Chinook crash: critical internal memo on software flaws
Author: Tony Collins
Posted: 11:55 04 Jun 2009
Today, in the week of the 15th anniversary of the notorious crash of a Chinook helicopter on the Mull of Kintyre, Computer Weekly is publishing, in full for the first time, an MoD memo that is the clearest evidence yet that software problems made the helicopter unsafe to fly at the time of the accident.
The internal MoD letter - which by coincidence was written on the day of the crash of the Chinook - says that recommendations over the Chinook's "Fadec" engine control software have "been ignored" and that air crews will be at risk if they continue to fly the helicopter.
The letter urges "in the strongest possible terms" an end to operational flights of the Chinook until corrective action is taken. The letter says that the official explanation of "no fault found" after Fadec system problems have occurred will no longer suffice.
The concerns raised in the letter add to the mystery of why the RAF allowed some of the UK's top police and intelligence to fly together on one aircraft which was known to have dangerously flawed safety-critical software. Twenty-five VIPs were killed in the crash of Chinook ZD576 soon after 6pm on 2 June 1994.
One of the pilots of Chinook ZD576 had not wanted to fly in the Mk2 [HC2] helicopter which was fitted with two new Fadec systems, one for each jet engine. He had requested an earlier Mk1 [HC1] non-Fadec version of the helicopter. His request was denied.
Also, the internal MoD letter failed to stop the last flight of ZD576. Two Air Marshals found the pilots of ZD576, Flight Lieutenants Rick Cook and Jonathan Tapper, grossly negligent.
Ever since, the Cook and Tapper families have campaigned for the finding of negligence to be overturned because of doubts about the cause of the crash. RAF rules said that dead pilots could be found negligent only if there was "absolutely no doubt whatsoever".
Now Computer Weekly is publishing the internal MoD letter in full, because it is evidence that the unreliability of the Fadec system made the helicopter unsafe to fly. A year before the crash, services supplier EDS had abandoned an assessment of the Fadec software because it had hundreds of anomalies and bugs.
For many years it has been known that trials flying of the Chinook Mk2 had ceased, because of Fadec concerns, on the day before the crash on the Mull of Kintyre. But now the internal letter shows the intense pressure the RAF was under to cease operational flights as well.
The Fadec was unusually reliant on software - for both the main (primary) mode and also the back-up [reversionary] mode. The system controlled the flow of fuel to the Chinook's engines. Too much fuel and the engines could accelerate out of control. Too little fuel and they could flame out - switch off.
Even before the crash on the Mull, tests of the reversionary mode had made the engines flame out or behave erratically. So, during operational flights, pilots were under instruction not to select reversionary mode manually, Computer Weekly has learned.
But this ban on the manual use of the software-based reversionary channel left open the question of what would happen to the engines if the system automatically went into reversionary mode when the helicopter was in flight.
A fault code was indeed found in the self-diagnosis unit of a Fadec system recovered from the crashed ZD576. The second Fadec system on ZD576 was too badly damaged to check.
There was evidence in the crash that pilots might have been seeking full power but the wreckage showed the engines were delivering power at an intermediate setting only.
The defence secretary at the time of the crash, Malcolm Rifkind, endorsed the findings of negligence but he has since changed his mind. He says he was not given all the facts. All Labour defence ministers have, however, backed the air marshals.
Computer Weekly has backed a campaign to clear the reputations of the pilots because of the wider implications of blaming the weakest link in the chain of command - in this case the pilot-operators - for a fatal crash which could have been caused by poorly-designed software.
We have also been concerned at the overlooking by the RAF of the systemic failures which lay behind the installation of flawed software on operational Chinooks. The Fadec software was improved - but only after the crash on the Mull of Kintyre.
We published a 140-page report on the cover-up of the Chinook's software problems.
This is the letter from the Officer Commanding Rotary Wing Test Squadron, Procurement Executive, Ministry of Defence, Aeroplane and Armament Experimental Establishment (now Qinetiq) Boscombe Down, Salisbury, Wilts.
Link
http://www.computerweekly.com/Artic...-critical-internal-memo-on-software-flaws.htm