Incident: Unreliable Starter-Generator Causes Reaper Drone Crashes and Losses

Published Date: 2016-01-20

Postmortem Analysis
Timeline:
1. The software failure incident involving the MQ-9 Reaper drone crashing near Bagram Airfield, Afghanistan, happened in November.
   - The incident was reported in an article published on January 20, 2016 [39478].

System:
1. Faulty starter-generator system in the MQ-9 Reaper drone [39478]

Responsible Organization:
1. Electrical faults affecting the Reaper drone [39478]
2. Faulty starter-generator leading to the failure [39478]
3. Depleted backup batteries contributing to the incident [39478]
4. Delay in uploading software for the launch and recovery element [39478]

Impacted Organization:
1. US Air Force [39478]
2. Pentagon [39478]

Software Causes:
1. Unknown

Non-software Causes:
1. Electrical faults causing the Reaper drone to fall from the sky, leading to the destruction of 20 large Air Force drones or sustaining at least $2 million in damage [39478].
2. Faulty starter-generator identified as a primary cause of the failure incident, with investigators unable to pinpoint why it goes haywire or devise a permanent fix [39478].
3. Depletion of backup batteries and generator failure contributing to the incident, leading to the loss of the MQ-9 Reaper at a cost of $14.1 million [39478].
4. Loss of satellite link with the aircraft shortly after takeoff, displaying a battery warning and starter-generator failure, which ultimately led to the decision to intentionally crash the aircraft in nearby mountains [39478].

Impacts:
1. The software failure incident led to an unprecedented number of technical problems with the Reaper drone, causing 20 large Air Force drones to be destroyed or sustain at least $2 million in damage in accidents last year [39478].
2. More than 400 large U.S. military drones have crashed since 2001, with some incidents narrowly averting catastrophes by a few feet, seconds, or luck [39478].
3. The software failure incident resulted in the destruction of a $3.8 million Predator carrying a Hellfire missile near Kandahar in January 2010 due to the pilot not realizing she had been flying the aircraft upside-down [39478].
4. Another armed Predator crashed nearby after the pilot squeezed the wrong red button on his joystick, putting the plane into a spin [39478].
5. Dozens of malfunctioning aircraft have been destroyed in the United States during test and training flights that have gone awry, including a 375-pound Army drone crashing next to an elementary-school playground in Pennsylvania [39478].
6. Ten Reapers, each costing an estimated $14m, were badly damaged or destroyed in 2015 due to software failures, at least twice as many as in any previous year [39478].
7. The software failure incident led to the destruction of an MQ-9 Reaper in the Middle East, resulting in a loss of $14.1 million, as the pilot lost satellite link with the aircraft, leading to battery warning and starter-generator failure [39478].

Preventions:
1. Implementing more rigorous testing procedures for the software controlling the drones to identify and address potential issues before deployment [39478].
2. Conducting regular maintenance and inspections on the software systems to ensure they are functioning correctly and are up to date with the latest patches and updates [39478].
3. Enhancing training programs for drone pilots to ensure they are proficient in handling emergency situations and understanding the software interface [39478].

Fixes:
1. Implementing a permanent fix for the faulty starter-generator that has been causing the Reaper drone incidents [39478].
2. Ensuring proper maintenance and monitoring of the backup batteries to prevent depletion during missions [39478].
3. Uploading software updates in a timely manner to address any potential software-related issues [39478].

References:
1. Air Force safety data
2. Accident-investigation documents obtained under the Freedom of Information Act
3. Air Force investigation report
4. 432nd Attack Squadron at Ellsworth Air Force Base, South Dakota
5. Accident Investigation Board report
6. 455th Air Expeditionary Wing

Software Taxonomy of Faults

Category | Option | Rationale
Recurring | one_organization, multiple_organization | (a) The software failure incident has happened again at one_organization: - The article reports that the MQ-9 Reaper drone experienced a software failure incident in December 2014, where the pilot lost satellite link with the aircraft, leading to a battery warning and a starter-generator failure [39478]. - This incident resulted in the drone being unable to lower its landing gear, ultimately leading to the decision to intentionally crash the aircraft in nearby mountains [39478]. (b) The software failure incident has happened again at multiple_organization: - The article mentions that the Reaper drone is not the only one affected by technical problems, as more than 400 large U.S. military drones have crashed since 2001, indicating a recurring issue with drone software and technical failures [39478]. - It is also highlighted that dozens of drones have been destroyed in the United States during test and training flights due to malfunctions, indicating a broader problem across different types of drones and organizations [39478].
Phase (Design/Operation) | unknown | The articles do not provide specific information related to software failure incidents occurring due to the development phases (design) or operation phases. Therefore, it is unknown whether the reported drone crashes were specifically caused by issues related to system development, system updates, procedures to operate or maintain the system (design), or by factors introduced during the operation or misuse of the system (operation).
Boundary (Internal/External) | within_system | (a) within_system: The software failure incident related to the Reaper drone crashes was primarily attributed to internal system factors. The incidents were linked to technical problems such as electrical faults, faulty starter-generators, and depleted backup batteries within the drones themselves [39478]. The investigation reports pointed to issues like generator failure and battery depletion as primary causes of the crashes, indicating that the failures originated from within the system. Additionally, delays in uploading software for the launch and recovery element were mentioned as contributing factors to the incident [39478].
Nature (Human/Non-human) | non-human_actions, human_actions | (a) The software failure incident occurring due to non-human actions: - The articles mention technical problems and electrical faults besetting the Reaper drone, causing it to fall from the sky and leading to accidents and crashes [39478]. - Investigators traced the Reaper problem to a faulty starter-generator, but have been unable to pinpoint why it goes haywire or devise a permanent fix, indicating a non-human factor contributing to the failure [39478]. - The primary cause of the MQ-9 Reaper crash in the Middle East was identified as the failure of the generator, along with the depletion of backup batteries, which are technical issues [39478]. (b) The software failure incident occurring due to human actions: - The articles mention incidents where pilots made errors such as not realizing they were flying the aircraft upside-down or squeezing the wrong button on the joystick, leading to crashes [39478]. - A decision to not lower the landing gear earlier contributed to the decision to crash the aircraft intentionally, indicating a human action affecting the outcome of the incident [39478].
Dimension (Hardware/Software) | hardware | (a) The software failure incident related to hardware: - The articles mention that investigators traced the Reaper drone problem to a faulty starter-generator, which is a hardware component [39478]. - The primary cause of the incident was identified as the failure of the generator, along with the depletion of the backup batteries, which are hardware-related issues [39478]. (b) The software failure incident related to software: - The articles do not specifically mention any contributing factors originating in software for the failure incident.
Objective (Malicious/Non-malicious) | non-malicious | (a) The articles do not mention any software failure incident related to malicious intent by humans to harm the system. (b) The software failure incidents mentioned in the articles are non-malicious in nature. The failures are attributed to technical problems such as electrical faults, faulty starter-generator, depleted backup batteries, and generator failure. These technical issues led to the drones crashing or being destroyed, causing significant damage and loss of expensive equipment [39478].
Intent (Poor/Accidental Decisions) | unknown | The articles do not provide specific information about the software failure incident being caused by poor decisions or accidental decisions.
Capability (Incompetence/Accidental) | accidental | (a) The articles do not specifically mention any software failure incidents related to development incompetence. (b) The software failure incidents mentioned in the articles are more related to accidental factors such as technical problems, electrical faults, faulty starter-generator, depleted backup batteries, and generator failure leading to crashes of drones like the Reaper [39478]. These incidents were not attributed to development incompetence but rather to technical issues and accidents during operation.
Duration | permanent, temporary | The software failure incident related to the MQ-9 Reaper drone crashes appears to involve both permanent and temporary aspects: (a) Permanent: The investigation into the Reaper drone crashes identified a primary cause as the failure of the generator, along with the depletion of backup batteries. The faulty starter-generator issue has been a recurring problem, and investigators have been unable to pinpoint why it goes haywire or devise a permanent fix [39478]. (b) Temporary: In one specific incident, the MQ-9 Reaper drone lost satellite link with the aircraft shortly after takeoff, displaying a battery warning and a starter-generator failure. The pilot attempted to reroute the aircraft to a predetermined location for recovery, but the Reaper lost battery power to the point where it couldn't lower its landing gear, leading to the decision to intentionally crash the aircraft [39478].
Behaviour | crash | (a) crash: The software failure incident in the articles is related to crashes of military drones, specifically the MQ-9 Reaper drones. These crashes were caused by technical problems, including electrical faults and a faulty starter-generator, leading to the drones falling from the sky and being destroyed [39478]. (b) omission: There is no specific mention of the software failure incident being related to the system omitting to perform its intended functions at an instance(s) in the articles. (c) timing: The articles do not indicate that the software failure incident was related to the system performing its intended functions correctly, but too late or too early. (d) value: The software failure incident is not described as the system performing its intended functions incorrectly. (e) byzantine: The software failure incident does not involve the system behaving erroneously with inconsistent responses and interactions. (f) other: The other behavior observed in the software failure incident is the system losing state and not performing any of its intended functions, leading to the drones crashing and being destroyed [39478].

IoT System Layer

Layer | Option | Rationale
Perception | None | None
Communication | None | None
Application | None | None

Other Details

Category | Option | Rationale
Consequence | property, non-human, theoretical_consequence, other | (a) death: People lost their lives due to the software failure - No one has died in a drone accident, but many catastrophes have been narrowly averted by luck [39478]. (b) harm: People were physically harmed due to the software failure - There is no mention of people being physically harmed due to the drone accidents [39478]. (c) basic: People's access to food or shelter was impacted because of the software failure - There is no mention of people's access to food or shelter being impacted due to the drone accidents [39478]. (d) property: People's material goods, money, or data was impacted due to the software failure - The crashes of military drones have resulted in the destruction or damage of the drones themselves, which are costly assets [39478]. (e) delay: People had to postpone an activity due to the software failure - There is no mention of people having to postpone an activity due to the drone accidents [39478]. (f) non-human: Non-human entities were impacted due to the software failure - The software failure incidents primarily impacted the military drones themselves, resulting in their destruction or damage [39478]. (g) no_consequence: There were no real observed consequences of the software failure - The software failures in the military drones led to crashes and destruction of the drones, indicating real consequences [39478]. (h) theoretical_consequence: There were potential consequences discussed of the software failure that did not occur - The article mentions that many catastrophes have been narrowly averted by luck, indicating potential consequences that did not materialize [39478]. (i) other: Was there consequence(s) of the software failure not described in the (a to h) options? What is the other consequence(s)? - The software failures in the military drones resulted in accidents, destruction of expensive equipment, and potential risks to civilians and property on the ground [39478].
Domain | knowledge, government | (a) The failed system was intended to support the defense industry, specifically the U.S. Air Force's drone operations. The Reaper drone, which experienced technical problems leading to crashes, is a crucial component in conducting surveillance and airstrikes against militant groups like the Islamic State and al-Qaeda [39478].
