Select Committee on Public Accounts Minutes of Evidence


Examination of Witnesses (Questions 20 - 39)

WEDNESDAY 8 MARCH 2000

MR KEVIN TEBBIT, SIR ROBERT WALMSLEY, VICE ADMIRAL SIR JEREMY BLACKHAM AND MR JOHN OUGHTON

  20. Would you please let me have a note on the question of the comparison with the US fleet. I think that would be useful[7].

  (Mr Tebbit) As I say, Chairman, I will try to do so. I am not sure whether a comparison with the US fleet would be helpful, but I am happy to do that[8]. I understand that the US Army have 25 similar Chinooks, we have around 27[9], so it would be possible, but perhaps a more accurate comparison would be to know about any problems that had existed in our existing fleet since they were brought into service in 1994. As I say, in 119,000 hours there have been no safety problems associated with the FADEC software.


  21. I would like you to verify those numbers, Mr Tebbit, not necessarily today but when you get back to the Department, both in terms of the actual number and in terms of the comparability of software just so we are very clear on that.
  (Mr Tebbit) Happy to[10].

  22. One of the reasons, as you will probably know, that I raised this is we have had a number of letters from people who dispute your argument on Chinooks because they say the Mull of Kintyre crash is unproven as to cause. That is what the court found even though the MoD Board of Inquiry found cause at the time. It is obviously a question for other people about the reputation of the pilots involved. For us it is also a matter of how we deal with software coming into use, something which will be very important for all future MoD procurement, that you are able to test and be sure of the safety and effectiveness of software. So it has an implication for this Committee as well, I am afraid.
  (Mr Tebbit) I do understand that, Mr Chairman.

  23. Which is why I am pressing the point. I am not going to press it any further at the moment except for one last question to you but I may well come back at the end. The question I want to raise with you now is why does your own Department—and I appreciate you may not be able to give me an absolutely straightforward answer—but is it not the case that in the event of an accident both the Ministry of Defence and, for that matter, civilian air accident investigation boards have inadequate methods of evaluating the causes of accidents rooted in software problems?
  (Mr Tebbit) Mr Chairman, I will not answer that question directly because I think given the context you have explained it I ought to say first that the reason I have been able to answer your questions quite precisely so far in this area is for the same reason that you are implying. The reason that I can say our FADEC is reliable through 119,283.5 hours without any confirmed software failures—I got that yesterday from the Head of the Integrated Project Team in the Defence Logistics Organisation—is because I am acutely conscious and the Department is and Ministers are of the importance of this issue still to the families of those concerned in this human tragedy. If any new information comes to light which changes the existing assessment that we have we will indeed look at it and Ministers have promised this and I, too, repeat it today. Sadly, I have to say that no new information has come to light that changes the Department's view and we have no element of doubt about the airworthiness of the Chinook or the FADEC software either at the time of the accident or since, but I do want to emphasise that we are acutely conscious of the interest in this issue and the need for it to be monitored very carefully. When any issue arises I ask if there is anything in it which has any read-across of the software into the service.

  24. Of course, and I may come back to that.
  (Mr Tebbit) On the particular question you asked, as you say, there was an Aircraft Accident Investigation Board convened at the beginning which is not the Ministry of Defence.

  25. I do not want at this point to go down the avenue relating to the Mull of Kintyre crash. We may come back to that later depending how the Committee progresses. I am more concerned at this point—and I do not diminish in any sense the importance of the reputation of these two no doubt highly capable special forces pilots. What I want to ask you at the moment is the more general question which I think has serious implications for all high technology systems acquired, weapons systems that are software dependent and navigation control systems on aircraft—maybe on both, I am not sure. We do not appear to have (not just the MoD, this is a generic problem) a method of evaluating accidents where there is obviously major damage, where there may be a cause rooted in software. Am I right or am I wrong?
  (Mr Tebbit) I do not think you are completely right, Mr Chairman, because the way in which we develop systems for safety is such as to ensure that if there is a software failure then the problem does not lead to a failure in the system itself, in the platform, in the weapons system, in the aircraft or whatever. The way in which they are built is to guard against the risk that a software failure could lead to a system failure. In the specific case from which this has come the Investigation Board was satisfied that there was no system failure that was involved in the accident either of the software or equipment.

  26. You have not answered my question in some ways.
  (Mr Tebbit) The general point is one where I think I am correct. I would ask Sir Robert Walmsley to comment because I think that is a statement of the way in which we develop systems.

  27. We want to get as far as we can to the truth.
  (Sir Robert Walmsley) The situation, Chairman, is that the possibility which you mentioned of course exists. I should make it quite clear that in response to this general line of questions that one of the great reliances one places on any software system is reuse of chunks of software from previously established systems which are well understood and well defined. We need to do that to save money and to reduce risk on a programme. It is a feature of any big software programme that most of it is reuse. On testing, as you quite rightly imply, there simply is not enough time left in the future of this universe to test every single interaction of any decent sized piece of software. We do, however, test it as thoroughly as we can to avoid the kind of subroutine collisions that you mentioned before, which I totally accept are a possibility, and most of us have experienced them happening at some stage or other. But our approach does not just depend on hoping that things will not go wrong. Actually in any large system very little of the software is safety critical—I mean absolutely safety critical—so our approach tends to be to try to identify the software that is absolutely safety critical and then use mathematical verification techniques on that bit; and where you do not feel you can rely on that because you have not developed the techniques or there is too much of it, you can use a voting regime so you run several parallel sets of computing. That is how it is done in Airbus and how it is done on nuclear installations.

  28. I am familiar with that. I am taking massively more than my normal amount of time so I am going to draw to a close in a minute and widen it out and we will come back to the matter later, if need be. The problem arises from what you call an absolutely safety critical regime. After all, if you look through the history of civil aviation accidents you will find many of them which were initially put down to pilot error came about because the pilot was overloaded because of some of the instrumentation going wrong and pilots being distracted by lights going off in parts of the cockpit and so on. That is fairly classically understood as part of civil aviation accident history. The Mull of Kintyre issue was one of the things that apparently was typical of the FADEC system. It set off caution lights that were not appropriate at the time. The more general point worries me and it applies not just to the MoD but to civil aviation in this country and other places, and that is as more and more of the operation of engines, navigation systems, fly-by-wire control systems come to depend on software, it is very, very difficult to take out of the loop completely even, as you call it, the absolutely safety critical, let alone those which may impede safety by pilot distraction or by creating false alarms anywhere.
  (Mr Tebbit) Could I just comment, Mr Chairman, just to follow up the point. We do indeed do a lot of work in that area and there are three activities which are critical activities which are undertaken to minimise the risks that you mention. The first is that under our procedures we carry out a safety assessment to establish whether equipment could endanger human life which is a Defence Standard 0056. If that is the case we establish whether the components controlled by the software can endanger human life. That is Defence Standard 0056.

  29. The second one?
  (Mr Tebbit) They are both 0056.

  30. I thought so.
  (Mr Tebbit) If so, we develop our safety critical software to an appropriate level of standard which is another one of these numbers. So a specific set of procedures is in place to look at this very issue. I would mention on the light going out question—

  31. I will give you time to come back in a second. Importantly you used the word "could" rather than "would". How long has 0056 been in place?
  (Mr Tebbit) We are getting to an area which is classified because some of it has a military significance as well. I do not know precisely how long this has been in place. I would need to give you an answer to that.

  32. I am happy to have that by note[11].

  (Mr Tebbit) I will give you a list of the standards but the piece of paper I am using at the moment is classified.

  33. You wanted to make the point about the lights.
  (Mr Tebbit) I only wanted to say that the evidence from the particular case you are quoting is that there were no lights on in the dashboard at the time. That was part of the investigation that was carried out.

  Chairman: Again we may ask you to let us have your written evidence on that[12]. Let's widen it out. Mr Alan Campbell?

Mr Campbell

  34. I have only one question on Chinooks at this point in time and it follows on from the discussion you had earlier with the Chairman on why there was debate, indeed dispute, between Boscombe Down EDS and Lycoming over FADEC. How many complaints were there from flight staff about the way in which the Chinook Mark 2s were performing and were you aware at that stage that while the Chinooks were still in operational service that there was concern amongst flight staff?
  (Mr Tebbit) Which Chinooks are we talking about?

  35. Mark 2s.
  (Mr Tebbit) Which were just coming into service. I understand there were some complaints but I would not know the details of that[13]. I can only talk about the specific issue of the software we are discussing. The Chinooks in general were safe.

  36. Surely if a new software system is being introduced while discussion and debate is going on about the technicalities of it, who is responsible for which tests and what they show—
  (Mr Tebbit) The responsibility is for the Ministry of Defence to decide.

  37. One of the things the Ministry of Defence would presumably take into consideration is feedback from pilots who were trying out the new machines? Is that not right?
  (Mr Tebbit) That would be the test pilots. That would be at an earlier stage. We are talking about the in service operation of the system.

  38. But there was concern when the Chinook 2s came into operation.
  (Mr Tebbit) The word "concern" I do not quite understand. When a new system is being tested and fielded, clearly there is a discussion about the system but I do not understand the word "concern".

  39. Let me give you a quotation.
  (Mr Tebbit) I am not quite sure what direction your questioning is moving in here.

  Chairman: I will deal with the direction of the questioning if need be.


7   Evidence, Appendix 1, pages 31-42.

8   Note: See Evidence, Appendix 1, page 36.

9   Note by Witness: There are 34 similar Chinooks, not 27.

10   Evidence, Appendix 1, pages 31-42.

11   Note: See Evidence, Appendix 1, pages 31-42.

12   Note: See Evidence, Appendix 1, pages 31-42.

13   Note: Ibid.



© Parliamentary copyright 2000
Prepared 30 November 2000