Ariane flight V88, also known as Ariane 5 Flight 501, was the failed maiden flight of the Arianespace Ariane 5 rocket, vehicle no. 501, on 4 June 1996. It carried the Cluster spacecraft, a constellation of four European Space Agency research satellites.

The launch ended in failure due to multiple errors in the software design: dead code, intended only for Ariane 4, with inadequate protection against integer overflow led to an exception handled inappropriately, halting the whole otherwise unaffected inertial navigation system. This caused the rocket to veer off its flight path 37 seconds after launch, beginning to disintegrate under high aerodynamic forces, and finally self-destructing via its automated flight termination system. The failure has become known as one of the most infamous and expensive software bugs in history. The failure resulted in a loss of more than US$370 million.

Launch failure

thumb|right|upright=0.4| Diagram of the Ariane 501 with the four Cluster satellites

thumb|Fragment fallout zone of failed Ariane 501 launch

thumb|Recovered support strut of the satellite structure

The Ariane&nbsp;5 reused the code from the inertial reference platform from the Ariane 4, but the early part of the Ariane&nbsp;5's flight path differed from the Ariane&nbsp;4 in having higher horizontal velocity values. This caused an internal value BH (Horizontal Bias) calculated in the alignment function to be unexpectedly high. The alignment function was operative for approximately 40 seconds of flight, which was based on a requirement of Ariane&nbsp;4, but served no purpose after lift-off on the Ariane&nbsp;5. The programmers had protected only four out of seven critical variables against overflow to keep within a required maximum workload target of 80% for the on-board Inertial Reference System computer, and relied on assumptions which were correct for the trajectory of Ariane&nbsp;4, but not Ariane&nbsp;5, regarding the possible range of values for the three unprotected variables. The exception halted both of the inertial reference system modules, although they were intended to be redundant. The active module presented a diagnostic bit pattern to the On-Board Computer which was interpreted as flight data, in particular causing full nozzle deflections of the solid boosters and the Vulcain main engine. This led to an angle of attack of more than 20 degrees, causing separation of the boosters from the main stage, the triggering of the self-destruct system of the launcher, and the destruction of the flight.</blockquote>Other issues identified in the report focused on testing:

  • The ranges of variables such as horizontal velocity and the quantity BH computed from it should have been explicitly quantified. Instead, a 16-bit range was assumed.
  • The alignment task should have been deactivated at an appropriate moment. Instead, the alignment task was running after lift-off.
  • A failure model of the inertial reference platforms should have been analyzed to ensure that service would be continuously delivered throughout the flight, rather than assuming that at most one module would fail. Instead, both modules failed, and rather than killing the flight gracefully, output diagnostic messages were interpreted as flight data.

Payload

Cluster consisted of four cylindrical, spin-stabilised spacecraft, powered by 224 watt solar cells. The spacecraft were to have flown in a tetrahedral formation, and were intended to conduct research into the Earth's magnetosphere. The satellites would have been placed into highly elliptical orbits; , inclined at 90 degrees to the equator.

Aftermath

Following the failure, four replacement Cluster II satellites were built. These were launched in pairs aboard Soyuz-U/Fregat rockets in 2000.

The launch failure brought the high risks associated with complex computing systems to the attention of the general public, politicians, and executives, resulting in increased support for research on ensuring the reliability of safety-critical systems. The subsequent automated analysis of the Ariane code (written in Ada) was the first example of large-scale static code analysis by abstract interpretation.

The failure also harmed the excellent success record of the European Space Agency's rocket family, set by the high success rate of the Ariane 4 model. It was not until 2007 that Ariane 5 launches were recognised as being as reliable as those of the predecessor model.

See also

  • Mars Climate Orbiter software that had been adapted from an earlier Mars Climate Orbiter was not adequately tested before launch
  • Apollo guidance computer – PGNCS trouble, another case where a spacecraft guidance computer suffered from having a subsystem inappropriately left running
  • List of software bugs

References

Further reading

  • Jacques-Louis Lions et al., Ariane 501 Inquiry Board report ()
  • , direct link to video file — Footage of the final seconds of the rocket flight.
  • Wired – History's Worst Software Bugs — An article about the top 10 software bugs. The Ariane 5 Flight 501 software glitch is mentioned as one of these bugs.
  • Ariane 5 – 501 (1–3) — A good article (in German) where the actual code in question is given.