
Patriot Missile PM Presentation

The Patriot missile system failed to intercept an incoming Scud missile that hit a US Army barracks in Saudi Arabia during the Gulf War in 1991, killing 28 soldiers. An investigation found multiple faults with the Patriot system: software rounding errors that degraded its ability to track targets after long periods of continuous operation, and poor project management that failed to prioritize safety and to test the system properly under a variety of conditions. The failures revealed the need for improved testing, requirements definition, and system design to prevent single points of failure and ensure safety-critical systems can perform as intended.

Uploaded by Sam Ahmed

The Patriot Missile Disaster

What Went Wrong?


Liam McBrien, 200309542
Craig McNulty, 200418935

Patriot Missile System Overview


Mobile missile defence system
Designed by Raytheon, Hughes and RCA in 1969; produced in 1976 by Raytheon
Backronym of Phased Array Tracking Intercept Of Target
Initially designed as anti-aircraft system; extended to deter missiles.

How the System Works [1]


Operates in battalions - usually composed of six batteries
Each battery has:
Radar unit for target acquisition
Control station for manual/automatic control
Eight missile launchers
Communications station
Targets detected by radar, acquired by control station, and engaged by launchers

Target Acquisition

Image source: [1]

Target Destruction
Interceptor detonates in front of target
Detonation sprays ~1000 pellets forwards in a wide pattern like a shotgun
Distance from interceptor to target is important! [2]
Ideal range 5-10 metres
At 100 metres, probability of hitting target is near-zero
Image source: [3]

Project Timeline [3][4]


Development started in 1976 as an anti-aircraft system
First deployment in 1982
PAC-1 (1988) introduced limited capability against tactical ballistic missiles (TBMs)
PAC-2 (1990) improved TBM capability
PAC-3 (2002-) latest version, complete redesign tailored for TBM interception

The Patriot in the Gulf War


Patriot deployed in the Persian Gulf War to halt ballistic missiles
Debatable success rate: from Bush's 97% to Postol and Pedatzur's 0%!
What is a successful launch?
January 25th, 1991: ballistic missile hit army barracks in Dhahran, Saudi Arabia
28 soldiers killed, 97 injured
Patriot didn't detect incoming missile

Failure to Launch
Dhahran, Saudi Arabia, 1991

Failure to Launch
Dhahran protected by six Patriot batteries
Alpha and Bravo batteries deployed at time of attack to protect Air Base
Bravo out of commission due to radar problem
Alpha running continuously for four days
Incoming Scud missile not engaged by Alpha
28 casualties, more than 90 injured

Software Faults [1]


Patriot computer only had 24-bit precision, so it chopped 0.0001% off timing values
System fell behind by 0.0034 sec (7 m) per hour.
Accuracy threshold is 20 hours.
System had been running for 100 hours, losing 0.3433 seconds, or 687 metres.
Range gate affected cumulatively by timing error: looked in the wrong place!

Range Gate Inaccuracy

Image source: [1]

Code Quality Failure


Tracking should have depended on elapsed, not absolute time; errors should have cancelled out
A subroutine which returned a number with 48-bit precision was defined to cope with faster missiles, but was not called in all necessary places [6]
As a result, errors failed to cancel and inaccuracy crept in
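
The drift arithmetic from the Software Faults and Code Quality Failure slides, as an added worked example (not code from the presentation or from the Patriot system). Assumptions: the 24-bit register keeps 23 fractional bits of 0.1, the clock counts tenths of a second, the `precise` flag stands in for the higher-precision routine, and the target speed is the one implied by the slides' own 687 m per 0.3433 s.

```python
from fractions import Fraction

FRAC_BITS = 23            # assumption: fractional bits kept in the 24-bit register
TICKS_PER_HOUR = 36_000   # assumption: the clock counts tenths of a second
EXACT_TENTH = Fraction(1, 10)
# 0.1 has no finite binary expansion, so the register holds a chopped value.
CHOPPED_TENTH = Fraction(int(EXACT_TENTH * 2**FRAC_BITS), 2**FRAC_BITS)
# Assumption: speed implied by the slide's figures (687 m lost in 0.3433 s).
SPEED_M_PER_S = Fraction(687) / Fraction("0.3433")


def to_seconds(ticks, precise):
    """Convert a tick count to seconds with the exact or the chopped constant."""
    return ticks * (EXACT_TENTH if precise else CHOPPED_TENTH)


def clock_drift(hours):
    """Seconds the chopped clock lags true time after `hours` of uptime."""
    ticks = hours * TICKS_PER_HOUR
    return to_seconds(ticks, True) - to_seconds(ticks, False)


def range_gate_shift(hours):
    """Metres the range gate is displaced by the accumulated clock drift."""
    return clock_drift(hours) * SPEED_M_PER_S


def elapsed_error(uptime_hours, interval_ticks, start_precise, end_precise):
    """Error in a measured interval that starts after `uptime_hours` of uptime.

    The two timestamps may be converted by different routines, which is the
    situation the Code Quality Failure slide describes.
    """
    start = uptime_hours * TICKS_PER_HOUR
    end = start + interval_ticks
    measured = to_seconds(end, end_precise) - to_seconds(start, start_precise)
    return measured - interval_ticks * EXACT_TENTH


if __name__ == "__main__":
    for h in (1, 8, 20, 100):
        print(f"{h:>3} h uptime: clock lags {float(clock_drift(h)):.4f} s, "
              f"gate shifts {float(range_gate_shift(h)):.0f} m")
    # One-second interval measured after 100 h of uptime:
    print("both chopped :", float(elapsed_error(100, 10, False, False)))
    print("mixed routines:", float(elapsed_error(100, 10, False, True)))
```

When both timestamps go through the same chopped conversion, the interval error stays below a microsecond at any uptime. When one timestamp is precise and the other chopped, the interval error equals the full accumulated drift, which is why the partial fix made things worse rather than better.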

Testing Recommendations
Safety critical code should be subject to heavy scrutiny and reviews, with test cases to ensure numerical accuracy at every essential step
Program was written in assembly language, which may have presented maintenance and testing difficulties
Code fifteen years old; lack of understanding, comments, documentation?
Shouldn't code safety critical functions at a low level; should abstract away from the hardware as much as possible for safety and testability [7]

Operating Constraints
Battery intended to run for a few hours per use
Poor or non-existent risk analysis?
Hangover from old constraints
Should start afresh with safety critical systems
Registers with 8 more bits give 256 times the accuracy!
Very long run times could cause a shift in the range gate, resulting in the target being offset [1]
Supply operators with rich analysis of constraints and limitations to minimise margin of error

Rebooting to reset state


Downtime produces a 90 second window of vulnerability; power cycling should be a last resort

Safety By Diversity
Essential for safety critical systems
Several instances of single points of failure
No early warning from observation system in Nurrungar, Australia [8]; though expensive to maintain, should other such systems be available? [9]
Other battery was broken - two batteries with a "run for three hours at a time" constraint is a lethal combination - three hour repair window!
Updated software arrived the next day [10]; should delivery have been expedited? Perhaps have software engineers on site?

Patriot Accuracy
or inaccuracy?

Accuracy Claims
George Bush Snr claimed 97% success: "Patriot is 41 for 42: 42 Scuds engaged, 41 intercepted!" [11]
U.S. Army claimed initial success rate of 80% in Saudi Arabia and 50% in Israel
Later scaled back to 70% and 40%
1992: Postol and Pedatzur testify that according to their studies, success rate closer to 10% and perhaps even 0% [3]

What is a Successful Launch?


Standard practice: fire four Patriots at each incoming Scud
25% accuracy should result in around 100% success rate
What is a kill?
Hitting the warhead?
Hitting the missile?
Deflecting the missile?

Observed Misses
Postol (1992) documented misses observed through press footage
Patriots often missed target by >100m
Range gate errors?
Late launches: early warning failure?
Patriots dove into the ground
Rocket motor failures?
Scud breakup caused incorrect targeting
Hull debris targeted rather than the warhead

Possible Reasons for Inaccuracy


Errors in prediction and tracking: holdovers from the retrofit to track TBMs?
Missile failures: inadequate field testing?
Targeting the wrong part of the missile:
Iraqi redesigns caused Scuds to be faster but more prone to breakup [11]
Software needed faster response to changing operational parameters (or more adaptability)

Project Management Faults

Customer Focus
System designed without contemplating stakeholders: operators/soldiers!
Should ensure that a customer (or proxy) with field experience is available
User acceptance tests verified by customer
Retrofitted to run in unfamiliar context
Simulations or mockup exercises with potential operators

External Pressures
Taxpayers' money: project managers may have prioritised dollar over human cost
Value of human life perhaps had an impact; dire history, e.g. the Ford Pinto [12]
"We can just patch this old system up" attitude
Rushed rollout: pressure from customer to deliver software
Requirements non-negotiable: testing suffers

Safety First
Project management's top priority should have been maximising safety
Testing should extend beyond normal operational parameters and be supported by software
Definition of abilities and limitations must be clear and explicit
No single points of failure can be tolerated
Critical vulnerabilities must be identified and fixed as quickly as possible
Instead of delivering faulty software on time, fully operational software later could have given the best outcome

Outcome: PAC redesign

PAC-3 (current version) designed from scratch
Learning from Desert Storm mistakes
Much higher success rate in Iraqi Freedom: 9/9 kills (8 confirmed, 1 probable) [5]
MEADS (next version) learning from Iraqi Freedom mistakes
IFF improvements to reduce Friendly Fire incidents

References
1. Anon. (1992). GAO/IMTEC-92-26 Patriot Missile Software Problem. Available: http://www.fas.org/spp/starwars/gao/im92026.htm. Last accessed 03 November 2008.
2. Shelley Toich. (1998). The Patriot Missile Failure in Dhahran: Is Software to Blame?. Available: http://shelley.toich.net/projects/CS201/patriot.html. Last accessed 16 November 2008.
3. Theodore A. Postol. (1992). Optical Evidence Indicating Patriot High Miss Rates During the Gulf War. Available: http://www.fas.org/spp/starwars/congress/1992_h/h920407p.htm. Last accessed 16 November 2008.
4. Redstone Garrison. (1995). PATRIOT History. Available: http://www.redstone.army.mil/history/systems/PATRIOT.html. Last accessed 07 December 2008.
5. DSB Task Force. (2005). Patriot System Performance Report Summary. Available: http://www.acq.osd.mil/dsb/reports/2005-01Patriot_Report_Summary.pdf. Last accessed 07 December 2008.
6. Robert Skeel. (1992). Roundoff Error and the Patriot Missile. Available: http://www.mc.edu/campus/users/travis/syllabi/381/patriot.htm. Last accessed 16 November 2008.
7. Andrew McGettrick. (2003). Programming Languages and High Integrity Systems. Available: http://local.cis.strath.ac.uk/teaching/ug/classes/52.422/programming_languages_slides.pdf. Last accessed 07 December 2008.
8. Cameron Stewart. (1999). US Aussie spy base revelations: Nurrungar played fateful role in Desert Storm tragedy. Available: http://www.hartfordhwp.com/archives/24/167.html. Last accessed 16 November 2008.
9. Robert Garran. (1999). US Aussie spy base revelations: ASIO was in on it, says top analyst. Available: http://www.hartfordhwp.com/archives/24/167.html. Last accessed 16 November 2008.
10. Eric Schmitt. (1991). US Details Flaw in Patriot Missile. Available: http://query.nytimes.com/gst/fullpage.html?res=9D0CEED7163AF935A35755C0A967958260. Last accessed 07 December 2008.
11. William Safire. (1991). The Great Scud-Patriot Mystery. Available: http://query.nytimes.com/gst/fullpage.html?res=9D0CE0DF1431F934A35750C0A967958260. Last accessed 07 December 2008.
12. Matthew T. Lee. (1998). The Ford Pinto Case and the Development of Auto Safety Regulations, 1893-1978. Available: http://www.hnet.org/~business/bhcweb/publications/BEHprint/v027n2/p0390p0401.pdf. Last accessed 09 December 2008.
