Publication: ITWeb Issued: Date: 2007-10-16 Reporter: Leon Engelbrecht

Did Software Kill Soldiers?

 

Web Link: www.itweb.co.za

 

Johannesburg - The National Defence Force is probing whether a software glitch led to an antiaircraft cannon malfunction that killed nine soldiers and seriously injured 14 others during a shooting exercise on Friday.

SA National Defence Force spokesman brigadier general Kwena Mangope says the cause of the malfunction is not yet known and will be determined by a Board of Inquiry. The police are conducting a separate investigation into the incident.
 
Media reports say the shooting exercise, using live ammunition, took place at the SA Army's Combat Training Centre, at Lohatlha, in the Northern Cape, as part of an annual force preparation endeavour.

Mangope told The Star that it "is assumed that there was a mechanical problem, which led to the accident. The gun, which was fully loaded, did not fire as it normally should have," he said. "It appears as though the gun, which is computerised, jammed before there was some sort of explosion, and then it opened fire uncontrollably *1, killing and injuring the soldiers."

Other reports have suggested a computer error might have been to blame *3. Defence pundit Helmoed-Römer Heitman told the Weekend Argus that if "the cause lay in computer error, the reason for the tragedy might never be found".

Electronics engineer and defence company CEO Richard Young says he can't believe the incident was purely a mechanical fault *5. He says his company, C2I2, in the mid 1990s, was involved in two air defence artillery upgrade programmes, dubbed Projects Catchy and Dart.

Software details

During the shooting trials at Armscor's Alkantpan shooting range, "I personally saw a gun go out of control several times," Young says. "They made a temporary rig consisting of two steel poles on each side of the weapon, with a rope in between to keep the weapon from swinging. The weapon eventually knocked the polls (sic) down."

Young says he was also told at the time that the gun's original equipment manufacturer, Oerlikon, had warned that the GDF Mk V twin 35mm cannon system was not designed for fully automatic control. Yet the guns were automated. At the time, SA was still subject to an arms embargo and Oerlikon played no role in the upgrade.

"If I was an engineer on the Board of Inquiry, I would ask for all details about the software for the fire control system and gun drives," Young says. "If it was not a mechanical or operating system error, you must find out which company developed the software and did the upgrade."

Young says in the 1990s the defence force's acquisitions agency, Armscor, allocated project money on a year-by-year basis, meaning programmes were often rushed. "It would not surprise me if major shortcuts were taken in the qualification of the upgrades. A system like that should never fail to the dangerous mode [rather to the safe mode], except if it was a shoddy design or a shoddy modification.

"I think there have been multiple failures here; in software and the absence of interlocking safeguards." He asks if the guns were given arcs of fire and whether these were enforced with electromechanical end stops. "On a firing range you don't want guns to fire through 360 degrees."

Oerlikon's local agent, Intertechnic, did not respond to requests for comment. The SANDF said investigations were still under way.

The air defence artillery will, in the next two years, receive new missiles, radar and computer-based fire control equipment worth R3 billion as part of projects Guardian and Protector.

With acknowledgements to Leon Engelbrecht and ITWeb.



*1       One thing is for sure, the fire control system became unstable *2.


*2      Or possibly and very unfortunately, stably entered into an undesired state, from which it never emerged until all 550 rounds of ammunition had been expended.


A further question, other than system technical failures, is why the automatic ammunition loaders were not disengaged immediately after the initial stoppage occurred.

Was :
*3      Other than the implementation of system design techniques such as deterministic finite state machines and multiple levels of system safety interlocks (mechanical, electro-mechanical, firmware and software), there are simple mechanisms such as the dead man's hand: even if a severe fault occurs, such as the destruction of the control computer or firing control signal, the dead man's hand physically disengages any link between the computer and the mechanical firing mechanism, and the system is forced into a safe mode *4.


*4      This system safe mode can only be overcome by the willful engagement of the battleshort switch to enable soldiers to themselves fire the weapon in self-defence in a non-automatic mode.


*5      It might not only have been a technical fault, i.e. either mechanical, electronic or logic, but it could also have been, at least partly, an operational, i.e. procedural fault.
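
The design principles named in notes *3 and *4 (a deterministic state machine, layered interlocks, a dead man's hand and a battleshort override), together with Young's point about enforced arcs, can be sketched as a small model. This is an added illustration, not code from the article or from any real fire control system; the state names, event names and the 0 to 90 degree arc are assumptions made for the example.

```python
from enum import Enum, auto

class State(Enum):
    SAFE = auto()        # link to the actuator is open
    ARMED_AUTO = auto()  # computer may drive the actuator
    MANUAL = auto()      # battleshort engaged: operator only

# Explicit transition table; any (state, event) pair not listed falls to SAFE.
TRANSITIONS = {
    (State.SAFE, "arm"): State.ARMED_AUTO,
    (State.SAFE, "battleshort_on"): State.MANUAL,
    (State.ARMED_AUTO, "battleshort_on"): State.MANUAL,
    (State.ARMED_AUTO, "disarm"): State.SAFE,
    (State.MANUAL, "battleshort_off"): State.SAFE,
}

class Controller:
    def __init__(self, arc=(0.0, 90.0)):
        self.state = State.SAFE
        self.arc = arc              # permitted bearing range in degrees (constructed)
        self.deadman_held = False   # models a physical switch, not a software flag

    def event(self, name):
        # Faults and unknown events are simply absent from the table, so they fail safe.
        nxt = TRANSITIONS.get((self.state, name), State.SAFE)
        # Automatic mode is unreachable unless the operator holds the switch.
        if nxt is State.ARMED_AUTO and not self.deadman_held:
            nxt = State.SAFE
        self.state = nxt
        return nxt

    def set_deadman(self, held):
        self.deadman_held = held
        if not held and self.state is State.ARMED_AUTO:
            self.state = State.SAFE   # releasing the switch opens the link
        return self.state

    def permit(self, source, bearing):
        """Return True only if every interlock layer agrees."""
        lo, hi = self.arc
        if not (lo <= bearing <= hi):       # end stop: applies in every mode
            return False
        if self.state is State.ARMED_AUTO:
            return source == "computer" and self.deadman_held
        if self.state is State.MANUAL:
            return source == "operator"     # non-automatic only
        return False                        # SAFE: nothing is permitted
```

Because the transition table is the only way to leave SAFE, a reviewer can enumerate every reachable state and confirm that no fault path ends in a mode where the computer can still command the actuator.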