Patriot Missile Failure


Patriot Missile Failure 1991: The American Patriot Missile Battery in Dhahran

Dhahran, Saudi Arabia

The air base in Dhahran, Saudi Arabia, is the largest in the country. It was established by the US military in 1946. Later it was re-established as a Saudi air base, but during the Persian Gulf War, the base was used by UN coalition forces and was a target of Iraqi Scud missiles. Note the strategic location of Dhahran. The Scud missiles were largely ineffective, because they were inaccurate at the long ranges necessary to reach their targets. In fact, as I’m sure some of us remember, a popular joke at the time claimed the word Scud was an acronym standing for “Sure Could Use Directions”.

The Patriot Missile: Phased Array TRacking Intercept Of Target; unproven in 1991; results after Gulf War: controversial.

The Patriot Missile system is a defense technology. Patriot stands for Phased Array Tracking Intercept of Target. It was originally designed to be a mobile defense against enemy aircraft, and that’s an important factor in what went wrong later. Prior to the Gulf War, defensive missiles hadn’t been used to intercept other missiles. The results were controversial; at the beginning of the War, the US military claimed an accuracy rate of 80%, but that figure was pretty hard to verify. Patriots are designed to explode just before encountering an incoming object, fanning out to intercept as much area as possible. Iraqi changes to Soviet Scud technology also made the missiles more prone to breaking up on atmospheric re-entry. Analyzing the resulting chunks falling into the ocean was a problem, and it’s also difficult to estimate how well your defense is working when the enemy’s weapons are so unreliable. Estimates after the war were revised to be much lower, but the figures are still an unknown. We do know that recent advances in Patriot technology have made it more accurate, but we also know of at least one clearly documented incident during the Gulf War where the Patriot Missile failed.

February 25, 1991, 8:40pm (12:40pm EST): An Army barracks was struck by a Scud in Dhahran. 28 American soldiers were killed. 97 people were injured in the strike. The Alpha Patriot Battery did not track and intercept the Scud.

What Happened? The system was unable to identify the Scud; the range gate was inaccurate.

What happened: The range gate of the system was inaccurate, which prevented the Patriot from identifying the incoming object. Now that bears a little explanation. The Patriot is designed to identify only certain airborne objects. Basically, it scans the air with radar. When it detects any object in the air, it compares the object’s speed and trajectory to known behaviors. The Patriot determines a range gate for the object, which you can see illustrated in the drawing here. It’s a moving address in the air where the object is expected to be. If the object continues in the expected range gate for a Scud, the Patriot is activated.

The Design Flaw: old software; time stored in 1/10 of a second, in integer format; 0.1 (base 10) = 0.00011001100110011… (base 2); 24 bit registers; operation outside the range of expected use: 100 hours vs 14 hours.

The weapons control computer was based on a design from the 1970s. Passage of time was stored in the computer in tenths of a second, which steadily increment from bootup to shutdown in integer format. So if twenty seconds had passed from the time the control unit was rebooted, you’d have a time of 200 units. To get the number of actual seconds, that 200 would be multiplied by 1/10, which gives you back 20 again. Unfortunately, in binary, 1/10 has a non-terminating expansion. To convert the time, 24 bit registers were used, limiting its accuracy. So this number would stop after 24 bits. The result of this time calculation was used, with velocity, to determine the range gate. Now, this isn’t a problem with the Patriot as it had been used up to this point! The Patriot was intended to be moved around, quickly set up to intercept aircraft, and then shut down, moved again and rebooted. The average operating time for a Patriot missile system was originally intended to be 14 hours max. But the control computer at Dhahran had been continuously operating for over 100 hours. If you multiply the expected error after chopping down that binary fraction times 100 hours, or 360,000 seconds, you’ve got an error of around a third of a second. A Scud would be well out of the expected range gate in that amount of time.
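The drift described on this slide, worked through with exact fractions. This is an added example, not code from the presentation or from the Patriot system; the function names are hypothetical, the 23 binary places kept for 1/10 are an assumption chosen because it reproduces the slide's "around a third of a second" at 100 hours, and the 1000 m/s speed and 0.05 s tolerance are constructed sample values.

```python
from fractions import Fraction

TICKS_PER_HOUR = 3600 * 10   # the clock counts tenths of a second (from the page)
FRACTION_BITS = 23           # assumption: binary places kept for 1/10 in the 24-bit register


def chopped_tenth(bits=FRACTION_BITS):
    """1/10 truncated (chopped, not rounded) to `bits` binary places."""
    scale = 1 << bits
    return Fraction(scale // 10, scale)


def per_tick_error(bits=FRACTION_BITS):
    """Seconds lost each time one tick is converted with the chopped constant."""
    return Fraction(1, 10) - chopped_tenth(bits)


def clock_drift_seconds(uptime_hours, bits=FRACTION_BITS):
    """Accumulated timing error after `uptime_hours` without a reboot."""
    return Fraction(uptime_hours) * TICKS_PER_HOUR * per_tick_error(bits)


def gate_shift_metres(uptime_hours, target_speed_mps, bits=FRACTION_BITS):
    """How far the predicted position is off for a target at the given speed."""
    return clock_drift_seconds(uptime_hours, bits) * Fraction(target_speed_mps)


def max_uptime_hours(tolerance_seconds, bits=FRACTION_BITS):
    """Longest continuous run that keeps the drift within the tolerance."""
    return Fraction(tolerance_seconds) / (per_tick_error(bits) * TICKS_PER_HOUR)


if __name__ == "__main__":
    SPEED = 1000  # m/s, constructed sample value, not a figure from the page
    for hours in (8, 14, 20, 100):
        drift = clock_drift_seconds(hours)
        shift = gate_shift_metres(hours, SPEED)
        print(f"{hours:>4} h  drift {float(drift):.4f} s  shift {float(shift):7.1f} m")
    print(f"uptime limit for 0.05 s tolerance: {float(max_uptime_hours('0.05')):.1f} h")
```

The drift grows linearly with uptime, so a stated timing tolerance translates directly into a maximum continuous run time that can be written into the operating instructions.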

How We Almost Avoided It: data recorders: the US did not use them, but Israel did; February 11, 1991: Israeli forces reported the Patriot errors back to US.

Patriots were used widely in Israel as well as in Saudi Arabia. Now, one of the major problems in testing the Patriot system is that it wasn’t designed to store its own performance data. You can use an external data recorder to do this, but members of the US military often did not use them. There was some fear that the external recorder could cause a system shutdown. Israeli forces, however, made much more use of these recorders, and as a result, they caught the error, and reported it back to us. It was clear from their data that an operation range of 20 hours or more is enough to cause the radar to miss the Scud. We took the Israeli report into account, and sent out a memo on February 21st recommending that bases not operate their Patriot batteries for long periods of time. They didn’t specify how long was long. Software updates were also released to correct the problem, but the fact is, officials assumed that the experience in Israel wouldn’t be typical. They didn’t think anybody was running their control computer for longer than 14 hours at a time. The software update arrived in Dhahran on February 26th, one day after the strike.

Lessons Learned: When you adapt an older software system to a new use, make sure you also analyze the likely behavior of the users. Take the results of testing seriously! If user A could find the error, user B can too. You can’t be too accurate when lives are at stake. Military software must be robust. Don’t rely on assumptions; if it’s a usage standard, include it in the operating instructions. Protect against error, not against error discovery.

When you adapt an older software system to a new use, make sure you also analyze the likely behavior of the users. So much of what happened could have been avoided if it had been anticipated that the Patriot Missile Batteries were going to be stuck in one place for long periods of time, running continuously.

Take the results of testing seriously! If user A could find the error, user B can too. That’s what testing is for.

You can’t be too accurate when lives are at stake. Military software must be robust. If there hadn’t been a problem with the data recorders, they would have been more widely used, and the error reports would have been flooding in from everywhere.

Don’t rely on assumptions; if it’s a usage standard, include it in the operating instructions. “Run the computer for 14 hours maximum,” is a five word sentence, and almost impossible to misinterpret. But that leads to the next lesson:

Protect against error, not against error discovery. An instruction that gives a max operating time in effect admits that errors occur outside of that range. In many projects, admission of something as simple as “this device has operating limits” is unacceptable to your superiors, so designers just hope that users won’t exceed the limits, without warning the user.