On June 4, 1996, the maiden flight of the Ariane 5 rocket launched from French Guiana in South America, carrying a payload of research satellites.
37 seconds after liftoff, the rocket took a sharp unexpected turn and disintegrated 2 seconds later, spreading debris across the French Guianan coastline.
What could cause the newest rocket in the European Space Agency’s collection to explode after liftoff? Later investigation showed that critical design decisions made during Ariane 5 development exposed a software bug, both of which led directly to the incident.
Bug, Meet Rocket
The end result of ten years and over US$7 billion of research and development, the Ariane 5 is the European Space Agency’s main lifting spacecraft. It replaced the aging Ariane 4 system with an almost completely new design, and is still in use today.
Despite the massive redesign, parts of the Ariane 4 were re-used in the Ariane 5. Specifically, the intertial guidance system and the software it contained were used as they existed with no changes. In the Ariane 4, this system worked flawlessly, so there was no reason to think it wouldn’t also work in the Ariane 5 as well. However, this decision did not take into account another part of the new design.
The Ariane 5 used boosters and a main stage rocket with many times more thrust that the Arane 4. This not only enables the Ariane 5 to carry 2-3 times more mass to orbit than it’s predecessor, but also get there much much faster on a much steeper trajectory.
So why did that matter?
Rocket, Meet Bug
An inertial guidance system uses accelerometers and gyroscopes to keep track of the position of the rocket. These instruments provide data to the guidance computer, which uses these data to figure out the position of the rocket and make course corrections as needed.
The guidance instruments used in the Ariane 5 provide, among other data, a value called horizontal bias (BH) as 64-bit floating point number. A small BH means the rocket is accelerating slowly. Faster acceleration means a larger BH value.
The raw data gathered and reported by the guidance instruments needs to be processed by the guidance software. The BH value reported by the accelerometer as a 64-bit floating point value was captured by the guidance software in a 16-bit signed integer.
Put another way, the value reported by inertial instruments can be as large as:
$$1.8 \times 10^{308}$$
This value was then stored in a variable which can only hold a number between -32,768 and 32,767.
Let that sink in for moment.
If you’re like me, you’re first reaction was, "What?"
And your second reaction was, "Wait… What?"
And the third was, "Wait… so why didn’t the Ariane 4 have problems?"
The answer to the last question is relatively easy to answer. The performance of the Ariane 4 meant that the the BH value reported by accelerometers was always small enough that it never exceeded the size constraints of a 16-bit signed integer.
The Ariane 5, on the other hand, could easily accelerate fast and hard enough for the BH value reported by the accelerometer to exceed 32,767.
So what happens when you try to store a value larger than 32,767 in a signed integer?
Wrap Around
A signed integer can store both positive and negative numbers. Positive numbers are stored as their normal binary representation. Negative numbers are stored using a scheme called the two’s complement.
Calculating the two’s complement of a number consists requires two operations:
- Invert every bit in the positive number. That is, every
0becomes a1, and every1becomes a0. - Add 1 to that number.
For example, the positive number 7 is represented as the 8-bit binary number 0000 0111. To figure out how -7 is stored, you first flip the bits in 7 to give you 1111 1000, then add 1 to get 1111 1001.
One feature of the two’s complement scheme is that every negative number has the highest bit (or the leftmost bit) set to 1. This is a reliable indicator that a signed number is negative. It’s also the root cause of the software bug.
If you try to put 64 bits of data into a 16-bit space, only the bottom 16 bits will make it. If that space is an unsigned integer, those bits will always be zero or positive. However, if those 16-bits are signed, the value could be interpretted as negative, if the highest bit turns out to be 1.
Let’s see an example. Suppose you have the number 32,767 stored in an signed integer. That will be stored as 0111 1111 1111 1111 — no problem. When you try to store 32,768 in that same signed integer, it gets stored as 1000 0000 0000 0000.
But remember, in a signed integer if the highest bit is 1, the number is negative, so these same bits aren’t interpreted as 32,768. In fact, these bits are interpreted as -32,768.
In effect, the number wraps around from maximum positive (32,767) to minimum negative number (-32,768).
Practical Matters
So imagine that your accelerometer reports ever increasing BH values as 64-bit floating point numbers. These values are reported to the guidance computer, which stores them in a signed integer variable designed to track which way the rocket is moving. As the rocket accelerates, that value grows, eventually getting to 22,000… 25,000… 30,000… 32,000… then 33,000.
The guidance computer stores the positive integer 33,000 in the BH variable. However, since BH is signed, the guidance software interprets it as the negative integer -32,536.
In other words, the software now thinks your rocket just stopped moving up very fast, and started moving down very fast. So it needs to correct the situation.
In the case of the Ariane 5, that flip from a big positive number to a big negative number happened roughly 37 seconds after lift-off. The guidance computer tried to correct for what it thought was radical heading change, turning the rocket sharply. Within two seconds, the forces on the rocket from this correction caused the rocket to spontaneously disassemble, created a 12 square kilometer debris field.
Lessons Learned
Finding this issue led to better testing of guidance software and more scrutiny of reused components between rockets. The guidance system was completely overhauled for the Ariane 5 flight profile and updated guidance hardware. Since then, the Ariane 5 has had 97 successful launches with only 4 additional failures. none of which approach the scale of its maiden flight.
References:
https://www.bugsnag.com/blog/bug-day-ariane-5-disaster
http://www-users.math.umn.edu/~arnold/disasters/ariane.html
https://en.wikipedia.org/wiki/Cluster_(spacecraft)#Launch_failure
https://en.wikipedia.org/wiki/Ariane_5
UPDATE: 14. Feb 2024: Some formatting changes and a typo.