Last week, the Rosetta spacecraft crashed into comet 67P/Churyumov-Gerasimenko after orbiting it since 2014. It was supposed to do that: the mission was at an end, and the mission designers wanted to end it by getting a close look at the surface of the comet. But this raises an interesting problem: how do you get a device that is designed to never stop to actually stop?



A spacecraft like Rosetta is built from the ground up to keep going, to reboot and go into a backup mode, phone home and wait for instructions if it encounters a problem. This is called a safe mode, and it has saved the spacecraft several times before. If it was left unfixed, when the spacecraft hit the comet, it would trigger a special safe mode called FDIR (Failure Detection, Isolation and Recovery) that would keep sending a diagnostic signal back to earth until the mission controllers responded.

But this mission was at an end, and if the probe was left constantly rebooting and transmitting a cry for help, it could interfere with other spacecraft using the same frequency. Even a weak signal could interfere with another spacecraft, so the designers wanted to shut it down completely. So, they used an interesting approach: they patched the software on the spacecraft to stop it phoning home. The day before it was crashed into the comet, they sent it a patch that removed the safe mode and replaced it with a passive mode that hadn’t been used since before launch, where the spacecraft would simply sit and wait for instructions if it hit a problem. A few hours before the crash, this patch was activated, and the probe was now without a backup plan. So, when it hit the comet, it entered this passive mode, and it will stay in this mode for as long as the batteries last, forever waiting for a command to restart that will never come…

Thanks to [Daniel] for the tip!