Your Simulation Is Only as Honest as the Models Inside It
In 1990, Hubble passed every optical test its builders ran. Perkin-Elmer figured the primary mirror to one of the smoothest surfaces ever manufactured, and figured it precisely to the wrong shape, because the instrument that measured it was misassembled by 1.3 millimeters. The tests certified the flaw instead of catching it.
That is the failure mode nobody budgets for. We have spent two years arguing that software-in-the-loop simulation should be a daily practice, not a milestone gate. It should. But a quieter version of the same problem hides inside teams that already simulate every day: the run comes back green, everyone moves on, and the green meant nothing, because the models feeding the simulation were never as truthful as the result implied.
A simulation inherits the honesty of its weakest model
A simulation is not a measurement. It is an argument built from models, and an argument is only as sound as its premises. Hubble is the cleanest case in the history of aerospace. The reflective null corrector was the reference Perkin-Elmer ground the mirror against, and the null corrector was wrong. A 1.3 mm spacing error meant the truth standard lied. Two other correctors on the same shop floor detected the spherical aberration, and the team set their readings aside, because they trusted the instrument that agreed with the plan.
Swap "null corrector" for "vendor-supplied dynamics model" and you have described a normal week in spacecraft integration. The simulation runs. The numbers close. And nobody can tell you whether the model at the center of the loop describes the hardware or describes someone's hope for the hardware. A green result against a wrong reference is a flaw with a certificate.
In multi-vendor integration, your models are someone else's black box
Space integration differs from a single-team software shop in one way that decides everything: you don't own the models. The reaction wheel comes from one vendor, the star tracker from another, the propulsion controller from a third, and each one ships you a model of their box, if you are lucky. More often they ship a compiled binary, a sanitized version with the interesting dynamics filed off, or a datasheet and a wish. They guard the internals because the internals are the product. That is a fair position. It is also a fidelity problem you have inherited and cannot see into.
Ariane 5 Flight 501 is what that looks like when it bites. The inertial reference software was reused from Ariane 4, proven code, flown for years, trusted because it had flown. It carried an alignment routine validated against Ariane 4's flight envelope, and left running for a short window after liftoff because Ariane 4 needed it there, and Ariane 5 climbed with far higher horizontal velocity. A 64-bit floating-point horizontal-velocity value was converted to a 16-bit signed integer and overflowed, both inertial reference units shut down, and roughly 37 seconds after liftoff the vehicle tore itself apart. The software was not buggy in isolation. It was honest about a rocket that was no longer the one flying. Its domain of validity was an invisible assumption, and the assumption was wrong.
A simulation result without model provenance is an opinion with a progress bar.
A passing run on unknown fidelity is worse than no run at all
A green simulation you cannot trace is more dangerous than no simulation, because it manufactures confidence, and confident teams stop looking. The team that never simulated knows it is exposed at integration and plans its tests around that exposure. The team holding a stack of passing runs believes the risk is retired. They stop scrutinizing the interface, because the screen is green. The cost does not disappear. You pay it downstream at the test bench, where an integration issue costs weeks instead of minutes and arrives disguised as a problem that "should have been caught."
Catching an issue in simulation is the whole promise of simulation. The promise is conditional. It holds only when the models in the loop are known to describe the hardware in the regime you are exercising. Outside that regime the run is theater: convincing and empty. The green tells you the math is self-consistent. It does not tell you the math is about your spacecraft.
The fix is provenance, not access
The instinct is to demand the vendor's source, their internal models, the real thing. That fight is decades old and the vendors aren't wrong to refuse, because the internals are the IP. You do not need to see inside the box. You need the box to tell you where its model is valid and where it is guessing.
A power MOSFET datasheet does this without controversy. It states absolute maximum ratings, the conditions behind each curve, and the regions where behavior is uncharacterized. No engineer reads the typical-performance graph as truth at 150C when the graph stops at 85C. A vendor dynamics model deserves the same discipline: shipped as an artifact with a stated domain of validity, the conditions it was validated against, and the boundary past which it is extrapolation. That artifact travels without the source. It is the difference between "here is our model" and "here is our model, here is what it knows, here is what it is guessing." The second one you can simulate against and believe.
We hold the same conviction about interfaces. An ICD should be an artifact generated from code, trusted because it was generated and not typed by hand. A simulation model should carry the same chain of custody, validated and versioned and explicit about its own limits, for the same reason. Documents drift. Assumptions hide. A model with no stated envelope is a document pretending to be a measurement.
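What that artifact looks like in practice, and how a run reads back to it, is easier to see in code than in prose. The block below is an added example written for this essay, not code from any vendor, flight program or the authors' own tooling. It assumes a hypothetical vendor envelope (a model id, a hash of the shipped file, and declared validated ranges for a couple of state variables), and a constructed ascent trajectory whose horizontal velocity ramps past the declared bound while the attitude check keeps "closing", the Ariane shape of the problem. A run is only reported GREEN when every exercised sample sits inside the declared envelope; a run that passes its own math outside the envelope, or against a model that declared no envelope at all, is reported GREEN-UNTRACEABLE rather than green.

```python
"""Provenance-aware check of a simulation run against a vendor model's
declared domain of validity.

Added example, not code from the original essay, from any vendor, or from
any flight program. Every model name, envelope bound, artifact byte string
and trajectory below is constructed for illustration.
"""
import hashlib
from dataclasses import dataclass, field
from typing import Callable, Optional

State = dict[str, float]


@dataclass(frozen=True)
class ModelEnvelope:
    """The artifact that travels with a model instead of its source: which
    exact file it describes, what it was validated against, and the bounds
    past which its output is extrapolation."""
    model_id: str
    version: str
    artifact_sha256: str                   # pins the exact binary that ran
    validation_conditions: str             # like a datasheet's test conditions
    validated_ranges: Optional[dict[str, tuple[float, float]]]  # None: vendor declared nothing


@dataclass
class RunRecord:
    model: ModelEnvelope
    samples: int
    in_domain: int
    math_green: bool
    worst_excursion: dict[str, float] = field(default_factory=dict)  # state -> worst value outside range

    @property
    def traceable(self) -> bool:
        """Traceable only if an envelope was declared and the run stayed inside it."""
        return self.model.validated_ranges is not None and not self.worst_excursion


def pin_artifact(blob: bytes) -> str:
    """Hash the shipped model so the record names exactly what ran."""
    return hashlib.sha256(blob).hexdigest()


def check_run(model: ModelEnvelope, trajectory: list[State],
              closes: Callable[[State], bool]) -> RunRecord:
    """Evaluate the pass criterion (the 'numbers close' test) and, separately,
    whether each sample sat inside the model's declared domain."""
    green = all(closes(s) for s in trajectory)
    in_domain = 0
    worst: dict[str, float] = {}
    for s in trajectory:
        inside = True
        for name, (lo, hi) in (model.validated_ranges or {}).items():
            v = s[name]
            if v < lo or v > hi:
                inside = False
                prev = worst.get(name)  # keep the sample farthest outside the range
                if prev is None or max(v - hi, lo - v) > max(prev - hi, lo - prev):
                    worst[name] = v
        in_domain += inside
    return RunRecord(model, len(trajectory), in_domain, green, worst)


def verdict(run: RunRecord) -> str:
    """Green is only green when it reads back to validated fidelity."""
    if not run.math_green:
        return "RED"
    return "GREEN" if run.traceable else "GREEN-UNTRACEABLE"


def provenance_line(run: RunRecord) -> str:
    """One line a reviewer can read back from the run log."""
    m = run.model
    return (f"{verdict(run)} model={m.model_id}@{m.version} "
            f"sha256={m.artifact_sha256[:12]} in_domain={run.in_domain}/{run.samples} "
            f"out_of_domain={run.worst_excursion or 'none'}")


# --- constructed sample data (hypothetical vendor, hypothetical bounds) --------
FAKE_MODEL_BLOB = b"imu-align model v2.3 (constructed placeholder bytes)"

IMU_WITH_ENVELOPE = ModelEnvelope(
    model_id="imu-align", version="2.3",
    artifact_sha256=pin_artifact(FAKE_MODEL_BLOB),
    validation_conditions="bench + prior-vehicle flight data (constructed)",
    validated_ranges={"v_h": (0.0, 1000.0), "t": (0.0, 60.0)},
)
IMU_NO_ENVELOPE = ModelEnvelope("imu-align", "2.3", pin_artifact(FAKE_MODEL_BLOB),
                                "not stated", None)


def ramp_trajectory(n: int, v_h_max: float) -> list[State]:
    """Constructed ascent: horizontal velocity ramps linearly to v_h_max while
    attitude error stays tiny, so the pass criterion always 'closes'."""
    return [{"t": float(i), "v_h": v_h_max * i / (n - 1), "att_err_deg": 0.01}
            for i in range(n)]


def attitude_closes(s: State) -> bool:
    return abs(s["att_err_deg"]) < 0.1


if __name__ == "__main__":
    for model, vmax in [(IMU_WITH_ENVELOPE, 900.0), (IMU_WITH_ENVELOPE, 1400.0),
                        (IMU_NO_ENVELOPE, 900.0)]:
        print(provenance_line(check_run(model, ramp_trajectory(41, vmax), attitude_closes)))
```

The important design choice is that the envelope check is independent of the pass criterion: the same trajectory that passes its attitude check is reported GREEN-UNTRACEABLE the moment horizontal velocity leaves the declared range, and a model shipped with no envelope can never produce a plain GREEN, no matter what its numbers say.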
Accept this and the daily simulation practice we keep advocating gains a second requirement. Running the loop every day is not enough. Every model in the loop has to declare what it knows, and every green result has to read back to the fidelity that produced it. A run you cannot trace to validated models is not a test you passed. It is a question you have not asked yet, and on a spacecraft the unasked question is the one waiting for you at integration, or in orbit, where Hubble's was, 1.3 millimeters from correct and certain the whole way down.