From: Steve O'Neill
Subject: Re: Adriane crash
Date: 1996/07/25
Message-ID: <31F7D9BE.2E9A@sanders.lockheed.com>
Organization: Sanders, A Lockheed-Martin Company
Newsgroups: comp.lang.ada

Jerry van Dijk wrote:
>
> Dutch videotext had a topic this evening that said that ESA found that the
> Ariane-5 launch failed because the software of its guidance systems was
> accidentally replaced by the Ariane-4 version.

Close, but not quite. Based on my read of the report: Ariane 4 & 5 use the same inertial measurement units and it appears that they did not fully analyze the effect of the Ariane 5's flight characteristics against these units. Also, both Arianes 4 and 5 use dual redundant units which are, unfortunately, identical in both hardware and software. The result was that higher (but acceptable for Ariane 5) acceleration levels caused a conversion operation to overflow, an exception was raised, and both units completely shut down, leaving the flight control software with no navigation data! It also appeared from the report that the flight control software interpreted bogus data as good and as a result commanded the engine nozzles to full deflection, resulting in the aerodynamic destruction of the vehicle.
On some really sad notes: 1) the software that experienced the overflow had no real value during that phase of flight and should have been disabled, 2) the decision not to protect the conversion from overflow was influenced by a requirement for a max of 80% processor utilization, and 3) the units were _required_ to shut down as a result of any exception (rather than make the best of it and continue in a degraded mode, if possible) on the assumption that it was caused by a hardware failure. Does the phrase 'penny wise, pound foolish' apply here?

So, lots of intertwined assumptions, mistakes, etc. led to this failure, but definitely an avoidable problem.

-- 
Steve O'Neill                        | "No,no,no, don't tug on that!
Sanders, A Lockheed Martin Company   | You never know what it might
smoneill@sanders.lockheed.com        | be attached to."
(603) 885-8774 fax: (603) 885-4071   |                Buckaroo Banzai
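The failure chain described in this post (unprotected float-to-integer conversion, exception treated as a hardware fault, identical redundant units shutting down together) as an added Ada example; it is not from the original post or from the actual flight software, and the type names and input values are constructed for illustration.

```ada
--  Added example, not from the original post: a simplified model of the
--  failure described above. A 64-bit float is converted to a 16-bit signed
--  integer; the unprotected conversion raises Constraint_Error on the larger
--  value and the unit shuts down, while the protected one saturates and
--  continues in a degraded mode. Type names and input values are constructed.
with Ada.Text_IO; use Ada.Text_IO;

procedure Conversion_Overflow is
   type Horizontal_Bias is range -32_768 .. 32_767;  --  16-bit signed target
   type Sensor_Value is digits 15;                    --  64-bit float source
   Unit_Shut_Down : exception;

   --  Unprotected: out-of-range input raises Constraint_Error.
   function Convert_Unprotected (V : Sensor_Value) return Horizontal_Bias is
   begin
      return Horizontal_Bias (V);
   end Convert_Unprotected;

   --  Protected: clamp to the representable range and flag degraded mode.
   function Convert_Protected (V : Sensor_Value; Degraded : out Boolean)
     return Horizontal_Bias is
   begin
      Degraded := V > Sensor_Value (Horizontal_Bias'Last)
                  or V < Sensor_Value (Horizontal_Bias'First);
      if not Degraded then
         return Horizontal_Bias (V);
      elsif V > 0.0 then
         return Horizontal_Bias'Last;
      else
         return Horizontal_Bias'First;
      end if;
   end Convert_Protected;

   --  One redundant unit. Like the real units it treats any exception as a
   --  hardware fault and shuts down; two identical units fail identically.
   procedure Run_Unit (Name : String; Input : Sensor_Value) is
   begin
      Put_Line (Name & ": bias =" & Horizontal_Bias'Image (Convert_Unprotected (Input)));
   exception
      when Constraint_Error =>
         Put_Line (Name & ": overflow taken as hardware fault, shutting down");
         raise Unit_Shut_Down;
   end Run_Unit;

   Small_Value : constant Sensor_Value := 12_000.0;  --  constructed, in range
   Large_Value : constant Sensor_Value := 65_000.0;  --  constructed, overflows
   Degraded    : Boolean;
begin
   Run_Unit ("Unit A", Small_Value);
   begin
      Run_Unit ("Unit A", Large_Value);
      Run_Unit ("Unit B", Large_Value);  --  not reached: A is already down
   exception
      when Unit_Shut_Down =>
         Put_Line ("Unit B sees the same input and fails the same way: no navigation data");
   end;
   Put_Line ("Protected: bias =" & Horizontal_Bias'Image (Convert_Protected (Large_Value, Degraded))
             & (if Degraded then " (degraded mode)" else ""));
end Conversion_Overflow;
```

The protected path trades one saturated reading for keeping the unit alive, which is the "continue in a degraded mode" option the post says the units were required not to take.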