comp.lang.ada
* Ariane5 FAQ, Professional version, first draft
@ 2003-08-03  1:32 Alexandre E. Kopilovitch
  2003-08-04 20:08 ` rc211v
  0 siblings, 1 reply; 5+ messages in thread
From: Alexandre E. Kopilovitch @ 2003-08-03  1:32 UTC (permalink / raw)
  To: comp.lang.ada

During the recent development of the Ariane 5 FAQ, at least two participants in the
discussion suggested another organization of the FAQ. Specifically, they
proposed moving the technical explanation of the rocket's failure to the top
of the FAQ. I think that this is incompatible with the unfolding logic of that
FAQ, but there may be another unfolding logic, which leads to another version
of the FAQ. Below is the first draft of that alternative version; I think that
both versions may exist concurrently (like a duet -:) . I'd like to call the
older one the "Observer's version" and the following one the "Professional version".

Here is the first draft of that Professional version of the FAQ. Compared
with the Observer's version, some Q-A pairs are unchanged, some are moved to
another place, some are excluded, and some are new.

----------------------------------------------------------------------------

Q. Can you explain in a few words what, technically, was the actual cause of
the Ariane 5 launch failure in 1996?

A. There are several points on which Ariane 5 differs from Ariane 4,
one of which was instrumental to the events: Ariane 4 is a vertical launch
vehicle, whereas Ariane 5 is slightly tilted.
  The Ariane 4 software was developed to tolerate a certain amount of inclination,
but not as much as required by Ariane 5. The chain of events was as follows:

- The on-board software detects that one of the accelerometers is out of range;
this was interpreted as a hardware error and caused the backup processor to take
over;
- The backup processor also detects that one of the accelerometers is out of
range, which caused the system to advise auto-destruction.

Q. At which levels and in which parts of the Ariane 5 development project
were the critical errors (those that caused the launch failure) made?

A. There was a compound, 3-stage construction of the failure; all 3 component
errors were made at the top level of the project, within Arianespace.

The first error-stage was improper reuse of software.

The second and third error-stages ordered a scaled-down verification:

- the second error-stage excluded one subsystem, the Inertial Reference System
device, from the rocket's testing procedure, replacing it with a simulator;

- the third error-stage excluded one part of the device's software from the
simulator development contract, and denied the simulator's developers access
to the device's documentation (giving them the device's software source code only).

Q. Can you describe this development project failure in the general terms of
large-scale systems engineering?

A. The failure was in the process that Arianespace set up, not in the work
of any contractor, and certainly not in the work of any employee of those
contractors. The process that Arianespace set up delegated requirements
to individual subcontracts, which is fine. But there was neither process for
checking that changes in the subcontracts did not result in failure to test
some requirements, nor a final pre-launch validation that all requirements
had been tested.

The scope of one of the subcontracts was reduced, and as a result
certain tests that were part of the original test plan did not get
performed. However, Arianespace's project management process equated
completion of all subcontracts with completion of all testing.

Q. But surely there were engineers who could see the possible consequences
of that approach. So why weren't they alarmed enough?

A. This is a difficult question indeed. An explanation exists which says that
the information paths within the project were interspersed with managers
of a non-engineering kind, and because of that none of the engineers
could obtain enough information to recognize the danger. In particular,
none of the engineers was in a position to compare the requirements for Ariane 4
with the trajectory data for Ariane 5.

A contributing factor was the specific nature of communications and the overlapping
of responsibilities that often manifests itself in international projects.
Here is an insider's view of those specifics:

"As with many international projects, some of the information is eyes only.
This is sometimes a burden for engineers that write the software, since they
have to rely on good will and reliable deliveries of sub-components.
As you can imagine, Ariane is a fairly complex system which relies on many
"sub-systems"; now imagine that all those subsystems come from a different
supplier. The integration of all of them is a very large and complex project
on its own."

Q. Did Arianespace learn the lesson?

A. Not enough, it seems, for now. Several subsequent Ariane 5 failures
followed essentially the same or a similar error pattern. (The only significant
difference from the first failure is that the subsequent failures weren't
related to software -- probably because all the Ariane 5 software was reviewed
after the first crash.)

For example, consider the point of the second Ariane 5 failure investigation.
Different launch, different subsystem, very different failure mode. But the
thing both failures had in common was systems reused from Ariane 4 without
checking that they met the new requirements. The failure didn't get nearly
the press that the first one did, but the result was the same, a launch
failure (http://spaceflightnow.com/ariane/v142/010713followup.html and
http://www.arianespace.com/site/news/03_06_19_release_index.html).

There was also a fourth Ariane 5 failure (out of 14 tries) on flight 157
(http://www.esa.int/export/esaCP/ESA7198708D_index_0.html). This was due to
failure of the cooling of the Vulcain 2 engine, new to the Ariane 5 ECA.
Although this failure had nothing to do with Ariane 4 reuse, what do we find
under contributing factors?  "non-exhaustive definition of the loads to which
the Vulcain 2 engine is subjected during flight" -- another requirements
definition failure. The first three launch failures were all due to the
failure of change management and requirements tracking during the original
Ariane 5 development. But this latest failure involves a design subsequent
to the first two Ariane 5 failures.

Q. Where can I find official report for the investigation of the Ariane 5
crash?

A. At the moment of writing this FAQ this report was, for example, at:
 http://www.dcs.ed.ac.uk/home/pxs/Book/ariane5rep.html
But read it to the end, because your overall impression will probably be
different (and wrong) if you stop in the middle of it, deciding that you
got it all clear enough.

Q. Where was this topic discussed in depth?

A. For example, in the comp.lang.ada newsgroup (several times). Search that
newsgroup for "Ariane 5", and you'll find several threads discussing this
topic (the most recent at the moment of writing this FAQ was a quite long thread
with the subject line "Boeing and Dreamliner"; during the development of this FAQ
another long thread with the subject line "Ariane5 FAQ" was running).

----------------------------------------------------------------------------




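The chain of events in the first answer (primary channel faults on an out-of-range input, the backup takes over and faults the same way) and the comparison the engineers were never in a position to make (Ariane 4 requirements against Ariane 5 trajectory data), as an added example in Ada. This is not code from the FAQ, from the inquiry report, or from any Ariane programme; the reused unit, its qualified limit, the 16-bit representation and the tilt figures are all constructed for illustration.

```ada
--  Added example, not code from the FAQ or from any Ariane programme:
--  a reused unit sized for one flight envelope, fed the wider envelope of
--  a new vehicle, behind "redundancy" that runs the same code twice.
--  All numbers are constructed for illustration, not Ariane data.
with Ada.Text_IO;    use Ada.Text_IO;
with Ada.Exceptions; use Ada.Exceptions;

procedure Redundancy_Demo is

   --  Hypothetical envelope the reused unit was qualified for.
   Qualified_Limit : constant := 10.0;
   subtype Qualified_Tilt is Float range -Qualified_Limit .. Qualified_Limit;

   --  Hypothetical 16-bit representation the reused unit converts into.
   --  Both the parameter subtype and this conversion carry Ada range checks
   --  that raise Constraint_Error on out-of-range input.
   type Scaled_Tilt is range -32_768 .. 32_767;

   function Scale (Tilt : Qualified_Tilt) return Scaled_Tilt is
   begin
      return Scaled_Tilt (Tilt * 3_000.0);
   end Scale;

   --  One channel: run the reused unit; report any exception as a channel
   --  fault, which is how a "hardware faults only" failure model sees it.
   function Channel_Ok (Name : String; Tilt : Float) return Boolean is
   begin
      Put_Line (Name & ": scaled " & Scaled_Tilt'Image (Scale (Tilt)));
      return True;
   exception
      when E : Constraint_Error =>
         Put_Line (Name & ": fault, " & Exception_Message (E));
         return False;
   end Channel_Ok;

   --  Two identical channels: a backup only helps if the fault is in the
   --  hardware, not in the input or in the shared software.
   procedure Fly (Tilt : Float) is
   begin
      Put_Line ("input tilt" & Float'Image (Tilt));
      if Channel_Ok ("primary", Tilt) then
         return;
      end if;
      Put_Line ("primary faulted, switching to backup");
      if not Channel_Ok ("backup", Tilt) then
         Put_Line ("both channels faulted on the same input: "
                   & "common-mode software fault, not a hardware fault");
      end if;
   end Fly;

   --  The check a reuse review needs: the new vehicle's requirement against
   --  the range the reused unit was qualified for, on paper, before flight.
   function Reuse_Is_Valid (Required_Limit : Float) return Boolean is
   begin
      return Required_Limit <= Qualified_Limit;
   end Reuse_Is_Valid;

   --  Constructed trajectory figures: the old vehicle inside the qualified
   --  range, the new vehicle beyond it.
   Old_Vehicle_Limit : constant Float := 5.0;
   New_Vehicle_Limit : constant Float := 25.0;

begin
   Fly (Old_Vehicle_Limit);
   Fly (New_Vehicle_Limit);

   Put_Line ("reuse valid for old vehicle: "
             & Boolean'Image (Reuse_Is_Valid (Old_Vehicle_Limit)));
   Put_Line ("reuse valid for new vehicle: "
             & Boolean'Image (Reuse_Is_Valid (New_Vehicle_Limit)));
end Redundancy_Demo;
```

Build with `gnatmake redundancy_demo.adb` and run `./redundancy_demo`. The first flight passes through both functions without incident; the second raises Constraint_Error in the primary channel, the backup runs the identical code on the identical input and raises it again, and the program says so. The point is the last two lines: Reuse_Is_Valid is a one-line comparison of a requirement against a qualified range, and it needs no flight hardware, no simulator and no source code, only somebody who holds both numbers at the same time.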

* Re: Ariane5 FAQ, Professional version, first draft
  2003-08-03  1:32 Ariane5 FAQ, Professional version, first draft Alexandre E. Kopilovitch
@ 2003-08-04 20:08 ` rc211v
  2003-08-05  2:17   ` Alexander Kopilovitch
  0 siblings, 1 reply; 5+ messages in thread
From: rc211v @ 2003-08-04 20:08 UTC (permalink / raw)


On Sun,  3 Aug 2003 05:32:00 +0400 (MSD), "Alexandre E. Kopilovitch"
<aek@vib.usr.pu.ru> wrote:


>
>A. There are several points which are different for Ariane 5 vs. Ariane 4,
>one of which was instrumental to the events: Ariane 4 is a vertical launch
>vehicle where as Ariane 5 is slightly tilted.
>  Ariane 4 software was developed to tolerate certain amount of inclination
>but not as much as required by Ariane 5. 

It's absolutely incredible. As far as you know, do you believe a
conspiracy theory?

This FAQ is very interesting.




* Re: Ariane5 FAQ, Professional version, first draft
  2003-08-04 20:08 ` rc211v
@ 2003-08-05  2:17   ` Alexander Kopilovitch
  2003-08-05 20:16     ` rc211v
  0 siblings, 1 reply; 5+ messages in thread
From: Alexander Kopilovitch @ 2003-08-05  2:17 UTC (permalink / raw)


rc211v wrote:

> >A. There are several points which are different for Ariane 5 vs. Ariane 4,
> >one of which was instrumental to the events: Ariane 4 is a vertical launch
> >vehicle where as Ariane 5 is slightly tilted.
> >  Ariane 4 software was developed to tolerate certain amount of inclination
> >but not as much as required by Ariane 5. 
>
>It's absolutely incredible. As far as you know, do you believe a
>conspiracy theory?

Well, reading the source info and "processing" it, I was on the verge of a
conspiracy theory several times. But two things deterred me from that:

1) the Chernobyl story provided me with even more incredible facts (some of them,
in sequence, led to the catastrophe, while others immediately followed it);

2) I understand clearly that in such circumstances no level of suspicion
will lead to a solid and/or concrete accusation. Actually, any good
conspiracy theory for such cases should focus not on the particular decisions
and moves which led to disaster, but on the actions that created the
circumstances in which some "natural implementation" of the disaster becomes
probable (perhaps with a little "help"). Obviously, this "probabilistic approach"
to investigation is still quite undeveloped, and therefore it can't be used
effectively -- you can't collect enough information for that, and you can't
convince anybody with that (if you aren't a dictator -;) .

Therefore I think that we should simply ignore the possibility of a conspiracy here.

Anyway, every good conspiracy theory should start with the question:
"Who could reasonably expect to benefit from that?"
And I'm not interested in that question for the case of Ariane 5 -:) .



Alexander Kopilovitch                      aek@vib.usr.pu.ru
Saint-Petersburg
Russia




* Re: Ariane5 FAQ, Professional version, first draft
  2003-08-05  2:17   ` Alexander Kopilovitch
@ 2003-08-05 20:16     ` rc211v
  2003-08-06  5:46       ` Robert I. Eachus
  0 siblings, 1 reply; 5+ messages in thread
From: rc211v @ 2003-08-05 20:16 UTC (permalink / raw)


>Therefore I think that we should simply ignore a possibility of conspiracy here.

You are surely right on this.

I understand human errors in a process or mistakes in a design (like
the meters/miles confusion) etc., but here it's more difficult to accept.

Imagine a car maker designing a new car with an old engine but with a
different gearbox, without testing? And nobody in the engineering staff
says uh oh ...

This "bug" is so extraordinary that it deserves a FAQ...




* Re: Ariane5 FAQ, Professional version, first draft
  2003-08-05 20:16     ` rc211v
@ 2003-08-06  5:46       ` Robert I. Eachus
  0 siblings, 0 replies; 5+ messages in thread
From: Robert I. Eachus @ 2003-08-06  5:46 UTC (permalink / raw)


rc211v wrote:

> imagine a car maker designing a new car with an old engine but with a
> different gearbox without testing? And nobody in the engineering staff
> says uh oh ... 
> 
> This "bug" is so extraordinary that it deserves a FAQ...

Replace that with putting a new engine in a new car model, but using the 
brakes, tires, and suspension from the previous version, and you have a 
mistake so frequent it deserves a FAQ.  (Or a whole generation of 
"muscle cars" depending on your point of view.)

In fact for a similar generation of mistakes look at Allied military 
aircraft during WWII.  There was a period in 1942 when the 'solution' to 
all combat aircraft problems was to modify the engines to provide more 
horsepower.  Most of 1943 was spent fixing the problems caused by the 
bigger engines.  The net result was better aircraft, but it was very 
expensive in lives of pilots, many of them in training.

My favorite example of the result of all this was a chapter in a book 
"Fork-tailed devil: the P-38" by Martin Caidin 
(http://tinyurl.com/j4yn).  But the chapter is about another airplane 
the P-47 Thunderbolt, and about the differences made by replacing the 
propeller.  They had improved the engine to provide more horsepower, 
without changing the propeller to match.  (Technically since the Jug had 
a variable pitch propeller, all that was actually changed were the four 
blades.)  With the new propeller, the Jug was a completely different 
aircraft in terms of handling.

The P-38 went through a similar set of problems, but the major fix was 
the addition of dive brakes.  Dive brakes were first introduced on the 
P-38 and later needed on most jet aircraft.  At a certain speed, the 
airflow over top of the wings is transonic.  When this happens, it 
doesn't matter what the pilot does, the aircraft doesn't respond to 
control inputs, in fact all the control surfaces seem frozen.  (First 
order approximation, it takes infinite force to move a control surface 
into a transonic airflow once established.  The dive brakes are small 
flaps to create turbulence before the airflow becomes transonic.)

-- 
"As far as I'm concerned, war always means failure." -- Jacques Chirac, 
President of France
"As far as France is concerned, you're right." -- Rush Limbaugh




