Patriot Missile Failure
1991: The American Patriot Missile Battery in Dhahran
Dhahran, Saudi Arabia
The Patriot Missile
► Phased Array TRacking Intercept Of Target
► Unproven in 1991
► Results after Gulf War: controversial
February 25, 1991
8:40pm (12:40pm EST)
► An Army barracks was struck by a Scud in Dhahran
► 28 American soldiers were killed
► 97 people injured in the strike
► The Alpha Patriot Battery did not track and intercept the Scud
What Happened?
► The system was unable to identify the Scud
► The range gate was inaccurate
The Design Flaw
► Old software
► Time stored in 1/10 of a second, in integer format
► 0.1₁₀ = 0.00011001100110011…₂
► 24-bit registers
► Operation outside the range of expected use: 100 hours vs 14 hours
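
The clock drift implied by the 1/10-second tick and the 24-bit register, worked through exactly as an added example that is not part of the original presentation. It assumes 23 fractional bits are kept in the register and uses an approximate Scud speed of 1676 m/s; neither figure appears on the slides.

```python
import math
from fractions import Fraction

TICK = Fraction(1, 10)    # the clock counts tenths of a second (from the slide)
FRAC_BITS = 23            # assumption: fractional bits kept by the 24-bit register
ASSUMED_SPEED_MPS = 1676  # assumption: approximate Scud speed, not from the slides


def chopped(value, frac_bits=FRAC_BITS):
    """Truncate a positive value to frac_bits binary places (fixed-point chop)."""
    scale = 1 << frac_bits
    return Fraction(math.floor(value * scale), scale)


def per_tick_error(frac_bits=FRAC_BITS):
    """Exact time lost on every 0.1 s tick, since 0.1 never terminates in binary."""
    return TICK - chopped(TICK, frac_bits)


def drift_seconds(uptime_hours, frac_bits=FRAC_BITS):
    """Accumulated clock error after running continuously for uptime_hours."""
    ticks = uptime_hours * 3600 * 10
    return ticks * per_tick_error(frac_bits)


def range_gate_shift_m(uptime_hours, speed_mps=ASSUMED_SPEED_MPS):
    """Distance a target at speed_mps covers during the accumulated drift."""
    return float(drift_seconds(uptime_hours) * speed_mps)


if __name__ == "__main__":
    print(f"per-tick error: {float(per_tick_error()):.3e} s")
    for hours in (14, 100):  # expected use vs. actual uptime, per the slide
        print(f"{hours:>3} h: drift {float(drift_seconds(hours)):.4f} s, "
              f"range gate off by ~{range_gate_shift_m(hours):.0f} m")
```
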
How We Almost Avoided It
► Data recorders: the US did not use them, but Israel did
► February 11, 1991: Israeli forces reported the Patriot errors back to the US
Lessons Learned
► When you adapt an older software system to a new use, make sure you also analyze the likely behavior of the users.
► Take the results of testing seriously! If user A could find the error, user B can too.
► You can’t be too accurate when lives are at stake. Military software must be robust.
► Don’t rely on assumptions; if it’s a usage standard, include it in the operating instructions.
► Protect against error, not against error discovery.