The Mars Polar Lander (MPL) was a NASA spacecraft designed to set down near the Martian south pole and study the planet’s water and climate history. After a normal cruise from its January 1999 launch, it began its descent to the surface on December 3, 1999, and was never heard from again. Because the lander did not transmit during the final descent, no telemetry directly recorded what went wrong. NASA’s Jet Propulsion Laboratory convened a special review board, whose findings were documented in the “Report on the Loss of the Mars Polar Lander and Deep Space 2 Missions,” released in March 2000 and archived on NASA’s Technical Reports Server.
Without direct data, the board reconstructed the failure by analysis and testing and identified a most-probable cause rooted in the touchdown-detection software. As the lander descended under power, its three landing legs deployed from their stowed position. The board found that this deployment could generate a brief, spurious electrical signal in the touchdown sensors on the legs, a transient that the magnetic sensors produced when the legs snapped into place, even though the spacecraft was still far above the ground.
The flight software was supposed to use the touchdown sensors to know when the lander had actually reached the surface so it could shut off the descent engines. The software architecture latched a touchdown indication, and the requirements did not properly account for the transient signals produced during leg deployment. As a result, the software could record a false “touchdown” while the lander was still roughly 40 meters above the surface. With that latched indication in place, the software would command engine shutdown prematurely as soon as it began monitoring for landing, and the lander would then fall freely from altitude and be destroyed on impact.
The board was careful about the verification history. The flawed handling of the transient was a software logic error that should have been caught, but related testing was compromised: during system testing the touchdown sensors had been miswired, which masked the spurious-signal behavior, and after the wiring was corrected the complete end-to-end test was not rerun in a way that would have exposed the software flaw. The transient-signal case was also not part of the software’s modeled requirements, so the simulation never exercised it.
Mars Polar Lander, lost in the same year as the Mars Climate Orbiter, became a second jarring lesson for NASA’s faster-better-cheaper era. The combination of a missing requirement, a latent software logic error, and a test gap that hid the defect is a recurring shape in safety-critical software failures: no single mistake was fatal in isolation, but together they removed every chance to catch the error before flight. The losses drove substantial reforms in independent verification, requirements traceability, and end-to-end testing for low-cost planetary spacecraft.