MoD failed to reveal whole truth to MPs

Tony Collins

One of the UK's leading safety-critical software experts has questioned the accuracy of evidence given to MPs by the Ministry of Defence's top civil servant over the Chinook helicopter's Fadec fuel control system.

Martyn Thomas, chairman emeritus of Praxis Critical Systems and an independent adviser to Government organisations on safety-related software, took issue with statements made by Kevin Tebbit, permanent under-secretary at the Ministry of Defence (MoD), to the Commons' Public Accounts Committee.

MPs on the committee had asked Tebbit whether the safety-critical Fadec system was safe to go into operational service in 1993, after the MoD's own airworthiness assessors at Boscombe Down had described the software as unverifiable and not fit for purpose.

Tebbit said that Boscombe Down was trying to test the software using an "inappropriate" method of validation: static code analysis.

He agreed with a statement by Government auditors that static code analysis was an "internal Boscombe Down policy, not supported by defence standards".

Tebbit added that static code analysis was used by the nuclear industry, implying it was unsuitable for testing aviation software.

But Thomas says in a letter to Computer Weekly that static code analysis was developed by an MoD agency, the Defence Evaluation Research Agency, specifically to verify safety-critical software.

"The work on static analysis was declassified as a matter of public policy: precisely so that it could be used on safety-critical software, such as the Chinook Fadec," says Thomas.

It has also emerged that static code analysis has been used to validate safety-critical software in aircraft such as the Tornado F3 and the Eurofighter.

The Ministry of Defence has repeatedly belittled the anomalies found in the Fadec as a result of static code analysis.

It has now emerged that Boscombe Down's technique for validating the Fadec was, in fact, the MoD's preferred method. This lends weight to Boscombe Down's view that the software was unfit for purpose at the time of the notorious fatal crash of a Chinook on the Mull of Kintyre in June 1994.
