Ariane 5

Title: PowerPoint-Präsentation
Author: Isolde Gehn
Last modified by: Department of Computer Science
Created Date: 10/7/2003 10:06:15 PM

Learn more at: http://wwwx.cs.unc.edu
1
Ariane 5
  • Integer overflow

Software error
2
External view
  • Only about 40 seconds after initiation of the
    flight sequence, at an altitude of about 3700 m,
    the launcher veered off its flight path, broke up
    and exploded

3
External view
4
Cost
  • Development cost 7 Billion
  • Delay of more than one year
  • One set of four identical, uninsured scientific
    satellites
  • One rocket
  • 500,000,000

5
Source of the bug
  • Software exception in the alignment part of the
    SRI (inertial reference system)

64-bit floating point → 16-bit signed integer
6
Ada code
    begin
       sensor_get(vertical_veloc_sensor);
       sensor_get(horizontal_veloc_sensor);
       -- Unprotected conversions: a value outside the integer range raises an exception
       vertical_veloc_bias := integer(vertical_veloc_sensor);
       horizontal_veloc_bias := integer(horizontal_veloc_sensor);
       ...
    exception
       when numeric_error => calculate_vertical_veloc;
       when others => use_irs1;
    end;
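
The 64-bit floating point to 16-bit signed integer conversion named on the previous slide, as an added Ada example that is not from the original presentation or from the flight software. It puts an unprotected conversion next to a range-checked one; the type and subprogram names, the saturation policy and the sample values are assumptions constructed for illustration.

```ada
with Ada.Text_IO; use Ada.Text_IO;

procedure Conversion_Demo is
   type Float64 is digits 15;                  --  64-bit floating point
   type Int16   is range -2**15 .. 2**15 - 1;  --  16-bit signed integer

   --  Unprotected: an out-of-range Value raises Constraint_Error.
   function Unprotected (Value : Float64) return Int16 is
   begin
      return Int16 (Value);
   end Unprotected;

   --  Protected: test the range before converting and saturate at the
   --  limits instead of raising (saturation is this example's policy).
   function Saturated (Value : Float64) return Int16 is
   begin
      if Value >= Float64 (Int16'Last) then
         return Int16'Last;
      elsif Value <= Float64 (Int16'First) then
         return Int16'First;
      elsif not Value'Valid then               --  NaN: no ordering holds
         return 0;
      else
         return Int16 (Value);                 --  in range, rounds to nearest
      end if;
   end Saturated;

   --  Constructed sample inputs, not flight data.
   Samples : constant array (1 .. 4) of Float64 :=
     (120.0, 32_767.0, 40_000.0, -1.0E9);
begin
   for I in Samples'Range loop
      Put (Float64'Image (Samples (I)) & " saturated =>"
           & Int16'Image (Saturated (Samples (I))) & ", unprotected =>");
      begin
         Put_Line (Int16'Image (Unprotected (Samples (I))));
      exception
         --  The handler keeps the demo running; without one the
         --  exception propagates to the caller.
         when Constraint_Error =>
            Put_Line (" Constraint_Error");
      end;
   end loop;
end Conversion_Demo;
```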

7
Technical Events

8
Design errors
  • Shut down on failure
  • Only addressing random hardware failures
  • Requirement for continuing operation
  • Ariane 4 can continue countdown without waiting
  • Ariane 5 has a different preparation sequence
  • Alignment function useless after lift-off
  • Not all conversions were protected 

9
Design errors
  • No Ariane 5 trajectory data was included in the
    specifications
  • Never change a running system
  • Software should be considered correct until it is
    shown to be at fault

10
Testing
  • No adequate analysis and testing of the SRI
  • Limitation of the SRI software not fully analysed
  • Test coverage was inadequate
  • Review contributory factor in failure

11
Testing
  • Tests performed on the SRI could not detect the
    fault
  • The error could have been detected by
  • Testing the software alone
  • Using electronic input to the SRI

12
Recommendations
  • Any onboard function used solely on the ground
    must be inhibited in flight

Software should be assumed to be faulty until
applying the currently accepted best practice can
demonstrate that it is correct
http://www.esa.int/export/esaCP/Pr_33_1996_p_EN.html