Verification – Software Bug Report

Patriot Missile Software Problem

By Andrew Lum

Introduction

During the Gulf War in the early 1990’s, Operation Desert Storm used sophisticated technology to end the war in a quick and timely manner. Part of this technology was that of the Patriot missile air defence system.1

On the night of the 25th of February, 1991, a Patriot missile system operating in Dhahran, Saudi Arabia, failed to track and intercept an incoming Scud. The Iraqi missile impacted into an army barracks, killing 28 U.S. soldiers and injuring another 98.

The cause of the missile system failing to defend against the incoming Scud was traced back to a bug in Patriot’s radar and tracking software.2

Background Information

The Patriot is a surface-to-air defence missile system manufactured by Raytheon3 and used by the United States Army, originally designed to protect against Soviet cruise missiles and medium to high altitude aircraft. In order to avoid detection it was mobile and would only operate for a few hours at a time.

During Operation Desert Shield (the operation to move forces to the Gulf region), Patriot battalions were deployed in strategic locations in Saudi Arabia and Israel to defend key assets, military personnel, and citizens against Scud missiles launched by Iraqi forces.

Each battalion usually comprised of six batteries, with each battery containing a number of components including a single ground based radar unit used for surveillance target detection and tracking, an Engagement Control Station to control missile interceptors, eight missile launchers, as well as various communications and relay components.4

The Patriot’s weapon control computer performs crucial system functions for tracking and intercepting targets, as well as other control tasks. The system tracked and intercepted missiles in a number of stages:

  1. The system was instructed to search for airborne objects with Scud missile characteristics (based on information such as velocity, latitude, longitude, azimuth, and altitude) on its radar.
  2. A range gate, an electronic device in the radar, calculates an area in the air space for where the system should look next for the incoming missile. The missile is tracked by the system as it approaches.
  3. The Patriot would launch one of it’s own missiles once the incoming missile was in range.

The Software Bug

The bug occurs in the calculation of the next location of the incoming target by the range gate. The prediction is calculated based on the target’s velocity and the time of the last radar detection.

Velocity is stored as a whole number and a decimal, and time is a continuous integer or whole number (i.e. the longer the system has been running, the larger the value) measured in tenths of a second.

The algorithm used to predict the next air space to scan by the radar requires that both velocity and time be expressed as real numbers. However, the Patriot’s computer only has 24 bit fixed-point registers. Because time was measured as the number of tenth-seconds, the value 1/10, which has a non-terminating binary expansion, was chopped at 24 bits after the radix point.5 The error in precision grows as the time value increases, and the inaccuracy resulting from this is directly proportional to the target’s velocity.

When the Patriot system was first designed, the primary targets were Soviet aircraft and cruise missiles travelling at speeds around MACH 2, and only operating at a few hours at a time. However, in Operation Desert Storm, they were deployed as static defences (operating continuously), tracking and intercepting Scud missiles travelling at speeds of approximately MACH 5.6 Consequently, the U.S. army had to learn how to adapt the Patriot for targets of much higher velocity.

Discovery of the Bug

Ironically, Israeli forces had noticed the anomaly in the Patriot’s range gate’s predictions in early February 1991, and informed the U.S. Army of the problem. They told the Army that the Patriots suffered a 20% targeting inaccuracy after continuous operation for 8 hours.

Army officials presumed that Patriot users were not running the systems for longer than 8 hours at a time. They suggested if they would be running for continuous periods, they were rebooted regularly (which took around 1 minute and would reset the system clock to zero).

The Army however did set to work to produce a fix that would be distributed to all Patriot systems that would fix the problem.

Consequences of the Bug

On the 25th February 1991, Iraqi forces targeting an airfield in Dhahran, Saudi Arabia launched a Scud missile. Six Patriot batteries were assigned to protect the airfields and seaports of Dhahran; in particular, Alpha battery was the one assigned the targeted airfield.7

Alpha battery had been in continuous operation for over 100 consecutive hours, and the resulting inaccuracy resulting from the software bug was roughly 0.34 seconds. However, this meant that the range gate could not successfully track the incoming Scud (travelling at roughly 1.7km/sec, so the time difference resulted in the range gate scanning an area of air space more than half a kilometre away from the missile). See Appendix A and for more details.

No Patriot missiles were launched to intercept the incoming Scud, which successfully hit a warehouse being used by the U.S. Army as a barracks, killing 28 soldiers, and another 98 people were injured.

The Bug Fix and Aftermath

When Patriot systems were brought into the Gulf conflict, the software was modified (several times) to cope with the high speed of ballistic missiles, for which the system was not originally designed.

The modification to fix this bug was to introduce call subroutine that would do a more accurate integer to real conversion of the time value. This subroutine was inserted roughly half a dozen times in various locations in the Patriot software.8

The modified software was released on 16 February 1991, however did not reach Dhahran till the 26 February 1991, the day after the incident occurred. According to Army officials, the delay was caused by the time it took to arrange for transportation of the software to wartime locations.(4)

Various reviews and reports on Patriot missile performance were conducted throughout the 1990’s, and the Dhahran incident shows the necessity of well-documented requirements, software testing and correctness.

Appendix A - Effect of Extended Run Time on Patriot Operation 4

                                                                             

Hours

Seconds

Calculated Time (sec)

Inaccuracy (sec)

Approx. shift in Range Gate (meters)

0

0

0

0

0

1

3600

3599.9966       

.0034

7

8

28800

8799.9725       

.0025

55

20(a)

72000

71999.9313       

.0687

137

48

172800

172799.8352       

.1648

330

72

259200

259199.7528       

.2472

494

100(b)

360000

359999.6667       

.3433

687

 

a. Continuous operation exceeding about 20 hours--target outside range gate

b. Alpha Battery ran continuously for about 100 hours

Appendix B – Diagrams of Patriot Tracking System

The following figures show the variation in gate range calculations after various hours of operation.(4)

Correctly Calculated Gate Range for Patriot system.

20% Shift in range gate calculation after 8 consecutive hours of operation.

After 20 consecutive hours of operation, the target is no longer in the range gate area.

References

  1. Desert Storm Homepage http://www.desert-storm.com/
  1. Schmitt, Eric; “Army is Blaming Patriot’s Computer for Failure to Stop Dhahran Scud”; New York Times, 20 May 1991
  1. Raytheon Company http://www.raytheon.com/
  1.  Information Management and Technology Division; “Patriot Missile Defense: Software Problem Led to System Failure at Dhahran, Saudi Arabia”; United States General Accounting Office, 4 February 1992
  1. Arnold, Douglas; “Two Disasters caused by Computer Arithmetic Errors”; http://www.math.psu.edu/dna/455.f96/disasters.html
  1. Ballistic Missile Defense Organization (Patriot PAC 3 Fact Sheet) http://www.acq.osd.mil/bmdo/bmdolink/html/factsheet.html
  1. Falatko, Frank (ed); “Report Issued On Scud Missile Attack”; United States Department of Defence News, 5 June 1991
  1. Skeel, Robert; “Roundoff Error and the Patriot Missile”; Society for Industrial and Applied Mathematics (SIAM) News, July 1992, Volume 25, Number 4

Other Sources

The Risk Digest - Forum on Risks to the Public in Computers and Related Systems

http://catless.ncl.ac.uk/Risks.data/search.html

Raytheon's Response to WGBH FRONTLINE - Gulf War“; Raytheon Company

http://www.pbs.org/wgbh/pages/frontline/gulf/weapons/raytheontext.html

Toich, Shelly; “The Patriot Missile Failure in Dhahran: Is Software to Blame?

http://shelley.toich.net/projects/CS201/patriot.html