An appropriate safety-critical software architecture, such as Time Triggered Architecture (TTA), would avoid this fault by allocating a time slice in which the fundamental life support functions are executed, regardless of the activity level in other routines. However, no such architecture is used. Put in simple terms: these handsets should never have a mode whereby they sit waiting for input from the diver and ignore the fact that the oxygen level is plummeting.
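As an added illustration (not code from the report, the manufacturer or any real handset): a simulated time-triggered schedule in C, in which the oxygen-control task has its own slot every period, placed beside the wait-for-input pattern the paragraph warns against. The setpoint, injection and consumption figures are constructed.

```c
/* Constructed setpoint and per-tick effects standing in for real hardware. */
#define SETPOINT_MBAR  1300  /* hypothetical PPO2 setpoint, mbar */
#define INJECT_MBAR      50  /* constructed effect of one solenoid firing */
#define METABOLIC_MBAR   20  /* constructed O2 consumption per tick */

/* Life-support task: one control step. Returns the new PPO2. */
static int maintain_ppo2(int ppo2_mbar)
{
    return (ppo2_mbar < SETPOINT_MBAR) ? ppo2_mbar + INJECT_MBAR : ppo2_mbar;
}

/* Non-blocking UI task: polls the keypad once and returns immediately.
 * `key` is 0 when nothing was pressed (constructed stand-in for a keypad). */
static int poll_keypad(int key)
{
    return key != 0;   /* 1 if a key was handled this tick */
}

/* Fault pattern the text describes: a mode that waits for a keypress and
 * only reaches the controller after input. Returns PPO2 after `ticks`
 * periods during which the diver presses nothing. */
int run_blocking_wait(int start_mbar, int ticks)
{
    int ppo2 = start_mbar;
    for (int t = 0; t < ticks; t++) {
        ppo2 -= METABOLIC_MBAR;          /* diver keeps consuming O2 */
        if (poll_keypad(0))              /* never true: no input arrives */
            ppo2 = maintain_ppo2(ppo2);  /* controller is starved */
    }
    return ppo2;
}

/* Time-triggered schedule: every period has a fixed slot for the controller
 * that runs first, unconditionally; the UI poll gets the remaining slot and
 * cannot block it. Returns PPO2 after `ticks` periods with no input. */
int run_time_triggered(int start_mbar, int ticks)
{
    int ppo2 = start_mbar;
    for (int t = 0; t < ticks; t++) {
        ppo2 -= METABOLIC_MBAR;
        ppo2 = maintain_ppo2(ppo2);      /* slot 1: always executed */
        (void)poll_keypad(0);            /* slot 2: poll once, then yield */
    }
    return ppo2;
}
```

With the constructed figures, the blocking mode lets PPO2 fall by 20 mbar every tick, while the time-triggered schedule holds it within 50 mbar of the setpoint no matter how long the diver is silent.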
Non-redundant power supplies. The slave handset can jump from a normal operating mode into one where it does not maintain oxygen levels, due to an electrical power system disturbance that triggers the brown-out reset circuit. This disturbance propagates to the supplies running the processor because a single power supply is used instead of the redundant supplies that are standard practice in safety systems. The use of a single user-replaceable battery to power a controller in an unstable life support system is a grossly incompetent design. The manufacturer was urged to replace this with a redundant rechargeable design for safety reasons, but ignored that advice. This problem of a power disturbance sending the unit into an inappropriate piece of code, directly or via the operation of the brown-out circuit, occurs very frequently on some units.
Battery contacts. The battery contacts used in the Inspiration Classic are totally unsuitable for the purpose: they are prone to stick and they allow the battery to make and break contact while the unit is operating. This creates a micro-arc, evaporating the gold coating off the contacts, and causes short interruptions or disturbances in the power supply. The manufacturer knew of this problem and the risk it posed to safety since 1998, but only replaced the battery contacts with a design less prone to interruptions in late 2003 after a series of hypoxic deaths. Many Inspirations inspected after fatalities show very clear signs of battery interruption having occurred. This fault has been investigated recently, and confirmed by the UK's Health and Safety Executive.
Unsuitable power source. The battery concerned is designed to power a camera at normal atmospheric pressures. It was never designed for use in life support systems, especially ones that undergo rapid changes in pressure and temperature. The battery is inside the breathing loop, where it off-gasses small amounts of toxic compounds and can change its characteristics suddenly due to changes in pressure or temperature. The use of a single user-replaceable cell to power the controller of an unstable life support system is simply a grossly incompetent design. The manufacturer was advised of this in July 2000, and of the solution, but failed to act. This is a serious safety issue. Had the manufacturer incorporated redundancy or used a properly characterized power system, master handsets would not fail so suddenly.
*Battery related faults had been reported to APD by users since 1998.
*The specific problem of not maintaining PPO2 in all modes was identified in 2000 and a solution was recommended.
*The manufacturer has neglected to take reasonable and timely actions when advised of these critical design faults by users, and had neglected to respond adequately to previous fatal accidents on their own equipment.
*It is possible to remove all these fault modes within the ALARP principle.
*There are reports that known and relevant safety defects were not disclosed to coroners and others investigating the fatal accidents on the Inspiration rebreather even after they had been identified. As a result, legal processes to prevent or avoid many of these accidents have been stymied.
A very small proportion of the Inspiration design faults have been addressed by APD since 2002, such as electronic design faults, the use of inappropriate oxygen sensor connectors and date labelling of the O2 sensors, but the unit has never been recalled so the corrections can be made to units already sold.
Divers that return their Inspirations for repair or service receive some safety upgrades, but the user manual does not require divers to send the unit back to the factory for service: they are trained to service it themselves. None of the user manuals obtained, including one as late as 2005, contain a requirement for factory service. APD has not followed the example of its competitors in including a countdown timer to flag factory service intervals. This means that for APD to wait until users return units for service to implement safety corrections is totally inadequate as a recall process. APD charge for the majority of these upgrades, and the charge is often substantial; there are widespread reports on Internet forums that this cost, coupled with the failure to disclose the importance of the upgrade, dissuades some users from sending their units back to APD or its US distributor for service.
FAILURE OF CONSUMER PROTECTION PROVISIONS
This investigation would not be complete without a consideration of how this unreasonably dangerous equipment is managing to circumvent regulations designed to protect consumers from equipment like this. A huge effort has been expended in the creation of an extensive body of safety standards, regulations and guidelines that apply to this equipment, to prevent this sort of accident.
The Buddy Inspiration rebreather does not comply with guidelines for safety critical equipment in the USA at the time it was designed or imported: the NASA Safety Critical Software Guidelines are adopted across the safety industry in the USA (now the guidelines for safety critical software under the American Association of Computing Machinery). Nor does it comply with European safety standards, in that it completely ignores EN61508, which is required under EN14143:2001 (now EN14143:2003, a Harmonised Standard describing the minimum safety level for rebreathers, meaning compliance with it is required under the EU Personal Protective Equipment Directive).
The failure to comply with EN61508 was checked with the sole accredited EN61508 auditors for this equipment in the UK, and it is also obvious that it does not comply from a detailed examination of the equipment. APD may have obtained CE certification of the Inspiration under provisions for existing equipment, however, there is still a requirement to take reasonable measures to ensure the safety of equipment and these standards and guidelines state clearly the height of that bar, under the European Personal Protective Equipment regulations.
The Notified Body issuing the CE compliance certificate to APD was contacted (SGS UK Ltd), and they confirmed that they simply filed EN61508 safety data if there was any, rather than asking for a qualified auditor to audit it. SGS UK Ltd should be obliged to disclose the safety data pertaining to the EN61508 standard, or the electrical, electronic and program safety data on the Inspiration rebreather with the Classic handsets, on the basis of which SGS issued its safety certification. In EN61508 such a disclosure is not allowed to be a commercial secret: disclosure of the data is intrinsic to how EN61508 certification operates under the CASS scheme.