The failures of the Therac-25 and the Ariane 5 are important ones in
the history of software engineering. Henry Petroski's book, Design
Paradigms, stresses the importance of learning from past engineering
failures. This paper analyzes the two failures in the context of Petroski's
book.

The Ariane 5 is a launcher that failed on June 4th, 1996.
Approximately forty seconds after lifting off, at an altitude of 3700
meters, the launcher initiated its self-destruct mechanism. The conversion
of a 64-bit number to a 16-bit number caused an operand error in the
Inertial Reference System. In reaction to the error, the Inertial Reference
System shut down, as did the backup system, since it was given the same
input. As a result the on-board computer received invalid data for the
launcher's horizontal velocity. This invalid data caused a change in the
launcher's trajectory and the eventual self-destruction.

The Therac-25 is a software-controlled radiation therapy machine.
Between June 1985 and January 1987 six different accidents with the
Therac-25 occurred. All of the accidents involved significant overdoses and
serious injuries, some resulting in the death of the patient. The
Therac-25 failed in more than one way; however, all of the failures were
eventually deemed to have been caused by race conditions in the software.

The underlying reasons for the failures of the Ariane 5 and the
Therac-25 can be explored in the context of Petroski's Design Paradigms. In
the case of the Ariane 5, the Inertial Reference System continued to operate
after lift-off even though its operation was no longer necessary. It
continued to operate only because the design of the Ariane 5 was a
modification of that for the Ariane 4, which required continued operation.
The Therac-25 reused software from the Therac-20, which was assumed to be
correct because it had functioned in the Therac-20. Petroski warned against
the blind modification of designs that have proved successful in the past
through the example of the Tacoma Narrows Bridge. The Ariane 5 failure could
have been prevented had the Inertial Reference System and its backup failed
independently. The Therac-25 relied solely on its software for safety, while
the Therac-20 also included hardware backups. These oversights violated
Petroski's emphasis on the importance of including multiple factors of
safety in critical designs. The failure mode of the Inertial Reference
System in the Ariane 5 was to shut itself down. This is a case of not
recognizing potential failures and hence not designing with the goal of
obviating them. Petroski gives the example of the tubular bridge design
that had problems with the air quality within the bridge. The bridge design
itself was sound, but the designers did not see the air quality as a
potential problem.

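The two Ariane 5 points above, the unchecked 64-bit to 16-bit narrowing and the backup that failed on the same input, can be made concrete in code. The following C program is an added illustration and is not part of the essay or of any flight software; the original Inertial Reference System was written in Ada, where the out-of-range conversion raised an exception, whereas C narrows silently, so the program also shows how to detect that loss after the fact. The sample value 40000, the channel model and the function names are constructed for the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed example, not Ariane flight code: a 64-bit value standing in
   for a sensor reading that must be narrowed to a 16-bit field. */

/* Unchecked narrowing, the pattern behind the Ariane 5 loss. In C the
   high bits are simply dropped (the result is implementation-defined);
   in the original Ada code the same narrowing raised an operand error. */
int16_t narrow_unchecked(int64_t v) {
    return (int16_t)v;
}

/* Detects after the fact that an unchecked narrowing lost information:
   widen the result back and compare it with the original. */
bool narrow_lossy(int64_t v) {
    return (int64_t)narrow_unchecked(v) != v;
}

/* Checked narrowing: report whether the value fit and saturate instead of
   aborting, so the caller gets a bounded value plus a fault flag rather
   than a shut-down channel. */
bool narrow_checked(int64_t v, int16_t *out) {
    if (v > INT16_MAX) { *out = INT16_MAX; return false; }
    if (v < INT16_MIN) { *out = INT16_MIN; return false; }
    *out = (int16_t)v;
    return true;
}

/* Channel model (constructed): a channel that hits an unhandled range
   error shuts itself down, which was the Ariane 5 failure mode; a channel
   that handles the error keeps running with a flagged, saturated value. */
typedef struct {
    bool alive;      /* false once the channel has shut itself down */
    bool fault;      /* range error seen on the last sample */
    int16_t value;   /* narrowed output */
} Channel;

/* Feed one sample to a channel. */
void channel_step(Channel *c, int64_t sample, bool handle_range_error) {
    if (!c->alive) return;
    bool ok = narrow_checked(sample, &c->value);
    c->fault = !ok;
    if (!ok && !handle_range_error) c->alive = false;
}

/* Run n identical channels on the same sample and return how many remain
   alive. Identical channels fed identical input fail together, which is
   why a hot backup gave the Ariane 5 no protection against this error. */
int channels_alive(int64_t sample, int n, bool handle_range_error) {
    int alive = 0;
    for (int i = 0; i < n; i++) {
        Channel c = { true, false, 0 };
        channel_step(&c, sample, handle_range_error);
        if (c.alive) alive++;
    }
    return alive;
}

int main(void) {
    /* Constructed input: well outside the int16_t range. */
    int64_t sample = 40000;
    int16_t v;
    bool ok = narrow_checked(sample, &v);
    printf("unchecked: %d (lossy=%d)\n", narrow_unchecked(sample), narrow_lossy(sample));
    printf("checked:   %d ok=%d\n", v, ok);
    printf("2 channels, error unhandled, still alive: %d\n", channels_alive(sample, 2, false));
    printf("2 channels, error handled,   still alive: %d\n", channels_alive(sample, 2, true));
    return 0;
}
```

Run with the constructed value, both unhandled channels shut down while both handled channels stay alive with a saturated value and a raised fault flag; the redundancy only helps once the failure mode itself is anticipated, which is the point the essay draws from Petroski.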
Given the above examples one can easily conclude that had the
designers of the Ariane 5 and Therac-25 read Petroski's Design Paradigms the
failures of the systems would not have occurred.