C240
Generally speaking, MoD standards are very good and, if adhered to, ensure an adequate level of safety, which allows the RTS to be signed.
I think the problem was, and remains, much more basic. Refusal to implement, primarily to save time and money. We’ve been discussing Safety Critical Software, and it is a simple exercise to create a compliance matrix of the FADEC programme Vs Def Stan 00-55 Pts 1 & 2. At the time “The Procurement of Safety Critical Software in Defence Equipment” (renamed “Requirements for Safety Related Software” in 1997).
That matrix would reveal key requirements were completely ignored. One could write a book, but the most obvious example on FADEC is the Boscombe recommendation to re-write the software. Over the years, MoD has sought to present this as Boscombe having a hissy fit.
But the reality was that the regulations required a Safety Plan which incorporated a Code of Design Practice. That had to include an agreed acceptance criteria and “the procedures for dealing with unacceptable components” (00-55, Part 2, para 20k).
If I may quote the next para;
“The acceptance criteria for SCS should distinguish between errors in Formal Arguments and discrepancies found during dynamic testing. The criteria should include the maximum number of errors found by the V&V team in Formal Arguments or during Static Path Analysis beyond which the item will be redeveloped from scratch”.
Given that last, and the sheer number of anomalies uncovered during testing (see JB’s #7866), Boscombe’s recommendation seems entirely reasonable and in line with mandated policy. What we don’t know, however, is what the criteria were. We do know that Boscombe offered an opinion as to what number of anomalies would be acceptable, which tends to indicate no formal criteria was laid down in the Safety Plan. THAT is a major failure on the part of both MoD and Design Authority.
In time, such failures could be corrected. The issue I have here is one of timescale and unseemly haste. FADEC had been in development for years. Yet, a mere 3 weeks before ACAS signed the RTS, Boscombe were still flagging serious deficiencies in the Safety Critical Software. What happened in that 3 week period to persuade ACAS that Boscombe and CA were wrong? MoD’s justification was cobbled together after the event, for the benefit of the Fatal Accident Inquiry. As I’ve said before, they tried to dismiss the issue by saying the software was not Safety Critical; when it clearly was, as defined by MoD policy.
The entire programme is littered with similar major failures and deceit. This is not being wise after the event. On airworthiness, prior warning had been given to both MoD(PE) and AMSO senior staffs between 1988 and 1993; and the 1992 CHART report is effectively a consolidation of those reports as applied to Chinook HC Mk1 and Mk2 (plus Puma and Wessex).
The above doesn’t seek to explain the crash, but illustrate the Organisational Faults that make it impossible to attribute sole blame to the pilots. I sympathise to a degree with those charged with delivering the SCS. At the time, and ever since, MoD’s attitude toward safety amounted to criminal negligence. If a project manager flagged a safety problem, he risked disciplinary action, especially from the RAF Chief Engineer’s non-technical staffs. What is really despicable is the deliberate lies to cover up these failings. The emergence (into the public domain) of the CHART report is vital to understanding all this. To their credit, current MoD staffs have declined to comment, perhaps realising how utterly damning the report is and how implementation would have probably prevented the need for Haddon-Cave. But the reaction of retired officers is revealing; one in particular who delights in denigrating the pilots in the press but will now hopefully be called to account for the failure to implement the report’s recommendations.
Tandemrotor - good post.