Interesting People mailing list archives

IP: Broke up on launch or you GOT to be kidding or FIRE the


From: Dave Farber <farber () central cis upenn edu>
Date: Mon, 26 Aug 1996 11:54:18 -0400

From: Fred <fred () cyrix com>


You can read the report on the causes of the Ariane 5 rocket crash, which
is available at:
  http://www.esrin.esa.it/htdocs/tidc/Press/Press96/ariane5rep.html


To summarize what happened:


 - An overflow occurred in the Inertial Reference System (SRI) computer when
converting a 64-bit floating point to 16-bit signed integer value.


 - There was no error handler for that specific overflow.  The default
handler (wrongly) shut down the SRI unit.


 - The standby SRI unit had previously shut itself down for the same reason.
The hot SRI and the standby were running the same software.


 - The shutdown caused the SRI to output a core dump on the bus.  The main
computer interpreted the core dump as flight data, causing such a violent
trajectory correction that the rocket disintegrated.


 - The SRI software had been ported from the previous generation rocket
Ariane 4.  The original software designers made a deliberate decision not to
protect the conversion because overflow could not occur due to the
physical characteristics of Ariane 4.


 - The program that failed was a pre-flight program, and should not have
been running during the flight.  (In the Ariane 4 design, this program was
allowed to run during flight to guard against some rare condition, but this
was a poor decision in the first place; when the software was ported to
Ariane 5 all justification for it was gone but nobody bothered to turn
it off.)


The investigation team concluded that the designers of the computer system
put in protections against hardware faults but did not take into account
software faults.  Furthermore the SRI had not been tested with realistic
Ariane 5 flight data, and there had been no integration tests of the SRI
with the rest of the new rocket.
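
An added example, not part of the original message and not code from the SRI software: a range-checked 64-bit float to 16-bit signed integer conversion in C, where an out-of-range input saturates and is marked invalid for the consumer instead of halting the unit. All names and the sample readings are hypothetical.

```c
#include <math.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical status codes; none of these names come from the SRI code. */
typedef enum { CONV_OK, CONV_SATURATED, CONV_INVALID } conv_status;

/* Range-checked double -> int16_t conversion. A plain (int16_t)x cast is
   undefined behaviour in C when the truncated value does not fit, so the
   range is tested first and out-of-range input saturates. */
conv_status to_int16_checked(double x, int16_t *out)
{
    if (isnan(x))      { *out = 0;         return CONV_INVALID; }
    if (x >= 32768.0)  { *out = INT16_MAX; return CONV_SATURATED; }
    if (x <= -32769.0) { *out = INT16_MIN; return CONV_SATURATED; }
    *out = (int16_t)x;  /* truncates toward zero, now known to fit */
    return CONV_OK;
}

/* What goes on the bus: the value plus an explicit validity flag, so a
   consumer never has to guess whether the word is measurement data. */
typedef struct {
    int16_t value;
    int     valid;      /* 0 = consumer must ignore value */
} bus_sample;

bus_sample make_sample(double reading)
{
    bus_sample s;
    conv_status st = to_int16_checked(reading, &s.value);
    s.valid = (st == CONV_OK);
    return s;
}

int main(void)
{
    /* Constructed readings: in range, near the limit, out of range, NaN. */
    const double readings[] = { 120.5, 32767.9, 40000.0, -1.0e9, NAN };
    size_t n = sizeof readings / sizeof readings[0];

    for (size_t i = 0; i < n; i++) {
        bus_sample s = make_sample(readings[i]);
        printf("%12.1f -> value=%6d valid=%d\n",
               readings[i], s.value, s.valid);
    }
    return 0;
}
```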

