Recently in safety-critical systems Category

MOD test flies Universal Credit elastoplast

The Ministry of Defence has been struggling to patch together a vast estate of creaky old computer systems to make them fit for interconnection in the 21st century.

Its travails may provide insight into the challenges being faced at the Department for Work and Pensions, which aims to build its ambitious Universal Credit system on a veritable shanty town of legacy systems.

Kevin Wallis, lead applications architect at the MOD, heckled open standards purists with the legacy problem at a meeting of the British Computer Society's Open Source Specialist Group last week.

This chatter about open standards and interoperability was all very well, but legacy systems simply did not conform to new world thinking.

You can glue disparate systems together, he said, "provided the whole of the architecture has been designed around open standards.

"We are working in a brownfield site where we do not have that bit. That is the problem I face architecting the Ministry of Defence application suite. We don't have open standards that we can plug and play. That's the problem."

Having lobbed the inconvenient truth into the open source meeting, Wallis was forced to admit that the MOD IT section had earned itself the nickname "the Microsoft/Oracle department". But, he said, 70 per cent of MOD IT projects used some element of open source software.

The MOD headache will become familiar to departments across government as the Cabinet Office presses ahead with plans to make its systems interoperable through the use of open standards.

Open standards didn't exist 30 years ago

After the meeting, Wallis told Computer Weekly: "The MOD has systems that are 30 years old. They are mission critical. How can we work round them to go to an open standards architecture? Mostly open standards didn't exist then."

The MOD was solving the problem on "a case-by-case basis" using a variety of approaches.

"One of the options is, can we wrap it into a web services wrapper so we can pull that existing system as a web service," said Wallis.

"It can work. The huge advantage is that we don't have to redevelop the application," he said.

Another advantage was business continuity, said Wallis. It could plonk a new IT system on top of the old one, getting some of the advantages of modern computing without the usual delay. That would win the department breathing space where it might consider a long-term strategy for upgrading its decrepit systems.

The department's long-term plan was to do this with all its old systems. But it had a finite budget. And the government was considering whether the MOD was a special case whose systems deserved special attention.

The MOD had been reviewing all its software applications and asking: "Can we eliminate, can we migrate, do we have to tolerate or do we invest," said Wallis. One MOD programme alone was seeking to "rationalise" 600 applications. The Defence Information Infrastructure had rationalised about 2,000 applications to just 500.

Universal credit

The MOD approach may win the backing of duffers at the Institute for Government, whose report into government IT last week itself won the backing of Ian Watmore, head of the Cabinet Office Efficiency and Reform Group.

The report said the DWP's proposed £2bn Universal Credit system would be built using agile development methods, which effectively means it would be developed piecemeal, with a high degree of autonomy given to software development teams and outputs being produced iteratively as they were in the commercial software world.

The Universal Credit system proposes to integrate 51 separate state benefits into a single credit in just three years. DWP disburses £90bn a year through the present system, which is said to rely on 51 separate computer systems, some of which are 30 years old.

Watmore reportedly said at the launch of the Institute's report that Universal Credit would be built on top of the DWP's legacy systems.

One of the worst software project failures in memory?

Last month BBC R4's Today programme and Computer Weekly quoted from an MoD memo that said there was a "positively dangerous" flaw in the Chinook Mk2's safety-critical "Fadec" software.

Software code containing that dangerous flaw was fitted on the type of Chinook that crashed on the Mull of Kintyre in June 1994. The crash of Chinook ZD576 was one of the worst RAF accidents in peacetime.

All on board were killed including 25 VIPs.

There's active discussion today of a crash 16 years ago because two dead pilots were found to have caused the crash of an aircraft that some inside the RAF and the MoD considered was not safe to fly. The development of the Chinook Mk2 fuel-control software has been one of the most improvised projects we have investigated in decades.

It's likely that two RAF air marshals were unaware of the potential seriousness of the faults in the Chinook Mk2 when they found the dead pilots of Chinook ZD576, Flight Lieutenants Richard Cook and Jonathan Tapper, grossly negligent.

Only after an RAF Board of Inquiry into the Mull crash did it become clear that a series of internal documents had tried to alert the MoD hierarchy to the danger posed by the Chinook Mk2's safety-critical Fadec fuel control system.

That those internal MoD memos were not shown to the RAF Board of Inquiry into the Mull crash, or to the Air Accidents Investigation Branch which wrote a technical report on what it found in the wreckage, has never been explained.

The number of those who are now convinced the Mk2 Chinook helicopter was not airworthy has much increased since the disclosure of these documents. We have published several of the documents.

Now we're publishing (below) in technical detail another of the leaked documents: one written by EDS - which is now owned by HP. The EDS report explained in detail what was wrong with the Chinook Mk2's software.

EDS had been commissioned by the MoD to examine the Chinook Fadec's 16,254 lines of software code.

The analysis was carried out in July 1993, nearly a year before the crash on the Mull.

EDS found such a density of "category one" anomalies - the most potentially serious flaws - that I find it hard to believe that the RAF put the Mk2 Chinook into service without a software rewrite.

Five Knights ask to brief Tories on Chinook fatal crash

Four former chiefs of the air staff - and a former RAF Chief Engineer - have written to the Daily Telegraph saying they would wish to brief ministers if there is "yet another" review of the RAF's decision to blame the pilots for the crash of Chinook ZD 576 on the Mull in June 1994.

Sir Michael Graydon, Sir Richard Johns, Sir Peter Squire, Sir Glenn Torpy, and Sir Michael Alcock say that the finding of gross negligence against the pilots of ZD 576 was "inescapable".

It appears that the five wish to preempt the appointment of a High Court judge to review the evidence against the pilots, which is what the Tories have promised to do if they are elected.

Flawed Chinook Fadec updated only after fatal Mull crash


Faulty safety-critical "Fadec" software that was installed on the Chinook Mk2 helicopter had secret modifications after the notorious fatal crash on the Mull of Kintyre, Computer Weekly has learned.

The Ministry of Defence has repeatedly dismissed claims that the Mull crash could have been caused by software. Its argument, in part, is that Chinooks have been flying safely all over the world while fitted with the "Fadec" engine control system.

But Computer Weekly has learned that the contractors responsible for the Fadec software, who had previously resisted making code changes requested by the MoD's IT experts at Boscombe Down, modified the software after the crash on the Mull of Kintyre - at their own expense.

Full article on

BBC "Today" reports again on "bitter debate" over danger Chinook Fadec


BBC Radio 4's Today programme this morning raised the question of whether the Ministry of Defence hierarchy is "protecting its own" by maintaining that two pilots were to blame for the crash of a Chinook helicopter that might not have been airworthy.

The broadcast, by Today investigative reporter Angus Stickler, follows his report last week on a "positively dangerous" flaw in the Chinook Mk2's Fadec engine control computer system.

Computer Weekly last week published the internal MoD memo on which Stickler's original report was based.

This is what was said on the Today broadcast this morning:  

James Naughtie [presenter]:  "Last week, an investigation by this programme into the loss of a Chinook helicopter in 1994 - that crash on the Mull of Kintyre - revealed that there were serious concerns about computer software which was being used to control the engines.

"Now a rather bitter debate has erupted in the wake of those reports, in the letters pages of at least one national newspaper. Our reporter Angus Stickler - whose report it was - has been unpicking the detail.

Web publication of "Macdonald" report on Chinook ZD576 crash

[Picture is of Chinook ZD576, which later crashed notoriously on the Mull of Kintyre]

An impressive and extensively-researched report on the Chinook Mk2 accident, by three fellows of the Royal Aeronautical Society, has been published on the web today by The Guardian.

An excerpt: "... vital information relating to Chinook HC2 engine malfunctions was knowingly kept from the various boards of inquiry by the RAF" and "known possible causal factors were ignored by the RAF's own BOI".

The fellows say that the views of RAF Boscombe Down test pilots and computer software specialists were ignored. The "aircraft was ordered into service before faults such as those found in the HC2 flight critical Fadec engine control computer software had been satisfactorily cleared...."

Ministry of Defensiveness - culture of denial over Chinook software flaws


This is an excerpt from an editorial in The Times on the blaming of two pilots for the crash of Chinook ZD576 on the Mull of Kintyre in June 1994.

It says, in essence, that the MoD would rather perpetuate an injustice than concede it could have been wrong all along.

From The Times:

"The Ministry of Defence, by refusing to reconsider its verdict that the 1994 helicopter crash which killed 29 people was caused by "gross negligence" by the pilots, is risking its credibility just to save face...

"The MoD's position relied on the assumption that technical failures in the Chinook's software system could not explain such a disastrous degree of error. But that possibility can no longer be ruled out.

"Before the crash, several internal MoD documents raised significant alarms about the Chinook's engine control computer software, describing it as positively dangerous.

Chinook Mk2: we publish new evidence of computer problems

The lead news item on BBC radio and TV news for much of yesterday referred to computer-related evidence about the Chinook Mk2, of the type that crashed on the Mull of Kintyre in June 1994.

The crash killed all 29 on board including 25 senior police and intelligence officers. The RAF blamed the two dead special forces pilots, Flight Lieutenants Rick Cook and Jonathan Tapper.

BBC Online's headline was: "Chinook crash may have been caused by software faults".

So what is the new evidence?

It's in two documents, which are herein published generally for the first time (see below). Thank you to a concerned insider for the information.

The jargon officials want banned - this blog's most-viewed post in 2009


These were the articles that were viewed the most on this IT Projects blog in 2009:

1) The jargon terms council leaders want banned

2) Top tips for project managers

3) Failed £234m C-Nomis IT project - ministers not told full truth

4) Wanless report 2007 - what it says in full on the NHS's National Programme for IT

5) Airbus crash: can a triple-redundant system give false readings?

It's interesting, to me, that the most-viewed post on the NPfIT in 2009 was one written in 2007: a summary of the NPfIT parts of the Wanless report.

Moving towards error-free software - Martyn Thomas


Martyn Thomas is visiting professor of software engineering at Oxford University Computing Laboratory. One of the few in the software community to have strong engineering credentials, he is a Fellow of the Royal Academy of Engineering (RAEng) and of both UK professional computing institutions, the British Computer Society (BCS) and the Institution of Engineering and Technology (IET).

Thomas was one of 23 leading academics who called for an independent and published review of the NHS's £12.7bn National Programme for IT. 

He has now written a guest blog post on a report published by the Royal Academy of Engineering on 31 July 2009. "Every important IT project should be led by a Chartered Engineer or a Chartered IT professional accredited in systems engineering," says Thomas.
