ARIANE 5 ON BOARD SOFTWARE : REDUNDANCY MANAGEMENT by Miramont, Philippe
HAL Id: hal-02271023
https://hal.archives-ouvertes.fr/hal-02271023
Submitted on 26 Aug 2019
HAL is a multi-disciplinary open access
archive for the deposit and dissemination of sci-
entific research documents, whether they are pub-
lished or not. The documents may come from
teaching and research institutions in France or
abroad, or from public or private research centers.
L’archive ouverte pluridisciplinaire HAL, est
destinée au dépôt et à la diffusion de documents
scientifiques de niveau recherche, publiés ou non,
émanant des établissements d’enseignement et de
recherche français ou étrangers, des laboratoires
publics ou privés.
ARIANE 5 ON BOARD SOFTWARE:
REDUNDANCY MANAGEMENT
Philippe Miramont
To cite this version:
Philippe Miramont. ARIANE 5 ON BOARD SOFTWARE : REDUNDANCY MANAGEMENT. 2nd
Embedded Real Time Software Congress (ERTS’04), 2004, Toulouse, France. ￿hal-02271023￿
    
  
 
 
 
2nd European Congress ERTS - 1 - 21 – 22 – 23 January 2004 
 
SESSION 4A: FAULT TOLERANCE 
 
Philippe MIRAMONT 
Embedded Software Project Engineer 
Ariane 5 Project  
 
Centre National d'Etudes Spatiales 
Launchers Directorate   
91 023 Evry – France 
Phone: +33 1 60 87 71 36 
Fax: +33 1 60 87 72 68 
PHILIPPE.MIRAMONT@CNES.FR 
 
 
 
BIOGRAPHICAL 
 
9 1990 Engineer from E.N.S.E.A (Ecole Nationale Supérieure de l'Electronique et de ses 
 Applications) 
  
9 1991/1998 ( 7 years) S.A.G.E.M  
 Development of INS/GPS embedded software for Mirage aircraft (Mirage 2000 E , …) 
 Embedded software responsible for military aircraft retrofit (Mirage III, Sukhoi 30 …) 
9 1998/2003 (5 years)  C.N.E.S  
 Embedded software responsible for Ariane 5 +development. 
 
 
KEYWORDS 
 
Embedded Software 
FDIR 
Ariane 5 
Redundancy 
 
 
ARIANE 5 ON BOARD SOFTWARE: 
REDUNDANCY MANAGEMENT 
 
 
 
ABSTRACT 
 
Ariane 5 software, embedded both in the 
OBC (On Board Computer) and in electrical 
equipments, deal with Flight control sub-system 
management, Flight Management activities but also 
with Telemetry and Safeguard sub-system.  
Flight Program Software (FPS) embedded in 
each OBC (nominal and back-up), deals as well with 
FDIR (Fault Detection Isolation and Recovery) 
management. This, by using avionics redundancies 
and taking system and electrical architecture into 
account in order to reach the high level of reliability 
required for the Ariane 5 launcher. The running of 
FPS in nominal and back-up OBC is not dynamically 
    
  
 
 
 
2nd European Congress ERTS - 2 - 21 – 22 – 23 January 2004 
similar due to the fact that, at one time, only one 
OBC controls both electrical chains through two 
MIL-STD-1553B buses. Therefore, the FDIR and the 
FPS redundancy management in each OBC (nominal 
and back-up) are quite different.  
Regarding to equipments, even if most of 
them are redundant (except those used for telemetry 
functions), their associated embedded software 
running are identical for both the nominal and the 
redundant. All equipments are remote terminals on 
the two redundant MIL-STD-1553B buses (except 
those used for telemetry which are only spies) and so, 
do not manage any system or avionics 
reconfiguration.  
This paper presents the algorithms and 
mechanisms implemented in the A5 embedded 
software (mainly in the FPS running in OBC's) which 
deal with FDIR and redundancy management. 
 
 
INTRODUCTION 
  
 In November 1987, Ministers in charge of 
Space activities of each country member of ESA 
(European Space Agency), voted and decided the 
development of the Ariane 5 launcher. Ariane 5 is an 
ESA Program and, as for all the preceding Ariane 
programs, CNES (French National Space Agency) 
was designated as Prime Contractor. CNES Launcher 
Directorate, located in Evry (France), has been in 
charge of the Ariane 5 launcher development, both in 
term of technical and management activities.  
 The new Ariane 5 Launcher has been 
qualified in October 1998 (Flight 503). Since, then, 
several progressive improvement of the baseline 
Ariane 5 launcher have been approved and financed 
in order to increase its performances and reach a 
large variety of missions. In parallel, an ambitious 
program of production cost reduction has been 
implemented in order to consolidate its rank in the 
global satellite launch market. Whatever the Ariane 5 
configuration, and in order to maintain the same level 
of reliability required for the launcher, the general 
Avionics architecture has not been modified since the 
first version of Ariane 5. 
1 - AVIONICS REDUNDANCY STRATEGY 
 
The choice of a redundant Avionics 
architecture for Ariane 5 comes from a larger number 
of analyses which have been compared to experience 
acquired on previous Ariane developments and to the 
will to cover FO (Fail Operational) aspects in flight. 
Characteristics of a launcher as Ariane 5 can be 
summarised as follow: 
• Time mission from less than one hour 
(typical GTO mission) to several hours 
for specific missions. 
• A severe environment in terms of 
ambiances (vibrations, chocks…), thermal 
environment, … 
• Serial industrial fabrication of materials 
as electrical equipment for a long period 
of time 
• Control of cost production 
• High level of dependability 
 
The first principle retained to deals with 
redundancy management is to consider that the 
Avionics reliability has to be negligible compared to 
the launcher one.  If we consider that the required 
reliability for the launchers is about 10-2, it is 
admitted that a reliability of about 10-3 is sufficient 
for Avionics. This objective does not require having 
redundant chains and especially redundant 
equipments. However, it is necessary to be very 
careful and to know the significance of reliability 
computation for electrical chains, and then to have 
also a qualitative approach. 
At the beginning, the Ariane 5 context, and 
especially with the Hermes program, has lead to a 
redundant Data Management System. This choice has 
not be done to answer a global reliability allocation, 
but in order to tolerate non generic problems on 
electrical equipment (component failures, soldering 
defaults, connector disconnection …) induced by 
manufacture defaults and/or bad controls before 
takeoff. However, this approach does not require any 
double design, both for embedded software and 
electrical equipments.  
The second main principle which introduces 
redundancy is a consequence of functional approach, 
retained on Ariane 5, in order to specify launcher 
components. Analyses and specifications therefore 
have been done on the basis of launcher functions. 
This approach induces: 
    
  
 
 
 
2nd European Congress ERTS - 3 - 21 – 22 – 23 January 2004 
• a high specialization of electrical 
equipment which ensure the interface 
with sensors and actuators, 
• Redundancy mechanisms (including 
software one) analysed at system level, 
taking into account the association 
between electrical equipments and 
sensors/actuators in a more global 
function. This function is to be tolerant to 
single failure (in the limit of what is 
possible and useful to do on Ariane 5). 
During this analysis, only two main rules have been 
required on Avionics: 
• if one equipment fail, or the function for 
which it brings its contribution fails, the 
commutation on redundant device is engaged 
in an irreversible way, 
• When equipment fails, specific mechanisms 
are used to border on the failure in order to 
limit its propagation on the used chain but 
also onto the redundant chain. 
 
Then, redundancy management description is 
given function by function and practically does not 
appear at equipment level. This is amplified by the 
centralized avionics architecture of the Ariane 5 
launcher. So, the only unit allowed to decide on 
board any equipment commutation is the main 
computer (OBC), in which the FPS is executed. The 
FPS has been specified and designed according to 
these main principles and rules. 
 
2 - ARIANE 5 AVIONICS ARCHITECTURE 
 
 As a consequence, the Ariane 5 avionics 
architecture consists in a redundant Data 
Management System. Each electrical chain is 
independent and connected to one MIL-STD-1553B 
bus. The implementation choice is based on 
physically and geographically segregated chains. 
The Ariane 5 Avionics architecture is 
centralized around OBC. The FPS running in OBC, 
manages simultaneously both electrical chains as Bus 
Controller of both MIL-STD-1553B buses. So, each 
acquisition is done by one OBC through both the 
nominal and the redundant equipment and each 
command is send independently toward the nominal 
and the redundant equipments. The two OBC 
computers are identical.  
 
Each OBC is composed of: 
• One UT (Treatment Unit) in which the FPS 
is executed on an MC 68020 processor and 
associated MC 68882 co-processor, running 
both at 18 MHz. 
• An UES (Inputs/Outputs Unit) with its 
associated LUES software which manages 
frame and individual transfers on both MIL-
STD-1553B bus and also ensures the 
interface between the FPS and inputs/outputs 
on the two buses through an exchange 
memory. 
SBF Signal
Nominal
Equipment
OBC 1
(Bus Controller)
Telemetry
Equipment
OBC 2
(Remote Terminal)
Bus 1 - 1553
Bus 2 - 1553
Redundant
Equipment
FIG 1 - Avionics Architecture 
 
 At OBC level, the OBC redundancy is 
organized as a “warm duplex”. The nominal OBC 
manages the mission while the back-up OBC, using 
its “observer mode”, spies the bus traffic on the MIL-
STD-1553B buses, and especially messages sent by 
equipments to the OBC. This "observer mode" in the 
back-up OBC is necessary firstly to synchronize 
itself with nominal OBC (by using a specific message 
in the frame) and secondly to compute some 
algorithms to get, in real time, the necessary data and 
avionics context in order to be able to continue the 
mission in case of an OBC commutation. Data 
transmitted by the IRS (Inertial Reference System) to 
the OBC are necessary for the FPS executed in back-
up OBC in order to ensure the “close loop” for GNC 
(Guidance, Navigation and Control) cyclic 
    
  
 
 
 
2nd European Congress ERTS - 4 - 21 – 22 – 23 January 2004 
algorithms which are also executed in the back-up 
OBC. Furthermore, the back-up OBC “observer 
mode” is necessary because no dialog exists between 
the two OBC's, and so, no information is directly sent 
from one OBC to the other one in order to avoid any 
pollution of any OBC by a failed OBC.  
 The nominal OBC auto-detection mechanism 
and algorithms ensure a coverage rate of about 90%. 
Any failure detected on OBC nominal induces an 
OBC commutation from nominal to back-up OBC. In 
such a case, nominal OBC inhibits itself and set 
down a hardware signal (SBF – Good Behaviour 
Signal) to inform the back-up OBC to ensure the 
mission continuation.  
 
3 - FLIGHT PROGRAM SOFTWARE 
ARCHITECTURE 
 
 The Ariane 5 FPS is the software embedded 
in the OBC (nominal and back-up) whose mission is 
to send satellites in orbit, in spite of perturbation and 
failure. The FPS answers a high level of reliability 
and so, as a critical software, is classified at similar 
level as level B of DO 178B standard used in 
avionics. The FPS is written in ADA 83 language 
even if some low level parts are written in assembly 
language. The FPS (running on UT board) static 
architecture is divided into 3 different levels: 
• LN3, which constitutes the application part 
and deals with the Flight Control algorithms, 
Flight Management activities, but also with 
redundancy algorithms, 
• LN2, which provides services to LN3 to 
activate and control electrical equipments, 
• LN1, which provides LN3, services for time 
management, interruption, interface with 
UES through an exchange memory, and 
FDIR mechanisms. It also includes Runtime 
ADA with ARTK (ADA Real Time Kernel). 
 
In order to ensure requirement such as 
reactivity for asynchronous events (pyrotechnical 
orders for stage separation …), but also synchronous 
treatments for cyclic GNC algorithms, tank 
pressurization… a multitasking architecture, using a 
pre-emptive scheduler and five dynamics tasks, has 
been chosen for the FPS. 
 Another software, LUES, running on the 
UES board of the OBC, is an automate which 
manages frame and individual transfers on the MIL-
STD-1553B buses but also ensures the interface and 
the synchronization between the FPS and the 
inputs/outputs on the two buses. 
 
 The LSSI (Low Level Sub-System Software) 
consists in the LN1 and the LUES. 
 
OBC
UT
UES
LN3
RAM
512 KO
+
512 KO
RAM
256 KO
Bus 1 Bus 2
IT
Exchange Memory
SBF
LUES
ARTK
LN2
LN1
 
 
FIG 2 - FPS Software Architecture 
 
  
4 - SOFTWARE REDUNDANCY 
MANAGEMENT 
 
All redundancy mechanisms and algorithms 
are located in the OBC and associated FPS, either at 
LSSI level or applicative level (LN3). The Ariane 5 
OBC redundancy management can be separated into 
two main categories: 
• Mechanisms introduced for the OBC fault 
detection and the OBC commutation in a 
“warm duplex” mode. 
• OBC algorithms to manage equipment in 
"hot" or "cold" redundancy.  
 
 In spite of the fact that electrical equipment 
redundancy has been considered as a more global 
launcher function, analysis for OBC redundancy has 
been treated at Avionics level. The analysis showed 
that the maximum OBC commutation duration is 
    
  
 
 
 
2nd European Congress ERTS - 5 - 21 – 22 – 23 January 2004 
corresponding to 3 pilot cycles of 72 ms in EAP 
(Solid Propellant Strap-On Booster) phase, meaning 
that during this duration no launcher control is 
ensured by any OBC. It has been in particular 
verified and validated, at system level, that all cyclic 
software processes (navigation, control, guidance, 
pressurisation …) and their consequence at launcher 
level could tolerate such an interruption. However, it 
is not possible to guarantee, due to the OBC 
commutation duration, that all the time requirements 
about sequential activities (stage separation, engine 
ignition …) will be met because sequences are 
defined as a series of MIL-STD-1553B transfers with 
a precision of about 10 ms, but with a limited 
duration of a few seconds. To deal with this specific 
point, a probabilistic approach have been conducted 
by considering the probability that an OBC failure 
happened during a sequence is very low compared to 
avionics required reliability. However, specific 
mechanisms have been implemented in FPS to deal 
with this aspect. 
 
 4-1 OBC FAULT DETECTION 
 
  The Ariane 5 LSSI FDIR strategy is based 
on the following rules. It is excluded that the back-up 
OBC could detect any failure on nominal OBC and 
so takes the control of the mission by itself. On the 
other hand, if the nominal OBC detects itself in 
failure, it will engage an OBC commutation without 
knowing the real status of back-up OBC on which it 
commutes. This strategy involves that: 
• the OBC reconfiguration criteria are only 
based on nominal OBC failure auto-detection 
, 
• the nominal OBC must offer the highest rate 
of failure detection. 
• the nominal OBC must passive itself after 
command an OBC commutation 
• the back-up OBC must always be in a 
situation to continue the FPS mission as soon 
as the OBC nominal fails, 
• the back-up OBC has to best continue the 
mission (last "survivor mode") by ignoring 
any failure that could run into it.  
 
For each Ariane 5 mission, the two OBC's 
are powered on about 6 hours before take off. An 
internal OBC initial self-test, executed on ground and 
called "AT 95", takes place in INIT OBC mode. This 
auto-test ensures a coverage better than 95% (about 
98%), and is resident in the non volatile memory of 
OBC. Once the "AT95" test has been declared 
successful, the FPS is downloaded into the two OBC 
volatile memories (RAM). After H0-3 seconds, the 
nominal OBC becomes controller of the two MIL-
STD-1553B buses and so manages all the processes 
related to mission management, including 
mechanisms for FDIR management. The FPS design 
is such that OBC commutation mechanisms are 
always priority compared to others functions. The 
implemented mechanisms are described here-after: 
 
9 An EDAC (Error Detection And Correction) 
has been implemented on all OBC RAM memories in 
order to protect them from consequences of radiative 
environment. In fact, bit errors in RAM memories 
may only originate from Single Event Upset (SEU) 
or Multiple Events Upsets (MEU) caused by 
environmental conditions (protons, high-energy ions) 
or from hardware failure in the memory chip. The 
effect of a proton hitting a memory cell might be to 
modify its status i.e switch from 0 to 1 or from 1 to 0. 
The OBC (nominal and back-up) EDAC is a logical 
circuit, part of the memory management ASIC, able 
to: 
• Detect, correct in RAM and signal a single 
bit error when the memory is read. It is 
transparent for the application and so does 
not generates any OBC reconfiguration, 
• Detect and signal all double bit errors when 
the memory word is read by the  FPS. 
  
 On the nominal OBC, a double bit error 
detected on a RAM cell, both in the UT or the UES 
RAM, automatically generates an inhibition of the 
Nominal OBC (Inhibit Mode) and induces an OBC 
commutation. On the back-up OBC, in either bus 
observer or bus controller mode, a double bit error 
generates no effects (the transition to Inhibit Mode is 
inhibited on the back-up OBC) and the FPS continues 
its execution with the double-error bit in the impacted 
memory cell, according to the "last survivor" 
strategy. Depending on the impacted cell (data, code) 
the consequence of such an effect could be 
catastrophic for the mission or almost without any 
important effect (Least Significant Bit impacted on a 
data). However, the probability to have, for one 
mission, both an OBC commutation and a double 
error bit on the back-up OBC RAM memory is very 
    
  
 
 
 
2nd European Congress ERTS - 6 - 21 – 22 – 23 January 2004 
low compared to the required reliability for the 
Avionics and is so considered acceptable. 
 
9 In the other hand, no memory scrubbing has 
been implemented in the OBC. In fact, such a 
software algorithm, reading the memory in a loop, 
could detect a MEU in an unused or already used part 
of the memory and then generates an intempestive 
OBC commutation. As an example, during ESC 
(Upper Cryo Stage) flight phase coming after EAP 
(Solid Propellant Strap-On Booster) phase , if an 
MEU is detected on part of memory used only in 
EAP flight phase, it is not be necessary to command 
an OBC commutation. 
 
9 The OBC RAM memory part (where the FPS 
binary code is located) is written protected. So, a 
written access by the FPS in this area (consequence 
for example of an address microprocessor register 
impacted by a proton) will induce an OBC 
commutation, but will not have any specific action on 
back-up OBC, in order to best continue the mission. 
 
9 Furthermore, in order to increase the nominal 
OBC fault detection coverage, a specific applicative 
auto-test algorithm, implemented in the LN3 and 
only in the nominal OBC, is activated periodically 
after the end of the Vulcain engine ignition sequence. 
This auto-test consists in: 
• periodically send specific data to each BDP 
(Power Distribution Unit) connected to the 
OBC through the two MIL-STD-1553B buses, 
and control these data after their acquisition 
from BDP through 1553 buses. These periodic 
and alternative tests allow verifying the LUES 
behaviour. 
• verify the coprocessor MC 68882 functioning 
by comparing results between pre-computed 
trigonometric functions available in RAM and 
results computed in real time by the 
coprocessor. 
 
If the result of one test is not satisfactory, then the 
FPS set a specific bit “Erreur Application” in the 
OBC status word inducing an OBC commutation. 
 
9 In order to verify that FPS and LUES 
software are still running, each electronics module 
(UT and UES) on the nominal OBC gets a watchdog 
to cyclically detect any software blocking. A 
watchdog triggering, detected either on UT or UES 
module, induces an OBC commutation. 
 
9 About exception, if any software exception is 
raised on the nominal OBC, it will not be propagated 
and immediately induces an OBC commutation by 
setting the SBF signal. For hardware processor 
exceptions (floating overflow…), the associated IT 
vector (TRAP) is replaced by a specific software 
treatment which also activates the SBF signal and 
induces an OBC commutation.  On the other hand, an 
exception raised on the back-up OBC is ignored and 
the associated FPS continues its missions, whatever 
the back-up OBC configuration (either bus observer 
or bus controller mode after an OBC commutation). 
 
All the results provided by all these OBC 
failure detection mechanisms activated in flight are, 
in real time, written in each OBC status word. These 
status words are sent to ground by telemetry in order 
to be post-analysed on ground. These mechanisms 
ensure on-board failure coverage of about 90%. 
 
 4-2 OBC RECONFIGURATION 
MECHANISMS 
 
Specific software mechanisms have been 
studied and developed in order to execute all the 
treatments in the back-up OBC to continue the 
mission, in case of an OBC commutation and 
whatever its origin is. While the nominal OBC 
manages the mission, the back-up OBC is placed in 
"observer mode" in order to spy 1553 traffic. In this 
mode, it does not execute acyclic sequences (engine 
ignition and extinction, stage separations ...), 
detection/correction algorithm for servo-activator 
chains, not the OBC auto-test applicative. 
As soon as the SBF signal is activated and 
that no bus traffic is observed on the MIL-STD-
1553B buses for 20 ms (in order to verify that two 
bus controllers are not present at the same time), the 
FPS running in the back-up OBC restarts the cyclic 
frame on the two 1553 buses. The precision of 
synchronisation between nominal OBC frame and the 
back-up OBC frame after an OBC commutation is 1 
millisecond. Associated cyclic algorithms (GNC, 
tank pressurization…) start in synchronization with 
the frame transfers. Then, algorithms relative to 
several urgent processes are activated in order to 
secure the launcher (pyrotechnical order…) and to 
    
  
 
 
 
2nd European Congress ERTS - 7 - 21 – 22 – 23 January 2004 
get the electrical context. Following these operations, 
the back-up OBC is able to restart a sequence (engine 
ignition/extinction, stage separation …) eventually 
interrupted in the nominal OBC by a failure which 
has induced the OBC commutation. In order to define 
if a sequence has to be restarted and re-executed in 
the back-up OBC, the associated FPS takes into 
account the date of the ITBF interrupt generated by 
the SBF signal and the date of the end of sequence 
define by adding to the sequence key date, the 
sequence duration, the offset due to discretisation and 
a fixed pre-defined duration. If the ITBF signal is 
located before the end of sequence as so computed, 
the sequence is automatically re-executed in the 
back-up OBC. So, once all the reconfiguration and 
restart treatments executed by FPS in the back-up 
OBC have been done, FPS continues the mission as it 
would have been executed by nominal OBC. 
 
 4-3 MIL-STD-1553B FAILURE 
MANAGEMENT 
 
The OBC redundancy concept has been 
simultaneously analysed with Communication 
System architecture which is largely involved in the 
avionics and redundancies management. The 
Communication System structure is defined with two 
sections located in the VEB (Vehicle Bay 
Equipment). Each section is connected through a 
repeater to five other section buses for EPC (Main 
Cryo Stage), EAP1, EAP2 stages and ground.  The 
OBC (nominal, or back-up if an OBC commutation 
has occurred), which controls both 1553 buses, 
therefore dialogues simultaneously with equipment 
of both chains. For each launcher flight phase (EAP, 
EPC…), a frame is pre-defined for the cyclic 
transfers emitted simultaneously on the two buses. 
Each 1553 transfer of the frame can be defined with 
or without retry in case of an exchange error. 
At LSSI level, if one or several equipment no 
longer answer, or if a 1553 section fail (and the 
corresponding line bus) inducing no dialog with all 
equipment of this section, the corresponding frame 
transfers are declared in error by their associated 
status word. In this case, the LUES which manages 
the 1553 transfers (frame or individual transfers 
inserted in the frame) repeats transfers declared as 
"class 1" transfers, meaning transfers with retry. 
Furthermore, all transfers declared in error (with or 
without retry) are still emitted in the frame by the 
LUES in order to maintain the synchronization 
(designed by taking bus transfers worst cases in 
account) between the frame running on the buses and 
the FPS applicative treatments. This choice simplifies 
the FPS mechanisms and their associated validation, 
both for the LSSI part than for applicative part. It 
does not modify, in real time, the tight and robust 
synchronization between applicative treatments and 
frame which is essential for the good behaviour of 
the system. 
As soon as equipment does not answer on 
1553 bus, the FPS application is immediately 
informed by the LSSI. At applicative level, the 
redundancy software manages the equipment used for 
function (GNC, launcher management …), taking 
equipment failures in account, including 1553 error 
transfers.  
 
 4-4 FUNCTION REDUNDANCY 
MANAGEMENT 
 
Avionics and especially the FPS, participates 
to several main A5 launcher functions as GNC 
(Guidance, Navigation and Control) and Launcher 
management activities (sequential, tank pressure 
regulation, stage jettisoning …). Applicative software 
redundancy algorithms are specific according to both 
type of applicative algorithms (GNC, pressurization 
…) and used equipment which are managed, for most 
of them, in “hot duplex” mode by OBC. For each 
function, theses algorithms are independent. 
  
9 Two IRS (Inertial Reference System) units 
are available on the A5 launcher. Each IRS is 
connected to one MIL-STD-1553B bus and the IRS 
connected on bus n°2 is considered as the nominal 
IRS for the applicative GNC treatments at flight 
software level. To increase IRS failure detection, IRS 
transversal axes are physically shift by 135°. 
Redundancy algorithms for the IRS ensure failure 
coverage at least better than 95%, with a false 
detection rate less than 5%. These redundancy 
algorithms are running in both OBC and are divided 
in two main parts: 
• Upstream redundancy algorithms deal in 
priority with main IRS's outputs to provide, as 
soon as possible, inertial valid data to the pilot 
algorithms, because it is necessary for the pilot 
to compute and send commanded steering 
orders to servo-actuators within a maximum 
    
  
 
 
 
2nd European Congress ERTS - 8 - 21 – 22 – 23 January 2004 
delay of 25 ms after the IRS measurements 
acquisition. This redundancy analyses the IRS 
status word and cycle counter transmitted by 
IRS units, 1553 dialog between OBC and IRS, 
and test the coherency of attitudes send by the 
two IRS in order to detect potential failures on 
gyro-meters. If the IRS status word indicates a 
failure, or cycle number is wrong, or if a bus 
dialogue between IRS and OBC is twice 
consecutively declared in error, it induces 
immediately and in an irreversible way, an IRS 
commutation, or inhibition of the back-up IRS 
commutation, depending on which IRS is 
declared in failure. In this case, the FPS takes 
inertial information only from the remaining 
still available. Furthermore, upstream 
redundancy includes failure detection 
algorithms which consist in comparing each 
attitude of the IRS unit to the other one, 
relatively to one threshold. If an incoherency 
between these attitudes is detected (threshold 
are so overrun tree times consecutively), an 
IRS commutation is engaged. During an IRS 
commutation, the pilot algorithms use 
predicted measurements. 
• Downstream redundancy rule is to detect and 
localize potential gyro-meter failure (not 
detected by upstream redundancy) and 
accelerometer failures in order to provide valid 
data for GNC algorithms (Guidance, 
Navigation and non critical pilot). The 
redundancy also analyses the 1553 dialog 
between the OBC and the IRS, and IRS status 
word and cycle counter with the same 
consequence than with the upstream 
redundancy. Specific algorithms, based on the 
comparison of two IRS measurements and 
including several tests on accelerometer and 
gyro-meter information are activated. For each 
test, in case a threshold is overrun three 
consecutive times for one IRS, the concerned 
IRS (nominal or redundant) is declared "failed" 
and so no longer used for the mission by the 
FPS. 
 
 In case both IRS units are declared failed, the 
navigation algorithm is no longer used, guidance is 
reduced to interpolation on pre-programmed tables of 
attitudes, and sequential orders managed by GNC 
algorithms are executed at pre-defined dates. All 
these upstream and downstream redundancy 
algorithms are executed in the cyclic tasks of the 
applicative software (LN3) of FPS. 
 
9 Two BGY (Gyrometer Unit) are available on 
the launcher, each mounted on one EAP. The 
requirement relative to the BGY redundancy is to 
ensure failure coverage at least better than 95%, with 
a false detection rate less than 5%. BGY provides the 
launcher with angular speed, in pitch and yaw angle 
for the EAP pilot algorithm, through redundancy 
algorithms. Each BGY includes 4 gyro-meters and 
provides two angular speed measurements for each 
detection (pitch and yaw) axis. Furthermore, a BGY 
provides the reference voltage which false alarm rate 
is better that BGY status word.  Redundancy 
algorithms get measurements on each BGY, check 
the 1553 dialog, test the reference voltage, analyse 
the coherency between both measurements of one 
BGY and measurement between the two BGY and 
then, compute the average of the valid measures 
(according to launcher axes for pitch and yaw) and 
then provides the relevant information to the pilot 
algorithms. If a 1553 bus dialogue error between 
BGY and OBC is twice consecutively declared, or if 
reference voltage on a BGY is three times 
consecutively wrong, concerned BGY is declared 
failed and no longer used. As for an IRS, these 
redundancy algorithms are executed in the cyclic task 
of FPS (LN3). 
 
9 For the EPC stage, thrust vector control 
(TVC) chain software redundancy is ensured by a 
detection/correction algorithm running in the FPS, 
but only in nominal OBC. One EPH (Hydraulic 
Servo-actuator Control Unit) is available and 
accessible by the FPS on each 1553 bus. Each nozzle 
can be commanded according to two axes, U and V. 
In nominal configuration, the U hydraulic jack is 
driven by the EPH n°2 and V hydraulic jack by the 
EPH n°1. For each hydraulic jack and for each cycle, 
a specific detection/correction algorithm, using 
steering angle commanded by the pilot and the 
measurement of hydraulic jack positions, provides 
the estimated position of the "tiroir 
servodistributeur". This estimated position is then 
compared to the corresponding measured position 
through a threshold. If threshold is overrun, the 
precedent operations are re-run and then if overrun is 
then confirmed, a servo-valve commutation is 
    
  
 
 
 
2nd European Congress ERTS - 9 - 21 – 22 – 23 January 2004 
ordered by the FPS to the EPH which does not 
command nominally the failed servo-valve coils. The 
hydraulic power is thus transferred on the second 
chain, and the failed servo-valve is no longer used. 
Furthermore, through the EPH status word, a 
commutation can be engaged by the FPS due, this 
time, to an EPH equipment failure. So, after such a 
commutation, only one EPH commands the two 
hydraulic jacks, one for each axis U and V. 
Nevertheless, after the servo-valve commutation, the 
FPS gets information for telemetry through 1553 
from the EPH on which the failed lines have been 
detected. Once the commutation detected by 
"detection/correction" algorithm has been done, all 
new commutation is prohibited, except in an OBC 
commutation occurring after the first servo-valve 
commutation, because this detection/correction 
algorithm is not running on back-up OBC. 
 
9 For the EPS stage (Upper Liquid Propellant 
Stage), the used algorithms are quite similar to those 
used for the EPC stage. The main difference is that 
electrical power is used and not hydraulic power as 
for the EPC, and that after an EPE (Electric Servo-
actuator Control Unit) commutation, the failed 
equipment is powered off. 
 
9 Functional measurements used for tank 
pressurization, controls and checks during Vulcain 
engine ignition … are acquired by the FPS through 
the three UCAF (Functional Conditioning and 
Acquisition Unit), redundant and connected to the 
MIL-STD-1553B buses. In order to avoid any 
common mode between chains, one sensor is 
connected only to one UCAF. So, measurement 
redundancy is ensured by another sensor, whose 
information is acquired by the FPS through an other 
UCAF. All the FPS applicative treatments using 
these measurements are elaborated on 1/2 or 2/4 
logical algorithms, or on majority vote logic (average 
computed on several measurements and elimination 
of aberrant measures). A measure acquired though 
one UCAF is declared valid if first, UCAF status 
word and refresh counter are valid and if the 
measurement value is included in two likelihood 
thresholds. So, these algorithms implicitly allow that 
an UCAF failure could occurs without any UCAF 
commutation or UCAF inhibition being engaged, 
even if, for the considered cycle, the measure not 
declared valid is not taking in account into 
applicative algorithms. 
 
9 Concerning Electro-Valve (EV) used on 
launcher for engine ignition, stage pressurization …, 
three categories of EV are used: non-latching EV 
with one or two coils and latching EV with 2 coils. 
Each EV is connected to two ES (Sequential 
Electronics) which are also controlled by the FPS 
through 1553 buses. Two main types of EV 
commands are available: 
• Hot redundancy when commands from 
FPS are applied simultaneously to coils 
by the two redundant ES. Most of EV 
commands are applied in hot redundancy. 
• Cold redundancy when commands are 
applied by only one ES, and command 
through other ES are applied only in case 
of failure detection.  
 
Activation of each EV is obtained only by 
current presence in one coil, which ensures a 
protection against "delayed failure". In order to 
ensure current in an EV coils, two 1553 transfers 
emitted by FPS are necessary on an ES which 
protects this command against "premature failure". 
Verification of current value in coils can be realized 
by the FPS, but is not done because of the low 
reliability of current measurement.  
On the other hand, de-activation of each EV 
requires that no more current be present in each coil. 
So, the command transfers emitted by the FPS are 
necessary towards the two ES and require their good 
behaviour. However, only one transfer is necessary 
for each ES, because only one transfer is able to open 
the circuit in order to have no more current available 
in the concerned coil. In order to verify the good 
execution and to control that no more current is 
available in the two coils, the FPS just verifies that 
no 1553 error has happened during the acquisition of 
the coils voltage transfer. In some failure cases (for 
example, when a voltage acquisition transfer is 
declared failed), the FPS asked for an ES de-
connexion by sending, to the corresponding BDP, the 
de-connexion command for the concerned ES. This 
ES de-connexion open the circuit and induces no 
more current in the concerned EV. Furthermore, the 
FPS controls the good behaviour of the ES de-
connexion command and, in case of unsuccessful 
command, send a CAE (EPE & ES Switch-off 
    
  
 
 
 
2nd European Congress ERTS - 10 - 21 – 22 – 23 January 2004 
command) command to the redundant ES (valid) in 
order to open the switch to stop the current in the 
concerned coil. However, we can note that only one 
ES de-connexion is allowed for all ES in the EPC 
stage and for all ES in the VEB stage. 
All this redundancy algorithms are services 
available in the LN2 software managed by the LN3 
applicative program. The reliability requirement 
about EV commands is provided in probability of a 
"feared event" (activation of an EV without order at 
10 -9 or non activation of an EV in spite of the order 
required at 10 -9). 
 
9 The aim of pyrotechnical functions is to 
bring energy toward a squib (for stage separation for 
example). Two chains are also available for it and are 
simultaneously used, despite of the fact that of only 
one chain is strictly necessary. The redundancy 
principle for electrical order toward pyrotechnical 
initiator is quite similar to those used for EV 
commands. Same ES are used, but CDC's (Pyro 
Switching Unit) are necessary for order switching. In 
order to realize a pyrotechnical order, the FPS sends 
orders to the BDP to send energy (by CEX closure) 
on the desired line of the CDC in order to provide 
"fire order". The selected line in CDC has been 
preliminary defined by the FPS, using an LN2 
service, by a specific 1553 order to ES in order to 
configure, in each CDC, the two configuration 
matrices to close the switch corresponding to the 
concerned load. After ignition, the CEX in the BDP 
is opened by a FPS order sent to the BDP, and CDC 
configuration is also disabled by the FPS through a 
1553 order towards the ES. 
Without dealing here with all redundancy 
mechanisms implemented in the FPS, if the CDC 
configuration is detected failed (through specific 
report acquired through ES) or if the BDP switch is 
failed, the concerned chain is no longer used, and the 
pyrotechnical order is sent through the redundant 
one. The reliability requirements are identical for this 
function, treated in term of "feared event" (untimely 
pyrotechnical order at 10 -8 for example). 
 
9 Others sub-systems, available on Ariane 5 
are also redundant but are not directly managed by 
the FPS: 
• Safeguard sub-system, which rely on 
their own means for emission, reception 
and execution in order to realise the on-
board launcher neutralization. 
• Electrical power sub-system which deal 
with all on-board equipment for on-
board generation and distribution of 
electrical power. Each functional chain 
has its own power sub-system strictly 
independent from each other. 
• Telemetry sub-system for which, the 
equipment units are not redundant 
because they are not necessary for the 
launcher functional mission. 
 
 
CONCLUSION 
 
The Ariane 5 on board FPS deals with all 
FDIR and redundancy management required to 
ensure the mission with the best reliability possible. 
It deals with: 
• Mechanisms introduced for OBC fault 
detection and OBC commutation managed 
in a “warm duplex” mode. 
• OBC algorithms to manage equipment in 
"hot" or "cold" redundancy.  
 
All these mechanisms and algorithms have 
been designed and completely qualified at FPS level. 
They have proved to be necessary and efficient 
during several A5 flights (equipment failures,  …) 
even if they cannot save the launcher from all failure 
configurations. 
 
 
*          * 
* 
