Ariane 5 Flight 501
Cluster was a constellation of four European Space Agency spacecraft which were launched on the maiden flight of the Ariane 5 rocket, Flight 501, and subsequently lost when that rocket failed to achieve orbit. The launch, which took place on Tuesday, June 4, 1996, ended in failure due to an error in the software design caused by inadequate protection from integer overflow. This resulted in the rocket veering off its flight path 37 seconds after launch, before beginning to disintegrate under high aerodynamic forces, and finally being commanded to self-destruct by its automated flight termination system. The failure has become known as one of the most infamous computer bugs in history. The failure resulted in a loss of more than US$370 million.

Spacecraft

Cluster consisted of four 1200 kilograms (2,645.5 lb) cylindrical, spin-stabilised spacecraft, powered by 224 watt solar cells. The spacecraft were to have flown in a tetrahedral formation, and were intended to conduct research into the Earth's magnetosphere. The satellites would have been placed into highly elliptical orbits; 17200 by, inclined at 90 degrees to the equator.

Launch failure

The Ariane 5 software reused the specifications from the Ariane 4, but the Ariane 5's flight path was considerably different and beyond the range for which the reused computer program had been designed. Specifically, the Ariane 5's greater acceleration caused the back-up and primary inertial guidance computers to crash, after which the launcher's nozzles were directed by spurious data. Pre-flight tests had never been performed on the re-alignment code under simulated Ariane 5 flight conditions, so the error was not discovered before launch.

Because of the different flight path, a data conversion from a 64-bit floating point to 16-bit signed integer value caused a hardware exception (more specifically, an arithmetic overflow, as the floating point number had a value too large to be represented by a 16-bit signed integer). Efficiency considerations had led to the disabling of the software handler (in Ada code) for this error trap, although other conversions of comparable variables in the code remained protected. This caused a cascade of problems, culminating in destruction of the entire flight.

Although the report identified a software bug as the direct cause, other investigators see the causes as system design failures and management issues:
h) On the basis of those calculations the main computer commanded the booster nozzles, and somewhat later the main engine nozzle also, to make a large correction for an attitude deviation that had not occurred.
i) A rapid change of attitude occurred, which caused the launcher to disintegrate at 39 seconds after H0 due to aerodynamic forces.
m) Ariane 5's inertial reference system is essentially the same as a system presently flying on Ariane 4. The part of the software that caused the interruption in the inertial system computers is used before launch to align the inertial reference system and, in Ariane 4, also to enable a rapid realignment of the system in case of a late hold in the countdown. This realignment function, which does not serve any purpose on Ariane 5, was nevertheless retained for commonality reasons and allowed, as in Ariane 4, to operate for approx. 40 seconds after lift-off.
n) During design of the software of the inertial reference system used for Ariane 4 and Ariane 5, a decision was taken that it was not necessary to protect the inertial system computer from being made inoperative by an excessive value of the variable related to the horizontal velocity, a protection provided for several other variables of the alignment software. When taking this design decision, it was not analysed or fully understood which values this particular variable might assume when the alignment software was allowed to operate after lift-off.
o) In Ariane 4 flights using the same type of inertial reference system there has been no such failure because the trajectory during the first 40 seconds of flight is such that the particular variable related to horizontal velocity cannot reach, with an adequate operational margin, a value beyond the limit present in the software.
p) Ariane 5 has a high initial acceleration and a trajectory, which leads to a build-up of horizontal velocity five times more rapid than for Ariane 4. The higher horizontal velocity of Ariane 5 generated, within the 40-second timeframe, the excessive value that caused the inertial system computers to cease operation.
q) The purpose of the review process, which involves all major partners in the Ariane 5 programme, is to validate design decisions and to obtain flight qualification. In this process, the limitations of the alignment software were not fully analysed and the possible implications of allowing it to continue to function during flight were not realised.
r) The specification of the inertial reference system and the tests performed at equipment level did not specifically include the Ariane 5 trajectory data. Consequently the realignment function was not tested under simulated Ariane 5 flight conditions, and the design error was not discovered.
s) It would have been technically feasible to include almost the entire inertial reference system in the overall system simulations which were performed. For a number of reasons it was decided to use the simulated output of the inertial reference system, not the system itself or its detailed simulation. Had the system been included, the failure could have been detected.
t) Post-flight simulations have been carried out on a computer with software of the inertial reference system and with a simulated environment, including the actual trajectory data from the Ariane 501 flight. These simulations have faithfully reproduced the chain of events leading to the failure of the inertial reference systems.

Arithmetic Overflow

According to a presentation by Jean-Jacques Lévy (who was part of the team who searched for the source of the problem), the actual source code in Ada that caused the problem was as follows.

    -- Vertical bias (E_BV): converted to a 32-bit integer first, then range-checked
    -- before the narrowing to 16 bits, so an out-of-range value is saturated.
    L_M_BV_32 := TBD.T_ENTIER_32S ((1.0/C_M_LSB_BV) * G_M_INFO_DERIVE(T_ALG.E_BV));

    if L_M_BV_32 > 32767 then
        P_M_DERIVE(T_ALG.E_BV) := 16#7FFF#;
    elsif L_M_BV_32 < -32768 then
        P_M_DERIVE(T_ALG.E_BV) := 16#8000#;
    else
        P_M_DERIVE(T_ALG.E_BV) := UC_16S_EN_16NS(TDB.T_ENTIER_16S(L_M_BV_32));
    end if;

    -- Horizontal bias (E_BH): converted straight to a 16-bit integer with no
    -- range test; this is the conversion that overflowed on Ariane 5.
    P_M_DERIVE(T_ALG.E_BH) :=
        UC_16S_EN_16NS (TDB.T_ENTIER_16S ((1.0/C_M_LSB_BH) * G_M_INFO_DERIVE(T_ALG.E_BH)));


The last statement (shown here as two lines of text) caused the overflow: the conversion from 64 bits to 16 bits unsigned is not protected. The code before it is protected by testing, before the assignment, whether the number is too big.
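The following Python model is an added illustration, not code from the article, the inquiry report, or the Ariane software. It mirrors the two conversion patterns in the Ada fragment above (the range-tested, saturating E_BV branch and the untested E_BH conversion with the overflow trap armed), adds an interval check of the kind a static bound analysis would perform on the same expression, and runs the untested conversion over a constructed trajectory. The velocity profile, the LSB scale factor and the five-to-one rate ratio are assumptions chosen only so that one profile stays within the 16-bit range for 40 seconds and the other does not; none of them are flight data.

```python
"""Added illustration of the Ariane 501 conversion patterns (not project code).

Assumed names: to_int16_checked (T_ENTIER_16S with the trap enabled),
to_int16_saturating (the guarded E_BV branch), to_uint16_bits (UC_16S_EN_16NS),
and a constructed quadratic horizontal-velocity profile.
"""
from __future__ import annotations

import math
from typing import Optional

INT16_MIN, INT16_MAX = -32768, 32767


def _round_half_away(x: float) -> int:
    """Round to nearest, ties away from zero (Ada's float-to-integer rule)."""
    return int(math.copysign(math.floor(abs(x) + 0.5), x))


def to_int16_checked(value: float) -> int:
    """Narrowing with the range check left on: an out-of-range value traps,
    which is what the unprotected E_BH conversion did once the trap fired."""
    n = _round_half_away(value)
    if n < INT16_MIN or n > INT16_MAX:
        raise OverflowError(f"{value!r} does not fit in a 16-bit signed integer")
    return n


def to_int16_saturating(value: float) -> int:
    """The protected pattern: test before assigning and clamp at 16#7FFF#/16#8000#."""
    n = _round_half_away(value)
    return max(INT16_MIN, min(INT16_MAX, n))


def to_uint16_bits(n: int) -> int:
    """Reinterpret a 16-bit signed value's bit pattern as unsigned (no range change)."""
    if not INT16_MIN <= n <= INT16_MAX:
        raise ValueError("input must already be a 16-bit signed value")
    return n & 0xFFFF


def scaled_interval(v_lo: float, v_hi: float, lsb: float) -> tuple[int, int]:
    """Interval abstraction of (1.0/lsb) * v for v in [v_lo, v_hi], after rounding.
    This is the bound a static analysis needs to decide whether the narrowing is safe."""
    a, b = (1.0 / lsb) * v_lo, (1.0 / lsb) * v_hi
    return _round_half_away(min(a, b)), _round_half_away(max(a, b))


def conversion_may_overflow(v_lo: float, v_hi: float, lsb: float) -> bool:
    """True if any value in the input interval would trap in to_int16_checked."""
    lo, hi = scaled_interval(v_lo, v_hi, lsb)
    return lo < INT16_MIN or hi > INT16_MAX


def horizontal_velocity(t: float, rate: float) -> float:
    """Constructed profile (assumption): horizontal velocity grows as rate * t^2."""
    return rate * t * t


def first_overflow_time(rate: float, lsb: float,
                        duration: float = 40.0, step: float = 0.1) -> Optional[float]:
    """Run the unprotected conversion over the first `duration` seconds of the
    constructed trajectory and return the first time it traps, or None."""
    steps = int(round(duration / step))
    for i in range(steps + 1):
        t = round(i * step, 6)
        raw = (1.0 / lsb) * horizontal_velocity(t, rate)  # same shape as the Ada expression
        try:
            to_int16_checked(raw)
        except OverflowError:
            return t
    return None


# Constructed parameters (assumptions), with the Ariane 5-like rate five times the Ariane 4-like rate.
LSB_BH = 0.01
RATE_ARIANE4 = 0.05
RATE_ARIANE5 = 5 * RATE_ARIANE4

if __name__ == "__main__":
    for name, rate in (("Ariane 4-like", RATE_ARIANE4), ("Ariane 5-like", RATE_ARIANE5)):
        v_max = horizontal_velocity(40.0, rate)
        print(f"{name}: static check says overflow possible in 40 s ="
              f" {conversion_may_overflow(0.0, v_max, LSB_BH)}")
        t = first_overflow_time(rate, LSB_BH)
        print(f"{name}: {'no trap in 40 s' if t is None else f'trap at t={t} s'}")
    raw = (1.0 / LSB_BH) * horizontal_velocity(40.0, RATE_ARIANE5)
    print("saturating conversion of", raw, "->", to_int16_saturating(raw))
```

The static check and the time-stepped run agree on the two constructed profiles: the slower profile never leaves the 16-bit range, while the faster one is flagged by the interval check and traps part-way through the 40-second window. Substituting `to_int16_saturating` for `to_int16_checked` on the same input produces the clamped value instead of a trap, which is exactly the difference between the two branches in the Ada fragment.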

Aftermath

Following the failure, four replacement Cluster II satellites were built. These were launched in pairs aboard Soyuz-U/Fregat rockets in 2000.

The launch failure brought the high risks associated with complex computing systems to the attention of the general public, politicians, and executives, resulting in increased support for research on ensuring the reliability of safety-critical systems. The subsequent automated analysis of the Ariane code was the first example of large-scale static code analysis by abstract interpretation.

The failure also harmed the excellent success record of the European Space Agency's rocket family, set by the high success rate of the Ariane 4 model. It was not until 2007 that Ariane 5 launches were recognised as reliable as those of the predecessor model.

See also

  • Computer bug
  • Ada (programming language)
  • Apollo guidance computer – PGNCS trouble, another case where a spacecraft guidance computer suffered from having a subsystem inappropriately left running
  • Mars Climate Orbiter – software that had been adapted from an earlier Mars Climate Orbiter was not adequately tested before launch

External links

  • Jacques-Louis Lions et al., Ariane 501 Inquiry Board report
  • Spaceflight Now - Cluster II - Ariane 501 explodes — Footage of the final seconds of the rocket flight (216 kB QuickTime file).
  • Wired - History's Worst Software Bugs — An article about the top 10 software bugs. The Ariane 5 Flight 501 software glitch is mentioned as one of these bugs.
  • Ariane 5 - 501 (1-3) — A good article (in German) where the actual code in question is given.

The source of this article is Wikipedia, the free encyclopedia. The text of this article is licensed under the GFDL.