by Phil Johnson, Writer/Editor at ITworld

8 Famous Software Bugs in Space

Feature
Feb 26, 2013 · 6 mins
Application Security, Security

Software glitches can occur anywhere, but can be particularly troublesome (and costly) in space.

There’s never a good time to run into software bugs, but some times are worse than others – like during a mission to space. Spacecraft of all shapes and sizes rely heavily on software to complete their objectives. But those missions can be quickly ended by the simplest of human errors when writing code. The omission of an overbar here or overflow error checking code there can mean the difference between success and failure, not to mention the loss of hundreds of millions of dollars, years of work and, on manned missions, human life. Despite the care with which these systems are built, bugs have been occurring in spacecraft software since we started to fling rockets into space, as the following examples demonstrate.

1962: A missing overbar dooms Mariner 1

On July 22, 1962 the Mariner 1 spacecraft was launched from Cape Canaveral, Florida on a mission to fly by Venus. Unbeknownst to the engineers, however, Mariner 1’s onboard guidance software was carrying a fatal flaw: an overbar or overline (not a hyphen) was left out of an equation when translated onto punch cards. This caused the guidance computer to incorrectly compensate for some otherwise normal movement in the spacecraft shortly after launch, and it had to be destroyed just 293 seconds into the mission. The good news is that the bug was fixed in time for Mariner 2 to successfully complete the mission to Venus six months later.

1988: One missing character drains the life out of Phobos 1

Phobos 1 was one of two probes launched by the Soviet Union in July 1988 to study Mars and its moons Phobos and Deimos. Phobos 1 never made it to Mars, however, due to the accidental execution of a software test routine. On August 29 of that year, a software upload left out a single character, which accidentally initiated the execution of a routine for testing the steering, and that routine shut down the spacecraft’s attitude thrusters. As a result, the probe couldn’t orient its solar arrays towards the sun and its batteries eventually drained. Communication with Phobos 1 was lost on September 2. The other probe bound for Mars, Phobos 2, also failed, this time due to a hardware malfunction.

1996: Integer overflow error leads Cluster to self destruct

34 years after Mariner 1, another software bug in onboard guidance software caused the destruction of four satellites (known collectively as Cluster) and the Ariane 5 rocket on which they were riding. Shortly after launch, the guidance software tried to convert the horizontal velocity (which was greater than anticipated) from a 64-bit floating point number to a 16-bit signed integer, which caused an overflow error. Software checks that could have prevented the error were purposely omitted. The guidance system (and its backup, which had the same bug) then shut down, causing the rocket to veer off course and, ultimately, self-destruct 30 seconds after launch on June 4, 1996. Replacement satellites were eventually successfully deployed via Russian rockets four years later.
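The narrowing conversion described above, shown as an added C example (not the flight software): an unchecked conversion from a 64-bit float to a 16-bit signed integer next to a range-checked one. The function names, the saturate-and-flag policy and the sample values are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Unchecked narrowing. Casting an out-of-range double straight to int16_t is
 * undefined behaviour in C, so the common two's-complement wrap is modelled
 * explicitly. Assumes v is finite and fits in int64_t. */
int16_t narrow_unchecked(double v)
{
    uint16_t low = (uint16_t)(uint64_t)(int64_t)v;   /* keep the low 16 bits */
    return (int16_t)(low < 0x8000u ? (int)low : (int)low - 0x10000);
}

/* Checked narrowing: reports failure instead of producing a wrong value.
 * The comparison is written so that NaN is rejected as well. */
bool narrow_checked(double v, int16_t *out)
{
    if (!(v > -32769.0 && v < 32768.0))
        return false;
    *out = (int16_t)v;   /* truncated value fits, so the cast is well defined */
    return true;
}

/* Caller policy (an assumption of this example): on failure, saturate and
 * mark the reading invalid so the caller can keep running on a flagged value. */
int16_t narrow_saturating(double v, bool *valid)
{
    int16_t r = 0;
    *valid = narrow_checked(v, &r);
    if (*valid || v != v)            /* in range, or NaN (reported as 0) */
        return r;
    return v < 0 ? INT16_MIN : INT16_MAX;
}

int main(void)
{
    const double samples[] = { 1200.5, 32767.0, 40000.0, -50000.0 }; /* constructed */
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        bool ok;
        int16_t s = narrow_saturating(samples[i], &ok);
        printf("%9.1f  unchecked=%6d  checked=%6d  valid=%d\n",
               samples[i], narrow_unchecked(samples[i]), s, ok);
    }
    return 0;
}
```
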

1999: Milstar satellite can’t reach intended orbit due to bug

Milstar is a group of five geostationary satellites, launched between 1994 and 2003, operated by the U.S. Air Force to provide secure communications for the Department of Defense. A sixth satellite was also launched on April 30, 1999, but failed to reach the proper orbit, due to a software error in the control system of the Titan IV rocket that it was riding into space. The satellite could not be lifted into the correct orbit and was shut down after 10 days.

1999: English instead of metric units cause Mars Climate Orbiter to disintegrate

The Mars Climate Orbiter was one-half of the Mars Surveyor ’98 program, along with the Mars Polar Lander. The orbiter’s mission was to (duh) reach Mars orbit to study the weather and climate and to, ultimately, serve as a communications relay for the lander. The orbiter, launched on December 11, 1998, never made it into orbit, though, due to a software bug in a ground-based system. When attempting to enter Mars orbit on September 23, 1999, the orbiter approached at a lower than expected altitude, causing it to disintegrate. The cause was ultimately determined to be that the ground-based software generated and sent thrust instructions using English measurements (pound-force), while the onboard software was expecting the measurements in metric (newtons). Ooops.
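The unit mismatch described above, shown as an added C example (not code from either mission system): an interface that passes a bare number next to one that carries the unit with the value and normalises it on receipt. The struct, enum and function names and the sample value are hypothetical.

```c
#include <float.h>
#include <stdbool.h>
#include <stdio.h>

#define LBF_TO_NEWTON 4.4482216152605   /* 1 pound-force expressed in newtons */

enum force_unit { UNIT_NEWTON = 1, UNIT_POUND_FORCE = 2 };

/* A thrust value as it crosses the ground/onboard interface, with its unit
 * carried explicitly (hypothetical message layout). */
struct thrust_msg {
    enum force_unit unit;
    double value;
};

/* Ambiguous interface: a bare number, so the receiver can only assume a unit. */
double receive_untagged(double value)
{
    return value;                        /* silently treated as newtons */
}

/* Explicit interface: normalise to newtons; reject unknown units and
 * negative, infinite or NaN values. */
bool receive_tagged(const struct thrust_msg *m, double *newtons)
{
    if (!(m->value >= 0.0 && m->value <= DBL_MAX))
        return false;
    switch (m->unit) {
    case UNIT_NEWTON:      *newtons = m->value;                 return true;
    case UNIT_POUND_FORCE: *newtons = m->value * LBF_TO_NEWTON; return true;
    default:               return false;
    }
}

int main(void)
{
    struct thrust_msg m = { UNIT_POUND_FORCE, 10.0 };   /* constructed sample */
    double n = 0.0;

    printf("untagged: receiver uses %.2f N\n", receive_untagged(m.value));
    if (receive_tagged(&m, &n))
        printf("tagged:   receiver uses %.2f N\n", n);
    return 0;
}
```
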

1999: Premature touchdown celebration kills Mars Polar Lander

The other half of the Mars Surveyor ’98 program, the Mars Polar Lander, unfortunately, was also doomed by a software glitch. Launched on January 3, 1999, it crashed while attempting to land on the surface on December 3 of that year. The ultimate cause was determined to be software meant to shut down the descent engines when it detected contact with the surface, based on sensors on the three lander legs. Apparently, vibration of at least one of the legs during descent was incorrectly interpreted as touchdown, causing engine shutdown 40 meters above the surface and a fatal crash landing.

2004: Flash memory error almost keeps Mars Spirit from roving

Well before the Curiosity rover landed on Mars, the twin rovers Spirit and Opportunity began roaming the red planet. While Opportunity is still going after nine years, Spirit’s mission almost ended after two weeks due to a flash memory management anomaly. A design flaw in the DOS-managed file system caused the flash memory to fill up and the rover to get stuck in an endless reboot cycle, starting on January 21, 2004, which threatened to drain the batteries, cause Spirit to overheat and kill the rover. Luckily, engineers solved the problem, reformatted the flash memory and brought the rover back to life on February 6, 2004. Spirit roved for over six years, well past its original life expectancy of 90 solar days.

2006: Memory allocation fault ends Mars Global Surveyor’s extended mission

The Mars Global Surveyor was launched on November 7, 1996 on a one-year mission to study the Martian surface from a low altitude orbit. Surveyor remained operational for almost a decade before a software bug brought its extended mission to an end, when NASA lost contact with it on November 2, 2006. The cause turned out to be a software update in June 2006 which allowed for the possibility that data could be written to incorrect memory addresses. That memory fault was triggered in early November, which, in turn, caused Surveyor’s solar panels to get stuck and, ultimately, the orbiter to turn towards the sun in such a way as to expose its battery, which eventually overheated and died.