Ariane flight V88

Last updated

Cluster
Mission type Magnetospheric
Operator ESA
Spacecraft properties
Launch mass1,200 kilograms (2,600 lb)
Start of mission
Launch date12:34:06,4 June 1996(UTC) (1996-06-04T12:34:06Z)
Rocket Ariane 5G
Launch site Kourou ELA-3
End of mission
Disposallaunch failure
Destroyed4 June 1996 (1996-06-04)
Cluster insignia.jpg
ESA quadrilateral mission insignia for Cluster
  SOHO
Huygens  

Ariane flight V88 [1] was the failed maiden flight of the Arianespace Ariane 5 rocket, vehicle no. 501, on 4 June 1996. It carried the Cluster spacecraft, a constellation of four European Space Agency research satellites.

Contents

The launch ended in failure due to multiple errors in the software design: dead code, intended only for Ariane 4, with inadequate protection against integer overflow led to an exception handled inappropriately, halting the whole otherwise unaffected inertial navigation system. This caused the rocket to veer off its flight path 37 seconds after launch, beginning to disintegrate under high aerodynamic forces, and finally self-destructing via its automated flight termination system. The failure has become known as one of the most infamous and expensive software bugs in history. [2] The failure resulted in a loss of more than US$370 million. [3]

Launch failure

Diagram of the Ariane 501 with the four Cluster satellites Ariane 501 Cluster.svg
Diagram of the Ariane 501 with the four Cluster satellites
Fragment fallout zone of failed Ariane 501 launch Ariane 501 Fallout Zone.svg
Fragment fallout zone of failed Ariane 501 launch
Recovered support strut of the satellite structure Ariane 501 Fragment.jpg
Recovered support strut of the satellite structure

The Ariane 5 reused the code from the inertial reference platform from the Ariane 4, but the early part of the Ariane 5's flight path differed from the Ariane 4 in having higher horizontal velocity values. This caused an internal value BH (Horizontal Bias) calculated in the alignment function to be unexpectedly high. The alignment function was operative for approximately 40 seconds of flight, which was based on a requirement of Ariane 4, but served no purpose after lift-off on the Ariane 5. [4] The greater values of BH caused a data conversion from a 64-bit floating point number to a 16-bit signed integer value to overflow and cause a hardware exception. [5] The programmers had protected only four out of seven critical variables against overflow to keep within a required maximum workload target of 80% for the on-board Inertial Reference System computer, and relied on assumptions which were correct for the trajectory of Ariane 4, but not Ariane 5, regarding the possible range of values for the three unprotected variables. [6] The exception halted both of the inertial reference system modules, although they were intended to be redundant. The active module presented a diagnostic bit pattern to the On-Board Computer which was interpreted as flight data, in particular causing full nozzle deflections of the solid boosters and the Vulcain main engine. This led to an angle of attack of more than 20 degrees, causing separation of the boosters from the main stage, the triggering of the self-destruct system of the launcher, and the destruction of the flight. [4]

The official report on the crash (conducted by an inquiry board headed by Jacques-Louis Lions) noted that "An underlying theme in the development of Ariane 5 is the bias towards the mitigation of random failure. The supplier of the inertial navigation system (SRI) was only following the specification given to it, which stipulated that in the event of any detected exception the processor was to be stopped. The exception which occurred was not due to random failure but a design error. The exception was detected, but inappropriately handled because the view had been taken that software should be considered correct until it is shown to be at fault. [...] Although the failure was due to a systematic software design error, mechanisms can be introduced to mitigate this type of problem. For example the computers within the SRIs could have continued to provide their best estimates of the required attitude information. There is reason for concern that a software exception should be allowed, or even required, to cause a processor to halt while handling mission-critical equipment. Indeed, the loss of a proper software function is hazardous because the same software runs in both SRI units. In the case of Ariane 501, this resulted in the switch-off of two still healthy critical units of equipment." [4]

Other issues identified in the report focused on testing: [4]

Another perspective of the failure, based on systems engineering, focuses on requirements: [7]

Payload

Cluster consisted of four 1,200 kilograms (2,600 lb) cylindrical, spin-stabilised spacecraft, powered by 224 watt solar cells. The spacecraft were to have flown in a tetrahedral formation, and were intended to conduct research into the Earth's magnetosphere. The satellites would have been placed into highly elliptical orbits; 17,200 by 120,600 kilometres (10,700 by 74,900 mi), inclined at 90 degrees to the equator. [8]

Aftermath

Following the failure, four replacement Cluster II satellites were built. These were launched in pairs aboard Soyuz-U/Fregat rockets in 2000.

The launch failure brought the high risks associated with complex computing systems to the attention of the general public, politicians, and executives, resulting in increased support for research on ensuring the reliability of safety-critical systems. The subsequent automated analysis of the Ariane code (written in Ada) was the first example of large-scale static code analysis by abstract interpretation. [9]

The failure also harmed the excellent success record of the European Space Agency's rocket family, set by the high success rate of the Ariane 4 model. It was not until 2007 that Ariane 5 launches were recognised as being as reliable as those of the predecessor model. [10]

See also

Related Research Articles

<span class="mw-page-title-main">Ariane 5</span> European heavy-lift space launch vehicle (1996–2023)

Ariane 5 is a retired European heavy-lift space launch vehicle developed and operated by Arianespace for the European Space Agency (ESA). It was launched from the Guiana Space Centre (CSG) in French Guiana. It was used to deliver payloads into geostationary transfer orbit (GTO), low Earth orbit (LEO) or further into space. The launch vehicle had a streak of 82 consecutive successful launches between 9 April 2003 and 12 December 2017. Since 2014, Ariane 6, a direct successor system, is in development.

A software bug is a bug in computer software.

Matra Marconi Space (MMS) was a Franco-British aerospace company.

<span class="mw-page-title-main">Proton (rocket family)</span> Soviet designed rocket family

Proton is an expendable launch system used for both commercial and Russian government space launches. The first Proton rocket was launched in 1965. Modern versions of the launch system are still in use as of 2023, making it one of the most successful heavy boosters in the history of spaceflight. The components of all Protons are manufactured in the Khrunichev State Research and Production Space Center factory in Moscow and Chemical Automatics Design Bureau in Voronezh, then transported to the Baikonur Cosmodrome, where they are assembled at Site 91 to form the launch vehicle. Following payload integration, the rocket is then brought to the launch pad horizontally by rail, and raised into vertical position for launch.

<span class="mw-page-title-main">Progress (spacecraft)</span> Russian expendable freighter spacecraft

The Progress is a Russian expendable cargo spacecraft. Its purpose is to deliver the supplies needed to sustain a human presence in orbit. While it does not carry a crew, it can be boarded by astronauts when docked to a space station, hence it is classified as crewed by its manufacturer. Progress is derived from the crewed Soyuz spacecraft and launches on the same launch vehicle, a Soyuz rocket.

<span class="mw-page-title-main">Automated Transfer Vehicle</span> Uncrewed cargo spacecraft developed by the European Space Agency

The Automated Transfer Vehicle, originally Ariane Transfer Vehicle or ATV, was an expendable cargo spacecraft developed by the European Space Agency (ESA), used for space cargo transport in 2008–2015. The ATV design was launched to orbit five times, exclusively by the Ariane 5 heavy-lift launch vehicle. It effectively was a larger European counterpart to the Russian Progress cargo spacecraft for carrying upmass to a single destination—the International Space Station (ISS)—but with three times the capacity.

<span class="mw-page-title-main">Apollo 5</span> Uncrewed first test flight of the Apollo Lunar Module

Apollo 5, also known as AS-204, was the uncrewed first flight of the Apollo Lunar Module (LM) that would later carry astronauts to the surface of the Moon. The Saturn IB rocket bearing the LM lifted off from Cape Kennedy on January 22, 1968. The mission was successful, though due to programming problems an alternate mission to that originally planned was executed.

<span class="mw-page-title-main">AS-201</span> 1966 uncrewed, suborbital test flight within the Apollo program

AS-201, flown February 26, 1966, was the first uncrewed test flight of an entire production Block I Apollo command and service module and the Saturn IB launch vehicle. The spacecraft consisted of the second Block I command module and the first Block I service module. The suborbital flight was a partially successful demonstration of the service propulsion system and the reaction control systems of both modules, and successfully demonstrated the capability of the command module's heat shield to survive re-entry from low Earth orbit.

<span class="mw-page-title-main">AS-101</span> 1964 Apollo Program test flight

AS-101 was the sixth flight of the Saturn I launch vehicle, which carried the first boilerplate Apollo spacecraft into low Earth orbit. The test took place on May 28, 1964, lasting for four orbits. The spacecraft and its upper stage completed a total of 54 orbits before reentering the atmosphere and crashing in the Pacific Ocean on June 1, 1964.

<span class="mw-page-title-main">Saturn IB</span> American rocket used in the Apollo program during the 1960s and 70s

The Saturn IB(also known as the uprated Saturn I) was an American launch vehicle commissioned by the National Aeronautics and Space Administration (NASA) for the Apollo program. It uprated the Saturn I by replacing the S-IV second stage, with the S-IVB. The S-IB first stage also increased the S-I baseline's thrust from 1,500,000 pounds-force (6,700,000 N) to 1,600,000 pounds-force (7,100,000 N) and propellant load by 3.1%. This increased the Saturn I's low Earth orbit payload capability from 20,000 pounds (9,100 kg) to 46,000 pounds (21,000 kg), enough for early flight tests of a half-fueled Apollo command and service module (CSM) or a fully fueled Apollo Lunar Module (LM), before the larger Saturn V needed for lunar flight was ready.

<span class="mw-page-title-main">Saturn V instrument unit</span> Ring-shaped structure

The Saturn V instrument unit is a ring-shaped structure fitted to the top of the Saturn V rocket's third stage (S-IVB) and the Saturn IB's second stage. It was immediately below the SLA (Spacecraft/Lunar Module Adapter) panels that contained the Apollo Lunar Module. The instrument unit contains the guidance system for the Saturn V rocket. Some of the electronics contained within the instrument unit are a digital computer, analog flight control computer, emergency detection system, inertial guidance platform, control accelerometers, and control rate gyros. The instrument unit (IU) for Saturn V was designed by NASA at Marshall Space Flight Center (MSFC) and was developed from the Saturn I IU. NASA's contractor to manufacture the Saturn V Instrument Unit was International Business Machines (IBM).

<span class="mw-page-title-main">Apollo PGNCS</span> Apollo spacecraft guidance system

The Apollo primary guidance, navigation, and control system was a self-contained inertial guidance system that allowed Apollo spacecraft to carry out their missions when communications with Earth were interrupted, either as expected, when the spacecraft were behind the Moon, or in case of a communications failure. The Apollo command module (CM) and lunar module (LM), were each equipped with a version of PGNCS. PGNCS, and specifically its computer, were also the command center for all system inputs from the LM, including the alignment optical telescope, the radar system, the manual translation and rotation device inputs by the astronauts as well as other inputs from the LM systems.

<span class="mw-page-title-main">Integer overflow</span> Computer arithmetic error

In computer programming, an integer overflow occurs when an arithmetic operation on integers attempts to create a numeric value that is outside of the range that can be represented with a given number of digits – either higher than the maximum or lower than the minimum representable value.

<span class="mw-page-title-main">2011 in spaceflight</span>

The year 2011 saw a number of significant events in spaceflight, including the retirement of NASA's Space Shuttle after its final flight in July 2011, and the launch of China's first space station module, Tiangong-1, in September. A total of 84 orbital launches were conducted over the course of the year, of which 78 were successful. Russia, China and the United States conducted the majority of the year's orbital launches, with 35, 19 and 18 launches respectively; 2011 marked the first year that China conducted more successful launches than the United States. Seven crewed missions were launched into orbit during 2011, carrying a total of 28 astronauts to the International Space Station. Additionally, the Zenit-3F and Long March 2F/G carrier rockets made their maiden flights in 2011, while the Delta II Heavy made its last.

Hot Bird 7 was a communications satellite that was lost in a launch failure in 2002. Intended for operation by Eutelsat, it was to have provided direct-to-home broadcasting services from geostationary orbit as part of Eutelsat's Hot Bird constellation at a longitude of 13° East. Hot Bird 7 was intended to replace the Hot Bird 3 satellite, which had been launched in 1997.

<span class="mw-page-title-main">Progress M-12M</span> Resupply mission or crew escape test

Progress M-12M, identified by NASA as Progress 44P, was an uncrewed Progress spacecraft that was lost in a launch failure on 24 August 2011, at the start of a mission to resupply the International Space Station. It was the twelfth modernised Progress-M spacecraft to be launched. Manufactured by RKK Energia, the spacecraft was to have been operated by the Russian Federal Space Agency.

<span class="mw-page-title-main">European contribution to the International Space Station</span> Overview of the contribution to the International Space Station from Europe

The European contribution to the International Space Station comes from 10 members of the European Space Agency (ESA) and amounts to an 8% share in the programme. It consists of a number of modules in the US Orbital Segment, ATV supply ships, launchers, software and €8 billion.

<span class="mw-page-title-main">Boeing Orbital Flight Test</span> Uncrewed flight test of the Boeing Starliner spacecraft

The Boeing Starliner Orbital Flight Test was the first orbital mission of the CST-100 Starliner spacecraft, conducted by Boeing as part of NASA's Commercial Crew Program. The mission was planned to be an eight-day test flight of the spacecraft, involving a rendezvous and docking with the International Space Station (ISS), and a landing in the western United States. The mission was launched on 20 December 2019 at 11:36:43 UTC or 06:36:43 AM EST; however an issue with the spacecraft's Mission Elapsed Time (MET) clock occurred 31 minutes into flight. This anomaly caused the spacecraft to burn into an incorrect orbit, preventing a rendezvous with the International Space Station (ISS). The mission was reduced to just two days, with the spacecraft successfully landing at White Sands Space Harbor on 22 December 2019.

<span class="mw-page-title-main">Simulation-to-Flight 1</span> Microsatellite

Simulation-to-Flight 1 (STF-1) is a microsatellite built by the Katherine Johnson Independent Verification and Validation Facility (IV&V) in Fairmont, West Virginia with the collaboration of the West Virginia Space Grants Consortium and West Virginia University.

References

  1. Henrion, Jean Yves; Vallée, Thierry (1997). "V88 Ariane 501". Capcom Espace.
  2. Gleick, James (1 December 1996). "A Bug and A Crash". New York Times Magazine. Archived from the original on 20 April 2012. Retrieved 7 April 2012.
  3. Dowson, Mark (March 1997). "The Ariane 5 Software Failure". ACM SIGSOFT Software Engineering Notes. 22 (2): 84. doi:10.1145/251880.251992. S2CID   43439273.
  4. 1 2 3 4 Lions, J. L. (19 July 1996). ARIANE 5 Failure - Full Report (Report). Inquiry Board set up by ESA and CNES. Archived from the original on 26 April 2014.
  5. Nuseibeh, Bashar (May 1997). "Ariane 5: Who Dunnit?" (PDF). IEEE Software. 14 (3): 15–16. doi:10.1109/MS.1997.589224. S2CID   206482665.
  6. Jézéquel, Jean-Marc; Meyer, Bertrand (January 1997). "Put it in the contract: The lessons of Ariane". Computer. 30 (2): 129–130. doi:10.1109/2.562936. Archived from the original on 4 June 2016 via Irisa.
  7. Le Lann, Gérard (March 1997). "An Analysis of the Ariane 5 Flight 501 Failure – A System Engineering Perspective". Proceedings of the 1997 international conference on Engineering of computer-based systems (ECBS'97). IEEE Computer Society. pp. 339–346. doi:10.1109/ECBS.1997.581900. ISBN   0-8186-7889-5.
  8. Krebs, Gunter. "Cluster 1, 2, 3, 4, 5, 6, 7, 8". Gunter's Space Page. Retrieved 29 November 2011.
  9. Faure, Christèle. "PolySpace Technologies History" . Retrieved 3 October 2010.
  10. Todd, David (March 2007). "ASCEND Space Intelligence News" (PDF). Archived from the original (PDF) on 14 February 2007.

Further reading