8/4/2019 Arian 5 Failure Details

1/12

The A riane 5 Launcher Failu re

June 4th 1996Tota l fa ilure o f theAriane 5 launcher

on its m aidenflightIan Sommerville 2004 Software Engineering Case Studies Slide 1

8/4/2019 Arian 5 Failure Details

2/12

Ariane 5

Ian Sommerville 2004

A Eu ro pe a n ro c ke t d e s ig n e d tola un ch c om m e rc ia l pa ylo ad s(e .g .c o m m u n ic a tio n s s a te llite s ,e tc .) in to Ea rth o rbitSu cc e s s o r to th e su cc es s fu lA rian e 4 la u nc h e rs

A rian e 5 c an c a rry a h e a vie rpaylo a d th a n A rian e 4

Software Engineering Case Studies Slide 2

8/4/2019 Arian 5 Failure Details

3/12

L au n ch er fa ilu re A ppro xim ate ly 37 seco n d s after a su ccessfu l lift-o ff, th e

A rian e 5 lau n ch er lo s t co n tro l. In co rrec t co n tro l s ig n a ls w ere sen t to th e en g in es an d

th ese sw ive lled so th at u n su s ta inable s tresses w ereim po sed o n th e ro cket.

It s ta rted to break u p an d w as d es tro yed by g ro u n dcontrol lers.

T h e sys tem fa ilu re w as a d irect resu lt o f a so ftw arefa ilu re . H o w ever, it w as sym pto m atic o f a m ore g en era ls ys te m s va lid atio n fa ilu re .

Ian Sommerville 2004 Software Engineering Case Studies Slide 3

8/4/2019 Arian 5 Failure Details

4/12

The problem The attitude and trajectory of the rocket aremeasured by a computer-based inertial referencesystem. This transmits commands to the engines tomaintain attitude and direction. The software failed and this system and the backupsystem shut down. Diagnostic commands were transmitted to theengines which interpreted them as real data andwhich swivelled to an extreme position resulting inunforeseen stresses on the rocket.

Ian Sommerville 2004 Software Engineering Case Studies Slide 4

8/4/2019 Arian 5 Failure Details

5/12

S oftw a re fa ilu re So ftw are fa ilu re o c cu rre d w h e n an a ttem pt to

c o n ve rt a 64 -bit flo a tin g po in t n u m ber to a s ig n ed16-bit in teg e r c au s e d th e n um b er to o verflo w . T h e re w a s n o e xc eptio n h a n d le r a ss o c ia ted w ithth e co nve rs io n so th e sys te m exce ptio nm a nag em e nt fac ilitie s w ere in vo ked . T h e se sh utd ow n th e s o ftw are . T h e ba cku p s o ftw a re w a s a c o py a n d be h a ve d ine xac tly th e sa m e w a y.

Ian Sommerville 2004 Software Engineering Case Studies Slide 5

8/4/2019 Arian 5 Failure Details

6/12

Avoidable failure?

The software that failed was reused from theAriane 4 launch vehicle. The computation thatresulted in overflow was not used by Ariane 5.Decisions were made Not to remove the facility as this could introduce newfaults; Not to test for overflow exceptions because the

processor was heavily loaded. For dependabilityreasons, it was thought desirable to have somespare processor capacity.

Ian Sommerville 2004 Software Engineering Case Studies Slide 6

8/4/2019 Arian 5 Failure Details

7/12

Why not Ariane 4? The physical characteristics of Ariane 4 (A

smaller vehicle) are such that it has a lower initialacceleration and build up of horizontal velocitythan Ariane 5.

The value of the variable on Ariane 4 could neverreach a level that caused overflow during thelaunch period.

Ian Sommerville 2004 Software Engineering Case Studies Slide 7

8/4/2019 Arian 5 Failure Details

8/12

Validation failure As the facility that failed was not required for Ariane5, there was no requirement associated with it. As there was no associated requirement, there were

no tests of that part of the software and hence nopossibility of discovering the problem. During system testing, simulators of the inertialreference system computers were used. These didnot generate the error as there was no requirementl

Ian Sommerville 2004 Software Engineering Case Studies Slide 8

8/4/2019 Arian 5 Failure Details

9/12

Review failure The design and code of all software should be reviewedfor problems during the development process

Either The inertial reference system software was not reviewedbecause it had been used in a previous version; The review failed to expose the problem or that the testcoverage would not reveal the problem; The review failed to appreciate the consequences of system

shutdown during a launch.

Ian Sommerville 2004 Software Engineering Case Studies Slide 9

8/4/2019 Arian 5 Failure Details

10/12

Lessons learned Don't run software in critical systems unless it isactually needed. As well as testing for what the system should do,you may also have to test for what the systemshould not do. Do not have a default exception handling

response which is system shut-down in systemsthat have no fail-safe state.

Ian Sommerville 2004 Software Engineering Case Studies Slide 10

8/4/2019 Arian 5 Failure Details

11/12

Lessons learned In critical computations, always return best effortvalues even if the absolutely correct values

cannot be computed. Wherever possible, use real equipment and notsimulations. Improve the review process to include external

participants and review all assumptions made inthe code.

Ian Sommerville 2004 Software Engineering Case Studies Slide 11

8/4/2019 Arian 5 Failure Details

12/12

A v oid a ble fa ilu re T h e d es ig n er's o f A rian e 5 m ad e a critica l an d

e le m en ta ry erro r. T h ey d es ig n ed a sys tem w h ere a s in g leco m po n en t fa ilu re co u ld cau se th e en tire sys tem

to fa il. As a g en era l ru le , c ritica l system s sh o u ld a lw ays

be d es ig n ed to avo id a s in g le po in t o f fa ilu re .

Ian Sommerville 2004 Software Engineering Case Studies Slide 12