Redundancy – a Life Saver in Diving and Aviation

Photo taken from the author’s aircraft one stormy Florida Panhandle morning.

I was recently flying a private aircraft down the Florida Peninsula to Ft. Lauderdale to give a presentation on diving safety. As I continually checked the cockpit instruments, radios and navigation devices, it occurred to me that the redundancy that I insist upon in my aircraft could benefit divers as well.

In technical and saturation diving, making a free ascent to the surface is just as dangerous as making a free descent to the ground in an airplane, at night, in the clouds. In both aviation and diving, adequate redundancy in equipment and procedures just might make life-threatening emergencies a thing of the past.


As I took inventory of the redundancy in my simple single-engine, retractable-gear Piper, I found the following power plant redundancies: dual ignition systems, including dual magnetos each feeding their own set of spark plug wires and redundant spark plugs (two per cylinder). There are two sources of air for the fuel-injected 200 hp engine.

There are two ways to lower the landing gear, and both alarms and automatic systems for minimizing the odds of pilot error — landing with wheels up instead of down. (I’ve already posted about how concerning that prospect can be.)

I also counted three independent sources of weather information, including lightning detection, and two powerful communication radios and one handheld backup radio. For navigation there is a compass and four electronic navigation devices: one instrument approach (in the clouds) approved panel mount GPS with separate panel-mounted indicator, an independent panel mounted approach certified navigation radio, plus two portable GPS with moving map displays and superimposed weather. Even the portable radio has the ability to perform simple navigation.

There’s two of just about everything in this Arrow panel.

The primary aircraft control gyro, the artificial horizon or attitude indicator, also has a fully independent backup. One gyro operates off the engine-powered vacuum pump, and the second gyro horizon is electrically driven. Although by no means ideal, the portable GPS devices also provide attitude indicators based upon GPS signals. In a pinch in the clouds, it’s far better than nothing. Of course, even if all else fails, the plane can still be flown by primary instruments like rate of climb, altimeter, and compass.

There is only one sensitive altimeter, but two GPS devices also provide approximate altitude based on GPS satellite information.


But what about divers? How are we set for redundancy?

Starting with scuba (self-contained underwater breathing apparatus), gas supplies are like the fuel tanks in an aircraft. I typically dive with one gas bottle, but diving with two or more bottles is common, especially in technical diving. In a similar fashion, most small general aviation aircraft have at least two independent fuel tanks, one in each wing.

The scuba’s engine is the first stage regulator, the machine that converts high pressure air into lower pressure air. Most scuba operations depend on one of those “engines”, but in extreme diving, such as low temperature diving, redundant engines can be a life saver. While most divers carry dual second stage regulators attached to a single first stage, for better redundancy polar divers carry two independent first stages and second stages. Two first stage regulators can be placed on a single tank.

An H-valve for a single scuba bottle. Two independent regulators can be attached.
A Y-valve for Antarctic diving with two independent scuba regulators attached.













Even then, I’ve witnessed dual regulator failures under thick Antarctic ice. The only thing saving that very experienced diver was a nearby buddy diver with his own redundant system.

There is a lot to be gained by protecting the face in cold water by using a full face mask. But should the primary first or second stage regulator freeze or free flow, the diver would normally have to remove the full face mask to place the second regulator in his mouth.

Two regulators, one full face mask. Photo courtesy of Michael Lang and Scuba Pro.

Reportedly, sudden exposure of the face to cold water can cause abnormal heart rhythms, an exceedingly rare but potentially dangerous event in diving. If the backup or bail out regulator could be incorporated into the full face mask, that problem would be eliminated. The photo on the right shows one such implementation of that idea.


Nikki Smith, rebreather diver with open circuit bailout in her right hand. Photo courtesy of Rosemary E Lunn (Roz), The Underwater Marketing Company.

Rebreathers are a different matter. Most rebreather divers carry a bailout system in case their primary rebreather fails or floods. For most technical divers, that redundancy is an open circuit regulator and bailout bottle. However, there are options for the bail-out to be an independent, and perhaps small, rebreather. (One option for a bail-out semiclosed rebreather is found here.) Such a bail-out plan should provide greater duration than open-circuit bailout, especially if the divers are deep when they go “off the loop”.

U.S. Navy photo by Bernie Campoli.

For some military rebreather divers, there is at least one complete closed-circuit rebreather available where a diver can reach it in case of a rebreather flood-out.

A commercial saturation diver with semi-closed rebreather backpack as emergency bail-out gas.

For deep sea helmet diving, the bail-out rebreather is on the diver’s back, and a simple valve twist will switch the diver from umbilical-supplied helmet gas to fresh rebreather gas.

The most common worry for electronically controlled rebreather divers is failure of the rig’s oxygen sensors. For that reason it is common for rebreathers to carry three oxygen sensors. Unfortunately, as the Navy and others have noted, triple redundancy really isn’t. Electronic rebreathers are largely computer controlled, and computer algorithms can allow the oxygen controller to become confused, resulting in oxygen control using bad sensors, and ignoring a correctly functioning oxygen sensor.

The U.S. Navy has performed more than one diving accident investigation where that occurred. Safety in this case can be improved by adding an independent, redundant sensor, by improving sensor voting algorithms, by better maintenance, or by methods for testing all oxygen sensors throughout a dive.

In summary, safe divers and safe pilots are always asking themselves, “What would I do if something bad happens right now?” Unfortunately, private pilots and divers quickly discover that redundancy is not cheap. However, long ago I decided that if something unexpected happened during a flight or a dive, I wouldn’t want my last thoughts to be, “If only I’d spent a little more money on redundant systems, I wouldn’t be running out of time.”

Time, like fuel and breathing air, is a commodity you can only buy before you run out of it.

Disclaimer: This blog post is not an endorsement of any diving product. Diving products shown or mentioned merely serve as examples of redundancy, and are mentioned only to further diver safety. A search of the internet by interested readers will reveal a panoply of alternative and equally capable products to enhance diver safety.

Going to HEVVN

I know where HEVVN is. I have coordinates for it.

I’m serious.

“HEVVN” is the politically correct, government approved spelling for a place pronounced, as you might expect, “Heaven”. I’ve been there, and I could go again today if I wanted. But since I’m still a living, breathing person I can’t stay there.

It should come as no surprise to you that HEVVN is not a town or city; it’s nowhere on land. It’s not an island: it’s not on the water. It can best be described as an ephemeral place somewhere in the “air”; in space if you will.

Theoretically, an infinite number of people could be at HEVVN all at the same time, without actually being at the exact same place at the same time. There is, in other words, considerable spatial ambiguity, uncertainty, about where one might be in HEVVN. In an earthly sense, two people at HEVVN might be miles apart, not even able to see each other, not even aware of each other’s presence.

I would guess that on a typical day, thousands arrive at HEVVN: on a slow day, maybe merely hundreds.

If the government admits to a HEVVN, does it admit to a HELL? Well, not exactly. But it does admit to a SATAN.

But don’t worry – if you’re at HEVVN, you won’t be anywhere near SATAN. HEVVN and SATAN are a thousand miles apart.

I’m still being serious…really.



HEVVN intersection lies in the center of the blue donut.

Are you confused? Well, here’s an explanation. HEVVN is a Federal Aviation Administration defined airway intersection used, along with an assigned altitude, to define an aircraft’s position. HEVVN lies roughly ten miles off the coast of the Florida Panhandle, and connects the major flyways of the Florida Panhandle and the north-south air corridors of the Florida peninsula. Theoretically many aircraft can simultaneously be at HEVVN, as long as they are separated by at least 500 feet in altitude.

SATAN is a wicked sounding GPS fix a few miles north of the Portsmouth International Airport at Pease Tradeport near Portsmouth, New Hampshire. I am surprised Portsmouth would allow itself to be associated with such a diabolical name, but perhaps the government never told the city elders before it was too late to change the name. Or perhaps the word SATAN no longer engenders the fear and loathing it used to.
SATAN intersection (red triangle).

Oddly enough, SATAN is included in a much more innocent sounding group of GPS fixes, those defining a GPS approach to runway 16 at Pease Airport. When cleared for the GPS 16 approach coming from the west, the aircraft is expected to follow sequentially a route to the airport using up to five GPS fixes. Those five fixes, including the two “missed approach” fixes used in case a pilot can’t find the runway due to low clouds, are named thusly:


Apparently someone at the FAA has a sense of humor.

If you’re not laughing, you might want to say those five words in quick succession. If you’re still puzzled, try repeating it with your best Tweety Bird impression.

After the FAA named a point in space SATAN, someone must have decided some comic relief, à la Warner Brothers, was needed. And a famous quotation from the canary named Tweety Bird somehow seemed appropriate.

After all, Tweety Bird can fly. Right?