Moon mission "Bereshit" - the preliminary cause of the accident was announced

6 days after the fall of the Bereshit apparatus on the lunar surface, the SpaceIL team officially announced an intriguing version of the Moon crash on April 11, 2019. And there are even more questions about what happened.

Updated information on the accident on 04/18/2019.

In continuation of this publication .
')
The official from SpaceIL at the moment is the last photo from the Bereshit apparatus (15 km to the surface of the Moon):



Here is the location link for this photo:



Preliminary results of the accident investigation: during the landing process, the on-board computer activated the team, the execution of which led to a fatal result for the mission



It was the time when the reaction was carried out.

“It seems that during the landing process a team was entered that led to a chain reaction that caused the main engine to shut down and did not allow it to resume its operation further.”

Updated on 04/18/2019:
Yet the accident due to the command received from the operator during the landing is nerves, there is no time to analyze the situation, the main IMU1 unit (inertial measurement unit) is abnormal, the operator sends a command to activate the spare IMU2 unit, which caused further critical consequences in the work onboard computer (hang, reboot) and engine failure.

It’s not a problem.

Thus, it is possible that this was a software / human error (commands were entered by the operator or engineers at the MCC) in the procedure for landing the Bereshit device.

The list of commands and modes of operation with the Bereshit device were approved and transmitted only from the SpaceIL MCC. SpaceIL engineers created patches for the on-board computer of the device, checked their performance and functionality, and also prepared the teams for the landing procedure.

It is interesting to intercept the control of the device and introduce an additional code / command into its on-board computer. Theoretically, was it possible to do it or was there some kind of protection from external unauthorized access?

After all, when landing, the time went on for seconds and operators could miss the situation with the device receiving other teams. Although, at this moment, the operators also conjured in manual mode, trying to work with the device. Maybe there was also a discrepancy on the commands entered at the same time.

But, most likely, there was an error in "his" code (maybe it was in one of the many patches that were transmitted to the on-board computer after each restart of it), which contained a fatal command.



This team was introduced intentionally or accidentally, which led to the accident - this fact will remain closed, most likely, although we are waiting for the final results in the near future from SpaceIL, which they have promised to publish.

What is known about the hardware and software components of the Bereshit Apparatus:

- the on-board computer is one (1), not duplicated (there were several reboots of the computer during the flight to the Moon);

- program control code, commands and work with the on-board computer - in C;

- due to the fact that the computer is only one, when you restart, all updates (patches) are erased and they need to be additionally downloaded again into the system;

- data transfer rate is low: one high resolution photo (from 8 Mpx camera) loads 40 minutes;

- DLR (German Aerospace Center) conducted testing of the landing mechanism of the Bereshit apparatus;

- a team at SpaceIL: the majority are engineers in the space industry and physics scientists, several young scientists and engineers who are just studying satellite management systems.

When could the code be implemented with this fatal command? Most likely, when preparing for the landing procedure.

But the team in the on-board computer worked after the vehicle passed the “point of no return” when the automatic landing-controlled computer-controlled process began.

Although in the SpaceIL MCC there was an attempt in the manual control mode to influence the situation with the device during landing.

At a distance of 800 km from the landing, the landing procedures begin:



The Bereshit unit will receive a series of commands from the MCC:



The landing sensors (main and backup) will be activated:



A procedure will be initiated to change the position (orientation) of the Bereshit vehicle:



After the preparatory procedures are completed before landing, the on-board computer of the Bereshit device and the MCC will be able to assess the condition of the systems and readiness for landing, if something does not work correctly, the landing procedure will be canceled, if everything is normal, then after the start of the next stage No more cancellations will be done:



If everything goes smoothly, the Bereshit unit will begin to reduce its orbital speed and reduce the distance to the surface of the moon using the main and auxiliary engines, this procedure will take 15 minutes:



Landing video:



What happened, according to the landing video, with the device (the times are shown from the video):

23:03 The telemetry indicator turned green. Mode: orientation.
25:04 Mode: braking.
25:20 Passed "point of no return."
25:26 Indicator "point of no return" turned black.
25:52 Vertical speed indicator is green.
28:16 Telemetry indicator is no longer green.
28:20 The telemetry indicator momentarily turned green, then ceased to be green.
29.37 Distance: 210 km.
29:50 The distance varies by 385 km.
30:03 The distance changes to 370 km.
30:40 The telemetry indicator turns green.
30:51 Distance varies by 314 km.
31:33 Shows a selfie picture with the moon. Height about 22 km? The telemetry indicator has turned green.
31:50 Telemetry indicator is no longer green.
31:55 to 32:29 "[unintelligible] kill him (process?)." "[more unintelligible] busy"
(here the engineers are already in manual control mode trying to deal with the emergency situation that has arisen)
32:48 Telemetry screen is displayed. The telemetry indicator is yellow. Height is 14095 m. Horizontal speed is 955.5 m / s. Vertical speed 24.8 m / s. The main engine is on. The “horizontal speed” cell is yellow. Other parameters are shown in green, with the exception of the telemetry indicator.
32:49 All engines are on.
32:51 All engines are off.
32:55 The main engine is on.
32:57 All engines are on.
32:59 The main engine is on. Distance: 183.8 km.
33:01 - 33:03 "IMU sensor out of order"
33:02 All engines are on.
33:05 The main engine is on.
33:07 All engines are on.
33:09 Main engine is on.
33:11 All engines are on.
33:13 The main engine is on.
33:16 All engines are on.
33:20 The telemetry indicator turns green. All engines are off. All pictures are frozen (no change in the testimony).
33:32 Telemetry indicator is no longer green. All engines are off. All pictures are frozen (no change in the testimony).
34:24 The telemetry indicator turns green. All engines are off.
36:25 - 36:33 “Problems with the main engine. We reboot the on-board computer to turn on the engine. ”

Attempt to transcribe the words of the announcer and engineers in the process of landing (timing is different, but the essence and seconds are the same):

7:37:37 - IMU2 Not OK
7:37:50 - [not clear] will try to enable it.
7:37:57 - Someone is curious [something]
7:38:10 - Lost connection from JPL
7:38:34 AM - We lost one IMU and we lost connection.
[in the background someone says something about restarting the IMU]
7:38:39 - Do not enable IMU2
7:38:52 - it is not correct, there is currently no telemetry
7:39:06 - [in english] we lost telemetry, but we have telemetry back now.
7:39:23 - We passed altitude 10km
7:39:29 - Velocity below 900 m / s
7:39:34 PM - Reminder that we need to reach a velocity of 0
7:39:47 - The engine is running up to 5 bar [?], "Interesting"
7:39:52 - 2nd image downloaded.
7:40:06 - [Anouncer of the laser landing sensor]. [the engine is not running]
7:40:13 - We can have a problem with the main engine.
7:40:17 - Do you want to send spacecraft during the landing process?
7:40:24 - What do you want?
7:40:28 - Situation seems no good, no main engine.
7:40:33 - 2nd image received.
7:40:40 - Losing altitude
7:41:07 - [In english] We have been resetting the engine.
7:41:10 - Is there approval to send [unclear]?
7:41:15 - The main engine is now running, based on [pressure measurements]
7:41:19 - Main engine back on. [and again in english]
7:41:27 - Lost alot of altitude, situation unclear.
7:41:32 - Lost connection with JPL
7:41:45 am - not thru nasa, but we have a connection with the spacecraft.
7:41:49 - Lost telemetry
7:41:52 - We are now without telemetry
7:41:57 - [english] The communication is lost
7:42:10 - We will wait a moment for [evalution] from [unclear]
7:42:17 - We suspect that still evaluating
7:42:56 - We are without space and we lost the spacecraft.
7:43:16 AM - All indications are not the 4th nation to land on the moon.
7:43:33 - We wanted to be.

The last 4 seconds of the life of the device according to the data center (from 678 to 149 meters reduction):









At 19:23 the telemetry data completely ceased to arrive.

SpaceIL engineers now have all the data, command listings and patches that they sent to the Bereshit device after each restart of the onboard computer, it is also possible to investigate all this information more thoroughly and analyze the landing procedure before an accident occurs on the device.

If it is true that not only incorrect data from external sensors led to the tragedy, but also the program code that processed this data or even accidentally brought the device into an emergency, then it is only with experience that you can then resolve and prevent it at the stage of creating the code before sending on the spacecraft.

SpaceIL Chairman Morris Kahn said: “ I am proud of the SpaceIL engineering team for their excellent work and dedication, unfortunately, accidents are often an integral part of such a complex and innovative project. Now it is important to learn the lessons learned as much as possible, study the mistakes and boldly keep moving forward .

By the way, the Bereshit spacecraft in orbit of the Moon and during the landing used an onboard magnetometer and transmitted some of the scientific data on the magnetic field of the Moon to the MCC SpaceIL.

Thus, he nevertheless fulfilled a part of his scientific small program!

Updated data by mistake in case of an accident:

The completed first stage of the investigation was limited to the study of the facts and the sequence of events. During the flight, there were interruptions in communication, but the Bereshit device continued to function in a given mode. That was until the moment when the device began to land on the lunar surface.

During the investigation, it was established that one of the commands transmitted from the flight control center was not executed, which led to a chain of subsequent failures: the engine stopped working, and the device itself fell to the surface.

A malfunction was identified in the operation of the accelerometer sensor, called UMI (responsible for acceleration). It has not yet been precisely determined why the refusal followed, which led to subsequent negative reactions of the system.

The command to activate the acceleration sensor was sent from the SpaceIL MCC.

After the rejection followed, attempts were made to restart the engine in alternative ways, but they were not crowned with success.

Everything happened under the conditions of the most severe time trouble: a failure occurred in the last seconds of the mission, which was not finally completed.

The on-board computer of the Bereshit unit also tried to autonomously restart the engine - there were 5-6 such attempts. But they all proved to be unsuccessful.

It is possible that the execution of commands on the device for switching on spare modules (IMU2), which led further to new problems and accidents, was inconsistent between the engineers.

The spacecraft was using the IMU 1.

IMU 2 and another engineer asks for it.

It’s possible that I’m thinking about it.