Examination of Witnesses (Questions 20 - 39)
WEDNESDAY 8 MARCH 2000
MR KEVIN TEBBIT, SIR ROBERT WALMSLEY, VICE ADMIRAL SIR JEREMY BLACKHAM AND MR JOHN OUGHTON
20. Would you please let me have a note on the
question of the comparison with the US fleet. I think that would
be useful[7].
(Mr Tebbit) As I say, Chairman, I will
try to do so. I am not sure whether a comparison with the US fleet
would be helpful, but I am happy to do that[8].
I understand that the US Army have 25 similar Chinooks, we have
around 27[9],
so it would be possible, but perhaps a more accurate comparison
would be to know about any problems that had existed in our existing
fleet since they were brought into service in 1994. As I say,
in 119,000 hours there have been no safety problems associated
with the FADEC software.
21. I would like you to verify those numbers,
Mr Tebbit, not necessarily today but when you get back to the
Department, both in terms of the actual number and in terms of
the comparability of software just so we are very clear on that.
(Mr Tebbit) Happy to[10].
22. One of the reasons, as you will probably
know, that I raised this is we have had a number of letters from
people who dispute your argument on Chinooks because they say
the Mull of Kintyre crash is unproven as to cause. That is what
the court found even though the MoD Board of Inquiry found cause
at the time. It is obviously a question for other people about
the reputation of the pilots involved. For us it is also a matter
of how we deal with software coming into use, something which
will be very important for all future MoD procurement, that you
are able to test and be sure of the safety and effectiveness of
software. So it has an implication for this Committee as well,
I am afraid.
(Mr Tebbit) I do understand that, Mr Chairman.
23. Which is why I am pressing the point. I
am not going to press it any further at the moment except for
one last question to you but I may well come back at the end.
The question I want to raise with you now is why does your own
Department (and I appreciate you may not be able to give
me an absolutely straightforward answer) but is it not the
case that in the event of an accident both the Ministry of Defence
and, for that matter, civilian air accident investigation boards
have inadequate methods of evaluating the causes of accidents
rooted in software problems?
(Mr Tebbit) Mr Chairman, I will not answer that question
directly because I think given the context you have explained
it I ought to say first that the reason I have been able to answer
your questions quite precisely so far in this area is for the
same reason that you are implying. The reason that I can say our
FADEC is reliable through 119,283.5 hours without any confirmed
software failures (I got that yesterday from the Head of
the Integrated Project Team in the Defence Logistics Organisation) is
because I am acutely conscious and the Department is and Ministers
are of the importance of this issue still to the families of those
concerned in this human tragedy. If any new information comes
to light which changes the existing assessment that we have we
will indeed look at it and Ministers have promised this and I,
too, repeat it today. Sadly, I have to say that no new information
has come to light that changes the Department's view and we have
no element of doubt about the airworthiness of the Chinook or
the FADEC software either at the time of the accident or since,
but I do want to emphasise that we are acutely conscious of the
interest in this issue and the need for it to be monitored very
carefully. When any issue arises I ask if there is anything in
it which has any read-across of the software into the service.
24. Of course, and I may come back to that.
(Mr Tebbit) On the particular question you asked,
as you say, there was an Aircraft Accident Investigation Board
convened at the beginning which is not the Ministry of Defence.
25. I do not want at this point to go down the
avenue relating to the Mull of Kintyre crash. We may come back
to that later depending how the Committee progresses. I am more
concerned at this point (and I do not diminish in any sense
the importance of the reputation of these two no doubt highly
capable special forces pilots). What I want to ask you at the moment
is the more general question which I think has serious implications
for all high technology systems acquired, weapons systems that
are software dependent and navigation control systems on aircraft, maybe
on both, I am not sure. We do not appear to have (not just the
MoD, this is a generic problem) a method of evaluating accidents
where there is obviously major damage, where there may be a cause
rooted in software. Am I right or am I wrong?
(Mr Tebbit) I do not think you are completely right,
Mr Chairman, because the way in which we develop systems for safety
is such as to ensure that if there is a software failure then
the problem does not lead to a failure in the system itself, in
the platform, in the weapons system, in the aircraft or whatever.
The way in which they are built is to guard against the risk that
a software failure could lead to a system failure. In the specific
case from which this has come the Investigation Board was satisfied
that there was no system failure that was involved in the accident
either of the software or equipment.
26. You have not answered my question in some
ways.
(Mr Tebbit) The general point is one where I think
I am correct. I would ask Sir Robert Walmsley to comment because
I think that is a statement of the way in which we develop systems.
27. We want to get as far as we can to the truth.
(Sir Robert Walmsley) The situation, Chairman, is
that the possibility which you mentioned of course exists. I should
make it quite clear, in response to this general line of questions,
that one of the great reliances one places on any software system
is reuse of chunks of software from previously established systems
which are well understood and well defined. We need to do that
to save money and to reduce risk on a programme. It is a feature
of any big software programme that most of it is reuse. On testing,
as you quite rightly imply, there simply is not enough time left
in the future of this universe to test every single interaction
of any decent sized piece of software. We do, however, test it
as thoroughly as we can to avoid the kind of subroutine collisions
that you mentioned before, which I totally accept are a possibility,
and most of us have experienced them happening at some stage or
other. But our approach does not just depend on hoping that things
will not go wrong. Actually in any large system very little of
the software is safety critical (I mean absolutely safety
critical), so our approach tends to be to try to identify
the software that is absolutely safety critical and then use mathematical
verification techniques on that bit; and where you do not feel
you can rely on that because you have not developed the techniques
or there is too much of it, you can use a voting regime so you
run several parallel sets of computing. That is how it is done
in Airbus and how it is done on nuclear installations.
28. I am familiar with that. I am taking massively
more than my normal amount of time so I am going to draw to a
close in a minute and widen it out and we will come back to the
matter later, if need be. The problem arises from what you call
an absolutely safety critical regime. After all, if you look through
the history of civil aviation accidents you will find many of
them which were initially put down to pilot error came about because
of pilot overload because of some of the instrumentation going
wrong and pilots being distracted by lights going off in parts
of the cockpit and so on. That is fairly classically understood
as part of civil aviation accident history. The Mull of Kintyre
issue was one of the things that apparently was typical of the
FADEC system. It set off caution lights that were not appropriate
at the time. The more general point worries me and it applies
not just to the MoD but to civil aviation in this country and
other places, and that is as more and more of the operation of engines,
navigation systems, fly-by-wire control systems comes to depend
on software, it is very, very difficult to take out of the loop
completely even, as you call it, the absolutely safety critical,
let alone those which may impede safety by pilot distraction or
by creating false alarms anywhere.
(Mr Tebbit) Could I just comment, Mr Chairman, just
to follow up the point. We do indeed do a lot of work in that
area and there are three activities which are critical activities
which are undertaken to minimise the risks that you mention. The
first is that under our procedures we carry out a safety assessment
to establish whether equipment could endanger human life which
is Defence Standard 00-56. If that is the case we establish whether
the components controlled by the software can endanger human life.
That is Defence Standard 00-56.
29. The second one?
(Mr Tebbit) They are both 00-56.
30. I thought so.
(Mr Tebbit) If so, we develop our safety critical
software to an appropriate level of standard which is another
one of these numbers. So a specific set of procedures is in place
to look at this very issue. I would mention on the light going
out question...
31. I will give you time to come back in a second.
Importantly you used the word "could" rather than "would".
How long has 00-56 been in place?
(Mr Tebbit) We are getting to an area which is classified
because some of it has a military significance as well. I do not
know precisely how long this has been in place. I would need to
give you an answer to that.
32. I am happy to have that by note[11].
(Mr Tebbit) I will give you a list of
the standards but the piece of paper I am using at the moment
is classified.
33. You wanted to make the point about the lights.
(Mr Tebbit) I only wanted to say that the evidence
from the particular case you are quoting is that there were no
lights on in the dashboard at the time. That was part of the investigation
that was carried out.
Chairman: Again we may ask you to let us have
your written evidence on that[12].
Let's widen it out. Mr Alan Campbell?
Mr Campbell
34. I have only one question on Chinooks at
this point in time and it follows on from the discussion you had
earlier with the Chairman on why there was debate, indeed dispute,
between Boscombe Down, EDS and Lycoming over FADEC. How many complaints
were there from flight staff about the way in which the Chinook
Mark 2s were performing and were you aware at that stage that
while the Chinooks were still in operational service that there
was concern amongst flight staff?
(Mr Tebbit) Which Chinooks are we talking about?
35. Mark 2s.
(Mr Tebbit) Which were just coming into service. I
understand there were some complaints but I would not know the
details of that[13].
I can only talk about the specific issue of the software we are
discussing. The Chinooks in general were safe.
36. Surely if a new software system is being
introduced while discussion and debate is going on about the technicalities
of it, who is responsible for which tests and what they show...
(Mr Tebbit) The responsibility is for the Ministry
of Defence to decide.
37. One of the things the Ministry of Defence
would presumably take into consideration is feedback from pilots
who were trying out the new machines? Is that not right?
(Mr Tebbit) That would be the test pilots. That would
be at an earlier stage. We are talking about the in service operation
of the system.
38. But there was concern when the Chinook 2s
came into operation.
(Mr Tebbit) The word "concern" I do not
quite understand. When a new system is being tested and fielded,
clearly there is a discussion about the system but I do not understand
the word "concern".
39. Let me give you a quotation.
(Mr Tebbit) I am not quite sure what direction your
questioning is moving in here.
Chairman: I will deal with the direction of
the questioning if need be.
7 Evidence, Appendix 1, pages 31-42.
8 Note: See Evidence, Appendix 1, page 36.
9 Note by Witness: There are 34 similar Chinooks, not 27.
10 Evidence, Appendix 1, pages 31-42.
11 Note: See Evidence, Appendix 1, pages 31-42.
12 Note: See Evidence, Appendix 1, pages 31-42.
13 Note: Ibid.