MAY 27/Integration & Testing/4 MIN READ

The Interface Between Two Companies Belongs to No One

Dan Zaidenband


In September 1999, the Mars Climate Orbiter crossed into the Martian atmosphere about 170 kilometers lower than its planners intended and broke apart. Two organizations had written the software that steered it. One expressed thruster impulse in pound-force-seconds, the other read those numbers as newton-seconds, and the interface specification that should have caught the mismatch was a document neither side's code was bound to.

The orbiter is remembered as a unit-conversion blunder, the sort of thing a careful intern would catch. That framing lets everyone off the hook, because the engineers on both teams were careful. Lockheed Martin in Denver built the spacecraft and its ground software. JPL in Pasadena ran navigation. Each group was competent, reviewed, and internally consistent. The failure lived in the seam between them, in the one artifact that belonged to both teams and therefore to neither.

Every integrated system has these seams. A propulsion vendor in one country ships a thruster to a prime in another. An avionics supplier hands a flight computer to an integrator who has never seen the firmware. The components can each be flawless and the spacecraft still won't fly, because the thing that has to be right sits outside both components. It is the agreement between them, and agreements are what our tooling handles worst.

An interface has two authors and no owner

Open any interface control document and you are reading something two parties negotiated and then walked away from. The avionics team owns its firmware repository. The thermal team owns its parser. Both teams version their own code, run their own tests, and answer to their own leads. The ICD that sits between them is owned by a meeting that happened months ago.

This is the structural problem, and it does not require anyone to be careless. Each side can maintain its own half with discipline. The shared contract still rots, because no build anywhere goes red when it does. A repository has a maintainer. A test suite reports green or broken. The interface between two companies has a PDF and the memory of a handshake.

Mars Climate Orbiter was an ownership failure

The orbiter had a specification. It called for metric units on the small-forces impulse data that fed trajectory modelling, and it was neither missing nor ambiguous. It simply had no force. Lockheed's ground software produced impulse in English units, the navigation team consumed it as metric, and across months of cruise the small discrepancies compounded into a trajectory error large enough to lose the spacecraft.

Reviews happened. Navigators saw the orbiter tracking off its predicted path and flagged it more than once. The concern moved through channels that had no power to halt anything, because the specification it would have invoked was a reference rather than a gate. A document that describes the correct behavior but cannot stop the incorrect behavior is decoration. The orbiter obeyed the running code, and the running code was never checked against the contract.

An interface specification with authority on paper and none in the build is a document waiting to be contradicted.

Internal hygiene stops at the boundary

The standard advice for interface drift is to stop hand-maintaining documents and generate them from code. We hold that view and have argued it. By itself it is not enough. A vendor can generate a clean, always-current ICD from its own schema and still hand the integrator a file that drifts the moment it lands, because the integrator regenerates from a different schema on the other side of the boundary. Two sources of truth that disagree are worse than one that is merely wrong, since each side has every reason to trust its own.

The boundary is where this bites. A change you make inside your repository gets checked by your tests within minutes. A change that breaks your neighbor's assumption stays invisible to you until your hardware and theirs are on the same bench. Picture a smallsat bus where the power team widens a telemetry field from eight bits to sixteen and updates its own decoder the same afternoon. Nothing breaks on their side. The fault team, reading the old width, keeps parsing two registers as one for as long as the two boxes never meet. The feedback loop that makes software-in-the-loop simulation worth running moves at the speed of the slowest shared signal, and on most programs that signal is a status meeting.

The contract has to be the thing both sides build against

An interface gets an owner the moment one definition becomes the artifact both parties commit against. A single schema, in a place both sides can see, from which each generates its parser, its test harness, and its simulator stub. When the propulsion vendor changes a scale factor, the integrator's build pulls the new definition and the integrator's tests pass or break on it. The disagreement shows up as a red build on a Tuesday instead of a thermal anomaly two hundred days into cruise.
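As an added illustration (not the post's code, and not any real ICD format such as XTCE), here is a constructed Python sketch of the mechanism this paragraph and the earlier telemetry-width scenario describe: one schema object that both parties derive their encoder and decoder from, plus the contract check a CI job on either side would run against the other party's published copy. The schema, field names, widths and sample values are all invented.

```python
import struct
from copy import deepcopy
# Constructed shared interface definition (not a real ICD): the single artifact
# both producer and consumer generate their parsers and tests from.
SHARED_SCHEMA = {
    "frame": "small_forces",
    "fields": [
        {"name": "seq",         "type": "u8"},
        {"name": "impulse_x",   "type": "i16", "unit": "N*s", "scale": 0.001},
        {"name": "bus_voltage", "type": "u16", "unit": "V",   "scale": 0.01},
    ],
}
_TYPES = {"u8": "B", "i16": "h", "u16": "H"}  # schema type -> big-endian wire type

def wire_format(schema):
    """The generated parser layout: derived from the schema, never hand-written."""
    return ">" + "".join(_TYPES[f["type"]] for f in schema["fields"])

def frame_size(schema):
    return struct.calcsize(wire_format(schema))

def encode(schema, values):
    """Producer side: physical values in the schema's units -> wire bytes."""
    raw = [round(values[f["name"]] / f.get("scale", 1)) for f in schema["fields"]]
    return struct.pack(wire_format(schema), *raw)

def decode(schema, payload):
    """Consumer side: wire bytes -> physical values under the same schema."""
    raw = struct.unpack(wire_format(schema), payload)  # wrong width: struct.error
    return {f["name"]: r * f.get("scale", 1) for f, r in zip(schema["fields"], raw)}

def contract_diff(theirs, ours):
    """CI gate: fields where the two parties' views disagree in type, unit or scale."""
    mine = {f["name"]: f for f in ours["fields"]}
    diffs = []
    for f in theirs["fields"]:
        m = mine.get(f["name"])
        if m is None:
            diffs.append(f"{f['name']}: missing on our side")
            continue
        diffs += [f"{f['name']}.{k}: {f.get(k)!r} != {m.get(k)!r}"
                  for k in ("type", "unit", "scale") if f.get(k) != m.get(k)]
    return diffs  # empty list: the contract still holds on both sides

def stale_copy():
    """Constructed drift: the old 8-bit voltage width plus impulse read in English units."""
    old = deepcopy(SHARED_SCHEMA)
    old["fields"][1]["unit"] = "lbf*s"
    old["fields"][2]["type"] = "u8"
    return old
```

Run `contract_diff` in each party's build against the copy the other party publishes; a non-empty result is the red build on a Tuesday, and the frame-size mismatch is what the bench would otherwise discover months later.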

This is ordinary practice wherever two software teams share an API. They publish a schema, both sides generate against it, and a breaking change fails continuous integration before it ships. Aerospace already owns the formats, from ASN.1 to CCSDS XTCE. What it mostly lacks is the habit of treating one of them as the shared source that gates both builds, rather than a delivery format each side exports once and forgets.

Treat the interface as owned and the integration calendar changes shape. The discovery that used to wait for the high bay moves up to the day the schema changed. Off-nominal cases get written once, against a definition both sides recognize, instead of twice against two that have drifted apart. The prime and the component builder stop trading spreadsheets and start reading the same file. None of this asks either company to open its internal models or surrender its IP, because the shared artifact is the contract, not the implementation sitting behind it.

The Mars Climate Orbiter did not die because someone forgot to convert pounds to newtons. It died because the document that held the right answer was never in a position to enforce it, and two careful teams trusted a handshake that had quietly come apart in the months since. The interface between two companies will go on being the one nobody owns, right up until it becomes the one thing they both have to build against.
