Ariane V88
V88 (V for French vol, "flight") was the flight number of the first launch of the European heavy-lift launch vehicle Ariane 5 on June 4, 1996. The rocket carried the serial number 501. The flight ended about 40 seconds after lift-off when the rocket suddenly veered off course after an unhandled exception in the software of the control unit and destroyed itself shortly afterwards. The four Cluster research satellites for studying the Earth's magnetic field were lost.
The software that led to the course deviation had been taken over unchanged, and without system tests, from the predecessor rocket Ariane 4, although it was not suited to the different trajectory of the Ariane 5 and served no purpose once the rocket had lifted off. The control unit was redundant, but the same defective software ran on both systems.
The failure, a total loss of around 290 million euros, led to a one-year delay in the Ariane 5 program, during which launches reverted temporarily to Ariane 4. A new set of Cluster satellites was launched four years after the accident, on Russian Soyuz rockets.
Take-off preparations and flight
Background
The development of a new heavy-lift launcher as successor to the successful Ariane 4 was finally decided at the ESA ministerial conference in 1987. The higher performance of the Ariane 5 was meant, on the one hand, to keep pace with the increasing mass of commercial telecommunications satellites and, on the other, to make the launch of the Hermes space shuttle possible. Although the Hermes program was canceled in 1992, Ariane 5 continued to be developed with possible crewed use in mind. For the qualified Ariane 5 rocket, depending on the upper stage, a reliability of 98-99% was targeted, corresponding to at most one failure per 50 to 100 launches. In addition, the launch costs of Ariane 5 were to be lower than those of the previous rocket. Since these requirements could not be met by further developing Ariane 4, most of the Ariane 5 had to be developed from scratch.
The development of Ariane 5 took place on behalf of the European Space Agency ESA, which handed technical and financial management over to the French space agency CNES. France made the largest contribution to the program, with a share of 46%. The qualification flight of Ariane 501 was originally scheduled for October 1995 but was postponed to June of the following year because of delays in development.
Payload
The payload of Ariane 501 consisted of the four research satellites of the Cluster mission, with a total mass of 4681 kg. The Cluster program had been proposed in 1982 during an ESA call for the next series of scientific missions and was developed with the participation of NASA. The aim of the mission was to examine, in three dimensions, small-scale spatial and temporal changes in the Earth's magnetosphere and in the solar wind plasma near Earth. The four satellites were to be released by the rocket in two pairs into a geostationary transfer orbit and were eventually to reach a highly elliptical orbit (HEO).
Flight
The countdown proceeded normally until seven minutes before launch (H0 - 7 min), when it was halted because the visibility conditions were not met. After almost an hour the countdown was resumed, and lift-off took place at 9:34 local time (12:34 UTC). Up to H0 + 36 s, when the rocket was at an altitude of about 3700 m, the flight was nominal. In the seconds that followed, the rocket deviated from its course, began to break apart, and self-destructed.
In the days following the launch, ESA Director General Jean-Marie Luton and CNES President Alain Bensoussan set up a nine-member inquiry board headed by Jacques-Louis Lions, President of the French Académie des Sciences. The independent team was to determine the cause of the accident, assess the adequacy of the validation methods, and identify corrective actions. The board began its work on June 13, 1996 and delivered its report on July 19. According to the published summary of the report, the following chain of events occurred from H0 + 36 s:
The error was caused by a software module present in both inertial navigation systems (INS) of the control unit, which was responsible for calculating the alignment of the strapdown inertial platform. During the conversion of a 64-bit floating-point variable into a signed 16-bit integer, an arithmetic overflow occurred. This variable, E_BH (bias horizontal, "horizontal alignment"), indicated the alignment precision of the inertial platform and was related to the horizontal velocity of the rocket. The line of code that led to the error was the following:
P_M_DERIVE(T_ALG.E_BH) := UC_16S_EN_16NS (TDB.T_ENTIER_16S ((1.0/C_M_LSB_BH) * G_M_INFO_DERIVE(T_ALG.E_BH)))
The unhandled operand error (the Ada exception raised by the conversion) led to the failure, a transition to "degraded mode", first of the backup INS and shortly afterwards of the main INS, and thus to the complete loss of guidance and attitude information. From this point on, the INS no longer supplied actual flight data to the on-board computer, but essentially only diagnostic information.
The on-board computer interpreted the INS diagnostic information as normal flight data and wrongly detected a large deviation from the flight path. The computer therefore commanded the nozzles of the two solid-fuel boosters, and shortly afterwards the Vulcain engine of the main stage, to swivel in order to correct the supposed deviation. The swiveled nozzles turned the rocket off its course at more than 30 degrees per second. Since the rocket was still in the denser layers of the atmosphere, it could not withstand the large angle of attack of the airflow and began to break apart under the high aerodynamic loads. After the connections between the solid-fuel boosters and the main stage had torn off, the rocket initiated its automatic self-destruction, as designed for this case, and exploded. Ground control then also sent the destruct command, even though the rocket had already been destroyed by that point.
At the time of the explosion, the rocket was at an altitude of 4000 m, about one kilometer east of the launch pad. The debris of the exploded launcher was scattered over an area of 5 km × 2.5 km; the cloud created by the explosion and the exhaust gases drifted towards the ocean, where it gradually dispersed. Some fragments fell near the ELA-3 launch site, which itself remained undamaged. Nobody was hurt in the accident.
Despite the swampy terrain, some systems were recovered. These included the two INS, which contained data that had not been received via telemetry. Fragments of the four Cluster satellites were also recovered, but they were no longer usable.
Causes of failure
The error could be reproduced in a simulation in which the flight software was run on the actual flight data. The board also found abnormal fluctuations in the hydraulic pressure of both actuators of the Vulcain engine, which were investigated subsequently. This anomaly had no bearing on the failure of Ariane 501. According to the public summary of the report, no other weaknesses or external factors were found that could have been responsible for the launch failure.
INS software and exception handling
The design of the INS used in Ariane 5 was adopted almost unchanged from Ariane 4.
The overflow of the variable E_BH was due to the fact that the horizontal velocity of the inertial platform was five times higher than on Ariane 4, because of the larger pitch angle at the beginning of the flight. The software itself had been tested before the flight, but with a selection of parameters that did not cover the error conditions. The inquiry board criticized that the system specification of the INS did not document the limits on the operating conditions imposed by the software.
The software module that caused the error provided meaningful data, for both Ariane 5 and the predecessor rocket, only before launch, and served no purpose afterwards. Nevertheless, the module continued to run for the first 40 seconds of flight, a requirement carried over from Ariane 4. The purpose of continuing the procedure was to be able to realign the platform quickly in the event of a countdown hold shortly before launch. These considerations do not apply to Ariane 5, since that launcher has a different preparation sequence.
An analysis of the alignment procedure identified seven variables whose calculation could potentially cause an operand error. Four of the variables were protected by exception handling for operand errors. Because the maximum load on the INS computer was not allowed to exceed 80% according to the technical specifications, the project partners jointly agreed to leave the remaining three variables, including E_BH, unprotected. This decision was not commented on in the source code. Analysis had shown that the three remaining variables either had limited physical effects or had a large margin of safety. In the case of E_BH this turned out to be wrong, so that, as the specification provided, the INS processor was shut down in the absence of exception handling. The board considered that the effects of software exceptions should be limited and that the INS should at least have provided estimates of the data at all times.
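As an added illustration of the conversion described above (this is not the Ariane flight code, and the scale factor, the input values and the helper names are constructed stand-ins, since the page gives neither the value of C_M_LSB_BH nor the actual velocities), the following C models one INS cycle for E_BH with and without an exception handler, plus the widening to 32 bits that the report's corrective actions mention:

```c
#include <stdint.h>
#include <stdbool.h>
#include <math.h>

/* Hypothetical scale factor standing in for the Ariane constant C_M_LSB_BH
 * (its real value is not on the page): one LSB of the integer word equals
 * this many units of the 64-bit input.  1/0.125 = 8 exactly in binary. */
#define LSB_BH 0.125

typedef enum {
    INS_NOMINAL,    /* value fitted, the word is exact                   */
    INS_ESTIMATED,  /* overflow caught by a handler, saturated estimate  */
    INS_SHUTDOWN    /* overflow uncaught: processor halts (flight 501)   */
} ins_status;

/* Range-checked narrowing.  The check is done on the scaled double before
 * the cast, because converting an out-of-range double to int16_t is
 * undefined behaviour in C (Ada raises the operand error the report names). */
static bool to_int16_checked(double scaled, int16_t *out)
{
    if (!isfinite(scaled) || scaled < INT16_MIN || scaled > INT16_MAX)
        return false;
    *out = (int16_t)scaled;
    return true;
}

/* One INS cycle for E_BH.  'handler_present' stands for the exception
 * handler that protected four of the seven variables but not E_BH. */
ins_status ins_e_bh_step(double e_bh, bool handler_present, int16_t *word)
{
    double scaled = (1.0 / LSB_BH) * e_bh;   /* mirrors the failing line */
    if (to_int16_checked(scaled, word))
        return INS_NOMINAL;
    if (!handler_present)
        return INS_SHUTDOWN;
    /* Handler: hand the flight computer a saturated estimate rather than
     * nothing at all, which is what the board said the INS should have done. */
    *word = (scaled > 0) ? INT16_MAX : INT16_MIN;
    return INS_ESTIMATED;
}

/* Convenience wrapper: the 16-bit word a step produced, or 0 on shutdown. */
int16_t ins_e_bh_word(double e_bh, bool handler_present)
{
    int16_t w = 0;
    return ins_e_bh_step(e_bh, handler_present, &w) == INS_SHUTDOWN ? 0 : w;
}

/* The post-accident fix: the same value declared as a 32-bit integer, so a
 * horizontal velocity five times that of Ariane 4 still fits. */
bool ins_e_bh_32(double e_bh, int32_t *word)
{
    double scaled = (1.0 / LSB_BH) * e_bh;
    if (!isfinite(scaled) || scaled < INT32_MIN || scaled > INT32_MAX)
        return false;
    *word = (int32_t)scaled;
    return true;
}
```

With a constructed Ariane 4-like input of 1000.0 the word is 8000; the five-times larger 5000.0 overflows the 16-bit word and either shuts the INS down or, with a handler, yields a saturated estimate, while the 32-bit variant returns 40000.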
Simulations and tests
Organizations and companies involved in the affected systems:

| Organization | Role |
|---|---|
| ESA | Client |
| CNES | Technical management |
| Aérospatiale (merged into EADS) | Main contractor |
| Matra Marconi Space (merged into EADS Astrium) | Control unit |
| Sextant Avionique (today Thales Avionics) | Inertial navigation systems |
The behavior of the unprotected variables was not simulated with the planned trajectory data of Ariane 5. Had the INS been simulated on a motion simulator with flight data, the bug could have been discovered. In fact, by joint decision, the Ariane 5 trajectory data had not been included in the requirements and specification documents of the INS.
The main contractor for the Ariane 5 project, Aérospatiale, owned a facility for simulating flight components (installation de simulation fonctionnelle, ISF), which was used to test many of the launcher's systems in closed-loop simulation. A request to subject the two INS to such a simulation was rejected by CNES for financial reasons. In the end, only the interfaces to the on-board computer were tested. The reason given was that the INS had been used successfully in 23 Ariane 4 launches since 1994, so that a separate qualification was superfluous; it was also argued that the precision of the ISF would not have been sufficient for an accurate simulation. The inquiry board classified this decision as risky and found that even an imprecise simulation would have been worthwhile to test the system integration.
Classification of the error
The inquiry board concluded that the accident was due to a "systematic software design error". Some publications do not share this assessment, since the INS computer program behaved according to its specification and design throughout. Indeed, depending on the point of view, different causes can be identified whose removal would have averted the launch failure.
According to Gérard Le Lann, the board confused software engineering with systems engineering. The incomplete specification of the INS should be regarded as a faulty system design, and the insufficient storage width chosen for the integer result of the conversion of the variable E_BH is not a software error but a dimensioning problem of the system. He points out that the same error would have occurred if all software modules had been implemented in hardware.
Mark Dowson also sees at least a systems engineering problem in the error, since the operational environment of the software was not sufficiently taken into account. The accident is, in his view, an example of why the "political" aspects of the development cycle must not be neglected: a good development process should govern not only how systems are designed and developed, but also how decisions about design and development are made at a higher level.
In retrospect, the British magazine Space Insurance Report criticized the inconclusive figures on the planned reliability of the rocket. The decision to launch uninsured payloads with an untested launcher was also a risky one.
Although the characterization of the accident as a program error has been questioned, the loss of Ariane 501 is a frequently cited example of costly software errors. The technology magazine Wired, for example, counted the accident among the ten "worst bugs in history".
Reactions and consequences
Corrective actions
In the summary of its report, the inquiry board made several recommendations to avoid a similar accident in future. Software functions that are not needed during flight should be deactivated immediately after lift-off, and systems should undergo a full closed-loop simulation, ideally including trajectory data. In addition, the effects of exceptions should be limited and, where necessary, fallback solutions should be used so that no sensor stops delivering at least estimated values. Justification documents should be given the same attention as code, and the two should always be kept consistent.
The commission also recommended that experts be convened to develop a software qualification procedure. A separate software qualification review should take place for each device that contains software, and persons outside the project should systematically check the validity of the arguments put forward during reviews. Finally, it was recommended that the cooperation between the project participants be organized more transparently, with clear powers and responsibilities.
Some of the board's recommendations were subsequently implemented. For example, Aérospatiale carried out a complete review of the INS and flight software. Among other things, a static code analysis based on abstract interpretation was performed on a total of 90,000 lines of Ada code. These checks were among the first large static analyses of an industrial program and contributed to the wider adoption of static analysis methods. In the flight software, the causal error was corrected by declaring E_BH as a 32-bit integer.
Aftermath
The total loss of rocket and payload amounted to around 1.9 billion francs (290 million euros). The failure of V88 resulted in long delays for the Cluster mission. Initially, ESA considered building a single satellite, called "Phoenix", from spare parts. After it became clear, however, that the scientific goals of the mission could not be achieved with a single satellite, three more satellites were built. The satellites were launched in pairs in July and August 2000 on Soyuz-Fregat rockets from the Russian launch site Baikonur.
After the failure, France's Minister Delegate for Post, Telecommunications and Space, François Fillon, reaffirmed his confidence in the Ariane program. For the time being, the delays in the Ariane 5 program could be offset by the previous rocket; a successful Ariane 4 launch took place just eleven days after V88.
The second qualification flight of an Ariane 5 took place in October 1997, carrying only dummy satellites and the YES student satellite. The flight was only a partial success, as a premature engine shutdown left the payloads in an orbit that was too low. This error could be explained and corrected after the flight. Nevertheless, customer confidence in the new launcher suffered, so that Ariane 4 continued to be launched until 2003.
Literature
- J. de Dalmau, J. Gigou: Ariane-5: Learning from Flight 501 and Preparing for 502. ESA Bulletin 89 (Feb. 1997), ISSN 0376-4265 (online)
- Mark Dowson: The Ariane 5 Software Failure. ACM SIGSOFT Software Engineering Notes 22, 2 (March 1997): 84, ISSN 0163-5948
- Gérard Le Lann: The Ariane 5 Flight 501 Failure - A Case Study in System Engineering for Computing Systems. INRIA Research Report RR-3079 (1996) (PDF, 140 kB)
- Jean-Jacques Lévy: Un petit bogue, un grand boum! (Presentation with excerpts from the unpublished inquiry report and parts of the original source code. PDF, 15.3 MB)
- Jacques-Louis Lions et al.: Ariane 5 Flight 501 Failure - Report by the Inquiry Board. Paris, July 19, 1996; ESA Directorate of Launchers, CNES: Flight A501: Immediate Post-Accident Analysis (summary of the inquiry report. PDF, 2.1 MB)
- Bashar Nuseibeh: Ariane 5: Who Dunnit? IEEE Software 14, 3 (May-June 1997): 15-16, ISSN 0740-7459 (Memento of March 2, 2012 in the Internet Archive)
Web links
- V88 ARIANE 501 (Capcom Espace) (French) - report on the launch campaign, with video of the launch
References
- R. Orye: Ariane 5: A Launcher for the 21st Century, p. 2. AIAA 94-4653. AIAA Space Programs and Technologies Conference, Huntsville, AL, September 27-29, 1994
- P. Jorant: Ariane 5 Family, p. 5. AIAA 93-4131. AIAA Space Programs and Technologies Conference and Exhibit, Huntsville, AL, September 21-23, 1993
- Jean-Paul Dufour, Jean-François Augereau: Le programme Ariane-5 n'est pas remis en cause par la destruction du lanceur. Le Monde, June 6, 1996
- Orye: Ariane 5: A Launcher for the 21st Century, p. 5
- William Huon: Ariane, une épopée européenne, p. 200. ETAI 2007, ISBN 978-2-7268-8709-7
- C. P. Escoubet et al. (eds.): The Cluster and Phoenix Missions. Kluwer, Dordrecht 1997, ISBN 0-7923-4411-1
- Lions et al.: Ariane 5 Flight 501 Failure - Report by the Inquiry Board. Paris 1996
- I-Shih Chang: European Space Launch Failures, p. 10. AIAA 2000-3574. 36th AIAA/ASME/SAE/ASEE Joint Propulsion Conference and Exhibit, Huntsville, AL, July 16-19, 2000
- De Dalmau, Gigou: Ariane-5: Learning from Flight 501 and Preparing for 502.
- Lions et al.: Ariane 5 Flight 501 Failure - Report by the Inquiry Board, p. 3
- ESA/CNES: Immediate Post-Accident Analysis, slide 9
- Ariane 5 Report Details Software Design Errors. Aviation Week & Space Technology, September 19, 1996, pp. 79-81, ISSN 0005-2175
- Space News, June 24-30, 1996, ISSN 1046-6940
- ESA/CNES: Immediate Post-Accident Analysis, slide 10
- Bashar Nuseibeh: Ariane 5: Who Dunnit?
- Le Lann: The Ariane 5 Flight 501 Failure - A Case Study in System Engineering for Computing Systems.
- Dowson: The Ariane 5 Software Failure.
- Ariane 501 & the Reliability Factor. Space Insurance Report 86 (July 1996), ISSN 0957-0063
- Simson Garfinkel: History's Worst Software Bugs. Wired, August 11, 2005
- Philippe Lacan et al.: ARIANE 5 - The Software Reliability Verification Process. In: DASIA 98 Proceedings, pp. 201-205. ESA Publications Division, Noordwijk 1998, ISBN 92-9092-688-0 (online)
- CDRH Software Forensics Lab: Applying Rocket Science To Device Analysis. (Memento of May 24, 2008 in the Internet Archive) The Gray Sheet, October 15, 2007, ISSN 1530-1214
- ESA Space Science: Cluster Overview