Incident Report

Prepared by Phillip Teng on June, 4, 2018

Appendix:
I. Summary
II. Cause
III. Analysis and Prevention
IV. Conclusion

I. Summary
Incident time and location: 3:40 PM, June 4, 2018. Location: Helmholtz cage room.

Flight satellite along with the air bearing table almost fell off when three of the lead legs on the
air bearing table catastrophically failed. The satellite and the air bearing table flipped to the
side but Phillip caught it just in time before the entire table fell off. The satellite is unharmed
with no visible damage. Software verification is still pending.

Background: Let’s assign each leg, east, west, north, south.

To give context to the situation. Phillip was moving the satellite to center it under the webcam
for the attitude and determination (ADCS) segment as part of the day in the life test (DITL). The
air bearing table placement can be seen in Fig. 3. After moving it a couple inches away from the
wall, the leg (south) closest to Phillip dropped off and caused a minor scratch on his leg. The air
bearing table immediately flipped towards the other side but Phillip caught the air bearing table
just in time to stop its rotation. The tabs that secured the satellite also stopped the satellite
from sliding onto the Helmholtz cage. The largest degree of inclination was around 30º.

While Phillip was holding the table, another one of the legs (west) fell off, tilting the table
towards the Helmholtz cage. He caught the (west) leg falling off initially but because of his
positioning and lack of grip on the leg, he had to let go. The huge imbalance from the two
remaining weights applied a huge torque on the table that made it extremely difficult to control
with one hand. Shortly after dropping the second lead leg (west) onto the floor, the leg
opposite failed (east). After which Phillip was able to regain control of the air bearing table with
one leg remaining (north). Phillip was finally able to reach out for his computer and call for help
on Slack. Emil arrived shortly after with a text from Brent and the other team members arrived
a couple seconds after. The response time was around two to three minutes. The incidence
starting with the first screw failure till help arrived likely only lasted a two to three minutes, but
due to the adrenaline, it felt more like five minutes.
 II. Cause
The initial cause of the failure seems to be a combination of the constant heavy stress by the
lead blocks catalyzed by the over-torqueing of the screw heads. There is evidence of over-
torque as seen in Figure. 1 with the washer on the right. It is bent to show that considerable
force has been applied which suggests over torqueing.

Figure 1: Washers from all four. The one of the right is evidently bent. Likely due to over-
torqueing and the first failure point.
When the first leg fell off and the table subsequently tilted off axis, the other screws
experienced shear forces that lead to the other two nylon screws failing. The broken screws are
shown in Figure 2. Only one screw held its place until help arrived.

Figure 2: The failures of three of the four legs. The nylon screw heads were ripped off in the
process.
Figure 3: Original Setup location. Overhanging light and camera on a separate wooden two by
four.
 III. Analysis and Prevention

An example of the applications of five whys?

1. Why did the satellite almost break?
a. Because three screws catastrophically failed that almost threw the satellite and
the air bearing table onto the floor.
2. Why did the screws fail?
a. Because of shear forces experienced when the table tilted off axis.
3. Why did the table tilt off axis?
a. Because the initial failure of the first screw caused the table to tilt.
4. Why did the initial screw break?
a. Because the screw was over-torqued and hence the head was weakened and it
gave way.
5. Why was the screw head over-torqued?
a. Because in order to balance the satellite you have to turn the weights, and
without proper care, it was easy to over-torque and weaken the screw heads.

Questions that we should be asking: Is there a better way to design a balancing mechanism that
prevents over-torqueing? Sliding weights that are meant to move instead of spinning a leg?

1. Mechanical
a. Over-torqueing of the screws caused the initial failure
i. Recommendation: Use two or three nuts that act as a buffer and stop the
possibility of over-torque by maintaining a space for the metal plate of
the table.
b. Screws weren’t design to experience shear forces hence causing a cascade of
failures.
i. Recommendation: Use metal screws for the table outside the Helmholtz
cage. Use multiple screws and add redundancy so the stress doesn’t fall
on a single screw.
c. When the table tilts, the aluminum bars on the end can form a new fulcrum
acting as a lever and applying huge stress on the screws.
i. Recommendation: Use more screws to distribute the load, or engineer a
system where the table stops titling past a certain angle.

2. Systematic
a. Help would have arrived faster if there was someone else in the lab
i. Recommendation: Always have two people during tests with the flight
satellite to ensure the fastest response time and aid if something goes
wrong.
b. The satellite would have been broken and in pieces and on the floor if Phillip
wasn’t there and in the perfect position to catch it.
 i. The satellite needs to be monitored at all times with fail safes. In the
event of such failure, it should not depend on a human to save the
satellite. The apparatus needs to save itself.
3. Fail safes
a. In this case of failure, were there any engineered safety nets? No, there were
none. It relied entirely on Phillip being there at the right time when the failure
happened. A well-designed system should not depend on human intervention,
rather fail safes that act as safety nets regardless of who is present.
i. Recommendation: Use longer aluminum bars such that in the event of a
single failure, the longer legs will fall onto the floor and stop the table
from tilting past the catastrophic tilt angle.
ii. Recommendation: Find the maximum degree tilt of the air bearing before
shear stresses cause the screws to fail as part of understanding and
characterizing the safety and limitations of the air bearing table design.
iii. Recommendation: Any other designs that introduce redundancy and no
dependency on human intervention
4. End-User Improvements
a. Any well-designed system should make it highly improbable that the end user
can cause failure. In the event that the end user is at fault, it becomes even more
important to ask ourselves, why would the end user do that? Could it be the lack
of support infrastructure or education that caused the fault in the first place?
Here are some of the questions we should discuss.
i. Are we not adequately educating the team of proper usage of the air
bearing?
ii. Should the air bearing not be moved when the table is loaded?
1. Recommendation: We should be centering the webcam before
the satellite is loaded to minimize movement and hence risk.
iii. Any way to prevent over-torque by the user in the future?
1. Recommendation: Additional nuts that stop the possibility of
over-torqueing, refer to mechanical recommendation section.
5. Post Failure
a. In the event of a failure, what systems do we have in place to ensure proper
documentation and logging to discover the true cause?
i. Recommendation: Logging book for the satellite/Air bearing to hold
people accountable and isolating when a failure happened.
ii. Recommendation: Immediate documentation following the failure and
identifying glaring faults
iii. Recommendation: Stop production/testing to analyze the incident deeply
to find the root cause and implement prevention mechanisms before
another failure could happen again.

Broader questions we should ask:

1. Are we rushing and not thoroughly thinking tests through to ensure proper safety for
the team and the satellite?
2. How else could we have prevented this from happening?
3. How is this lesson applicable to other parts of satellite engineering? Software?
Structural? Electrical?

IV. Conclusion

I hope that this incident serves as a reminder to thoroughly think through testing
methods and design considerations so that failures are prevented before they can happen.
We were extremely lucky that the failure happened at the time and place it did such that it
could be saved from causing significantly more damage. It is important to raise objections
and safety concerns when there is a risk to personnel or irreplaceable hardware. We will
implement the recommendations as laid out in the following report and ensure that such a
failure could not happen again.

V. Follow up Report – three months after incidence

Since the incidence happened implemented the following procedures. When testing is
being performed on the satellite, multiple personnel must be in the room. At least one
person should have their eyes on the satellite if there are multiple

In terms of design decisions, we decided to not change the design of the aluminum legs
and balancing apparatus. Instead we have implemented changes from nylon screws to
brass screws. Over-torque and shear testing have concluded that the brass screws are
more than capable of holding the lead balancing weights on the air bearing table.

No further incidences with the flight satellite have occurred.