Incident: Chinook Helicopter Crash Due to Faulty Software, 1994, RAF, Impacting 29 Lives

Published Date: 2010-01-04

Postmortem Analysis
Timeline 1. The software failure incident happened in June 1994 [132, 116, 276].
System 1. Chinook helicopter's computer software [132, 116, 276]
Responsible Organization 1. Ministry of Defence (MoD) [132, 116, 276]
Impacted Organization 1. RAF helicopter pilot crew and passengers, including leading Northern Ireland security and intelligence officials [132, 116, 276]
Software Causes 1. The engine control computer software in the Chinook Mark 2 was described in an internal Ministry of Defence document, written nine months before the crash, as "positively dangerous": its deficiencies meant the pilot's full control of the engines "could not be assured" [132, 116, 276]. 2. The same document raised serious concerns about the engine control computer software and called for it to be rewritten because of safety-critical issues [132, 116, 276].
Non-software Causes 1. According to [132], the RAF rushed the Chinook Mark 2 into service despite knowing the software was dangerous. 2. The same report states that the pilots were then blamed for the crash to save face [132]. 3. Successive defence secretaries maintained that the aircraft entered cloud too fast and too low [132].
Impacts 1. The Chinook crashed on the Mull of Kintyre with the loss of all 29 people on board, including leading Northern Ireland security and intelligence officials; the faulty engine control software was identified as a potential cause [132, 116, 276]. 2. The official finding of gross negligence against the two pilots became the subject of lasting controversy and of a long campaign by their families and supporters to clear their names [132, 116, 276]. 3. The documented software deficiencies, which meant the pilot's full control of the engines could not be assured, cast doubt on the airworthiness of the aircraft at the time it was released into service [132, 116, 276]. 4. Multiple inquiries and reviews followed; later investigations found the cause of the crash inconclusive, undermining the initial conclusion of pilot negligence [132, 116, 276]. 5. The families of the pilots and of the other victims were left seeking justice, closure and the removal of the negligence finding from their relatives' names [132, 116, 276].
Preventions 1. Properly addressing and acting upon the warnings and concerns raised by Ministry of Defence airworthiness experts regarding the potentially catastrophic problems with the Chinook's computer software could have prevented the software failure incident [132, 116, 276]. 2. Conducting a thorough review and addressing the serious concerns and recommendations regarding the engine control computer software as highlighted in the internal MoD documents from the aircraft testing centre at Boscombe Down could have prevented the incident [116, 276]. 3. Delaying the entry into service of the Chinook Mark 2 until the necessary software issues were resolved and ensuring that the release of the aircraft into service was based on a comprehensive hazard analysis and safety assessment of the software could have prevented the incident [132, 116, 276].
Fixes 1. Revising and rewriting the computer software of the Chinook helicopter to address the deficiencies and ensure the pilot's full control of the engines can be assured [132, 116, 276]. 2. Conducting a thorough review of the internal Ministry of Defence documents and recommendations from experts at the aircraft testing centre at Boscombe Down to identify and rectify any potential flaws in the software [132, 116, 276]. 3. Reopening the Board of Inquiry to consider the new evidence regarding the faulty computer software and its potential role in the Chinook helicopter crash, as requested by families of the pilots and campaigners [132, 116, 276].
References 1. Ministry of Defence document obtained by the BBC [132, 116, 276] 2. Senior engineering officer at the helicopter test centre at Boscombe Down [132, 116, 276] 3. RAF board of inquiry [132, 116, 276] 4. Families of the pilots and relatives of those who died in the crash [116, 276]

Software Taxonomy of Faults

Category Option Rationale
Recurring one_organization (a) The software failure incident related to the Chinook helicopter crash in 1994 was specific to the Ministry of Defence (MoD) and its Chinook helicopters. The incident involved faulty computer software in the Chinook helicopter, which was described as "positively dangerous" in internal MoD documents [132, 116, 276]. (b) There is no specific mention in the provided articles of a similar software failure incident happening at other organizations or with their products and services.
Phase (Design/Operation) design, operation (a) The articles describe a design-phase failure: the engine control computer software of the Chinook was faulty, and an internal Ministry of Defence document written nine months before the crash called it "positively dangerous" and noted deficiencies that meant the pilot's full control of the engines "could not be assured" [132, 116, 276]. (b) An operation-phase cause is also on the record: the official RAF inquiry concluded that the aircraft was airworthy and found the two pilots guilty of gross negligence, i.e. it attributed the crash to how the aircraft was flown rather than to its design. Subsequent inquiries found the cause inconclusive, so neither phase can be excluded on the evidence available [116, 276].
Boundary (Internal/External) within_system (a) within_system: - The software failure incident related to the Chinook helicopter crash was primarily attributed to faulty computer software within the system. An internal Ministry of Defence document highlighted serious concerns about the engine control computer software, stating that deficiencies in the software meant the pilot's full control of the engines "could not be assured" [116, 276]. - The RAF rushed the Chinook into service despite knowing about the dangerous software issues, and the pilots were blamed for the crash to save face [132]. - The official RAF inquiry initially concluded that the aircraft was airworthy and found the pilots guilty of gross negligence, but subsequent inquiries found the cause of the crash to be inconclusive, indicating a potential cover-up or misattribution of blame [116, 276]. (b) outside_system: - There is no explicit mention in the articles of contributing factors originating from outside the system that led to the software failure incident. The focus is primarily on the internal issues related to the faulty computer software within the Chinook helicopter system.
Nature (Human/Non-human) non-human_actions, human_actions (a) The software failure incident was primarily attributed to non-human actions, specifically faulty computer software in the Chinook helicopter. An internal Ministry of Defence document, written nine months before the crash, described the software as "positively dangerous" and highlighted serious concerns about the engine control computer software [132, 116, 276]. (b) Human actions were also implicated in the aftermath of the software failure incident. The RAF initially found the two pilots guilty of gross negligence in the Mull of Kintyre tragedy, despite evidence pointing to faulty computer software as the potential cause of the accident. There were accusations of blaming the pilots to save face, and subsequent inquiries questioned the initial findings of pilot negligence [132, 116, 276].
Dimension (Hardware/Software) hardware, software (a) hardware: The software at issue is the engine control software running on the Chinook's engine FADEC, an embedded engine control unit. The articles do not report an independent hardware defect, but a senior engineering officer's report identified the FADEC software as safety-critical and warned that malfunctions or design errors in it could have catastrophic effects on engine control [132]. (b) software: The software itself was the contributing factor identified in the articles. An internal Ministry of Defence document described it as "positively dangerous" and noted deficiencies that meant the pilot's full control of the engines "could not be assured"; the warnings were not acted on before the aircraft entered service [132, 116, 276]. The RAF inquiry initially found the pilots guilty of gross negligence, but subsequent inquiries found the cause of the crash inconclusive, leaving the software deficiencies as a possible cause [132, 116, 276].
Objective (Malicious/Non-malicious) non-malicious (a) The articles suggest that the software failure incident related to the Chinook helicopter crash was non-malicious. The incident was attributed to faulty computer software in the helicopter, specifically the engine control computer software, which was described as "positively dangerous" and having deficiencies that meant the pilot's full control of the engines "could not be assured" [132, 116, 276]. The focus was on the technical issues with the software rather than any malicious intent by individuals.
Intent (Poor/Accidental Decisions) poor_decisions (a) The software failure incident related to the Chinook helicopter crash in 1994 appears to be more aligned with poor_decisions. The incident was attributed to faulty computer software in the helicopter, which was described as "positively dangerous" and had deficiencies that meant the pilot's full control of the engines "could not be assured" [132, 116, 276]. Despite warnings and serious concerns raised by experts at the Ministry of Defence's aircraft testing centre at Boscombe Down, the aircraft was still rushed into service, and the pilots were ultimately blamed for gross negligence. This indicates that poor decisions were made in allowing the Chinook to fly with known software issues, leading to the tragic crash.
Capability (Incompetence/Accidental) development_incompetence (a) The articles suggest the software failure incident related to the Chinook helicopter crash was potentially due to development incompetence. An internal Ministry of Defence document, written nine months before the crash, described the software as "positively dangerous" and highlighted serious concerns about the engine control computer software [132, 116, 276]. The document pointed out deficiencies in the software that meant the pilot's full control of the engines "could not be assured" [132, 116, 276]. There were warnings and recommendations regarding the software that were ignored, indicating a lack of attention to critical issues in the software development process [116]. Additionally, the RAF rushed the Chinook into service despite knowing it was dangerous, which could be seen as a failure in decision-making related to software safety [132]. (b) The articles do not provide specific information indicating that the software failure incident was accidental. Instead, they highlight concerns about the software being "positively dangerous" and the deficiencies in the engine control computer software that could not assure the pilot's full control of the engines, suggesting a more systemic issue related to development incompetence rather than accidental factors.
Duration permanent (a) The failure is classed as permanent: the deficiencies were present in the engine control software as delivered, rather than arising intermittently or under a transient condition. Internal Ministry of Defence documents written nine months before the crash already described the software as "positively dangerous" and stated that the pilot's full control of the engines "could not be assured" [132, 116, 276], and those same documents were later cited as pointing to the software as a significant factor in the accident.
Behaviour crash, omission, value, other (a) crash: Faulty engine control software was identified as a potential cause of the Chinook crashing on the Mull of Kintyre, killing all 29 people on board, including leading Northern Ireland security and intelligence officials [132, 116, 276]. (b) omission: The internal Ministry of Defence document highlighted deficiencies in the software that meant the pilot's full control of the engines "could not be assured", i.e. the pilot's commands to the engines might not be carried out, an omission of the system's intended function [132, 116, 276]. (c) timing: The articles do not mention a timing-related failure. (d) value: The software was described as "positively dangerous", indicating that it could perform its engine control function incorrectly, with potentially catastrophic effect [132, 116, 276]. (e) byzantine: The articles do not describe byzantine behaviour. (f) other: More generally, the incident is a critical flaw in a safety-critical control system that compromised the crew's control of the aircraft and is alleged to have contributed to a fatal crash.

IoT System Layer

Layer Option Rationale
Perception sensor, processing_unit, embedded_software (a) sensor: Failure due to contributing factors introduced by sensor error - The articles do not single out a sensor fault; the concern is with the engine control computer software of the engine FADEC (full authority digital engine control), which in a FADEC system acts on engine sensor inputs. An internal Ministry of Defence document stated that deficiencies in that software meant the pilot's full control of the engines "could not be assured" [116, 276]. - The same document warned that any malfunctions or design errors in the software could have catastrophic effects, emphasising the safety-critical nature of the FADEC software [132]. (b) actuator: Failure due to contributing factors introduced by actuator error - The articles do not mention any issue with actuators contributing to the incident. (c) processing_unit: Failure due to contributing factors introduced by processing error - The articles describe the software in the Chinook as "positively dangerous" and state that its deficiencies meant the pilot's full control of the engines could not be assured [116, 276]. - A senior engineering officer's report warned of the hazards associated with the FADEC software, identified it as safety-critical, and stated that malfunctions or design errors could have catastrophic effects [132]. (d) network_communication: Failure due to contributing factors introduced by network communication error - The articles do not mention any network communication error contributing to the incident. (e) embedded_software: Failure due to contributing factors introduced by embedded software error - The articles identify faulty computer software in the Chinook as a potential cause of the crash; the internal MoD document described the software as "positively dangerous" and raised serious concerns about the engine control computer software [116, 276]. - The same document warned about deficiencies in the software affecting the pilot's control of the engines and emphasised the critical nature of the software in the engine FADEC [132].
Communication unknown The articles do not provide specific information about whether the software failure incident related to the Chinook helicopter crash was specifically related to the communication layer of the cyber-physical system that failed. The focus of the articles is on the faulty computer software in the helicopter and the implications for the pilots involved in the crash. Therefore, it is unknown whether the failure was at the link_level or connectivity_level of the cyber-physical system.
Application FALSE The articles do not attribute the incident to the application layer of the cyber-physical system, which covers failures due to application bugs, operating system errors, unhandled exceptions and incorrect usage. They focus on the embedded engine control computer software, which was deemed "positively dangerous" and had deficiencies that affected the pilot's control of the engines [132, 116, 276]. On the information provided, the failure is therefore not classed as an application-layer failure.

Other Details

Category Option Rationale
Consequence death, harm (a) death: The incident resulted in the deaths of all 29 people on board the Chinook, including leading Northern Ireland security and intelligence officials, in the crash on the Mull of Kintyre [132, 116, 276]. (b) harm: Beyond the deaths, the families of the two pilots carried the lasting harm of the posthumous finding of gross negligence against them, which they campaigned for years to have overturned [132, 116, 276].
Domain information, transportation, government (a) The information classification rests only on the passengers: the flight was carrying leading Northern Ireland security and intelligence officials [132, 116, 276]. The failed system itself, the engine control software, was not an information-production or information-distribution system. (b) The transportation domain was directly affected: the failed system was the engine control software of an RAF Chinook transport helicopter, and the crash killed all 29 people being carried [132, 116, 276]. (l) The government sector was directly involved: the incident concerned the Ministry of Defence's release of the aircraft into service and the RAF's handling of the crash investigation, and it raised questions about decision-making within government and the military on the airworthiness of the aircraft and the attribution of blame to the pilots [132, 116, 276].
