Patriot Missile Mistiming


During the Gulf War, Patriot missile batteries were set up as a defence against Iraqi Scuds. On February 25th, 1991, a battery in Dhahran failed to intercept a Scud, which subsequently struck an Army barracks, causing 28 deaths and 98 injuries.

The Patriot missile was originally intended to operate in a mobile fashion against high-altitude aircraft and cruise missiles, running for a few hours at most to avoid detection. It had since been extended to intercept short-range ballistic missiles.

The battery in question had been in operation for over 100 hours at the time of the incident. A software problem in the conversion of a timing variable from an integer to a floating-point value introduced an inaccuracy that grew worse the longer the system had been in operation; by the time of the incident the timing was out by a third of a second.
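As an added illustration, not part of the original text, the arithmetic below reproduces the drift using the commonly reported register details, which are assumptions here rather than facts stated on the page: uptime was counted in tenths of a second, and the constant 0.1 was held in a 24-bit register as a chopped binary fraction with 23 bits after the binary point. The last function turns the same arithmetic around to give the run-time limit, i.e. the operational envelope, for a chosen timing tolerance; the target speed and the 0.1 s tolerance are constructed round figures.

```python
from fractions import Fraction

# Assumed register layout (widely reported in post-incident analyses, not stated on this page):
# the uptime counter advanced once per tenth of a second and was multiplied by a
# fixed-point constant 0.1 that had been chopped to 23 bits after the binary point.
FRACTION_BITS = 23          # assumed number of fractional bits in the stored constant
TICKS_PER_SECOND = 10       # one counter tick per tenth of a second
TICK = Fraction(1, 10)      # the exact value the stored constant was meant to represent


def stored_tick(bits: int = FRACTION_BITS) -> Fraction:
    """0.1 chopped (truncated, not rounded) to `bits` binary fraction digits."""
    scale = 1 << bits
    return Fraction(int(TICK * scale), scale)   # int() truncates toward zero


def tick_error(bits: int = FRACTION_BITS) -> Fraction:
    """Exact shortfall of the stored constant per counter tick (about 9.5e-8 s)."""
    return TICK - stored_tick(bits)


def drift_seconds(uptime_hours: float, bits: int = FRACTION_BITS) -> float:
    """Accumulated clock error after `uptime_hours` of continuous operation.
    The error is linear in uptime, which is why a long-running battery drifts."""
    ticks = int(uptime_hours * 3600 * TICKS_PER_SECOND)
    return float(ticks * tick_error(bits))


def position_error_m(uptime_hours: float, target_speed_mps: float) -> float:
    """Distance by which the tracking window is displaced for a target at that speed."""
    return drift_seconds(uptime_hours) * target_speed_mps


def max_uptime_hours(tolerance_seconds: float, bits: int = FRACTION_BITS) -> float:
    """Longest run time before the drift exceeds a stated timing tolerance:
    the operational envelope that a deployment limit should be derived from."""
    per_hour = float(tick_error(bits)) * 3600 * TICKS_PER_SECOND
    return tolerance_seconds / per_hour


if __name__ == "__main__":
    print(f"per-tick error: {float(tick_error()):.3e} s")
    for hours in (1, 8, 20, 48, 100):
        # 1700 m/s is an assumed round figure for a short-range ballistic missile
        print(f"{hours:>4} h uptime -> {drift_seconds(hours):.3f} s drift, "
              f"{position_error_m(hours, 1700):.0f} m at 1700 m/s")
    print(f"to stay under 0.1 s of error, restart within {max_uptime_hours(0.1):.1f} h")
```

After 100 hours the drift comes out at roughly 0.34 s, matching the third of a second cited above.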

Two weeks before the incident, Israeli data had indicated the loss of accuracy over time. On February 21st, users of the Patriot were informed that long run times could result in inaccuracies, but no indication was given of what "long" meant. Updated software did not reach Dhahran until the day after the incident.

It is possible to argue that the Patriot was not a safety-critical system, but that it was mission-critical instead. Some forms of hazard identification and risk assessment (such as Damage Modes and Effects Analysis (DMEA)) take account of consequences a system is intended to prevent.

Fix?

It should be ensured that a safety-critical system is only used within its operational envelope, requiring that the envelope be properly identified.

Similar?

The Ariane 5 launch failure was likewise caused by a failed numeric conversion.

Fix?

Better documentation might have ensured that the operational envelope was properly defined and respected.