Flight 501, which took place on June 4, 1996, was the first test flight of the Ariane 5 expendable launch system. It was not successful; the rocket tore itself apart 40 seconds after launch because of a malfunction in the control software, making the fault one of the most expensive computer bugs in history. The breakup caused the loss of the payload: four Cluster mission spacecraft.
Summary
The Ariane 5 software reused the specifications from the Ariane 4, but the Ariane 5's flight path was considerably different and beyond the range for which the reused code had been designed. Specifically, the Ariane 5's greater acceleration caused the back-up and primary inertial guidance computers to crash, after which the launcher's nozzles were directed by spurious data. Pre-flight tests had never been performed on the re-alignment code under simulated Ariane 5 flight conditions, so the error was not discovered before launch.
Because of the different flight path, a data conversion from a 64-bit floating point value to a 16-bit signed integer caused a hardware exception (more specifically, an arithmetic overflow, as the floating point number had a value too large to be represented by a 16-bit signed integer). Efficiency considerations had led to the disabling of the software handler (in Ada code) for this error trap, although other conversions of comparable variables in the code remained protected. This led to a cascade of problems, culminating in the destruction of the entire flight.
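The narrowing conversion described above, as an added example that is not the Ariane software or the inquiry board's material: a range-checked conversion of a 64-bit float to a 16-bit signed integer (standing in for the Ada handler that protected the other variables), driven by a constructed stand-in for the horizontal-velocity variable whose growth rate is five times higher for the Ariane 5 profile, as the report states. The rates, the 0.1 s step and the 40-second window of the alignment function are assumptions chosen so the overflow lands close to the reported time; they are not the real values.

```c
#include <stdint.h>
#include <stdio.h>

/* Outcome of converting a 64-bit float to a 16-bit signed integer. */
typedef enum { CONV_OK, CONV_OVERFLOW } conv_status;

/* Protected conversion: the explicit range check is what the unprotected
 * variable lacked. It never performs an out-of-range narrowing, which is
 * undefined behaviour in C (and a trapped exception on the Ariane hardware).
 * The negated comparison also rejects NaN. */
conv_status to_int16_checked(double x, int16_t *out) {
    if (!(x >= INT16_MIN && x <= INT16_MAX)) return CONV_OVERFLOW;
    *out = (int16_t)x;
    return CONV_OK;
}

/* Constructed model of the horizontal-velocity variable: a bias that grows
 * linearly with time after lift-off. The rates below are assumptions. */
double horizontal_bias(double seconds, double rate_per_second) {
    return seconds * rate_per_second;
}

/* Constructed growth rates; the 5x ratio is from the inquiry report. */
#define RATE_ARIANE4 180.0
#define RATE_ARIANE5 (5.0 * RATE_ARIANE4)

/* Walk the 40-second window in which the alignment code was allowed to run,
 * in tenths of a second. Returns the first tenth at which the protected
 * conversion reports overflow, or -1 if the value stays in range. */
int first_overflow_tenths(double rate_per_second) {
    for (int tenths = 0; tenths <= 400; ++tenths) {
        double t = tenths / 10.0;
        int16_t v;
        if (to_int16_checked(horizontal_bias(t, rate_per_second), &v) == CONV_OVERFLOW)
            return tenths;
    }
    return -1;
}

int main(void) {
    int a4 = first_overflow_tenths(RATE_ARIANE4);
    int a5 = first_overflow_tenths(RATE_ARIANE5);
    printf("Ariane 4 profile: %s\n", a4 < 0 ? "in range for the whole window" : "overflow");
    printf("Ariane 5 profile: overflow at %.1f s after lift-off\n", a5 / 10.0);
    return 0;
}
```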
Full report
This excerpt is taken from Report by the Inquiry Board - 3. CONCLUSIONS
- 3.1 FINDINGS
- The Board reached the following findings:
- ...
- e) At 36.7 seconds after H0 (approx. 30 seconds after lift-off) the computer within the back-up inertial reference system, which was working on stand-by for guidance and attitude control, became inoperative. This was caused by an internal variable related to the horizontal velocity of the launcher exceeding a limit which existed in the software of this computer.
- f) Approx. 0.05 seconds later the active inertial reference system, identical to the back-up system in hardware and software, failed for the same reason. Since the back-up inertial system was already inoperative, correct guidance and attitude information could no longer be obtained and loss of the mission was inevitable.
- g) As a result of its failure, the active inertial reference system transmitted essentially diagnostic information to the launcher's main computer, where it was interpreted as flight data and used for flight control calculations.
- h) On the basis of those calculations the main computer commanded the booster nozzles, and somewhat later the main engine nozzle also, to make a large correction for an attitude deviation that had not occurred.
- i) A rapid change of attitude occurred which caused the launcher to disintegrate at 39 seconds after H0 due to aerodynamic forces.
- ...
- m) The inertial reference system of Ariane 5 is essentially common to a system which is presently flying on Ariane 4. The part of the software which caused the interruption in the inertial system computers is used before launch to align the inertial reference system and, in Ariane 4, also to enable a rapid realignment of the system in case of a late hold in the countdown. This realignment function, which does not serve any purpose on Ariane 5, was nevertheless retained for commonality reasons and allowed, as in Ariane 4, to operate for approx. 40 seconds after lift-off.
- n) During design of the software of the inertial reference system used for Ariane 4 and Ariane 5, a decision was taken that it was not necessary to protect the inertial system computer from being made inoperative by an excessive value of the variable related to the horizontal velocity, a protection which was provided for several other variables of the alignment software. When taking this design decision, it was not analysed or fully understood which values this particular variable might assume when the alignment software was allowed to operate after lift-off.
- o) In Ariane 4 flights using the same type of inertial reference system there has been no such failure because the trajectory during the first 40 seconds of flight is such that the particular variable related to horizontal velocity cannot reach, with an adequate operational margin, a value beyond the limit present in the software.
- p) Ariane 5 has a high initial acceleration and a trajectory which leads to a build-up of horizontal velocity which is five times more rapid than for Ariane 4. The higher horizontal velocity of Ariane 5 generated, within the 40-second timeframe, the excessive value which caused the inertial system computers to cease operation.
- q) The purpose of the review process, which involves all major partners in the Ariane 5 programme, is to validate design decisions and to obtain flight qualification. In this process, the limitations of the alignment software were not fully analysed and the possible implications of allowing it to continue to function during flight were not realised.
- r) The specification of the inertial reference system and the tests performed at equipment level did not specifically include the Ariane 5 trajectory data. Consequently the realignment function was not tested under simulated Ariane 5 flight conditions, and the design error was not discovered.
- ...
- t) Post-flight simulations have been carried out on a computer with software of the inertial reference system and with a simulated environment, including the actual trajectory data from the Ariane 501 flight. These simulations have faithfully reproduced the chain of events leading to the failure of the inertial reference systems.
- 3.2 CAUSE OF THE FAILURE
- The failure of the Ariane 501 was caused by the complete loss of guidance and attitude information 37 seconds after start of the main engine ignition sequence (30 seconds after lift-off). This loss of information was due to specification and design errors in the software of the inertial reference system.
- The extensive reviews and tests carried out during the Ariane 5 Development Programme did not include adequate analysis and testing of the inertial reference system or of the complete flight control system, which could have detected the potential failure.
Aftermath
Flight 501's high-profile disaster brought to the attention of the general public, politicians and executives the high risks associated with complex computing systems, of which it is now a classical example, resulting in increased support for research on ensuring the reliability of safety-critical systems. The subsequent automated analysis of the Ariane code was the first example of large-scale static analysis by abstract interpretation.
The failure also harmed the excellent success record of the European Space Agency's rocket family, set by the high success rate of the Ariane 4 model. Only recently have Ariane 5 launches become as reliable as those of the predecessor model.
See also
- Therac-25, a radiation therapy machine produced by Atomic Energy of Canada Limited
External link
- Ariane 5 - 501 (1-3) - A good article (in German) where the actual code in question is given