Ariane Crash (Was: Adriane crash)

[john@assen.demon.co.uk (John McCabe)]

[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #1: Type: text/plain, Size: 6162 bytes --]


jerry@jvdsys.nextjk.stuyts.nl (Jerry van Dijk) wrote:

>Dutch videotext had a topic this evening that said that ESA found that the 
>Adriana-5 lauch failed because the software of its guidance systems was 
>accidentally replaced by the Adriane-4 version.

>Anyone hear anything more about this ?

>(If its true, it must be the worlds most spectacular example of a 
>configuration management failure :-)

That isn't what the report said. Here is a copy of the report obtained
from sci.space.news:

------------------------------------------------------------------------------
>Date:         Tue, 23 Jul 1996 16:59:23 EST
>Reply-To:     ESAPRESS list <ESAPRESS@VMPROFS.ESOC.ESA.DE>

JOINT ESA/CNES PRESS RELEASE
N  33-96  -  Paris, 23 July 1996


Ariane 501 - Presentation of Inquiry Board report

Attached is a summary of the Inquiry Board report on the
failure of the first Ariane 5 flight.

The full report is available on written request from ESA and
CNES Public Relations.

     ESA     Tel.: + 33.1.53.69.72.82
                Fax: + 33.1.53.69.76.90

     CNES   Tel.: + 33.1.44.76.76.87
                Fax: + 33.1.44.76.78.16


ARIANE 501
Presentation of Inquiry Board report

On 4 June 1996 the maiden flight of the Ariane 5 launcher ended
in a failure.  Only about 40 seconds after initiation of the flight
sequence, at an altitude of about 3700 m, the launcher veered off
its flight path, broke up and exploded.

Mr Jean-Marie Luton, ESA Director General, and Mr Alain
Bensoussan, CNES Chairman, immediately set up an independent
Inquiry Board (see ESA-CNES Press Release of 10 June 1996),
which has now submitted its report.

The report begins by presenting the causes of the failure, analysis
of the flight data having indicated:

-   nominal behaviour of the launcher up to Ho  + 36 seconds;
-   simultaneous failure of the two inertial reference systems;
-   swivelling into the extreme position of the nozzles of the two
solid boosters and, slightly later, of the Vulcain engine, causing
the launcher to veer abruptly;



-   self-destruction of the launcher correctly triggered by rupture
of the electrical links between the solid boosters and the core
stage.

A chain of events, their inter-relations and causes have been
established, starting with the destruction of the launcher and
tracing back in time towards the primary cause.  These provide
the technical explanations for the failure of the 501 flight, which
lay in the flight control and guidance system.  A detailed account
is given in the report, which concludes:

"  The failure of Ariane 501 was caused by the complete loss of
guidance and attitude information 37 seconds after start of the
main engine ignition sequence (30 seconds after lift-off).  This
loss of information was due to specification and design errors in
the software of the inertial reference system.

  The extensive reviews and tests carried out during the Ariane
5 development programme did not include adequate analysis and
testing of the inertial reference system or of the complete flight
control system, which could have detected the potential failure."

Despite the series of tests and reviews carried out under the
programme, in the course of which thousands of corrections were
made, shortcomings in the system approach concerning the
software resulted in failure to detect the fault.  It is stressed that
alignement function of the inertial reference system, which served
a purpose only before lift-off (but remained operative afterwards),
was not taken into account in the simulations and that the
equipment and system tests were not sufficiently representative.

Without implicating the system architecture, the report makes a
series of recommendations for ensuring that the launcher's
software operates correctly.  The Ariane 5 programme will be
taking action in line with all these recommendations, as follows:

-   correction of the problem in the SRI (inertial reference
system) that led to the accident;
-   reexamination of all software embedded in equipment;
-   improvement of the representativeness (vis-�-vis the launcher)
of the qualification testing environment;
-   introduction of overlaps and deliberate redundancy between
successive tests:
     .   at equipment level,
     .   at stage level,
     .   at system level;
-   improvement and systematisation of the two-way flow of
information:



     .   up from equipment to system:  nominal and failure-mode
behaviour;
     .   down from system to equipment:  use of equipment items
in flight.

More specifically, the following corrective measures will be
applied:

-   to the inertial reference system:
     .   switch-off or inhibition of the alignment function after
liftoff,
     .   analysis/modification of processing, particularly on
detection of a fault (no processor shutdown),
     .   testing to check the coverage of the SRI flight domain;

-   to the system qualification environment:
     .   general improvement of representativeness through
systematic use of real equipment and components wherever
possible,
     .   simulation of real trajectories on SRI electronics.

-   In addition, the following general measures will be taken:
     .   critical reappraisal of all software (flight program and
embedded software),
     .   review of mechanisms for managing double failures,
     .   improvement of facilities for acquisition and retrieval of
telemetry data,
     .   improvement of overall coordination relating to software.

The ESA Director General and CNES Chairman will be making
a joint presentation of the plan of action put into effect and its
programmatic consequences at a press conference in September.
-------------------------------------------------------------------

Hope this is useful. So basically it _was_ a software fault - the
software didn't ignore signals it was receiving after launch from a
system whose signals are only valid prior to launch.

What I want to know is, who wrote that software, and if their was an
ESA representative responsible for it, who was he!

Not that I want to apportion blame of course, just interested!


Best Regards
John McCabe <john@assen.demon.co.uk>