CASE: ARIANE 5 FLIGHT 501

The Ariane 5 Flight 501 was an unmanned test flight sponsored by the European Space Agency as part of the development of its Ariane 5 system. The flight, which consisted of a cluster of four rockets, came to an end when the rockets self-destructed due to a computer error. The error arose from a particular kind of arithmetic error that could have been prevented if the program developers had not decided to gain efficiency by gambling that such an error would not occur. The bug did not cause a loss of life, but it did result in a loss of $3.5 million and was included on Wired magazine’s 2005 list of the ten worst bugs in history.

Numbers can be stored in a computer in a variety of ways. One type of numeric value, a floating point number, is similar to scientific notation, used in the natural sciences. For example, using scientific notation, one might represent the number 250,000,000 as 2.5 × 108 . Floating point numbers are useful in programming because they allow the program to handle a larger range of magnitudes than would otherwise be possible. In fact, many of the calculations done today in scientific applications would be impossible without the use of floating point numbers. The downside to floating point numbers is a loss of precision. For example, representing exactly the number 1.23 × 1045 would require 46 digits. To be precise, the representation 1.23 × 1045consists of a number of significant digits (in this case the digits 1, 2, and 3) and a scale factor or magnitude (in this case, 45). The number of significant digits determines the precision, while the number of digits in the scale factor determines the range of magnitudes.

We could, for example, choose to represent a floating point number by exactly five digits. We could choose to have the last two of those five digits represent the magnitude, and the first three the digits of precision. In that case, we would have three significant digits followed by two digits of magnitude. We could also assume a decimal point after the first digit. We could, therefore, represent a very large range of numbers using just five decimal digits. In our discussion, we will prefix floating point numbers with an ‘F’ to avoid confusing them with integers. For example, the floating point number F12345 would represent 1.23 × 1045, with the decimal point and the power of ten assumed. Similarly, the floating point number F62131 would represent 6.21 × 1031 and F72003 would represent 7.20 × 1003. The problem with using such a notation is that we lose precision; many numbers will have the same representation because we have only three significant digits. For example, if we were using our five-digit scheme as just described, all of the integers, 123451, 123452, 123453, 123454, 123455, and numerous others, would be represented as the floating point number F12305, which represents 1.23 × 105 . Also, if we are limited in the number of digits we allow in an integer, some floating point numbers cannot be represented as integers. Suppose for example, a computer had a limit of five decimal digits for any integer. Then the floating point number F12311, which represents 1.23 × 1011, could not be represented in that computer as an integer because the integer it represents would require twelve digits, seven more than the maximum allowed. If we programmed such a computer to convert F12311 to an integer, an error would occur when we tried to put twelve digits in a memory cell that had room for only five. That kind of error is called an “arithmetic overflow.” In a computer, of course, numbers are not represented with decimal digits, but with binary digits (bits). The same principles apply to binary digits as to decimal digits, but all digits are either one or zero. In the computer system used in the Ariane 5, floating point numbers were represented as sixty-four bits and integers were represented as either sixteen bits or thirty-two bits. Another complication that we have omitted is that computers must allow for negative numbers and for negative magnitudes to represent small fractions. That simplification will not affect the discussion of any of the cases we consider.

The first fifty seconds of the Ariane 5 flight were controlled by a software system that had been reused from the earlier Ariane 4 system. Unfortunately, the Ariane 5 accelerated much faster than the Ariane 4, forcing the old software to deal with values that became larger much faster than in the old system. At one point, a 64-bit floating point number, which was converted to a 16-bit integer, proved too large to fit into 16 bits. This caused an arithmetic overflow error, as explained above. This error ultimately caused the destruction of the rockets. The whole problem could have been avoided. The software did not contain errorhandling code that would have been able to deal with an arithmetic overflow of the type generated during the Ariane 5 flight. This error-handling code was left out to make the software run more efficiently.

The program monitored seven key values stored as variables. Seven of those variables were at risk of overflowing, but only four were protected by errorhandling code. In an investigation after the fact, a memorandum turned up indicating that there was a plan to add code later that would have protected the other three variables. However, the memorandum did not explain why these variables were ultimately not protected. All we know is that the error was not detected and no corrective action was taken.

A further irony was that, at the time the software failed, the specific program that failed was not actually doing anything useful. The code containing the unprotected variable was there to stabilize the rockets during the countdown period. That code had no real function after liftoff, but continued to run for an additional forty seconds after liftoff in case something happened during the countdown to delay the flight. The additional forty seconds was to give the ground equipment time to resume control of the rockets. The error occurred well after liftoff, just four seconds before the software would have stopped executing. The result was a 3.5 million dollar accident.