I encourage people to read the report on the causes of the Ariane 5 rocket
crash, which is available at:
http://www.esrin.esa.it/htdocs/tidc/Press/Press96/ariane5rep.html
To summarize what happened:
- An overflow occured in the Inertial Reference System (SRI) computer when
converting a 64-bit floating point to 16-bit signed integer value.
- There was no error handler for that specific overflow. The default
handler (wrongly) shut down the SRI unit.
- The standby SRI unit had previously shut itself down for the same
reason. The hot SRI and the standby were running the same software.
- The shutdown caused the SRI to output a core dump on the bus. The main
computer interpreted the core dump as flight data, causing such a violent
trajectory correction that the rocket desintegrated.
- The SRI software had been ported from the previous generation rocket Ariane
4. The original software designers made a deliberate decision not to
protect the conversion because overflow could not occur due to the physical
characteristics of Ariane 4.
- The program that failed was a pre-flight program, and should not have been
running during the flight. (In the Ariane 4 design, this program was
allowed to run during flight to guard against some rare condition, but this
was a poor decision in the first place; when the software was ported to
Ariane 5 all justification for it was gone but nobody bothered to turn it
off.)
The investigation team concluded that the designers of the computer system put
in protections against hardware faults but did not take into account software
faults. Furthermore the SRI had not been tested with realistic Ariane 5
flight data, and there had been no integration tests of the SRI with the rest
of the new rocket.
-- Marc ShapiroM. Shapiro, INRIA Rocquencourt, BP 105, 78153 Le Chesnay Cedex, France. Tel.: +33 (1) 39-63-53-25. Fax: +33 (1) 39-63-53-30. e-mail: marc.shapiro@inria.fr. http://www-sor.inria.fr/SOR/
------ End of Forwarded Article