Software Engineering: Mars Climate Orbiter

The Mission

The Mars Climate Orbiter was part of an extended series of missions conducted by NASA to expore Mars during an extended period when Mars and Earth's orbits brought them into relative proximity. The US$327.6 million mission was scheduled to last six years including support of other probes as a relay system

"The duration of the Mars Climate Orbiter's science mission will be one Martian year, or approximately two Earth years. In addition to collecting data, the Orbiter will act as a relay station for five years, assisting in data transmission to and from the Mars Polar Lander, as well as the 2001 Lander mission.
"Two instruments are aboard the Orbiter: the Pressure Modulator Infrared Radiometer (PMIRR), and the Mars Color Imager (MARCI). PMIRR will provide detailed information about the atmospheric temperatire on Mars, dust, water vapor, and clouds. It will also provide valuable information about the amount of carbon dioxide (CO2) that is added and removed from the poles each Martian Year. MARCI is comprised of two cameras that will observe the behavior of the Martian atmosphere and interaction between the atmosphere and the surface of the planet."

Timeline

December 11, 1998: Launch
September 23, 1999: Mars Orbiter Insertion
September 27, 1999: Mars Aerobraking Begins
November 10, 1999: Mars Aerobraking Ends
December 1, 1999: Transfer To Mapping Orbit
December 3, 1999: Mars Polar Lander Support
March 3, 2000: Mars Mapping Begins
January 15, 2002: Mars Relay Mission Begins
December 1, 2004: End Of Primary Mission

The Orbiter launch and transfer from an Earth orbit to a trajectory towards Mars went as planned. The mission proceeded smoothly for nine months until the Orbiter arrived at Mars on September the 23rd, 1999.

The Failure

Upon arriving at Mars, the Orbiter needed to modify its trajectory and slow down so that it orbited Mars as desired.

Speed before engine firing (relative to Mars): 12,300 mph (5.5 km/sec)
Speed after engine fireing (relative to Mars): 9,840 mph (4.4 km/sec)
Change in speed from engine firing: 3,065 mph (1.37 km/sec)

Achieving this required a precise set of events to happen which were carefully modelled well in advance of the launch. The intended steps were as follows:

Mars Climate Orbiter MOI Timeline September 23, 1999 All times in Earth Receive Time (ERT). One way light time from Mars is 10 minutes 49 seconds.
Event	PDT	EDT	UTC
Orbiter stows solar array	01:41	04:41	08:41
Orbiter turns to correct orientation to begin main engine burn	01:50	04:50	08:50
Orbiter fires pyrotechnic devices which open valves to begin pressurizing the fuel and oxidizer tanks	01:56	04:56	08:56
Main engine burn starts, fires for 16 minutes 23 seconds.	02:01	05:01	09:01
Orbiter passes behind Mars, out of view from Earth	02:06	05:06	09:06
Main engine burn ends	02:17	05:17	09:17
Orbiter turns to orientation which will allow Earth contact	02:19	05:19	09:19
Orbiter comes out from behind Mars, flight controllers regain contact	02:27	05:27	09:27
Solar array unstows	02:30	05:30	09:30

Unfortunately, after commencing the first burn, the MCO lost contact with Earth and no further contact was had. After repeated attempts to reestablish contact the MCO was presumed lost.

The Analysis

Subsequent analysis of the failure determined that the principle cause of the failure was confusion in units, instead of sending thrust information to the orbiter in Newtons, the instructions were in pounds, a factor of 2.2 times greater. These instructions were used by the orbiter's earth based navigation controllers to adjust the craft's aspect during the voyage in order to compensate for changes caused by the assymmetry of the orbiter and pressure from the solar wind on the panels. As the instructions overcompensated, the craft ended up with a trajectory that put it 170 km closer to Mars than anticipated. After the burn, it thus orbited 90 km closer to Mars than originally intended.

Consequently, the orbiter came into contact with the upper atmosphere of Mars and was most likely burnt up and completely destroyed.

While the primary cause of the error was faulty software producing data that was not in the units specified (metric), it was not the only factor responsible as the navigation team should have been able to detect that the orbiter was not behaving as expected and was off course. The report on the failure prepared to determine the reason for the failure before it could affect the Mars Polar Lander identified the following as contributing causes:

Undetected mismodeling of spacecraft velocity changes
Navigation Team unfamiliar with spacecraft
Trajectory correction maneuver number 5 not performed
System engineering process did not adequately address transition from development to operations
Inadequate communications between project elements
Inadequate operations Navigation Team staffing
Inadequate training
Verification and validation process did not adequately address ground software

The team made sixteen recommendations, only two of which directly related to software:

Verify the consistent use of units throughout the MPL spacecraft design and operations
Conduct software audit for specification compliance on all data transferred between JPL and Lockheed Martin Astronautics

Lessons for software engineering

"There are two ways of constructing a software design: One way is to make it so simple that there are obviously no deficiencies, and the other way is to make it so complicated that there are no obvious deficiencies. The first method is far more difficult."

C.A.R. Hoare

In some respects the error that caused the failure was a trivial one, a mistake that could easily happen in any program. The need to maintain a consistent set of units was well understood and had been included in the programming specification. What led it to be a cause of failure was the sheer complexity of the entire system, not the individual task. Interestingly, the two software recommendations made by the review panel are not associated with methodology - the panel found that the processes and standards used were best practice for programming. This highlights the problem - large, complex software projects are so complex that they can fail even when methodologies are followed to the letter. The only real solution is to simplify programmes as much as possible in order to minimise problems and to ensure that those that do happen are more likely to be detected.

Secondly, it is likely that a more rigorous programme of testing might have identified the problem. Indeed the review panel made seven recommendations for further testing and modelling work in order to ensure that the related Mars Polar Lander would perform as required.

Finally, the review team focussed on communication and experience within the navigation team. The development team was very experienced, but it is clear that more communication could have identified the problem prior to loss of the orbiter.

References

Mars Climate Orbiter home page
http://mars.jpl.nasa.gov/msp98/orbiter/

NSSDC Master Catalog: Spacecraft: Mars Climate Orbiter
http://nssdc.gsfc.nasa.gov/nmc/tmp/1998-073A.html

NASA press release 99-113:Mars Climate Orbiter Team Finds Likely Cause Of Loss
ftp://ftp.hq.nasa.gov/pub/pao/pressrel/1999/99-113.txt

Mars Climate Orbiter Mishap Investigation Board Phase I Report November 10, 1999
ftp://ftp.hq.nasa.gov/pub/pao/reports/1999/MCO_report.pdf