The Ariane 5 Flight 501 Failure - A Case Study in System Engineering for Computing Systems
Abstract
The report issued by the Inquiry Board in charge of inspecting the Ariane 5 flight 501 failure concludes that the causes of the failure are rooted in poor software (S/W) engineering practice. From the failure scenario described in the Inquiry Board report, it is possible to infer what, in our view, are the real causes of the 501 failure. We develop arguments to demonstrate that the real causes of the 501 failure are neither S/W specification errors nor S/W design errors. The real causes of the failure are faults in the capture of the overall Ariane 5 application/environment requirements, and faults in the design and the dimensioning of the Ariane 5 on-board computing system. These faults result from not following a rigorous System Engineering approach, such as applying a proof-based System Engineering method. What proof-based System Engineering for Computing Systems is, is also briefly presented.

DISCLAIMER: This analysis is meant, hopefully, to help those partners in charge of and involved in the Ariane 5 programme. System engineers cannot be "blamed" for not having applied a proof-based System Engineering method, given that it is only recently that such methods have emerged. This analysis is also meant, hopefully, to explain why it is inappropriate to "blame" S/W engineers.

Résumé (French abstract, translated): The report of the Inquiry Board set up following the failure of qualification flight 501 of the Ariane 5 launcher attributes the causes of this failure to software engineering errors. From the failure scenario described in the official report, it is possible to identify what, in our view, are the true causes of the failure of flight 501. We present arguments intended to demonstrate that the causes are neither software specification errors nor software design errors.
The true causes of the failure are faults in the capture of the application requirements and environment assumptions relating to Ariane 5, as well as faults in the design and dimensioning of the computing system embedded on board Ariane 5. These faults stem from the lack of a rigorous System Engineering method, for example the absence of a method imposing proof obligations. We briefly present what proof-based System Engineering for computing systems is.
Similar references
An analysis of the Ariane 5 flight 501 failure-a system engineering perspective
The report issued by the Inquiry Board in charge of inspecting the Ariane 5 flight 501 failure concludes that the causes of the failure are rooted in poor S/W Engineering practice. From the failure scenario described in the Inquiry Board report, it is possible to infer what, in our view, are the real causes of the 501 failure. We develop arguments to demonstrate that the real causes of the 501 f...
Proof-Based System Engineering and Embedded Systems
We introduce basic principles that underlie proof-based system engineering, an engineering discipline aimed at computer-based systems. This discipline serves to avoid system engineering faults. It is based upon fulfilling proof obligations, notably establishing proofs that decisions regarding system design and system dimensioning are correct, before embarking on the implementation or the fieldi...
ARIANE 5 Flight 501 Failure
FOREWORD On 4 June 1996, the maiden flight of the Ariane 5 launcher ended in a failure. Only about 40 seconds after initiation of the flight sequence, at an altitude of about 3700 m, the launcher veered off its flight path, broke up and exploded. Engineers from the Ariane 5 project teams of CNES and Industry immediately started to investigate the failure. Over the following days, the Director G...
Optimal nonlinear control of flight faults in manned aircraft in the presence of fault and failure of control actuato
Control actuator faults are among the major reasons for losing aircraft control during flight. The plane dynamics are severely dependent upon faults and errors in flight control systems, and if the reformed control order is not issued by the fault-tolerant controller, there would be unpleasant outcomes such as inconsistency, the reduction of system performance and some dreadful aerial accide...
MTBF evaluation for 2-out-of-3 redundant repairable systems with common cause and cascade failures considering fuzzy rates for failures and repair: a case study of a centrifugal water pumping system
In many cases, redundant systems are beset by both independent and dependent failures. Ignoring dependent variables in the MTBF evaluation of redundant systems hastens the occurrence of failure, causing it to take place before the expected time, hence decreasing safety and causing irreversible damage. Common cause failure (CCF) and cascading failure are two varieties of dependent failures, both l...