The Ariane 5 software reused the specifications from the Ariane 4, but the Ariane 5's flight path was considerably different and outside the range for which the reused code had been designed. Specifically, the Ariane 5's greater acceleration caused the back-up and primary inertial guidance computers to crash, after which the launcher's nozzles were directed by spurious data. Pre-flight tests had never been performed on the re-alignment code under simulated Ariane 5 flight conditions, so the error was not discovered before launch.

Because of the different flight path, a data conversion from a 64-bit floating-point value to a 16-bit signed integer caused a hardware exception (more specifically, an arithmetic overflow, as the floating-point number was too large to be represented by a 16-bit signed integer). Efficiency considerations had led to the disabling of the software handler (in Ada code) for this error trap, although other conversions of comparable variables in the code remained protected. This led to a cascade of problems, culminating in destruction of the entire flight.

4 June 1996, Kourou, French Guiana, ESA
Maiden flight of the new European booster rocket (weight: 740 t, payload 7-18 t) with 4 Cluster satellites
Development costs in 10 years: DM 11,800 million (approx. USD $6 Million)

--------------------------------------------------------------------------------

Ada source code of Ariane 5's inertial navigation software system (cutout):

Note: 37 seconds after ignition, Ariane 5 reached an altitude of 3700 m with a horizontal speed of 32768.0 (internal units).

    ...
    declare
        horizontal_veloc_sensor: float;                  -- data type => 64-bit floating point
        horizontal_veloc_bias: integer;
        last_valid_horizontal_veloc_bias: integer := 0;
        ...
    begin
        declare
            pragma suppress(numeric_error, horizontal_veloc_bias);       -- turned off error trap for efficiency
        begin
            sensor_get(horizontal_veloc_sensor);
            horizontal_veloc_bias := integer(horizontal_veloc_sensor);   -- cast 64-bit float to a 16-bit signed int
            calculate_horizontal_veloc(horizontal_veloc_bias);           -- Blew up here 37 sec after liftoff due
            last_valid_horizontal_veloc_bias := horizontal_veloc_bias;   -- to suppression of numeric_error
            ...                                                          -- since float conversion to int exceeded 32,767
        exception
            when numeric_error => calculate_horizontal_veloc(last_valid_horizontal_veloc_bias);
            when others => use_irs1;
        end;
    end irs2;
    -- NOTE: above worked fine in Ariane 4's software!

--------------------------------------------------------------------------------

Effect:

The horizontal speed of 32768.0 (internal units) was about five times higher than with Ariane 4. The cast to an integer led to an overflow which was not intercepted, since numeric_errors were suppressed. The spare computer had hit the same problem 72 ms earlier and switched itself off after sending diagnostic data to the central processor (and ground control), where it was interpreted as flight path data. As a result, unreasonable control instructions were given to the tiltable solid-propellant engines in order to correct the large flight deviations (over 20 degrees). The rocket sustained G-forces that broke it apart 39 seconds into launch.

An intensive test of the navigation and central processors had not been undertaken beforehand, since the software had been used in Ariane 4 without incident.

Damage:

- DM 250 million launch costs
- DM 850 million Cluster satellites
- DM 600 million for subsequent improvements
- Loss of wages for 2 to 3 years

The next test flight could take place only 17 months later; its first stage terminated its firing prematurely. The first commercial flight took place in December 1999.
--------------------------------------------------------------------------------

Tragedy:

The problematic program section was needed only for launch preparation and the launch itself. For safety reasons it was to stay active only for a transition period of 50 seconds, until the ground station would have taken over control in the event of an interrupted launch. Despite the completely different behavior of the Ariane 5, this value was not reconsidered.

Optimization:

Only 3 of the 7 variables were checked for overflow. For the other 4 variables, proof existed that the values would remain small enough (Ariane 4). These proofs did not apply to the Ariane 5, however, and were never redone for it. This is the problem of software re-use!

Unbelievable, after 40 years of experience with software errors: the program design assumed that only hardware errors could occur! That is why the spare computer ran the identical software. The system specification stated that in the event of an error the computer was to switch itself off and the spare computer was to take over. Restarting a computer was not considered meaningful, since re-determining the flight altitude is too complex.

HP: The attempt to launch 4 new Cluster satellites succeeded in July and August 2000 with two Russian booster rockets.

Source: http://www-aix.gsi.de/~giese/swr/ariane5.html
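
The conversion discussed above, written with the range check left in place. This is an added example, not part of the original page or the Ariane flight software, and it is in C rather than Ada. The names `to_int16_checked`, `bias_state` and `update_bias` are hypothetical, and the sample values are constructed apart from the 32768.0 quoted on the page.

```c
#include <math.h>      /* NAN */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Range-checked double -> int16_t conversion (truncates toward zero).
 * Returns false and leaves *out untouched for NaN, infinities and any value
 * whose truncation does not fit. An unchecked (int16_t)x on such a value is
 * undefined behaviour in C. */
bool to_int16_checked(double x, int16_t *out)
{
    /* Open interval (-32769, 32768) truncates into [-32768, 32767];
     * NaN fails both comparisons, so it is rejected as well. */
    if (!(x > -32769.0 && x < 32768.0))
        return false;
    *out = (int16_t)x;
    return true;
}

/* Hypothetical state, named after the page's last_valid_horizontal_veloc_bias. */
typedef struct {
    int16_t  last_valid;  /* last sample that converted cleanly */
    unsigned rejected;    /* out-of-range samples seen, for telemetry */
} bias_state;

/* On a failed conversion, reuse the last valid value (what the page's
 * numeric_error handler does) instead of letting the fault take the unit down. */
int16_t update_bias(bias_state *s, double sensor)
{
    int16_t v;
    if (to_int16_checked(sensor, &v))
        s->last_valid = v;
    else
        s->rejected++;
    return s->last_valid;
}

int main(void)
{
    /* Constructed samples; 32768.0 is the value quoted on the page. */
    const double samples[] = { 1200.5, 32767.9, 32768.0, NAN, -32768.9 };
    bias_state s = { 0, 0 };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int16_t bias = update_bias(&s, samples[i]);
        printf("%10.1f -> %6d (rejected: %u)\n", samples[i], bias, s.rejected);
    }
    return 0;
}
```

The `rejected` counter keeps the out-of-range event visible to monitoring while the computation continues on the last good value, so a range violation is neither silently swallowed nor allowed to shut the unit down.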