Fault-tolerant rebreather

What would happen if you were exploring a deep wreck and a jagged piece of steel tore away one of the computers circled in red? Nothing. And what if a shark snatched the other one? Again, nothing. You would just simply finish your dive as usual and then order two new handsets (product no. 7019). The actual diving computers are safely housed under robust covers in the head of the CCR Liberty. The handsets serve only as displays and keypads and play no role in controlling the supply of oxygen.


The CCR Liberty is designed to be fault-tolerant, which means that no single malfunction in the electronic system can cause a breakdown of the whole apparatus. And in many cases, not even multiple malfunctions can cause a complete breakdown. The apparatus is designed and programmed so that it is able to cope with even a combination of malfunctions as long as at least one control computer and any sensor are still operational.

In the case of damage to a cable, the control computer will detect a short in that cable and disconnect the respective handset’s power supply. You needn’t worry that water would leak through the cable jacket into the control computer, which is protected by a specially developed connector that remains watertight even when a cable is damaged. And if both handsets are lost, the control computers will continue regulating the supply of oxygen according to the most recently selected setpoint. And the CCR Liberty will keep working even if one of the control computers fails.

Each computer has its own battery, depth sensor, two oxygen sensors and electrically controlled oxygen supply valve (solenoid). In normal circumstances, the two computers communicate with each other and exchange data from the sensors and agree on which of them will add oxygen to the loop. If necessary, either computer can perform this function independently.

Let’s continue in our catastrophic scenario. We have already lost both handsets, and now one of the computers has shut down. More than half of the electronic systems are inoperable, but the CCR Liberty keeps working. The mechanism for regulating oxygen supply handles this situation with no problems.

Could anything else go wrong? Yes, it could. One of the oxygen sensors could malfunction. And not that it would stop sending a signal, as if it had gotten flooded. That would be too simple. The sensor would show “only” an incorrect value and it would appear that the control computer now cannot know which of the sensors to believe. This is a miserable situation. It could fail when you are at one hundred meters below the surface….which, however, would be an advantage. After all, for a hundred-meter dive, you have trimix. The computer is well aware of that, even if you forgot to set the diluent composition before the dive. The built-in helium concentration sensor diligently measures the mixture composition during the dive and stores it in the computer’s memory. Thanks to this, the computer can now calculate the oxygen content based on the measured helium concentration and decide which of the oxygen sensors is in working order. The dive continues.  And now it is already clear that even if the last oxygen sensor breaks down, such an event will not put the computer out of action. Based on the last known correct oxygen value, it will switch to indirect measuring of oxygen using the helium sensor and safely continue regulating the supply of oxygen.

See also Control system, Software and The final decision is up to you

This is a unique website which will require a more modern browser to work! Please upgrade today!