Inertial reference system software reused from Ariane 4 contained a 64-bit float to 16-bit signed integer conversion. Ariane 5 was faster than Ariane 4, so horizontal velocity exceeded 32,767 and overflowed. Both primary and backup systems ran identical code.
The $370 million failure led to one of the most thorough software failure analyses ever published. The investigation board's report became a foundational document in software engineering education.
The Incident
On June 4, 1996, the European Space Agency's Ariane 5 rocket — carrying four Cluster satellites worth $370 million — veered off course 37 seconds after its maiden launch from French Guiana and self-destructed.
The Root Cause
The inertial reference system (SRI) software was reused from the Ariane 4 rocket. It contained a conversion from a 64-bit floating-point number representing horizontal velocity to a 16-bit signed integer. On Ariane 4, this value never exceeded 32,767 — the maximum value a 16-bit signed integer can hold. Ariane 5 was faster. The value overflowed.
The overflow caused the SRI to crash and send diagnostic data to the flight computer. The flight computer interpreted this diagnostic data as flight data, calculated that the rocket was wildly off course, and commanded the nozzles to correct — swinging them to their maximum deflection. The resulting aerodynamic forces tore the rocket apart. The self-destruct system activated.
The backup inertial reference system — the one designed to take over if the primary failed — contained identical software. It had already failed in the identical way, 72 milliseconds earlier.
The Pattern
The Ariane 5 failure is the canonical example of three compounding failures: code reuse without revalidation of assumptions (Ariane 4's speed constraints did not apply to Ariane 5), identical backup systems (redundancy without diversity is not redundancy), and a software error converting into a physical catastrophe through a chain of misinterpretation.
Why It Matters
The backup system failed identically because it was identical. This single fact has been cited in thousands of engineering courses, papers, and safety standards. If your backup runs the same code, it will fail the same way. Redundancy requires diversity — in implementation, in assumptions, in failure modes.