Ariane 5 Exploded Because It Reused Ariane 4's Code

On June 4, 1996, at 12:34 UTC, the maiden Ariane 5 lifted off from Kourou with four Cluster magnetosphere satellites worth around $370 million in the fairing. Thirty-seven seconds later, it shredded itself over the jungle. The cause was not a manufacturing defect or a fueling error. It was a line of Ada code that had worked perfectly fine on Ariane 4.

The inertial reference system on both rockets ran a pre-launch alignment routine. On Ariane 4, that routine was allowed to keep running for about 40 seconds after lift-off as a hedge against a launch hold. On Ariane 5, it served no purpose at all after the rocket left the pad — but the code stayed in. Ariane 5 also accelerated harder horizontally than its predecessor, so a variable called BH, the horizontal bias, started taking values the older rocket had never produced.

When the alignment code converted that 64-bit floating-point BH into a 16-bit signed integer, it overflowed. The Ada runtime raised an operand-error exception. Engineers had explicitly considered which conversions to protect; they protected four of seven, on the reasoning that the CPU was already at 80 percent and the unprotected ones were physically bounded — on Ariane 4. The unhandled exception killed the active SRI, which then handed the on-board computer a diagnostic word the computer happily read as flight data. The boosters and main engine slewed to the stops, the airframe pitched past 20 degrees, and the self-destruct fired.

The inquiry board, chaired by Jacques-Louis Lions, delivered its report inside six weeks. The recommendation that landed hardest was the simplest: do not reuse safety-critical software without re-verifying every assumption it bakes in.