Incident: Failure of Israeli Spacecraft Beresheet Lunar Landing Attempt

Published Date: 2019-04-11

Postmortem Analysis
Timeline
1. The software failure incident happened on April 11, 2019, as reported in [Article 83133], [Article 83190], and [Article 83309].

System
1. The main engine of the spacecraft failed during the final descent, leading to the crash into the moon [83133, 83190, 83309].
2. A measurement unit also went wrong during the descent, contributing to the failure [83190].
3. The engine misfired, causing a surge in velocity as the spacecraft headed towards the lunar surface [83309].

Responsible Organization
1. Israel Aerospace Industries' space division collaborated on building the spacecraft, and their general manager mentioned a failure in the spacecraft [83133].
2. SpaceIL, the nonprofit organization that undertook the mission, was responsible for the spacecraft's development and mission execution [83133, 83190, 83309].
3. State-owned Israel Aerospace Industries was involved in building the spacecraft [83309].
4. SpaceX provided the rocket for launching the spacecraft [83190, 83309].

Impacted Organization
1. SpaceIL [83133, 83190, 83309]
2. Israel Aerospace Industries [83133, 83190, 83309]

Software Causes
1. The software cause of the failure incident was a failure in the spacecraft's engine, which turned off shortly before landing, leading to the crash [Article 83309].
2. Another software cause mentioned was a measurement unit that went wrong during the descent, causing issues with the spacecraft's landing attempt [Article 83190].

Non-software Causes
1. The spacecraft's engine turned off shortly before landing, leading to the crash [Article 83309].
2. The main engine stopped working, causing the velocity to be too high for a successful landing [Article 83190].
3. A measurement unit went wrong during the descent, contributing to the failure [Article 83190].

Impacts
1. The software failure incident resulted in the crash of the Israeli spacecraft Beresheet into the moon, leading to the mission being declared a failure [83133, 83190, 83309].
2. The failure of the spacecraft's engine shortly before landing caused the spacecraft to break apart and scatter at the landing site [83190, 83309].
3. The loss of communication with ground control during the final descent was a direct impact of the software failure incident [83309].
4. The failure to achieve a successful landing on the moon was a significant setback for the mission, despite the spacecraft reaching the moon and coming close to landing successfully [83309].
5. The crash of Beresheet near the historic Apollo landing sites highlighted the challenges and risks associated with lunar missions and the difficulty of achieving a soft landing on the moon [83309].

Preventions
1. Proper testing and validation of the software before the mission could have potentially prevented the software failure incident. This would involve thorough testing of all systems and components to ensure they function correctly under various conditions [83133, 83190, 83309].
2. Implementing redundant systems or backup mechanisms in the software could have provided a fail-safe in case of any critical failures during the descent phase of the spacecraft. Redundancy can help mitigate risks and increase the chances of a successful landing [83190, 83309].
3. Conducting more extensive simulations and scenario planning to anticipate and address potential issues that may arise during the landing process. This proactive approach could help identify and rectify software flaws or weaknesses before the actual mission [83190, 83309].
4. Continuous monitoring and real-time communication with the spacecraft during critical phases of the mission could have allowed for immediate intervention or troubleshooting in case of any anomalies detected in the software or hardware systems [83190, 83309].

Fixes
1. Conduct a thorough analysis of the software and hardware systems to identify the root cause of the failure incident [83133, 83190, 83309].
2. Investigate the communication failure between the spacecraft and ground control during the final descent to understand why the engine turned off shortly before landing [83309].
3. Address the issue related to the measurement unit that went wrong, as mentioned by some members of the SpaceIL team, to prevent similar failures in the future [83190].
4. Improve the reliability and precision of the guidance, navigation, and control systems, as well as the on-board propulsion mechanism, to ensure a successful landing on future missions [83190].
5. Enhance testing procedures to simulate the unique geological and atmospheric conditions of the moon and other planets to better prepare for landing challenges [83309].
6. Implement measures to maintain communication with the spacecraft during critical phases of the mission to enable real-time troubleshooting and intervention if issues arise [83133, 83309].

References
1. Opher Doron, general manager of Israel Aerospace Industries’ space division [Article 83133, Article 83190, Article 83309]
2. Morris Kahn, Israeli telecommunications entrepreneur and president of SpaceIL [Article 83133, Article 83190, Article 83309]
3. Prime Minister Benjamin Netanyahu of Israel [Article 83133, Article 83190, Article 83309]
4. Daniela Geron, SpaceIL engineer [Article 83133]
5. Asaf Ezrai, spectator [Article 83133]
6. Yariv Bash, Kfir Damari, and Yonatan Winetraub, founders of SpaceIL [Article 83133]
7. Ami Halbersberg, SpaceIL engineer [Article 83190]
8. Dr. Mini Saaj, Head of the Robotics and Control Research Group at the University of Surrey [Article 83190]
9. Christopher Conselice, professor of astrophysics at the University of Nottingham [Article 83190]
10. Reuven Rivlin, President of Israel [Article 83309]
11. Jim Bridenstine, head of NASA [Article 83309]
12. Buzz Aldrin, Apollo 11 moonwalker [Article 83309]
13. Morris Kahn, Israeli billionaire investor [Article 83309]
14. Peter Diamandis, XPrize founder [Article 83309]
15. Howard McCurdy, American University professor [Article 83309]
16. Phil Larson, University of Colorado space adviser [Article 83309]

Software Taxonomy of Faults

Category Option Rationale
Recurring one_organization (a) The software failure incident having happened again at one_organization: - The software failure incident occurred with the Beresheet spacecraft, which was built by the nonprofit SpaceIL and state-owned Israel Aerospace Industries [83133, 83190, 83309]. - The incident involved a failure in the spacecraft's engine shortly before landing, leading to a crash on the moon [83133, 83190, 83309]. - Despite the failure, the mission was considered an "amazing success" for reaching the moon and coming close to landing successfully [83309]. (b) The software failure incident having happened again at multiple_organization: - There is no information in the provided articles about a similar incident happening at other organizations or with their products and services.
Phase (Design/Operation) design, operation (a) The software failure incident in Article 83133 can be attributed to the design phase. The failure occurred during the landing sequence of the Beresheet spacecraft, where the main engine cut out, leading to a loss of communication with the spacecraft. This issue was related to the spacecraft's main engine, which stopped working, causing the velocity to be too high for a successful landing [83133]. (b) The software failure incident in Article 83309 can be attributed to the operation phase. The Beresheet spacecraft lost communication with ground control during its final descent, and the engine turned off shortly before landing. Scientists were still trying to determine the cause of the failure, indicating issues related to the operation or misuse of the system during the critical landing phase [83309].
Boundary (Internal/External) within_system (a) within_system: The software failure incident related to the crash of the Beresheet spacecraft appears to have originated from within the system itself. The spacecraft's engine turned off shortly before landing, leading to the loss of communication with ground control and the subsequent crash into the moon [Article 83309]. The main engine of the spacecraft stopped working, causing the velocity to be too high, ultimately resulting in the crash [Article 83190]. Additionally, there were issues with the measurement unit that went wrong, contributing to the failure during the descent [Article 83190]. (b) outside_system: There is no information in the articles suggesting that the software failure incident was due to contributing factors originating from outside the system.
Nature (Human/Non-human) non-human_actions (a) The software failure incident occurring due to non-human actions: - The spacecraft, named Beresheet, experienced a failure in its main engine during its descent towards the moon, causing it to crash [83133]. - The spacecraft lost communication with ground control during its final descent, and the engine turned off shortly before landing, leading to the crash [83309]. (b) The software failure incident occurring due to human actions: - There is no specific mention of the software failure incident being caused by human actions in the articles.
Dimension (Hardware/Software) hardware (a) The software failure incident occurring due to hardware: - The spacecraft, Beresheet, experienced a failure during its final descent when its engine turned off shortly before landing, leading to the crash on the moon. Scientists were still investigating the cause of the engine turning off [Article 83309]. (b) The software failure incident occurring due to software: - The main engine of the spacecraft, Beresheet, stopped working during its descent, leading to a high velocity that caused it to fall to the moon's surface in pieces. There were conflicting reports about whether the issue was with the engine or a measurement unit that went wrong [Article 83190].
Objective (Malicious/Non-malicious) non-malicious (a) The articles do not mention any indication of a malicious software failure incident. (b) The software failure incident related to the crash of the Israeli spacecraft Beresheet on the moon was non-malicious. The failure was attributed to technical issues with the spacecraft's engine and measurement unit during its final descent, leading to the loss of communication and the eventual crash [83133, 83190, 83309].
Intent (Poor/Accidental Decisions) accidental_decisions (a) The intent of the software failure incident related to poor_decisions: - The failure of the Beresheet spacecraft's landing on the moon was attributed to a failure in the spacecraft's engine shortly before landing, leading to the crash [Article 83133]. - The spacecraft's engine turned off shortly before landing, causing the mishap, and scientists were still investigating the cause of the failure [Article 83309]. (b) The intent of the software failure incident related to accidental_decisions: - The failure of the Beresheet spacecraft's landing on the moon was described as an ambitious attempt that came very close to success, despite ultimately crashing [Article 83309]. - The spacecraft's engine misfired during the descent, leading to a surge in velocity and the eventual crash on the lunar surface [Article 83309].
Capability (Incompetence/Accidental) development_incompetence (a) The software failure incident occurring due to development incompetence: - The failure of the Beresheet spacecraft to land successfully on the moon was attributed to a failure in the spacecraft, specifically the main engine cutting out during the landing sequence, leading to a loss of communication with the spacecraft [83133]. - The spacecraft's engine turned off shortly before landing, and scientists were still trying to figure out the cause of the failure. The spacecraft was in pieces scattered at the landing site, indicating a failure in the landing process [83309]. (b) The software failure incident occurring accidentally: - The Beresheet spacecraft experienced problems shortly after beginning its descent, despite a promising start in which it sent back a selfie at just 22 kilometers from the surface. The failure was not specifically attributed to an accidental cause but rather to issues with the main engine or a measurement unit that went wrong [83190]. - The spacecraft lost communication with ground control during its final descent, and the engine misfired, leading to a surge in velocity as it headed toward the lunar surface. The failure was declared a result of the engine turning off shortly before landing, with the cause still being investigated [83309].
Duration temporary The software failure incident related to the Beresheet spacecraft crash on the moon was temporary. The incident occurred during the final descent of the spacecraft when its engine turned off shortly before landing, leading to a loss of communication with ground control [83309]. The spacecraft was in pieces scattered at the landing site, and scientists were still trying to determine the cause of the failure [83309]. The failure was attributed to the engine misfiring and the velocity surging as the spacecraft headed toward the lunar surface, ultimately resulting in a crash near the historic Apollo landing sites [83309].
Behaviour crash, other (a) crash: The software failure incident in the articles can be categorized as a crash. The spacecraft's engine turned off shortly before landing, leading to the loss of communication with ground control and the spacecraft crashing into the moon [Article 83309]. (b) omission: There is no specific mention of the software failure incident being due to the system omitting to perform its intended functions at an instance(s) in the articles. (c) timing: The failure was not explicitly attributed to the system performing its intended functions correctly but too late or too early in the articles. (d) value: The failure was not described as the system performing its intended functions incorrectly in the articles. (e) byzantine: The failure was not characterized by the system behaving erroneously with inconsistent responses and interactions in the articles. (f) other: The software failure incident can be described as a failure due to the system losing state and not performing any of its intended functions, leading to the crash of the spacecraft into the moon [Article 83309].

IoT System Layer

Layer Option Rationale
Perception None None
Communication None None
Application None None

Other Details

Category Option Rationale
Consequence property, delay, non-human (a) death: People lost their lives due to the software failure - No mention of any deaths occurring due to the software failure incident in the articles [83133, 83190, 83309]. (b) harm: People were physically harmed due to the software failure - No mention of people being physically harmed due to the software failure incident in the articles [83133, 83190, 83309]. (c) basic: People's access to food or shelter was impacted because of the software failure - No mention of people's access to food or shelter being impacted due to the software failure incident in the articles [83133, 83190, 83309]. (d) property: People's material goods, money, or data was impacted due to the software failure - The software failure incident resulted in the spacecraft, named Beresheet, crashing into the moon, leading to the failure of the mission to land successfully. This resulted in the loss of the spacecraft itself and the mission's objectives [83133, 83190, 83309]. (e) delay: People had to postpone an activity due to the software failure - The software failure incident caused the mission to fail in its attempt to land on the moon, resulting in the postponement of the successful landing that was planned [83133, 83190, 83309]. (f) non-human: Non-human entities were impacted due to the software failure - The software failure incident impacted the spacecraft, Beresheet, which was a non-human entity, leading to its crash on the moon and the failure of the mission [83133, 83190, 83309]. (g) no_consequence: There were no real observed consequences of the software failure - The software failure incident had real observed consequences, such as the spacecraft crashing into the moon and the failure of the mission to land successfully [83133, 83190, 83309]. (h) theoretical_consequence: There were potential consequences discussed of the software failure that did not occur - The articles do not mention any potential consequences discussed that did not occur as a result of the software failure incident [83133, 83190, 83309]. (i) other: Was there consequence(s) of the software failure not described in the (a to h) options? What is the other consequence(s)? - No other consequences of the software failure incident were described in the articles [83133, 83190, 83309].
Domain knowledge, government, other The failed system in the reported incident was related to the industry of space exploration and technology development. Here is the relevant information from the articles for all the industry options: (a) information: The incident did not directly involve the production and distribution of information. (b) transportation: The incident did not involve the transportation of people or things. (c) natural_resources: The incident did not involve the extraction of materials from Earth. (d) sales: The incident did not involve the exchange of money for products. (e) construction: The incident did not involve the creation of the built environment. (f) manufacturing: The incident did not involve the creation of products from materials. (g) utilities: The incident did not involve power, gas, steam, water, or sewage services. (h) finance: The incident did not involve the manipulation and movement of money for profit. (i) knowledge: The incident indirectly relates to education and research in the field of space exploration and technology development [83133, 83190, 83309]. (j) health: The incident did not involve the healthcare, health insurance, or food industries. (k) entertainment: The incident did not involve arts, sports, hospitality, or tourism. (l) government: The incident indirectly relates to space exploration, which can have implications for government activities such as defense and public services [83133, 83190, 83309]. (m) other: The incident is specifically related to the space exploration industry, which is not covered by the options (a) to (l) [83133, 83190, 83309].
