
Poor
Tra
inin
g Po
or p
re d
ive
mai
nten
ance
Po
or p
re d
ive
Poor
pre
div
e m
aint
enan
ce
16
Figu
re 1
2 Se
cond
stag
e fa
ilure
11
Mou
thpi
ece
fails
fa
ils
Poor
M
aint
enan
ce
chec
ks
Poor
M
aint
enan
ce
chec
ks
Poor
M
aint
enan
ce
chec
ks
Poor
M
aint
enan
ce
chec
ks
Sepa
ratio
n Lo
w P
ress
ure
Hos
e Ex
haus
t mus
hroo
m
Dia
phra
gm fa
ils
Poor
pre
div
e Po
or p
re d
ive
Poor
pre
div
e Po
or p
re d
ive
17
Figu
re 1
3
Una
ble
to
4
wei
ght b
elt
Can
’t es
tabl
ish
buoy
ancy
Una
ble
to
infla
te B
C
14
15
16
Can
’t m
ake
surf
ace
infla
te d
ry su
it
Can
’t m
ake
surf
ace
Can
’t re
leas
e
18
Figu
re 1
4 D
iver
una
ble
to r
elea
se w
eigh
ts
14
BC
D p
ocke
ts
Poor
ch
ecks
Wei
ghts
put
in
Poor
trai
ning
m
aint
enan
ce
Poor
pre
div
e
Wei
ght b
elt c
augh
t un
der B
CD
W
eigh
t bel
t buc
kle
dam
aged
In
tegr
ated
wei
ghts
ca
ught
in B
CD
chec
ks
Poor
pre
div
e Po
or tr
aini
ng
chec
ks
Poor
pre
div
e Po
or tr
aini
ng
19
Figu
re 1
5 U
nabl
e to
infla
te B
CD
15
No
gas t
o in
flate
B
CD
Poor
M
aint
enan
ce
chec
ks
3
Poor
M
aint
enan
ce
chec
ks
valv
e 17
Bro
ken
infla
tion
mec
hani
sm
BC
D p
unct
ured
Poor
pre
div
e Po
or p
re d
ive
Div
er u
nabl
e to
pu
sh in
flatio
n In
corr
ect h
ose
Con
fusi
on o
ver
conn
ectio
n in
flatio
n/de
flatio
n bu
ttons
chec
ks
Poor
ch
ecks
Po
or tr
aini
ng
Poor
pre
div
e tra
inin
g Po
or p
re d
ive
20
Figu
re 1
6 U
nabl
e to
infla
te d
rysu
it
No
gas t
o in
flate
su
it
3
16
Inco
rrec
t hos
e co
nnec
tion
Poor
di
ve c
heck
s Po
or
dive
che
cks
Infla
tion
valv
e br
oken
train
ing
Poor
pre
m
aint
enan
ce
Poor
pre
Una
ble
to p
ush
infla
tion
valv
e D
ry su
it pu
nctu
red
Suit
seal
s too
loos
e
17
Poor
di
ve c
heck
sm
aint
enan
ce
Poor
pre
18
21
Figu
re 1
7 U
nabl
e to
pus
h dr
y su
it in
flatio
n bu
tton
17
stuc
k C
an n
ot a
cces
s bu
tton
Infla
tion
butto
n
Poor
mai
nten
ance
Po
or p
re d
ive
chec
ks
Poor
pre
dive
che
cks
Poor
trai
ning
22
Figu
re 1
8 D
ry su
it se
als t
oo lo
ose
18
Seal
s per
ishe
d
chec
ks
chec
ks
Poor
M
aint
enan
ce
Inco
rrec
t siz
e se
al
Poor
trai
ning
Po
or p
re d
ive
Poor
pre
div
e
23
Figu
re 1
9 T
oxic
gas
5
Nitr
ogen
H
ypox
ia
Hyp
erox
ia
Car
bon
Hyp
erca
pnia
N
arco
sis
Mon
oxid
e po
ison
ing
Con
tam
inat
ed
Und
erve
ntila
tion
gas
Too
Wro
ng
Wro
ng
Too
Wro
ng
deep
m
ix
mix
de
ep
mix
Po
or
train
ing
Poor
tra
inin
g
19
20
20
1920
24
Figu
re 2
0 T
oo D
eep,
Wro
ng m
ix 19
Poor
tra
inin
g Po
or d
ive
plan
ning
Poor
tra
inin
g
20
Poor
pre
-di
ve c
heck
s Po
or
train
ing
25
21
Figu
re 2
1 Fa
ctor
s lea
ding
to d
iver
stre
ss
2
Loss
of
Red
uced
vis
ibili
ty
Peer
pre
ssur
e
Task
load
ing
)
Col
dSe
asic
knes
s Ill
ness
/inju
ry Ex
erci
se
Loss
of
Red
uced
vis
ibili
ty
Peer
pre
ssur
e
Task
load
ing
)
#
Low
ered
phy
sica
l com
pete
nce*
Phys
ical
fact
ors
Psyc
holo
gica
l fac
tors
Low
ered
men
tal a
bilit
y to
cop
e*
Emot
iona
l sta
te
com
mun
icat
ion M
arin
e ha
zard
s (R
eal o
r per
ceiv
edUnf
amili
ar
surr
ound
ings
Ill fi
tting
/ mal
func
tioni
ng
equi
pmen
t Ef
fect
s of b
reat
hing
ga
s und
er p
ress
ure
Deh
ydra
tion
Dru
gs/a
lcoh
ol
Emot
iona
l sta
te
com
mun
icat
ion M
arin
e ha
zard
s (R
eal o
r per
ceiv
edUnf
amili
ar
surr
ound
ings
Psyc
holo
gica
l fac
tors
26
2.3 DISCUSSION
It should be appreciated that the OR gate provides no defence to propagation of a failure through the fault tree. Hence, for an event such as ‘BCD (or dry suit) inflation button sticks’ (due to poor maintenance)(Figure 5), the failure will result in sudden buoyancy and uncontrolled ascent resulting in death as defined. Of course, in most case the maintenance failure is unlikely to lead to the end event but it does illustrate one limitation of the fault tree, namely that it is time independent and does not account for subsequent actions of the diver. Unlike the OR gate, the AND gate will arrest propagation of an event since it requires the failure of 2 or most events simultaneously. It will be noticed that AND gates feature in the ‘out of gas’ situations shown in the tree because a pony cylinder configuration has been considered.
2.3.1 Human factors
It will be seen that the majority of branches of the tree terminate in either poor dive planning, poor maintenance or poor training. These 3 events often occur together in different combinations but it should be recognized that there are inter-relationships between these events. For instance, poor training will lead to poor pre-dive checks. Nevertheless, some effort has been made to separate them out and in the fault tree shown the end events can be broken down as follows.
Table 1 Summary of end events from the fault tree End event Number of occurrences Poor pre-dive checks 103 Poor maintenance 73 Poor training 47
2.3.2 Pre-dive checks and maintenance
The above table shows the importance of pre-dive checks to open water SCUBA. The following points can be highlighted.
• Although some items end in pre-dive checks, they might not normally be part of a pre-dive check to all divers – an example might be visual inspection of low pressure hoses. This is an example of where maintenance might replace the role of pre-dive checks.
• Some items ending in pre-dive checks cannot be functionally checked such as dump valves.
• The thoroughness of some pre-dive checks might depend on both training and experience. Checks can often depend on how the diver was taught to carry them out and they will be further modified based on his subsequent experiences. For instance, a diver might have experienced a BCD or dry suit inflation hose coming off during a dive and check it is properly connected during pre-dive checks on subsequent dives. One way to overcome some of these problems is to use a checklist as adopted routinely by other professionals such as airline pilots. This would act as a defence not only to failing part of a pre-dive check but would also prevent poor training leading to poor pre-dive checks.
The value of the fault tree is that it identifies items to be checked prior to the dive which could be included on a pre-dive check list and if an item cannot be checked in this way, it should be covered as a maintenance item with a suitable inspection interval or an alternative defense against failure should be put in place.
27
2.3.3 Training
Training has a number of roles for the diver. Firstly, it teaches the diver an understanding of the environment they are operating in. It is essential that training adequately and sufficiently familiarize the diver with the equipment. Finally, emergency responses are especially important in diving and training prepares a diver by providing the correct response and allowing practise in a safe environment.
One of the main aims of training is to maximize the time available to deal with a situation by removing as many processes as possible from working memory. Working memory is a temporary ‘storage unit’ that retains information until it is used or stored in long-term memory. It is also used as a workspace where information retrieved from long-term memory can be compared, evaluated and examined (Wickens, 1992).
Utilizing working memory requires use of limited ‘attention resources’. The more resources that an individual process requires, the less that remains available for the remaining processes. The more resources required by sensory processing, perception, response selection and execution, the less remains available for working memory. This can be seen in rule- and knowledge-based behaviors. Rule-based behaviour requires a hierarchy of rules to be brought into working memory until a decision and response selection is made. Knowledge-based behaviour is even more demanding due to the complete absence of pre-determined rules or response patterns. In order for a plan of action to be devised, as much information as possible pertaining to the situation, such as environmental conditions, equipment capabilities, etc. must first be collated into working memory and analysed. As well as taking up valuable resources, these two forms of response behaviour also take time, which may not be available in an emergency situation. To minimize the dependency on working memory, behaviour needs to be skill-based, whereby a response stored in long-term memory is triggered automatically by a specific stimuli (Wickens, 2000) such as an out of air situation for example. The degree of automaticity is determined by the amount of practise acquired by the diver in a particular situation as a result of training and experience.
The advantages of this reduced dependency on working memory becomes particularly apparent in an emergency situation. Just as stress has been shown to have a narrowing effect on perception and selective attention (Wickens, 2000), stress of perceived danger, anxiety and even noise have been consistently shown to reduce the capacity of working memory (Wickens, 2000). This reduction in capacity severely restricts the utilization of both rule- and knowledge-based behaviour and may also affect the performance of any behaviour that is derived from these processes. Actions may become prone to error and accuracy reduced. Unless information has been well- or over-learned, retrieval of information (i.e. behavioural responses) from long-term memory is also restricted by the effects of stress (Wickens, 2000). Wickens (Wickens, 1992) identifies a number of studies that have demonstrated the minimal effect of stress in direct retrieval of information from long-term memory, including Wickens, Stokes, Barnett and Hyman (1991), Stokes, Belger and Zhang (1990) and Berkun (1964).
It therefore follows that as stress will be experienced to the greatest extent in the event of a failure, training should ensure that sufficient and adequate attention is paid to emergency procedures. These should be performed to the extent that corrective responses become extremely well learned and firmly implanted into long-term memory. Not only will this ensure that a diver has the greatest possible chance of reacting positively in a given situation, but will also increase the diver’s confidence in his or her own knowledge and ability. This will reduce feelings of stress and anxiety in an emergency situation also helping to improve performance.
28
If a diver is made to experience all potential failures and can perform corrective measures in conditions of varying visibility, temperature and depth, then the probability of panic occurring during a real failure event can be reduced. If training shows a diver to be incapable of dealing with a failure event in less than ideal situations, then thought should be given as to the suitability of the individual for diving.
As a final thought on training, SCUBA divers rarely practise self- rescue skills in a habitual manner. The exceptions are those who take part in the training of others where the need to impart their skills requires them to reinforce their own. For divers not involved in regular training consideration should be given to practising some of these skills on a regular basis so they also derive the benefit of reinforcing a reaction to an emergency situation.
2.3.4 Stress and Panic
For the purpose of this report, the fault tree was developed to emphasis the importance of human factors to the top event. It will be recognized that many external and environmental factors can also contribute to an accident. In this case, these external issues have been included in a sub-tree referred to as ‘stress’ (Figure 21). In the fault tree, stress can lead to panic. There is no way to completely avoid or prevent stress during diving. The question is how the diver will react when stressful situations do occur (Bachrach, 1982). Most investigators in the field of diving highlight that successfully dealing with stress begins during training. Nevo & Breitstein, 1999, suggested that panic might be prevented in the following ways:
• Improving physical fitness - Divers who are fit and have no medical contra indications may combat cold and fatigue more easily.
• Acquiring solid professional knowledge of diving, diving equipment and ‘watermanship’ - knowing the real risks of diving prevents unrealistic fears from taking over.
• Practicing responses to emergency situations until this response becomes automatic. Divers should practice emergency response techniques such as buddy breathing, out-of-air scenarios and emergency ascents until they are ‘over learned’.
• Improving psychological fitness – Spigolon & Dell’oro (1985) proposed that autogenic training might be useful to divers. This involves learning techniques that break the vicious circle that goes from difficult situation to anxiety to panic. A diver who, when confronted by difficulties, can direct himself to ‘Relax-Breathe easily-Think’ will be in a better frame of mind to help himself and others. Also, Griffith et al. (1985) showed that, by using techniques, which combine relaxation and cognitive rehearsal, it is possible to reduce state anxiety among diving students and to improve their execution of diving skills.
The reader will recognize that the above can be attributed ultimately to human factors and would be greatly reduced with good training, maintenance, pre-dive checks and diver fitness.
2.3.5 Design
Poor design has not been widely included in the fault trees but is worth consideration. To reduce the amount of required training and yet still maintain or increase user safety, consideration must be given to the design of equipment and its ease of use by the diver. Ergonomics plays a vital role in human/machine interaction success, and failure modes arising from poor design could easily be added to the FTA to complement or even replace some of those faults currently attributed to poor training. For instance, confusion over
29
inflation/deflation of a BCD (Fig 5 and 15) can occur but can arguably be taken away by design as well as training. Similarly, an inadvertent opening of a weight belt buckle could be due to design.
In human factors terms errors fall into three categories; slips, lapses and mistakes. Slips and lapses occur in very familiar tasks that are often carried out with little conscious attention. These ‘skill-base’ tasks are vulnerable to errors especially when attention is diverted elsewhere even momentarily. Mistakes are either knowledge- or rule-based. Mistakes can be reduced by increasing knowledge through training, but slips are prevented by improving both system and task design, which in this case would be ensuring the process of BCD inflation is sufficiently dissimilar to deflation to capture a possible error.
Norman (1988) identified four key points relating to ideal equipment design as a defence against an error.
• Minimise perceptual confusions • Make the execution of action and the response of the system visible to the operator • Use constraints to lock out the possible cause of errors • Avoid multimode systems
Some BCD inflation and deflation arrangements clearly contradicts some of the above.
2.3.6 Accident investigation
The fault tree identifies single failures that might propagate to a more serious incident – such as inflation button sticks. In fact, unsurprisingly, the topology of the fault tree used in this report reflects well the finding of the PARAS report for fatalities resulting from a single contributory cause. These are listed in Table 2 and it will be noted that air embolism due to breath-hold ascent is represented as uncontrolled ascent in the fault tree. Hence, despite being ‘backward looking’ accident investigation can affect both the understanding to produce a fault tree but also allow some degree of checking that all past accidents feature in the fault tree in some way.
Table 2. Fatalities resulting from a single contributory cause (from PARAS 1997). Air embolism due to breath-hold ascent 6 Loss of consciousness 3 Difficulty with buoyancy control 2 Carbon monoxide poisoning 1 Total 12
As an observation, it should be noted that the fault tree topology was derived by an experienced diver reflecting on what leads to the death of a diver rather than initially using the PARAS data to derive it. It is conforting however, to see PARAS data confirm the topology to some extent.
The limitation of the fault tree is that many fatalities are a result of a number of causative factors as concluded in the PARAS report. When a number of causative factors are involved, other risk techniques might be more appropriate such as the ‘Bow tie diagram’ (Miles 2005) which can be used to identify defences that can be put in place to minimize escalation of the initial event to further consequences.
30
2.4 QUANTITATIVE USE OF FAULT TREES
The fault tree shown links a number of actions through a network of logical gates. If the probability of failure of the actions is known, Boolean logic allows the probability of the top event to be calculated. Although this has not been done for the whole tree in this case, it might be useful to consider the technique for a smaller part of the tree.
It should be noticed that loss of gas is critical at both a high and lower level in the fault tree. At a high level it can lead both to drowning and to a rapid ascent to the surface but at a lower level it can result in a failure of buoyancy mechanisms. As a demonstration of the use of Boolean, a situation where the diver has no breathable air is considered with two common scenarios, namely the use of the octopus and the pony cylinder to provide redundancy.
An octopus setup is shown in Figure 22 and the pony setup in Figure 23. Both trees have the same top event of ‘no gas’ and terminate in the same events namely failure of first and second stages or no gas in the cylinder. Obviously the pony configuration has an extra cylinder and first stage and the logic of the tree is slightly different.
Boolean for Octopus setup (Figure 22)
X = A + Y Y = B +Z Z = C.C
X = A + (B + Z) X = A + B + C.C
Boolean for Pony setup (Figure 23)
X = Y.Y Y = A + Z Z = B + C
X = (A + B + C)2
X = A2 + B2 + C2 + 2AB + 2AC + 2BC
Note the squared terms are not reduced because they are the different pieces of equipment with the same functionality.
Calculation of probability of out of air situation
If we assume the probability of no gas in cylinder is quite high and for the purposes of this example a value of 0.1 can be adopted (A = 0.1). The probability of a first or second stage failure is less than the above and for the purpose of this example a value of 0.01 will be adopted for both cases (B = 0.01, C = 0.01).
Based on the above probabilities put into the Boolean statements above, the probability of no gas with the Octopus setup is 0.1 while the probability of no gas from the pony setup is 0.01, an order of magnitude less. Of course, great care should be exercised in the use of these numbers. They are for a specific case of providing gas to one diver and do not consider providing gas to buoyancy devices or to a second diver. However, they do provide an illustration of how the Boolean can be used in a fault tree.
31
No
gas
No
gas i
n cy
linde
r O
ctop
us
Reg
ulat
or fa
ils
1st S
tage
fails
2nd
stag
e fa
ils
X
A
Y
B
Z
C
Oct
o1 fa
ils
Oct
o2 fa
ils
Figu
re 2
2 F
ault
tree
for a
n oc
topu
s ar
rang
emen
t
32
C
A
No
gas N
o ga
s in
cylin
der
Reg
ulat
or fa
ils
1st S
tage
fails
2nd
stag
e fa
ils
No
gas i
n cy
linde
r R
egul
ator
fails
1st S
tage
fails
2nd
stag
e fa
ils
Seco
ndar
y fa
ils
X
Y
Y
Z A
Z
B
C
B
Prim
ary
fails
Figu
re 2
3 F
ault
tree
for p
ony
arra
ngem
ent
33
C
If quantitative analysis was to be carried out for the whole tree, there are techniques available to derive a value for a human factors based activity. These techniques include HEART, THERP, ASEP, TESEO and SHARP.
34
3 FAILURE MODES AND EFFECT CRITICALITY ANALYSIS
3.1 HIGH LEVEL FMECA
Failure modes and effect criticality analysis (FMECA) is a widely used risk identification methodology. The three stages to the analysis are self evident perhaps contributing to its wide spread use.
FMECA can be carried out at differing levels of complexity from a high levels system analysis to a low level hardware analysis where individual items are considered. Often a fault tree analysis will be carried out prior to the FMECA to help identify all the risks to be evaluated and whereas the FT in this report was taken down to human factor end events, it could equally have terminated in hardware items that could be used in the FMECA.
The first example shown below is for a high level FMECA. In the first task, the analyst must attribute values to frequency and criticality for the task to be carried out. For the purpose of this study, the following 5 level frequency and criticality values were established.
Table 3 Frequency ranking and definition Number Frequency 1 Possible but never experienced 2 Occurs once in a divers career 3 Expected to occur 2-5 times in a career 4 Likely to occur 1/year 5 A common event
Table 4 Criticality ranking and definition Number Criticality 1 No impact on dive 2 Inconvenience 3 Serious incident 4 Diver seriously injured 5 Diver dies
The number of levels and how these are attributed is entirely up to the analyst and will often depend on his experience in a particular field. It will be noted that the above definitions are very general. However, the definitions given for the more detailed FMECA later in this report are more highly focused.
In the second stage of the FMECA process the analyst uses worksheets to consider each hardware component, assess the failure mode and effect of the failure and then attribute a frequency and criticality as defined above. For a high level analysis, equipment is considered at a high level of functionality.
The final stage of the FMECA process is the input of the frequency and criticality values into a risk matrix as shown in Figure 24. The risk matrix provides a graphical view of comparative risk and allows the analyst to identify which items should be considered in order to reduce the risk. In this case items 1.1, 4.1, 6.1 and 6.2 might be considered in priority to the others.
35
3.1.
1 H
igh
leve
l FM
ECA
wor
kshe
et
Com
pone
nt
Failu
re M
ode
Eff
ect
Fre
q.
Cri
t.
1.
Cyl
inde
r
2.
Reg
ulat
or
3.
Con
tent
s gau
ge
4.
BC
D
5.
Fins
6.
Mas
k
1.1
Expl
odes
1.
2 V
alve
com
es o
ff
1.3
Val
ve st
uck
clos
ed
1.4
Val
ve st
uck
open
1.
5 U
nsec
ured
to B
CD
2.1
Free
flow
2.
2 Fa
lls a
part
2.3
Leak
s 2.
4 B
urst
hos
e
3.1
No
read
ing
3.2
Inco
rrec
t rea
ding
3.
3 B
urst
hos
e
4.1
Infla
tion
stuc
k op
en
4.2
Infla
tion
brok
en
4.3
Can
not r
etai
n ai
r 4.
4 D
ump
brok
en
5.1
Stra
p/bu
ckle
bre
aks
5.2
Foot
poc
ket r
ippe
d
6.1
Stra
p br
eaks
6.
2 Le
aks
Expl
osiv
e re
leas
e of
gas
Ex
plos
ive
rele
ase
of g
as
Not
abl
e to
acc
ess g
as
Can
not r
emov
e re
gula
tor
May
pul
l reg
ulat
or o
ut
Rap
idly
use
s gas
, diff
icul
t to
brea
the
May
not
pro
vide
air
Air
and
wat
er m
ix
Less
air
prov
ided
Div
er u
naw
are
of c
onte
nts
Div
er m
isin
form
ed o
f the
ir ai
r sta
tus
Gau
ge m
ay n
ot fu
nctio
n, lo
osin
g ai
r
Sudd
en b
uoya
ncy
Can
not u
se B
CD
C
anno
t ret
ain
buoy
ancy
C
anno
t dum
p ai
r
Loos
e fin
, los
s of p
ropu
lsio
n/st
abili
ty/li
ft Im
paire
d pr
opul
sion
/sta
bilit
y/lif
t
Poss
ible
loss
of m
ask
and
sigh
t Ir
ritat
ion,
pos
sibl
e pa
nic
with
oth
er
circ
umst
ance
s
1 1 2 3 3 3 3 3 3 2 2 3 3 2 3 3 4 3 4 5
5 4 2 1 3 3 3 3 3 3 3 2 4 3 3 2 2 2 3 2
36
Freq
uenc
y
5 6.
2
4 5.
1 6.
1
3 1.
4 3.
3, 4
.4,
5.2
1.5,
2.1
, 2.
2, 2
.3,
2.4,
4.3
4.1
2 1.
3 3.
1, 3
.2,
4.2
1 1.
2 1.
1
1 2
3 4
5
Crit
ical
ity
Figu
re 2
4 H
igh
leve
l FM
ECA
risk
mat
rix
37
3.2 DETAILED FMECA
In the following pages a more detailed FMECA is considered. The frequency and criticality definitions shown below are less general than previously.
Table 5 Frequency ranking and definition. Number Frequency 1 Failure 1 in every 5000 dives 2 Failure 1 in every 2000 dives 3 Failure 1 in every 1000 dives 4 Failure 1 in every 100 dives 5 Failure 1 in every 10 dives
Table 6 Criticality ranking and definition. Number Criticality 1 No significance 2 Minor discomfort 3 Major discomfort 4 Failure of diving operation 5 Immediate threat to diver’s life
In the FMECA considered, equipment was chosen that would be deemed to fulfill a range of HSE ACoPs. It would be impossible to complete a thorough FMECA of all SCUBA used in Britain due to the number of different regulators, dry suits, full-face masks etc. that are available for retail. Components common to all SCUBA hardware were analysed and ranked according to frequency and criticality in worksheets.
38
3.3 LIST OF FMECA WORKSHEETS
3.3.1 FMECA worksheet: BCD 3.3.2 FMECA worksheet: Lifeline 3.3.3 FMECA worksheet: Fins 3.3.4 FMECA worksheet: Drysuit 3.3.5 FMECA worksheet: Full face mask (AGA) 3.3.6 FMECA worksheet: Full face mask (AGA) Demand Valve
(Positive & Negative Pressure Version) 3.3.7 FMECA worksheet: First stage regulator (Diaphragm) Poseidon or
Apeks Part 1 3.3.8 FMECA worksheet: Communications ‘Hard Wire’ or ‘Thru-water’ 3.3.9 FMECA worksheet: Low pressure hoses 3.3.10 FMECA worksheet: Submersible Pressure Gauge 3.3.11 FMECA worksheet: Depth Gauge (Analogue or Digital) 3.3.12 FMECA worksheet: Diving cylinder 3.3.13 FMECA worksheet: Bailout side block
3.3.14 FMECA Risk Matrix
39
3.3.
1 FM
ECA
WO
RK
SHEE
T 1:
BC
D
Com
pone
nt
Failu
re M
ode
Eff
ect
Freq
. C
rit.
1.1
Bla
dder
1.2
Infla
tor U
nit
1.3
Web
bing
stra
ps &
Q
uick
rele
ase
buck
les
1.4
Low
pre
ssur
e In
flatio
n ho
se
1.5
Gas
Dum
p V
alve
s
1.6
Mal
e/Fe
mal
e qu
ick
conn
ecto
r bet
wee
n ho
se
and
infla
tor
Punc
ture
/Tea
r
Infla
tor s
eize
s ope
n In
flato
r sei
zes c
lose
d
Web
bing
tear
s
Bur
sts
Bec
omes
blo
cked
O
-rin
g fa
ils
Seiz
e op
en
Seiz
e cl
osed
Fails
to c
onne
ct
Div
er lo
ses c
ontro
l of b
uoya
ncy
Too
muc
h ga
s in
the
blad
der,
exce
ssiv
e bu
oyan
cy, r
apid
asc
ent,
DC
S, E
mbo
lism
et
c.
No
gas i
njec
ted
into
bla
dder
, no
buoy
ancy
pr
ovid
ed.
BC
D b
ecom
es lo
ose-
stre
ss o
n th
e di
ver.
BC
D c
ould
be
pote
ntia
lly lo
st-
unco
ntro
lled
buoy
ancy
.
No
gas s
uppl
ied
from
firs
t sta
ge re
gula
tor
to th
e bu
oyan
cy b
ladd
er.
Gas
lost
from
BC
D, n
o bu
oyan
cy, H
2O
will
ent
er b
ladd
er.
Too
muc
h ga
s in
the
blad
der,
exce
ssiv
e bu
oyan
cy, r
apid
asc
ent,
DC
S, E
mbo
lism
et
c.
No
gas t
o in
flate
bla
dder
.
2 2 2 2 2 2 2 2 2
4 4 4 4 4 4 4 4 4
40
3.3.
2 FM
ECA
WO
RK
SHEE
T 2:
LIF
ELIN
E
Com
pone
nt
Failu
re M
ode
Eff
ect
Freq
. C
rit.
2.1
Car
abin
eer
2.2
Kno
t at t
he c
arab
inee
r
2.3
Rop
e M
ater
ial
Lock
ing
gate
scre
wed
ope
n C
arab
inee
r met
al fa
ils
Kno
t tie
d in
corr
ectly
R
ope
mat
eria
l fai
ls
Rop
e no
t stro
ng e
noug
h R
ope
fray
ed
(i) P
hysi
cal c
onta
ct lo
st w
ith d
iver
(ii
) Rop
e si
gnal
s (co
mm
unic
atio
ns) l
ost
(i) P
hysi
cal c
onta
ct lo
st w
ith d
iver
(ii
) Rop
e si
gnal
s (co
mm
unic
atio
ns) l
ost
(i) P
hysi
cal c
onta
ct lo
st w
ith d
iver
(ii
) Rop
e si
gnal
s (co
mm
unic
atio
ns) l
ost
1 1 1 1 1 1
4 4 4 4 4 4
41
3.3.
3 FM
ECA
WO
RK
SHEE
T 3:
FIN
S
Com
pone
nt
Failu
re M
ode
Eff
ect
Freq
. C
rit.
3.1
Rub
ber S
trap
3.2
Mal
e/Fe
mal
e Q
uick
re
leas
e bu
ckle
3.3
Fin
Bla
de
3.4
Foot
Poc
ket
Rub
ber p
eris
hed
Rub
ber c
ut/s
ever
ed
Buc
kle
brea
ks
Fails
to k
eep
stra
p ta
ut
Rub
ber/P
last
ic b
reak
s fac
ture
s
Cra
cked
Pe
rishe
d
Fin
lost
, pro
puls
ion
is lo
st, a
nd b
uoya
ncy
may
bec
ome
unco
ntro
llabl
e in
sea
with
cu
rren
ts, t
ide
and
swel
l.
Fin
lost
, pro
puls
ion
is lo
st, a
nd b
uoya
ncy
may
bec
ome
unco
ntro
llabl
e in
sea
with
cu
rren
ts, t
ide
and
swel
l
Inef
ficie
nt P
ropu
lsio
n
Fin
beco
mes
loos
e, in
effic
ient
pro
puls
ion,
po
tent
ial l
oss o
f fin
.
3 3 2 2
3 3 3 3
42
3.3.
4 FM
ECA
WO
RK
SHEE
T 4:
DR
Y SU
IT
Com
pone
nt
Failu
re M
ode
Eff
ect
Freq
. C
rit.
4.1
Vul
cani
sed
rubb
er.
4.2
Neo
pren
e/La
tex
seal
s
4.3
Infla
tion
Val
ve
4.4
Dry
Zip
4.5
Def
latio
n V
alve
(a
utom
atic
/cuf
f dum
p)
Suit
punc
ture
d
Tear
in se
al a
t the
nec
k or
wris
t
No
infla
tion
Seiz
es w
hile
infla
ting
Zip
brea
ks, b
ecom
es u
ndon
e or
par
ts fr
om su
it m
ater
ial
Fails
to d
ump
gas
Leak
s wat
er
Leak
s gas
Ingr
ess o
f wat
er in
to su
it, lo
ss o
f bu
oyan
cy, l
oss o
f the
rmal
insu
latio
n.
Pote
ntia
l pro
blem
s with
hyp
othe
rmia
, D
CS,
Nar
cosi
s and
stre
ss. P
oten
tial h
ealth
ris
k if
dive
r is i
n po
llute
d w
ater
.
Wat
er in
gres
s is s
ubje
ct to
size
of t
ear
Suit
sque
eze,
loss
of b
uoya
ncy
maj
or
disc
omfo
rt.
Ove
r inf
latio
n of
suit,
loss
of b
reat
hing
ga
s, ra
pid
asce
nt. P
oten
tial f
or D
CS,
em
bolis
m e
tc.
Wat
er in
gres
s is s
ubje
ct to
size
of b
reak
Ove
r inf
latio
n, ra
pid
buoy
ancy
etc
. W
ater
Ingr
ess e
tc.
Suit
sque
eze,
loss
of b
reat
hing
gas
thro
ugh
cont
inua
l inf
latio
n
3 2 2 2 2 3 2 2
3 3 3 4 3 4 3 3
43
3.3.
5 FM
ECA
WO
RK
SHEE
T 5:
FU
LL F
AC
E M
ASK
(AG
A) P
art 1
C
ompo
nent
Fa
ilure
Mod
e E
ffec
t Fr
eq.
Cri
t.
5.1
Stra
p/Sp
ider
5.2
Stra
p/Sp
ider
Buc
kle
5.3
Rub
ber S
eal/S
kirt
5.4
Lens
5.5
Dem
and
Val
ve st
ainl
ess
stee
l jub
ilee
clip
Rub
ber b
reak
s
Clip
fails
Punc
ture
or t
ear i
n sk
irt, f
ailu
re o
f joi
nt
betw
een
rubb
er a
nd p
last
ic le
ns fr
ame.
Lens
cra
cked
or b
roke
n
Join
bet
wee
n le
ns a
nd fr
ame
fails
Dem
and
Val
ve lo
st fr
om m
ask
Pote
ntia
l for
mas
k lo
ss a
nd fl
oodi
ng. L
oss
of v
isio
n an
d co
mm
unic
atio
ns w
ith
surf
ace.
Una
ble
to re
ad d
epth
/pre
ssur
e ga
uge.
Mas
k be
com
es lo
ose,
liab
le to
floo
d,
disc
omfo
rt fo
r div
er
Leak
age
of w
ater
into
the
mas
k, lo
ss o
f vi
sion
, dis
com
fort
for t
he d
iver
, bre
athi
ng
gas c
onsu
med
in c
lear
ing
mas
k
Leak
age
of w
ater
into
the
mas
k, lo
ss o
f vi
sion
, dis
com
fort
for t
he d
iver
, bre
athi
ng
gas c
onsu
med
in c
lear
ing
mas
k
Leak
age
of w
ater
into
the
mas
k, lo
ss o
f vi
sion
, dis
com
fort
for t
he d
iver
, bre
athi
ng
gas c
onsu
med
in c
lear
ing
mas
k
Wat
er fl
oods
into
the
mas
k, lo
ss o
f vis
ion,
di
scom
fort
for t
he d
iver
, bre
athi
ng g
as
cons
umed
in c
lear
ing
mas
k
3 2 2 2 2 2
4 4 4 4 4 5
44
3.3.
5 FM
ECA
WO
RK
SHEE
T 5:
FU
LL F
AC
E M
ASK
(AG
A) P
art 2
C
ompo
nent
Fa
ilure
Mod
e E
ffec
t Fr
eq.
Cri
t.
5.6
Nos
e Eq
ualis
atio
n Pa
d
5.7
Plas
tic fr
ame
mou
ldin
g ar
ound
lens
5.8
Plas
tic F
ram
e se
curin
g sc
rew
s
5.9
Ora
l nas
al a
ssem
bly
Pad
brea
ks o
r is l
ost
Bre
ak/c
rack
Lens
may
fall
out o
f the
fram
e du
e to
lost
or
loos
e sc
rew
s.
Mus
hroo
m v
alve
s fai
l or t
ear i
n as
sem
bly
Div
er h
as tr
oubl
e in
equ
alis
ing
ears
, un
able
to d
esce
nd, p
oten
tial t
o bu
rst a
n ea
rdru
m e
tc.
Leak
age
of w
ater
into
the
mas
k, lo
ss o
f vi
sion
, dis
com
fort
for t
he d
iver
, bre
athi
ng
gas c
onsu
med
in c
lear
ing
mas
k
Leak
age
of w
ater
into
the
mas
k, lo
ss o
f vi
sion
, dis
com
fort
for t
he d
iver
, bre
athi
ng
gas c
onsu
med
in c
lear
ing
mas
k
Bre
athi
ng d
ead
spac
e is
incr
ease
d. R
isk
of
hype
rcap
nia
etc.
2 2 2 2
4 4 4 5
45
3.3.
6 FM
ECA
WO
RK
SHEE
T 6:
FU
LL F
AC
E M
ASK
(AG
A) D
eman
d Va
lve
(Pos
itive
& N
egat
ive
Pres
sure
Ver
sion
) Par
t 1
Com
pone
nt
Failu
re M
ode
Eff
ect
Freq
. C
rit.
6.1
Low
pre
ssur
e ho
se
6.2
Val
ve S
eat
6.3
Val
ve O
rific
e
6.4
Cou
nter
Pre
ssur
e A
ssem
bly
6.5
Seal
ing
Sprin
g
6.6
Leve
r Ass
embl
y
Blo
cked
by
debr
is e
tc.
Rup
ture
/leak
of h
ose
Can
not o
pen
Can
not c
lose
Blo
cked
by
debr
is o
r mec
hani
cal d
amag
e
Exce
ssiv
e op
enin
g of
val
ve se
at
Insu
ffic
ient
ope
ning
of v
alve
seat
Exce
ssiv
e fo
rce
on c
ount
er p
ress
ure
Ass
embl
y
Insu
ffic
ient
forc
e on
cou
nter
pre
ssur
e as
sem
bly
Ben
t/Bro
ken
Fails
to o
pera
te w
hen
dive
r dem
ands
gas
Failu
re o
f gas
supp
ly to
dem
and
valv
e Lo
ss o
f bre
athi
ng g
as a
nd b
ailo
ut g
as
depe
ndin
g on
FFM
bai
lout
syst
em.
Lack
of b
reat
hing
gas
Lo
ss o
f bre
athi
ng g
as to
am
bien
t wat
er.
No
brea
thin
g ga
s
Too
muc
h ga
s sup
plie
d an
d lo
st
Insu
ffic
ient
bre
athi
ng g
as su
pplie
d
Exce
ssiv
e re
sist
ance
to in
hala
tion,
in
suff
icie
nt g
as su
pplie
d to
the
dive
r and
po
tent
ial C
O2 b
uild
up
Loss
of b
reat
hing
thro
ugh
free
flow
.
Con
tinua
lly lo
ss o
f bre
athi
ng g
as
Bre
athi
ng g
as n
ot su
pplie
d on
dem
and
1 1 1 1 1 1 1 1 1 1 1
5 5 4 4 5 4 4 5 5 2 5
46
3.3.
6 FM
ECA
WO
RK
SHEE
T 6:
FU
LL F
AC
E M
ASK
(AG
A) D
eman
d Va
lve
(Pos
itive
& N
egat
ive
Pres
sure
Ver
sion
) Par
t 2
Com
pone
nt
Failu
re M
ode
Eff
ect
Freq
. C
rit.
6.7
Dem
and
Val
ve H
ousi
ng
6.8
Exha
ust D
iaph
ragm
Seal
not
cre
ated
aga
inst
am
bien
t wat
er.
Fails
to se
al, m
ay b
e to
rn, p
eris
hed.
Air
cann
ot b
e su
pplie
d on
dem
and
and
hous
ing
flood
s, di
ver m
ay a
spira
te w
ater
.
Air
cann
ot b
e su
pplie
d on
dem
and
and
hous
ing
flood
s, di
ver m
ay a
spira
te w
ater
1 1
4 4
47
3.3.
7 FM
ECA
WO
RK
SHEE
T 7:
Firs
t sta
ge re
gula
tor (
Dia
phra
gm) P
osei
don
or A
peks
Par
t 1
Com
pone
nt
Failu
re M
ode
Eff
ect
Freq
. C
rit.
7.1
Cap
ture
d O
-rin
g at
mal
e D
IN c
onne
ctio
n.
7.2
DIN
thre
ads
7.3
Seal
ing
Sprin
g
7.4
Dia
phra
gm
7.5
Val
ve S
eat
O-r
ing
is p
eris
hed/
torn
etc
.
Thre
ads a
re d
amag
ed/ri
vete
d
No
pres
sure
on
diap
hrag
m d
ue to
mec
hani
cal
failu
re.
Exce
ssiv
e pr
essu
re o
n di
aphr
agm
due
to d
ebris
or
free
zing
. Sp
ring
lose
s mec
hani
cal t
ensi
on
Dia
phra
gm is
split
/torn
Dia
phra
gm o
bstru
cted
by
debr
is
Seat
fails
due
to w
ear a
nd te
ar
Seat
fails
to o
pen
Hig
h-pr
essu
re g
as is
lost
to a
mbi
ent
wat
er.
Firs
t sta
ge n
ot c
onne
cted
pro
perly
, po
tent
ial f
or fi
rst s
tage
to b
low
from
pi
llar v
alve
.
Dia
phra
gm d
oesn
’t cl
ose,
no
brea
thin
g ga
s sup
plie
d to
div
er o
r for
buo
yanc
y.
Inte
r sta
ge p
ress
ure
incr
ease
s, fr
ee fl
ow
will
occ
ur, b
reat
hing
gas
lost
. R
educ
ed g
as fl
ow to
the
dive
r
Gas
not
regu
late
d w
hich
will
lead
to fr
ee
flow
In
ter-
stag
e pr
essu
re c
anno
t inc
reas
e w
ith
ambi
ent p
ress
ure,
redu
ced
gas f
low
to
dive
r
Hig
h in
ter-
stag
e pr
essu
re, f
ree
flow
N
o br
eath
ing
gas s
uppl
ied
1 1 1 1 1 2 2 2 1
4 4 5 5 5 4 4 4 5
48
3.3.
7 FM
ECA
WO
RK
SHEE
T 7:
Firs
t sta
ge re
gula
tor (
Dia
phra
gm) P
osei
don
or A
peks
Par
t 2
Com
pone
nt
Failu
re M
ode
Eff
ect
Freq
. C
rit.
7.6
Push
Rod
7.7
Popp
et
7.8
Low
pre
ssur
e po
rts (x
4)
7.9
Hig
h Pr
essu
re P
orts
(x 2
)
7.10
Pop
pet O
-rin
g
7.11
UN
F B
lank
por
ts
Mec
hani
cal f
ailu
re
Fails
to c
lose
, val
ve re
mai
ns o
pen
Fails
to o
pen,
val
ve re
mai
ns c
lose
d
Blo
cked
by
debr
is
Leak
age
of g
as d
ue to
faile
d O
-rin
g
Blo
cked
by
debr
is
Leak
age
of g
as d
ue to
faile
d O
-rin
g
Ove
r sea
l pop
pet
Und
er se
al p
oppe
t due
to w
ear a
nd te
ar.
O-r
ing
peris
hed
or sp
lit
Can
not p
ress
uris
e po
ppet
. No
gas s
uppl
ied
to th
e di
ver
Hig
h in
ter s
tage
pre
ssur
e le
ads t
o fr
ee
flow
Lo
w in
ter s
tage
pre
ssur
e, n
o ga
s sup
plie
d to
div
er
Gas
not
supp
lied
to d
iver
, BC
D o
r dry
su
it.
Loss
of g
as to
am
bien
t wat
er
Gas
not
supp
lied
to S
PG
Hig
h Pr
essu
re g
as lo
st to
am
bien
t wat
er
Popp
et is
jam
med
uns
tabl
e in
ter s
tage
pr
essu
re
Hig
h Pr
essu
re a
ir le
aks i
nto
low
pre
ssur
e ch
ambe
r, fr
ee fl
ow
Loss
of b
reat
hing
gas
1 1 1 1 1 1 3 3 1
5 5 4 4 4 5 3 4 4
49
3.3.
8 FM
ECA
WO
RK
SHEE
T 8:
Com
mun
icat
ions
‘Har
d W
ire’ o
r ‘Th
ru-w
ater
’ C
ompo
nent
Fa
ilure
Mod
e E
ffec
t Fr
eq.
Cri
t.
8.1
‘Com
ms.’
Rop
e
8.2
Div
ers M
icro
phon
e
8.3
Div
ers e
arpi
ece
8.4
Mar
sh M
arin
e C
onne
ctor
8.5
Surf
ace
Uni
t
8.6
Surf
ace
Tran
sduc
er U
nit
(thru
-wat
er c
omm
s)
8.7
Div
ers T
rans
duce
r Uni
t
Seve
red/
dam
aged
Fails
due
to w
ater
ingr
ess
Fails
due
to w
ater
ingr
ess
Fails
due
to w
ater
ingr
ess o
r wire
s dam
aged
Fails
due
ele
ctric
al d
amag
e or
pow
er fa
ilure
Fails
due
ele
ctric
al d
amag
e or
pow
er fa
ilure
Fails
due
to e
lect
rical
dam
age
or p
ower
fa
ilure
Fa
ils d
ue to
wat
er in
gres
s
Voi
ce a
nd p
hysi
cal c
omm
unic
atio
n lo
st to
th
e di
ver
Voi
ce c
omm
unic
atio
n lo
st in
one
dire
ctio
n
Voi
ce c
omm
unic
atio
n lo
st in
one
dire
ctio
n
All
com
mun
icat
ions
lost
All
com
mun
icat
ions
lost
All
com
mun
icat
ions
lost
All
com
mun
icat
ions
lost
2 1 1 1 1 1 1
4 3 3 4 4 4 4
50
3.3.
9 FM
ECA
WO
RK
SHEE
T 9:
Low
pre
ssur
e ho
ses
Com
pone
nt
Failu
re M
ode
Eff
ect
Freq
. C
rit.
9.1
Dry
suit
hose
9.2
BC
D In
flatio
n ho
se
9.3
BC
D a
uto-
air h
ose
9.4
Dem
and
Val
ve h
ose
Hos
e ru
ptur
es, s
ever
ed, p
eris
hes
Mal
e/fe
mal
e qu
ick
disc
onne
ct c
oupl
ing
fails
(i)
Hos
e ru
ptur
es, s
ever
ed, p
eris
hes
(ii)
Mal
e/fe
mal
e qu
ick
disc
onne
ct
coup
ling
fails
(see
wor
kshe
et 1
)
(i)
Hos
e ru
ptur
es, s
ever
ed, p
eris
hes
(ii)
Mal
e/fe
mal
e qu
ick
disc
onne
ct
coup
ling
fails
(see
wor
kshe
et 1
) (ii
i) Lo
ss o
f gas
to A
AS
See
wor
kshe
et 6
(i)
Low
pre
ssur
e br
eath
ing
gas
lost
(ii
) Su
it ca
nnot
be
infla
ted,
suit
sque
eze,
loss
of b
uoya
ncy.
(i)
Low
pre
ssur
e br
eath
ing
gas
lost
(ii
) Lo
ss o
f buo
yanc
y et
c. (s
ee
wor
kshe
et 1
)
(i)
Low
pre
ssur
e br
eath
ing
gas
lost
(ii
) Lo
ss o
f buo
yanc
y et
c. (s
ee
wor
kshe
et 1
) (ii
i) A
AS
is m
ade
redu
ndan
t
See
wor
kshe
et 6
1 1 1 1 1 1 1
4 4 4 4 4 4 4
51
3.3.
10 F
MEC
A W
OR
KSH
EET
10: S
ubm
ersi
ble
Pres
sure
Gau
ge
Com
pone
nt
Failu
re M
ode
Eff
ect
Freq
. C
rit.
10.1
Hig
h Pr
essu
re H
ose
10.2
Sw
ivel
Cou
plin
g
10.3
Ana
logu
e G
auge
10.4
Ana
logu
e G
auge
Fac
e
Hos
e ru
ptur
es, s
ever
ed, p
eris
hed,
scre
w th
read
s fa
il
(i)
Mec
hani
cal F
ailu
re o
f cou
plin
g (ii
) O
-rin
g fa
ils
Not
cal
ibra
ted
corr
ectly
Cra
ck o
r Mec
hani
cal f
ailu
re o
f gau
ge
Cat
astro
phic
loss
of b
reat
hing
gas
.
(i)
Cat
astro
phic
loss
of b
reat
hing
ga
s. (ii
) B
reat
hing
gas
lost
but
not
ca
tast
roph
ic
Div
er u
naw
are
of re
mai
ning
gas
supp
ly
Cat
astro
phic
loss
of b
reat
hing
gas
1 1 1 2 1
5 5 4 3 5
52
3.3.
11 F
MEC
A W
OR
KSH
EET
11: D
epth
Gau
ge (A
nalo
gue
or D
igita
l) C
ompo
nent
Fa
ilure
Mod
e E
ffec
t Fr
eq.
Cri
t.
11.1
Rub
ber w
rist s
trap
11.2
Buc
kle
(sta
inle
ss/p
last
ic)
11.3
Bat
tery
11.4
Dep
th G
auge
Fac
e
Rub
ber t
orn/
seve
red
Mec
hani
cal f
ailu
re o
f buc
kle
Pow
er su
pply
to d
igita
l gau
ge fa
ils
Face
is c
rack
ed/m
echa
nica
lly fa
ils
Dep
th G
auge
is lo
st
Dep
th G
auge
is lo
st
Dep
th c
anno
t be
mea
sure
d by
the
dive
r
Div
er c
anno
t see
dep
th m
easu
rem
ent
2 2 1 1
3 3 3 3
53
3.3.
12 F
MEC
A W
OR
KSH
EET
12: D
ivin
g C
ylin
der
Com
pone
nt
Failu
re M
ode
Eff
ect
Freq
. C
rit.
12.1
Ste
el V
esse
l
12.2
Pill
ar/C
ross
flow
val
ve
12.3
O-r
ing
at c
ylin
der n
eck
12.4
Nee
dle
Val
ve
12.5
O-r
ing
with
in n
eedl
e va
lve
12.6
DIN
thre
ads i
n cr
oss f
low
va
lve
Frac
ture
/rupt
ure
of c
ylin
der b
ody
Failu
re o
f scr
ew th
read
s on
cylin
der n
eck
or
pilla
r/cro
ss fl
ow b
ody
Failu
re o
f sea
l due
to p
eris
hing
/spl
ittin
g.
(i)
Lock
s ope
n (ii
) Lo
cks c
lose
d
Failu
re o
f sea
l due
to p
eris
hing
/spl
ittin
g
DIN
thre
ads f
ail d
ue to
wea
r and
tear
Expl
osiv
e re
leas
e of
bre
athi
ng g
as
Expl
osiv
e re
leas
e of
bre
athi
ng g
as
Gas
rele
ase
may
slow
or e
xplo
sive
(i)
Bre
athi
ng g
as su
pply
can
not b
e ac
cess
ed
(ii)
Gas
supp
ly c
anno
t be
isol
ated
if
requ
ired
Gas
flow
to re
gula
tor i
sn’t
seal
ed, g
as
leak
s to
ambi
ent w
ater
Expl
osiv
e re
leas
e of
bre
athi
ng g
as
1 1 1 1 1 2 1
5 5 5 4 4 4 5
54
3.3.
13 F
MEC
A W
OR
KSH
EET
13: B
ailo
ut s
ide
bloc
k C
ompo
nent
Fa
ilure
Mod
e E
ffec
t Fr
eq.
Cri
t.
13.1
Non
retu
rn v
alve
13.2
Nee
dle
Val
ve
13.3
Nee
dle
Val
ve o
-rin
g
13.4
UN
F sc
rew
thre
ads
13.5
UN
F B
lank
Por
ts
Mec
hani
cal f
ailu
re o
f non
retu
rn v
alve
(i)
Nee
dle
Val
ve lo
cks s
hut
(ii)
Nee
dle
Val
ve lo
cks o
pen
Peris
hed
or sp
lit
LP h
oses
cou
plin
gs n
ot g
as-ti
ght
O-r
ing
peris
hed
or sp
lit
Bai
lout
gas
may
lost
thro
ugh
seve
red
prim
ary
first
stag
e ho
se
(i)
Emer
genc
y br
eath
ing
gas c
anno
t be
acce
ssed
from
bai
lout
bot
tle
(ii)
Emer
genc
y br
eath
ing
gas c
anno
t be
isol
ated
if n
ot re
quire
d
Fails
to se
al g
as fl
ow, g
as le
aks
Loss
of b
reat
hing
gas
Loss
of b
reat
hing
gas
1 1 1 1 1 1
5 5 4 4 4 4
55
3.3.
14 F
MEC
A C
RIT
ICA
LITY
MA
TRIX
5 4 3 2 1 13
.2.
1 2
3 4
5
3.1,
3.2
, 4.1
, 7.1
0.
4.5,
5.1
, 7.1
0.
3.3,
3.4
, 4.2
, 4.3
, 4.4
, 4.5
, 10.
3,
11.1
, 11.
2.
1.1,
1.2
, 1.3
, 1.4
, 1.5
, 1.6
, 4.3
, 5.
2, 5
.3, 5
.4, 5
.6, 5
.7, 5
.8, 7
.4,
7.5,
8.1
, 12.
5.
5.5,
5.9
.
8.2,
8.3
, 11.
3, 1
1.4.
2.
1, 2
.2, 2
.3, 6
.2, 6
.4, 6
.6, 6
.7,
6.8,
7.1
, 7.2
, 7.8
, 7.9
, 7.1
1, 8
.4,
8.5,
8.6
, 8.7
, 9.1
, 9.2
, 9.3
, 10.
2,
12.4
, 13.
2, 1
3.3,
13.
4, 1
3.5.
6.1,
6.3
, 6.5
, 6.6
, 7.3
, 7.5
, 7.6
, 7.
7, 7
.9, 1
0.1,
10.
2, 1
0.4,
12
.1, 1
2.2,
12.
3, 1
2.6,
13.
1,
FRE QUE NCY OF OCCUR ANCE
CR
ITIC
ALI
TY L
EV
EL
56
3.4 FMECA DISCUSSION
FMECA is a useful technique for formal risk assessment of hardware at both a high and low level. At the high level, a single piece of hardware such as a regulator is taken and its failure modes are considered. The obvious high level failure would be failure to provide gas. At a low level as seen in the work sheets, it is possible to take a piece of diving equipment such as a regulator and break it down into its constituent parts.
Several observations of FMECA can be seen from the high level analysis. • Even though the full range of values for frequency and criticality are used, most failures
occupy the mid range. • The technique does not differentiate hardware and human failures. Although both can be
defined in a similar way, in reality there are differences. For instance, a hardware failure may clearly occur once in a divers life time or several times in a divers lifetime. However, a diver can influence a failure rate once he has had the first failure of a particular kind. Awareness and ‘experience’ may then prevent this happening several times in a life time.
• FMECA does not account for when the failure occurs. Consequences of the dump valve not working are different when on the surface prior to a dive and when making a rapid ascent.
• A failure of an individual item might not in itself have a high consequence. For instance, loss of a fin strap in itself should not be catastrophic, but with a series of other events, the outcome could be significantly different.
The FMECA matrix (Section 3.3.14) clearly shows that SCUBA equipment has a high level of criticality but low frequency of occurrence as one would expect for life support equipment. It is difficult to ascertain the actual failure rates of SCUBA equipment, as manufacturers are very reluctant to divulge such details if they exist at all. Training organizations have incident reporting systems which include equipment failure but this is not the same as evaluation of a piece of equipment by a trained technician.
The main conclusion that can be drawn from the FMECA is that SCUBA hardware is inherently safe if serviced and maintained properly. Groups such as the MoD and Police forces dive SCUBA everyday and have a policy of maintaining their equipment to the highest standards. This practice should eliminate all potential equipment failure modes.
57
4 CONCLUSIONS
Fault tree analyst and failure modes effect criticality analysis (FMECA) provide an easy to use formal risk identification techniques for diving experts not specialized in risk analysis.
Fault trees can be used to visualise the effects of human factors to a serious end event in professional SCUBA diving. Upon analysis, pre-dive check are the most important issue followed by maintenance and training.
Human factors are inter-related but the following should be considered. • Checklists can aid pre-dive checks and offset failings in training. • Emergency drills should be practiced routinely to minimize use of working memory in
stressful situations. • Equipment design can minimize confusion
The Bolean relationship in fault trees can be used to quantitatively compare different SCUBA configurations. The probability of a octopus configuration not providing air was compared with a secondary pony configuration.
FMECA provides a way to risk identification at both a high functional level and a low hardware based level.
FMECA allows the analyst to produce a risk matrix to prioritise failure modes.
One of the weaknesses of both FTA and FMECA is that they do not deal with multiple contributory causes and consequences well. Previous studies based on accidents have found a sequence of events have led to fatal situations. Other risk analysis techniques might be more appropriate to analysing these situations.
58
References
Bachrach, A J (1982) ‘The human in extreme environments’, Environment and Health, Vol. 4, Chapter 8, pp 211-236, New Jersey, USA.
Berkun M M (1964) Performance decrement under psychological stress. Human Factors 6:21-30
Billington R Allen R N (1983) Reliability evaluation of engineering systems – concepts and techniques. Pitman publishing. London
DAN (2004) ‘Report on Decompression Illness, Diving Fatalities and Project Dive Exploration’, DAN’s Annual Review of Recreational Scuba Diving Injuries and Fatalities Based on 2002 Data, Divers Alert Network, North Carolina, USA.
Griffiths T J et al. (1985) ‘The effects of relaxation and cognitive rehearsal on the anxiety levels and performance of scuba students’, International Journal of Sports Psychology, Vol.16, pp113-119.
Hardy S L (2001) Risk based design considerations for the Cranfield ‘home build’ closed circuit rebreather
HSE-PARAS (1997) A Quantitative risk assessment SCUBA Diving, PARAS, Isle of Wight, England.
Little G (2004) Professional SCUBA Diving – When does the risk increase? MSc thesis. Cranfield University
Miles (2005) ‘The visual and diagrammatic representation of safety’ Cranfield University Lecture notes.
Nevo B Breitstein S (1999) Psychological and Behavioral Aspects of Diving, Best Publishing Company, USA.
Norman D (1988) The psychology of everyday things Harpur and Row. New York
Spigolon L Dell’oro A (1985) ‘Autogenic Training in Frogmen’, International Journal of Sports Psychology. Vol. 16, No. 4, pp 312-320.
Strutt J Tetlow S (1994) Risk and reliability analysis of a diving bell life support system: a workshop exercise SUT Underwater Technology Vol 20 Number 1
Stokes A Belger A F and K Zhang K (1990) Investigating factors comprising a model of pilot decision II: Anxiety and cognitive strategies in expert and novice aviators. Savoy II. University of Illinois aviation research technical report no. ARC 90-8/SCEEE 90-2
Wickens C D Stokes A F Barnett B and Hyman F (1991) The effects of stress on pilot judgement in a MIDIS simulator. In: O. Svenson and J. Maule (eds.), Time Pressure and Stress in Human Judgement and Decision Making. Cambridge University press.
Wickens C D (1992) Engineering Psychology and Human Performance. 2nd Edition. Harpur Collins
Wickens C D Holland J G (2000) Engineering Psychology and Human Performance. 3rd Edition. Prentice-Hall Inc.
59
Printed and published by the Health and Safety ExecutiveC30 1/98
Published by the Health and Safety Executive 04/06
RR 436