Software expert attacks MoD's 'preposterous' Chinook claims
The Ministry of Defence's latest claim that there is 'no doubt' over the cause of the Chinook helicopter crash have raised...
A senior IT specialist has described as "preposterous" the Ministry of Defence's latest claims over the Chinook helicopter crash on the Mull of Kintyre.
Peter Mellor of London's Centre for Software Reliability added his voice to an attack on the MoD for suggesting that it does not need to be certain of events before an accident to know that the pilots were to blame.
His criticism was over an MoD reply to Lord Jacobs, who had asked a Parliamentary question about the lack of certainty over the last moments of Chinook ZD576, which crashed in June 1994, killing four crew and 25 senior police and intelligence officers.
In reply, the MoD said, "It is possible to be certain of the cause for something happening even though the precise details of events leading up to it are less definite. The decision of the RAF Board of Inquiry into the accident was that there was no doubt that the actions of the two pilots were the direct cause of the crash and that this amounted to gross negligence."
IT specialists said the MoD statement, if accepted as true, could greatly simplify the investigation of accidents in which defective IT systems were a suspected cause. Without knowing precisely how IT systems, equipment and instrumentation were performing, the pilots could be blamed for being in the wrong place at the wrong time.
Mellor said, "It takes no account of why the pilots took a particular action. The fundamental cause, whether this was some failure of the hardware or software in the control systems, misleading navigation data or whatever, remains mysterious, and it is this that an investigation should try to elucidate. The ultimate cause or causes may lie a long way back in the accident sequence.
"To find that the pilots were negligent without any firm knowledge of the behaviour of the onboard systems immediately before impact is so utterly preposterous that it beggars belief."
He added, "We need detailed information on the precise failures that have occurred, the faults that gave rise to them, the amount of operating time over which the failures occurred and the precise modification level of the software in question. Unless compelled by law, no manufacturer is going to give this."
Mellor also pointed out that software leaves no trace to guide the crash investigators. "In other words, there is never a smoking gun with the software developer's fingerprints on the trigger," he said.
Peter Amey, senior partner at Praxis Critical Systems, which supplies tools for checking aircraft and other types of safety related software, said, "If you crash into the back of the car in front, the usual working assumption is that you must be to blame. If, however, you had suffered a temporary and non-reproducible brake failure, and were killed in the accident, it would be very easy to miss the real cause and wrongly assume driver error.
"Temporary and non-reproducible are of course common characteristics of software defects. So the question 'was the aircraft in the wrong place?' is not enough - we need to know why."
Les Hatton, professor of software reliability at the University of Kent Computing Laboratory, has written to the MoD to highlight flaws in the argument that the pilots were to blame for the crash on the Mull of Kintyre. In an e-mail to Computer Weekly he said, "With software there is no clear evidence of failure and in a long correspondence with the MoD I have failed to convince them of this. It is all too easy to blame the pilots in this case.
"In my view, if there is any historical suspicion [of problems] with such critical software - and there is a lot more than that with the Chinook's Full Authority Digital Engine Control system - a claim of no doubt whatsoever against the pilots is unsustainable on technical grounds. Allowing this possibility should cause the MoD no embarrassment. Software failure is a natural property of a software engineering system no matter how much care went into it. To pretend otherwise is to invite its re-occurrence."
Peers and MPs have also attacked the MoD over its latest reply.
Lord Jacobs said the MoD is "stretching to breaking point" the notion that there is no doubt whatsoever about pilot negligence.
And Robert Key, a former defence minister, who has campaigned for a new inquiry over the crash, said, "Far from appearing calm and confident, ministers and their advisers, I feel, are apparently racing across widening crevices in the melting glacier."