From: "Alexandre E. Kopilovitch"
Newsgroups: comp.lang.ada
Subject: Ariane5 FAQ, Professional version, first draft
Date: Sun, 3 Aug 2003 05:32:00 +0400 (MSD)
Organization: h w c employees, b f
To: comp.lang.ada@ada.eu.org

During the recent development of the Ariane 5 FAQ, at least 2 participants in the discussion suggested another organization of the FAQ. Specifically, they proposed moving the technical explanation of the rocket's failure to the top of the FAQ. I think that this is incompatible with the unfolding logic of that FAQ, but there may be another unfolding logic, which leads to another version of the FAQ. Below is the first draft of that alternative version; I think that both versions may exist concurrently (like a duet -:) .
I'd like to call the older one the "Observer's version" and the following one the "Professional version". Here is the first draft of that Professional version of the FAQ. Compared with the Observer's version, some Q-A pairs are unchanged, some have moved to another place, some are excluded, and some are new.

----------------------------------------------------------------------------

Q. Can you explain in a few words what, technically, was the actual cause of the Ariane 5 launch failure in 1996?

A. There are several points on which Ariane 5 differs from Ariane 4, one of which was instrumental to the events: Ariane 4 is a vertical launch vehicle, whereas Ariane 5 is slightly tilted. The Ariane 4 software was developed to tolerate a certain amount of inclination, but not as much as Ariane 5 requires. The chain of events was as follows:

- The on-board software detected that one of the accelerometers was out of range; this was interpreted as a hardware error and caused the backup processor to take over;
- The backup processor also detected that one of the accelerometers was out of range, which caused the system to trigger auto-destruction.

Q. At which levels and in which parts of the Ariane 5 development project were the critical errors (those that caused the launch failure) made?

A. The failure had a compound, 3-stage construction; all 3 component errors were made at the top level of the project, within Arianespace. The first error-stage was improper reuse of software. The second and third error-stages ordered a sized-down verification:

- the second error-stage excluded one subsystem, the Inertial Reference System device, from the rocket's testing procedure, replacing it with a simulator;
- the third error-stage excluded one part of the device's software from the simulator development contract, and denied the simulator's developers the device's documentation (giving them only the device's software source code).

Q.
Can you describe this development project failure in the general terms of large-scale system engineering?

A. The failure was in the process that Arianespace set up, not in the work of any contractor, and certainly not in the work of any employee of those contractors. The process that Arianespace set up delegated requirements to individual subcontracts, which is fine. But there was neither a process for checking that changes in the subcontracts did not result in a failure to test some requirements, nor a final pre-launch validation that all requirements had been tested. The scope of one of the subcontracts was reduced, and as a result certain tests that were part of the original test plan did not get performed. However, Arianespace's project management process equated completion of all subcontracts with completion of all testing.

Q. But surely there were engineers who could see the possible consequences of that approach. So why weren't they alarmed enough?

A. This is a difficult question indeed. One explanation holds that the informational paths within the project were interspersed with managers of a non-engineering kind, and because of that none of the engineers could obtain enough information to recognize the danger. In particular, none of the engineers was in a position to compare the requirements for Ariane 4 with the trajectory data for Ariane 5. A contributing factor was the specifics of communication and the crossing of responsibilities that often manifests itself within international projects. Here is an insider's view on those specifics:

"As with many international projects, some of the information is eyes only. This is sometimes a burden for engineers that write the software, since they have to rely on good will and reliable deliveries of sub-components. As you can imagine, Ariane is a fairly complex system which relies on many "sub-systems"; now imagine that all those subsystems come from a different supplier.
The integration of all of them is a very large and complex project on its own."

Q. Did Arianespace learn the lesson?

A. It seems not enough, for now. Several subsequent Ariane 5 failures followed essentially the same or a similar error pattern. (The only significant difference from the first failure is that the subsequent failures weren't related to software -- probably because all the Ariane 5 software was reviewed after the first crash.) For example, consider the finding of the second Ariane 5 failure investigation. Different launch, different subsystem, very different failure mode. But the thing both failures had in common was systems reused from Ariane 4 without checking that they met the new requirements. The failure didn't get nearly the press that the first one did, but the result was the same, a launch failure (http://spaceflightnow.com/ariane/v142/010713followup.html and http://www.arianespace.com/site/news/03_06_19_release_index.html). There was also a fourth Ariane 5 failure (out of 14 tries) on flight 157 (http://www.esa.int/export/esaCP/ESA7198708D_index_0.html). This was due to a failure of the cooling of the Vulcain 2 engine, new to the Ariane 5 ECA. Although this failure had nothing to do with Ariane 4 reuse, what do we find under contributing factors? "non-exhaustive definition of the loads to which the Vulcain 2 engine is subjected during flight" -- another requirements definition failure. The first three launch failures were all due to the failure of change management and requirements tracking during the original Ariane 5 development. But this latest failure involves a design subsequent to the first two Ariane 5 failures.

Q. Where can I find the official report on the investigation of the Ariane 5 crash?

A. At the moment of writing this FAQ this report was available, for example,
at: http://www.dcs.ed.ac.uk/home/pxs/Book/ariane5rep.html

But read it to the end, because your overall impression will probably be different (and wrong) if you stop in the middle of it, deciding that you have got it all clear enough.

Q. Where was this topic discussed in depth?

A. For example, in the comp.lang.ada newsgroup (several times). Search that newsgroup for "Ariane 5", and you'll find several threads discussing this topic (the most recent at the moment of writing this FAQ was a quite long thread with the subject line "Boeing and Dreamliner"; during the development of this FAQ another long thread with the subject line "Ariane5 FAQ" was running).

----------------------------------------------------------------------------
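As an added illustration of the chain of events in the first answer of the FAQ (this is example code written for this page, not part of the original post or of any Ariane software; the tilt limit, trajectory values and channel names are constructed), the following Python models two identical channels running reused range-checking logic, and the requirements-versus-trajectory comparison that the FAQ says no engineer was in a position to make:

```python
# Constructed model, not Ariane flight software: identical primary and
# backup channels run reused logic whose range limit was set for Ariane 4
# (a constructed number), then receive a more inclined Ariane 5 trajectory.
from typing import List, Tuple

ARIANE4_TILT_LIMIT = 10.0  # constructed limit the reused check was written for


class Channel:
    """One inertial-processing channel; primary and backup run the same code."""

    def __init__(self, name: str, tilt_limit: float) -> None:
        self.name = name
        self.tilt_limit = tilt_limit
        self.faulted = False

    def process(self, tilt: float) -> str:
        # Reused behaviour: an out-of-range sample is reported as a hardware
        # error, because on the old vehicle that was the only way it could occur.
        if abs(tilt) > self.tilt_limit:
            self.faulted = True
            return "hardware_error"
        return "ok"


def fly(tilt_samples: List[float], tilt_limit: float) -> Tuple[str, list]:
    """Feed a trajectory to the redundant pair; return (outcome, event log)."""
    primary, backup = Channel("primary", tilt_limit), Channel("backup", tilt_limit)
    active, log = primary, []
    for tilt in tilt_samples:
        status = active.process(tilt)
        log.append((active.name, tilt, status))
        if status == "hardware_error" and active is primary:
            # Failover to the backup: same software, same input, same verdict,
            # so redundancy buys nothing against a specification error.
            active = backup
            log.append((backup.name, tilt, backup.process(tilt)))
        if primary.faulted and backup.faulted:
            return "auto_destruct", log
    return "nominal", log


def envelope_ok(reused_limit: float, new_trajectory: List[float]) -> bool:
    """The pre-launch comparison the FAQ says nobody was positioned to make:
    does the new vehicle's trajectory stay inside the reused software's limit?"""
    return all(abs(t) <= reused_limit for t in new_trajectory)
```

Running `fly` with a trajectory that stays inside the old limit returns "nominal"; running it with a more inclined one returns "auto_destruct" even though two processors were available, while `envelope_ok` flags the mismatch before any flight.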