Chinook helicopter disaster - computer software failure or pilot error?

Chinook helicopter crash: was it computer software failure or a cause we'll never know? This article gives the background to the Chinook helicopter disaster with links to all the relevant articles published by Computer Weekly and other useful web links.

2 June 2008 marks the fourteenth anniversary of the notorious crash of a Chinook helicopter, ZD576, on the Mull of Kintyre in Scotland in 1994 - a crash that had many possible causes, including faulty software design, but for which the two dead pilots were blamed: Flight Lieutenants Jonathan Tapper and Rick Cook.

Two air marshals found that Cook and Tapper were grossly negligent by crashing Chinook ZD576, killing all 29 on board including four crew and 25 passengers, who were mostly intelligence and Special Branch officers.

Today there are still discussions about the Chinook helicopter crash and whether the Chinook's computer system failed or it was the fault of the pilots. A summary of all that is important to know is on the Battle for Justice website. There is also discussion on the Professional Pilots Rumour Network – the latest thread is 174 pages long.

That the debate is still active is due largely to the tenacity of the families of the dead pilots, a particularly dogged campaigner, Brian Dixon, Channel Four News, Computer Weekly and many others including professional pilots, peers and MPs. Computer Weekly has received more than 400 e-mails in support of the campaign.

We have published a 140-page report: “RAF Justice - How the Royal Air Force blamed two dead pilots and covered up problems with the Chinook’s computer system Fadec”.

There have been several separate, independent inquiries into the causes of the crash. The Public Accounts Committee, for example, criticised the procurement of the Chinook Mk2’s Full Authority Digital Engine Control [Fadec] system. The committee looked into the crash as part of its investigation into the value for money of the Chinook Mk2, and concluded:

“At entry to Service and the time of the crash of ZD-576 the Chinook Mark 2 fleet was experiencing widespread and repeated faults caused by the Full Authority Digital Engine Control software”. It said that “faults with the Fadec led to doubts as to the reliability and safety of the aircraft at the time and make it very difficult to rule out categorically a technical fault as at least a cause of ZD576’s crash”.

Why is Computer Weekly still concerned about a helicopter crash 14 years ago?

When safety-critical computer software fails, or software contains coding or design flaws, and these defects contribute to or cause a major incident, there might be no physical trace of a software-related deficiency.

Only the manufacturer may understand its system well enough to identify any flaws in its design, coding or testing.

Yet no commercial manufacturer can be expected to implicate itself in a major software-related disaster. So, if software kills or injures people, it is possible and even likely that the exact cause of the incident will never be known.

This is especially likely to be the case if the computer software has failed in no obvious way, as when a coding error has set off a chain of complex events that cannot be replicated after a disaster.

Convention dictates that someone must be blamed for a major incident, perhaps pilots, keyboard clerks or train drivers. In business, those blamed for failures could be anyone in a relevant senior post who could not prove their innocence.

It should be remembered that manufacturers, in proving their equipment was not at fault after a major incident, may have large resources at their disposal.

Individuals may have minimal resources to defend themselves in any incident investigation: no access to the manufacturer's commercially sensitive information, none of the manufacturer's knowledge of how the systems work, and little money for expert reports and advice.

Therefore, the weakest link after a disaster, particularly a major fatal accident, will always be the operators or their managers - especially if they are dead.

That is why the loss of Chinook ZD576 is so much more than a helicopter crash. To accept the verdict against the pilots is to accept that it is reasonable to blame the operators if the cause of a serious incident is not known.

 
