Wheelchair Cushion Testing Rig Destroys Itself
Introduction
Recently, I started hosting a poker game. Poker is a beautiful game, connecting people through conversation that is both fulfilling and enlightening. At one of these games, I learned about a comical yet costly cyber-physical system failure. A player in the game, a bioengineer, shared an experience from her internship at Pitt's Wheelchair and Cushion Standards Group. She was tasked with configuring an immersion testing fixture for evaluating wheelchair cushions. While she didn’t design the control program for the automated rig, she discovered early on that it had a catastrophic and unintended failure mode.
Alex had taken the internship at the Wheelchair and Cushion Standards Group as a convenient summer opportunity in Pittsburgh’s East Liberty neighborhood. As part of a small laboratory team, her role was multifaceted—every day brought new tasks, and she had to wear many hats. One of her first responsibilities was running experiments on wheelchair cushions using a highly specialized, expensive test rig.
Wheelchair Cushion Standards
Wheelchair cushions are surprisingly sophisticated devices—far more than simple pieces of foam. For individuals who spend extended periods in a wheelchair, cushions play a critical role in their health. Proper cushions redistribute weight evenly, minimizing the risks of ulcers, poor posture, and restricted blood flow. For people with reduced sensation in their legs, these risks are magnified, as they might not notice injuries until they escalate into serious health issues.
To ensure safety and effectiveness, wheelchair cushions are subjected to rigorous regulatory standards, such as ISO 16840-2. Compliance with these standards provides users with confidence that the product can reduce risks associated with prolonged use. Testing to meet these standards typically requires advanced equipment, which is expensive for individual manufacturers to develop. Instead, organizations like Pitt’s Wheelchair and Cushion Standards Group conduct these evaluations using highly specialized testing rigs.
Testing Setup
The group’s testing fixture consists of a hydraulic press equipped with a CNC-machined wooden buttocks model. This model features an array of pressure sensors positioned to assess how evenly a cushion distributes weight. A cushion is secured on the press’s lower frame, and the system measures two key quantities: pressure distribution across the wooden model and the total displacement of the hydraulic press. Because different cushions have different spring constants, the displacement of the buttocks model is controlled by the pressure reported by the sensors.
The placement of the sensors is particularly critical. Sensors near the base of the model detect pressure first, while those on the sides register load as displacement increases. Ideally, a high-quality cushion distributes pressure evenly across all sensors, yielding a displacement where pressure is similar at all locations. This corresponds to a well-functioning cushion, which reduces a wheelchair user's risk of injury from uneven pressure.
The Failure
Alex’s assignment when the failure occurred was a fatigue test. In this procedure, the press applies a cyclic load: the wooden buttocks press down on the cushion until a set pressure is reached across all sensors, holds briefly, and then retracts. This cycle is repeated thousands of times to evaluate how the cushion's performance degrades under repeated use. High-performing cushions maintain consistent pressure distribution over many cycles, while poorer designs deteriorate quickly.
One of Alex’s first tests involved a cushion described as resembling a cheap air mattress. She was shown how to start the test, locate the emergency stop (E-Stop), and recognize normal operation. Once her instructor left, the test began.
The press descended, and the flimsy cushion immediately collapsed. The wooden buttocks pressed closer to the steel frame, separated only by the thin cushion membrane. Pressure on the lower sensors spiked, while the outer sensors struggled to register any load. Recognizing the extreme readings, the controller retracted the press—a safety feature designed to protect the sensors.
However, the fatigue testing mode had an oversight. After retracting, the controller returned the press to the previous displacement, initiating a destructive feedback loop. To Alex’s horror, the wooden buttocks slammed into the steel frame repeatedly as the failing cushion sabotaged the system.
After the first impact, the lower sensors were damaged, reporting unrealistically low values. The controller interpreted these readings as insufficient pressure and increased displacement to compensate. With each cycle, the sensors degraded further, causing the press to apply even greater force.
In about five seconds, the chaos reached its peak. Alex reached for the E-Stop, but not before the press descended with enough force to split the wooden buttocks model in two. While the system was designed for forces around 400 pounds, it was later estimated that over 1,000 pounds had been applied.
Reflection
This failure exemplifies a cyber-physical system flaw. The pressure-based controller was not validated for scenarios where the cushion failed to achieve adequate pressure across all sensors. When the wooden buttocks contacted the steel frame, the controller misinterpreted the situation, leading to catastrophic failure.
Additionally, the safety control designed for extreme pressure events relied on the assumption that sensors would continue reporting accurate values under all conditions. This assumption proved false; once the sensors were damaged, the control system effectively nullified itself.
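The feedback loop described above can be reproduced in a small simulation. This is an added example, not the rig's control program: the load model, the sensor damage rule, and every constant except the 400-pound design force are assumptions chosen to show why a guard that depends on the damaged sensors is weaker than one that does not.

```python
# Constructed model of the fatigue-test loop; every constant except DESIGN_LB is an assumption.
DESIGN_LB = 400.0      # design force quoted in the article; also used as the trip threshold
TARGET_LB = 300.0      # assumed set pressure the controller wants on every sensor
FRAME_MM = 50.0        # assumed travel at which the model meets the steel frame
K_CUSHION = 2.0        # lb/mm, assumed stiffness of the collapsing cushion
K_FRAME = 200.0        # lb/mm, assumed stiffness once wood meets steel
STEP_MM = 1.0          # assumed displacement increase per cycle


def lower_load(d_mm):
    """True load on the lower sensors at displacement d_mm."""
    return K_CUSHION * min(d_mm, FRAME_MM) + K_FRAME * max(0.0, d_mm - FRAME_MM)


def outer_load(d_mm):
    """True load on the side sensors; the flimsy cushion barely reaches them."""
    return 0.1 * K_CUSHION * min(d_mm, FRAME_MM)


def run(cycles, latch_trip=False, travel_limit_mm=None):
    """Return (status, peak true load in lb) after up to `cycles` press cycles."""
    d, health, peak = 0.0, 1.0, 0.0
    for _ in range(cycles):
        # Guard that does not depend on the pressure sensors at all.
        if travel_limit_mm is not None and d >= travel_limit_mm:
            return "halted: travel limit", peak
        true_lower = lower_load(d)
        peak = max(peak, true_lower)
        reading = true_lower * health          # what the controller sees
        if true_lower > DESIGN_LB:
            health *= 0.5                      # each overload degrades the sensor
        if reading > DESIGN_LB:
            if latch_trip:
                return "halted: overpressure latch", peak
            continue                           # oversight: retract, then return to the same d
        if min(reading, outer_load(d)) < TARGET_LB:
            d += STEP_MM                       # "insufficient pressure": push further
    return "completed", peak


if __name__ == "__main__":
    print(run(60))                        # unguarded loop
    print(run(60, latch_trip=True))       # sensor-based guard only
    print(run(60, travel_limit_mm=48.0))  # independent travel limit
```

In this model, latching the overpressure trip stops the runaway but still allows one impact above the design force, because the trip can only fire after the sensors have seen the spike; the travel limit never lets the model reach the frame.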
Although no one was injured, the incident incurred significant costs. The wooden buttocks required expensive CNC machining to replace, the damaged sensors had to be reordered and installed, and Alex spent dozens of hours recalibrating the rig and redoing invalidated tests.
Cyber-physical failures can be insidious. Programming alone cannot guarantee safety, as potential failure modes may remain hidden. In high-assurance systems, tools like proof-based methods can validate that unsafe conditions are impossible under any circumstances. For instance, a proof could have demonstrated that relying solely on the lower sensors for protection was inadequate. Though such proofs require extra effort, they can prevent costly failures like this one.
AI Use Statement
In the preparation of this assignment, I used OpenAI's ChatGPT to assist with revising and refining the written content. Specifically, I provided a draft of the prose and requested help improving grammar, sentence structure, clarity, and flow while preserving the original narrative and technical details. All ideas and content are my own, and AI assistance was limited to editing and polishing the text.
