Incident: Mars Climate Orbiter Failure: Metric Conversion Error Leads to Destruction.

Published Date: 2010-11-10

Postmortem Analysis
Timeline
1. The software failure incident with the Mars Climate Orbiter happened in 1999 as mentioned in Article [3508].

System
1. Software controlling the Mars Climate Orbiter's thrusters [3508]
2. Software glitch in the Mars Climate Orbiter that caused the force delivered by onboard thrusters to be coded in imperial pounds instead of metric Newtons [48591]

Responsible Organization
1. NASA engineers [3508]
2. Lockheed Martin engineers [3508]

Impacted Organization
1. NASA [3508]
2. European Space Agency [48591]

Software Causes
1. The software controlling the Mars Climate Orbiter's thrusters calculated force in pounds instead of metric newtons, leading to a fatal miscalculation [3508].
2. The glitch in the Mars Climate Orbiter's software, specifically the units used for force calculations, was identified as a software cause of the failure incident [48591].

Non-software Causes
1. Lack of proper unit conversion from pounds to newtons in the software controlling the orbiter's thrusters [3508]
2. Overly ambitious appetite in NASA's space exploration projects at the time [3508]
3. Vibrations in the Mars Polar Lander's legs causing the on-board computer to think it had already landed when it was still in the air [3508]
4. Mars Polar Lander shutting down its engine too early when unfolding its legs, leading to its destruction on impact [48591]
5. Beagle 2's solar panels failing to open properly after landing on Mars [48591]

Impacts
1. The Mars Climate Orbiter, a $125 million satellite, burned up in the Martian atmosphere and vanished due to a software failure in the thruster control software, which incorrectly calculated the force in pounds instead of metric newtons [3508].
2. The failure of the Mars Climate Orbiter led to the loss of the spacecraft, which was intended to be the first weather observer on another world [3508].
3. The incident highlighted a miscommunication and oversight in unit conversion between engineers at NASA's Jet Propulsion Lab and Lockheed Martin, leading to the spacecraft's destruction [3508].
4. The failure of the Mars Climate Orbiter and the Mars Polar Lander prompted NASA to make significant changes, including scrapping several planned missions and rebuilding the Mars program based on conservative strategies [3508].
5. The failure of the Mars Climate Orbiter and the Mars Polar Lander led to a shift in NASA's approach towards space exploration, focusing on more tested and conservative concepts, which ultimately resulted in the successful Mars Exploration Rovers, Spirit and Opportunity [3508].

Preventions
1. Properly converting units from English to metric in the software controlling the orbiter's thrusters could have prevented the software failure incident [3508].
2. Implementing thorough testing procedures to catch any unit conversion errors in the software could have prevented the software failure incident [3508].
3. Establishing a culture of double-checking critical calculations and assumptions within the software could have prevented the software failure incident [3508].

Fixes
1. Implement thorough software testing procedures to catch unit conversion errors before deployment [3508].
2. Enforce strict verification and validation processes to ensure software calculations are accurate and consistent with mission requirements [3508].
3. Improve communication and collaboration between different teams involved in spacecraft development to prevent misinterpretation of units and assumptions [3508].
4. Conduct regular audits and reviews of software code to identify and rectify potential issues early on [3508].
5. Enhance training and awareness programs for engineers and developers regarding the importance of unit consistency and conversion in software development [3508].

References
1. NASA engineer Richard Cook, project manager for Mars exploration projects at the time [3508]
2. Various sources mentioned in the articles [3508]
3. Investigation panel that found the glitch in the Mars Climate Orbiter's software [48591]

Software Taxonomy of Faults

Category: Recurring
Option: one_organization, multiple_organization
Rationale:
(a) The software failure incident related to the Mars Climate Orbiter burning up in the Martian atmosphere due to a unit conversion error has happened again within the same organization. The article mentions that the Mars Polar Lander, which launched 23 days after the Mars Climate Orbiter, also disappeared on the way to the planet's surface due to a different reason, but with the underlying issue of overly ambitious projects within NASA [3508].
(b) The software failure incident related to spacecraft failures due to various reasons, including landing issues, has occurred at multiple organizations. The article mentions failures of Soviet missions such as Mars 1962B, Mars 2, Mars 3, Mars 6, Mars 7, and Mars 96, where landers failed to land successfully or lost contact with the probes [48591].

Category: Phase (Design/Operation)
Option: design, operation
Rationale:
(a) The software failure incident related to the design phase is evident in the case of the Mars Climate Orbiter [3508]. The failure occurred because engineers failed to convert units from English to metric during the development phase. The software controlling the orbiter's thrusters calculated the force in pounds instead of newtons, leading to a miscalculation that ultimately caused the orbiter to burn up in the Martian atmosphere.
(b) The software failure incident related to the operation phase is seen in the case of the Mars Polar Lander [48591]. Mission controllers lost contact with the spacecraft, and it was later concluded that the lander had shut down its engine too early when it unfolded its legs, leading to its destruction on impact. This failure was attributed to the operation or misuse of the system during the landing phase.

Category: Boundary (Internal/External)
Option: within_system, outside_system
Rationale:
(a) The software failure incident related to the Mars Climate Orbiter was within the system. The failure was attributed to a software issue where the software controlling the orbiter's thrusters calculated the force in pounds instead of metric newtons, leading to a miscalculation in the thruster force [3508, 48591]. This internal software error ultimately caused the orbiter to burn up in the Martian atmosphere.
(b) The software failure incident was also influenced by factors outside the system. The underlying issue in the culture of NASA's space exploration at the time, characterized by the mantra of "better, faster, cheaper," played a role in the failure. This ambitious approach to space missions may have contributed to overlooking critical checks and conversions in the software development process [3508].

Category: Nature (Human/Non-human)
Option: non-human_actions, human_actions
Rationale:
(a) The software failure incident occurring due to non-human actions: The software failure incident related to the Mars Climate Orbiter burning up in the Martian atmosphere was primarily due to a non-human action, specifically a unit conversion error in the software controlling the orbiter's thrusters. The software calculated the force the thrusters needed to exert in pounds of force, while a separate piece of software took in the data assuming it was in the metric unit newtons [3508].
(b) The software failure incident occurring due to human actions: The software failure incident related to the Mars Polar Lander losing contact with the probe was attributed to human actions. Mission controllers concluded that the lander had shut down its engine too early when it unfolded its legs, leading to its destruction on impact [48591].

Category: Dimension (Hardware/Software)
Option: hardware, software
Rationale:
(a) The software failure incident occurring due to hardware: The Mars Climate Orbiter failure in 1999 was attributed to a software glitch where the force delivered by onboard thrusters was coded in imperial pounds instead of metric Newtons. This error originated from a hardware-related issue where the software controlling the orbiter's thrusters miscalculated the force needed [3508, 48591].
(b) The software failure incident occurring due to software: The Mars Climate Orbiter failure in 1999 was primarily a software failure incident. The glitch in the spacecraft's software, where the force delivered by thrusters was coded incorrectly, was the main contributing factor to the mission's failure [3508, 48591].

Category: Objective (Malicious/Non-malicious)
Option: non-malicious
Rationale:
(a) The software failure incident related to the Mars Climate Orbiter was non-malicious. The failure was attributed to a mistake in the software controlling the orbiter's thrusters, where the force was calculated in pounds instead of metric newtons. This error led to the orbiter burning up in the Martian atmosphere [3508].
(b) The software failure incident related to the European Space Agency's Mars lander was also non-malicious. The failure of the Mars lander to touch down safely was part of a series of setbacks for scientists eager to learn more about Mars. The incident was not attributed to any malicious intent but rather to technical challenges faced during the mission [48591].

Category: Intent (Poor/Accidental Decisions)
Option: poor_decisions, accidental_decisions
Rationale:
(a) The intent of the software failure incident was poor_decisions. The failure of the Mars Climate Orbiter was attributed to a poor decision made by engineers who failed to convert units from English to metric in the software controlling the orbiter's thrusters. The software calculated the force the thrusters needed to exert in pounds of force, while a separate piece of software took in the data assuming it was in the metric unit newtons [3508].
(b) The intent of the software failure incident was accidental_decisions. The failure of the Mars Polar Lander was due to an accidental decision made by the lander's engine shutting down too early when it unfolded its legs, leading to its destruction upon impact [48591].

Category: Capability (Incompetence/Accidental)
Option: development_incompetence
Rationale:
(a) The software failure incident related to development incompetence is evident in the case of the Mars Climate Orbiter [3508]. Engineers failed to convert units from English to metric, leading to the orbiter burning up in the Martian atmosphere. The software controlling the orbiter's thrusters calculated the force in pounds instead of metric newtons, causing a critical miscalculation. This failure was attributed to a lack of professional competence in ensuring proper unit conversion, as it was a known issue that was not caught during development.
(b) The software failure incident related to accidental factors is seen in the case of the European Space Agency's Mars lander [48591]. The Mars lander failed to touch down safely, adding to a series of setbacks in Mars missions. This failure was not due to a specific error in software development but rather an accidental outcome of the complex process of landing on Mars, where various factors can contribute to mission success or failure.

Category: Duration
Option: permanent, temporary
Rationale:
(a) The software failure incident related to the Mars Climate Orbiter was permanent. The incident occurred because engineers failed to convert units from English to metric, leading to the spacecraft burning up in the Martian atmosphere and ultimately being lost for good [3508].
(b) The software failure incident related to the European Space Agency's Mars lander was temporary. The Mars lander failed to touch down safely, which was part of a series of setbacks for scientists eager to learn more about Mars. This incident did not result in a permanent loss of the spacecraft but rather a temporary setback in the mission [48591].

Category: Behaviour
Option: crash, omission, value
Rationale:
(a) crash: The software failure incident related to the Mars Climate Orbiter can be categorized as a crash. The orbiter burned up in the Martian atmosphere because the software controlling the orbiter's thrusters miscalculated the force needed to be exerted, leading to the orbiter vanishing and ultimately crashing into the atmosphere [3508].
(b) omission: The software failure incident can also be categorized as an omission. The omission occurred when the software controlling the orbiter's thrusters failed to convert units from pounds to newtons, leading to a critical error in the calculations and the subsequent loss of the spacecraft [3508].
(d) value: The software failure incident can be categorized as a value failure. The software incorrectly calculated the force the thrusters needed to exert in pounds instead of newtons, leading to a fatal error in the spacecraft's trajectory and resulting in its destruction [3508].

IoT System Layer

Layer Option Rationale
Perception None None
Communication None None
Application None None

Other Details

Category: Consequence
Option: death, property, non-human
Rationale:
(a) death: People lost their lives due to the software failure - The consequence of the software failure incident involving the Mars Climate Orbiter was the loss of the spacecraft itself, which was a $125 million satellite meant to be the first weather observer on another world. The orbiter burned up in the Martian atmosphere due to a software error that caused it to come within 37 miles of the Martian surface, where atmospheric friction tore it apart [3508].
(g) no_consequence: There were no real observed consequences of the software failure - There were no reports of human casualties or physical harm resulting from the software failure incidents discussed in the articles. The consequences were limited to the loss of the spacecraft and the failure to achieve the intended mission objectives [3508, 48591].

Category: Domain
Option: knowledge
Rationale:
(a) The failed system was related to the industry of space exploration [3508, 48591].
(i) The Mars Climate Orbiter, a spacecraft intended to observe the weather on Mars, failed due to a software glitch that caused it to burn up in the Martian atmosphere. The software miscalculated the force the thrusters needed to exert because it used imperial pounds instead of metric Newtons [3508].
(i) Various Soviet missions to Mars, such as Mars 2, Mars 6, and Mars 7, also faced failures in landing or transmitting data back to Earth [48591].
