Risk Reduction

If assessed risk exceeds risk acceptance criteria, it is necessary to reduce risk before conducting operations. The specific risk reduction steps will depend on the specific risk and circumstances. However, as we consider risk reduction related to electronic systems used in diving and hyperbaric applications, there are a few general principles that will help frame risk reduction activity.

Functional Safety of the Electronic System

When an electronic system is entrusted with a safety critical task, the Functional Safety of that system is critical. One definition of Functional Safety as provided by the International Electrotechnical Commission (IEC) is “the part of the overall safety that depends on a system or equipment operating correctly in response to its inputs”. An electronic control system which is Functionally Safe is therefore a system whose function has been correctly defined and whose reliability is sufficient to achieve an acceptable level of risk. We will use ADS’s Integrity Surface Supplied Diving Computer (SSDC) as an example.

The SSDC is built on hardware and software designed for safety and reliability. On this foundation, the SSDC implements a decompression algorithm which balances decompression time against the risk of Decompression Sickness (DCS). The SSDC platform supports a range of algorithms, and each algorithm carries an inherent risk of DCS for a given dive. If a conservative algorithm is selected and employed on ADS’s highly reliable INTEGRITY platform, a substantial risk reduction can be achieved.

The figure below conceptualizes the risk mitigation for a relatively shallow, no-decompression dive, managed using a reliable INTEGRITY platform with a conservative algorithm. In this example, the unmitigated risk is relatively low and the reliable electronics of the INTEGRITY platform combined with the conservative algorithm provide sufficient risk reduction to produce a residual risk within risk acceptance criteria.

Risk Reduction - Single System

External Risk Reduction

In comparison, a longer and deeper dive, perhaps with decompression requirements, would have greater inherent risk than the shallow no-decompression dive. As a result, it may not be sufficient to rely solely on the reliability of the INTEGRITY platform running a conservative decompression algorithm. Additional risk mitigation may be required. A standard practice would be to provide a recompression chamber at or near the dive site in such a situation. Indeed, many regulatory agencies require a recompression chamber be readily available for deep dives and decompression dives. The figure below conceptualizes how a high integrity electronic system with a conservative algorithm may provide insufficient risk mitigation, but the additional mitigation provided by a recompression chamber with trained personnel could reduce the risk to a tolerable level.

Risk Reduction - Single System

With this Surface Supplied Diving Computer example, an analysis of risk considers the unmitigated risk of the activity, the integrity of the electronic system, the inherent safety of the algorithm being employed, and the risk mitigation provided by other means. These factors are relevant in nearly all risk assessment activities using electronic systems.

Human Factors

It is instructive to note that similar considerations are relevant in risk assessment for operations that do not involve electronic systems. For example, take the surface supplied decompression diving example above, but consider an operation in which decompression tables are managed by humans instead of a decompression algorithm managed electronically: nearly identical issues must be considered. The only difference is that, rather than considering the reliability with which the electronic system performs the decompression calculations, one must consider the reliability with which a human can implement the tables.

With quality-focused modern development practices for electronic systems, such a comparison makes it apparent that automation of decompression management can significantly reduce the probability of errors.

Redundancy

In the deep decompression diving example above, a recompression chamber was used to provide additional risk mitigation. The chamber reduces the severity of the expected outcome from an incident. Another approach, which is often employed with electronic systems in diving and hyperbaric applications, is to use redundant systems. We will use oxygen monitoring and control in a saturation chamber as an example.

The oxygen content of a saturation chamber is monitored to ensure that the oxygen level is maintained within a safe range. When the oxygen level falls due to metabolic consumption, oxygen is automatically added to the chamber. Modern electronic control systems, including ADS’s INTEGRITY Saturation Chamber Controller (SCC), automatically control valves to add oxygen. In more traditional systems a technician performs this control function. In either case, the control function has a certain level of reliability, which may or may not meet an organization's risk acceptance criteria. If the reliability of the control function does not meet the risk acceptance criteria, then additional mitigation is required. One common mitigation is to regularly calibrate the oxygen sensing system. Each calibration serves as a partial function test, reducing the probability that an error will go undetected. Another approach, adopted by some organizations, is to install a redundant or secondary oxygen monitoring system. Such a system might provide an alarm function if the primary control system fails to maintain oxygen levels within correct limits. This arrangement is shown conceptually in the figure below.

Risk Reduction - Single System
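As an added illustration of the redundancy arrangement described above (this is not ADS code and not the logic of any real SCC), the toy simulation below runs a primary oxygen controller alongside an alarm-only secondary monitor and shows why the monitor needs its own sensor; all setpoints, rates, the one-minute tick and the frozen-sensor fault are constructed assumptions.

```python
"""Toy saturation-chamber ppO2 control with a redundant alarm monitor (constructed example)."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

PPO2_SETPOINT = 0.40                 # bar, constructed control target
ALARM_LOW, ALARM_HIGH = 0.35, 0.50   # bar, constructed secondary alarm limits
METABOLIC_DROP = 0.002               # bar lost per minute to metabolic consumption (constructed)
VALVE_PULSE = 0.01                   # bar added per valve actuation (constructed)


@dataclass
class Chamber:
    ppo2: float = PPO2_SETPOINT                 # true chamber ppO2
    primary_stuck_at: Optional[float] = None    # fault injection: primary sensor frozen at this value
    alarms: List[Tuple[int, float]] = field(default_factory=list)
    valve_pulses: int = 0


def primary_reading(ch: Chamber) -> float:
    """What the primary controller's own sensor reports (frozen once the fault is injected)."""
    return ch.ppo2 if ch.primary_stuck_at is None else ch.primary_stuck_at


def primary_control(ch: Chamber) -> None:
    """Primary controller: pulse the O2 valve whenever its own sensor reads below setpoint."""
    if primary_reading(ch) < PPO2_SETPOINT:
        ch.ppo2 += VALVE_PULSE
        ch.valve_pulses += 1


def secondary_monitor(ch: Chamber, minute: int, shared_sensor: bool) -> None:
    """Secondary monitor: alarm only, never control. With its own sensor it sees true ppO2;
    if it is wired to the primary's sensor it inherits the primary's fault (common cause)."""
    reading = primary_reading(ch) if shared_sensor else ch.ppo2
    if not ALARM_LOW <= reading <= ALARM_HIGH:
        ch.alarms.append((minute, round(reading, 3)))


def run(minutes: int, stuck_primary_at_minute: Optional[int] = None,
        shared_sensor: bool = False) -> Chamber:
    """Simulate one tick per minute; optionally freeze the primary sensor at a given minute."""
    ch = Chamber()
    for m in range(minutes):
        ch.ppo2 -= METABOLIC_DROP                      # occupants consume oxygen
        if stuck_primary_at_minute is not None and m == stuck_primary_at_minute:
            ch.primary_stuck_at = ch.ppo2              # primary now believes ppO2 never changes
        primary_control(ch)
        secondary_monitor(ch, m, shared_sensor)
    return ch
```

With a healthy primary the monitor stays silent; after the primary's sensor freezes, an independent monitor alarms within tens of minutes as the true ppO2 drifts out of band, while a monitor sharing the frozen sensor never does.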