Today, in the week of the 15th anniversary of the
notoriouscrash of a Chinook helicopteron the Mull of Kintyre,
Computer Weekly is publishing, in full for the first time, an MoD
memo that is the clearest evidence yet that software problems made
the helicopter unsafe to fly at the time of the accident.
The internal MoD letter - which by coincidence was written on
the day of the crash of the Chinook - says that recommendations
over the Chinook's
"Fadec" engine
control software have "been ignored" and that air crews will be at
risk if they continue to fly the helicopter.
The letter urges "in the strongest possible terms" an end to
operational flights of the Chinook until corrective action is
taken. The letter says that the official explanation of "no fault
found" after Fadec system problems have occurred will no longer
suffice.
The concerns raised in the letter add to the mystery of why the
RAF allowed some of the UK's top police and intelligence to fly
together on one aircraft which was known to have dangerously flawed
safety-critical software. Twenty-five VIPs were killed in the crash
of Chinook ZD576 soon after 6pm on 2 June 1994.
One of the pilots of Chinook ZD576 had not wanted to fly in the
Mk2 [HC2] helicopter which was fitted with two new Fadec systems,
one for each jet engine. He had requested an earlier Mk1 [HC1]
non-Fadec version of the helicopter. His request was denied.
Also, the internal MoD letter failed to stop the last flight of
ZD576. Two Air Marshals found the pilots of ZD576, Flight
Lieutenants Rick Cook and Jonathan Tapper, grossly negligent.
Ever since, the Cook and Tapper families have campaigned for the
finding of negligence to be overturned because of doubts about the
cause of the crash. RAF rules said that dead pilots could be found
negligent only if there was "absolutely no doubt whatsoever".
Now Computer Weekly is publishing the internal MoD letter in
full, because it is evidence that the unreliability of the Fadec
system made the helicopter unsafe to fly. A year before the crash,
services supplier
EDS had abandoned an assessment of the Fadec software because
it had hundreds of anomalies and bugs.
For many years it has been known that trials flying of the
Chinook Mk2 had ceased, because of Fadec concerns, on the day
before the crash on the Mull of Kintyre. But now the internal
letter shows the intense pressure the RAF was under to cease
operational flights as well.
The Fadec was unusually reliant on software - for both the main
(primary) mode and also back up [reversionary] mode. The system
controlled the flow of fuel to the Chinook's engines. Too much fuel
and the engines could accelerate out of control. Two little fuel
and they could flame out - switch off.
Even before the crash on the Mull, tests of the reversionary
mode had made the engines flame out or behave erratically. So,
during operational flights, pilots were under instruction not to
select reversionary mode manually, Computer Weekly has learned.
But this ban on the manual use of the software-based
reversionary channel left open the question of what would happen to
the engines if the system automatically went into reversionary mode
when the helicopter was in flight.
A fault code was indeed found in the self-diagnosis unit of a
Fadec system recovered from the crashed ZD576. The second Fadec
system on ZD576 was too badly damaged to check.
There was evidence in the crash that pilots might have been
seeking full power but the wreckage showed the engines were
delivering power at an intermediate setting only.
The defence secretary at the time of the crash,
Malcolm
Rifkind, endorsed the findings of negligence but he has since
changed his mind. He says he was not given all the facts. All
Labour defence ministers have, however, backed the air
marshals.
Computer Weekly has backed a campaign to clear the reputations
of the pilots because of the wider implications of blaming the
weakest link in the chain of command - in this case the
pilot-operators - for a fatal crash which could have been caused by
poorly-designed software.
We have also been concerned at the overlooking by the RAF of the
systemic failures which lay behind the installation of flawed
software on operational Chinooks. The Fadec software was improved -
but only after the crash on the Mull of Kintyre.
We
published a 140-page report on the cover-up of the Chinook's
software problems.
This is the letter from the Officer Commanding Rotary Wing Test
Squadron, Procurement Executive, Ministry of Defence, Aeroplane and
Armament Experimental Establishment (now Qinetiq)
Boscombe
Down, Salisbury, Wilts.
To: Project Manager, Chinook, Procurement Executive,
Ministry of Defence Aeroplace and Armament Experimental
Establishment Boscombe Down, Salisbury
Date: 2 June 1994
CURRENT SAFETY OF CONTINUED HC2 TRIALS
FLYING
References:
A. [reference number] dated 18 August 1993
B. [reference number] dated 27 August 1993
C. Letter report, Chinook HC Mk2 Interim CA [Controller
Aircraft] Release Recommendations dated October 1993
D. [reference number] 24 February 1994
E. RAF Odiham March 1994 [incident report]
F. RAF Odiham April 1994 [incident report]
G. RAF Laarbruch May 1994 [incident report]
H. RAF Odiham May 1994 [incident report]
1. As CA [controller aircraft - the RAF's equivalent of a
civil safety certificate] release trials were about to start on the
Chinook HC2 helicopter in late summer 1993, interested parties at
Boscombe Down raised questions as to the integrity of the engine
control system, particularly the Full Authority Digital Electronic
Control [FADEC]. Long considered a desirable upgrade to the engine
controls, the design of the FADEC software had been suspect for a
considerable period preceding the commencement of flight trials. A
summary of references A and B, correspondence from the
Superintendent of Engineering Systems Division, indicates that the
major concerns were:
a. It was impossible to independently verify the
software
b. The software contained illegal code, the effects of which
were unknown even in safety-critical areas.
c. That the risks associated with operating the FADEC were
essentially unquantifiable.
It was assumed that the FADEC would act unpredictably at
some point in the future. Reference C failed to recommend CA
Release of the FADEC for the reasons previously stated and
considered a re-write of the software essential.
2. Since the Chinook HC2 has been phased into service, a
large number of engine related incident signals [reports] have been
generated by a comparatively small fleet of aircraft flying a
limited number of hours. Some of these incidents, detailed at
references B through G, have been serious. Reference H was one of
two incidents which reported single engine flameout upon selection
of FADEC Reversionary control and was sufficiently serious to cause
A&AEE [Aeroplane and Armaments Experimental Establishment - now
Qinetiq] to temporarily halt flying operations until the engine
could be evaluated. These incidents were compared to a fault found
in the HMA [hydro-mechanical assembly controlled by the FADEC's
software] of a US Army MH-47E [a special forces helicopter fitted
with a better-tested FADEC than the UK's Mk2 version], which
experienced an engine Rundown, and while no defects in either
British HMA were detected, the HMA was presumed to be the cause and
provided sufficient reason for A&AEE to resume trials flying.
No explanation for the variation between rundown (HMA attributable)
and Shutdown (FADEC Reversionary mode attributable) was given and
the incidents remain under the category 'No Faults Found'.
Following the decision to continue trials flying, the second
flameout (reference F) and a serious runaway up [unexpected
acceleration of the engine(s)] (Reference G) have occurred. The
runaway up has prompted Engineering and Performance Divisions to
reassess trials sortie profiles, electing not to conduct trials
flying using the Reversionary control.
3. Rotary Wing Test Squadron [RWTS] has now received
reference H, yet another incident signal [report] relating to a
Chinook HC2 suffering a serious engine malfunction. While
previously all incidents have manifested themselves on the ground,
primarily during reversionary checks, this one occurred in flight
in a benign handling scenario and resulted in at least three
overtemps [over-temperatures] of the engine. The power turbine
section of the engine sustained significant damage and had to be
replaced. Summarily, the weight of the incident signals, both their
frequency of occurrence and their increasing variability, causes
RTWS to believe that the previous forecast of system
unpredictability is now a reality. Further, while RWTS concede
that, since there have been no changes to the Engine control
system, the actual risks associated with operating the Mk2 have not
changed since trials first commenced, the previously unquantifiable
risk is now much more clearly defined and is, at present,
unacceptable. Even limiting the potential to a single engine
problem, it would be impossible for the aircraft to conduct its
role if it were required to remain in single engine flight
condition during every sortie. This precludes a reasonable
assurance of safety of any flight let alone relatable trials
flying.
4. During trials flying conducted since the autumn of 1993,
two other problems associated with the FADEC controlled engines
have been discovered:
a. A spurious engine failure warning.
b. A 2.5 Hertz engine drive train oscillation.
The former was dismissed by the manufacturer as not being a
safety-critical problem. Considering the Operational Role of the
aircraft this is most definitely a view not shared by RWTS. The
consequences of the latter problem have not been resolved fully as
more sensitive instrumentation is required to investigate it
further. In the interim, Boeing Helicopters has stated that they
are not concerned about the short term fatigue implications of the
2.5 Hertz oscillation on the fuel metering valve of the HMA, a
concern expressed by [deleted] at reference D.
5. While RWTS appreciate the effect that any delay in the
programme [withdrawing Chinook MK2 from operational service] will
have on current theatres of operation and the associated political
pressures thus imposed, we consider that Boscombe Down is failing
in its primary role of providing the front line with equipment
which can not only efficiently carry out this task but do this
safely.
6. RWTS has carefully monitored the progress of this trial
and has put tremendous effort into ensuring that it progresses
safety to provide timely CA [Controller Aircraft] Release
recommendations. These recommendations with respect to FADEC have,
to date, been ignored. Until RWTS is provided with a clear,
unequivocal and realistic explanation of the faults described at
references B through H, with corrective action, further Chinook HC2
flying shall not be authorized. A statement of 'No Fault Found'
will no longer satisfy this requirement.
7. As a trials organisation, A&AEE has always been
keenly aware of the risks associated with operating the Chinook HC2
and has tailored sortie profiles accordingly. Crews of the RAF have
no such luxury and are likely at higher risk than A&AEE crews.
As such, RWTS deem it imperative that, in the strongest possible
terms, the RAF should be provided with a recommendation to cease
Chinook HC2 operations until the conditions established in
paragraph 6 are satisfied.
For Officer Commanding RWTS
Action:
Superintendent of Flying Division
Superintendent of Engineering
Superintendent of Aircraft Dynamics Division
RTWS How it's described on its website:
Rotary Wing Test Squadron
Rotary Wing Test Squadron (RWTS) is a tri-service UK
military organisation based at MOD Boscombe Down, Wiltshire.
Primarily, the squadron is responsible for test and evaluation of
rotary wing aircraft and equipment, or their associated
modifications.
Chinook crash - Computer Weekly's links and summary
>>
RAF Justice - a 140-page report on how the RAF covered up
software problems and blamed two pilots for the crash of Chinook
ZD576
Campaign for
Justice - the tireless efforts of Brian Dixon who has
campaigned for years on behalf of the families of the two pilots of
ZD576. He runs a website dedicated to the campaign.