This month [2 June 2007] marks the anniversary of a notorious crash of a Chinook helicopter on the Mull of Kintyre in Scotland in 1994 – a crash that had many possible causes, including faulty software design, but for which the two dead pilots were blamed.
It’s one of the most grievous miscarriages of justice in memory.
Shortly Computer Weekly and this blog will report on the disclosures by a former senior RAF officer who has never given a media interview.
Two air marshals found that Flight Lieutenants Rick Cook and Jonathan Tapper were grossly negligent by crashing Chinook ZD 576, killing all 29 on board including four crew and 25 passengers, who were mostly intelligence and Special Branch officers.
Thirteen years after the crash there are still discussions about it on the Professional Pilots Rumour Network – 137 pages of it. That this thread is still active – the latest posts are dated this month – is due largely to a particularly dogged campaigner, Brian Dixon.
Computer Weekly, other newspapers and broadcasters, particularly Channel Four News, have also campaigned against the verdict, as have the families of the dead pilots, prominent MPs and peers, and many others including many professional pilots. Computer Weekly received more than 400 emails in support of the campaign to overturn the finding against the pilots.
Even the Public Accounts Committee called for the reputation of Cook and Tapper to be reinstated. It looked into the crash as part of its investigation into the value for money of the Chinook Mk2. One of its conclusions was:
“At entry to Service and the time of the crash of ZD 576 the Chinook Mark 2 fleet was experiencing widespread and repeated faults caused by the Full Authority Digital Engine Control software”.
But why is Computer Weekly still concerned about a helicopter crash 13 years ago?
The RAF’s Board of Inquiry found that problems with the Chinook Mk2’s new and unreliable Full Authority Digital Engine Control [FADEC] system – in which control over the throttle was given to software – could have been a factor in the crash.
Two air marshals accepted the case put by Boeing, the aircraft’s manufacturer, and separate evidence from the suppliers of the engine control software, that there was no evidence of any serious technical malfunction.
The Ministry of Defence assumed that the aircraft’s two FADEC systems, one for each jet engine, were performing to specification – and that the specification was itself sound – largely because the manufacturers said so; and the MoD relied on the reports of manufacturers to draw up a case against the pilots of ZD 576.
Perhaps the manufacturers were right. Perhaps they were not. But the Ministry of Defence told a Scottish inquiry into the accident that evidence provided by the manufacturers was “hard fact”.
When safety-critical software in an aircraft fails, or the plane’s software contains coding or design flaws, and these defects contribute to or cause a major incident, there may be no discernible trace of a software-related deficiency.
Besides, only the manufacturer may understand its system well enough to identify any flaws in its design, coding or testing.
Yet no commercial manufacturer can be expected to implicate itself in a major software-related disaster. So, if software kills or maims people, it is possible and even highly likely that the exact cause of the incident will never be known.
This is especially likely to be the case if the software has failed in no obvious way, as when a coding error has set off a chain of complex events that cannot be replicated after a disaster.
Convention dictates that someone must be blamed for a major accident, perhaps pilots, keyboard clerks or train drivers. In business, the sacrificial lambs could be middle-ranking managers, IT managers, or anyone who cannot prove their innocence.
It should be remembered that manufacturers, in proving their equipment was not at fault after a major incident, may have large resources at their disposal. They may also have the goodwill of the customer, in this case the Ministry of Defence.
Individuals may have minimal resources to defend themselves in any incident investigation: no access to the manufacturer’s commercially sensitive information, none of the manufacturer’s knowledge of how the systems work, and little money for expert reports and advice.
Therefore, the weakest link after a disaster, particularly a major fatal accident, will always be the operators or their managers – especially if they are dead.
That is why the loss of Chinook ZD 576 is so much more than a helicopter crash. To accept the verdict against the pilots is to accept that it is reasonable to blame the operators if the cause of a disaster is not known.
The chief investigator of the crash of ZD 576, Tony Cable of the Air Accidents Investigation Branch, told a House of Lords select committee on 7 November 2001: “Throughout this investigation the evidence was remarkably thin, from my point of view, I must say”.
There were no survivors; the helicopter was not equipped with a cockpit voice recorder or an accident data recorder; there were no eyewitnesses to the crash, and the aircraft was almost destroyed in a post-impact fire.
Since the crash there have been several separate, independent investigations: by an RAF Board of Inquiry’s three-officer investigative team, a Scottish Sheriff Sir Stephen Young, members of the Flight Operations Group of the Royal Aeronautical Society, the Lord Advocate, the Public Accounts Committee and a House of Lords Select Committee.
None of these investigations reached a definite conclusion on the cause of the crash. The only finding that stands, however, is the one by two air marshals.
That the accident happened 13 years ago makes the stigmatising of the reputation of the dead pilots no less of an injustice. It’s a subject we’ll be revisiting shortly.