CS205 Notes 38
(27 November 2006)
Schedule Update
- Now: Project Progress Reports due.
- This week: If your team would like to arrange a meeting with me,
let me know after class today. (It is not required to meet with me if
your project is well on track and you don't have any questions.)
- Next Monday, December 4 (in class): Project Demos. Each team will have up to 15 minutes
(no need to use all of it) to present and demo your project.
- Next Tuesday, December 5 (before 5pm): Project Final Reports
Ariane 5
Excerpts from the Ariane 501 Inquiry Board Report:
Based on the extensive documentation and data on the Ariane 501 failure
made available to the Board, the following chain of events, their
inter-relations and causes have been established, starting with the
destruction of the launcher and tracing back in time towards the primary
cause.
- The launcher started to disintegrate at about H0 + 39 seconds because of high aerodynamic loads due to an angle of attack of more than 20 degrees that led to separation of the boosters from the main stage, in turn triggering the self-destruct system of the launcher.
- This angle of attack was caused by full nozzle deflections of the solid boosters and the main engine.
- These nozzle deflections were commanded by the On-Board Computer (OBC) software on the basis of data transmitted by the active Inertial Reference System (SRI 2). Part of these data at that time did not contain proper flight data, but showed a diagnostic bit pattern of the computer of the SRI 2, which was interpreted as flight data.
- The reason why the active SRI 2 did not send correct attitude data was that the unit had declared a failure due to a software exception.
- The OBC could not switch to the back-up SRI 1 because that unit had already ceased to function during the previous data cycle (72 milliseconds period) for the same reason as SRI 2.
- The internal SRI software exception was caused during execution of a data conversion from 64-bit floating point to 16-bit signed integer value. The floating point number which was converted had a value greater than what could be represented by a 16-bit signed integer. This resulted in an Operand Error. The data conversion instructions (in Ada code) were not protected from causing an Operand Error, although other conversions of comparable variables in the same place in the code were protected.
- The error occurred in a part of the software that only performs alignment of the strap-down inertial platform. This software module computes meaningful results only before lift-off. As soon as the launcher lifts off, this function serves no purpose.
- The alignment function is operative for 50 seconds after starting of the Flight Mode of the SRIs which occurs at H0 - 3 seconds for Ariane 5. Consequently, when lift-off occurs, the function continues for approx. 40 seconds of flight. This time sequence is based on a requirement of Ariane 4 and is not required for Ariane 5.
- The Operand Error occurred due to an unexpected high value of an internal alignment function result called BH, Horizontal Bias, related to the horizontal velocity sensed by the platform. This value is calculated as an indicator for alignment precision over time.
- The value of BH was much higher than expected because the early part of the trajectory of Ariane 5 differs from that of Ariane 4 and results in considerably higher horizontal velocity values.
The SRI internal events that led to the failure have been reproduced by
simulation calculations. Furthermore, both SRIs were recovered during
the Board's investigation and the failure context was precisely
determined from memory readouts. In addition, the Board has examined the
software code which was shown to be consistent with the failure
scenario. ... Therefore, it is established beyond reasonable doubt that
the chain of events set out above reflects the technical causes of the
failure of Ariane 501.
What recommendations would you make to the Ariane software developers?
What general lessons about dependable software development should we
learn from the Ariane 5 failure?
What should critical systems do with exceptions?
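To make the questions above concrete, here is a small model of the failure chain. It is an added example written for these notes, not code from the SRI software or from the Inquiry Board report: it models the unprotected 64-bit float to 16-bit signed integer conversion, one possible protected form (the report says some conversions were protected but not how, so saturate-and-flag is an assumed handler), the "alignment function still running after lift-off" condition, and the active unit plus hot backup running the same code on the same data. The BH sample series, the 850/500 slopes, and names such as `fly`, `SRI.cycle` and `guard_after_liftoff` are constructed for illustration.

```python
"""Float-to-int16 conversion failure modes, patterned on the Ariane 501 report.

Added example for these notes, not code from the SRI software or the Inquiry
Board report. The BH series and the handler choices are constructed.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

INT16_MIN, INT16_MAX = -32768, 32767


class OperandError(ArithmeticError):
    """Stands in for the Operand Error raised when a converted value does not fit."""


def to_int16_unprotected(x: float) -> int:
    """The unprotected conversion from the report: no range check, so an
    out-of-range input raises instead of producing a result."""
    n = int(round(x))  # Ada Float -> Integer rounds; Python round() agrees except at exact .5 ties
    if n < INT16_MIN or n > INT16_MAX:
        raise OperandError(f"{x} does not fit in a signed 16-bit integer")
    return n


def to_int16_protected(x: float) -> Tuple[int, bool]:
    """A protected conversion: out-of-range inputs saturate and are flagged.
    Assumption: the report says some conversions were protected, not how;
    saturate-and-flag is one defensible choice, not necessarily Ariane's."""
    n = int(round(x))
    if n > INT16_MAX:
        return INT16_MAX, True
    if n < INT16_MIN:
        return INT16_MIN, True
    return n, False


@dataclass
class SRI:
    """One Inertial Reference System. `failed` models the unit declaring a
    failure (sending diagnostics instead of flight data) after an unhandled
    exception in the alignment function."""
    name: str
    failed: bool = False
    log: List[str] = field(default_factory=list)

    def cycle(self, t: float, bh: float, guard_after_liftoff: bool) -> Optional[int]:
        if self.failed:
            return None
        # The alignment function has no purpose after lift-off (t >= H0). A
        # system that knows this stops calling it instead of converting its output.
        if guard_after_liftoff and t >= 0.0:
            return None
        try:
            return to_int16_unprotected(bh)
        except OperandError as exc:
            self.failed = True  # the exception becomes a unit-level failure
            self.log.append(f"{self.name} at H0{t:+.1f}s: {exc}")
            return None


def fly(bh_series: List[Tuple[float, float]], guard_after_liftoff: bool) -> dict:
    """Run the active unit and its hot backup over the same (t, BH) samples.
    Both execute identical code on identical data, which is why the backup in
    the report failed for the same reason as the active unit: redundancy does
    not protect against a common-mode software fault."""
    sri1, sri2 = SRI("SRI 1"), SRI("SRI 2")
    first_failure: Optional[float] = None
    for t, bh in bh_series:
        sri1.cycle(t, bh, guard_after_liftoff)
        sri2.cycle(t, bh, guard_after_liftoff)
        if first_failure is None and (sri1.failed or sri2.failed):
            first_failure = t
    return {
        "sri1_failed": sri1.failed,
        "sri2_failed": sri2.failed,
        "backup_available": not (sri1.failed and sri2.failed),
        "first_failure_t": first_failure,
        "log": sri1.log + sri2.log,
    }


# Constructed BH samples (not flight data): one per second from H0-3s. The
# Ariane-4-like profile stays inside int16; the Ariane-5-like profile grows
# faster (the higher horizontal velocity the report describes) and crosses
# 32767 at H0+36s, while the alignment function is still running.
ARIANE4_LIKE = [(float(t), 500.0 * (t + 3)) for t in range(-3, 40)]
ARIANE5_LIKE = [(float(t), 850.0 * (t + 3)) for t in range(-3, 40)]

if __name__ == "__main__":
    for label, series in (("Ariane 4 profile", ARIANE4_LIKE), ("Ariane 5 profile", ARIANE5_LIKE)):
        for guard in (False, True):
            r = fly(series, guard)
            print(f"{label} guard={guard}: backup_available={r['backup_available']} "
                  f"first_failure={r['first_failure_t']}")
```

Running the block shows three distinct outcomes: the Ariane 4 profile never overflows with either setting; the Ariane 5 profile with no guard loses both units at the same sample, leaving the OBC no backup to switch to; the Ariane 5 profile with the post-lift-off guard loses neither, because the function that overflows is simply not run. Note that `to_int16_protected` is a separate design decision from the guard: saturating BH keeps the unit alive, but it still produces a meaningless number for a function that should not be executing.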
Design by Contract: The Lessons of Ariane, Jean-Marc Jezequel and Bertrand Meyer.
Ken Garlington's Critique