CS5032 Case study Ariane 5 launcher failure

12
Ariane launcher failure, Case study, 2013 Slide 1 The Ariane 5 Launcher Failure June 4th 1996 Total failure of the Ariane 5 launcher on its maiden flight

TAGS:

description

 

Transcript of CS5032 Case study Ariane 5 launcher failure

Page 1: CS5032 Case study Ariane 5 launcher failure

Ariane launcher failure, Case study, 2013 Slide 1

The Ariane 5 Launcher Failure

June 4th 1996

Total failure of the Ariane 5

launcher on its maiden flight

Page 2: CS5032 Case study Ariane 5 launcher failure

Ariane launcher failure, Case study, 2013 Slide 2

Ariane 5

• A European rocket designed to launch commercial payloads (e.g.communications satellites, etc.) into Earth orbit

• Successor to the successful Ariane 4 launchers

• Ariane 5 can carry a heavier payload than Ariane 4

Page 3: CS5032 Case study Ariane 5 launcher failure

Ariane launcher failure, Case study, 2013 Slide 3

Launcher failure

• Appoximately 37 seconds after a successful lift-off, the Ariane 5 launcher lost control

• Incorrect control signals were sent to the engines and these swivelled so that unsustainable stresses were imposed on the rocket

• It started to break up and self-destructed

• The system failure was a direct result of a software failure. However, it was symptomatic of a more general systems validation failure

Page 4: CS5032 Case study Ariane 5 launcher failure

Ariane launcher failure, Case study, 2013 Slide 4

The problem• The attitude and trajectory of the rocket are

measured by a computer-based inertial reference system. This transmits commands to the engines to maintain attitude and direction

• The software failed and this system and the backup system shut down

• Diagnostic commands were transmitted to the engines which interpreted them as real data and which swivelled to an extreme position

Page 5: CS5032 Case study Ariane 5 launcher failure

Ariane launcher failure, Case study, 2013 Slide 5

Software failure

• Software failure occurred when an attempt to convert a 64-bit floating point number to a signed 16-bit integer caused the number to overflow.

• There was no exception handler associated with the conversion so the system exception management facilities were invoked. These shut down the software.

• Redundant but not diverse software– The backup software was a copy and behaved in exactly

the same way.

Page 6: CS5032 Case study Ariane 5 launcher failure

Ariane launcher failure, Case study, 2013 Slide 6

Avoidable failure?

• The software that failed was reused from the Ariane 4 launch vehicle. The computation that resulted in overflow was not used by Ariane 5.

• Decisions were made– Not to remove the facility as this could introduce new

faults

– Not to test for overflow exceptions because the processor was heavily loaded. For dependability reasons, it was thought desirable to have some spare processor capacity

Page 7: CS5032 Case study Ariane 5 launcher failure

Ariane launcher failure, Case study, 2013 Slide 7

Why not Ariane 4?

• The physical characteristics of Ariane 4 (A smaller vehicle) are such that it has a lower initial acceleration and build up of horizontal velocity than Ariane 5

• The value of the variable on Ariane 4 could never reach a level that caused overflow during the launch period.

Page 8: CS5032 Case study Ariane 5 launcher failure

Ariane launcher failure, Case study, 2013 Slide 8

Validation failure• As the facility that failed was not required for

Ariane 5, there was no requirement associated with it.

• As there was no associated requirement, there were no tests of that part of the software and hence no possibility of discovering the problem.

• During system testing, simulators of the inertial reference system computers were used. These did not generate the error as there was no requirement!

Page 9: CS5032 Case study Ariane 5 launcher failure

Ariane launcher failure, Case study, 2013 Slide 9

Review failure

• The design and code of all software should be reviewed for problems during the development process

• Either– The inertial reference system software was not reviewed

because it had been used in a previous version

– The review failed to expose the problem or that the test coverage would not reveal the problem

– The review failed to appreciate the consequences of system shutdown during a launch

Page 10: CS5032 Case study Ariane 5 launcher failure

Ariane launcher failure, Case study, 2013 Slide 10

Lessons learned

• Don’t run software in critical systems unless it is actually needed

• As well as testing for what the system should do, you may also have to test for what the system should not do

• Do not have a default exception handling response which is system shut-down in systems that have no fail-safe state

Page 11: CS5032 Case study Ariane 5 launcher failure

Ariane launcher failure, Case study, 2013 Slide 11

Lessons learned

• In critical computations, always return best effort values even if the absolutely correct values cannot be computed

• Wherever possible, use real equipment and not simulations

• Improve the review process to include external participants and review all assumptions made in the code

Page 12: CS5032 Case study Ariane 5 launcher failure

Ariane launcher failure, Case study, 2013 Slide 12

Avoidable failure

• The designer’s of Ariane 5 made a critical and elementary error.

• They designed a system where a single component failure could cause the entire system to fail


Mutations ariane

Mutations ariane

THE ARIANE 6 SYSTEM : ON BOARD-GROUND INTERFACES AND ... · THE ARIANE 6 SYSTEM : ON BOARD-GROUND INTERFACES AND LAUNCH FACILITY ... Airbus Safran Launcher (ASL) created in December

THE ARIANE 6 SYSTEM : ON BOARD-GROUND INTERFACES AND ... · THE ARIANE 6 SYSTEM : ON BOARD-GROUND INTERFACES AND LAUNCH FACILITY ... Airbus Safran Launcher (ASL) created in December

CS5032 L9 security engineering 1 2013

CS5032 L9 security engineering 1 2013

CS5032 Lecture 6: Human Error 2

CS5032 Lecture 6: Human Error 2

LNCS 4037 - Modeling and Validation of a Software ...graf/PAPERS/OGL-FMOODS06.pdf · Modeling and Validation of a Software Architecture for the Ariane-5 Launcher Iulian Ober1, Susanne

LNCS 4037 - Modeling and Validation of a Software ...graf/PAPERS/OGL-FMOODS06.pdf · Modeling and Validation of a Software Architecture for the Ariane-5 Launcher Iulian Ober1, Susanne

Launcher Evolution - KTH/Forsberg-GKN-space... · Heritage from Ariane 5 Main engine is improved Vulcain 2 (reduced number of parts, new technologies) Technology sharing with Vega

Launcher Evolution - KTH/Forsberg-GKN-space... · Heritage from Ariane 5 Main engine is improved Vulcain 2 (reduced number of parts, new technologies) Technology sharing with Vega

Bacchus et Ariane

Bacchus et Ariane

Improved Hybrid Navigation for Space Transportation...Improved Hybrid Navigation for Space Transportation 3 Ariane-V launcher [11]. Results of this experiment have been used by Braun

Improved Hybrid Navigation for Space Transportation...Improved Hybrid Navigation for Space Transportation 3 Ariane-V launcher [11]. Results of this experiment have been used by Braun

Software Verification and Validation Prof. Lionel Briand Ph.D., … · • Worked with ESA on Ariane launcher SW testing processes • Head of the SW quality engineering department

Software Verification and Validation Prof. Lionel Briand Ph.D., … · • Worked with ESA on Ariane launcher SW testing processes • Head of the SW quality engineering department

Indaux Ariane

Indaux Ariane

ENVIRONMENTAL IMPACT OF THE EXPLOITATION OF ......ENVIRONMENTAL IMPACT OF THE EXPLOITATION OF THE ARIANE 6 LAUNCHER SYSTEM Aurélie Gallice, Thibaut Maury, Dr. Encarna del Olmo Cleanspace

ENVIRONMENTAL IMPACT OF THE EXPLOITATION OF ......ENVIRONMENTAL IMPACT OF THE EXPLOITATION OF THE ARIANE 6 LAUNCHER SYSTEM Aurélie Gallice, Thibaut Maury, Dr. Encarna del Olmo Cleanspace

PUSHING BACK THE FRONTIERS · 2018. 11. 8. · Press kit / 3 Air Liquide, at the heart of the european launcher Ariane 5 Since the Ariane program kicked off in Brussels in 1973, Air

PUSHING BACK THE FRONTIERS · 2018. 11. 8. · Press kit / 3 Air Liquide, at the heart of the european launcher Ariane 5 Since the Ariane program kicked off in Brussels in 1973, Air

WIRELESS ON SPACE LAUNCHER – ARIANE 5 Astrium · 2009. 5. 19. · Provider of all major elements for Ariane 5 EUROPROPULSION EAP Engine SNECMA EPC Engine Astrium ST EPC Astrium

WIRELESS ON SPACE LAUNCHER – ARIANE 5 Astrium · 2009. 5. 19. · Provider of all major elements for Ariane 5 EUROPROPULSION EAP Engine SNECMA EPC Engine Astrium ST EPC Astrium

Ariane Baby Shower

Ariane Baby Shower

ARIANE 6 - AAE · 2018. 11. 28. · Ariane 1 to 5: a long story in brief Ariane 1 development: After the failure of the Europa launcher programme, France has proposed to its European

ARIANE 6 - AAE · 2018. 11. 28. · Ariane 1 to 5: a long story in brief Ariane 1 development: After the failure of the Europa launcher programme, France has proposed to its European

Ariane Moss

Ariane Moss

Ariane-5 - ESA

Ariane-5 - ESA

CS5032 Lecture 9: Learning from failure 1

CS5032 Lecture 9: Learning from failure 1

CS5032 Lecture 19: Dependable infrastructure

CS5032 Lecture 19: Dependable infrastructure

IAASS13 Arianespace 2013 [Mode de compatibilité]iaassconference2013.space-safety.org/wp-content/uploads/... · 2020. 7. 13. · 6 Ariane 2 11 Ariane 3 116 Ariane 4 68 Ariane 5 Arianespace

IAASS13 Arianespace 2013 [Mode de compatibilité]iaassconference2013.space-safety.org/wp-content/uploads/... · 2020. 7. 13. · 6 Ariane 2 11 Ariane 3 116 Ariane 4 68 Ariane 5 Arianespace