Software Bug Causes Soyuz To Land Way Off

howhardcanitbetocrea writes "A mysterious software fault in the new guidance computer of the Soyuz TMA-1 spacecraft was the cause of the high-anxiety off-course landing over the weekend, according to NASA sources.' Which is why I will never trust the Strategic Defence Initiative - the star wars project. It only takes one line of mistyped code in what will always be a beta release."

space agencies make some big mistakes

[rritterson]

This sounds similar to the crash landing one of the mars spacecraft had when the operators forgot to convert English units to metric units.

You'd think that in such operations, where you only ever get one chance, they would have the most error free systems possible. I'm surprised they didn't feed the computer simulated data and found where it would take them.

Re:Lower cost to consumer?

[Badge 17]

TMA-1? (Must suppress Arthur C. Clarke-inspired giggle).

Maybe the problem was in that gigantic magnetic field wiping some data... (TMA stands for Tycho Magnetic Anomaly, aka the monolith in 2001)

I think the next spacecraft (TMA-2) should be nicknamed "big brother."

Bugs = "Spoilage" in Japan

[handy_vandal]

What we in the West call "bugs", the Japanese call "spoilage". I find this nomenclature honest and refreshing. "Bug" implies that the problem is some independent agent, when in fact the problem is the "spoiled" code itself.

SDI funds basic research too

[AHumbleOpinion]

Which is why I will never trust the Strategic Defence Initiative - the star wars project. It only takes one line of mistyped code in what will always be a beta release

Irrelevant. SDI, then and now, is a proven way to fund some basic research. The public is not that interested in science except to counter a perceived threat.

FWIW with your attitude we would not have the F16, F18 (?), F117, B2, and the various other aircraft with fly-by-wire control systems. The space shuttle too. Also do you think 'beta' mechanical devices are inherently safe and function properly? Again, the space shuttle, both disasters.

Re:ah, right

[Ian Bicking]

The point is you can never test SDI, because you are working against an opponent that is consciously trying to work around your system. You can never predict how the attack with occur. Then you can never simulate the attack, even as you might predict it -- you can never launch empty missiles at a realistic target. Instead at best you do tests over the ocean. That's why it will always be in beta, which is not a useful status for a safeguard.

But more concerning is the fact that despite their effort they cannot pass even their minimal tests, and resort to fraud instead. We have tried, and failed. The whole thing is military graft -- money being sent down a pit to profit defense companies. They probably hope to cover up the failure of the system by avoiding any real-world test of the system, though certainly avoiding having missiles launched at the US is a good goal regardless.

Re:space agencies make some big mistakes

[smithmc]

You'd think that in such operations, where you only ever get one chance, they would have the most error free systems possible.

Given the track record of the Soyuz vehicles, I'd say they're pretty damned error-free, all things considered.

A question About Nasa, Russian Space Agency

[linuxislandsucks]

A question about Nasa, the Russian Space Agency and MS

If Nasa and the Russian Sapce Agency can design strong and reliable computer system OSes and controls under very difficult low budgets that don't put lives in danger....

Why can't a company with 40 billion in cash design a computer system OS that is secure or adequately fix one that they have goofed up on?

Makes you wonder about MS hiring policies and software engineering doesn't it?

Re:space agencies make some big mistakes

[Anonymous Coward]

Don't confuse the scale of the mistake with the scale of the consequences.

One-line error in Microsoft Office = tech support gets a few more phone calls
One-line error in guidance software = state funerals for our brave heroes

Better Question

[Wyatt Earp]

Does the sawed-off shotgun in the Souyz capsule to fight off wolves violate the provisions that demiliterize space?

http://www.cnn.com/2003/TECH/space/05/05/soyuz.l an dings.ap/index.html

"In 1976, a Soyuz spacecraft came down in a freezing squall and splashed into a lake; the crew spent the night bobbing in the capsule.

Eleven years before that, two cosmonauts overshot their touchdown site by 2,000 miles and found themselves deep in a forest with hungry wolves. That's when Russian space officials decided to pack a sawed-off shotgun aboard every spacecraft."

If they can launch a shotgun hundreds of times, then why can't the US launch some lasers?

Fail-safe design

[fname]

It's actually a clever piece of work. Basically, software has to make calculations in order to provide a "soft" entry, 5 Gs approximately. If there is an error, the module goes into a ballistic entry mode, and it is more like 7-8 Gs, rougher but survivable.

On (nearly) every manned spacecraft ever flown, every system has a hot-backup that kicks in if the first one fails. The exceptions are systems for which it is basically impractical to have a backup-- can't really have redundant heat shields, as the weight is too much. But for electronics and software, this is standard. This story would have gone practically unnoticed if Soyuz had notified Star City that they were doing a "ballistic" entry, in which case they would have been located much sooner.

This landing showed that the Soyuz has a robust design; if Endeavour enters the atmosphere at the wrong angle, could it recover? What if the flight landing computer failed? NASA has a lot of these things covered; for many problems it is probably more robust than Soyuz, for others it is less robust. Soyuz has the advantage of much more flight experience; I doubt that it's a coincidence that this anomaly happened on a flight with a newly upgraded Soyuz.

Re:Why single out SDI?

[pyrrho]

right... I'd much rather you get hit by a LASER from space than have to deal with a misbehaving traffic light.

By the way, how can a chip in your car make the engine blow up? Is it like that virus that will format your hard drive and eat all the good leftovers in your fridge and unspay your dog?

SDI

[MickyJ]

As everyone knows, SDI cannot stop terrorists from flying planes into buildings, using suitcase nuclear weapons, launching missiles from off-shore platforms, etc, etc.

But, SDI is really another way to spend billions on research (just like the space race used to be the research money hole). There is no doubt good things will come from it, but at a very high cost.

New here?

[MondoMor]

In order to get a story submitted, it must have a snide remark or overgeneralization. Articles that aren't flamebait are boring, apparently. Especially with timothy and michael picking the stories. Those two horse's asses are the biggest trolls and FUDders on Slashdot. CmdrTaco is up there too, though he just likes to post duplicate stories (can't bother reading his own site) and whine about SPAM.

Re:A question About Nasa, Russian Space Agency

[ender81b]

While I appreciate MS bashing as much as the next person this is... wrong. The 'os' on the space shuttle, and other space equipment, are remarkably simple pieces of technology. iirc, the shuttle has 3 computers, each of which has a 386 (and that was a recent upgrade) and somewhere around 1-2mb of RAM. That's it,because that's all the shuttle needs.

Think about it, the shuttle computer - and the soyuz capsule - needs to only do a, relatively, few things. Autopilot and navigation. These are relatively simple mathematical problems that just don't require alot of horsepower or complexity. The operating systems on these things just aren't that complex. No need for drivers, plug and pray, support for thousands of applications, preemptive multitasking, virtual memory, smp, 3D, hundreds of thousands of hardware configurations, etc, etc. Windows - or any modern OS - is a few orders of magnitutde more complex than the OS's used to run space equipment.

This is not to say that the system used by NASA is in any way inferior or 'easy' - it is not and the entire system has undergone numerous code audits and has recieved lots of praise because, as far as any body can tell, it is impervious to any software caused error.

Glass Cockpit?

[Gojira Shipi-Taro]

I saw an interview over the weekend with the space Tourist guy where the fact that this particular capsule was one of the first Soyuz with a "glass cockpit", similar to what has recently been installed on the shuttle fleet.

As a software QA guy, I know what kinds of havok a UI defect can cause in a software package. Is it possible that insufficient QA is going into the interface software for these "Glass Cockpits"? There's a time and place for everything, and at the moment, I'd feel a lot better with hardware switches for most spacecraft function (particularly with something as old as Soyuz) than with the kinds of UIs that I've seen in terrestrial software...

Re:Why single out SDI?

[Ralph Wiggam]

The four things that you mentioned are extremely mature technologies that have been refined through several generations of mass produced products. Space based laser missile defense can never be fully tested (think of Spies Like Us). It will "always be a beta release" says the article poster. Basically, I know that car computers work very well because they've been tested of millions and millions of miles of real world driving. The space based system currently proposed has failed most of the tests perfomed. The ones it has passed were simplified versions of the tests that it had failed. Honestly, I don't understand spending 10s of billions of dollars defending against the most difficult and expensive way to deliver nuclear weapons. Although they have improved things a bit, our coasts and ports are not being properly secured.

-B

Case in Point: Patriot in Iraq

[That_Dan_Guy]

Why did the Patriot lock on to several and shoot down one or two Allied Aircraft in Iraq? The programming had something wrong in it. In addition, the software was left to run and make decisions ON ITS OWN. Why? Because if you had a person making the decision of whether or not it was an enemy missile or a stray bird it would be too late. Decisions had to made INSTANTANIOSLY.

This is fine in a restricted combat zone/Single theater.

Now, expand this to the entire globe. You set your stuff up in Alaska to shoot down Rogue Nation N. Korea's missiles aimed at the US. How many planes fly back and forth through zones covered by this system? Can you GUARANTEE that your system WILL NOT shoot down a civilian airline by mistake? What if it decides N. Korea has launched a massive first strike, and lets loose all of its anti-missile capability on everything flying over the Pacific Ocean?

When I was in my Software Engineering course back years ago (read: things MAY have changed since then) the Professor talked about his encounters (face to face, via journal articles, conferences, etc.) with the CompSci people in charge of writing the software for the SDI system. When asked how they would gaurantee error free code they'd give vague answers like "we'll do both a top down and bottom up method that will meet in the middle and somehow miracously be bug free"

Uh, That doesn't really work out too well, as I'm sure other /.ers are more capable of explaining than me.

Hopefully there are smart enough people on the job who can build in good enough failsafes that what happened in Iraq with the Patriot (a tried, tested, and tested again in real life system) won't happen on the scale capable from an SDI system.

Re:In Soviet Russia...

[Jeremiah Cornelius]

"Soviet Russia" references may be the obvios start for a thread here... But this is a site for Nerds.

Did any one other than myself notice that the Soyuz module is named TMA-1?
If I'm not mistaken, that was the name of the spooky monument site in Clarke's "2001, a Space Odyssey".
Tycho Magnetic Anomaly One...

Re:Case in Point: Patriot in Iraq

[FredThompson]

The open-source explanation for the aircraft you mention is their IFF wasn't working. If they were interrogated by the system and didn't properly respond with who they are...

There's no guarantee the wrong item won't be removed from the sky. Why is that necessary? (I'm not being ridiculous here, it's a serious question.)

Nothing in life, especially a military situation, is 100% guaranteed nor can it be. It's unrealistic to think something shouldn't be done unless you know the outcome, absolutely, before you begin.

Don't take this next comment as an insult, it most definitely is not:

Deciding not to do something unless the outcome is 100% guaranteed is the the most sure way to guarantee failure.

Getting back to the military thing and software. OK, so some professor mentions some encounters with software developers. So what? He knew ALL of them and talked with ALL of them ALL the time. Funny, I don't remember any professor talking with me...

Does this professor now head anything having to do with software development for critical control of national asset-level resources? My guess is, no.

Methodologies and capabilities grow and change over time. When the U.S. first fielded nuke missiles all it took to launch was flip a switch then turn 2 keys in a co-ordinated manner. Things changed drastically over time.

So has software design. The wildcat days for software in this arena are long gone.

Re:On missile flight paths

[Guppy06]

Cruise missiles do not fly intercontinental distances, at least no sane designs intended to carry thermonuclear warheads. And while they're nowhere near as visible as missiles coming in on a ballistic arc, they are very slow (compared to spacebourne weapons) and simple for conventional anti-air defenses to hit. Realistic nuclear cruise missiles are tactical weapons designed hundreds of miles at best, and even then require some sort of air superiority in the target zone and/or an undetected firing platform (such as a nuclear submarine). And this says nothing of the required technology base to build one.

Stratiegic Defense Initiative is intended to take out stratiegic nuclear weapons, the ones that are designed to cross oceans. And the only realistic way to get a missle to fly over oceans (without a fleet of B-52s hovering just outside the target's borders) is to lob them over a sub-orbital arc. These weapons are essentially in free-fall as soon as the boosters fall away, which happens well before the warhead crosses the target's horizon.

"but I'd assume any country capable of launching nukes from a distance could setup the missiles to fly erratic flight plans."

Consider the decades of time between the development of ICBMs and cruise missiles. And again, these missiles would have trouble crossing the Atlantic Ocean, let alone the Pacific. What are these missiles going to do, hook up to a refuelling jet two or three times during its flight?

The focus on stopping ballistic missiles is both because such missiles are the easiest to build (remember that ballistic missiles were used in WWII) and the most difficult to stop. Any other form of delivery can be stopped by conventional means.

Re:ah, right

[vandan]

You are assuming that SDI will be used in defense.
When used for its primary purpose - attacking countries that do not approve of the US regime - the danger is that instead of knocking out a military target, a bug in the software could cause the death of a large number of civilians in a highly populated area............
Oh yeah.
It already happened and no-one gives a shit.
Sorry.

Yeah, but still no integration test

[enkidu]

What you're talking about is component level testing. Unfortunately, all that testing doesn't substitute for a true "shakedown" integration test. Look up the AEGIS cruiser system (actually sort of a mini-SDI for a ship). On it's first full integration test, it failed to shoot down 6 out of 17 targets due to software errors. Now, make the integrated platform 2 orders of magnitude more complicated than that (and at least one order of magnitude more complicated than ANY software project attempted to date) and you can see why I'm skeptical of the chances of SDI working as advertised.

Re:Why single out SDI?

[hughk]

I have sat down and talk with some military about the technology they use. It is generally somewhat behind the times, because of the extensive test procedure it has to go through. However, never underestimate the stupidity of a tired/bored person in the middle of the night - whether civillian or military. Procedures help, but they don't address all problems especially when in a hurry. Think of the accidental destruction of civillian flights. Most technology in the field requires extensive modifications, simply because the designers couldn't forsee how it would be used.

The thing is that we know that Patriot doesn't work very well in the field (except against friendly aircraft). We know also that the collateral damage from the enemy missle being destroyed is also quite bad.

SDI is only really effective against ballistic missles in their boost phase. They are more difficult to destroy in their extra-atmosphere and reentry phases. If not completely destroyed during the boost phase (likely), they are more likely to go off course and go somewhere unintended.

You talk about the probability of the thing working and compare it with an ICBM. Well, no ICBMs were launched in anger, but enough test firings took place to ensure a high probability of success. Not so with SDI.

The moon program was civil and everything about it was public knowledge. SDI is military and classified. We know that tests have been falsified, we don't know the payola between the gun pushers and those involved with promoting the program within the Government. Any technology spin-offs will start out as classified and remain so. Mostly to prevent people finding out who was paid, how much and for what.

graceful failure is a good thing

[sbwoodside]

Here's a system that failed gracefully. Consider a simple taxonomy of software bugs:
- you lose data
- you corrupt data

The second one is far, far worse because the failure makes changes to your data and you know longer know what is right and what is wrong. The same situation maps onto this failure. The automatic primary system failed, and lost data. But it did not /corrupt/ data. A kernel panic serves exactly the same purpose. The kernel detects that it can no longer rely on itself, instead of continuing to operate it shuts down. The potential consequences of continuing in any form, might results in writing random or bad data to the hard drive, or who knows what else. It's better to system panic and stop doing anything.

Code that fails gracefully is good code.

simon

Re:Why single out SDI?

[hswerdfe]

I disagree.

Canada (greatest country on earth) was the second country in the world with the power to make Nukes.

Yet We Are still Nuclear Free.

We canadians actually value life....150,000 people is a fucking lot, do not belittle them.

The US could/Should have Fired a Warning shots first, (Let the first 1 or 2 off in the ocean).

The Use of nukes had something to do with ending the war early (about 6 months), and something to do with the US Beating its chest like a gorilla to warn the Russians that they mean buisness.

as for countries that would use them
I have to believe your right most countries would have, Rusia would have, Japan Would have, Germany would have used them, But I don't think Britan would have, not that late in the war.

There citizans acutally knew what war was ....and I don't think they liked it much.

any way....

ignore the rest of my ramble ..can you tell I'm bitter at the US over a lot of things, ..

mostly its tendancy to break treaties and when ever the hell they feel like it.
Specifically:
Kyoto [unfccc.int]
NAFTA [unites.uqam.ca]

[bbc.co.uk]
Anti-Ballistic Missile (ABM) Treat

Re:Why single out SDI?

[JimPooley]

When Saddam Hussein was facing his ultimate demise he did not use weapons of mass destruction even though he is a madmen.

Well, that could just be because Bush is a lying fucker and Saddam didn't have any weapons of mass destruction...

SDI: Gold Version

[SEWilco]

I will never trust the Strategic Defence Initiative - the star wars project. It only takes one line of mistyped code in what will always be a beta release.

No, it might not always be a beta release.
We hope it will always be a beta release.
There is a possibility that the code will be tested enough in the real world to reach "production" status, but we hope the situations which exercise it in the real world will never happen.

technophobia

[stinky wizzleteats]

Which is why I will never trust the Strategic Defence Initiative - the star wars project. It only takes one line of mistyped code in what will always be a beta release.

You could use that argument against any weapons system that uses a computer. You could also further expand that statement to say that computers can never be used for important tasks. It is amazing how quickly politics can make luddites of us, isn't it?