Академический Документы
Профессиональный Документы
Культура Документы
JOINT STATEMENT OF
JASON COYNE
AND
DR ROBERT WORDEN
04 SEPTEMBER 2018
D1/1/1
1. Introduction
1.1 This document is centred around the Horizon issues and seeks to set
out the areas where experts agree and/or disagree and their reasons
for doing so.
1.2 The experts wish to set out first an overall framework for this document.
Because the experts may agree or not agree about parts of that
framework, it is addressed in a manner similar to the other issues, as if
it were 'Horizon Issue 0'.
Areas of Agreement
The experts agree some grouping of the Horizon issues but have chosen
different detailed groupings.
Issues 8 & 9
D1/1/2
Remote Access and Transaction
Amendments
Each expert's approach to writing his report, and to this joint memorandum
which foreshadows their reports, could broadly be one of three possible
approaches:
On some issues, highlighted below, the experts have not been able to agree
because one or other expert is awaiting clarifications. The experts agree
that after clarification it may be worth meeting again to see if they can
reach more agreement.
Areas of Disagreement
Jason Coyne:
Whilst my report will take a balanced approach, it is the case that many of
the issues require a deep focus on the occurrences of bugs, errors and defects
D1/1/3
as well as the potential for modification of transactional data. Whilst context
will be provided as to how Horizon should work in typical circumstances, it is
the non-typical operation where focus will be placed.
Dr Worden:
To provide a joint statement at this stage which will be useful to the court,
under each Horizon issue the experts need first to agree what is worth
agreeing having regard to the case which is being alleged. For instance, it
would not help the court for the experts to list a number of detailed points as
agreed, if one or the other expert thinks that those points are irrelevant or
unimportant to the case alleged; or if collectively the points imply a view
which, in the opinion of either expert, is not a balanced view. Therefore, the
areas of agreement may at this stage be limited and more high level.
My approach will also focus on the Horizon system. It will consider Horizon
within its wider business context, but I do not believe that the Horizon issues
extend to offering any opinion on the wider business practices of Post Office.
Areas of Agreement:
D1/1/4
Evidence exists that that bugs/errors/defects have caused actual
discrepancies or shortfalls relating to Subpostmasters’ branch
accounts/transactions.
In the event that any specific bug/error/defect had such an effect, the
experts have differing views as to the ‘extent’ of the impact that such
bugs/errors/defects may have had on branch accounts.
Areas of Disagreement
Examples:
D1/1/5
capable of being identified by Subpostmasters, who would have believed
from Horizon that their account was balanced when it was not; and
I understand that Horizon had at least 19,842 ‘releases’ of new software, each
one of these could have introduced new bugs/errors/defects.
I am still scoping the data needed for (e). If it is available, I will provide it to
Mr Coyne as soon as I have it.
D1/1/6
• For the majority of KELs, (which record known bugs), it can be shown,
from an understanding of the robustness measures built into Horizon
or otherwise, that they would have no permanent impact on branch
accounts.
2.2 Issue 2
Areas of Agreement:
The extent to which any IT system can automatically alert its users to bugs
within the system itself is necessarily limited.
While Horizon has automated checks which would detect certain bugs, there
are types of bugs which would not be detected by such checks,
Areas of Disagreement
D1/1/7
Dr Worden: In common with most IT systems, Horizon generates messages
to report the occurrence of certain errors to users and operators. Error
messages displayed on the counter screen or presented on reports alert
subpostmasters to conditions that may indicate the presence of bugs or other
defects as described in issue 1. For the avoidance of doubt, I do not believe
that this question extends to whether Post Office notified Subpostmasters
about errors as an operational practice.
There are automated checks in Horizon which would detect certain bugs, and
alert subpostmasters to them (e.g. a non-balancing basket, caused by some
bug in counter software, would be rejected by BAL/BRDB, giving a message
to the subpostmaster)
2.3 Issue 3
Areas of Agreement:
Horizon has evolved since its inception. Therefore, its robustness may have
varied throughout its lifetime. The level of robustness may have increased or
decreased as the system was changed.
The existence of branch shortfalls is agreed. The experts do not agree at this
point as to whether this indicates any lack of robustness.
Areas of Disagreement
D1/1/8
Jason Coyne:
For the purposes of addressing the robustness of Horizon, I have applied the
following definition of robustness:
(a) it contained high levels of bugs, errors and defects as set out under
Issue 1 above which created discrepancies in the branch accounts of
Subpostmasters;
(c) the system did not enable such discrepancies to be detected, accurately
identified and/or recorded either reliably, consistently or at all;
(d) the system did not reliably identify ‘Mis-keying’, which is inevitable in
any system with user input, and did not reliably have in place functionality
to restrict users from progressing a mis-key;
(f) there were weaknesses and risks of errors and other sources of
unreliability within Horizon.
Dr Worden:
D1/1/9
failures, communications failures, power cuts, disasters, user errors or fraud.
These are the dimensions of robustness.
In all these dimensions, robustness does not mean 'be perfect'; it means
'address the risks of being imperfect'. The extent of robustness is to be
interpreted as: in how many dimensions was Horizon robust? and: in each
dimension, how large were the remaining risks?
In my report I shall survey the evidence I have found that Fujitsu paid
sufficient attention to the dimensions of robustness, and that they did so
successfully. I shall also address evidence from Mr Coyne implying that
Horizon fell short of its robustness objectives.
2.4 Issue 4
Issue 4 - To what extent has there been potential for errors in data
recorded within Horizon to arise in (a) data entry, (b) transfer or (c)
processing of data in Horizon?
Areas of Disagreement
D1/1/10
Horizon. Because of those measures, errors of data entry, transfer and
processing were very unlikely to affect branch accounts.
2.5 Issue 5
Areas of Agreement:
Areas of Disagreement
D1/1/11
defined in GPOC at §16 and as admitted by Post Office in its Defence {C3/1/5}
{C3/3/12}
at §37”
Processing facilities within the Horizon system considered relevant (but not
limited to) are:
POLSAP/POL FS
Credence
DRS
APS
TES
TPS
2.6 Issue 6
D1/1/12
c. a failure to detect, correct and remedy software coding
errors or bugs;
Areas of Agreement:
Whilst Horizon contains measures and controls for detecting system integrity
concerns, the automatic mechanisms have failed in the past. The experts do
not agree as to the ‘extent’ of prevention, detection, identification, reporting
or risk reduction that the automatic and manual control measures deliver.
Areas of Disagreement
2.7 Issue 7
D1/1/13
Issue 7 - Were Post Office and/or Fujitsu able to access transaction
data recorded by Horizon remotely (i.e. not from within a branch)?
Areas of Disagreement
Facilities were available to SSC (Third line support) enabling the access and
modification of transaction data with tools specifically designed for such.
I have provided document references that show that remote access was
possible to Dr Worden.
Dr Worden: In the Claimants' outline allegations, the Claimants say they are
"still investigating" this issue. So, it is not yet clear to me where my opinions
are required, or what could be agreed.
1
POL-0218013
D1/1/14
2.8 Issue 8
Areas of Agreement:
No agreements.
Areas of Disagreement
There were extensive report sets available to Post Office for identifying the
occurrence of alleged shortfalls and the causes. Not limited to reports alone,
Post Office also had the ability to request further information in relation to
bugs, errors and/or defects from the various Support Lines. Identified thus
far:
The TPS, APS and DRS Report Sets along with reports produced in accordance
with the BIM and Problem Management Procedures provided a comprehensive
suite of reports which was available to Post Office. These reports would allow
Post Office to identify the occurrence of alleged shortfalls in the Horizon
D1/1/15
system, and they were underpinned by business processes which would
provide further information in relation to the underlying cause of a given
issue. In addition, Post Office should have been able to obtain any additional
information it required via Fujitsu or the Postmasters themselves.
Dr Worden: As for issue 8, this appears to be a factual issue, and one which
the claimants are 'still investigating'. So, it is not yet clear to me where my
opinions are required, or what the experts can agree on.
I have not yet assessed the relevance or importance of the reports cited by
the claimant in their outline.
2.9 Issue 9
Areas of Agreement:
Areas of Disagreement
D1/1/16
Jason Coyne: Subpostmasters were able to access limited reports and
receipts produced by the Counter, insofar as what Horizon or a Post Office
department had calculated and transmitted electronically. They would also
be able to see individual transactions and aggregated totals for items and
figures of which fed into Branch externally from the Counter input (i.e., stock
values, Transaction Acknowledgements and Transaction Corrections issued
by other Post Office departments).
2.10 Issue 10
a. at all;
D1/1/17
Areas of Disagreement
In respect of point (i), it appears that Fujitsu did have the ability to insert,
inject, edit and (potentially) delete transaction data and (ii) had the ability
/facility to implement fixes in Horizon that had the potential to affect
transaction data or data in branch accounts.
Tools and platforms existed specifically for the purpose of accessing and
modifying transaction data, identified thus far are:
(i) Global Branches which would enable the input of transactions within
Horizon as though it had come from an actual Branch;
2.11 Issue 11
Issue 11 - If they did, did the Horizon system have any permission
controls upon the use of the above facility, and did the system
maintain a log of such actions and such permission controls?
Areas of Agreement:
Usage of the above tools and facilities should be auditable. However, the
maintenance of logs would be dependent upon retention periods and size.
Areas of Disagreement
D1/1/18
Jason Coyne: Further information on the Claimants case is not required
to respond to this issue.
I have requested disclosure of these documents but Post Office have declined
to provide them.
Dr Worden: In the outline, it is stated that the claimants' case is still being
investigated. I await clarification before I can express an opinion.
2.12 Issue 12
Issue 12 - If the Defendant and/or Fujitsu did have such ability, how
often was that used, if at all?
Areas of Agreement:
No agreements.
Areas of Disagreement
It is doubtful that the experts will be able to advance this point given that
Post Office has not disclosed Master Service Change (MSC) documents or
Operational Control Procedures (OCP). Post Office have stated that there are
approximately 36,000 MSC and OCP documents, without a review of these
documents the experts will be unable to opine as to how many of these relate
to Post Office/Fujitsu quantification of remote modification of transactional
data.
Dr Worden: In the outline, it is stated that the claimants' case is still being
investigated. I await clarification before I can express an opinion.
D1/1/19
2.13 Issue 13
Issue 13 - To what extent did use of any such facility have the
potential to affect the reliability of Branches’ accounting positions?
Areas of Disagreement
The use of the facilities have the potential to affect the reliability of Branches’
accounting positions to a high extent. Not least since:
Dr Worden: In the outline, it is stated that the claimants' case is still being
investigated. I await clarification before I can express an opinion.
2.14 Issue 14
Issue 14 - How (if at all) does the Horizon system and its
functionality:
D1/1/20
c. record and reflect the consequence of raising a dispute
on an alleged discrepancy, on Horizon Branch account
data and, in particular:
Areas of Agreement:
None agreed.
Areas of Disagreement
The Monthly Trading Period Rollover is mandatory every month and as stated
above requires all discrepancies, including all within the suspense account, to
be resolved. At the end of this process a Branch Trading Statement is
D1/1/21
produced to reflect the cash and stock shown in the accounts matches the
cash and stock held in the branch in addition to any declared discrepancy.
2.15 Issue 15
D1/1/22
Areas of Agreement:
None agreed.
Areas of Disagreement
TPS receives this file, validates the data and performs the required
translations using reference data (converting a SAP article ID into a
Horizon Product).
Changes at the Counter enable a person with the required role to be made
aware of the existence of an outstanding TC and apply the correction at
the counter.
D1/1/23
D1/1/24