RAF Justice: casting doubt on pilot error

Some IT specialists say that one of the most obvious signs of an impending computer disaster is a determined resistance of the project team to an independent inquiry.

So can any significance be attached to the Ministry of Defence's (MoD) determined resistance to all calls for an independent inquiry over the decision to find two pilots grossly negligent for the notorious fatal crash of a Chinook helicopter on the Mull of Kintyre in Scotland in 1994?

In this case, there is no question of impending disaster. That has already happened. Twenty nine people were killed in the RAF's worst peacetime accident. The dead included 25 top intelligence officers, Special Forces pilots flight lieutenants Jonathan Tapper and Richard Cook and two other crew.

A three-man RAF Board of Inquiry found that the pilots may have chosen an inappropriate rate of climb to overfly the Mull but there was insufficient evidence to blame them. It found that there had been a number of "unforeseen malfunctions mainly associated with the engine control system [Fadec] including undemanded engine shut down, engine run-up and spurious engine failure captions [warnings]".

It added that there was no evidence that these malfunctions had occurred on the final flight of Chinook ZD576. "Nevertheless an unforeseen technical malfunction of the type which would not necessarily have left any physical evidence remained a possibility and could not be discounted," the board's report said.

Gross negligence

However, two air senior marshals reviewed the board's inconclusive report and pronounced that both the pilots were guilty of gross negligence. Their view was that as no firm evidence of technical malfunction was found to have caused the crash, the pilots must have been to blame.

Since then, however, it has emerged that the MoD did not tell the RAF Board of Inquiry of the seriousness of the problems involving Fadec.

For example, it did not say that at the time of the crash it was involved in arbitration proceedings against Fadec's manufacturer Textron Lycoming. It did not say that in those proceedings it was accusing Textron and its sub-contractors of having badly designed Fadec and not meeting international standards. It also failed to tell the RAF Board of Inquiry that Fadec was capable of causing Chinook pilots to lose control of the engines and rotor speed - and that this had happened in an accident in 1989.

As the sixth anniversary of the crash approaches, a call for an independent inquiry has come from Sir Malcolm Rifkind, secretary of state for defence at the time of the accident. Rifkind has reviewed new evidence and says he does not believe it is possible today to say with certainty that the pilots were to blame.

Despite this, the MoD position is that there is no new "relevant" evidence that causes it to doubt the original verdict, and privately it has told MPs that it would instinctively rather blame the equipment than its own pilots.

But does this claim stand up to scrutiny?

From the MoD's perspective what does it have to gain and lose by blaming the equipment or the pilots?

On this page and the next, Computer Weekly has examined the pros and cons.

Blaming the equipment: advantages

If the RAF and MoD were able to blame conclusively the Chinook's equipment, this would provide a definite cause of a highly controversial disaster. And blaming the equipment rather than pilots would have, if not a positive effect on morale among aircrew, no negative effect.

It would also show that the MoD and the RAF were willing to defend the reputation of two pilots who, being dead, could not defend themselves.

At the same time it would show that the MoD was willing to risk a serious disagreement with major international companies - suppliers with whom the RAF and MoD spend tens of millions of pounds every year and with whom a working relationship is vital to the smooth running of operations and logistics support.

It would also explode the myth that the RAF blames aircraft manufacturers after non fatal accidents, but is not inclined to criticise manufacturers after fatal accidents where the legal ramifications are almost unquantifiable.

In neither of the two previous fatal Chinook accidents were the pilots completely exonerated.

Blaming the equipment: disadvantages

To find that an engine surge caused by the Chinook's Fadec fuel control system caused the RAF's worst peacetime accident would be to say, in effect, that all those who it overruled when it put the aircraft into operational service were right after all.

These include the RAF's airworthiness assessors at Boscombe Down who recommended that the Fadec software should be rewritten before the aircraft went into service. Their recommendation was rejected despite an independent report by EDS-Scicon which found hundreds of anomalies in the software.

The RAF may also have to concede that Boscombe Down was right to stop flight trials of the Chinook because of its concerns over Fadec.

Indeed, the RAF would further have to accept that the two pilots who died in the crash were right to express concern about flying the Chinook with the new Fadec installed. In particular, finding fault with the Fadec would raise questions about whether those who had put the aircraft into service, and those who asked flight lieutenants Tapper and Cook to fly the aircraft, should bear some responsibility for the deaths of 29 people.

Another disadvantage of blaming the equipment is that it could put the MoD and RAF on a legal collision course with some of the world's biggest companies. Not being an expert in the design and functioning of Fadec, the MoD could not prove system faults without the co-operation and test facilities of the suppliers.

The problem in the case of the Chinook is compounded by evidence from independent US advisory body the Rand Corporation which found that software may cause unpredictable behaviour on modern aircraft without leaving any trace of its actions.

Blaming the pilots: advantages

There is no concrete evidence that the pilots were not to blame for the Chinook crash. Indeed the investigators' report found no evidence in the wreckage of any technical malfunction capable of causing the crash, apart from a possible radar altimeter error.

Their report can be used, therefore, to justify an unequivocal conclusion that the pilots were to blame. This also provides a definite cause, satisfying the media, MPs and service personnel who have sought an explanation for such a catastrophic accident.

The lack of concrete evidence concerning what happened in the last 20 to 30 seconds of flight means that the decision to blame the pilots cannot be established beyond doubt to be manifestly false.

As no unequivocal evidence in favour or against pilot error exists, new evidence that proves pilot innocence is unlikely to be found.

Also, blaming the pilots does not impugn the reputation of some of the MoD's most important suppliers. And it provides an answer to any questions about whether the RAF should have put the Chinook into service when Fadec had known defects that were described at the RAF Board of Inquiry as "flight-critical".

In addition, blaming the pilots ensures that Boscombe Down has no opportunity to say that it was right to have reservations about Fadec. This is not perhaps a trivial consideration given that senior RAF officials were in dispute with Boscombe Down at the time of the Mull crash over whether Fadec's problems were being exaggerated.

Blaming the pilots also deals effectively with any issues about weaknesses in the technical investigation and what information was not known or shown to the RAF Board of Inquiry and the Fatal Accident Inquiry.

For example, if it is shown that the pilots were to blame, the MoD can say with some justification that it did not tell the Board of Inquiry of a Chinook accident in 1989 that was caused by a faulty Fadec design because this was not relevant to the proceedings. Indeed this is what the MoD has indeed argued.

The mere fact that an aircraft has flown into a hillside and not over or around it is prima facie evidence of incompetence.

On the other hand, any prima facie evidence that software problems might have caused an uncontrollable engine surge (as happened in 1989) will never be so readily available, and may not be available at all.

On a practical level, it makes more sense to risk a confrontation with families of the dead than lawyers of multinational companies.

Blaming the pilots: disadvantages

Although some of the available evidence may suggest pilot error, there is not enough evidence to prove it. Blaming the pilots requires a subjective interpretation of the few facts that exist. Another equally valid but different subjective interpretation of the same small basket of facts could lead to a conclusion that the equipment was to blame.

Without the certainty of evidence from a cockpit voice or flight data recorder the weight accorded to certain facts over others gives rise to the accusation that the pilots can be blamed only if those who judge them use speculation.

At the time of the RAF Board of Inquiry, Queen's Rules dictated that deceased aircrew could be found grossly negligent only in cases where there was absolutely no doubt whatsoever. Finding the pilots grossly negligent without concrete evidence of their ineptitude raises the question of whether the RAF is, for the sake of establishing a definite answer to a highly controversial crash, making a conclusive judgement of pilot negligence on the basis of inconclusive evidence.

It also incites the anger of the families of the dead pilots, who believe that blaming their sons provides too convenient an answer for a series of awkward questions.

The pilots' families are understandably suspicious about a verdict that avoids issues such as: whether the aircraft was brought into service prematurely; whether the software should have been rewritten before it was certified for safe flight, as Boscombe Down had recommended; whether software can cause an accident without leaving any physical evidence; and whether the pilots should have been asked to fly an aircraft that Boscombe Down had grounded the day before the Mull crash.

Computer Weekly's verdict

There is no evidence that any of the factors we have mentioned played any part in the decision to find that the pilots of Chinook ZD576 which crashed on the Mull were grossly negligent. If anything, there is evidence that the air marshals made their decision to blame the pilots in good faith, on the available evidence and based on the limited knowledge of Fadec that was disclosed to the RAF Board of Inquiry.

Since then much new information has come to light which has cast further doubt on the verdict. If there is any cause for criticism, then perhaps this should be directed not at the air marshals but at the MoD. In its anxiety to defend the decision to blame the pilots, the MoD has sometimes been selective in its use of information and it has made and defended incorrect statements.

It may also be said that although the original decision to blame the pilots was taken with objectivity, the arguments used subsequently to defend that decision have not always proved objective.

Critics on this matter say that the MoD has repeatedly declared a willingness to consider new information. But if there is not enough evidence to ascertain the true cause of the accident then it is impossible for anyone to provide the evidence that proves the innocence of the pilots.

In no court of law would a judge, without hard evidence, and without the families of the dead being able to plead the case for the defence, find deceased defendants guilty of manslaughter and then tell the families that the court will look at matters again if they can provide firm evidence of their sons' innocence.

Yet the MoD has this power. It can refuse to consider any evidence that it does not deem new and relevant. At the same time it knows that no concrete evidence proving the pilots' innocence can be provided. Even if any new information is forthcoming, the MoD has the final say on whether it is relevant.

Is this not like asking a demolition company to assess whether or not a particular house should be demolished?

Could the MoD's total control over the current situation and the fact that it has, on paper, much to lose and nothing to gain by overturning the verdict against the pilots explain why it is so resistant to calls for an independent inquiry?

It is the experience of House of Commons committees that, in any computer disaster, the last thing departmental managers will accept is an independent inquiry - unless it is imposed on them.