Trace: Ariane 501

Ariane 501

This is an old revision of the document!


Ariane 501

Description

Ariane 5 is an expendable launch system used to deliver payloads into geostationary transfer orbit or low Earth orbit. Ariane 5 rockets are manufactured under the authority of the European Space Agency (ESA) and the Centre National d'Etudes Spatiales (CNES). and EADS Astrium Space Transportation (Astrium) is the prime contractor for the vehicles, leading a consortium of sub-contractors. The rocket took a decade to be developed and required 7 billion dollars.

Problem

On 4 June 1996, the maiden flight of the Ariane 5 launcher ended in a failure. Only about 40 seconds after initiation of the flight sequence, at an altitude of about 3700 m, the launcher veered off its flight path, broke up and exploded.

Diagnostic

The launcher behaviour up to H0 + 36 seconds was nominal. The backup Inertial Reference System failed, followed immediately by the failure of the active Inertial Reference System. There was swivelling into the extreme position of the nozzles of the two solid boosters and, slightly later, of the Vulcain engine, causing the launcher to veer abruptly, rupturing the links between the solid boosters and the core stage, triggering the self-destruction of the launcher.

The origin of the failure was thus rapidly narrowed down to the flight control system and more particularly to the Inertial Reference Systems, which obviously ceased to function almost simultaneously at around H0 + 36.7 seconds.

The failure cause was a fault in the software that calculated the horizontal velocity of the rocket. The variable that stored the value was 64 bit wide (floating point) and was incorrectly changed to 16 bits (signed integer). The value was bigger than 32,767 (the biggest value a signed integer can represent), causing a conversion failure.

Insufficient testing for components reused from Ariane 4 was the cause of the failure.

  L_M_BV_32 := TBD.T_ENTIER_32S ((1.0/C_M_LSB_BV) * G_M_INFO_DERIVE(T_ALG.E_BV));
  if L_M_BV_32 > 32767 then
      P_M_DERIVE(T_ALG.E_BV) := 16#7FFF#;
  elsif L_M_BV_32 < -32768 then
      P_M_DERIVE(T_ALG.E_BV) := 16#8000#;
  else
      P_M_DERIVE(T_ALG.E_BV) := UC_16S_EN_16NS(TDB.T_ENTIER_16S(L_M_BV_32));
  end if;
  P_M_DERIVE(T_ALG.E_BH) := UC_16S_EN_16NS (TDB.T_ENTIER_16S ((1.0/C_M_LSB_BH) * G_M_INFO_DERIVE(T_ALG.E_BH))); 

Solution

The last statement must have its boundary values checked, otherwise an exception will be thrown. A proper replacement for that statement is:

  L_M_BH_32 := TBD.T_ENTIER_32S ((1.0/C_M_LSB_BH) * G_M_INFO_DERIVE(T_ALG.E_BH));
  if L_M_BH_32 > 32767 then
      P_M_DERIVE(T_ALG.E_BH) := 16#7FFF#;
  elsif L_M_BH_32 < -32768 then
      P_M_DERIVE(T_ALG.E_BH) := 16#8000#;
  else
      P_M_DERIVE(T_ALG.E_BH) := UC_16S_EN_16NS(TDB.T_ENTIER_16S(L_M_BH_32));
  end if;

References

swe/ariane_501.1654292053.txt.gz · Last modified: 2022/06/03 21:34 by magsilva