Chinook computer was 'positively dangerous' say newly-disclosed MoD documents

A computer flaw in the type of Chinook helicopter that crashed on the Mull of Kintyre, killing all 29 on board, was known to be "positively dangerous", according to military documents that have not been published until today.

A computer flaw in the type of Chinook helicopter that crashed on the Mull of Kintyre, killing all 29 on board, was known to be "positively dangerous", according to military documents that have not been published until today.

The RAF blamed the two pilots, Flight Lieutenants Rick Cook and Jonathan Tapper, for the crash of Chinook ZD576 on 2 June 1994, which killed 25 senior police and intelligence officers.

But an RAF Board of Inquiry was unable to establish why the crash happened. It did not rule out problems with the Chinook Mk2's innovative, software-controlled "Fadec" fuel control system as a contributory factor in the crash.

Now internal Ministry of Defence documents, which have been seen by the BBC and Computer Weekly, show that the RAF hierarchy approved the Chinook Mk2 as airworthy while knowing - and without remedying - a dangerous flaw in the helicopter's "Fadec" fuel control system.

Computer Weekly has already reported on problems with the Fadec system in a 140-page report which we published in 1999. But the internal MoD documents that are now disclosed contain the most serious internal criticism yet of the Fadec.

The criticism is contained in a memo written in September 1993 - nine months before the crash on the Mull of Kintyre - by the Superintendent of Engineering Systems at an MoD establishment at Boscombe Down, Salisbury.

IT experts at Boscombe Down were tasked with checking the Chinook's Mk2's Fadec software as part of the tests to see whether the helicopter was airworthy. After an assessment of the Fadec software the Superintendent of Engineering Systems said that the density of deficiencies was so high that the software was unintelligible.

He said of the anomalies in both the software code and documentation: "One of these, the reliance on an undocumented and unproved feature of the processor, is considered positively dangerous".

He added that the software "falls significantly short of the standard required and expected for a safety-critical system No assurance can be given concerning the fidelity of the software and hence the pilot's control of the engine (s) through Fadec cannot be assured".

The Superintendent's memo also said that a hazard analysis by Boeing, the Chinook's manufacturer, had categorised the Fadec software as "safety-critical" because "any malfunctions or design errors could have catastrophic effects".

The Fadec controlled the flow of fuel to the Chinook's two jet engines - and it could not be overridden by pilots.

The Superintendent said: "The standard of engineering is demonstrably not that to be expected of software intended for the purpose of controlling a safety critical function in an aircraft".

The Superintendent's memo was given extra weight when, on 12 October 1993, Boscombe Down formally reported on the memo's contents to the Ministry of Defence in London.

That October letter, which was addressed to the MoD's Director Helicopters Projects, said that Boscombe Down had been unable to recommend Controller Aircraft Release [CAR].

Without the CAR, the Chinook Mk2 could not be released into operational service. Boscombe Down wanted the rewriting of the Fadec software "with some urgency".

It was "impractical" to revert to the helicopter's manual hydro-mechanical system used in the Mk1 helicopter, said the letter.

But the RAF discounted the concerns of Boscombe Down and decided anyway to give the Chinook Mk2 a Controller Aircraft Release. The Chinook went into operational service in early 1994, without a rewriting of the software or corrections to anomalies in the code.

Boscombe Down's concerns proved prophetic. In the months before the crash on the Mull of Kintyre pilots of the Chinook Mk2 reported a series of faults, including engine failure, which were later traced back to Fadec problems.

But Fadec faults were corrected after the crash on the Mull.

Campaigners for the families of the dead pilots say that the Chinook was rushed into service, safety concerns were ignored, and the systemic flaws in airworthiness procedures hidden by the blaming of the pilots.

The Ministry of Defence says it does not accept that the documents represent new evidence. It refuses to set aside the finding of gross negligence against Cook and Tapper.

The Conservatives have promised that, if elected, they will appoint a judge to review the evidence against the pilots.

Computer Weekly "RAF Justice" report on the Chinook Mk2 software

Chinook crash might have been caused by software faults - BBC News online

Read more on IT risk management

CIO
Security
Networking
Data Center
Data Management
Close