Since the fatal Chinook helicopter crash on the Mull of Kintyre in 1994, Ministry of Defence (MoD) officials and government ministers have vigorously rebuffed all suggestions that the helicopter's software-controlled engineering systems could endanger the aircraft.
They have referred repeatedly to the system's problems as "trivial" or "nuisance faults".
Now leaked MoD documents, dating from 1997 and 1998, throw new light on the extent to which the Chinook Mk2's Full Authority Engine Control (Fadec) software was critical to safety. The two Fadec software systems control the flow of fuel to each of the helicopter's jet engines.
One of the leaked documents shows how pilots may not rely on maximum engine power when they most need it, for example, when only one of the Chinook's two jet engines is operating.
The other document says the engines may surge or shut down when the Fadec system is in back-up or reversionary mode.
Contradicting statements made over several years by the MoD and ministers on the proven safety of Fadec-related systems, one document says the identified problem represents a "flight safety hazard".
The two documents are air publication notices, which detail modifications to aircraft systems. They reveal different problems involving the Chinook's Fadec software, particularly its controlling computer system, the Digital Engine Control Unit (Decu).
The first notice says a leak in a P3 air line, part of a system monitoring engine pressure, may cause an erroneous signal to be sent to the Decu. In turn, the Decu may mistakenly interpret the drop in pressure as indicating, for example, a possible and potentially damaging engine surge.
So the Decu may seek to limit the flow of fuel to the engines to counter a non-existent surge. This could happen at critical times - when the Chinook's pilots require maximum power or when only one of the engines is operating.
"This condition goes undetected by the pilot and would only become apparent when maximum power was required or single engine operation was required, this affecting safe aircraft operation," says the MoD notice.
A similar warning was issued by the safety watchdog of the US Army to operators of Chinooks fitted with Fadec.
The US Army's mandatory maintenance notice refers to a "defective Fadec P3 drain cartridge". It says the need for a modification is such that exceptions can be made only in "combat operations or matters of life or death in civil disasters or other emergencies are so urgent that they override the consequences of continued aircraft operation".
Problems which cause leaks in the P3 line may "develop easily" but the weakness may not be perceived by the Decu. Therefore, it may not "engage the software fault detection logic".
When this happens it "will result in a partial or complete loss of engine power while in primary mode [the Fadec system's usual, main mode of operation].
The MoD has not said whether these modifications have been made. But the air publication notices raise questions about the crash on the Mull of Kintyre of Chinook ZD576 which killed four crew and 25 intelligence and police officers.
In the RAF's final ruling on the crash, two air marshals found there was absolutely no doubt whatsoever that the pilots were to blame. This contradicted an RAF Board of Inquiry which identified anomalies and concluded that there was insufficient evidence to blame the pilots.
One of the many unexplained aspects of the crash of ZD576 is that the pilot's collective or thrust lever, a handbrake-like control, was found pulled up to its maximum height.
Normally, when the collective lever is pulled to its maximum height, the pilot would expect the engines to deliver full power. But the report of the Air Accidents Investigation Branch said the engines were delivering only intermediate power.
This apparent contradiction raises questions of whether the engines were responding correctly to pilot commands.
The MoD claims that the Fadec on each of the two engines was working normally. But one of the Fadecs was destroyed in the crash, and the other was only partially functioning. It was investigated by the the system's manufacturers which, unknown to air accident inspectors, were being sued by the MoD over a design error in the Fadec which caused the near-loss of an RAF Chinook in 1989.
The MoD says the civil Air Accidents Investigation Branch supervised all Fadec-related inquiries. However Tony Cable, the branch's chief investigator, told a Fatal Accident Inquiry in Scotland in 1996 that he could not answer many of the inquiry's questions on Fadec because he did not have a detailed knowledge. He had not carried out independent checks on the integrity of the Fadec software, and none were carried out. This was because the system was "far too specialised for that", he said.
The MoD has also said, before the Commons defence select committee and the Public Accounts Committee (PAC), that the engines were working normally. But in a separate document, the MoD has said the "rotor and engine indications found by the technical investigation had a caveat that whilst the indications provided some evidence they were not highly positive".
The leaked notices make it clear that the erroneous signal problem can affect safety; and that a potentially serious engine problem may not be detected by the Decu's fault logic.
The air publication notice says of the erroneous signal to the Decu that a modification is needed to "reduce significantly the possibility of a flight safety hazard".
But ministers and officials have argued repeatedly that a Fadec-related problem is never life-threatening because the Chinook will land safely without engines.
Committee
In statements to the defence committee and the PAC, the MoD said each Fadec has a main and reversionary channel and the possibility of failure on both Fadec systems was "infinitesimal". It told the PAC that "should the reversionary system fail the affected engine will still be supplied with a constant fuel supply".
Last year, when the PAC's chairman David Davis asked whether Fadec was a safe system, the MoD's permanent under-secretary Kevin Tebbit replied, "There has not been one problem with the UK fleet and it has now been flown for something like 119,000 hours."
Tebbit also said the defence committee had found "no Fadec safety-related problems either".
In 1998 armed forces minister John Reid said of Fadec: "What we have is not a system that anybody has said is not safe. That is the first thing. Not even Boscombe Down [the MoD's adviser on airworthiness and aircraft IT issues] says it is not safe."
The MoD told the PAC last year that "all incidents record fault codes with the Decu". This appears to contradict the US Army notice which says air line problems may not be detected by Decu.
The second MoD air publication document raises questions about whether the MoD has misled Parliament over system upgrades to Fadec. An upgrade was introduced in late 1994 - several months after the crash on the Mull of Kintyre - to address nine software anomalies.
In a Parliamentary reply by armed forces minister John Spellar to MP Desmond Swayne in August 1999, the MoD listed all nine changes, dubbed Block One, without mentioning specifically that two of them addressed sudden engine surges and engine shutdown when the Fadec system was in reversionary or back-up mode.
Part of the hydro-mechanical assembly on the crashed Chinook's Fadec system was found in reversionary mode, though investigators said this was a result of the impact.
Neither of the air publication notices were known about until they were leaked to Computer Weekly. The ministry has repeatedly stated that it has withheld nothing and is being open about all matters related to the Fadec and the Chinook Mk2.
Contradictions in the MoD's case
How a faulty signal could wrong-foot the Chinook software
The Chinook's Full Authority Digital Engine Control (Fadec) system comprises a hydro-mechanical unit and Digital Engine Control Unit computer system based on Intel processors. The Fadec's main job is to regulate, without pilot command, the flow of fuel to the Chinook's two jet engines. It should also detect and pre-empt serious engine-related problems. There is no evidence that the Fadec caused the Chinook crash but problems with the system cannot be ruled out.
28 Feb 2001