Key parts of today's report by MPs on £7bn DII project

This is a summary of some of the most important parts of a hard-hitting report by the Public Accounts Committee on the Windows-based £7bn Defence Information Infrastructure [DII]  project 

The DII is not a failure. Given its complexity and over-ambitious timetable it’s surprising more hasn’t gone wrong; and parts of it have gone well: the MoD has a strong relationship, for example, with EDS which leads the Atlas consortium, the main DII contractor.

Still, progress has fallen well short of expectations and in the first three years of the programme the MoD spent more than 90% of the original budgeted costs of the first stage but received fewer than 50% of the terminals and software it had expected. Core software such as word processing, email, internet access and security should all have been available in June 2006, but less than half of the requirement had been delivered two years later in June 2008. The report criticises the MoD and Atlas for “severe underperformance”.

From the report [my sub-headings]:

Did the MoD mislead Parliament in 2006 by understating DII’s full costs?

“The Department originally forecast that the Programme would cost £5.8bn …This cost is greater than the £2.3bn that the Department had previously reported to Parliament. The Department stated that it had provided Parliament with the value of the contract that had been awarded to ATLAS at the time, which is its usual practice, but subsequently acknowledged that this could have been explained more fully.  The Department now estimates that the cost of delivering the DII Programme will be £7.09bn …

Who are DII’s contractors?

The ATLAS consortium which won the DII contract in 2005 is led by EDS. Its partners are Fujitsu, EADS, General Dynamics and LogicaCMG.

What is DII?

“The main part of DII is a 10 year contract with the ATLAS consortium, which began in March 2005. It is one of the largest IT programmes ever undertaken in the United Kingdom and, if completed, will deliver 150,000 computer terminals to 300,000 users at more than 2,000 defence sites, including on Royal Navy ships and in deployed operations. The infrastructure will be able to handle material classified as Restricted, Secret and Top Secret. The parts of DII already on contract are currently estimated to cost £4.9bn by 2015 … The total cost of the full programme, if the Department goes ahead with all of the work originally planned, would be some £7.1bn.

Delays have led to roll-out plans being changed repeatedly

“To date, the Programme has suffered from major delays. Although the first 62,800 terminals should have been installed at United Kingdom defence sites no later than July 2007, only 45,600 were in place by the end of September 2008… The Department revised its schedules again in September 2008 and it now plans to reach the target of 62,800 terminals installed and working by the end of January 2009, eighteen months later than originally intended… The DII Programme’s record of sustaining a reasonable rollout rate for longer than a few months is not good.

Delays also mean upgrading legacy IT which adds to costs

“The greatest risk is posed by the many legacy computer systems still in use…Most of the legacy systems remain robust at present, but the Department is aware that some will not be able to operate for much longer without requiring major upgrade work. ..delays to the Programme have required the Department to spend money on short-term fixes such as purchasing additional terminals on legacy systems, to avoid jeopardising dependent change programmes, most notably the Joint Personnel Administration project… More generally, any additional delay to the implementation of DII will further inconvenience the Department’s employees, many of whom have already faced disruption getting their site ready to receive the new system only to have the installation date postponed.

Many first-year users of DII were dissatisfied

“At least 40% of users declared themselves dissatisfied with DII in the first user satisfaction survey carried out at the beginning of 2008. The DII Programme will only be successful if users are trained and willing to exploit the benefits of the new system.

MoD partnership with EDS-led Atlas consortium is a “model” says MoD

“We questioned the Department on their choice of contractors given the poor track record of EDS in delivering Government IT projects, such as the IT system for the Child Support Agency. The Department told us that the contract for DII was won by ATLAS in open competition. Although there have been problems on the Programme which required hard work with ATLAS, the Department felt that its partnership with the consortium has been something of a model and, while it could not comment on the projects of other government departments, its experience of working with EDS did not bear out the description of poor performance on other projects.

What went wrong?

1) An underestimation of complexity – a fixed rollout methodology proved too inflexible

“The two causes of …severe underperformance were the DII Programme’s failure to understand the condition of the buildings into which DII would be installed, and the subsequent selection of an unsuitable, rigid implementation methodology.

“The DII Programme started in 2005 with a totally inadequate understanding of the condition of the Department’s land and buildings. Preparatory work, which had been good in many other respects, was lacking in this area and the DII Programme team did not consult Defence Estates in planning the DII implementation. Instead, it took for granted that up-to-date site plans and statutory Health and Safety documentation, including asbestos and power supply surveys, would be in place.

“The DII Programme’s mistaken assumption about the condition of buildings was a crucial factor in its acceptance of an inappropriate method for installing DII terminals, the Fixed Rollout Methodology. This process assumed that a generic approach, operated to a strict 38-week timetable, would be suitable for implementing DII at all sites, whatever their size or condition.

“The methodology was proposed by the ATLAS consortium, which told the Department that it had worked in other organisations of a similar size, such as the Department for Work and Pensions and the Royal Bank of Scotland. The Department now admits that the defence environment is more complex than that of these organisations.

“When the DII Programme attempted to begin implementation during 2005, it quickly began to unearth problems, such as asbestos, at many sites. These issues took much longer to resolve than the 38-week timetable could tolerate, but the lack of active project management–supposedly one of the advantages of the Fixed Rollout Methodology– meant that a flexible response was impossible.

“Sometimes, a single manager would be responsible for the implementation of DII terminals at up to 30 different sites.In many places, this resulted in sub-contractors attempting to do work at sites in line with a timetable that was no longer realisable. It was only at the beginning of 2007, almost two years after the start of the Programme, that a more sensible rollout methodology was adopted.

2) No proper pilot – a perverse decision to cut a run-in period

“Many of these problems [arising from the state of buildings] could have been identified before they had such serious consequences had the DII Programme set aside time and resources to conduct a proper pilot.

“Instead, when contract negotiations lasted longer than intended, the Department and its contractor took the perverse decision to cut a three-month start-up period from the schedule. Conversely, when the Programme did conduct proper piloting and testing before letting the contract to design a deployable version of DII in 2007, it found that this enabled it to reduce risks and increase the robustness of its plans.

“DII, like many other major IT projects in Government, is inherently complex, because of its size and ambitious requirements. Some of the Department’s preparatory work for this Programme had successfully reduced complexity, in particular, by not making DII responsible for the development of new software applications as well as infrastructure.

“Nonetheless, a number of other application projects that were ongoing within the Department made heavy demands on DII. The Joint Personnel Administration programme, in particular, required DII rollout schedules to be made more challenging so that its own timetable could be met.

“Even after the problems with implementation occurred, the DII Programme continued throughout 2006 to expend significant resources on short-term measures to protect the Joint Personnel Administration programme, which diverted the team’s attention from addressing its own systemic problems.

3) Complexity of software underestimated – the number of design defects “unacceptably high”

“The Department’s requirement for core software has changed very little since the contract was signed but the Programme has failed to deliver much of it. Whereas all software was to have been provided in two instalments, known as Releases, by June 2006, less than half had been delivered by June 2008.  Only in recent months has the Programme tested a version of the core software that will allow DII users to view Secret material. …

“The Department told us that the slow pace of core software design has been primarily caused by the ATLAS consortium’s inability to meet its requirements …ATLAS underestimated the complexity of the software it had agreed to create and could not muster the resources to run multiple streams of software design work concurrently.

“When ATLAS did present designs, they were often not in a fit state to be signed off, forcing the Department to decide whether to wait for new designs and delay the Programme, or to proceed at risk. During the first two years of the Programme, the number of defects found in ATLAS’ designs was unacceptably high.

“The Department increased the level of scrutiny it applied to ATLAS’ work, and it was only when the quality of designs improved in 2008 that the level of the Department’s quality assurance work reduced. The problems were most acute in the area of security, where ATLAS was incapable of delivering a system that could safely handle Secret material for over two years. The Department found it hard to get ATLAS to address the problems arising from its underestimation of the complexity of the Programme.

Some of the risks remaining

“Software delays could cause problems on the DII Programme in future. A large proportion of the software capability the Department requires is still to be delivered …

“The full benefits of DII, already postponed at most sites, will not be realised if users do not get access to this software. The Department’s intention is also to design a version of DII that can handle Top Secret material, but this will be even more challenging to deliver than previous security features. If ATLAS does not deliver, the Department has the right to oblige the consortium to bring in other resources to complete the work.

Data security and DII

“The Department currently has an undesirable record on data security when it should be amongst the best in Government … Increasing the security of the Department’s IT systems and the data that resides on them has never been of greater importance, following high-profile incidents of data loss. The Department estimates that, between 1 April 2004 and 31 March 2008, 747 of its laptops and 121 memory sticks have gone missing or been stolen. Since the start of this financial year, a further seven breaches have occurred, which together amount to the loss of the personal details of at least 1.7 million people… 

“A key goal of the DII system is to enhance the Department’s data security, both by making all data safer through measures like encryption, and by providing more stringent protection for highly classified material.

“Thus, the long delays in implementing the Programme can only have contributed to the Department’s difficulties: most laptops that run on legacy systems were not encrypted until the major incidents of data loss came to light in 2008. The recent testing of a version of DII that can handle Secret material is a step forward, but the Department acknowledges that better hardware and software will only lead to data being better protected if personnel are provided with the training and incentives to use it correctly.”

On the MoD’s data loses Conservative MP Richard Bacon, a member of the Public Accounts Committee, said:

“Recruitment data seems to be handled with an extraordinary lack of care.  Data on recruits has been lost on at least 6 occasions in less than 5 years, including on four occasions from cars outside private residences.  In this latest incident, a portable hard disk containing data on 1.7 million recruits and potential recruits was lost from EDS at Hook in Hampshire.  The MoD state that their police force are now investigating this incident but it would be much better not to lose the data in the first place.

“Another incident involved the theft of a laptop from the Army Foundation College in Harrogate which had been used for making local passes for junior soldiers.  This is a very worrying breach of security.

“On two occasions, in February 2008 and May 2008, laptops or memory sticks containing Army personnel data were lost in night clubs.  The MoD needs to explain why some of its staff think it is appropriate for information on serving soldiers to be loaded on to privately-owned laptops or memory sticks and then taken into nightclubs.

“If the MoD had managed to lose the personal details of military top brass, senior civil servants or ministers, then it is unlikely that its ‘Lose data? Find it later’ attitude would have persisted for so long.

 “Between 1 April 2004 and 31 March 2008, the Ministry of Defence managed to lose 747 laptops. That is equivalent to three laptops lost each week, every week, for four years.”


New Labour’s unlucky 13 IT Projects – IT Projects blog

Report of the Public Accounts Committee on the DII – 1.4MB

MoD hid true costs of DII – Computer Weekly

DII could cost £7bn – IT Projects blog

Computers too modern for ramshackle military bases – MP Richard Bacon 

DII hits major problems – Computer Weekly

Informed comment on DII – by Major General (ret) Bill Robins, an Associate Fellow of RUSI, the Royal United Services Institute 

MoD system an “unmitigated disaster” – Channel 4 News

DII – Army Rumour Service

MoD defends DII  – Kable

DII – Army website  

National Audit Office report on DII – 2008

DII – Vega website

“Badly-planned” MoD project led to major delays – Computer Weekly   

2008 a bad year for MoD data