Crash and Burn Ariane 5

Crash and BurnAriane 5Kristen HieronymusSYSM6309 Advanced Requirements Engineering20130803Table of contentsThe RocketThe Payload37 Seconds After LaunchVideoRoot Cause AnalysisResultIronyRecommendationsHistorical ContextContinuing Spin Story

Ariane 5 RocketJune 4, 1996 launchEuropean Space Agency rocket$7Billion development cost10 years development timePayloadCluster payloadEuropean Space Agency program, in cooperation with NASA4 satellites on-boardTo fly in tetrahedral formationTo study Earths magnetosphere37 seconds after launchRocket self-destructed

videohttp://en.wikipedia.org/wiki/Ariane_5http://upload.wikimedia.org/wikipedia/commons/8/81/Ariane_5_10_2007.ogg

Root cause analysisTrying to put a 64-bit value in a 16-bit register caused an overflow condition, which led toRoot cause analysis 2The guidance system shut down, which led toRoot cause analysis 3The backup (identical) guidance system shutting down after encountering the same error, which led toRoot cause analysis 4A diagnostic bit pattern being sent to the steering system, which the steering system interpreted as flight data from the guidance system, rather than an error code indicating it was shutting down, which led toRoot cause ANALYSIS 5The steering system making an unnecessary and abrupt course correction of 20 degrees, which led toRoot cause analysis 6Aerodynamic forces ripping off the boosters from the rocket, which led to Root cause analysis 7Self-destruction sequence for the rocket, which led toresultComplete loss of the rocket and the four expensive, and uninsured satellites on-boardironyThe system which produced the overflow was not needed on the Ariane 5!Leftover from Ariane 4, due to reuse of entire subsystem (cost savings)Different launch preparation sequence from Ariane 4Velocity on Ariane 5 higher than Ariane 4

More ironyAriane 4 had requirement to not use more than 80% of memorySo, 4 variables had error protection code, but 3 others didntHorizontal Bias (Velocity) variable was one which didnt have protection codeRecommendations - RequirementsInclude trajectory in requirementsInclude the diagnostic bit pattern in the Interface documentChange assumptions from software never encounters an error, except due to CPU failure, so shutdown and failover to handle software exceptions in the code which encounters themRecommendations - RequirementsAdd requirement to shut down software which is not useful anymore at that phase of launchAdd requirement to include actual SRI not just simulator in system test

Recommendations - ProcessReview all flight software for implicit assumptionsBetter communication among participants:Specification reviewsCode reviewsJustification document reviewsMaintenance of justification documentationRecommendations - ProcessRequirement prioritization due to potential impactTreat reused modules more carefullyReview for assumptions about system contextInclude thorough interface tests, rather than treating as previously verifiedInclude error conditions in interface tests, not just happy pathRecommendations - CODEDocument assumptions clearly in codeAdd error protection code to report best estimate rather than shutting downHistorical ContextMilitary expenditures fallingCommercial use explodingInternationalization of competition for businessAerospace responsible for 5% of Frances economyOn-going spin storyWikipedia lists as a test launchTest launches do not carry expensive payloadsLinkshttp://ec.europa.eu/enterprise/sectors/aerospace/files/aerospace_studies/aerospace_study_en.pdfhttp://www.yale.edu/ynhti/curriculum/units/1990/7/90.07.06.x.htmlhttp://cahiersdugres.u-bordeaux4.fr/2006/2006-15.pdf http://www.around.com/ariane.htmlhttp://en.wikipedia.org/wiki/Ariane_5http://en.wikipedia.org/wiki/Cluster_missionhttp://www.ima.umn.edu/~arnold/disasters/ariane5rep.html