Patriot Missile Failure: The Cost of Numerical Errors
The Patriot Missile Failure: A Numerical Disaster
The incident. On February 25, 1991, during the Gulf War, a U.S. Patriot missile battery at Dhahran, Saudi Arabia, failed to track and intercept an incoming Iraqi Scud missile. The Scud struck the barracks directly, killing 28 American soldiers and injuring around 100 others. The system had successfully intercepted Scuds before; the failure was not a hardware fault or enemy countermeasure, but a numerical software defect. This was documented in the U.S. General Accounting Office report “Patriot Missile Defense: Software Problem Led to System Failure at Dhahran, Saudi Arabia” (GAO/IMTEC-92-26, Feb. 1992). arxiv
Root Cause: Binary Representation Errors
The root cause. The Patriot system stores time in a fixed-point register 24 bits long, sampled every one-tenth of a second. To use this tick count in tracking calculations, the software converts it to seconds by multiplying by 0.1. However, time recorded in tenths of a second as an integer must be converted to a floating-point number for tracking calculations. Rounding errors in this conversion cause shifts in the system’s “range gate” used to track the target. Autarkaw University of North Carolina
The number 0.1 has a non-terminating binary expansion (0.0001100110011...₂, repeating), so it cannot be stored exactly in any finite register. The 24-bit register truncated this expansion, introducing a chopping error of about 0.000000095 in decimal—a tiny error on its own. umn
How Tiny Errors Become Catastrophic
Why a tiny error became catastrophic. This is the critical mechanism: the error did not occur once—it was reintroduced and accumulated at every single clock tick for as long as the system ran without rebooting. Rebooting reset the internal clock and the accumulated drift to zero. By the time the Patriot battery had been operational for about 100 hours, the resulting time error had grown to approximately 0.34 seconds. The error scaled almost exactly proportionally to elapsed time:
- After 8 hours: ~0.0275 seconds
- After 100 hours: ~0.3433 seconds
Impact on the Targeting System
Consequence for the targeting system. A Scud missile travels at roughly 1,676 m/s, so in 0.34 seconds, it covers more than half a kilometer. The Patriot’s radar predicts where to look for the target next—the “range gate”—based on its last known position and velocity. The timing error was large enough to place the incoming Scud outside this range gate; consequently, the system’s software concluded there was no real target there and never attempted an intercept. arxiv
Compounding Factors and Late Fixes
A compounding factor. A more accurate time-conversion subroutine had already been written and inserted into the software, but only at about half of the roughly six places in the program where the calculation was needed. It was missed at the point relevant to this failure. The corrected software, which fully fixed the inaccurate time calculation, arrived at Dhahran the day after the fatal attack. Chang Ge Barr Group
Classification of the Software Defect
Classification within the course’s error taxonomy. This is a clean example of a representation/rounding error (|L−V| in the model-error chain), not a modeling or discretization error. The formal model and tracking algorithm were correct. The failure traces purely to the fact that a simple decimal fraction (0.1) cannot be represented exactly in finite-precision binary arithmetic, combined with the absence of any bound on how long that small per-operation error was allowed to accumulate. This illustrates the lesson: “do not assume a small rounding error stays small.”
Lessons in Software Verification
Why this matters for the verification theme. Conventional floating-point computation gave no warning that its output (a predicted target position) might be wrong by hundreds of meters—it simply returned a number with no attached guarantee of accuracy. This is exactly the gap that methods with result verification are designed to close. By propagating a rigorous enclosure of the error alongside the computed value, a verified computation would have flagged that the predicted position carried an uncertainty large enough to invalidate the range-gate decision, rather than silently returning a confident-looking but wrong number.