ESA: European Mars Lander Crash Caused By 1-Second Glitch (space.com)

← Back to Stories (view on slashdot.org)

ESA: European Mars Lander Crash Caused By 1-Second Glitch (space.com)

Posted by BeauHD on Wednesday November 23, 2016 @07:00PM from the what-went-wrong dept.

An anonymous reader quotes a report from Space.com: The European Space Agency (ESA) on Nov. 23 said its Schiaparelli lander's crash landing on Mars on Oct. 19 followed an unexplained saturation of its inertial measurement unit (IMU), which delivered bad data to the lander's computer and forced a premature release of its parachute. Polluted by the IMU data, the lander's computer apparently thought it had either already landed or was just about to land. The parachute system was released, the braking thrusters were fired only briefly and the on-ground systems were activated. Instead of being on the ground, Schiaparelli was still 2.3 miles (3.7 kilometers) above the Mars surface. It crashed, but not before delivering what ESA officials say is a wealth of data on entry into the Mars atmosphere, the functioning and release of the heat shield and the deployment of the parachute -- all of which went according to plan. In its Nov. 23 statement, ESA said the saturation reading from Schiaparelli's inertial measurement unit lasted only a second but was enough to play havoc with the navigation system. ESA said the sequence of events "has been clearly reproduced in computer simulations of the control system's response to the erroneous information." ESA's director of human spaceflight and robotic exploration, David Parker, said in a statement that ExoMars teams are still sifting through the voluminous data harvest from the Schiaparelli mission, and that an external, independent board of inquiry, now being created, would release a final report in early 2017.

74 of 110 comments (clear)

Min score:

Reason:

Sort:

This never happened to me before... by hyades1 · 2016-11-23 19:05 · Score: 5, Funny

Man, if I had a nickel for every time some kind of sensory saturation forced a premature release...

--
I've calculated my velocity with such exquisite precision that I have no idea where I am.
1. Re:This never happened to me before... by rsmith-mac · 2016-11-23 19:19 · Score: 5, Funny
  
  Man, if I had a nickel for every time some kind of sensory saturation forced a premature release...
  Then you'd still be broke. This is Slashdot; you're not fooling anyone.
2. Re:This never happened to me before... by Freischutz · 2016-11-23 20:40 · Score: 2
  
  Man, if I had a nickel for every time some kind of sensory saturation forced a premature release...
  Then you'd still be broke. This is Slashdot; you're not fooling anyone.
  Visit the lair of any Slashdot poster, buried deep in the basement of his parent's house, and you will find that the height and majesty of the tissue mountain on the nightstand next to his bed thoroughly discredits your hypothesis. If you need further confirmation, shine a black light at his laptop and prepare yourself to be blinded by the glow.
3. Re:This never happened to me before... by Anonymous Coward · 2016-11-23 20:41 · Score: 1
  
  I believe he's referring to the manual override.
4. Re:This never happened to me before... by hyades1 · 2016-11-23 20:49 · Score: 1
  
  What...you never put lipstick on your hand for those special evenings?
  Fairness forces me to note that you, too, are a Slashdot denizen.
  
  --
  I've calculated my velocity with such exquisite precision that I have no idea where I am.
5. Re:This never happened to me before... by stealth_finger · 2016-11-23 22:44 · Score: 1
  
  Visit the lair of any Slashdot poster, buried deep in the basement of his parent's house, and you will find that the height and majesty of the tissue mountain on the nightstand next to his bed thoroughly discredits your hypothesis. If you need further confirmation, shine a black light at his laptop and prepare yourself to be blinded by the glow.
  Just because your house is like that doesn't mean everyone's is.
  
  --
  Wanna buy a shirt?
  https://www.redbubble.com/people/stealthfinger/shop?asc=u
6. Re:This never happened to me before... by silentcoder · 2016-11-23 23:17 · Score: 3, Insightful
  
  He never said there was another person involved. He's just complaining about never managing to make it to the end of the pornhub clip.
  
  --
  Unicode killed the ASCII-art *
Cheater? by Anonymous Coward · 2016-11-23 19:27 · Score: 2, Funny

They're blaiming lag?
Kalman filter by little1973 · 2016-11-23 19:29 · Score: 4, Insightful

https://en.wikipedia.org/wiki/...
How in hell did they test their Kalman filter to allow such bad data to reach the decision logic? (I assume they used one.)

--
Government cannot make man richer, but it can make him poorer. - Ludwig von Mises
1. Re:Kalman filter by gTsiros · 2016-11-23 20:14 · Score: 3, Insightful
  
  I find it more weird that *one* sensor misbehaving lead to the entire mission failing.
  I have more robustness in my thrust measuring rig made of wood beams and zipties :|
  
  --
  Looking for people to chat about multicopters, coding, music. skype: gtsiros
2. Re:Kalman filter by 0100010001010011 · 2016-11-23 20:38 · Score: 2
  
  "Check for integer overflow" is a checkbox in Simulink.
  How was this not caught on the Hardware in the Loop test benches?
  Jesus people, is this amateur hour.
3. Re:Kalman filter by Ramze · 2016-11-24 04:38 · Score: 1
  
  This. So much this. I don't know about the EU, but when NASA builds spacecraft, it tends to put in multiple redundancies where it can and add a little logic to determine if and when a sensor fails given other data. If you're going to send up a multi-million dollar craft for a project that will last months, have a backup plan for each and every thing that could possibly go wrong so long as it doesn't significantly add to the expense.
  We know that rocket scientists can fire an object into orbit and hit a spot only a few meters wide on Mars -- while the Earth and Mars are both in motion -- rotation and revolution! I bet there's even a checklist as to when each system should come online and be deployed. If a sensor says "hey, we're on the ground or very near it!" when you're still 2 or 3 miles up... and you KNOW there hasn't been enough time for descent, maybe ignore that sensor and fire the descent engines based upon other data. Maybe even include a second sensor that works on different principles -- or fire a laser at the ground and have an optical sensor figure out the altitude from the reflected light. Maybe even throw down a reverse GPS system for Mars... some planetary markers so that orbital and landing craft can triangulate their location and proximity to the ground in real time.
4. Re:Kalman filter by vtcodger · 2016-11-24 06:09 · Score: 2
  
  "How in hell did they test their Kalman filter to allow such bad data to reach the decision logic? (I assume they used one.)"
  1) A Kalman Filter probably is not really appropriate here because the parachute has just been deployed and you wouldn't have state statistics available to filter the input data. Doesn't mean they didn't use one with ad hoc statistics. That's not as uncommon as perhaps it should be.
  2) Presumably the IMU is expected to tell you the probe has run into the planet (i.e. landed) and it's time to get rid of the 'chute before it lands on your probe and also time to shut down the thrusters lest they bounce the probe across the landscape or flip it upside down. Depending on how often the IMU is read out during landing, a full second of bad data may be pretty convincingly NOT noise.
  Not that I know anything about landing Mars probes.
  
  --
  You can't see ANYTHING from a car, You've got to get out of the goddamned contraption and walk...Edward Abbey
5. Re: Kalman filter by eliphalet · 2016-11-24 09:28 · Score: 1
  
  Or it's an off-by-one coding error.
6. Re:Kalman filter by RockDoctor · 2016-11-25 16:20 · Score: 1
  
  Presumably the IMU is expected to tell you the probe has run into the planet (i.e. landed) and it's time to get rid of the 'chute before it lands on your probe and also time to shut down the thrusters
  Wrong landing sequence. This spacecraft was intended to parachute down to some hundreds of metres, then fire up retro-rockets and jettison the parachutes, then descend to a few metres on the retro-rockets, then drop to the ground. So, the signal from the IMU would vary between free-fall and various substantial decelerations several times during the planned descent.
  Well, they achieved the desired state of not having the parachute land on top of the lander.
  
  --
  Birds are not dinosaur descendants;birds are dinosaurs, for all useful meanings of "birds", "are" and "dinosaurs"
They didn't learn the lesson by LordHighExecutioner · 2016-11-23 19:34 · Score: 4, Informative

Overflows and bad data problems happened to ESA before.
1. Re:They didn't learn the lesson by thegarbz · 2016-11-23 21:23 · Score: 5, Insightful
  
  To be fair, few people did. Multiple cases of overflows and bad data problems have occurred and still continue to occur not just in space programs around the world but in other industries too.
Teach it Phenomenology! by Bongo · 2016-11-23 19:43 · Score: 2

"Obligatory" Dark Star reference.
Ariane 5 by MichaelSmith · 2016-11-23 19:46 · Score: 1, Interesting

Brings to mind the failure of the first Arianne 5 launcher because control software spat an Ada stack trace over a line which was supposed to only contain kinematic data.

--
http://michaelsmith.id.au
1. Re:Ariane 5 by Anonymous Coward · 2016-11-23 21:07 · Score: 3, Informative
  
  > ...control software spat an Ada stack trace over a line...
  Eh, no. The failure of the INS's control software caused the INS to send diagnostic data (rather than sensor data) to the control systems, which then did what they _thought_ they were being commanded to do.
  None of the code in the system was modified in flight.
Filter or not by evanh · 2016-11-23 19:47 · Score: 4, Informative

When the altitude stops changing for a whole second the filter is going to have to be a long one! And that ain't desirable for responsive control.
The real question is how could the sensory processor have overloaded in the first place? My money is on simple [b]code bloat[/b]. Ie: They used a bunch of generic libraries that use further libraries that use further libraries that use further libraries that use further libraries that use further libraries ...
1. Re:Filter or not by Anonymous Coward · 2016-11-23 20:07 · Score: 1
  
  Bloat itself typically just makes things consistently slow.
  To get stalling you either need buffers upon buffers put there "to make things faster" or you need a runaway process that hangs.
  Not not realize you have them you need abstractions that hides them away.
2. Re:Filter or not by Anonymous Coward · 2016-11-23 20:55 · Score: 1
  
  I seriously doubt they cobbled the software together with a bunch of generic libraries; but if they did they got what they deserved.
3. Re:Filter or not by Solandri · 2016-11-24 04:17 · Score: 4, Insightful
  
  Dynamic range. Sensors which can measure from 0 - 100 g's are not as sensitive in the 0-1 g range you may be more concerned about. So you instead opt for accelerometers which max out at 10 g's and try to deal with the periods of max acceleration in software.
  
  A more elegant solution is to use both the sensitive accelerometer and an accelerometer with a greater max threshold. That way you keep the higher max limit without giving up low-gain sensitivity. But spacecraft tend to be both weight- and budget-constrained...
  
  More troubling to me was that there wasn't some basic sanity checking going on. Like a calculation that says "3 seconds ago I was at 4 km high. Now I think I'm on the ground. Does it make sense that I could've traveled that far in that little time? No? Then the instruments saying I'm on the ground are probably wonky, and I should give other instruments a higher priority in calculating my altitude for a bit." Same way I write my code (and spreadsheets) to calculate important numbers two, three, or sometimes even four different ways to make sure they all agree before proceeding to act on it.
4. Re:Filter or not by little1973 · 2016-11-24 07:11 · Score: 1
  
  This is not how Kalman filter works. Even if it gets totally wrong data for one second it outputs "correct" values based on previous data.
  So, in our case the altitude output would have changed for this one second and the output values would have been quite close to the real altitude.
  
  --
  Government cannot make man richer, but it can make him poorer. - Ludwig von Mises
5. Re:Filter or not by Kjella · 2016-11-24 08:18 · Score: 2
  
  More troubling to me was that there wasn't some basic sanity checking going on. (...) Same way I write my code (and spreadsheets) to calculate important numbers two, three, or sometimes even four different ways to make sure they all agree before proceeding to act on it.
  Well it's not exactly like the lander can abort, it's do or die. So you got inconsistent or unlikely data, but what's good and what's bad? It is a glitch, is it defective, did a misfire flip us around or put us in a spin or block the sensor? Can we salvage it or is the mission fucked no matter what? That's really the million dollar question, is there a contingency plan that could work and if so what should trigger it.
  I'm guessing that with combinatorics you'll have potentially very many possible failure modes and it's hard to find the realistic and salvageable ones while not screwing up non-sensor issues because you don't trust the data. I imagine you can spend a lot of time and resources on a few paths only to find it fails in a completely different way you didn't expect. It's a lot easier in hindsight...
  
  --
  Live today, because you never know what tomorrow brings
6. Re:Filter or not by Cochonou · 2016-11-24 10:11 · Score: 1
  
  This is not as simple as that. The inertial sensor is not outputting bogus or noisy data that can be easily discarded from previous data. It is saturating because the actual acceleration or rotation of the spacecraft is higher than any value the sensor can measure. Any integration algorithm used to compute the position of the spacecraft, including a Kalman filter or not, is going to have trouble in those conditions. Of course, there are methods to estimate what could be the correct measurement value during sensor saturation, but they are far from being a silver bullet.
7. Re:Filter or not by presidenteloco · 2016-11-24 14:33 · Score: 1
  
  You want sanity checking (based on physical possibility/impossibility) on individual input data streams to the Kalman filter prior to allowing them to get into the filter's weighted averaging. If a given single measurement stream (the position measurement by integrated acceleration) is indicating impossible changes in position over various near-past time ranges, exclude the whole measurement-type from the averaging immediately.
  
  --
  
  Where are we going and why are we in a handbasket?
8. Re:Filter or not by presidenteloco · 2016-11-24 14:35 · Score: 1
  
  To be fair, either doesn't occur to programmers, or it doesn't occur to managers to allow sufficient development and test time to consider stuff like that.
  I got my part of the lander done on time on budget. Gold star for me.
  
  --
  
  Where are we going and why are we in a handbasket?
9. Re:Filter or not by cwsumner · 2016-11-27 12:52 · Score: 1
  
  When the altitude stops changing for a whole second the filter is going to have to be a long one! And that ain't desirable for responsive control.
  The real question is how could the sensory processor have overloaded in the first place? ...
  
  ... When I heard about the crash landing I literally said to a friend of mine, "I bet the subroutine that cuts the parachute loose so it doesn't land on top of the payload detected the thump of the parachute strings going-taught, determined that meant it was on the ground, and cut the parachute." ...
  Mechanical devices can have really long "bounce" times, when it includes a parachute and riser lines it can easily be over a second.
  Not only was their mechanical testing lacking, their simulation software should have also picked this up. And they had a similar failure when the landing gear opened, in a previous lander.
  It sounds like they had a lot of scientists, but no engineers!
10. Re:Filter or not by strikethree · 2016-11-29 02:46 · Score: 1
  
  Same way I write my code (and spreadsheets) to calculate important numbers two, three, or sometimes even four different ways to make sure they all agree before proceeding to act on it.
  You sir, are not a typical coder. I would go so far as to say your error checking and thought processes are superior to (random very high number) 90% of the programmers I have seen. Mind you, I still think that is a bare minimum for calling yourself a programmer but each instance of proper coherency checking requires notice so that others can learn from it.
  
  --
  "Someone needs to talk to the tree of liberty about its ghoulish drinking problem." by ohnocitizen
What the? by NewtonsLaw · 2016-11-23 20:03 · Score: 5, Informative

So they didn't correlate the IMU data with ranging radar or even barometric altitude information so as to avoid this?
I know weight and volume are at a premium on such craft but a barometric sensor (even one capable of operating in Mars's rarefied atmosphere, is the size of a thumbnail and weighs just a fraction of a gram.
Sigh!
1. Re:What the? by MichaelSmith · 2016-11-23 21:17 · Score: 1
  
  You can even correlate it with your own kinematic model. The scenario which the vehicle followed is impossible. It can't land one second after dropping the parachute, and so timing alone should have made it reject the invalid data.
  
  --
  http://michaelsmith.id.au
2. Re:What the? by thegarbz · 2016-11-23 21:26 · Score: 3, Insightful
  
  even barometric altitude information
  I'm interested to know how you calibrate your barometric altitude information, and even more so what vacuum followed by a sudden atmospheric entry will do to such a sensor.
  If I'm going to take a guess I'd so no, an instrument capable in operating that range of pressures, temperatures, vibration, etc is not the size of a thumbnail weighing a gram.
3. Re:What the? by Ihlosi · 2016-11-24 03:08 · Score: 2
  
  I know weight and volume are at a premium on such craft but a barometric sensor (even one capable of operating in Mars's rarefied atmosphere, is the size of a thumbnail and weighs just a fraction of a gram.
  Even one that works at the velocity encountered during atmospheric entries?
  Sounds like you're suggesting putting a Pitot tube on a space probe ...
4. Re:What the? by vtcodger · 2016-11-24 06:31 · Score: 1
  
  Will a barometric sensor work properly while descending through gases emitted from thrusters that are trying to slow the vehicle?
  
  --
  You can't see ANYTHING from a car, You've got to get out of the goddamned contraption and walk...Edward Abbey
5. Re:What the? by RockDoctor · 2016-11-25 16:25 · Score: 1
  
  So they didn't correlate the IMU data with ranging radar or even barometric altitude information so as to avoid this?
  How do you know the barometric pressure profile before you enter the atmosphere? Mars has a trickily variable atmosphere.
  There was a large dust storm developing at the time, which is a (potentially) global event. How much does that affect barometric pressure? (On Mars, not necessarily on Earth.)
  
  --
  Birds are not dinosaur descendants;birds are dinosaurs, for all useful meanings of "birds", "are" and "dinosaurs"
Oops by wonkey_monkey · 2016-11-23 20:38 · Score: 4, Funny

Should've used metric seconds.

--
systemd is Roko's Basilisk.
IMU by dohzer · 2016-11-23 20:57 · Score: 1

What kind of IMUs are normally used in these craft? The same kind used in aircraft and weapons?
1. Re:IMU by Cochonou · 2016-11-24 09:13 · Score: 1
  
  An Honeywell MIMU.
Meanwhile.. by Mascot · 2016-11-23 21:25 · Score: 1

... $1000 quadcopters back here on Earth ship with multiple IMUs for redundancy, since the bloody things are about as trustworthy as your average politician.
Having made that glib remark, I'm sure it either did have redundancy, or if it didn't that was for a good reason (e.g. risk of failure deemed too low to warrant the weight penalty in adding redundancy). I would also like to think that they're using somewhat more reliable IMUs than those found in quads.
Radar by Viol8 · 2016-11-23 21:48 · Score: 1

Yes, you have to wonder why on a mission of this expense and complexity the height about the ground is essentially done by mathematical dead reckoning. Would adding a ranging radar really have added so much to the weight and/or required package size that it was infeasible to include it? Obviously they must have considered it and I'd be interested to know why in the end it was not seen as a viable part of the solution.
1. Re:Radar by MichaelSmith · 2016-11-23 21:58 · Score: 1
  
  The article says that the radar was working. But the data from the radar seems to be have been ignored at this point.
  
  --
  http://michaelsmith.id.au
2. Re:Radar by khallow · 2016-11-24 04:01 · Score: 1
  
  Yes, you have to wonder why on a mission of this expense and complexity the height about the ground is essentially done by mathematical dead reckoning.
  
  Because it works really well. The other replier, MichaelSmith indicated it had radar as well.
3. Re:Radar by ddtmm · 2016-11-24 04:14 · Score: 1
  
  The radar unit plugs in to the lander's headphone jack. Unfortunately, the headphone jack was removed on the new landers.
Abstraction is bloat by evanh · 2016-11-23 22:54 · Score: 1

Hidden malloc()'s is a good example of the bloat problem I'm referring to.
1. Re: Abstraction is bloat by maugle · 2016-11-24 09:00 · Score: 1
  
  MISRA disallows using malloc in a car's critical systems code. I imagine a Mars lander would be subject to at least that level of stringent requirements.
Single point of failure? by Visarga · 2016-11-23 22:58 · Score: 1

Why wasn't the IMU sensor doubled by other ways of detection? There was no fallback in case it malfunctioned.
State machine/discrete event control? by Ihlosi · 2016-11-23 23:21 · Score: 1

No basic sanity checks? As in "This phase must last at least X seconds", or "No switching to landing behavior if altitude measurement from 1 second ago still said '2 miles above surface'"?
1. Re:State machine/discrete event control? by Ihlosi · 2016-11-24 03:47 · Score: 1
  
  Um ... this is about a joint mission by ESA and Roscomos.
2. Re:State machine/discrete event control? by khallow · 2016-11-24 04:16 · Score: 1
  
  You're talking to a genuine flat earther. He did the experiments to show that the world is flat, but the Freemasons are holding him back.
What? No landing sensor? by Larsen+E+Whipsnade · 2016-11-23 23:37 · Score: 1

If the landing struts are subject to a compressive force, you've probably landed. If not, you haven't. Why wouldn't the computer make use of this?

Am I missing something, or is this a stupid design?
1. Re:What? No landing sensor? by Xolotl · 2016-11-24 00:55 · Score: 1
  
  It was supposed to have released the parachute and made the last part of the descent using retro-rockets for final braking, and only then would you get compression of the struts. In this case it released the parachute at 3+km rather than a few tens of metres ... oops.
Calculations were prescient by tomhath · 2016-11-24 00:04 · Score: 2

FTFA:

"[T]he erroneous information generated an estimated altitude that was negative," ESA said.
Which resulted in an actual altitude that was negative.
The Martians' gravity weapon test worked! by msk · 2016-11-24 00:30 · Score: 1

A brief burst was enough.
Open Source? by Midnight+Thunder · 2016-11-24 01:19 · Score: 2

I wonder whether making the source code of these probes available to the public, for vetting would help spot bugs like these? I am also curious whether releasing the code would be problematic for any reason?

--
Jumpstart the tartan drive.
1. Re:Open Source? by pr100 · 2016-11-24 02:08 · Score: 1
  
  I wonder whether making the source code of these probes available to the public, for vetting would help spot bugs like these? I am also curious whether releasing the code would be problematic for any reason?
  Dunno. But I suppose it might be that the code is written by a contractor and they hope to make money out of the code in other contexts.
2. Re:Open Source? by volodymyrbiryuk · 2016-11-24 04:59 · Score: 1
  
  Very unlikely. They didn't do it in the past. However, this story will make another good anecdote for a software engineering lecture.
  
  --
  sudo rm -r -f --no-preserve-root /
3. Re:Open Source? by DerekLyons · 2016-11-24 14:38 · Score: 1
  
  I wonder whether making the source code of these probes available to the public, for vetting would help spot bugs like these?
  Probably not, as the public wouldn't spend the months needed to study the hardware and interface specifications needed to understand what's going on in the software. Seriously, this is a tightly integrated system not a standalone program - without understanding the system, you can't tell a bug from working as intended.
All you flight software noobies.. by Anonymous Coward · 2016-11-24 03:19 · Score: 1

Lots of just plain old ignorant comments here. I say this in a nonperjorative sense - if you've not worked on flight software, there's no way you could know.
1) Space is unforgiving, hardware designs change very, very slowly. Project schedules move fast and have limited budgets. Just because you can buy a MEMS based IMU for your quadcopter does not mean that you can get one for a spacecraft that will work reliably from -40 to +80C, withstand the vibe tests, the pyroshock, etc. Oh, yeah, and it (and the surrounding electronics) has to not suffer any ill effects from a stray high energy particle: Single Event Effects, generally, but Latch-up, gate rupture, etc. are the issues one would worry about - bit flips and SEFI are something software can potentially handle, but destructive latchup is, well, destructive. Parts made for consumer or automotive high-rel applications just don't worry about this kind of thing. Sure, you could test your brand new whiz-bang IMU in an accelerator, but that costs money and schedule.
2) Yes, not range checking or reasonableness checking the data from the IMU was a definite design problem. Or, maybe, the entry descent and landing algorithm was such that if you DID get a hiccup and detect it, the missing data means all is lost anyway, so why bother. There's a basic principle in spacecraft design that you don't add hardware or software (which might fail, and costs time, money, and maybe mass or power) to give you information which you cannot use.
3) With respect to the landing radar - it's very possible that it has poor accuracy up high and is only used in the final descent stages.
4) Fault handling is tricky - you can easily go down a rat maze of low probability events generating code (and hardware) to handle obscure corner cases, thereby increasing your test costs and time, and potentially introducing other faults. For a lot of plausible error scenarios, it's likely you're going to fail for other reasons, so there's no point in trying to do things like estimate state from other sensors.
Summary - Entry, Descent, and Landing on another planet is really, really hard. It's even harder when you have time and budget constraints.
1. Re:All you flight software noobies.. by presidenteloco · 2016-11-24 14:51 · Score: 1
  
  It's really really hard, granted.
  In my experience in the systems engineering industry, there was rarely any re-use of design or code from one project to the next similar project. Silo-ism and misaligned incentives.
  Imagine if the reliability of this kind of EDL system and its software could be improved by evolution where different space agencies and subcontractors shared and re-used their ideas for improving solutions to the complex problem.
  Imagine all the landers... living for today.
  
  --
  
  Where are we going and why are we in a handbasket?
2. Re:All you flight software noobies.. by cwsumner · 2016-11-27 13:11 · Score: 1
  
  ...
  4) Fault handling is tricky - you can easily go down a rat maze of low probability events generating code (and hardware) to handle obscure corner cases, thereby increasing your test costs and time, and potentially introducing other faults. For a lot of plausible error scenarios, it's likely you're going to fail for other reasons, so there's no point in trying to do things like estimate state from other sensors. ...
  That's true, but it can also encourage a habit of lazyness in the designs. And, an exceleration spike when the parachute opens or the landing gear locks, is not something that has low probability. It sounds like a lot of "not my job".
no backup by khallow · 2016-11-24 04:34 · Score: 1

The Schiaparelli EDM lander is an example of the typical one-off missions that humanity does these days. It's worth noting that they could have had built and launched two or more of these vehicles for much less than the first and already be correcting the erroneous code on a second spacecraft. Then they wouldn't have to wait years for a replacement mission and have a much better chance of mission success.
1. Re:no backup by vtcodger · 2016-11-24 06:47 · Score: 1
  
  Could be wrong, but I believe there are follow up missions and the Schiaparelli probe was intended as a great-if-everything-works-but-if-it-doesn't-we'll-probably-learn-a-lot proof of concept mission.
  
  --
  You can't see ANYTHING from a car, You've got to get out of the goddamned contraption and walk...Edward Abbey
2. Re:no backup by khallow · 2016-11-25 02:56 · Score: 1
  
  It's a result of the developed world's attitude these days, the attitude of being highly skeptical at best for any big collective action, especially ones with government involvement.
  Stuff like this gives them just cause to be skeptical. Funny how the people who are right are the ones getting blamed here.
3. Re: no backup by mcswell · 2016-11-25 15:45 · Score: 1
  
  I thought all the space pizza was on Io? http://www.space.com/18272-jup...
Re:In retrospect by TWX · 2016-11-24 05:13 · Score: 1

Heh. When I heard about the crash landing I literally said to a friend of mine, "I bet the subroutine that cuts the parachute loose so it doesn't land on top of the payload detected the thump of the parachute strings going-taught, determined that meant it was on the ground, and cut the parachute." Didn't something like this happen to an American probe sent to Mars around twenty years ago?

--
Do not look into laser with remaining eye.
Not gonna be open source by Anonymous Coward · 2016-11-24 08:14 · Score: 1

Software to land a probe on mars is quite similar, if not identical, to software to put a (nuclear) warhead on a target. That's an important strategic capability for "first world" nations - otherwise you're in the category of Saddam firing Scuds, which are basically V2s with newer parts, and quite literally cannot hit the broad side of a barn (albeit from 100 km away).
So, the hard parts of solving the problem (after you've done the basic college physics part) are likely to not be open source. Things like handling the rapidly changing aerodynamic effects at hypersonic speeds are a long way from "considering air as an incompressible fluid": Your state estimator has inputs with wildly varying inputs (dynamic range is huge compared to, say, a quadcopter), with equally wildly varying uncertainties. The transitions as you go through various deployments are also something that does not have a lot of commonality with other applications: airplanes do have deployments (landing gear, flaps, stores), quads and hexes do not; and the deployment of flaps on a plane occurs in a fairly narrow, and well understood, set of dynamic conditions.
Re: In retrospect by turbidostato · 2016-11-24 10:27 · Score: 2

And then, what? Should it take an "instantenous" decision about what to do next?
It was only a functional example by evanh · 2016-11-24 11:20 · Score: 1

This is not a bugginess issue.
Point is the layers create bloat. Any hidden dynamic memory allocations that occur, by whatever system call, is just one more part of the bloat.
1. Re: It was only a functional example by maugle · 2016-11-25 10:47 · Score: 1
  
  Ah, yes, good point. One nested function call too many could exhaust available memory just as easily as malloc.
Re:In retrospect by newcastlejon · 2016-11-24 13:49 · Score: 1

...detected the thump of the parachute strings going-taught, determined that meant it was on the ground, and cut the parachute...
Just think about that again for a moment.
It's "taut" by the way, but apart from that I see a bright new career in space exploration in your future.

--
If God forks the Universe every time you roll a die, he'd better have a damned good memory.
Sanity checking code by presidenteloco · 2016-11-24 14:21 · Score: 2

So say they're doing some kind of weighted average of an altitude computation from the inertial navigation unit and an altitude computation from the doppler radar altimeter.
They should have some code in there saying: If these two values that we're averaging are wildly off from each other, let's not take the average. Instead, let's go into some exception handling code which uses some kind of heuristic (and a little time perhaps) to determine which of the two instruments should become the solely trusted source of the altitude value.
Sounds like a lack of hazard analysis / fault tree analysis and or fault-tolerant design in the design process.

--

Where are we going and why are we in a handbasket?
1. Re:Sanity checking code by lucien86 · 2016-11-25 23:50 · Score: 1
  
  Its basic engineering. You need to consider and have plans for as many worst case scenarios as possible, while at the same time maintaining a positive good position vis spurious fault events. So agree with you totally..
  
  --
  Below the speed of light Special Relativity is one of the most accurate theories in physics - above the speed of light..