Category Archives: Campaign4Change

Familiar mistakes, wasted millions, big pay-offs and nobody accountable – yes, it’s the public sector IT-led transformation project

By Tony Collins

There’s no money to pay for bus services into Taunton at the weekend but local council officials have found £6.3m for unnecessary pay-offs to employees.

Unhappy residents can do nothing: when council officers are involved in a botched IT-led transformation scheme, the electorate cannot vote them out of office.

The costliest IT-led transformation failure in history was the £10bn NHS’s National Programme for IT [NPfIT], when unelected officials made wrong decisions in secret.

More than £7bn was wasted and nobody held to account.

Numerous other IT-led transformations have failed. A Cornwall Council report on a transformation by BT said, “Service Transformation anticipated at the time of contract commencement has not reached anything like the intended levels”.

An IT-led transformation at Birmingham Council, Europe’s biggest local authority, led to a spend of billions of pounds with Capita. Exactly how the money was spent councillors are unsure.

A leading Birmingham councillor John Clancy said, “The biggest problem we have is with transparency. We have little idea what is going on.”

Now a detailed report has been published on a failed IT-led transformation in Somerset in which familiar mistakes were made, millions spent unnecessarily, decisions made in secret and nobody held to account.

To local residents, the “transformation” meant unanswered phones, uncut grass and increased council tax and parking fees.

As happened in the planning for the NPfIT, potential savings were overestimated and the risks underestimated.

The plan was to merge two councils, Taunton Deane and West Somerset, using simplified business processes  and new technology. But officers made voluntary redundancy available to all staff before new ways of working had bedded in – although it has been well known in the business world for decades that major changes in ways of working need more staff at the outset.

Planning for the merger therefore contravened one of the most basic rules in any IT-led transformation: don’t make staff cuts until business change has bedded in.

Officials planned a redundancy scheme so attractive that many more  staff took pay-offs than expected  – including officers.

Short of staff because of the pay-offs, the merged council had to bring in agency and additional staff – perhaps including those it had made redundant.

Mike Rigby, executive member of the new council, said: “Clearly the so-called transformation programme had not worked.”

Thanks to local media coverage of the project failure, the merger is better known locally for the £6.35 worth of pay-offs to public servants than any benefits to local residents.

What went wrong is revealed in a cautiously-worded but thorough audit report by a not-for-profit audit team in Somerset called “Swap”.  The Swap report has the optimistic title “Transformation – Lessons Learned”.

As the Swap report puts it (politely) …

“The voluntary redundancy option for all staff within the organisation was not in the best interests of the organisation.”

It goes on to say that there was,

“little or no control over redundancy costs and little or no control over the ability to retain certain individuals with specialist knowledge and skills”.

To what extent were experienced, well-paid and professional officers in a position to dissuade ruling councillors from making well-known business mistakes?

Ruling councillors make policy decisions with advice from their permanent professional team of officers, led by the chief executive, on what is and what is not feasible. Officers also make the decisions on how to implement policy.

Will any officer be held accountable for the botched Somerset transformation scheme?  It is not a question being asked by officers in the new council.

The council’s new leader says the problems are in the past and lessons will be learned – but similar messages were given out after nearly every major IT-led transformation project failure over the past 30 years.

A lack of transparency was singled out as a common factor in “Crash“,  a book on the lessons from the world’s worst IT disasters published in 2000.  Its chapter on “concealment” urged those responsible for scrutinising an IT-led project to,

“…continually seek assurances that a major project is under firm and successful control and if you believe what you are told without independent verification expect to discover a disaster only when it is self-evident.”

The Somerset Swap report in 2020 report said,

“We are aware that a number of Members did not feel they were adequately kept informed on what was happening with the transformation programme.

“This would suggest that the engagement with Members was not as effectively managed as it could have been.

“… for a period of time we are not clear on what information Members were receiving as part of their ‘oversight’ …

“It was not until the later part of 2018 and early 2019 that the level of reporting and engagement seemed to increase, which was too late.”

The book Crash said it was the job of anyone responsible for scrutiny to “pry into computer schemes and not to be beaten back by assurances that everything is OK”.

Crash was not an obscure book on the lessons from big IT-related failures. Its findings were reported by national newspapers and specialist publications including Computer Weekly and New Scientist.

The Times Educational Supplement said of Crash that its case studies “illustrate so many general principles worth taking note of when looking at systems”. The New Scientist said of Crash that it is “essential” reading for “any organisation thinking of investing in a computer system”.

Why then were Crash’s lessons apparently ignored in Somerset’s transformation project and why isn’t anyone being held accountable?


A consultancy, “Ignite”, that received more than £1m for help with the transformation in Somerset has been the subject of an Advertising Standards Authority ruling.

Former Somerset IT professional David Orr, who has sought to hold local councils to account over botched schemes, complained to the Advertising Standards Authority over Ignite’s sales claims.

Ignite had published an unremittingly positive case study on the Somerset transformation scheme saying that the “operating model delivered all financial benefits identified in the business case …”

Orr told the Advertising Standards Authority that Ignite’s claims were “demonstrably false and unachieved”. He said other councils could be misled. The Advertising Standards Authority investigated, ruled in Orr’s favour and Ignite removed the case study from its website.

Orr says of the Somerset debacle,

“What is it about the word ‘transformation’ that causes so many councillors to lose their critical faculties?

“We were promised in 2016 that Somerset and Taunton Deane Councillors had learned lessons from the failed joint venture South West One with IBM that lost at least £69m.

“By 2019, we now learn that many of the same councillors have watched an all too similar failure in the ‘transformation’ project to merge two district councils into a new one called Somerset West and Taunton Council.

“Yet again the hubristic promises of ‘magic IT’ and electronic self-service have led to expensive failures.”

Orr referred to large pay-offs for some senior executives. “We need to stop paying for failure and why can’t we claw back some of these huge payouts…” he said.


Nobody has ever claimed democracy is perfect; and local democracy is particularly imperfect. Audit reports on IT-led transformations rarely – if ever – identify the real underlying cause of failures: the absence of public reporting of ongoing problems.

Such reports could deter failure because civil and public servants have no fear of elections, shareholders, losing money or going bust but they fear embarrassment.

They do not want their mistakes known while they are still in post. Hence no council, government department,  police force or NHS Trust will publish usefully detailed reports on their IT-led transformations while the officials responsible are still in post.

Three possible solutions:

a) Publish detailed progress reports on the IT-led transformation.

b) Elected representatives agree an IT-led transformation only after identifying everyone (or anyone) who has “skin in the game” – that is, a credible reason to fear failure.  If, in the event of failure, officers stand to receive large pay-offs, that’s a good enough reason not to proceed.

c) Simplifying and standardising business processes is usually a good idea if (i) staff numbers involved are doubled until new ways of working have bedded in (ii) realistic calculations  are made of potential costs and savings and (iii) those costs are doubled and the savings halved. If the cost-benefit analysis still looks good, you may have a workable plan.

Thank you to David Orr whose extraordinary tenacity has helped to expose poor decision making, squandered public money and repetitions of familiar mistakes by some councils in Somerset.  

Ignite consultants “probably” breached advertising code

Slapped wrist for Ignite

Merger disaster – critics speak out

Why the victory in Horizon IT dispute is momentous

By Tony Collins

Congratulations to Alan Bates whose remarkable campaign for justice has achieved all he said it would 15 years ago.

In a letter to Computer Weekly in 2004 Bates said,

“I fully expect it to take a number of years to bring Post Office Ltd to account for what they have done to us, but we are determined to do it.”

Now his feat in bringing the truth into the public domain against all odds has become one of the most momentous campaigns for justice in modern times.

The Post Office had a total of four Queen’s Counsels, two major firms of solicitors and seemingly limitless funding as a publicly-owned institution. The judge described its legal spending as “very high, even by the standards of commercial litigation between very high value blue chip companies”.

On Bates’side was a group former sub-postmasters who acted as lead claimants in the case, a technical expert, a former Fujitsu whistleblower and a remarkably effective legal team brought together by Freeths solicitors with venture funding. The judge Sir Peter Fraser found the evidence given by the Bates side helpful and credible. He praised the quality of evidence of the witnesses and the balanced assistance to the court of the expert witness.

On the Post Office side, the judge questioned the truthfulness of evidence given by the Post Office’s witnesses. He found numerous flaws in the evidence of its expert witness. The judge also expressed concerns about Fujitsu, supplier of the Horizon system whose alleged robustness was at the heart of the dispute.

The conduct of the Post Office may, with the advent of a new Parliament, be the subject of debate, questions and a possible inquiry. There will be questions about how the Post Office was allowed to behave the way it did.

The judge said,

“The Post Office’s approach to evidence, even despite their considerable resources which are being liberally deployed at considerable cost, amounts to attack and disparagement of the claimants individually and collectively, together with the wholly unsatisfactory evidence of Fujitsu personnel …”

But for the court case, evidence that the Horizon system could have caused the shortfalls for which sub-postmasters were blamed and, in some cases, prosecuted, would not have emerged.

Bates and his team have held the Post Office to account in a way in which ministers and the civil service failed. During the 15 year dispute,  some have died including campaigning former sub-postmaster Julian Wilson. As the livelihoods of sub-postmasters were lost, family homes sold, marriages dissolved and traumatised individuals tried to pick up the pieces of shattered lives, no minister or civil servant showed even a hint of a sign of wanting to hold the Post Office to account.

Former sub-postmasters were blamed and imprisoned for shortfalls that could have been caused by Horizon systems bugs or transactions inserted from a remote location but ministers and civil servants who were responsible for the Post Office considered the prosecutions to be none of their business.

MPs called it a national scandal before anything was known of the conduct of the Post Office and its witnesses at the trials.

The Post Office has issued an apology that journalist Nick Wallis, who has covered the trials and kept the dispute in the public eye, described as “less than fulsome”.

The apology contains no acknowledgement of the Post Office’s conduct and behaviours in court this year, which suggests that, underneath a few changes of rules, procedures and contracts, the Post Office will continue to be culturally and attitudinally exactly the same organisation it was when Bates started his campaign in 2004.

One of the striking characteristics of the Post Office throughout the years has been an absence of humility or contrition. It remains a striking facet today, an impression reinforced by its carefully-worded apology.

Indeed, the judge refers to the Post Office’s “institutional” problems. He said,

“The approach by the Post Office to the evidence of someone such as Mr Latif [a former sub-postmaster] demonstrates a simple institutional obstinacy or refusal to consider any possible alternatives to their view of Horizon, which was maintained regardless of the weight of factual evidence to the contrary.

“That approach by the Post Office was continued, even though now there is also considerable expert evidence to the contrary as well (and much of it agreed expert evidence on the existence of numerous bugs).

“This approach by the Post Office has amounted, in reality, to bare assertions and denials that ignore what has actually occurred, at least so far as the witnesses called before me in the Horizon Issues trial are concerned. It amounts to the 21st century equivalent of maintaining that the earth is flat.”

At another point in his ruling, the judge refers to the Post Office’s “extreme sensitivity” that seemed to verge at times on “institutional paranoia”. He was referring to “any information that may throw doubt on the reputation of Horizon, or expose it to further scrutiny”. There are no signs this defensiveness has gone.

The judge also refers to a request by the then CEO for a taskforce to investigate points made by a critic of the Post Office Tim McCormack. The CEO’s request said,

“Can I have a report that takes the points in order and explains them. Tim McCormack is campaigning against PO and Horizon. I had another note from him this am which Tom will forward, so you are both in the loop. We must take him seriously and professionally.”

But a reply the same day from a senior manager said, “Can you stand down on this please? [A redacted section then follows.] Any specific actions and I will revert. My apologies.”

The judge was mystified. He said,

“ I can think of no justifiable reason why the Post Office, institutionally, would not want to address the Chief Executive’s points and investigate as she initially intended, and find out for itself the true situation of what had occurred.”

The Post Office’s brief apology gives no hint of any change to the inexplicable attitudes that led to McCormack’s points not being answered. It doesn’t explain the Post Office’s attempts to stop disclosure of relevant information in the case. Or its attempt this year to have removed the one person able to hold it to account – the judge Sir Peter Fraser.

And it doesn’t explain the bizarre notion of ruining hundreds of lives to defend a corporate computer system.

What the briefness of the Post Office’s apology does explain, however, is the small amount it is willing to pay in compensation. Nick Wallis reports that the 550 former sub-postmasters who were part of the case may receive £8-11m between them after legal fees and venture funders are paid. That will represent a large shortfall on the money the sub-postmasters lost.

But the funders deserve payback for the risks they took and the legal team deserves its fees for its profound understanding of the nuances of the case, the depth of its investigation, its appointment of an outstanding QC to represent the claimants and the sensitivity and discernment in the way he conducted the case.

What the Bates victory does achieve is worth more than money: innocents may have their names cleared and their criminal records expunged. They will be able to go abroad without being pulled aside because of their record. Their reputations in the community will be officially restored.

Not only have 1,000 or more former sub-postmasters been vindicated but the practices, conduct and behaviours of the Post Office as an institution have been exposed. The credibility of the evidence of some of its most senior named individuals has been undermined in the rulings.

Soon the questions in Parliament will begin. The demands for accountability have yet to be met.

Meanwhile Bates and all the other sub-postmasters caught up in a campaign they would have loved never to have needed can dwell on a victory that is surprising, remarkable and historic given the seemingly-invulnerable and implacable institutional attitudes and cultures that opposed them.

Nick Wallis has an excellent account of the latest ruling: They did it.

Computer Weekly has an exclusive interview with Freeths that explains the compensation amount of about £58m.

Campaigner Tim McCormack’s blog.

Fujitsu faces prosecution – Law Society Gazette


How did ministers and the civil service let the Post Office behave like this?

Tony Collins

A public or Parliamentary inquiry into the implications of High Court rulings on the Post Office’s business could answer important outstanding questions.

Now that the Post Office has apologised and settled a long dispute with hundreds of former sub-postmasters over the Horizon IT system, the question can be asked: how did ministers and the civil service stand by and let the Post Office damage hundreds of lives?

Why have a public inquiry?      

In its written statement for the opening of the “Common Issues” High Court trial, the Post Office warned of serious dire consequences to its business if it lost the case. The Post Office said that if the claimants (sub-postmasters) were right,

“this would have a very serious impact on Post Office and its ability to control its network throughout the UK”.

The Post Office also said,

“If the Claimants were right in the broad thrust of their case, this would represent an existential threat to Post Office’s ability to continue to carry on its business throughout the UK in the way it presently does.”

This raises a question of whether a public inquiry by MPs after the general election would be needed to look at i) what impact there will be on the Post Office and its ability to control its network throughout the UK and ii) in what way the judgement now represents an existential threat to the Post Office.

Further questions that could be put to an inquiry include:

  1. The legal proceedings contained what the judge called “very wide ranging and extremely serious allegations against the Post Office” which included unlawful treatment of former sub-postmasters leading to bankruptcy and imprisonment. What accountabilities will apply if it transpires the Post Office acted unlawfully?
  2. It is obvious to anyone who works in IT that no complex IT system is infallible but when the Post Office made its case repeatedly in public that sub-postmasters were wrong to blame Horizon, why did no minister or civil servant raise any effective challenge?
  3. The Appeal Court said the Post Office felt entitled to treat sub-postmasters in “capricious or arbitrary ways which would not be unfamiliar to a mid-Victorian factory-owner.” Do these criticisms represent a defining and irreversible culture of the Post Office and, if so, what are the implications for its future management and scrutiny by government?
  4. What are the implications of the dispute on the public funding of the Post Office?,
  5. Is the Post Office in a credible position to make referrals for possible prosecutions given the High Court’s criticisms of its conduct and wrong interpretations of the law?
  6. Why did it take a series of long and costly trials in the High Court for the Post Office to acknowledge – and then only tacitly – that hundreds of its former sub-postmasters were not incompetents, fraudsters or liars?
  7. Will the apologies make any difference to the attitude of senior people in the Post Office whose “entrenched” views were that claimants were either dishonest or wholly incompetent?
  8. Being 100% state-owned, the Post Office has a duty to protect public money and therefore needs robust systems, procedures and contracts in place. What do the High Court rulings say about the robustness of the Post Office’s Horizon system?

There are further questions to be asked. In its apologies the Post Office makes it clear it is referring to past actions in its relationship with sub-postmasters. But what of its own conduct in court this year?

Tim Parker, the Post Office’s chairman, referred to “the past” in his settlement statement…

“We accept that, in the past, we got things wrong in our dealings with a number of postmasters…”

The Post Office’s statement also referred to “the past” …

“The Post Office would like to express its gratitude to claimants, and particularly those who attended the mediation in person to share their experiences with us, for holding us to account in circumstances where, in the past, we have fallen short and we apologise to those affected.”

But the trial judge, Sir Peter Fraser QC, criticised the conduct of the Post Office this year. He questioned the truthfulness or accuracy of a succession of Post Office witnesses who gave evidence during the trial. He said of the Post Office’s most senior witness that she tried to mislead him. “… I find that she did not give me frank evidence, and sought to obfuscate matters, and mislead me.” Was this behaviour “in the past?”

Of another Post Office witness, the judge said, there was “something of an air of unreality about his evidence … I consider his evidence suffered from an overarching reluctance to provide accurate evidence, if that may assist the Claimants”.

The judge also found that a corporate website run by the National Federation of SubPostmasters, which is funded by the Post Office, was altered during the trial to “bolster the Post Office’s position”.

Other comments by the judge raise questions whether any new CEO, however competent and well-meaning, can change the culture of a public institution. Although the Post Office’s apologies relate to its relationship with sub-postmasters, the judge’s rulings this year went wider.

He referred to the Post Office’s appearing at times to “conduct itself as though it is answerable only to itself” which raises a further question about what happened to government and departmental scrutiny.

He also said the Post Office “has appeared determined to make this litigation, and therefore resolution of this intractable dispute, as difficult and expensive as it can”.


Congratulations to former sub-postmaster Alan Bates without whom the Post Office may still be wrongly making sub-postmasters pay for shortfalls shown on the Horizon system. It is astonishing that the Post Office was unable at the hearings to accept that he was telling the truth.

Indeed the judge commented on the truthworthiness of the sub-postmasters who gave evidence, although the Post Office had depicted several of them as liars.

How was it the judge was able to see the sub-postmasters who gave evidence in a totally different light to the Post Office?

The Post Office’s apologies are welcome. They are limited apologies however.

There are signs in them that, despite the best intentions of the new CEO, the institution and its culture is essentially unchanged by the litigation and settlement.

The Post Office’s statements do not in any way acknowledge its own conduct in court this year. Its statements yesterday are careful to refer to mistakes “in the past” and are careful to categorise these mistakes as referring to its relationship with sub-postmasters, not its conduct in court.

Truthfulness in court is surely the least one could expect of senior Post Office officials? The Post Office is, after all, an institution that can investigate and refer suspected criminal behaviour for possible prosecution.

The judge repeatedly criticised the Post Office for evidence that appeared to geared more to public relations than factual accuracy. Indeed the Post Office’s statements yesterday appear to be geared towards protecting its image. They imply that the settlement and apology put an end to actions “in the past”, as if the whole matter were now concluded.

It would be a tragedy for the families of those who have died and the former sub-postmasters who have lost their health, gone to prison and been ruined for nobody to held accountable. An inquiry could at least question former ministers, civil servants and Post Office executives, past and present.

The biggest unanswered question is how it was allowed to happen. The High Court rulings show, if nothing else, how a public institution can behave if it has no effective government scrutiny.

When a public institution acts as if it is unanswerable to nobody, its culture is more suited to an authoritarian or totalitarian regime.


Without accountability to come, the settlement means that the Post Office, being a public institution, has lost nothing and the former sub-postmasters have lost their livelihoods or worse. No amount of compensation will bring back their lost years.

Having suffered no personal loss or consequences for actions and behaviours and conduct, will the real winners of the Horizon IT dispute be the Post Office? It can afford to pay out any number of millions without worrying about shareholder confidence or going bust. An inquiry is vital for justice in the long term.

Will the Post Office be delighted at the settlement? Nick Wallis

Vilified then vindicated – Computer Weekly’s blog on the settlement.

Thank you to Eleanor Shaikh  for her research that established the formal and comprehensive responsibilities of ministers and civil servants to scrutinise the Post Office.

Thank you to Tim McCormack –  @Jusmasel2015 – and Mark Baker – @CWUPostmaster .- for answering my questions, their blog posts and their commitment to achieving justice. A special thank you also to @nickwallis and Computer Weekly’s @Karlfl.

Is the Post Office to blame for Horizon IT dispute – or is it really ministers and civil servants?

By Tony Collins

How does a public institution behave when it has little effective oversight?

Mr Justice Peter Fraser is expected to rule shortly on a critical question that is at the heart of a long-running IT dispute between the Post Office and hundreds of former sub-postmasters.

His ruling may answer the question of whether the Post Office’s “Horizon” IT or sub-postmasters were likely to have been to blame for unexplained shortfalls of sometimes tens of thousands of pounds shown on local branch systems.

If the Post Office loses the High Court case, it could end up paying damages of hundreds of millions of pounds – which could fall to the taxpayer. The state owns 100% of the Post Office. Public funding of the Post Office amounted to £2bn between 2010 and 2017 and a further funding package of £370m is agreed until 2021. Any damages could be on top of this.

If the case ends up with the Post Office’s needing a taxpayer bail-out, this would raise some obvious questions:

  1. Who in government and the civil service provided oversight when the Post Office decided controversially to trust what was shown on a proprietary computer system rather than the word of hundreds of local branch sub-postmasters?
  2. Who in government and the civil service endorsed the Post Office’s decision to defend litigation that could end up costing taxpayers hundreds of millions of pounds?
  3. Who in government and civil service endorsed the decision to continue defending the litigation – and indeed deepening it – despite excoriating criticisms of the Post Office by two High Court judges?

It is still possible for the Post Office to win the case in which event its actions and decisions may be vindicated. But it has lost every interim ruling so far, in a case which has lasted two years to date.

When asked about their oversight of the Post Office, ministers have distanced themselves.

In August 2019, the then Minister for Postal Services, Kelly Tolhurst, said in a letter that Post Office Limited “operates as an independent, commercial business and the matters encompassed by this litigation fall under its operational responsibility”.

But thanks to extensive research by Eleanor Shaikh, a reader of the blog of journalist Nick Wallis, who is crowd-funded to cover the High Court hearings, we know that civil servants reporting to ministers have extensive responsibilities for oversight of the Post Office.

The state categorises the Post Office as an “Arm’s Length Body”]. Shaikh learned that the Department for Business Energy and Industrial Strategy is required to “exercise meaningful and commensurate oversight of ALB [Arm’s Length Body] strategy, financial management, performance and risk management”.

A 2014 Civil Service document, Introduction to Sponsorship, adds that,

“the Secretary of State is ultimately accountable to Parliament for the overall effectiveness and efficiency of each ALB of which their department is responsible.”

It’s not only about oversight. Civil servants are,

“… expected to play an active role in the governance, financial management, risk management and performance monitoring of ALBs and are responsible for managing the relationship with an ALB on behalf of the Minister and the AO [accounting officer].”

Wallis reports in full on Shaikh’s findings.

How effective has civil service oversight been so far?

The judge’s comments in his ruling of March 2019, which the Post Office is seeking leave to appeal, suggest that there has been little effective civil service challenge to Post Office’s decisions. Indeed, one of the judge’s findings was that,

“The Post Office appears, at least at times, to conduct itself as though it is answerable only to itself.”

The judge also criticised,

  • untrue statements by the Post Office
  • threatening and oppressive behaviour by the Post Office.
  • the Post Office’s appearing “determined to make this litigation, and therefore resolution of this intractable dispute, as difficult and expensive as it can”.
  • the Post Office house style for some senior management personnel giving evidence which was to “glide away from pertinent questions, or questions to which the witness realised a frank answer would not be helpful to the Post Office’s cause”.
  • a culture of secrecy and excessive confidentiality generally within the Post Office but particularly focused on Horizon
  • Post Office witnesses in general who have become “so entrenched over the years, that they appear absolutely convinced that there is simply nothing wrong with the Horizon system at all …”
  • attempts by the Post Office to prevent some evidence from emerging into the public domain by applying to have it struck out as irrelevant
  • attacks by the Post Office on the credibility of sub-postmasters whom the judge found credible as witnesses in the case.
  • some Post Office procedures that went from the sublime to the ridiculous,
  • some Post Office submissions that were “bold, pay no attention to the actual evidence, and seem to have their origin in a parallel world”.
  • the Post Office’s asking a sub-postmistress to extend the local branch’s opening hours a day after her husband, who ran the branch, had died.

Of the Post Office’s most senior witness, a director, the judge described her as highly intelligent. She on occasions gave clear and cogent evidence. She helped to improve the Horizon system and had provided some useful evidence.

But in describing parts of her evidence he also referred to a “degree of obstinacy”, extraordinarily partisan”, “sought to obfuscate matters…”, “disingenuous” and a “disregard for factual accuracy”. He said at one point in his ruling, “I find that she was simply trying to mislead me.”

He concluded, “I find that it is necessary to scrutinise everything she said as a witness, both in her witness statement and in cross-examination, and treat it with the very greatest of caution in all respects.”


If the judge is right in his criticisms – and it is too early in the appeals process to say conclusively that he is right – is he simply describing the behaviour of a state institution that is, in essence, without higher control?

Civil servants from, among others, the Department for Work and Pensions, HM Revenue and Customs, the Ministry of Defence, Home Office and DEFRA appear regularly before the Public Accounts Committee and are the subject of value-for-money investigations by the National Audit Office. The Post Office has little of this scrutiny.

A large private company has many shareholders and the threat of going bust to keep it in check. But the Post Office is too big and important to the community to be allowed to fail.

When Boeing’s aircraft technology is the subject of independent, detailed and widespread criticism, its planes are grounded indefinitely while regulators investigate.

The Post Office has no fear of any regulators shutting down its Horizon system.

In an accountability vacuum, how can a state institution be expected to behave?

Individuals within a large organisation will have a sense of right and wrong. But collectively, can people within state institutions be expected to do much more than meet the requirements of the culture and law as they perceive it?

That is why effective and rigorous oversight of state institutions is critical, if only to protect the interests of taxpayers.

When the widow of a sub-postmaster who’d died the previous day took over his branch, the Post Office asked her to extend the opening hours, which seems to have surprised the judge. Wouldn’t that behaviour surprise anyone?

When shortfalls were shown on the computer system, how easy was it for the Post Office to demand that sub-postmasters made good the losses sometimes without full investigations? It was easier, perhaps, without effective oversight.

Can the Post Office be held entirely responsible for the Horizon IT debacle? It is a state institution. Responsibility for the debacle lies, therefore, with ministers and civil servants, whatever the outcome of the Horizon dispute.

Nick Wallis’ trial coverage including Eleanor Shaikh’s research on the oversight that ought to be provided by ministers and the civil service.

Computer Weekly’s useful summary of the latest position


Civil servant in charge of £9.3bn IT project is not shown internal review report on scheme’s failings.

By Tony Collins

“If people don’t know what you’re doing, they don’t know what you’re doing wrong” – Sir Arnold Robinson, Cabinet Secretary, Yes Minister, episode 1, Open Government.

Home Office officials kept secret from the man in charge of a £9.3bn project a report that showed the scheme in serious trouble.

The Emergency Services Network is being designed to give police, ambulance crew and firemen voice and data communications to replace existing “Airwave” radios.  The Home Office’s permanent secretary Philip Rutnam describes the network under development as a “mission-critical, safety-critical, safety-of-life service”.

But Home Office officials working on the programme did not show an internal review report on the scheme’s problems to either Rutnam or Stephen Webb, the senior responsible owner. They are the two civil servants accountable to Parliament for the project.

Their unawareness of the report made an early rescue of the Emergency Services Network IT programme less likely. The scheme is now several years behind its original schedule, at least £3.1bn over budget and may never work satisfactorily.

The report’s non circulation raises the question of whether Whitehall’s preoccupation with good news and its suppression of the other side of the story is killing off major government IT-based schemes.

With the Emergency Services Network delayed – it was due to start working in 2017 – police, ambulance and fire services are having to make do with the ageing Airwave system which is poor at handling data.

Meanwhile Motorola – which is Airwave’s monopoly supplier and also a main supplier of the Emergency Services Network – is picking up billions of pounds in extra payments to keep Airwave going.

Motorola may continue to receive large extra payments indefinitely if the Emergency Services Network is never implemented to the satisfaction of he emergency services.

EE is due to deliver the network component of the Emergency Services Network. Motorola is due to supply software and systems and Kellogg Brown & Root is the Home Office’s delivery partner in implementing the scheme.

Has Whitehall secrecy over IT reports become a self-parody?

The hidden report in the case of the Emergency Services Network was written in 2016, a year after the scheme started. It said that dialogue between suppliers, notably EE and Motorola, did not start until after the effective delivery dates. Integration is still the main programme risk.

MP SIr Geoffrey Clifton Brown has told the Public Accounts Committee that the report highlighted an absence of clarity regarding dependency on the interface providers, which caused something of an impasse.

He said the report “alluded to the fact that that [a lack of clarity around integration] remains one of the most serious issues and is not showing any signs of resolution”.

Stephen Webb has been in charge of the project since its start but he is the business owner, the so-called “senior responsible owner” rather than the programme’s IT head.

In the private sector, the IT team would be expected to report routinely to a scheme’s business owner.

But in central government, secrecy over internal assurance reports on the progress or otherwise of major IT-related projects is a Whitehall convention that dates back decades.

Such reports are not published or shared internally except on a “need-to-know” basis. It emerged during legal proceedings over the Universal Credit IT programme that IT project teams kept reports secret because they were “paranoid” and “suspicious” of colleagues who might leak documents that indicated the programme was in trouble.

As a result, IT programme papers were no longer sent electronically and were delivered by hand. Those that were sent were “double-enveloped” and any that needed to be retained were “signed back in”; and Universal Credit programme papers were watermarked.

The secrecy had no positive effect on the Universal Credit programme which is currently running 11 years behind its original schedule.

Webb has told MPs he was “surprised” not to have seen review report on the Emergency Services Network. He discovered the report’s existence almost by accident when he read about it in a different report written a year later by Simon Ricketts, former Rolls Royce CIO.

This month the Public Accounts Committee criticised the “unhealthy good news” culture at the Home Office. The Committee blamed this culture for the report’s not being shown to Webb.

The Home Office says it doesn’t know why Webb was not shown the “Peter Edwards” report. The following was an exchange at the Public Accounts Committee between MP Sir Geoffrey Clifton-Brown, Webb and Rutnam.

Clifton-Brown: When you did that due diligence, were you aware of the Peter Edwards report prepared in the fourth quarter of 2016?

Rutnam: No, I’m afraid I was not. The Peter Edwards report on what exactly, sorry?

Clifton-Brown: Into the problems with ESN [Emergency Services Network], in particular in relation to suppliers.

Rutnam: I do not recall it. It may have been drawn to my attention, but I’m afraid I do not recall it.

Webb: It was an internal report done on the programme. I have not seen it either.

Clifton-Brown: You have not seen it either, Mr Webb—the documents tell us that. Why have you not seen such an important report? As somebody who was in charge of the team—a senior responsible officer—why had you not seen that report?

Webb: I don’t know. I was surprised to read it in Simon’s report. [Simon Ricketts.]

Chair: Who commissioned it?

Webb: The programme leadership at the time.

Chair: That is the board?

Webb: The programme director. It was a report to him about how he should best improve the governance. I think he probably saw it as a bit of an external assurance. It probably would have been better to share it with me, but that was not done at the time.

Clifton-Brown: “Probably would have been better to share it”? That report said that dialogue between suppliers, notably EE and Motorola, only started after the effective delivery dates. The report highlighted that there was not clarity regarding dependency on the interface providers, and that caused something of an impasse. It also alluded to the fact that that remains one of the most serious issues and is not showing any signs of resolution. That was in 2016, in that report. Had that report been disseminated, would we still be in the position that we are today?

Webb: I think that we would have wanted to bring forward the sort of [independent] review that the Home Secretary commissioned, and we would have done it at an earlier date.

Clifton-Brown: Why did you need to? You would not have needed to commission another review. You could have started getting to the root of the problem there and then if you had seen that report.

Webb: Yes.


Webb and Rutman seem highly competent civil servants to judge from the open way they answered the questions of MPs on the Public Accounts Committee.

But they did not design the Emergency Services Network scheme which, clearly, had flawed integration plans even before contracts were awarded.

With no effective challenge internally and everything decided in secret, officials involved in the design did what they thought best and nobody knew then whether they were right or wrong. With hindsight it’s easy to see they were wrong.

But doing everything in secret and with no effective challenge is Whitehall’s  systemically flawed way of working on nearly all major government IT contracts and it explains why they fail routinely.


It’s extraordinary – and not extraordinary at all – that the two people accountable to Parliament for the £9.3bn Emergency Services Network were not shown a review report that would have provided an early warning the project was in serious trouble.

Now it’s possible, perhaps even likely, the Emergency Services Network will end up being added to the long list of failures of government IT-based programmes over the last 30 years.

Every project on that list has two things in common: Whitehall’s obsession with good news and the simultaneous suppression of all review reports that could sully the good news picture.

But you cannot run a big IT-based project successfully unless you discuss problems openly. IT projects are about solving problems. If you cannot admit that problems exist you cannot solve them.

When officials keep the problems to themselves, they ensure that ministers can be told all is well. Hence, ministers kept telling Parliament all was well with the £10bn National Programme for IT in the NHS  – until the scheme was eventually dismantled in 2011.

Parliament, the media and the public usually discover the truth only when a project is cancelled, ends up in the High Court or is the subject of a National Audit Office report.

With creative flair, senior civil servants will give Parliament, the National Audit Office and information tribunals a host of reasons why review reports on major projects must be kept confidential.

But they know it’s nonsense. The truth is that civil servants want their good news stories to remain uncontradicted by the disclosure of any internal review reports.

Take the smart meters roll-out. Internal review reports are being kept secret while officials give ministers and the Department for Business, Energy and Industrial Strategy the good news only. Thus, the latest Whitehall report on smart meters says,

“Millions of households and small businesses have made the smart choice to get a smart meter with over 12.8 million1 operating in smart mode across Great Britain. This world leading roll out puts consumers firmly in control of their energy use and will bring an end to estimated bills.”

Nothing is said about millions of homes having had “smart” meters installed that are neither smart nor compatible for the second generation of smart meters which have a set of problems of their own.

The answer?

For more than 30 years the National Audit Office and the Public Accounts Committee have published seemingly unique reports that each highlight a different set of problems. But nobody joins the dots.

Sir Arnold, the Cabinet Secretary said in “Yes Minister“, that open government is a contradiction in terms. “You can be open, or you can have government.

This is more than a line in a TV satire.  It is applied thinking in every layer of the top echelons of civil service.

Collective responsibility means civil servants have little to fear from programme failures. But they care about departmental embarrassment. If reviews into the progress or otherwise of IT-enabled programmes are published, civil servants are likely to be motivated to avoid repeating obvious mistakes of the past. They may be motivated to join the dots.

But continue to keep the review reports secret and new sets of civil servants will, unknowingly each time, treat every project as unique. They will repeat the same mistakes of old and be surprised every time the project collapses.

That the civil service will never allow review reports of IT programmes to be published routinely is a given. If the reports were released, their disclosure of problems and risks could undermine the good news stories ministers, supported by the civil service, want to feel free to publish.

For it’s a Whitehall convention that the civil service will support ministerial statements whether they are accurate or not, balanced or not.

Therefore, with review reports being kept secret and the obsession with good news being wholly supported by the civil service, government’s reputation for delivering successful IT-based programmes is likely to remain tarnished.

And taxpayers, no doubt, will continue to lose billions of pounds on failed schemes.  All because governments and the civil service cannot bring themselves to give Parliament and the media – or even those in charge of multi-billion pound programmes –  the other side of the story.

Home Office’s “unhealthy good news culture” blamed for Emergency Services Network Delays – Civil Service World

Emergency Services Network is an emergency now – The Register

Home Office not on top of emergency services programme – Public Accounts Committee report, July 2019

Is Britain capable of managing its own affairs after Brexit?

By Tony Collins

The slogan “take back control” implies Britain is adept at running what it currently controls. But is it?

Ministers and officials now control central government administration. The following summarised case studies give an indication of how well they cope with this task:

– Ministers and senior civil servants lost billions on the National Programme for IT in the NHS after repeatedly telling Parliament of its successes. The scheme was “dismantled” in 2011. Afterwards a new organisation was formed, NHS England, which went from IT disaster to IT disaster.

– The biggest reform in central government, Universal Credit, is, so far, 11 years behind schedule and is the second botched welfare reform programme, the £2.6bn “Operational Strategy” being the first.

– Central government’s largest department, the DWP has had its financial accounts qualified every year for the last 31 years because of high levels of fraud and error. Overpayments and underpayments are now at their highest level since 2005-6.

– The Home Office has gone from IT disaster to IT disaster, as has the Ministry of Justice and the Rural Affairs Agency only sometimes pays farmers the correct amount of subsidy.

– The Emergency Services Network is more than £3.0 over budget and isn’t expected to pay for itself until 2029.

– The Department for Business, Energy and Industrial Strategy continues to tell Parliament of the success of its £12bn smart meter rollout programme. But the few dozen latest-generation SMETS2 smart meters installed in Britain’s homes are said to have cost £28m each.

– Last month a report of the National Audit Office said government data is of such poor quality that officials try to steer around it.

– Last week, the Public Accounts Committee’s annual report said, “we see the same pattern of mistakes repeated consistently across Government”.

– It said the same in its 2018 annual report. The repetition of problems and mistakes was “depressingly familiar”.

– When a minister tries to cut what he sees as the exorbitant costs of central government administration, senior civil servants fight against him. Former Cabinet Office minister Lord Maude, who wanted to bring down the costs of central government IT, later lamented the “overt disobedience” of some senior civil servants.

– Transparency in central government is almost non-existent. The LSE found it impossible to establish the costs of central government administration, in part because civil servants keep changing what counts as an administration cost.

As an aside, a look at how well ministers and officials handle the nation’s finances shows that net public sector pension liabilities are £1,865bn, the equivalent of more than £68,000 per UK household and 92% of GDP.

The shortfall between assets and liabilities increased from £2,420bn to £2,565bn in 2017 and borrowing rose by £58bn – far more than the entire “Brexit divorce bill” of £39bn.

[Medical negligence claims on their own stood at £78.4 billion at 31 March 2018.]


The little openness that exists in government IT depends to an extent on EC open tendering regulations. Open competition for contracts is also largely the result of EC regulations.

These regulations ensure contracts and winners are published; and the EC investigates allegations of breaches of its rules.

Without these regulations, ministers and officials would have more freedom to award large contracts to the same companies – ones that may later recruit them.

Anyone who regularly reads National Audit Office reports knows that there are pockets of competence in central government but consider how IT over the last 30 years has cut costs for the private sector and compare that with the increasing costs of running central government.

There are impressive exceptions, the Department for Digital, Culture, Media & Sport being one.

A frightening thought?

EC regulations deter corruption among ministers and officialdom. Why would anyone be in a hurry to be rid of them?

UK central government administration is largely unaccountable and opaque at the moment, particularly when it comes to arm’s length bodies such as the Post Office. After Brexit, central government administration is destined to become less open and accountable, and thus more costly – a frightening thought for anyone who cares how their taxes are spent.

Horizon IT trial has a focus on probability theory – but it’s seemingly impossible events that cause some of the worst failures of complex systems

By Tony Collins

Can probability theory explain a single one of the Post Office’s major incidents?

Analysis and comment

One focus of the latest High Court hearings over the Post Office Horizon system has been the likelihood or otherwise of known bugs causing losses for which sub-postmasters were held responsible.

The Post Office argues that Horizon is robust and it has countermeasures in place to ensure any errors with potentially serious consequences are detected and corrected.

So reliable is Horizon – thousands of people use it daily without lasting problems – that the Post Office has expressed no doubts about blaming sub-postmasters for losses shown on the system.

But sub-postmasters argue that they did not steal any money and that spurious losses were shown on a system that was demonstrably imperfect at times.

The arguments and counter-arguments have left journalist Nick Wallis who is covering the trial with this impression …

“What you can’t do is actually get a sense of whether Horizon’s bugs, errors and defects caused discrepancies for which subpostmasters have been held liable…

“The expert answer to whether Horizon is responsible for causing discrepancies in branch accounts appears to be ‘possibly’ or ‘possibly not’.”

As Wallis also points out, there may not be enough information on which to make a definitive judgement.

The Post Office’s own expert has referred to …

“levels of depth and complexity in the way Horizon actually works which the experts have not been able to plumb …”

The expert agreed that it was usually difficult to make categorical negative statements of the form: x or y never happened.

This uncertainty raises questions of about how any judge can decide whether Horizon did or did not cause the losses complained of in the litigation.

As part of its case, the Post Office has used probability theory – a branch of maths – to help demonstrate the robustness of Horizon.

This was some of the evidence given in court …

“And we have to take 50,000, we divide it by 3 million, and what I get from that is I can cancel  all the thousands out and I get 32 x 50/3, so that is about 500.  So it is consistent with one occurrence of a bug to each claimant branch during their tenure.”

Another piece of evidence …

“the chances of the bug occurring in a Claimants’ branch would be about 2 in a million.”

The expert made it clear that statistics are not a substitute for hard facts.

But what when the seemingly impossible occurs?

Adding to the “levels of depth and complexity in the way Horizon actually works which the experts have not been able to plumb” is a layer of further possible uncertainty: whether bugs or complex system-related issues affected branch accounts in ways that were not detected or were not considered possible as part of a complex sequence of apparently random events.

Below is a list of some aircraft accidents involving technology or complex system-related problems where the seemingly impossible or the unanticipated happened.

As these involved a sequence of events that had not been considered possible or were not deemed a serious risk, the system operators (pilots) had not been trained to mitigate the consequences.

In many of the accidents, pilots were blamed initially but investigators found, sometimes after years of tests of systems and equipment, that the aircraft was at fault.

The Post Office in the High Court hearings has compared the robustness of Horizon to aircraft and other systems. The Post Office’s QC compared Horizon’s robustness to “systems that keep aircraft in the air, that run power stations and run banks”.

Banking systems are indeed robust but they do fail sometimes; and when they do,  thousands of customers can be locked out of their accounts for days. as happened at Tesco Bank, RBS and TSB.

Power station IT tends to be designed, tested and implemented, in the UK at least, to defence safety-critical standards that impose a rigour not required of commercial systems such as Horizon.

With aircraft systems, however, it may be worth looking at how similar they are or different to Horizon. As air crash investigations are usually exhaustive in their thoroughness, we, the public, know what has gone wrong because reports are published.

We know, therefore, that some of the worst air crashes are caused by occurrences of the seemingly impossible.

Aircraft manufacturers could not, with any authority or credibility, tell investigators of a series of air crashes that, as they cannot fully understand the complexity of the system, they will have to take it that pilots must be to blame given that the aircraft is demonstrably robust.

That millions of flights take place every year without incident, and planes have triple redundancy in their flight systems and fail-safe measures in place for critical components, would not be good reason to assume pilots must be to blame for crashes.

And imagine telling air crash investigators that they could use probability theory to work out the likelihood of a serious fault causing a particular major incident.

The seemingly impossible occurs – a list

These are some of the most notorious failures of complex aircraft systems where the seemingly impossible happened …

  • Nobody thought it possible that new technology on one of the world’s safest aircraft, the 737 Max, could leave pilots fighting to lift the plane’s nose at the same time as complex systems were inexplicably keeping the nose pitching towards the ground. Probability theory would not have explained what went wrong or why – because such a sequence of events was not foreseen. After the first crash, pilots were blamed. After the second crash in March 2019, various countries grounded the plane.  Modifications now being made are likely to save hundreds of lives in future. In the end, despite an initial assumption of pilot error, precise faults in complex systems were identified as the probable cause of both crashes.
  • Nobody thought it possible that a computer-controlled engine on a modern jet airliner, a Boeing 767, could go into reverse thrust at nearly 30,000 feet. Being a theoretical impossibility, pilots were not trained to try and mitigate the consequences. Compulsory improvements after the crash have, potentially, saved many lives by avoiding similar accidents. Probability theory would not have explained what went wrong or why. Initially pilots were blamed but eventually it was found that they could not have recovered from such an event at that altitude.
  • The sequence of events that led to the crash into the side of a mountain of an A320, one of the world’s safest and most reliable aircraft, had not been anticipated. The crash’s lead investigator described the accident as a “random” event. Nobody who designed the computer-controlled plane had anticipated that a confusing screen display, an easily-made input mistake, a little-known autopilot feature that compounded the problems and the absence of a computer-based ground proximity warning system, could combine with poor pilot training to cause a disaster. The crash of Air Inter Flight 148 near Strasbourg airport in France led to industry-wide changes, including a redesigned screen display, more pilot training and more widespread use of onboard warning systems. It was thought the pilots had entered “3.3” into the autopilot believing this to be the angle of descent on their approach to the airport. But the same autopilot control was used to set the rate of descent. The autopilot, being in the “wrong” mode, took the plane on a disastrous 3,300 feet-per-minute descent instead of a more relaxed 3.3 angle of descent. The crash was caused by an unanticipated sequence of events. “It a fascinating lesson about the random dimension of accidents,” said the French lead investigator Jean Paries. “Half a second before or half a second later and we wouldn’t have had the accident.” Probability theory would not have helped identify the contributory factors or the “random” sequence of events.
  • Nobody thought that rain and hail could cause both engines on a 737 to flame out. The engines were certified to cope with water. But flame out they did, on a flight from Belize to New Orleans in 1988. Amazingly, the pilots glided the unpowered airliner onto a narrow grass levee next to a canal and everyone survived. If the plane had crashed and little wreckage recovered and everyone on board had died, the pilots might have been blamed because of an absence of evidence of technical malfunction, as the engines showed signs only of mild hail damage.
  • It was always considered possible, even likely, that birds could be ingested into a computer-controlled jet engine. But it was not considered likely that birds could ingested into the core of the engine. It was even less likely that birds could be ingested into the engine’s core and stop it from working. The idea of birds being ingested into the core of two engines and greatly reducing thrust in both of them at the same time was not even tested for, or pilots trained to cope, because it was thought impossible. But nobody had considered that migrating flocks of Canada geese would be in the vicinity of New York’s LaGuardia airport. The birds weigh up to 10 pounds. The plane’s engines were certified to cope with birds weighing up to four pounds. With a loss of power in both engines, the Airbus A320 glided safely onto the Hudson river, piloted by the gifted and now-famous pilot Chesley “Sully” Sullenberger. Probability theory would have been of no use in identifying what went wrong or why.
  • It was thought impossible that a modern airliner could lose all three of its separate hydraulic systems on one flight but that is exactly what happened on United Airlines Flight 232. The tail engine on a DC-10 had an uncontained fan disk failure in flight, which damaged all three hydraulic systems and rendered the flight controls inoperable. Nobody had considered that a rupture could occur just below the tail engine where all three hydraulic systems were in close proximity. But a number 2 engine explosion hurled fragments that ruptured all three lines, resulting in total loss of control to the elevators, ailerons, spoilers, horizontal stabilizer, rudder, flaps and slats. Probability theory could not have identified the cause.
  • At first, pilots were blamed for a series of 737 crashes where a suspected component was tested by investigators but it performed perfectly every time. After more than five years of investigations,  hundreds of fatalities and thousands of tests on the component, it was discovered that in a very rare set of specific circumstances, the component could not only jam but jam in a way that left the rudder in an extreme position on the opposite side to that expected. This was the equivalent of a car driver turning the steering wheel left and it jams hard over to the right. The seemingly impossible had happened. No probability theory would have helped identify the fault.
  • Nobody had thought it possible that a Chinook helicopter tethered to the ground at Wilmington, Delaware, USA, during tests could be destroyed by an uncontrollably surging computer-controlled engine. It happened because an electrical lead had been unplugged to simulate an electrical failure. The engine software had not been programmed to cope with such an eventuality. It kept pumping fuel into the engine because the software misinterpreted the unplugged lead as evidence the engine was delivering insufficient power.
  • Nobody had considered the possibility of wasps contributing to the deaths of all 189 people on a 757 bound for Germany. The wasps were thought to have nested in a pitot tube which fed incorrect data to the cockpit instruments. As a result, pilots were told simultaneously that the plane was flying too fast (which can cause break-up of the airframe) and too slowly (which can cause a stall and send the plane plummeting to the ground). As such an eventuality was not considered possible, pilots were not trained to cope with the effects of a blocked pitot tube or with conflicting warnings that they were flying too fast and too slowly at the same time. Probability theory would not have helped identify the cause.

So what? – Horizon is not an aircraft system

There are more similar incidents in which the seemingly impossible happened.

All of the aircraft had duplicate or triplicate critical components, methods of error detection and correction, contingency measures, built-in redundancy – and a great deal more in terms of rigorous real-world user testing, independent analyses and firm change control.

And still the aircraft or its complex systems failed. Probability theory and statistics would have solved none of the incidents.

Investigators identified a probable cause after each incident by having a full understanding of the systems and equipment involved, full disclosure of information, in most cases the print-outs from black boxes and dogged independent investigations that sometimes involved years of tests of  single components on multi-million dollar test rigs.

There has been no requirement to determine the exact cause of every major incident involving Horizon.

How, then, can anyone know for certain that Horizon was performing as expected when sub-postmasters were blamed for losses of tens of thousands of pounds  – losses that turned out to be ruinous for them and their families, and on rare occasions led to suicide?

Can probability theory explain a single one of the Post Office’s major incidents?

The Post Office will continue to argue its Horizon system is robust. But the complex systems on more than a dozen planes that crashed, causing the loss of hundreds of lives, were also robust.

The planes crashed not because a one-in-a-million risk materialised but because of a series of events that designers had not considered possible. For this reason, there were no procedures for coping with the events.

We know about the random events and seemingly impossible causes of air crashes because they are among the most thoroughly investigated of all failures of complex systems. Lessons are required to be learnt.

But how does all this leave us on the question on whether Horizon did or did not cause the losses in question?

Perhaps the truth is best summed up in Nick Wallis’ comment that the  expert  answer to whether Horizon is responsible for causing discrepancies in branch accounts seems to be “possibly” or “possibly not”.

But does “possibly” or “possibly not” provide strong enough grounds for Post Office actions that have ruined hundreds of lives?

More to the point, we have with the Horizon system, as with air crashes, evidence of major incidents. Every accusation against a sub-postmaster who denies any knowledge of losses is a major incident. On this basis, there is evidence of hundreds of major Post Office incidents.

But working back from each major incident, there is no full understanding by experts of how exactly the systems worked.

As the Post Office’s expert put it, there are “levels of depth and complexity in the way Horizon actually works which the experts have not been able to plumb …”

There are no print-outs from accident black boxes. There are not single investigations that have taken years to establish the full truth or multi-million pound test rigs on which to assess all the technology in question.

In short, there are many more questions than answers. Is this a just basis for the Post Office’s 100% certainty that it was right to blame sub-postmasters for losses shown on Horizon?

With uncertainty over the exact cause(s) of each incident, was it just and right to require sub-postmasters to make good losses shown on Horizon?

Arguably, that is the same or similar as holding pilots, whether dead or alive, responsible for plane crashes that could have been caused by a random sequence of events that were thought impossible.

Would you feel safer in a plane or running a village post office?

Nick Wallis’ postofficetrial blog

Karl Flinders has reported extensively on Horizon and the trials for Computer Weekly.

Tim McCormack’s “Problems with POL [Post Office Ltd]” blog.

Stephen Mason, barrister and associate research fellow at the Institute of Advanced Legal Studies in London, has written an excellent article (related to the Horizon dispute): the use of the word robust to describe software code

Will Post Office need state bail-out if it loses Horizon IT trial?

By Tony Collins

The Government is now aware, if it wasn’t before, that Horizon IT trials could end up costing the publicly-owned Post Office hundreds of millions of pounds.

Is continuing the case a gamble with public money?

Tom Cooper, the Government’s shareholder on Post Office board

Journalist Nick Wallis has questioned a minister and a senior official on the possible cost implications if the Post Office loses a High Court case over the Horizon IT system.

His questions to the Post Office minister Kelly Tolhurst and civil servant Tom Cooper, who is the government’s representative on the Post Office board, could help to ensure that the Government is aware that the Horizon IT trial may end up costing the Post Office hundreds of millions of pounds if it loses.

This awareness could raise questions among ministers and civil servants about whether the Post Office will face financial problems or even insolvency if it loses the Horizon trials.

The litigation began in 2017 and the Post Office has lost all of the several rulings so far. Judgements have been strongly critical of the Post Office, its approach to the litigation and its behaviour.

Hundreds of millions of pounds?

Tom Cooper joined the Post Office’s board as non-executive director last year. On the board he represents, on behalf of the Department for Business, Energy and Industrial Strategy,  the Government’s 100% shareholding in the Post Office.

He is a director of UK Government Investments, which is wholly-owned by HM Treasury and represents government interests on the boards of arm’s length bodies including the Post Office.

Wallis asked Cooper about the government’s strategy if the claimants win the case. Claimants are about 550 former sub-postmasters who are suing the Post Office – potentially for hundreds of millions of pounds – because they say they were unjustly forced to make good non-genuine losses shown on the Horizon system.

The Post Office is strongly defending the case, arguing that Horizon is robust and that the sub-postmasters were to blame for actual losses.

In his reply to Wallis, Cooper explained that claimants have not declared the size of the damages they seek. Wallis cited Freeths solicitors, which represents the former sub-postmasters, as saying the litigation could cost the Post Office hundreds of millions of pounds.

Cooper replied that no sums of that nature had been mentioned in court. At this point, one of Cooper’s colleagues politely terminated the interview.


Wallis also questioned Post Office minister Kelly Tolhurst on the possible cost implications if the Post Office loses the case. She politely declined to answer directly saying, “I can’t really go into the litigation stuff… I’m not being evasive. I can’t speak to you about it.”

Wallis asked whether, if the Post Office loses, the government could end up bailing out the Post Office. Tolhurst said she wouldn’t “get into theoretical-based outcomes of the litigation.”

But Tolhurst disclosed that there were conversations going on between the Post Office, civil servants and the ministry [Department for Business, Energy and Industrial Strategy which is the Post Office’s parent ministry].

HM Treasury’s UK Government Investments is responsible for ensuring the Post Office has enough investment and subsidy funding to ensue it is commercially sustainable in the longer term, whilst meeting its social obligations, particularly around minimum network coverages requirements.

UK Government Investments also advises ministers on Post Office commercial and policy issues.


Wallis’s interviews with Cooper and Tolhurst are important developments: they mean that officials and ministers cannot credibly deny in future that, if they end up bailing out the Post Office, it has come as a shock.

In Wallis’ questions, he made it clear that solicitors Freeths had said the litigation could end up costing the Post Office hundreds of millions of pounds.

Cooper tacitly acknowledged in his reply that he had heard what Wallis said. Indeed, Cooper’s impressive financial background indicates that he will have a good understanding of the possible cost implications for the Post Office if it loses the case.

Cooper was global co-chairman of mergers and acquisitions at Deutsche Bank. He was at UBS Investment Bank for 21 years where his various roles included head of European merger and acquisitions.

Of course, ministers and officials could argue internally – at the moment – that taxpayers are not funding the litigation.

Indeed, Whitehall officials have obtained a written assurance from the Post Office that it will fund the Horizon litigation from its own money, not public money that is allocated to modernisation and new investment in the Post Office’s network.

But it’s a different story if the Post Office runs into financial trouble.

The Government would have no choice but to use public money for a bail out. It could not allow the Post Office to go bust.

And thanks to Wallis’ questions yesterday,  ministers could not argue they were unaware of the full possible cost implications of losing the case.

Indeed, it is incumbent on civil servants now to make sure ministers are aware of what could happen if the Post Office loses the case and cannot afford to pay damages and costs from its own money.

When fully aware of the risks – the gamble with public money – will ministers and officials allow the Post Office to continue spending large sums on the High Court case – or will they urge it to settle now before many more millions of pounds are spent on legal costs?

The judge in the trials, Mr Justice Fraser, has said the case will continue for “years”. Ministers and officials could therefore take the attitude that they may be long gone by the end of the trials and therefore costs are a matter for their successors.

Or they could do the right thing and urge the Post Office to limit its potential liabilities by settling now.

Wallis has a full account of his conversations with Cooper and Tolhurst on his postofficetrial blog.

Post Office Ltd and the money tree – Tim McCormack’s blog

Post Office ordered to pay £5m towards claimants’ costs – part of Computer Weekly’s coverage of Horizon trials

Are councils short of money? Only for public services

By Tony Collins

Councils are short of money for public services – but not for senior officers’ pay-offs or botched deals.

A recent case is highlighted by Somerset’s County Gazette.

It says that restructuring costs for a newly-created council – in which two local authorities merged to save money by way of a “digital revolution” – are likely to double after more people than expected took redundancy.

The new council is expected to pay about £6m in redundancies instead of the target figure of £3m.

According to Somerset’s County Gazette, the pay-outs include £343,000 to the former chief executive of one of the two councils in the merger, Taunton Deane Borough Council, which was a founder member of the failed Somerset One joint venture with IBM.

The Southwest One enterprise cost taxpayers tens of millions of pounds more than it saved.

Now it emerges that five other senior officers involved in the Somerset merger plans have received pay-offs of more than £100,000 each; and although 191 council staff were laid off last year as part of the merger plans, the new council is now considering recruiting dozens of much-needed extra staff.

Campaigner David Orr, a former IT professional at Somerset County Council, has written to the chief executive of newly-created Somerset West and Taunton Council, to express concerns about pay-offs, consultancy costs involved in the merger and what he called the “failed transformation”.

Somerset West and Taunton Liberal Democrat councillor Mike Rigby said,

This [the merger] is a spectacular failure. An uncontrolled exodus of staff, walking away with tens or even hundreds of thousands of pounds, in advance of a “digital revolution” that never arrived.

The council thought it could lose 120 staff as 250 council services went online. The problem is that 191 staff left while fewer than 20 services are available online.

“No consideration as to whether any of those 191 staff were carrying out essential duties so now we’re having to fill many of the redundant roles.

“An utter shambles … It’ll take some time to put this all back together.”

The new chief executive of Somerset West and Taunton Council, told the BBC,

“We’ve overshot that target (£3m), mainly because people put their hands up for voluntary redundancy…

“I think ultimately, people who were eligible to apply for voluntary redundancy decided to take that opportunity.” He said there had been no limit on the number of employees eligible for voluntary redundancy.

“There was an acceptance that if people wanted to take voluntary redundancy, they could do – that’s the way it was set up.

Short of money?

Although councils are said to be short of money for public services – it was reported in 2017 that many were facing bankruptcy – the Taxpayers’ Alliance said last month that, across the country, 2,441 council officers  — a four-year high – earned at least £100,000 a year with 607 of those receiving at least £150,000 in 2017-18.

A total of 28 local authority employees received remuneration in excess of a quarter of a million pounds in 2017-18.

One council has 55 employees earning more than £100,000.

Councils say they need to pay the equivalent of private sector salaries to attract the right people to run large and complex local authorities.

A Local Government Association spokesperson said councils are  “large, complex organisations” that make a “huge difference” to people’s lives.

The spokesperson added: “Senior pay is always decided by democratically elected councillors in an open and transparent way.”


IT-led transformations are fun. They are a break from routine and great for the CV.

The supplier gains. Those at the council working on the transformation gain. A win-win. Even the public may gain if anyone can ascertain from a complicated deal whether any savings have been made.

If the deal fails,  nobody is constitutionally accountable except the volunteer councillors.

And councils seem to follow the principle that every overtly botched IT-led transformation needs to be followed by a new IT-led transformation. If that doesn’t succeed, a third may make up for the other two.

All the while, senior council officers continue to receive no-risk salaries of £100,000 + and/or large pay-offs.

Large amounts of money paid to senior officers does a disservice to the mass of lower or middle grade council officers who earn appropriate sums and bear the same risks of losing their jobs as anyone in the private sector.

Why do councils exist?

Botched deals leave less for public services. And the more senior council officers continue to receive large sums of money whether their councils succeed or not,  the more they will reinforce the fat cat stereotype and convince people that councils exist for their own benefit rather than the public’s.

As more public services disappear while the cost of the council payroll soars, the more people will wonder whether their local council would prefer not to offer any services at all.

A Yes Minister episode had officials boasting of the efficiency of a newly-built and fully-equipped NHS hospital that had no patients.

The hospital was fully staffed with 500 administrators and ancillary workers but had no money left for any nurses or doctors.

Is this where councils’ public services are headed?

Thank you to campaigner David Orr who seeks to hold those in power in Somerset to account.


Would you feel safer in a plane or running a village Post Office?

By Tony Collins

Technology-related controversies involving Boeing and the Post Office raise similar questions  

Technology is cited as a factor in the crashes of two Boeing 737 Max aircraft in which a total of 346 people died.

Technology is also cited as a factor in suicides, bankruptcies, marriage break-ups and ruined lives of hundreds of former sub-postmasters and their families.

Journalist Nick Wallis reports this month on sub-postmaster Peter Murray  who had a stroke in December last year as the Post Office pursued him for alleged shortages of £35,000 shown on the Post Office’s Horizon branch accounts system.

Unknown to Murray when he took over a post office in Great Sutton, Cheshire, the previous sub-postmaster Martin Griffiths had taken his own life. An inquest heard that Griffiths was being pursued by the Post Office over alleged shortfalls shown on Horizon that ran into tens of thousands of pounds.

The scale of the tragedy in crashes of the two 737 Max aircraft cannot be compared to the Post Office’s Horizon controversy.

But anyone who has studied common factors in plane crashes, bridge collapses, Space Shuttle tragedies and other engineering, IT and human failures may see similarities in the complaints by pilots about the Boeing’s 737 Max technology and complaints by former sub-postmasters about the Post Office’s Horizon branch accounting system.

Excessive secrecy?

The Horizon and 737 Max controversies are marked by allegations of a cover-up of computer-related problems which Boeing and the Post Office deny.

The technology’s operators (pilots and sub-postmasters) complained that they were not being given the full facts after major incidents. Pilots expressed concerns direct to Boeing about the 737 Max’s MCAS anti-stall system. The pilots received assurances that any problems were not serious.

But the second fatal crash of a 737 Max happened after those assurances; and the MCAS system was implicated in both crashes. It transpired that pilots kept trying to raise the plane’s nose while MCAS anti-stall software kept pitching it towards the ground.

A known problem had not been fixed. It was known that MCAS could, in rare circumstances such as faulty sensor data, pitch down the nose even if the plane was not in danger of stalling.

In the two 737 Max crashes, some aviation specialists believe that MCAS  was being fed erroneous data from a faulty sensor. In one of the crashes, a sensor might have been damaged by a bird strike.

Usually with critical aircraft software, an alert is given to pilots when sensors are faulty; and pilots are trained in what to do. But if manufacturers do not judge new software to be safety-critical, they may not consider alerts and related training to be vital on all aircraft.

Sub-postmasters received repeated assurances from the Horizon helpline when they raised concerns about unexplained shortfalls shown the system. For them and their families, a series of life-changing events followed those assurances, culminating in some cases, in serious health-related events or worse.

Blame the operator?

After major incidents, Boeing and the Post Office have defended their technologies and pointed to the system operators: pilots and sub-postmasters.

Other common factors in complaints against technologies in the 737 Max and the Post Office’s Horizon system include:

  • A questionable ability of the system operators – pilots and sub-postmasters – to be taken seriously when they raised concerns about the technology.
  • Little or no statutory scrutiny of the technology in question although its performance could profoundly affect lives. Boeing self-certified the technology in use in the 737 Max. The Post Office’s Horizon system was not subject to any statutory or regulatory inspection. Horizon was scrutinised by forensic accountants Second Sight and the Post Office dismissed its partially unfavourable findings. It also ended Second Sight’s contract.
  • Structural secrecy that prevented pilots and sub-postmasters understanding fully the technology they were required to use.
  • Major incidents that were treated by Boeing and the Post Office as one-offs. Links between major incidents may not be immediately obvious because they are sometimes the result of a complicated combination of events that might not have congealed in exactly the same way before. But, even after two similar, fatal crashes of the 737 Max, the US Federal Aviation Authority said the aircraft was safe. When countries across the world including Britain grounded the 737 Max, the Federation Aviation Authority had no choice but to act. The aircraft remains grounded worldwide; and European and US regulators are at odds over the depth of the oversight changes required to avoid such software-related crashes again. It appears Boeing will end up having to change the way it operates. After hundreds of complaints about the Horizon system, the Post Office is facing a group litigation action. Former sub-postmasters are claiming damages for financial loss, personal injury, deceit, duress, unconscionable dealing, harassment and unjust enrichment. The Post Office disputes the whole basis of the claimants’ case and maintains that large numbers of sub-postmasters knowingly submitted false accounts. The Post Office maintains that Horizon worked perfectly adequately.

Old technology?

There’s also the question of whether the controversies might have been avoided if ageing designs had been replaced entirely rather than modified to keep pace with business imperatives.

Boeing’s 737 design goes back to 1960s and the Horizon system to the 1990s. But fundamentally new designs would have required hugely costly retraining programmes for pilots and sub-postmasters. .

Normalising the questionable 

A further common consideration – as in the loss of the Challenger Space Shuttle – is whether questionable institutional practices and behaviour had become normalised. A fascinating 575-page book on this problem, “The Challenger launch Decision” shows in minute detail how NASA managers did not violate their procedures. Instead they set and followed bad precedents – what the author Diane Vaughan called the “normalization of deviance”. She said,

“It was not amorally calculating managers violating the rules that were responsible for the tragedy. It was conformity.”

Vaughan found that it is easier for large organisations to blame the technology operators for institutional failures rather than identify structural and cultural causes of disaster. She warned of the dangers of seeing organisational failures as the result of individual actions.

“… taken-for-granted aspects of organisational life created a way of seeing that was simultaneously a way of not seeing”. She added,

“Any remedy that targets only individuals misses the structural origins of the problem.”

The organisation’s culture is “supremely important” in allowing constructive criticism to be heard. But Vaughan concludes in her book that NASA’s economic pressures and cultures leading up to the Challenger disaster are still there.

Arguably, it is almost impossible for a large organisation to change its culture unless change is forced on it. When a subsequent Space Shuttle mission [Columbia] ended in disaster, an official report highlighted NASA’s underlying organisational and cultural issues that contributed to the accident.

Clearly, it is possible for everyone involved in the design and implementation of technology for large organisations to do everything right according to long-established procedures – and still have a succession of disasters.


A comprehensive account of what went wrong with the design and development of Boeing’s 737 Max software has been published in The Verge. It is headlined, The many human errors that brought down the 737 Max”.

It explains how Boeing needed to modernise the ageing 737 design – but not too much because major changes would have required a retraining of thousands of pilots, which would have added to costs for potential customers.

Instead of a new design of airframe, Boeing put larger and more efficient engines on an aircraft that remained essentially the same. The heavier engines needed repositioning, further forward, on the wings, which affected handling of the 737 in certain circumstances, but any aerodynamic changes were made largely invisible to pilots by new MCAS software.

The modified aircraft was an apparent winner. It required less than three hours of computer-based training. Boeing sold a record-breaking $200bn worth of the 737 Max before the first prototype took to the skies.

But pilots became concerned after the first fatal crash. Captain Laura Einsetler, who has flown for over 30 years, including on 737s, told The Verge she was not told the full facts on how the new technologies worked.

“I don’t have the schematics. I don’t have the cockpit panels. I don’t have an instructor that I can ask questions to,” she said, “You’re hoping that the first time you see the Max is on a nice clear day. But sometimes it’s not, and you’re showing up at night or in bad weather into an airplane that has all these changes.” Pilots were not told about the MCAS anti-stall system.

This secrecy meant that the aviation world was not generally aware that, at the time of the first fatal Max crash in October, if MCAS was being fed incorrect data from a faulty sensor, 737 pilots could end up fighting against the plane’s software for control of the aircraft.

A Boeing 737 Max, Lion Air Flight 610, with 189 passengers and crew, went into the Java Sea 12 minutes after taking off from Jakarta, Indonesia in October last year. Nobody survived.

About five months later, Ethiopian Airlines Flight 302, with 157 passengers and crew, crashed six minutes after take off from Addis Ababa. Nobody survived. Minutes before each crash, pilots had been fighting against MCAS to lift the nose but MCAS kept pointing it towards the ground. It was the software that had the final, tragic say.

One of the lessons from the crashes is that the US Federal Aviation Authority may include software in its certification tests in future rather than leaving delegated authority with Boeing.

Post Office control

In the case of Horizon, the Post Office has remained in full control.

When some sub-postmasters faced with unexplained shortfalls ended up in prison, the Crown Prosecution Service and police were not always involved in their cases. It was the Post Office that was the investigating and the prosecuting authority. Nothing sub-postmasters could say to the Post Office about Horizon would shake its belief in the system.

However, the Post Office is facing criticism by High Court judges. In the litigation between sub-postmasters and the Post Office, the Horizon trial judge Mr Justice Peter Fraser has been strongly critical of the Post Office, its behaviour, actions and most of its witnesses. In his “common issues” judgement, he said that some of the Post Office’s submissions “seem to have their origins in a parallel world”. The Post Office has appealed the common issues judgement.

Has the Post Office’s control gone unchecked for too long? Would the Post Office, like Boeing, benefit from having its technology subject to close statutory scrutiny? Particularly when, like Boeing, it controls technology that has the power to change the course of people’s lives.


The safety culture in the aviation world has much to teach the designers and operators of business systems generally.

Aircraft design has evolved over decades on the basis of trying to anticipate the improbable and even the impossible. On rare occasions, all the main engines on Airbus and Boeing flights have failed and passengers have emerged from the incidents unscathed.  Examples include British Airways Flight 9 (a Boeing 747), US Airways Flight 1549 (an Airbus A320) and Taca Flight 110 (a Boeing 737)..

This aviation industry’s safety culture means that when things go tragically wrong, lessons are usually learned. There are currently congressional hearings in the US into the two fatal crashes of the 737 Max; and lengthy statutory investigations by the National Transportation Safety Board are underway.

Worldwide media coverage of new disclosures about Boeing’s 737 Max technology has been relentless. Boeing has been compelled to act. The regulators may also change their practices. There remains in Europe a deep distrust of the competence of the Federal Aviation Authority.

The Post Office is not accustomed to being told what to do. Its much earlier predecessor, the General Post Office, was an arm of government and had its own special investigations unit responsible for intercepting letters as part of British intelligence service operations. Some of the Post Office’s work today falls within the scope of the Official Secrets Act. It is not answerable to shareholders (except a single government representative on the board).

Even with a legal challenge from Justice for Subpostmasters Alliance and solicitors Freeths, who represent sub-postmasters, the Post Office has sought to exercise control.

In 2017, the Post Office opposed the sub-postmasters’ application for a Group Litigation Order. The judge granted it. In 2018, the Post Office sought to strike out between about one quarter to one third of all of the evidence served by the sub-postmasters. It said the evidence was irrelevant to the first trial. The trial judge disagreed and ruled that the evidence stay.

In 2019, the Post Office has sought to have Peter Fraser removed as the trial judge. It said he was biased. The Court of Appeal disagreed, which means the judge will stay for the remaining three trials. The Court of Appeal issued a 17-page judgement against the Post Office. The Law Society Gazette described the ruling as “scatching”.

The Post Office remains in control, however. Being 100% government-owned, it can spend money without fear of going bust. Taxpayers would have to bail it out in any financial crisis. It has the power to seek to appeal every major judgement, or appeal refusals to grant a right of appeal, all of which could extend the proceedings for years. Judge Fraser expressed a concern about escalating costs in his judgement in March 2019 when he said,

“The Post Office has appeared determined to make this litigation, and therefore resolution of this intractable dispute, as difficult and expensive as it can.” [Par 544).

He also said that the Post Office appears, at least at times, to conduct itself as “though it is answerable only to itself”.

 If the Post Office has no fear of going bust in any financial crisis, could it control the outcome of the proceedings by appeals and extensions that may eventually drain the other side of its private financing?

Would you feel safer in a plane or running a village Post Office?

It is reassuring for airline passengers to know that plane makers can be held to account if things go wrong. At an ordinary domestic level, homeowners would want to be able to hold a roofer or a central heating company to account if things went wrong. It can be argued that any company is only as good as its reaction when things go wrong.

If anything goes seriously wrong when you are running a village post office, you are in the hands of the Post Office. If the computer says, inexplicably, that you have debts totalling £30,000, £50,000 or £80,000, your options may be limited: pay in full, go bankrupt, lose your home and your health or worse.


It appears the Post Office has shown little or no compassion to most of those who have complained about shortfalls shown on Horizon. Its corporate mindset is that Horizon cannot be the cause of discrepancies. Nobody can change an institutional mindset or force it to change.

After decades of IT-related failures in Whitehall, some costing billions of pounds, such as the £10bn National Programme for IT in the NHS (NPfIT) secretive institutional cultures and mindsets have remained unchanged. Indeed, health officials in recent months have sought to to re-introduce facets of the NPfIT that were discredited years ago, such as central control of locally-based IT.

Even if the Post Office eventually loses the Horizon case and ends up with costs and damages exceeding £100m – and possibly a much larger sum – it could not be compelled to change its culture. The Post Office’s board and senior officials may change. But not the culture.

Why flying is so safe

If Boeing and Airbus were able to treat every major incident as a rare one-off and hold the pilots responsible every time, it is doubtful flying would be as safe as it is. Statute, rules, government-imposed investigations, a safety culture and the risk of the flying public boycotting airlines perceived as unsafe forces manufacturers and airline engineers to learn lessons from accidents.

The result is that accidents and fatalities are a fraction of what they were in the 1990s. A person could fly once a day for four million years before succumbing to a fatal crash, according to Arnold Barnett, a professor of statistics at the Massachusetts Institute of Technology (MIT).

As for those running a village post office, there are no official statistics on how many sub-postmasters have been affected by unexplained deficits shown on Horizon. What is known is that about 550 former sub-postmasters are party to a legal action against the Post Office over the system and a further 500 or so former sub-postmasters are said to have had similar problems but are not in the group litigation. That is a total about one in eleven of all the 11,000 people who are running post offices in the UK.

The chances of being in an intractable dispute with the Post Office over unexpected shortfalls remain very low, however; and the chances of being in an intractable dispute that is a factor in suicide are infinitesimal. A recent unofficial survey indicated that the majority of sub-postmasters regard Horizon as reliable.

But some of the 1,000 or so former sub-postmasters who have been pursued for deficits have suffered life-changing experiences. In most major incidents on aircraft, passengers and crew walked off unscathed.

Statistics can mean little at the best of times and probably nothing when trying to answer whether you would feel safer in a plane or running a village post office. If perception rules your choice, the answer would be obvious: running a village post office is surely much safer than flying at 35,000 feet in a metal tube.

Once you realise, however, that when you have board an aircraft you are highly likely to emerge unscathed from any major technology-related incident, the answer is not so obvious.

Thank you to David Orr for your emailed link to an article on Boeing’s 737 Max that suggested senior management were not aware of the plane’s technology problems.


The Post Office claim I owe them £35,000, despite never showing or telling me what I have done wrong – Nick Wallis’s postofficetrial blog

Post Office applies to appeal damning judgment in first Horizon trial – Computer Weekly’s coverage of the Post Office trial

Post Office Limited and the money tree – campaigner Tim McCormack’s blog

Appeal Court throws out Post Office bid to remove judge

The many human errors that brought down the 737 Max – The Verge