“Don’t blame operators for lack of evidence”. Below is an editorial we published in 2002 which explains Computer Weekly’s interest in the crash of Chinook ZD576 on the Mull of Kintyre in June 1994.
The evidence from manufacturers after a major incident should not be regarded, in itself, as infallible.
What if a design error in a software-controlled train sparked a complex sequence of events that caused a fatal crash? What if dozens of people were killed in a fire in a tunnel because software-controlled sprinklers failed? What if a major failure of mission-critical distribution or financial systems caused a company to lose many of its customers, or it was unable to invoice them accurately and lost millions as a result?
The chances are that if an obscure design fault in software caused any of these incidents, we would never know. This is because when software fails – or it contains coding or design flaws and these defects cause a major incident – it may prove impossible to identify any software-related deficiency.
Only the manufacturer will understand its system well enough to identify any flaws in its design, coding or testing. Yet no manufacturer can be expected to implicate itself in a major software-related disaster. So, if software kills many people, or damages a business, it is possible that the exact cause of the incident will never be known.
This is especially likely to be the case if the software has failed in no obvious way, as when a coding error has set off a chain of complex events that cannot be replicated after a disaster.
But after a major incident, convention dictates that someone must be blamed. Step forward the vulnerable equipment operators: the pilots, keyboard clerks or train drivers. In a business disaster, the sacrificial lambs would be middle-ranking managers, IT executives, or anyone who cannot prove their innocence.
It should be remembered that a manufacturer, in proving its equipment was not at fault after a major incident, may have large resources at its disposal. It may also have the goodwill of the customer: the chief executive of a company hit by a disaster will not want to take the blame. So the supplier and the chief executive may rely on each other to point the finger of blame at someone else. Step forward once more the vulnerable operators or managers.
Individuals may have minimal resources to defend themselves in any incident investigation: no access to the manufacturer’s commercially-sensitive information, none of the manufacturer’s knowledge of how the systems work, and little money for expert reports and advice.
Therefore, the weakest link after a disaster will always be the operators or their managers, especially if, in the case of a fatal accident, they did not survive.
That is why the loss of Chinook ZD576 is so much more than a helicopter crash. To accept the verdict against the pilots is to accept that it is reasonable to blame the operators if the cause of a disaster is not known.
The loss of Chinook ZD576, with its four crew and 25 VIP passengers, was a notorious and flagrant injustice. The pilots were blamed, not because anyone had any specific, certain knowledge of their failings, but because human error seemed to be the cause in the absence of any other explanation. The chief investigator of the crash, Tony Cable of the Air Accidents Investigation Branch, told the Lords select committee on 7 November 2001, “Throughout this investigation the evidence was remarkably thin, from my point of view, I must say.”
There were no survivors, the helicopter was not equipped with a cockpit voice recorder or an accident data recorder, there were no eye-witnesses to the crash, and the aircraft was almost destroyed in a post-impact fire.
Reliable evidence was too scant to reach any firm conclusion on what happened during the final moments of flight; so every plausible explanation of the cause of the accident can be no more than speculation.
Pilot negligence was a tidy conclusion; and it cannot be ruled out as a cause of the accident. But neither can technical malfunction. The dearth of hard information from the wreckage contrasts sharply with the density of pre-crash evidence of potentially serious problems with the aircraft’s safety-critical Fadec engine control software.
In the case of the crash of ZD576 the injustice of the finding of negligence is particularly disappointing because of RAF rules at the time of the accident. These stated that deceased pilots could be found negligent only if there was “absolutely no doubt whatsoever”.
Such a high standard of proof recognised that, if there was a dearth of evidence after a fatal accident, it would be only too easy to blame the pilots. Yet for ZD576’s pilots, the RAF’s rules have, it seems, provided no protection at all.
Since the crash there have been seven separate, independent investigations into the finding of negligence: an RAF Board of Inquiry’s three-officer investigation team; a Scottish sheriff Stephen Young; members of the Flight Operations Group of the Royal Aeronautical Society; the Lord Advocate; the Commons Public Accounts Committee; the Lords select committee and Boeing. None of these investigations reached a definite conclusion on the cause of the crash.
Therefore we do not believe that the principle – indeed the precedent set by the verdict of gross negligence – should be allowed to stand. It is not right to blame the operators when there is no better explanation for a major fatal incident.
Raf Justice – Computer Weekly’s 140-page report on the problems with software on the type of helicopter which crashed on the Mull of Kintyre.
Website of a tireless campaigner for the finding of negligence against the pilots of ZD576 to be set aside.