
Chinook helicopter crash: was it computer software failure or a cause we'll never know?
This article gives the background to the Chinook helicopter disaster,
with links to all the relevant articles published by Computer Weekly
and other useful web links.
2 June 2008 marks the
fourteenth anniversary of the notorious crash of a Chinook
helicopter, ZD576, on the Mull of Kintyre in Scotland in 1994 -
a crash that had many possible causes, including
faulty software design, but for which the two dead pilots were
blamed: Flight Lieutenants Jonathan Tapper and Rick Cook.
Two air marshals found that Cook and Tapper were grossly
negligent by crashing Chinook ZD576, killing all 29 on board
including four crew and 25 passengers, who were mostly intelligence
and Special Branch officers.
Today there are still discussions about the Chinook helicopter crash
and whether the Chinook's computer system failed or the pilots were
at fault. A summary of all that is important to know is on the
Battle for Justice website. There is also discussion on the
Professional Pilots Rumour Network – the latest thread is 174 pages long.
That the debate is still active is due largely to the tenacity
of the families of the dead pilots, a particularly dogged
campaigner Brian Dixon, Channel Four News, Computer Weekly and many
others including professional pilots, peers and MPs. Computer
Weekly has received more than 400 e-mails in support of the
campaign.
We have published a 140-page report:
“RAF Justice - How the Royal Air Force blamed two dead pilots and
covered up problems with the Chinook’s computer system
Fadec”.
There have been several separate, independent inquiries into the
causes of the crash. The Public Accounts Committee, for example,
criticised the procurement of the Chinook Mk2’s Full Authority
Digital Engine Control [Fadec] system.
The committee looked into the crash as part of its investigation
into the value for money of the Chinook Mk2, and concluded:
“At entry to Service and the time of the crash of ZD-576 the
Chinook Mark 2 fleet was experiencing widespread and repeated
faults caused by the Full Authority Digital Engine Control
software”. It said that “faults with the Fadec led to doubts as to
the reliability and safety of the aircraft at the time and make it
very difficult to rule out categorically a technical fault as at
least a cause of ZD576’s crash”.
Why is Computer Weekly still concerned about a
helicopter crash 14 years ago?
When safety-critical computer software fails, or software
contains coding or design flaws, and these defects contribute to or
cause a major incident, there might be no physical trace of a
software-related deficiency.
Only the manufacturer may understand its system well enough to
identify any flaws in its design, coding or testing.
Yet no commercial manufacturer can be expected to implicate
itself in a major software-related disaster. So, if software kills
or injures people, it is possible and even likely that the exact
cause of the incident will never be known.
This is especially likely to be the case if the computer
software has failed in no obvious way, as when a coding error has
set off a chain of complex events that cannot be replicated after a
disaster.
Convention dictates that someone must be blamed for a major
incident, perhaps pilots, keyboard clerks or train drivers. In
business, those blamed for failures could be anyone in a relevant
senior post who could not prove their innocence.
It should be remembered that manufacturers, in proving their
equipment was not at fault after a major incident, may have large
resources at their disposal.
Individuals may have minimal resources to defend themselves in
any incident investigation: no access to the manufacturer's
commercially sensitive information, none of the manufacturer's
knowledge of how the systems work, and little money for expert
reports and advice.
Therefore, the weakest link after a disaster, particularly a
major fatal accident, will always be the operators or their
managers - especially if they are dead.
That is why the loss of Chinook ZD576 is so much more than a
helicopter crash. To accept the verdict against the pilots is to
accept that it is reasonable to blame the operators if the cause of
a serious incident is not known.