Ariane 5: The software reliability verification process: The ARIANE 5 Example

摘要

The Ariane 501 flight failed after 38 seconds. The origin of the failure has been identified in the software of an onboard equipment which is used to compute the trajectory in real time.rnThis failure leads to question the maturity and controllability of the software development technology. The challenge was to get confidence in the critical software pieces and obtain evidence of the software reliability before proceeding with the next flight.rnIn order to solve this problem, the inquiry Board recommended to set up a new organisation for software development management. As a consequence, a new responsibility has been put on AEROSPATIALE to be the " Software Architect " of the program. One of the goals was to verify all critical software pieces of ARIANE 5, and to demonstrate (as far as possible) that no failure could lead to catastrophic consequences, either by failure avoidance (detection and suppression of errors), or by failure tolerance (robustness to real time failures).rnWe describe the roles and objectives of the Software Architect for software verification. We mainly focus on the software verification process and, the tools which have been used to support and automate part of the verification process. These tools have been successfully used to verify the two most complex software products of the launcher : the Inertial Measurement Unit and the Centralised Flight Software.