Case Study

The Crash of Ariane 5

Abstract—Software bugs have always been a part of software development. Code can never be free of errors; the errors must be found and corrected. The failure of the Ariane 5 rocket is the most famous and expensive software bug in history. The code for the Inertial Reference System (IRS) of Ariane 5 was inherited from Ariane 4. The Ariane 5 had a greater horizontal acceleration, due to which both the primary and backup IRS failed. The IRS sent diagnostic data to the On Board Computer, which interpreted it as control signals. This imposed unsustainable stresses on the rocket, and it self-destructed. We have learned several lessons from this incident. 1. Code should always be written keeping in mind that it might be reused in the future. 2. Testing is essential and should not be ignored. 3. Code reuse is not always helpful. 4. Coordination between various departments plays a major role in the success of a project. This failure has become a lesson not just for Arianespace and ESA but for everyone.

1 Introduction

The Ariane 5 is a heavy-lift launch vehicle designed and developed by the European Space Agency (ESA) in coordination with the Centre National d'Études Spatiales (CNES). To date, there have been 97 Ariane 5 rocket launches. The Ariane 6 is currently under development and will replace the Ariane 5 in the near future.

The Ariane 5 development programme began in 1987. It took 10 years and cost the ESA around $7 billion to develop. However, during its maiden flight in June 1996, the rocket veered off course and was destroyed due to a software bug in its active and backup flight control systems.

The purpose of this report is to document the mistakes of the ESA and its partners which led to the failure of the first Ariane 5 rocket, the Ariane 501.

2 Background

The Ariane 5 project was a heavy-lift launch vehicle programme that aimed to deliver payloads (primarily satellites) into either geostationary transfer orbit or low Earth orbit.

This project was undertaken by the European Space Agency (ESA) in 1987. A multitude of European companies were involved in the implementation of this project, under the ESA Arianespace programme. Arianespace became the parent company which operates the Ariane 5 heavy-lift rockets, providing commercial space transportation services. Today, Arianespace has 50 shareholders from 12 European nations.

The Ariane 5 programme was financed by 10 European countries, with France being the primary contributor. This was primarily a commercial venture rather than an academic one. The ESA launches the rockets from the Guiana Space Center in French Guiana. The Ariane 5 is expected to carry on launches until 2022; however, the Ariane 6 will begin launches in 2020.

3 The Incident

On 4th June 1996, the newest rocket of the European Space Agency (ESA), the Ariane 5 serial number 501, exploded approximately 37 seconds after its initial take-off due to a software bug in its guidance system. It had been under development for a decade at a cost of $7 billion. The Ariane 5 is the first European-made human-capable rocket, designed to launch the Hermes spaceplane and other future spacecraft or satellites into low Earth orbit (LEO). The LEO launch capacity of the Ariane 5 is 20 metric tons.

The Ariane 501 suddenly changed its trajectory and exploded mid-air shortly after launch. It was due to an error in its internal navigation system, also known as the Inertial Reference System (IRS).

An IRS system consists of laser gyroscopes and accelerometers which measure the altitude, speed and angular rate with respect to the pitch, roll and yaw axes of the rocket. This data is then fed to the onboard computer (OBC), which helps in maintaining the trajectory of the rocket. The OBC executes the built-in flight program, which interprets this data and guides the rocket along its intended flight path.

There were two IRS systems installed on the Ariane 5 rockets, one active primary system, and another as backup in case of hardware failure of the active IRS system.

The Ariane 501 took off successfully from the launchpad. But about 37 seconds after launch, the software installed on the primary active IRS system encountered a bug which led to its crash. The backup IRS system crashed immediately afterwards, as its codebase was the same as that of the active IRS system.

The onboard computer (OBC) was no longer receiving correct trajectory data, but instead received diagnostic data from the crashed IRS system, which it misinterpreted as rocket trajectory data. The computer used this faulty data to correct the rocket trajectory, which created extreme pressures on the rocket. The Ariane 5 was not designed to tolerate such extreme aerodynamic loads, and hence it started to break up. The safety mechanism of the rocket was triggered, and the rocket exploded mid-air before it could cause any damage on the ground.

3.1 Impact of the Incident

The failure of the Ariane 501 was a setback to the European Space Agency (ESA). This incident led to an increase in support and funding for research and development, to ensure the reliability of safety-critical systems. An indigenous Ariane 5 programme was necessary to develop and maintain the European Meteosat satellite systems as well as European telecommunication satellite systems, and to reduce dependence on foreign heavy-lift vehicles.

There was a risk that multiple concurrent failures of this system could have jeopardized the funding by the 10 member nations for the Ariane 5 project, as some countries could lose confidence in the ability of ESA to successfully deploy such an advanced rocket system without cost overruns. This project was strategically important, but also had to be commercially viable. In the end, this did not have any long-term impact on the ESA. Massimo Trella, the ESA inspector general, said: “I have great confidence that we have a vehicle that is more robust than 501.”

The European Space Agency’s Ariane 5 programme bounced back quickly, and on 30th October 1997, the ESA successfully launched the Ariane 502 rocket, which met all their objectives.

4 What Went Wrong

The fault was identified as a software bug in the rocket’s Inertial Reference System. The rocket used this system to determine whether it was pointing up or down, which is formally known as the horizontal bias, or informally as a BH value. This value was represented by a 64-bit floating-point variable, which was perfectly adequate. Problems began to occur when the software attempted to stuff this 64-bit variable, which can represent billions of potential values, into a 16-bit integer, which can only represent 65,535 potential values (a range from -32,768 to +32,767). For the first few seconds of flight, the rocket’s acceleration was low, so the conversion between these two values was successful. However, as the rocket’s velocity increased, the 64-bit variable exceeded the range and became too large to fit in a 16-bit variable. It was at this point that the processor encountered an operand error and populated the BH variable with a diagnostic value.
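The narrowing conversion described above, as an added C example (not the Ariane flight software, which was written in Ada). `to_int16_checked` tests the range before casting and reports a failure instead of converting, while `to_int16_saturating` clamps; the function names and the sample BH values are constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

typedef enum { CONV_OK, CONV_RANGE, CONV_NAN } conv_status;

/* Checked narrowing of a 64-bit float to a 16-bit signed integer. Casting an
 * out-of-range double to int16_t is undefined in C, so test before the cast. */
conv_status to_int16_checked(double v, int16_t *out)
{
    if (v != v)                               /* NaN never equals itself */
        return CONV_NAN;
    if (v <= (double)INT16_MIN - 1.0 || v >= (double)INT16_MAX + 1.0)
        return CONV_RANGE;                    /* would not fit after truncation */
    *out = (int16_t)v;                        /* truncates toward zero */
    return CONV_OK;
}

/* Alternative policy: clamp to the nearest representable value and tell the
 * caller the result is no longer exact, instead of stopping the computation. */
int16_t to_int16_saturating(double v, int *clamped)
{
    int16_t r = 0;                            /* NaN maps to 0 */
    conv_status s = to_int16_checked(v, &r);
    *clamped = (s != CONV_OK);
    if (s == CONV_RANGE)
        r = (v < 0) ? INT16_MIN : INT16_MAX;
    return r;
}

/* Index of the first sample that cannot be converted, or n if all fit. */
size_t first_unrepresentable(const double *samples, size_t n)
{
    int16_t tmp;
    for (size_t i = 0; i < n; i++)
        if (to_int16_checked(samples[i], &tmp) != CONV_OK)
            return i;
    return n;
}

/* Constructed, steadily growing values standing in for BH; not flight data. */
static const double SAMPLE_BH[] = { 120.5, 4096.0, 20000.25, 32767.9, 32768.0, 51000.0 };

int main(void)
{
    size_t n = sizeof SAMPLE_BH / sizeof SAMPLE_BH[0];
    printf("first value that does not fit: index %zu\n", first_unrepresentable(SAMPLE_BH, n));
    return 0;
}
```

Which policy is right depends on the consumer of the value: a status code forces the caller to decide, while saturation keeps a degraded value flowing.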

The independent investigators concluded that there was a series of software design errors that were not picked up; however, no individual group was to blame. From this and the research conducted, we can take the view that all groups showed a clear lack of responsibility to ensure the systems would work prior to launch. However, after the independent investigation was conducted, most groups felt responsible for the failure. Based on the assumption that every group felt responsible upon reflection, it can be concluded that there was a clear lack of communication within the project, both from the top down and from the bottom up. Many lessons can be taken from this failure for future Ariane projects.

5 Lessons Learnt

There were a number of lessons that could be learned from the failure of the Ariane 5 launch. One commonly raised issue was the choice of programming language. Ariane 5 was programmed using Ada, developed for the United States Department of Defense, which did not throw an error handler when the conversion error occurred, shutting down the SRI. Jean-Marc Jézéquel and Bertrand Meyer have argued that the use of a different programming language, which would have forced all data type errors to be handled, could have prevented the issue. Although this wasn’t the cause of the disaster, it has at least prompted discussion on whether the programming language used was adequate for the situation.

Following the incident, the Inquiry Board’s recommendation was that better testing procedures needed to be implemented to detect the failure. This could be achieved through the use of a more realistic simulation, fully replicating the conditions of the launch, as this would have revealed the error that eventually led to the destruction of the Ariane 5 rocket without the eventual material cost that affected Arianespace and the European Space Agency.

The code that led to the failure of the Ariane 5 rocket had been reused from the Ariane 4 rocket launch. Although all the reused code had been tested, the inertial reference system that led to the failure of the Ariane 5 was no longer needed after the initial launch. Had the inertial reference system been shut down after the initial launch, the section of code that led to the failure would not have been used, preventing the failure from ever happening in the first place. As a result, one of the recommendations of the Inquiry Board was that any software that was not essential should not function throughout the duration of the launch. This action helped prevent a similar failure occurring in future launches of the Ariane 5.

One of the final lessons learnt from the Ariane 5 disaster was that closer cooperation was needed between the various departments that contributed towards the construction of the rocket. With proper coordination between the software engineering and safety engineering departments, it may have been possible to discover the fatal flaw in the system and prevent the Ariane 5 disaster.

6 Conclusion

To conclude, the primary reason for the failure of the Ariane 5 launch was the recycled code taken from the Ariane 4 launch not being able to successfully convert a number and thus shutting down the whole system. But there was more to this disaster than just a failed conversion.

Since the failure of the initial Ariane 5 launch, the issues that led to the catastrophic failure have been rectified. A total of 96 rockets have been launched since, with 92 of them being successful. This has led to a total success rate of 94.8% for all launches of the Ariane 5 rocket. Not only has Ariane 5 had an extremely high success rate for its launches, but between April 2003 and December 2017, Ariane 5 had also flown 82 consecutive missions without failure. Ariane 5 has contracts for launches until 2022, after the planned introduction of a new rocket, Ariane 6, in 2020. Hopefully, the lessons learnt from the failure of the initial Ariane 5 launch will be carried over to the Ariane 6 launch and prevent any further disasters from occurring.


 
