Tema TTIT62 - Realtidsprocesser och reglering

 Fel som leder till fel

Den 4:e juni 1996, jungfrufärden av Ariane 5:s  bärraket slutade i en katastrof. Efter endast 40 sekunder från initialiseringen av flygprogrammet, vid en höjd av 3700 m tappade raketen sin kurs, bröt sönder och exploderade.

Omedelbart efter olyckan tillsattes en haverikommission. Kommissionen analyserade telemetridata från raketen upptill sista   stunden, trajektoriedata från markbundna radarstationer och optiska observationer, t.ex. kameror.

Haverikommissionens rapport som lades fram 19 juli 1996, pekar ut flera grundläggande orsaker i form av designfel  i programvara, odiciplinerad undantagshantering och brister i systemutvecklingsmetodik, i synnerhet vid kravspecifikation och testning.

Härnedan följer ett urklipp av  rapporten som återger händelsekedjan.

In general terms, the Flight Control System of the Ariane 5 is of a standard design. The attitude of the launcher and its movements in space are measured by an Inertial Reference System (SRI). It has its own internal computer, in which angles and velocities are calculated on the basis of nformation from a "strap-down" inertial platform, with laser gyros and accelerometers. The data from the SRI are transmitted through the databus to the On-Board Computer (OBC), which executes the flight program and controls the nozzles of the solid boosters and the Vulcain cryogenic engine,via servovalves and hydraulic actuators.

In order to improve reliability there is considerable redundancy at equipment level. There are two SRIs operating in parallel, with identical hardware and software. One SRI is active and one is in "hot" stand-by, and if the OBC detects that the active SRI has failed it immediately switches to the other one, provided that this unit is functioning properly. Likewise there are two OBCs, and a number of other units in the Flight Control System are also duplicated.

The design of the Ariane 5 SRI is practically the same as that of an SRI which is presently used on Ariane 4, particularly as regards the software.

Based on the extensive documentation and data on the Ariane 501 failure made available to the Board, the following chain of events,their inter-relations and causes have been established, starting with the destruction of the launcher and tracing back in time towards the primary cause.

The SRI internal events that led to the failure have been reproduced by simulation calculations. Furthermore, both SRIs were recovered during the Board's investigation and the failure context was precisely determined from memory readouts. In addition, the Board has examined the software code which was shown to be consistent with the failure scenario. The results of these examinations are documented in the Technical Report.

Therefore, it is established beyond reasonable doubt that the chain of events set out above reflects the technical causes of the failure of Ariane 501. 

 Simin Nadjm-Tehrani

Last Modified:  Thu  12 Jan 2006