Skip to main content
Back to Library
postmortem

What the Review Missed and What Changed

5 min read Chapter 13 of 38

What the Review Missed

The Mars Climate Orbiter Mishap Investigation Board published its Phase I report on November 10, 1999. The report identifies the root cause correctly: SM_FORCES produced output in pound-force-seconds while the navigation software expected newton-seconds. The report also identifies the contributing causes: inadequate interface verification, inadequate trajectory anomaly investigation, and schedule and budget pressure that reduced testing and review activity.

The MIB report is clear-eyed about organizational factors. The MCO mission was part of NASA’s “Faster, Better, Cheaper” initiative, which deliberately reduced mission budgets and timelines compared to previous Mars missions. The report documents specific consequences: reduced staffing on the navigation team, reduced independent verification and validation (IV&V) activity, and reduced end-to-end testing. The MIB does not claim that faster-better-cheaper caused the failure. It documents that the verification activities that would have caught the failure were among those reduced by budget constraints.

Where the report stops short is in articulating a principle about type safety at system boundaries. The report recommends better interface management processes, more thorough testing, and an investigation process for trajectory anomalies. These are all procedural recommendations. They address the MCO failure specifically but do not generalize to a design principle. The design principle is: data that crosses a system boundary must carry its type information, including units, and the receiving system must validate that type information before using the data.

The MCO failure is not a process failure that can be fixed with better process. It is a design failure. The file format that carries impulse values without unit labels is the design failure. A file format that cannot represent units cannot be checked for unit consistency, no matter how thorough the process.

What Changed

The Mars Climate Orbiter loss drove changes in three areas.

Interface control. NASA significantly strengthened its requirements for Interface Control Documents (ICDs) and interface verification. Post-MCO, interface specifications at NASA are not only written documents but must be accompanied by verification procedures that include end-to-end testing with known inputs and expected outputs. The practice of verifying interfaces by testing each component independently against the specification, without testing the components together with real data flowing through the interface, was identified as the gap that allowed the MCO failure. End-to-end interface testing, where data flows from the producing component through the actual interface to the consuming component and the output is compared to an independently computed expected result, became a required verification step.

Unit management in software. The MCO failure became the canonical example for why physical units should be represented in code as types, not as comments or naming conventions. Before MCO, the common practice was to document the expected unit in a variable name suffix (impulse_ns for newton-seconds) or in a comment. After MCO, the software engineering community began developing and adopting unit type systems where the compiler or runtime prevents arithmetic between incompatible unit types.

Languages and libraries that enforce dimensional analysis at the type level, such as Boost.Units for C++, JSR-385 (Units of Measurement) for Java, and similar libraries in other languages, are not solely the result of the MCO failure. But MCO is the case study cited most frequently in the documentation and advocacy for these libraries. The argument is simple: if the impulse value had been typed as PoundForceSeconds in SM_FORCES and the navigation software expected NewtonSeconds, a type error would have been raised at compilation, nine months before Mars orbit insertion.

Trajectory anomaly criteria. The MCO navigation team observed anomalous trajectory behavior throughout the cruise phase and did not investigate the AMD data as a potential source. Post-MCO, NASA revised its criteria for triggering anomaly investigations. Persistent, unidirectional trajectory deviations that are within the modeling uncertainty budget but consistently in the same direction are now flagged for investigation of systematic error sources, not attributed to random modeling uncertainty.

“Faster, Better, Cheaper” reassessment. The MCO loss, combined with the loss of the Mars Polar Lander two months later, forced NASA to reassess the Faster, Better, Cheaper approach. The conclusion was not that cost reduction was wrong, but that verification and validation activities cannot be reduced below a minimum threshold without accepting unacceptable risk. The specific activities that would have caught the MCO error, end-to-end interface testing and independent trajectory verification, were among those cut for budget reasons. The lesson: there is a floor below which verification cuts become mission-ending.

The Rule

Every data interface between independently developed components must enforce unit and type consistency at the software level, not in documents that no software reads. If the interface cannot represent the unit, the interface cannot detect the error.

This rule comes from the Mars Climate Orbiter, where a $327 million spacecraft was lost because one team produced force data in pounds and another consumed it as newtons, and the file format that connected them carried numbers without units.