Movatterモバイル変換

[0]ホーム

Jump to content

Ariane flight V88

Edit links

From Wikipedia, the free encyclopedia

(Redirected fromAriane 5 Flight 501)

Failed maiden flight of Ariane 5, 1996

"Cluster (spacecraft)" redirects here. This article is about the failed Cluster launch. For the successful space mission, seeCluster II (spacecraft).

Cluster
Spacecraft properties

Mission type	Magnetospheric
Operator	ESA


Launch mass	1,200 kilograms (2,600 lb)


Start of mission
Launch date	12:34:06, 4 June 1996 (UTC) (1996-06-04T12:34:06Z)
Rocket	Ariane 5G
Launch site	Kourou ELA-3


End of mission
Disposal	launch failure
Destroyed	4 June 1996 (1996-06-04)

ESA quadrilateral mission insignia forCluster Horizon 2000 ← SOHO Huygens →

Ariane flight V88^[1] was the failedmaiden flight of theArianespace Ariane 5 rocket, vehicle no. 501, on 4 June 1996. It carried theCluster spacecraft, a constellation of fourEuropean Space Agency research satellites.

The launch ended in failure due to multiple errors in the software design:dead code, intended only forAriane 4, with inadequate protection againstinteger overflow led to anexception handled inappropriately, halting the whole otherwise unaffectedinertial navigation system. This caused the rocket to veer off its flight path 37 seconds after launch, beginning to disintegrate under high aerodynamic forces, and finally self-destructing via its automatedflight termination system. The failure has become known as one of the most infamous and expensivesoftware bugs in history.^[2] The failure resulted in a loss of more than US$370 million.^[3]

Launch failure

[edit]

Diagram of the Ariane 501 with the four Cluster satellites

Fragment fallout zone of failed Ariane 501 launch

Recovered support strut of the satellite structure

The Ariane 5reused the code from theinertial reference platform from theAriane 4, but the early part of the Ariane 5's flight path differed from the Ariane 4 in having higher horizontal velocity values. This caused an internal value BH (Horizontal Bias) calculated in the alignment function to be unexpectedly high. The alignment function was operative for approximately 40 seconds of flight, which was based on a requirement of Ariane 4, but served no purpose after lift-off on the Ariane 5.^[4] The greater values of BH caused a data conversion from a64-bit floating point number to a16-bit signed integer value tooverflow and cause ahardware exception.^[5] The programmers had protected only four out of seven critical variables against overflow to keep within a required maximum workload target of 80% for the on-board Inertial Reference System computer, and relied on assumptions which were correct for the trajectory of Ariane 4, but not Ariane 5, regarding the possible range of values for the three unprotected variables.^[6] The exception halted both of the inertial reference system modules, although they were intended to beredundant. The active module presented a diagnostic bit pattern to the On-Board Computer which was interpreted as flight data, in particular causing full nozzle deflections of the solid boosters and theVulcain main engine. This led to an angle of attack of more than 20 degrees, causing separation of the boosters from the main stage, the triggering of the self-destruct system of the launcher, and the destruction of the flight.^[4]

The official report on the crash (conducted by an inquiry board headed byJacques-Louis Lions) noted that "An underlying theme in the development of Ariane 5 is the bias towards themitigation of random failure. The supplier of theinertial navigation system (SRI) was only following the specification given to it, which stipulated that in the event of any detected exception the processor was to be stopped. The exception which occurred was not due to random failure but a design error. The exception was detected, but inappropriately handled because the view had been taken that software should be considered correct until it is shown to be at fault. [...] Although the failure was due to a systematic software design error, mechanisms can be introduced to mitigate this type of problem. For example the computers within the SRIs could have continued to provide their best estimates of the requiredattitude information. There is reason for concern that a software exception should be allowed, or even required, to cause a processor to halt while handling mission-critical equipment. Indeed, the loss of a proper software function is hazardous because the same software runs in both SRI units. In the case of Ariane 501, this resulted in the switch-off of two still healthy critical units of equipment."^[4]

Other issues identified in the report focused on testing:^[4]

The purpose of the review process, which involves all major partners in the Ariane 5 programme, is to validate design decisions and to obtain flight qualification. In this process, the limitations of the alignment software were not fully analysed and the possible implications of allowing it to continue to function during flight were not realised.
The specification of the inertial reference system and the tests performed at equipment level did not specifically include the Ariane 5 trajectory data. Consequently, the realignment function was not tested under simulated Ariane 5 flight conditions, and the design error was not discovered.
It would have been technically feasible to include almost the entire inertial reference system in the overall system simulations which were performed. For a number of reasons it was decided to use the simulated output of the inertial reference system, not the real system or its detailed simulation. Had the system been included, the failure could have been detected. Post-flight simulations have been carried out on a computer with software of the inertial reference system and with a simulated environment, including the actual trajectory data from the Ariane 501 flight. These simulations have faithfully reproduced the chain of events leading to the failure of the inertial reference systems.

Another perspective of the failure, based onsystems engineering, focuses on requirements:^[7]

The ranges of variables such as horizontal velocity and the quantity BH computed from it should have been explicitly quantified. Instead, a 16-bit range was assumed.
The alignment task should have been deactivated at an appropriate moment. Instead, the alignment task was running after lift-off.
A failure model of the inertial reference platforms should have been analyzed to ensure that service would be continuously delivered throughout the flight, rather than assuming that at most one module would fail. Instead, both modules failed, and rather than killing the flight gracefully, output diagnostic messages were interpreted as flight data.

Payload

[edit]

Cluster consisted of four 1,200 kilograms (2,600 lb) cylindrical,spin-stabilised spacecraft, powered by 224 watt solar cells. The spacecraft were to have flown in atetrahedral formation, and were intended to conduct research into the Earth'smagnetosphere. The satellites would have been placed into highly elliptical orbits; 17,200 by 120,600 kilometres (10,700 by 74,900 mi),inclined at 90 degrees to the equator.^[8]

Aftermath

[edit]

Following the failure, four replacementCluster II satellites were built. These were launched in pairs aboardSoyuz-U/Fregat rockets in 2000.

The launch failure brought the high risks associated with complex computing systems to the attention of the general public, politicians, andexecutives, resulting in increased support for research on ensuring the reliability ofsafety-critical systems. The subsequent automated analysis of the Arianecode (written inAda) was the first example of large-scalestatic code analysis byabstract interpretation.^[9]

The failure also harmed the excellent success record of the European Space Agency's rocket family, set by the high success rate of the Ariane 4 model. It was not until 2007 that Ariane 5 launches were recognised as being as reliable as those of the predecessor model.^[10]

References

[edit]

^Henrion, Jean Yves; Vallée, Thierry (1997)."V88 Ariane 501".Capcom Espace.
^Gleick, James (1 December 1996)."A Bug and A Crash".New York Times Magazine. Archived fromthe original on 20 April 2012. Retrieved7 April 2012.
^Dowson, Mark (March 1997). "The Ariane 5 Software Failure".ACM SIGSOFT Software Engineering Notes.22 (2): 84.doi:10.1145/251880.251992.S2CID 43439273.
^^a ^b ^c ^dLions, J. L. (19 July 1996).ARIANE 5 Failure - Full Report (Report). Inquiry Board set up by ESA and CNES.Archived from the original on 26 April 2014.
^Nuseibeh, Bashar (May 1997)."Ariane 5: Who Dunnit?"(PDF).IEEE Software.14 (3):15–16.doi:10.1109/MS.1997.589224.S2CID 206482665.
^Jézéquel, Jean-Marc; Meyer, Bertrand (January 1997)."Put it in the contract: The lessons of Ariane".Computer.30 (2):129–130.doi:10.1109/2.562936.Archived from the original on 4 June 2016 – via Irisa.
^Le Lann, Gérard (March 1997). "An Analysis of the Ariane 5 Flight 501 Failure – A System Engineering Perspective".Proceedings of the 1997 international conference on Engineering of computer-based systems (ECBS'97).IEEE Computer Society. pp. 339–346.doi:10.1109/ECBS.1997.581900.ISBN 0-8186-7889-5.
^Krebs, Gunter."Cluster 1, 2, 3, 4, 5, 6, 7, 8".Gunter's Space Page. Retrieved29 November 2011.
^Faure, Christèle."PolySpace Technologies History". Retrieved3 October 2010.
^Todd, David (March 2007)."ASCEND Space Intelligence News"(PDF). Archived fromthe original(PDF) on 14 February 2007.

External links

[edit]

Jacques-Louis Lions et al.,Ariane 501 Inquiry Board report ()
Spaceflight Now – Cluster II – Ariane 501 explodes at theWayback Machine (archived 25 March 2015),direct link to video file — Footage of the final seconds of the rocket flight.
Wired – History's Worst Software Bugs — An article about the top 10 software bugs. The Ariane 5 Flight 501 software glitch is mentioned as one of these bugs.
(in German)Ariane 5 – 501 (1–3) — A good article (in German) where the actual code in question is given.

European Space Agency

Space Centres	Guiana Esrange
Launch vehicles	Ariane 6 Vega C
Facilities	Space Operations Centre Space Research and Technology Centre ESA Centre for Earth Observation European Astronaut Centre Space Astronomy Centre Space Applications and Telecommunications Centre Concurrent Design Facility Space Telescope European Coordinating Facility
Communications	ESTRACK European Data Relay System
Programmes	Artemis ESM Aurora Copernicus Columbus CryoSat EGNOS Galileo ELIPS ExoMars FLPP Living Planet Programme Space Situational Awareness Programme Science Programme Cosmic Vision PRIDE
Predecessors	European Launcher Development Organisation European Space Research Organisation
Related topics	Arianespace ESA Television EUMETSAT European Space Camp GEWEX Planetary Science Archive

Projects and missions

Science

Solar physics	ISEE-2 (1977–1987) Ulysses (1990–2009) SOHO (1995–present) Cluster II (2000–2024) Solar Orbiter (2020–present) Vigil (2031)
Planetary science	Giotto (1985–1992) Huygens (1997–2005) SMART-1 (2003–2006) Mars Express (2003–present) Rosetta/Philae (2004–2016) Venus Express (2005–2014) ExoMarsTrace Gas Orbiter (2016–present) BepiColombo (2018–present) Jupiter Icy Moons Explorer (2023) Hera (2024) Rosalind Franklin rover (2028) Comet Interceptor (2029) EnVision (2031)
Astronomy and cosmology	Cos-B (1975–1982) IUE (1978–1996) EXOSAT (1983–1986) Hipparcos (1989–1993) Hubble Space Telescope (1990–present) Eureca (1992–93) ISO (1995–1998) XMM-Newton (1999–present) INTEGRAL (2002–present) CoRoT (2006–13) Planck (2009–2013) Herschel (2009–2013) Gaia (2013–2025) CHEOPS (2019–present) James Webb Space Telescope (2021–present) Euclid (2023–present) PLATO (2026) ARIEL (2029) ARRAKIHS (2030s) Athena (2035) LISA (2035)
Earth observation	Copernicus (1988–present) Meteosat First Generation (1977–1997) ERS-1 (1991–2000) ERS-2 (1995–2011) Meteosat Second Generation (2002–present) Envisat (2002–2012) Double Star (2003–2007) MetOp (2006–present) GOCE (2009–2013) SMOS (2009–present) CryoSat-2 (2010–present) Swarm (2013–present) Sentinel-1 /1A /1B /1C (2014–present) Sentinel-2 /2A /2B /2C (2015–present) Sentinel-3 /3A /3B (2016–present) Sentinel-5 Precursor (2017–present) ADM-Aeolus (2018–present) ɸ-Sat (1 (2020)2 (2024)) EarthCARE (2024–present) Meteosat Third Generation (Sentinel-4) (2024) ALTIUS (2025) Biomass (2025) FLEX (2025) MetOp-SG-A (2025) MetOp-SG-B (2025) SMILE (2025) FORUM (2027)

ISS contributions

Columbus (2008–present)
Automated Transfer Vehicle (2008–2015)
Cupola (2010)
European Robotic Arm (2021)

Telecommunications

GEOS 2 (1978)
Olympus-1 (1989–1993)
Artemis (2001–present)
GIOVE-A (2005–present)
GIOVE-B (2008–present)
HYLAS-1 (2010–present)
Galileo IOV (2011–present)
Galileo FOC (2014–present)
EGNOS
European Data Relay System (2016–present)

Technology
demonstrators

ARD (1998)
PROBA-1 (2001–present)
YES2 (2007)
PROBA-2 (2009–present)
PROBA-V (2013–present)
IXV (2015)
LISA Pathfinder (2015–2017)
OPS-SAT (2019–present)
PROBA-3 (2024–present)

Cancelled
and proposed

Failed

Future missions initalics

Ariane (rocket family)

Rockets

Current	Ariane 6
In development	Ariane Next
Retired	Ariane 1 Ariane 2 Ariane 3 Ariane 4 Ariane 5

Launch sites

Guiana Space Centre(Kourou)

Engines

Launches

List of launches

Flights

Organizations

Manufacturing	ArianeGroup Airbus Space Aérospatiale(merged) Safran Aircraft Engines Beyond Gravity MT Aerospace SABCA Nammo
Launch provider	Arianespace
Related	European Space Agency CNES