Chinook crash: critical internal memo on software flaws

Today, in the week of the 15th anniversary of the notorious crash of a Chinook helicopter on the Mull of Kintyre, Computer Weekly is publishing, in full for the first time, an MoD memo that is the clearest evidence yet that software problems made the helicopter unsafe to fly at the time of the accident.

The internal MoD letter - which by coincidence was written on the day of the crash of the Chinook - says that recommendations over the Chinook's "Fadec" engine control software have "been ignored" and that air crews will be at risk if they continue to fly the helicopter.

The letter urges "in the strongest possible terms" an end to operational flights of the Chinook until corrective action is taken. The letter says that the official explanation of "no fault found" after Fadec system problems have occurred will no longer suffice.

The concerns raised in the letter add to the mystery of why the RAF allowed some of the UK's top police and intelligence to fly together on one aircraft which was known to have dangerously flawed safety-critical software. Twenty-five VIPs were killed in the crash of Chinook ZD576 soon after 6pm on 2 June 1994.

One of the pilots of Chinook ZD576 had not wanted to fly in the Mk2 [HC2] helicopter which was fitted with two new Fadec systems, one for each jet engine. He had requested an earlier Mk1 [HC1] non-Fadec version of the helicopter. His request was denied.

Also, the internal MoD letter failed to stop the last flight of ZD576. Two Air Marshals found the pilots of ZD576, Flight Lieutenants Rick Cook and Jonathan Tapper, grossly negligent.

Ever since, the Cook and Tapper families have campaigned for the finding of negligence to be overturned because of doubts about the cause of the crash. RAF rules said that dead pilots could be found negligent only if there was "absolutely no doubt whatsoever".

Now Computer Weekly is publishing the internal MoD letter in full, because it is evidence that the unreliability of the Fadec system made the helicopter unsafe to fly. A year before the crash, services supplier EDS had abandoned an assessment of the Fadec software because it had hundreds of anomalies and bugs.

For many years it has been known that trials flying of the Chinook Mk2 had ceased, because of Fadec concerns, on the day before the crash on the Mull of Kintyre. But now the internal letter shows the intense pressure the RAF was under to cease operational flights as well.

The Fadec was unusually reliant on software - for both the main (primary) mode and also back up [reversionary] mode. The system controlled the flow of fuel to the Chinook's engines. Too much fuel and the engines could accelerate out of control. Two little fuel and they could flame out - switch off.

Even before the crash on the Mull, tests of the reversionary mode had made the engines flame out or behave erratically. So, during operational flights, pilots were under instruction not to select reversionary mode manually, Computer Weekly has learned.

But this ban on the manual use of the software-based reversionary channel left open the question of what would happen to the engines if the system automatically went into reversionary mode when the helicopter was in flight.

A fault code was indeed found in the self-diagnosis unit of a Fadec system recovered from the crashed ZD576. The second Fadec system on ZD576 was too badly damaged to check.

There was evidence in the crash that pilots might have been seeking full power but the wreckage showed the engines were delivering power at an intermediate setting only.

The defence secretary at the time of the crash, Malcolm Rifkind, endorsed the findings of negligence but he has since changed his mind. He says he was not given all the facts. All Labour defence ministers have, however, backed the air marshals.

Computer Weekly has backed a campaign to clear the reputations of the pilots because of the wider implications of blaming the weakest link in the chain of command - in this case the pilot-operators - for a fatal crash which could have been caused by poorly-designed software.

We have also been concerned at the overlooking by the RAF of the systemic failures which lay behind the installation of flawed software on operational Chinooks. The Fadec software was improved - but only after the crash on the Mull of Kintyre.

We published a 140-page report on the cover-up of the Chinook's software problems.

This is the letter from the Officer Commanding Rotary Wing Test Squadron, Procurement Executive, Ministry of Defence, Aeroplane and Armament Experimental Establishment (now Qinetiq) Boscombe Down, Salisbury, Wilts.

To: Project Manager, Chinook, Procurement Executive, Ministry of Defence Aeroplace and Armament Experimental Establishment Boscombe Down, Salisbury

Date: 2 June 1994

CURRENT SAFETY OF CONTINUED HC2 TRIALS FLYING

References:

A. [reference number] dated 18 August 1993

B. [reference number] dated 27 August 1993

C. Letter report, Chinook HC Mk2 Interim CA [Controller Aircraft] Release Recommendations dated October 1993

D. [reference number] 24 February 1994

E. RAF Odiham March 1994 [incident report]

F. RAF Odiham April 1994 [incident report]

G. RAF Laarbruch May 1994 [incident report]

H. RAF Odiham May 1994 [incident report]

1. As CA [controller aircraft - the RAF's equivalent of a civil safety certificate] release trials were about to start on the Chinook HC2 helicopter in late summer 1993, interested parties at Boscombe Down raised questions as to the integrity of the engine control system, particularly the Full Authority Digital Electronic Control [FADEC]. Long considered a desirable upgrade to the engine controls, the design of the FADEC software had been suspect for a considerable period preceding the commencement of flight trials. A summary of references A and B, correspondence from the Superintendent of Engineering Systems Division, indicates that the major concerns were:

a. It was impossible to independently verify the software

b. The software contained illegal code, the effects of which were unknown even in safety-critical areas.

c. That the risks associated with operating the FADEC were essentially unquantifiable.

It was assumed that the FADEC would act unpredictably at some point in the future. Reference C failed to recommend CA Release of the FADEC for the reasons previously stated and considered a re-write of the software essential.

2. Since the Chinook HC2 has been phased into service, a large number of engine related incident signals [reports] have been generated by a comparatively small fleet of aircraft flying a limited number of hours. Some of these incidents, detailed at references B through G, have been serious. Reference H was one of two incidents which reported single engine flameout upon selection of FADEC Reversionary control and was sufficiently serious to cause A&AEE [Aeroplane and Armaments Experimental Establishment - now Qinetiq] to temporarily halt flying operations until the engine could be evaluated. These incidents were compared to a fault found in the HMA [hydro-mechanical assembly controlled by the FADEC's software] of a US Army MH-47E [a special forces helicopter fitted with a better-tested FADEC than the UK's Mk2 version], which experienced an engine Rundown, and while no defects in either British HMA were detected, the HMA was presumed to be the cause and provided sufficient reason for A&AEE to resume trials flying. No explanation for the variation between rundown (HMA attributable) and Shutdown (FADEC Reversionary mode attributable) was given and the incidents remain under the category 'No Faults Found'. Following the decision to continue trials flying, the second flameout (reference F) and a serious runaway up [unexpected acceleration of the engine(s)] (Reference G) have occurred. The runaway up has prompted Engineering and Performance Divisions to reassess trials sortie profiles, electing not to conduct trials flying using the Reversionary control.

3. Rotary Wing Test Squadron [RWTS] has now received reference H, yet another incident signal [report] relating to a Chinook HC2 suffering a serious engine malfunction. While previously all incidents have manifested themselves on the ground, primarily during reversionary checks, this one occurred in flight in a benign handling scenario and resulted in at least three overtemps [over-temperatures] of the engine. The power turbine section of the engine sustained significant damage and had to be replaced. Summarily, the weight of the incident signals, both their frequency of occurrence and their increasing variability, causes RTWS to believe that the previous forecast of system unpredictability is now a reality. Further, while RWTS concede that, since there have been no changes to the Engine control system, the actual risks associated with operating the Mk2 have not changed since trials first commenced, the previously unquantifiable risk is now much more clearly defined and is, at present, unacceptable. Even limiting the potential to a single engine problem, it would be impossible for the aircraft to conduct its role if it were required to remain in single engine flight condition during every sortie. This precludes a reasonable assurance of safety of any flight let alone relatable trials flying.

4. During trials flying conducted since the autumn of 1993, two other problems associated with the FADEC controlled engines have been discovered:

a. A spurious engine failure warning.

b. A 2.5 Hertz engine drive train oscillation.

The former was dismissed by the manufacturer as not being a safety-critical problem. Considering the Operational Role of the aircraft this is most definitely a view not shared by RWTS. The consequences of the latter problem have not been resolved fully as more sensitive instrumentation is required to investigate it further. In the interim, Boeing Helicopters has stated that they are not concerned about the short term fatigue implications of the 2.5 Hertz oscillation on the fuel metering valve of the HMA, a concern expressed by [deleted] at reference D.

5. While RWTS appreciate the effect that any delay in the programme [withdrawing Chinook MK2 from operational service] will have on current theatres of operation and the associated political pressures thus imposed, we consider that Boscombe Down is failing in its primary role of providing the front line with equipment which can not only efficiently carry out this task but do this safely.

6. RWTS has carefully monitored the progress of this trial and has put tremendous effort into ensuring that it progresses safety to provide timely CA [Controller Aircraft] Release recommendations. These recommendations with respect to FADEC have, to date, been ignored. Until RWTS is provided with a clear, unequivocal and realistic explanation of the faults described at references B through H, with corrective action, further Chinook HC2 flying shall not be authorized. A statement of 'No Fault Found' will no longer satisfy this requirement.

7. As a trials organisation, A&AEE has always been keenly aware of the risks associated with operating the Chinook HC2 and has tailored sortie profiles accordingly. Crews of the RAF have no such luxury and are likely at higher risk than A&AEE crews. As such, RWTS deem it imperative that, in the strongest possible terms, the RAF should be provided with a recommendation to cease Chinook HC2 operations until the conditions established in paragraph 6 are satisfied.

For Officer Commanding RWTS

Action:

Superintendent of Flying Division

Superintendent of Engineering

Superintendent of Aircraft Dynamics Division

RTWS How it's described on its website:

Rotary Wing Test Squadron

Rotary Wing Test Squadron (RWTS) is a tri-service UK military organisation based at MOD Boscombe Down, Wiltshire. Primarily, the squadron is responsible for test and evaluation of rotary wing aircraft and equipment, or their associated modifications.

 

Chinook crash - Computer Weekly's links and summary >>

RAF Justice - a 140-page report on how the RAF covered up software problems and blamed two pilots for the crash of Chinook ZD576

Campaign for Justice - the tireless efforts of Brian Dixon who has campaigned for years on behalf of the families of the two pilots of ZD576. He runs a website dedicated to the campaign.