From Qualification to Operations: Why Many Space Failures Happen After “Success”

A significant number of space systems fail not because they were badly designed, but because qualification is mistaken for readiness. Some of the most well-known mission failures did not occur because a spacecraft failed qualification; they occurred after success had already been declared.

• The “Mars Climate Orbiter” was lost due to a navigation error originating from an interface mismatch in thrust data units. Thruster impulse information was generated in imperial units, while the ground-based navigation software assumed metric units. This inconsistency was not identified through end-to-end validation of the ground–space operational interface, resulting in an incorrect trajectory correction and atmospheric entry at a non-survivable altitude.
• The “Hitomi” satellite failed during early operations following a fault in its inertial reference data. The spacecraft’s control system accepted erroneous attitude information, triggering inappropriate thruster firings and an uncontrolled spin. The resulting structural loads led to the loss of its solar arrays and mission termination. The failure was not a single component defect, but a combination of sensor fault, software robustness limitations, and insufficient safeguards during autonomous mode transitions.
• Even long-operating satellites such as “NOAA-19” illustrate the same pattern over a different timescale, not as a sudden failure but as a gradual erosion of operational margin. Designed for a five-year mission, NOAA-19 remained operational for more than fifteen years before being decommissioned due to critical battery degradation. Long-term exposure and ageing effects eventually became the dominant operational risk, beyond what qualification testing could realistically bound.

What failed in these cases was not the idea of qualification, but the assumption that qualification evidence alone is sufficient to guarantee safe and predictable operation in orbit.

The Mars Climate Orbiter        Hitomi Satellite                        NOAA-19

What “Operations” Really Means for a Satellite

Operations in space do not resemble a laboratory environment or a short demonstration phase. A satellite in orbit must operate continuously without physical access, under strict power and thermal constraints, exposed to radiation, commanded through limited telemetry, and increasingly governed by autonomous software behaviour. In that environment, a satellite is no longer just a designed system; it is a system operating permanently at the edge of its assumptions.

Why Qualification Is Structurally Insufficient

Qualification demonstrates that a design can survive defined environments and perform specified functions. It does not prove that the system will behave predictably over time, under evolving operational conditions, or in response to combinations of events that were never exercised together on the ground.

Ground testing is necessarily constrained. Time is compressed, configurations are controlled, and systems are heavily instrumented and monitored in ways that cannot be replicated once in orbit. Decisions are made by the engineers who designed the system. While qualification does include representative operational scenarios, these are exercised in isolation and under tightly controlled conditions that cannot fully replicate sustained in-orbit use.

Qualification validates design intent. Operations expose design truth.

Why Failures Cluster After Launch

Many post-launch failures are not sudden. They emerge as assumptions are gradually invalidated: margins consumed by real usage, thermal or power behaviour drifting from predictions, software states accumulating history that was never exercised on the ground, or recovery paths depending on human decisions made with incomplete data. In practice, this often manifests through mechanisms such as estimator bias accumulation, long-duration thermal soak effects, or battery impedance growth, effects that are benign over short tests but become critical over sustained operation.

In orbit, time itself becomes a failure mechanism. Effects that were acceptable over hours or days during test become significant over months or years. Modes that were technically verified but rarely exercised become the default response to unexpected conditions. What looked robust in isolation becomes fragile in sequence.

The Missing Question: Are We Ready to Operate This Satellite?

Most satellite programmes can demonstrate that requirements have been met and qualification objectives achieved. Far fewer can show that operational risks are understood, bounded, and actively mitigated. Operational readiness is not the absence of open actions at launch; it is the result of explicit verification that failure modes, degradations, and recovery paths are detectable and manageable within real operational constraints.

Techniques such as Failure Modes and Effects Analysis, fault-tree analysis, and operational hazard analysis are often performed during design, but are rarely revisited once the system configuration, software behaviour, and operational concept have stabilised. As a result, many risks are formally analysed but never operationally exercised. In practice, these risks are not eliminated; they are transferred, implicitly, to operations.

Confidence Is a Lifecycle Property

Space does not forgive hidden assumptions. Once a satellite is in orbit, every ambiguity is amplified by distance, delay, and autonomy. Many mission losses have not been the result of poor engineering discipline, but of misplaced confidence at the point of release. Success in space is not what passes qualification; it is what continues to behave predictably when no one can touch it.

Mary Mousavi Moayed