diff --git a/300s School/ME 2150 - High Assurance Cyber-Physical Systems/ME 2150 - High-Assurance Cyber-Physical Systems Homework 1 1.md b/300s School/ME 2150 - High Assurance Cyber-Physical Systems/ME 2150 - High-Assurance Cyber-Physical Systems Homework 1 1.md deleted file mode 100644 index 21f1f395..00000000 --- a/300s School/ME 2150 - High Assurance Cyber-Physical Systems/ME 2150 - High-Assurance Cyber-Physical Systems Homework 1 1.md +++ /dev/null 
@@ -1,39 +0,0 @@ -## Wheelchair Cushion Testing Rig Destroys Itself -### Introduction -Recently I have begun hosting a poker game. Poker is a beautiful game, as it connects people in conversation that is fulfilling and informative, as people discuss their life experiences. At my poker game, I learned about a somewhat comical cyber-physical system failure. A player at my poker game is a bioengineer who interned at [Pitt's Wheelchair and Cushion Standards Group](https://www.wheelchairstandards.pitt.edu/). She was responsible for configuring an immersion testing fixture to perform evaluations for a set of wheelchair cushions. She did not engineer the control program for the automated testing fixture, but soon found out one of her first days that the control program had a destructive mode of operation that was not intended. - -Alex sought out the position at the Wheelchair and Cushion Standards Group as an summer internship that was conveniently located in the East Liberty neighborhood. Her job would be multifaceted: as part of a small laboratory group, he responsibilities would change upon the day and she would be expected to wear many hats. One of her first tasks was running experiments on sets of wheelchair cushions using an expensive test fixture. - -### Wheelchair Cushion Standards -Wheelchair cushions are a surprisingly sophisticated device, and far from only a piece of foam. Wheelchair cushions are critical for users who spend a large amount of time in their wheelchair, and an effective cushion can play a significant role in the overall health of the user. Cushions redistribute the weight of a wheelchair user evenly across their buttocks, while an insufficient cushion can create problems for wheelchair-bound individuals including ulcers, posture issues, and blood flow restrictions. 
These problems are even further magnified for individuals who have loss of feeling in their legs, as they can not detect the development of injuries until they are visibly apparent or manifest in greater health issues. For these reasons, regulatory standards exist for wheelchair cushions. Standards such as [ISO 16840-2](https://www.iso.org/standard/84862.html) exist to protect wheelchair users by providing a standard to which cushions can be tested. By using wheelchair cushions that meet these standards, users can have a degree of assurance that the product they're using will minimize risks associated with prolonged wheelchair use. - -For a wheelchair cushion to pass this standard, it must be experimentally tested. This testing is commonly done by companies that specialize in standards testing. The sensors and equipment required to do ISO testing can be very expensive, and prohibitive for individual manufacturers of items like wheelchair cushions to create test fixtures of their own. Pitt's Wheelchair and Cushion Standards group does such testing for this particular wheelchair cushion standard using a testing rig that is described in the following image. -### Testing Setup - -![[press.png]] - -This testing fixture consists of a hydraulic press with a specific CNC-machined wooden buttocks model attached. These buttocks integrate an array of pressure sensors at a speckling of locations in order to gather a holistic understanding of the distribution of pressure on the buttocks surface. A cushion is fixed to the lower part of the hydraulic press frame. The whole system measures two main quantities: the pressure distribution on the wooden buttocks, and the total displacement of the hydraulic press. - -The positions of sensors on the wooden buttocks are of particular interest. These sensors are spread throughout the surface of the contoured shape. 
Ideally, these sensors should have similar values of pressure for a given load if the cushion is doing a good job supporting the load. These sensors have different heights relative to the displacement of the press. As a result, the sensors on the very bottom of the buttocks model first experience pressure, while the sensors on the sides of the buttocks eventually catch up in pressure measurement as displacement is increased. - -### The Failure - -The testing procedure Alex was specifically performing when the failure occurred was a fatigue failure test. In this test, the buttocks would descend upon the cushion until a proscribed pressure is achieved on all sensors, hold for a certain amount of time, and then ascend until zero pressure is achieved again. This cycle is then repeated for a very large number of cycles. Performance of the cushion is then determined as to how the pressure distribution changes over time--more performant cushions will retain their cushioning properties for longer than less performant cushions. - -One of the first cushions Alex was tasked with testing was a cushion that was described as being similar construction of a cheap air-mattress. Alex was instructed on how to start the test, where the E-Stop button lived, and what should be expected. Once the person instructing her left, the test began. - -The press began depression the cushion with the wooden buttocks when the air-mattress-like construction gave only a whimper of support. The press continued to descend until the wooden buttocks were separated from the lower steel frame by only the thin rubber membrane of the cushion. At this point, the force on the lower sensors skyrockets while the circumferential sensors slowly accumulate load. The controller realizes that there is an extreme load on some of the sensors, however, and retracts the buttocks from the cushion. This safety feature was designed to protect the sensors in this exact event. 
Whoever designed this controller did not account for the fatigue testing mode, however, and once the buttocks were raised momentarily, the controller decided to return to the previous displacement. To Alex as an observer, the resulted in a violent ramming of the wooden buttocks into the steel frame, which repeated with cacophony as the air-mattress cushion sabotaged the testing fixture. - -After the first repetition, the lower sensors in the buttocks were broken. Instead of accurately reading the pressure on the wooden model, the pressure sensors instead read a much lower value. This results in the test fixture applying more displacement to continually try to reach the optimal test pressure. The sensors continue to read nonsensically low values as they are repeated slammed into the metal lower frame as they are slowly disintegrating. Each time they make contact with the frame they return with an even lower reported value, resulting in an even higher force applied to the buttocks model with each cycle. - -This whole process has happened in a time span of about 5 seconds. At this point, Alex realizes this is definitely not supposed to be happening and reaches for the E-Stop button. Before she could activate the E-Stop, the press descended the wooden buttocks with such ferocity that the wooden model splits in half as if the cushion itself were an axe. The ideal testing force is supposed to be around 400 lbf, but it was estimated that the fixture applied over a thousand pounds of force when the buttocks were destroyed. Finally, the E-Stop was activated before further damage was created. - -### Reflection - -The part of this failure that makes it a cyber-physical failure is the fact that while a pressure based controller was implemented, it was never validated for a use-case where the cushion does not achieve a sufficient pressure on all of the buttock sensors. 
This case was realized when the buttocks made contact with the steel frame with this particular low quality cushion. - -Another control was implemented in case of extreme pressure readings on the buttocks sensors, but that control also experienced a cyber-physical failure. The controller assumed a model of the sensors that would continuously report correct values even in the case of extreme loading. This assumption proved to be incorrect, which essentially nullified the over-pressure control once the model of the sensors was invalidated. - -Fortunately, this comedy of errors did not injure anyone, but this failure incurred significant business costs. The wooden buttocks had to be replaced with a new model, which required expensive CNC machining. The damaged sensors had to also be replaced which were never cheap to begin with. And finally, the group paid Alex dozens of hours to recalibrate the system when the new sensors and buttocks model were installed, and to reperform all previous testing that was now invalidated by the broken sensors. - -Cyber-physical system failures can be sneaky. It is not always clear while coding if a control will actually prevent a mitigated failure from actually occurring. Because of this opacity, other tools such as proof-based methods have to be used to ensure high-assurance. In this case, a proof could have been developed to determine that an unsafe force could not be applied to the lower sensors regardless of their reported value. By perhaps investigating this possible mode, the controller designer could be informed that only relying on the lower sensors as protection would have been insufficient to protect them. These proofs require extra effort to create, but if they prevent such expensive failures, it is worth it to create them. \ No newline at end of file 
diff --git a/300s School/ME 2150 - High Assurance Cyber-Physical Systems/ME 2150 - High-Assurance Cyber-Physical Systems Homework 1 Complete.md b/300s School/ME 2150 - High Assurance Cyber-Physical Systems/ME 2150 - High-Assurance Cyber-Physical Systems Homework 1 Complete.md new file mode 100644 index 00000000..7f645bef --- /dev/null +++ b/300s School/ME 2150 - High Assurance Cyber-Physical Systems/ME 2150 - High-Assurance Cyber-Physical Systems Homework 1 Complete.md 
@@ -0,0 +1,48 @@ +## Wheelchair Cushion Testing Rig Destroys Itself + +### Introduction + +Recently, I started hosting a poker game. Poker is a beautiful game, connecting people through conversation that is both fulfilling and enlightening. At one of these games, I learned about a comical yet costly cyber-physical system failure. A player in the game, a bioengineer, shared an experience from her internship at [Pitt's Wheelchair and Cushion Standards Group](https://www.wheelchairstandards.pitt.edu/). She was tasked with configuring an immersion testing fixture for evaluating wheelchair cushions. While she didn’t design the control program for the automated rig, she discovered early on that it had a catastrophic and unintended failure mode. + +Alex had taken the internship at the Wheelchair and Cushion Standards Group as a convenient summer opportunity in Pittsburgh’s East Liberty neighborhood. As part of a small laboratory team, her role was multifaceted—every day brought new tasks, and she had to wear many hats. One of her first responsibilities was running experiments on wheelchair cushions using a highly specialized, expensive test rig. + +### Wheelchair Cushion Standards + +Wheelchair cushions are surprisingly sophisticated devices—far more than simple pieces of foam. For individuals who spend extended periods in a wheelchair, cushions play a critical role in their health. Proper cushions redistribute weight evenly, minimizing the risks of ulcers, poor posture, and restricted blood flow. For people with reduced sensation in their legs, these risks are magnified, as they might not notice injuries until they escalate into serious health issues. + +To ensure safety and effectiveness, wheelchair cushions are subjected to rigorous regulatory standards, such as [ISO 16840-2](https://www.iso.org/standard/84862.html). Compliance with these standards provides users with confidence that the product can reduce risks associated with prolonged use. 
Testing to meet these standards typically requires advanced equipment, which is expensive for individual manufacturers to develop. Instead, organizations like Pitt’s Wheelchair and Cushion Standards Group conduct these evaluations using highly specialized testing rigs. + +### Testing Setup + +![[press.png]] + +The group’s testing fixture consists of a hydraulic press equipped with a CNC-machined wooden buttocks model. This model features an array of pressure sensors positioned to assess how evenly a cushion distributes weight. A cushion is secured on the press’s lower frame, and the system measures two key quantities: pressure distribution across the wooden model and the total displacement of the hydraulic press. Because different cushions would have different spring constants, the displacement of the buttocks model was controlled by the reported pressure on the sensors. + +The placement of the sensors is particularly critical. Sensors near the base of the model detect pressure first, while those on the sides register load as displacement increases. Ideally, a high-quality cushion distributes pressure evenly across all sensors, yielding a displacement where pressure is similar at all locations. This correlates to a well functioning cushion for a wheelchair user, who then would mitigate potential injury from uneven pressure. + +### The Failure + +Alex’s assignment when the failure occurred was a fatigue test. In this procedure, the press applies a cyclic load: the wooden buttocks press down on the cushion until a set pressure is reached across all sensors, holds briefly, and then retracts. This cycle is repeated thousands of times to evaluate how the cushion's performance degrades under repeated use. High-performing cushions maintain consistent pressure distribution over many cycles, while poorer designs deteriorate quickly. + +One of Alex’s first tests involved a cushion described as resembling a cheap air mattress. 
She was shown how to start the test, locate the emergency stop (E-Stop), and recognize normal operation. Once her instructor left, the test began. + +The press descended, and the flimsy cushion immediately collapsed. The wooden buttocks pressed closer to the steel frame, separated only by the thin cushion membrane. Pressure on the lower sensors spiked, while the outer sensors struggled to register any load. Recognizing the extreme readings, the controller retracted the press—a safety feature designed to protect the sensors. + +However, the fatigue testing mode had an oversight. After retracting, the controller returned the press to the previous displacement, initiating a destructive feedback loop. To Alex’s horror, the wooden buttocks slammed into the steel frame repeatedly as the failing cushion sabotaged the system. + +After the first impact, the lower sensors were damaged, reporting unrealistically low values. The controller interpreted these readings as insufficient pressure and increased displacement to compensate. With each cycle, the sensors degraded further, causing the press to apply even greater force. + +In about five seconds, the chaos reached its peak. Alex reached for the E-Stop, but not before the press descended with enough force to split the wooden buttocks model in two. While the system was designed for forces around 400 pounds, it was later estimated that over 1,000 pounds had been applied. + +### Reflection + +This failure exemplifies a cyber-physical system flaw. The pressure-based controller was not validated for scenarios where the cushion failed to achieve adequate pressure across all sensors. When the wooden buttocks contacted the steel frame, the controller misinterpreted the situation, leading to catastrophic failure. + +Additionally, the safety control designed for extreme pressure events relied on the assumption that sensors would continue reporting accurate values under all conditions. 
This assumption proved false; once the sensors were damaged, the control system effectively nullified itself. + +Although no one was injured, the incident incurred significant costs. The wooden buttocks required expensive CNC machining to replace, the damaged sensors had to be reordered and installed, and Alex spent dozens of hours recalibrating the rig and redoing invalidated tests. + +Cyber-physical failures can be insidious. Programming alone cannot guarantee safety, as potential failure modes may remain hidden. In high-assurance systems, tools like proof-based methods can validate that unsafe conditions are impossible under any circumstances. For instance, a proof could have demonstrated that relying solely on the lower sensors for protection was inadequate. Though such proofs require extra effort, they can prevent costly failures like this one. + +## AI Use Statement +In the preparation of this assignment, I used OpenAI's ChatGPT to assist with revising and refining the written content. Specifically, I provided a draft of the prose and requested help improving grammar, sentence structure, clarity, and flow while preserving the original narrative and technical details. All ideas and content are my own, and AI assistance was limited to editing and polishing the text. \ No newline at end of file
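Review bot: the last Reflection paragraph of the deleted "Homework 1 1.md" states the safety property to be proved ("an unsafe force could not be applied to the lower sensors regardless of their reported value"), and its Failure section ends with "Finally, the E-Stop was activated before further damage was created". Neither sentence has a counterpart in the replacement file. The replacement only says a proof could have shown that relying on the lower sensors "was inadequate", which is a finding rather than a property, and it never says the press was stopped. Suggest carrying both sentences over before this file is removed, since the first is the part of the write-up that ties the incident to proof-based methods.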
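Review bot: in The Failure section of the added "Homework 1 Complete.md", "the system was designed for forces around 400 pounds" does not say the same thing as the draft's "The ideal testing force is supposed to be around 400 lbf": a test target has become a design rating. Likewise "repeated thousands of times" puts a figure on what the draft called "a very large number of cycles". The AI Use Statement says technical details were preserved, so either restore the draft's wording or confirm both figures with the source. Separately, "Alex" appears at the start of the second Introduction paragraph without being identified as the bioengineer from the first paragraph; one clause linking the two would fix that.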