Mars Polar Lander Lost: Leg-Sensor Software Bug Shuts Down Descent Engines 40 Metres Above the Surface
What happened
On 3 December 1999, NASA's Mars Polar Lander fell silent as it entered the Martian atmosphere and was never heard from again. The mission review board concluded the most probable cause was a software defect: vibrations from the deployment of the landing legs during descent generated brief spurious signals in the leg-touchdown sensors. The flight software interpreted these signals — generated at high altitude — as confirmation that the spacecraft had already landed, and shut off the descent engines approximately 40 metres above the surface. The lander fell and was destroyed on impact. This was NASA's second Mars spacecraft lost in three months — the Mars Climate Orbiter had been lost on 23 September 1999.[1]
What went wrong
The landing-shutdown software was designed to cut the descent engines when touchdown sensors registered contact. The behaviour of the leg sensors during leg deployment — generating brief spurious trigger signals — had been observed in testing but was deemed harmless because engineers incorrectly assumed the engine-shutdown logic would only be armed close to the surface. In practice, the shutdown logic was active throughout the final descent phase. The error was never caught because the full descent sequence was not tested end-to-end with real hardware before launch. Three months earlier, the Mars Climate Orbiter had been lost to a unit conversion error. NASA was losing a spacecraft every few months under its 'faster, better, cheaper' programme.[1]
Lesson learned
Integration testing of safety-critical sequences must be performed end-to-end with actual flight hardware under simulated mission conditions. Dismissing a known failure mode as 'harmless under assumed conditions' without verifying those assumptions is engineering negligence. Two spacecraft lost in three months to basic software and specification errors ended the 'faster, better, cheaper' approach and forced a complete review of NASA's mission assurance processes.
Sources
- [1]
External links can go dark — pages move, paywalls appear, domains expire. Every source above includes a Wayback Machine snapshot link as a fallback. All citations are best-effort research; if a source contradicts our summary, the primary source takes precedence.