WTF#: F#, and the Mars Climate Orbiter (MCO) crash in 1998
OMG: Slide Rules and F#, ‘sup with that? World of Twitter, Facebook, $300 computers running Windows 7, why would I even mention this arcane tool? F# and Slide Rules have something in common: Dimensional Analysis.
In F# you can use dimensional analysis to implement your programs. What does this mean? You can save $250,000,000 in wasted spacecraft, for example. In 1999 the Mars Orbiter was doing an aerobraking maneuver to enter into Martian orbit, and when it started its rocket motor, it blasted itself out of orbit and crashed. The problem? Some of the code was in SI units (metric) and other parts were in SAE units (feet/pounds); somehow this passed critical code review. Nice job!
"People sometimes make errors," said Dr. Edward Weiler, NASA's Associate Administrator for Space Science. "The problem here was not the error, it was the failure of NASA's systems engineering, and the checks and balances in our processes to detect the error. That's why we lost the spacecraft."
Would F# as a high level language have been able to solve this problem? I don’t know whether the control law synthesis was done in a high level language, in assembly language, or even at the hardware level. There have been many successes, as well as failures, since the Mars Climate Orbiter’s crash; however, the brief accident report that I can find easily on the web has this quote from the NASA ADVISORY COUNCIL minutes of March 16, 2000 (you have to scroll down a bit to see the article):
“There were four common themes from the failure investigations and studies: inadequate reviews; inadequately addressing risk management; inadequate testing, simulation, and V&V; and communications. In response to a question, Mr. Stephenson noted that more attention needs to be put on people—skills, training, etc. The Board made recommendations in four categories: people, process, execution, and technology. NASA tends to focus on process. People includes picking the right people (including the right leader), teamwork, communication, and adequate staffing and oversight. In the process area, the mission success criteria needs to be very clearly defined up front. Out of this derives the top level system requirements, etc. Other important aspects of the process are: systems engineering, verification and validation, risk assessment (e.g., fault tree analyses and probability risk assessment), the responsibility of the line organization, science involvement, operations (on the program from the start), and transitions (from development to operations).”
Wow, that sounds like a bunch of “blah, blah, blah”: improve process, the check is in the mail, and so forth. The problem was that there was a disconnect in the units used in the programs. I haven’t found the article, but I am GUESSING that the rocket control law had been used in other systems successfully and wasn’t fully tested prior to launch. So fixing that would fix other problems as well. So maybe F# wouldn’t save the day, but for this blog article let’s assume the error in dimensions was the problem; see the article on the NASA site for a very brief explanation.
“Twice a day during the cruise to Mars, tiny thrusters on the spacecraft were fired briefly to counteract the effects of solar wind and other forces on the spinning of the flywheels. The spacecraft team in Colorado used English units called pound-seconds to describe the small forces….
That data was shipped via computer to JPL where the navigation team was expecting to receive the information in newton-seconds, a metric measure of force.”
How would F# have aided in preventing that problem? F# gives the developer the ability to attach units of measure to values. A software architect could therefore implement a system that checks results to make sure the correct units are being used. In later articles I will be going over how to code this and how to do the error handling.
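As an added example (not code from the original post or from NASA), here is what that looks like in F#: the pound-seconds the Colorado team produced and the newton-seconds JPL expected become distinct types, so mixing them is a compile-time error rather than a lost spacecraft. The measure names, the `parseImpulse` boundary check and the 0.25 sample value are my own assumptions; the conversion factor is the standard 1 lbf = 4.4482216152605 N.

```fsharp
// Added example, not from the original post. Units of measure are erased at
// runtime, so they cost nothing, but the compiler checks every arithmetic step.
[<Measure>] type N    // newton
[<Measure>] type lbf  // pound-force
[<Measure>] type s    // second

/// Standard definition: 1 pound-force = 4.4482216152605 newtons.
let newtonsPerPoundForce = 4.4482216152605<N/lbf>

/// What the spacecraft team in Colorado produced: impulse in pound-seconds.
/// (0.25 is a constructed sample value, not a figure from the MCO report.)
let thrusterImpulseColorado : float<lbf s> = 0.25<lbf s>

/// Convert to the newton-seconds the JPL navigation team expected.
/// lbf s * N/lbf = N s, and the compiler checks that algebra for us.
let toNewtonSeconds (impulse : float<lbf s>) : float<N s> =
    impulse * newtonsPerPoundForce

/// Navigation code that accepts newton-seconds only.
let accumulateImpulse (total : float<N s>) (delta : float<N s>) : float<N s> =
    total + delta

// The MCO mistake does not compile: passing a float<lbf s> where a
// float<N s> is expected is rejected with a type mismatch (error FS0001).
//   accumulateImpulse 0.0<N s> thrusterImpulseColorado
// The explicit conversion is the only way to get the value through.
let total = accumulateImpulse 0.0<N s> (toNewtonSeconds thrusterImpulseColorado)

/// Data shipped between teams over a file or socket carries no static unit.
/// Re-attach units at the boundary from an explicit tag (assumed format) and
/// reject anything unrecognised instead of guessing.
let parseImpulse (value : float) (unitTag : string) : Result<float<N s>, string> =
    match unitTag with
    | "N s"   -> Ok (value * 1.0<N s>)
    | "lbf s" -> Ok (toNewtonSeconds (value * 1.0<lbf s>))
    | other   -> Error (sprintf "unknown impulse unit '%s'" other)

printfn "total impulse: %A N s" total
printfn "%A" (parseImpulse 0.25 "lbf s")
printfn "%A" (parseImpulse 0.25 "slug")
```

The boundary check is the part the type system cannot do alone: inside one program the compiler enforces the units, but data crossing a process or team boundary is just a number until someone tags it.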
Of course the bottom line is that the Mars Climate Orbiter crash was a monument to the dumb “faster, better, cheaper” approach to spacecraft design, which is still causing problems inside of NASA these days. More in the next post. This is fun; well, it would be if it wasn’t so sad. :(