Software error doomed Japanese Hitomi spacecraft (opens in new tab)

(scientificamerican.com)

175 pointsnimbs10y ago64 comments

64 comments

29 comments · 7 top-level

microcolonel10y ago· 7 in thread

This is just depressing. How was this not tested? This is complete sign reversal of a control output; you'd think it would show up immediately.

johansch10y ago

(I have absolutely no insight into the software development practices of JAXA and their subcontractors, so I apologize if this is insensitive or uniformed.)

Is this another sign of how bad japanese hardware-oriented companies and organizations are at doing software? Like the organisational software crisis at Toyota?

Or was it a fluke?

dwc10y ago

I would call it a fluke.

Two things to keep in mind:

* Don't compare JAXA (or anyone else) to NASA at this point. We (the US) have a ton of experience, some of it bought the hard way.

* This isn't Japan's typical performance. They have a nice string of very good space science missions. And don't forget things like the Mars Climate Orbiter[1], where ground based commands sent it through the atmosphere due to a unit mix up.

1. https://en.wikipedia.org/wiki/Mars_Climate_Orbiter

1 more reply

microcolonel10y ago

I hate to feel that way; but yeah most software I see come out of Japan scares me. Outside of legally-critical software, such as automotive control systems: it doesn't seem that there is much focus on quality.

I suspect it has to do with the scale of integrators in the country being much smaller, and lacking in terms of B2B collaboration.

There are some jewels here and there, though. It's probably just a matter of culture. Maybe they're also somewhat isolated from the English and Chinese language leads in software development. I don't think Japanese English language education is very effective. Their popular courses likely don't leave an individual comfortable with technical reading in English.

4 more replies

sitkack10y ago

Brother wrote the software.

1 more reply

johansch10y ago

So the rate of downvotes seem to be one per ten minutes since the time of posting.

Why?

1 more reply

asimuvPR10y ago

Perhaps it's one of those "only happens in real use" corner case. I had a stupid little robot shred itself to parts during live use (controlled environment no humans) due to a bug. Learn and move on I guess.

planteen10y ago

Testing a big spacecraft is hard. With a cube sat, you can put it on an air beating and make sure something isn't catastrophically wrong, like the reaction wheels are backwards. You can't do that on a big spacecraft. So instead, there's lots of testing with flight software and a simulator. But what if someone made a mistake interpreting the wheel direction specification to the mechanical body frame, for example?

jupiter9000010y ago· 6 in thread

It seems very strange that the 3 missions that would deploy an X-ray calorimeter have all failed. I feel sad for the scientists who have been hoping to get a working one into space for what sounds like over 16 years now (based on the article).

ww52010y ago

Someone traveled from the future doesn't want those calorimeters up there?

desdiv10y ago

Or aliens with cloaking ships that work in every spectrum except the X-ray one.

1 more reply

exabrial10y ago

Yah no kidding, I feel terrible for him. We'll get one to space eventually, hopefully in his lifetime.

breck10y ago

Sophons?

chinathrow10y ago

Are you asking yourself whether theses losses were by chance or by conspiracy to fail?

jupiter9000010y ago

I don't know the expected success rate for these missions, it just seemed odd that each time this particular instrument has been launched, an issue occurred to render it unusable. Maybe it is par for the course, but it does raise suspicions (at least in my mind).

1 more reply

dwc10y ago· 4 in thread

This is the key passage:

    The spacecraft then automatically switched into a safe
    mode and, at about 4:10 a.m., fired thrusters to try to
    stop the rotation. But because the wrong command had
    been uploaded, the firing caused the spacecraft to
    accelerate further. (The improper command had been
    uploaded to the satellite weeks earlier without proper
    testing; JAXA says that it is investigating what
    happened.)

Going into safe mode is a thing. It happens with NASA stuff, ESA stuff, whatever. The spacecraft failed to stabilize and went into safe mode, and that's proper. Whatever glitch in the systems, this would have saved it and allowed for recovery.

But the uploaded command to shed rotational velocity was wrong. This is what caused the loss of the spacecraft. I'm sure there will be a pretty heavy postmortem on how this happened.

azernik10y ago

The more striking thing to me is the long failure cascade before that, mostly hardware failures: the star tracker that glitched over the South Atlantic Anomaly, the gyro that reported a nonexistent spin, and the reaction wheel that didn't spin down properly.

ww52010y ago

Isn't there a parallel simulator on the ground to try out the commands to see the effect before hand?

rtkwe10y ago

> The improper command had been uploaded to the satellite weeks earlier without proper testing

All the available testing programs in the world doesn't matter if the tests aren't run.

quadrature10y ago

I would not want to be in that PR.

tlb10y ago· 3 in thread

I'm surprised that they had to design custom inertial stabilization, considering how many times it's been done successfully before. Was it NIH mentality? Or did it have some requirement for more precise stabilization than other space telescopes?

bayesian_horse10y ago

At a guess, I'd say that most satellites have different requirements due to the way their weight is distributed and where the inertial stabilization is done.

As far as I understand it, Satellite design is all about cramming the most amount of features in as small and light a package as possible. That would mean a lot of tight coupling and a hard time standardizing anything across different types of satellites.

JshWright10y ago

While that's true for science payloads, when it comes to commercial satellites, there are a handful of 'busses' that form the core of the vast majority of satellites.

https://en.wikipedia.org/wiki/Satellite_bus

rtkwe10y ago

Commercial payloads are a lot of the time. Science payload have a harder time doing that because the instruments they're designed to carry come in weird shapes and can't really be chopped up and rearranged to fit into the standard satellite bus.

unchocked10y ago· 2 in thread

It seems like the core error was in the inertial measurement unit: it would be a common cause between the reaction wheel failures and the failure of the despin burn.

sitkack10y ago

Seems like the kind of thing one would have multiple of, along with voting, it should also contain a kalman filter. The software correcting the rotation should have been run in a tighter feedback loop so that it would stop making the problem worse.

Lots of these subsystems can be tested in a pure software simulator. Esp when it comes to faults.

sitkack10y ago

Thinking about it further, the simulator should consume the logs from the existing system and map those logs from existing simulation runs, use a form of compressed sensing and pattern matching to figure out what is occurring just from the logs and previous simulation runs.

dewiz10y ago

Interesting, I never heard about the south atlantic anomaly. https://en.m.wikipedia.org/wiki/South_Atlantic_Anomaly

lerax10y ago

Sad.

j / k navigate · click thread line to collapse

64 comments

29 comments · 7 top-level

microcolonel10y ago· 7 in thread

This is just depressing. How was this not tested? This is complete sign reversal of a control output; you'd think it would show up immediately.

johansch10y ago

(I have absolutely no insight into the software development practices of JAXA and their subcontractors, so I apologize if this is insensitive or uniformed.)

Is this another sign of how bad japanese hardware-oriented companies and organizations are at doing software? Like the organisational software crisis at Toyota?

Or was it a fluke?

dwc10y ago

I would call it a fluke.

Two things to keep in mind:

* Don't compare JAXA (or anyone else) to NASA at this point. We (the US) have a ton of experience, some of it bought the hard way.

1. https://en.wikipedia.org/wiki/Mars_Climate_Orbiter

1 more reply

microcolonel10y ago

I suspect it has to do with the scale of integrators in the country being much smaller, and lacking in terms of B2B collaboration.

4 more replies

sitkack10y ago

Brother wrote the software.

1 more reply

johansch10y ago

So the rate of downvotes seem to be one per ten minutes since the time of posting.

Why?

1 more reply

asimuvPR10y ago

planteen10y ago

jupiter9000010y ago· 6 in thread

ww52010y ago

Someone traveled from the future doesn't want those calorimeters up there?

desdiv10y ago

Or aliens with cloaking ships that work in every spectrum except the X-ray one.

1 more reply

exabrial10y ago

Yah no kidding, I feel terrible for him. We'll get one to space eventually, hopefully in his lifetime.

breck10y ago

Sophons?

chinathrow10y ago

Are you asking yourself whether theses losses were by chance or by conspiracy to fail?

jupiter9000010y ago

1 more reply

dwc10y ago· 4 in thread

This is the key passage:

    The spacecraft then automatically switched into a safe
    mode and, at about 4:10 a.m., fired thrusters to try to
    stop the rotation. But because the wrong command had
    been uploaded, the firing caused the spacecraft to
    accelerate further. (The improper command had been
    uploaded to the satellite weeks earlier without proper
    testing; JAXA says that it is investigating what
    happened.)

But the uploaded command to shed rotational velocity was wrong. This is what caused the loss of the spacecraft. I'm sure there will be a pretty heavy postmortem on how this happened.

azernik10y ago

ww52010y ago

Isn't there a parallel simulator on the ground to try out the commands to see the effect before hand?

rtkwe10y ago

> The improper command had been uploaded to the satellite weeks earlier without proper testing

All the available testing programs in the world doesn't matter if the tests aren't run.

quadrature10y ago

I would not want to be in that PR.

tlb10y ago· 3 in thread

bayesian_horse10y ago

At a guess, I'd say that most satellites have different requirements due to the way their weight is distributed and where the inertial stabilization is done.

JshWright10y ago

While that's true for science payloads, when it comes to commercial satellites, there are a handful of 'busses' that form the core of the vast majority of satellites.

https://en.wikipedia.org/wiki/Satellite_bus

rtkwe10y ago

unchocked10y ago· 2 in thread

It seems like the core error was in the inertial measurement unit: it would be a common cause between the reaction wheel failures and the failure of the despin burn.

sitkack10y ago

Lots of these subsystems can be tested in a pure software simulator. Esp when it comes to faults.

sitkack10y ago

dewiz10y ago

Interesting, I never heard about the south atlantic anomaly. https://en.m.wikipedia.org/wiki/South_Atlantic_Anomaly

lerax10y ago

Sad.

j / k navigate · click thread line to collapse