Senior airmen question safety of Chinook software

Three fellows of the Royal Aeronautical Society have questioned whether the Chinook Mk2, of the type which crashed on the Mull of Kintyre in 1994, was airworthy.

Three fellows of the Royal Aeronautical Society have questioned whether the Chinook Mk2, of the type which crashed on the Mull of Kintyre in 1994, was airworthy.

They question the RAF's decision to clear the helicopter as safe to fly in the face of "world-leading, expert advice that the fuel computer software implementation was "positively dangerous".

In a letter to Computer Weekly, the three fellows say that senior RAF officers disregarded advice on the software given by Ministry of Defence IT experts at Boscombe Down in Hampshire.

Boscombe Down's advice was that the Chinook's safety-critical Fadec engine control be rewritten, without which the software could not be considered safe.

But no software rewrite came before the crash of Chinook ZD576 - a Mk2 - on the Mull of Kintyre in Scotland on 2 June 1994. The crash killed all 29 on board, including 25 senior police and intelligence officers.

The Fadec system was modified substantially after the crash.

A Boscombe Down memo written on 30 September 1993 - less than two months before RAF officers signed off the Chinook Mk2 as airworthy - said the Mk2's Fadec had a flaw that was "positively dangerous" and that the system's software "falls significantly short of the standard required and expected for a safety-critical system".

After the RAF cleared the Chinook Mk2 for flight, its pilots grappled with serious engine problems that were later discovered to have been caused by Fadec-related faults.

An RAF Board of Inquiry set up at the crash on the Mull of Kintyre was unable to discover why the accident happened, but did not rule out engine control problems as a possible factor.

The controls of the pilots suggested that they were seeking full power from the engines. But the engines were found to be delivering only moderate power at the point of impact.

Despite the uncertainties over the cause of the crash, the RAF blamed the two pilots Flight Lieutenants Rick Cook and Jonathan Tapper. The RAF's decision to blame the pilots was supported last week by the Air Chief Marshal Stephen Dalton.

Dalton was in turn backed last week by two former air chief marshals, Michael Graydon and Michael Alcock, who wrote to the Daily Telegraph saying that any Fadec matters were irrelevant. They said the pilots had been grossly negligent.

Now the three fellows of the Royal Aeronautical Society question why the Fadec software problems were not corrected before the Chinook Mk2 was cleared as airworthy.

The three fellows are Ralph Kohn, a retired airline pilot, Ron Macdonald, a retired Air Canada pilot and qualified aircraft accident investigator, and Richard Hadlow, a retired RAF squadron leader and support helicopter squadron commander.

Their letter is below:

We are pleased Air Chief Marshall Stephen Dalton chose to reply to the recent BBC coverage of the "positively dangerous" software implementation in the Chinook fuel computers in The Guardian, letters, 6th January 2010 and The Times (7 Jan 2010) as it gives us the opportunity to respond. This letter also replies to ACM Graydon's letter to The Daily Telegraph (7 Jan 2010) and is complementary to our last letter to The Minister for Defence, as copied to ACM Dalton.

ACM Dalton makes three main claims and admissions.

1. The "positively dangerous" status of the software was well known at the time. That being so, perhaps MoD would care to say what corrective action was taken and why, given this was safety critical software, was it not corrected before the Assistant Chief of Air Staff signed the Release to Service in November 1993? Such failures in the MoD's safety management system have been noted before, most recently by Mr Charles Haddon-Cave, QC in his coruscating condemnation of MoD's "systemic failings".

2. That the above status was "factored into the operating instructions". These instructions are, primarily, the Aircrew Manual (from which the aircrews derive their understanding of the aircraft) and the Flight reference Cards (used by the aircrews in flight to operate the aircraft). Successive inquiries, including the MoD's own Board of Inquiry, heard irrefutable evidence of the immaturity of these documents. Indeed, the evidence of one Chinook Flight Commander at the time described them as "incomprehensible to aircrew operating the aircraft". That is, they were not fit for purpose, a failing that endangered both aircrew and their passengers. Again, why did Assistant Chief of the Air Staff (ACAS) sign the Release to Service (RTS) given such a fundamental breach of the airworthiness regulations?

3. That the "positively dangerous" software issue was discounted following the Air Accident Investigation Branch (AAIB) investigation. This is quite wrong. A simple search of the AAIB report shows no mention of "positively dangerous", or even the word "software". However, it does state, clearly, that the (fuel computer) "operating program" was "not altered from delivery". That is, it remained in the "positively dangerous" state advised by MoD's own experts at Boscombe Down. In fact, Boscombe Down's opinion had hardened, as they grounded their own aircraft shortly before the crash.

We submit that the aircraft was demonstrably not airworthy. ACM Dalton's letter, far from protecting the MoD's position, actually admits they knew of the problems and adds weight to our submission.

It is now time for the MoD to say why this decision was made - their own regulations demand such a record be kept. Who, we ask, would sign to say an aircraft was safe in the face of world-leading, expert advice that the fuel computer software implementation was "positively dangerous"?

And, perhaps more to the point, why would they do this before taking corrective action?

Captain Ralph KOHN FRAeS

Retired Airline pilot and Regulatory Authority inspector (Ret) - Compiler of the Macdonald report (April 2000)

Captain Ron MACDONALD FRAeS - Retired Air Canada pilot &. Qualified aircraft accident investigator

Richard K J HADLOW FRAeS - Retired RAF Squadron Leader & Support Helicopter squadron commander (with 20 years service) & Retired Airline pilot.

Read more on IT risk management

CIO
Security
Networking
Data Center
Data Management
Close