Small Things matter!: Ariane-5 and the Ada Compiler, Revisited

On 4 June 1996, the maiden flight of the Ariane 5 launcher ended in failure. Only about 40 seconds after initiation of the flight sequence, at an altitude of about 3700 m, the launcher veered off its flight path, broke up and exploded. IDMS/SQL News 5.3 (Aug 96) had carried the news about the Ariane-5 rocket failure. We had commented that it was due to a software error which sent wrong signals to the rocket, so that it took the wrong course. Here we take a second look at this disaster.


COMMENTS ON THE FAILURE SCENARIO

In the failure scenario, the primary technical causes are the Operand Error when converting the horizontal bias variable BH, and the lack of protection of this conversion which caused the SRI computer to stop.

It has been stated to the Board that not all the conversions were protected because a maximum workload target of 80% had been set for the SRI computer. To determine the vulnerability of unprotected code, an analysis was performed on every operation which could give rise to an exception, including an Operand Error. In particular, the conversion of floating point values to integers was analysed and operations involving seven variables were at risk of leading to an Operand Error. This led to protection being added to four of the variables, evidence of which appears in the Ada code. However, three of the variables were left unprotected. No reference to justification of this decision was found directly in the source code. Given the large amount of documentation associated with any industrial application, the assumption, although agreed, was essentially obscured, though not deliberately, from any external review.

More on this at http://www.esa.int/htdocs/tidc/Press/Press96/ariane5rep.html


Re-usable Component Error?

Today everyone is talking about re-usable component architecture. One example is the JavaBeans in the Java world. But it is interesting to note that the Ariane-5 disaster was caused by a reusable component error!

It is a reuse error. The SRI horizontal bias module was reused from 10-year-old software, the software from Ariane 4.

But this is not the full story:

It turns out that an integer overflow raised an (Ada) exception which halted the machine (which was the specified behaviour). In addition, the differences in object code between the tested and operational systems raise the issue of errors in the object code for the operational system. Such errors are most likely to occur due to an error in the compilation environment, although it is possible that other factors, such as human error (e.g. specifying the wrong version of a file when the code is recompiled) can be involved. For example, there are documented cases where Ada compilers generate the correct code when exceptions are not suppressed, but generate incorrect code (beyond the language's definition of "erroneous") when they are suppressed.

Today Java is introducing re-usable code in the form of JavaBeans. But read this:

It is regrettable that this lesson has not been heeded by such recent designs of Java (which added insult to injury by removing the modest assert instruction of C!), IDL (the Interface Definition Language of CORBA, which is intended to foster large-scale reuse across networks, but fails to provide any semantic specification mechanism), Ada 95 and ActiveX.

For reuse to be effective, Design by Contract is a requirement. Without a precise specification attached to each reusable component -- precondition, postcondition, invariant -- no one can trust a supposedly reusable component.
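To make the two points above concrete, the Operand Error on the unprotected conversion of BH and the Design by Contract remedy, here is an added example (not code from the IDMS/SQL News article, the Ariane report or the Eiffel page). It assumes a 16-bit signed integer target for BH; the function names, the saturating "protected" variant and the sample inputs are constructed for illustration.

```python
"""Added example (not code from the IDMS/SQL News article, the Ariane report or
the Eiffel page): the float to 16-bit integer conversion of the horizontal bias
BH, unprotected and protected, plus a Design by Contract precondition.
Limits, names and sample inputs are constructed for illustration."""
import functools
import math

INT16_MIN, INT16_MAX = -32768, 32767


class OperandError(Exception):
    """Stands in for the Ada exception the unprotected conversion raised."""


class ContractViolation(Exception):
    """Raised when a caller breaks a stated precondition."""


def bh_to_int16_unprotected(bh: float) -> int:
    """No guard: an out-of-range BH raises, the path that halted the SRI."""
    if math.isnan(bh) or not INT16_MIN <= bh <= INT16_MAX:
        raise OperandError(f"BH={bh} does not fit in a 16-bit integer")
    return int(bh)  # truncates toward zero; the rounding mode is not the point


def bh_to_int16_protected(bh: float) -> tuple:
    """Guard: saturate at the 16-bit limit and flag it, so the caller keeps
    running with a degraded value instead of stopping the computer."""
    if math.isnan(bh):
        raise OperandError("BH is not a number")
    clipped = max(INT16_MIN, min(INT16_MAX, bh))
    return int(clipped), clipped != bh


def requires(pred, message):
    """Design by Contract precondition, checked at the component boundary."""
    def deco(fn):
        @functools.wraps(fn)
        def wrapper(*args):
            if not pred(*args):
                raise ContractViolation(f"{fn.__name__}: {message}")
            return fn(*args)
        return wrapper
    return deco


# Constructed contract: the reused module silently assumed BH fits 16 bits;
# stating it as a precondition exposes the assumption to review and testing.
@requires(lambda bh: not math.isnan(bh) and INT16_MIN <= bh <= INT16_MAX,
          "horizontal bias must fit a 16-bit signed integer")
def alignment_step(bh: float) -> int:
    return bh_to_int16_unprotected(bh)
```

With the precondition stated at the interface, a BH outside the Ariane 4 envelope is rejected as a contract violation at the boundary of the reused component rather than surfacing as an unhandled Operand Error deep inside it.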


Just one more! What units are you talking about?

On July 23, 1983, Flight 143 from Montreal to Ottawa and on to Edmonton, flying one of the newest Boeing 767s, ran out of fuel in mid-air, glided, and crash-landed on an unused airstrip at Gimli, Manitoba, near Winnipeg. The problem arose from a miscalculation of the fuel needed, an error caused by mixing metric and imperial units (kg vs pounds). Luckily the pilot was a gliding expert who managed to save everyone on board and the plane. As an added coincidence, the Air Canada mechanics driving a van to Gimli to begin repairs ran out of gas on the back roads of Manitoba!


(from http://www.geocities.com/idmssql/idms93.htm )


LINKS:

http://www.flash.net/~kennieg/ariane.html

http://www.eiffel.com/doc/manuals/technology/contract/ariane/page.html