Chinook Mk2's safety-critical backup system was faulty

Software supplier EDS found so many anomalies in fuel-control software on the Chinook Mk2 helicopter that it became concerned that the Ministry of Defence and RAF would ignore the potential importance of each flaw because of the high volume of errors, a confidential report reveals.

Software supplier EDS found so many anomalies in fuel-control software on the Chinook Mk2 helicopter that it became concerned that the Ministry of Defence and RAF would ignore the potential importance of each flaw because of the high volume of errors, a confidential report reveals.

Despite EDS's concerns - and a recommendation by the MoD's IT and aviation experts at Boscombe Down that the poorly-designed Fadec fuel control software should be rewritten - the unmodified software was fitted to the Chinook helicopter type that crashed on the Mull of Kintyre in June 1994.

The two dead pilots of Chinook ZD576 were blamed for the crash, which killed all on board, including 25 senior police and intelligence officers. Three fellows of the Royal Aeronautical Society say that the MoD, by continuing to blame the pilots for the crash, are conveniently covering over defects in the Chinook Mk2 which made the helicopter unsafe to fly.

First-time publication of EDS report on Chinook software

Computer Weekly has, for the first time, published details the Fadec software anomalies found by EDS when it examined the code under a contract let by the MoD.

EDS said the effect of a "large number of category 1 and 2 anomalies" - which totalled 249 - could deflect the RAF and MoD from fully grasping their impact.

"On well written and documented code with few significant anomalies, each category one or two anomaly is viewed seriously and causes some concern," EDS said in its report.

"Hundreds of anomalies"

"When there are hundreds of such anomalies the threshold of what is acceptable tends to be diminished by the presence of so many anomalies due to poor programming style and inadequate documentation," said the EDS report.

When EDS raised queries about category one and two anomalies with Hawker Siddeley, which later became part of BAe, the supplier gave "adequate" answers which implied no need for any modifications to the code.

And when EDS had concerns that the safety of the Fadec might have been compromised by the anomalies, Hawker Siddeley has "provided more thorough answers", said EDS.

EDS dissatisfied with some responses of Chinook software's authors

But EDS also disclosed in its report that it was dissatisfied with some of Hawker Siddeley's responses. This was because Hawker Siddeley's replies always implied there was no need to modify the code or documentation.

Was the Chinook Mk2 airworthy?

EDS's findings raises questions about why the Chinook Mk2 was put into operational service without a re-write of the software. The MoD's IT and engineering specialists at Boscombe Down, and at Whitehall, had warned the MoD and the RAF against allowing pilots to fly the Chinook Mk2. They refused to endorse the airworthiness of the Mk2.

The MoD overruled the and the Chinook Mk2 went into service without a software rewrite. The aircraft had several Fadec-related incidents in the weeks before the crash of Chinook ZD576 on 2 June 1994. It was one of the RAF's worst peacetime accidents.

Software not a factor in crash says air chief marshal

Last month a senior MoD officer dismissed faulty software as a possible factor in the crash.

Air Chief Marshal Stephen Dalton issued his statement in response to media articles on an internal MoD report which said there was a "positively dangerous" flaw in the Chinook Mk2's Fadec system.

Dalton said the computer software issues were well known at the time of the accident and were factored into operating instructions.

He claimed that the two pilots of Chinook ZD576, Flight Lieutenants Richard Cook and Jonathan Tapper, "consciously breached their operating rules, thereby knowingly placing their aircraft, passengers, crew and themselves at risk".

He added that "this was the basis for the gross negligence finding" against the pilots.

Be wary of flying the Chinook, said MoD memo on the day of Mull crash

But on the day of the crash on the Mull of Kintyre - 2 June 1994 - an internal MoD letter said that recommendations over the Chinook's Fadec engine control software have "been ignored" and that air crews would be at risk if they continued to fly the helicopter.

Chinook software faults leave no trace in the system

The letter urged "in the strongest possible terms" an end to operational flights of the Chinook until corrective action was taken. The letter said that the official explanation of "no fault found" after Fadec system problems occurred "will no longer suffice".

A particular weakness of the Chinook Mk2 Fadec at the time of the crash on the Mull was its backup software.

Fadec's 16,254 lines of software code were split into two parts: a primary lane and a backup lane which was known as the "reversionary" lane. If the system detected a fault with its primary software lane, it would "revert" to the backup reversionary lane.

Faults in the Chinook Mk2's backup software caused engine-related incidents

Pilots could also switch the Fadec system from primary to the backup lane to check it was working properly.

But twice in the months before the crash on the Mull, Chinook pilots reported an engine cutting out unexpectedly when the Fadec went into backup mode.

In a third incident, Chinook engines surged rapidly when pilots switched the Fadec to backup during pre-flight checks. The incident damaged the helicopter.

In all three incidents, the Fadec had failed to self-diagnose any fault.

Don't switch to backup system, Chinook pilots told

To overcome the Fadec-related problems, the RAF told Mk2 Chinook pilots not to switch to backup during flight - but this deprived them of any reliable use of the Fadec should the primary software fail to correctly regulate the flow of fuel to Chinook's two jet engines.

EDS's evaluation of the Fadec found about 80 anomalies in the Fadec's backup lane and about 240 in the primary lane.

A further 150 anomalies were found with documentation "traceability". With safety-critical software, documentation is usually considered as important as the code.

Software was corrected - but only after Chinook crash on the Mull

In late 1993 and early 1994, the Chinook Mk2 went into operational service. It was only after the crash of Chinook ZD576 that the software underwent a major modification, at the expense of the engine contractor Allied Signal.

The MoD told the Public Accounts Committee in May 2000 that its IT experts at Boscombe Down were on hand to give advice only, and not to play any part in airworthiness decisions. "Boscombe Down have no executive role in making airworthiness decisions. Their job is to provide advice," said the MoD in a memo to the committee which studied the possible role of Fadec in the Mull crash.

Public accounts MPs accused MoD of "unwarrantable arrogance" for continuing to blame crash on dead pilots

The committee found that the blaming of the pilots for the crash of ZD576 amounted to a "major miscarriage of natural justice" for which the Ministry of Defence should apologise. The report accused the MoD of "unwarrantable arrogance" for continuing to blame the pilots.

The committee said there were "clear grounds for doubt" over the cause of the accident. "These relate primarily to the Fadec, although there were also problems with the mechanical system". The committee's report added: "At the time of the crash the Chinook Mark 2 was experiencing repeated and unexplained technical difficulties caused by the Fadec software. The technical data recovered from the wreckage was incomplete and does not, we believe, conclusively rule out a technical malfunction as a potential cause of the crash".

EDS report on "dangerous" Chinook software published for the first time

The MoD maintains that the Fadec could not have played any part in the accident, and backs its stance by quoting selectively from a technical analysis of the wreckage by the Air Accidents Investigation Branch.

What was the "positively dangerous" flaw in safety-critical Chinook system?

Chinook Mk2 - we publish new evidence of computer problems

Read more on IT risk management

CIO
Security
Networking
Data Center
Data Management
Close