Ariane 5 Launch Failure


On June 4th, 1996, Flight 501, the first lift off of the unmanned space vehicle Ariane 5, veered off the flight path, broke up and exploded. The financial loss of the cargo and rocket was $500 million.

The exception handling mechanism of the Ariane 5 was based upon the approach that the system should: indicate the failure on the databus, store the context of the failure, and shut down the Inertial Reference System. This was based on analysis that restart was not feasible given the difficulty in calculating attitude after shutdown.

Analysis of the vulnerability of unprotected code found that seven Ada conversions could give rise to exceptions. Four of these seven conversions were protected, but no explicit justification was given as to why these four were selected, apart from reports that each of the three remaining variables was felt to be either physically limited or to have a large safety margin.

The Ariane 5 trajectory data was not included in the SRI (Inertial Reference System) requirements and specification, and the value of the horizontal bias was much higher in Ariane 5 than in Ariane 4 because of the difference in early trajectory.

After approximately 36 seconds of flight, the software that performed the alignment of the strap-down inertial platform (a function that was not used in flight) attempted to perform a type conversion. The software in both the active and backup Inertial Reference Systems attempted to convert a 64-bit floating-point value relating to horizontal velocity to a 16-bit signed integer, and the conversion failed because the value exceeded the range a 16-bit integer can store. The data conversion was not protected, and so it caused an exception.

The alignment function was operative for approximately 40 seconds of flight, based upon the requirements of the predecessor Ariane 4.

Exception handling was only meant to address random hardware failures, and did not handle software failures well. The exception resulted in the failure of the backup Inertial Reference System, and almost immediately thereafter the active Inertial Reference System failed.

The onboard computer interpreted the diagnostic bit patterns from the inertial reference systems as flight data.

The most obvious effect of the failures was the swivelling of the nozzles of the solid boosters into an extreme position followed by the same behaviour from the Vulcain engine. This caused a rupture of the links between the solid boosters and the core stage, and self-destruction was triggered.

Fix?

The Inertial Reference System could have continued to provide an estimate of the attitude. This is known as coasting, one method of forward error recovery.

Fix?

If the conversion had been protected, no exception would have occurred, and some form of error recovery might have been applied.
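The failing conversion described above (a 64-bit floating-point horizontal-bias value forced into a 16-bit signed integer) and this proposed fix can be shown side by side. The example below is added here and is not code from the Ariane 5 software; the function names, the status codes and the sample values are constructed for illustration. It contrasts an unchecked cast with a protected conversion that reports an out-of-range value to the caller, and a saturating variant that degrades to the nearest representable value so that a recovery strategy can be applied instead of shutting the unit down.

```c
#include <stdint.h>
#include <stdbool.h>
#include <math.h>
#include <stdio.h>

/* Hypothetical status codes for this example (not from the Ariane 5 code). */
typedef enum { CONV_OK = 0, CONV_OUT_OF_RANGE = 1, CONV_NOT_A_NUMBER = 2 } conv_status;

/* Unprotected conversion, as in the failing alignment code: in Ada this
 * raises Constraint_Error for an out-of-range value; in C the cast is
 * undefined behaviour once the value does not fit in int16_t. */
int16_t convert_bh_unchecked(double bh)
{
    return (int16_t)bh;
}

/* Protected conversion: the range check is done on the double, before any
 * cast, so no exception (or undefined behaviour) can occur. The caller
 * receives a status and decides how to recover. */
conv_status convert_bh_checked(double bh, int16_t *out)
{
    if (isnan(bh)) {
        return CONV_NOT_A_NUMBER;
    }
    if (bh > (double)INT16_MAX || bh < (double)INT16_MIN) {
        return CONV_OUT_OF_RANGE;
    }
    *out = (int16_t)bh;   /* safe: value proven representable */
    return CONV_OK;
}

/* Saturating variant: clamp to the representable range and flag that
 * clamping happened. One possible recovery policy: keep producing a
 * bounded value rather than emitting a diagnostic pattern on the bus. */
int16_t convert_bh_saturating(double bh, bool *clamped)
{
    *clamped = false;
    if (isnan(bh))               { *clamped = true; return 0; }
    if (bh > (double)INT16_MAX)  { *clamped = true; return INT16_MAX; }
    if (bh < (double)INT16_MIN)  { *clamped = true; return INT16_MIN; }
    return (int16_t)bh;
}

/* Small wrappers that return one value each (handy for a test harness). */
int checked_status(double bh)   { int16_t v = 0; return (int)convert_bh_checked(bh, &v); }
int checked_value(double bh)    { int16_t v = 0; convert_bh_checked(bh, &v); return v; }
int saturated_value(double bh)  { bool c; return convert_bh_saturating(bh, &c); }
int saturated_clamped(double bh){ bool c; convert_bh_saturating(bh, &c); return c ? 1 : 0; }

int main(void)
{
    /* Constructed sample inputs: one value inside the 16-bit range (an
     * Ariane-4-like bias) and two far outside it (Ariane-5-like biases). */
    const double samples[] = { 12345.0, 98765.0, -40000.0 };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        double bh = samples[i];
        int16_t v = 0;
        bool clamped;
        conv_status st = convert_bh_checked(bh, &v);
        int16_t sat = convert_bh_saturating(bh, &clamped);
        printf("bh=%9.1f checked: status=%d value=%d | saturating: value=%d clamped=%d\n",
               bh, (int)st, (int)v, (int)sat, (int)clamped);
    }
    return 0;
}
```

The unchecked function is kept only to show what the original code did; nothing in `main` calls it, because for the two out-of-range samples it has no defined result. In the checked version the comparison happens on the double, which is the order that matters: checking after the cast would be checking a value that was already corrupted (or, in Ada, never returned at all).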

Fix?

If the requirements for Ariane 5 had been better documented, the calculation of how many seconds the alignment function could safely run for might have been corrected, and the exception would not have occurred.

Similar?

The Patriot Missile mistiming was caused by inaccuracy in a conversion.