There is a strange paradox in computer science. When something goes wrong, everybody talks about it, but when it is the other way around, hardly anybody notices it. The second Ariane 5 launch was not immune to this paradox. INRIA was significantly involved in this second launch.
The success of the second Ariane 5 launch last year partly erased the unfortunate memories of the previous failure. It is now possible to draw a few lessons from the event with a little more serenity than previously. Following the 1996 accident, engineers quickly realized that it had been caused by a software problem. An Enquiry Board was appointed, under the direction of the President of the Academy of Science, Jacques-Louis Lions. This committee brought together several European engineers and scientists, with the participation of Gilles Kahn, Vice-President for Science, INRIA. The committee issued a certain number of recommendations. One of the recommendations was to seek external collaborations, hence INRIA's involvement.
What had happened? A rather bizarre incident: the malfunctioning of a peripheral component, whose role was nonetheless central, and which had already proved its worth 23 times aboard Ariane 4. It was an inertial reference system - both hardware and software bought off the shelf - which served in particular to orient the rocket. In addition, for this first Ariane 5 flight, engineers were primarily concerned about testing the separation of the two powder boosters situated on each side of the launcher, which was one of the objectives of the mission. The moral of the story is that the complexity of software problems deserves utmost attention.
In particular, software verification faces a very specific difficulty. The question is: "Is there a latent design fault?", explains Gilles Kahn. To answer this question, a sufficiently diverse range of situations must be tested, on the one hand with simulation methods and, on the other, with reasoning and verification tools. This latter task was assigned to Alain Deutsch and Georges Gonthier at INRIA. It was a formidable task, if you consider that it required combing through the whole set of software used during the flight.
Indeed, says Gilles Kahn, between Ariane 4 and Ariane 5, the volume of software increased more than tenfold, now reaching some 80,000 lines of code. This software regulates the various flight phases (take-off, stage separation, etc.). The main tool used by scientists was static analysis, which studies the properties of the code itself and complements the numerous tests already carried out. The effects of floating point overflow and of access to shared, unprotected resources had to be studied, among others. Beyond the Ariane 5 success, this application of static analysis to such an emblematic industrial case demonstrated, if need be, that the theoretical research and tools that have been developed at the Institute for many years on this subject have a major impact on the economic world. Today there is a demand, and thus a market, for this kind of tool.
Contact: Gilles Kahn,
Vice-President for Science, INRIA
Tel.: +33 1 39 63 51 22
Gilles.Kahn@inria.fr