European Space Agency

The Inquiry Board's Recommendations

R1      Switch off the alignment function of the inertial reference
        system immediately after lift-off. More generally, no software
        function should run during flight unless it is needed.

R2      Prepare a test facility including as much real equipment
        as technically feasible, inject realistic input data, and perform
        complete, closed-loop, system testing. Complete simulations must
        take place before any mission. A high test coverage has to be
        obtained.

R3      Do not allow any sensor, such as the inertial reference
        system, to stop sending best-effort data.

R4      Organise, for each item of equipment incorporating
        software, a specific software qualification review. The
        Industrial Architect shall take part in these reviews and report
        on complete system testing performed with the equipment. All
        restrictions on use of the equipment shall be made explicit for
        the Review Board. Make all critical software a Configuration
        Controlled Item.


R5      Review all flight software (including embedded software),
        and in particular:

R6      Wherever technically feasible, consider confining
        exceptions to tasks and devise backup capabilities.

R7      Provide more data to the telemetry upon failure of any
        component, so that recovering equipment will be less essential.

R8      Reconsider the definition of critical components, taking
        failures of software origin into account (particularly single-
        point failures).

R9      Include external (to the project) participants when
        reviewing specifications, code and justification documents. Make
        sure that these reviews consider the substance of arguments,
        rather than check that verifications have been made.

R10     Include trajectory data in specifications and test
        requirements.

R11     Review the test coverage of existing equipment and extend
        it where deemed necessary.

R12     Give the justification documents the same attention as
        code. Improve the technique for keeping code and its
        justifications consistent.

R13     Set up a team that will prepare the procedure for
        qualifying software, propose stringent rules for confirming such
        qualification, and ascertain that specification, verification and
        testing of software are of a consistently high quality in the
        Ariane-5 Programme. Inclusion of external RAMS (Reliability,
        Availability, Maintainability, Safety) experts is to be
        considered.

R14     A more transparent organisation of the cooperation among
        the partners in the Ariane-5 Programme must be considered. Close
        engineering cooperation, with clear-cut authority and
        responsibility, is needed to achieve system coherence, with
        simple and clear interfaces between partners.