This is the unperfected transcript of the fourth day of the Horizon trial, held on 14 March 2019 in court 26 of the High Court's Rolls Building.
Thursday, 14 March 2019
(10.30 am)
MR JUSTICE FRASER: I am not going to deal with this now but
just to ask you both to remind me, at the end of the day
can you remind me to deal with 8 and 9 May.
MR DE GARR ROBINSON: My Lord, yes.
MR JUSTICE FRASER: I have written a note for myself so
I should --
MR DE GARR ROBINSON: Between us I'm sure we will ...
MR RICHARD ROLL (continued)
Cross-examination by MR DE GARR ROBINSON (continued)
MR DE GARR ROBINSON: Mr Roll, just a brief recap on what we
were discussing yesterday. In your various witness
statements you use the phrase "software errors" and just
so that I can confirm my own understanding, when you say
"software errors" you don't mean coding errors, you mean
a much wider category of errors, including data
problems, yes?
A. Generally, yes, including coding errors as well though.
Q. But sometimes you use the phrase -- perhaps it is unfair
of me to ask it, but sometimes when you say "software
errors" you actually mean data problems in the context
in which you use it?
A. Yes.
Q. But given that I'm not putting anything to you, I will
take that as read.
And when you say data errors or data problems you
generally mean operational type data, don't you? You
don't mean things like configuration data, things like
that?
A. I generally mean the data that's been written to the
message store, so transaction data.
Q. Well, you say -- if I may say so, generally speaking
transaction data -- well, let me ask you actually.
Let's agree some terminology so that we don't get
confused going forward. Could I go to the defendant's
witness statement bundles to tab 14 please {E2/14}.
Paragraph 3, Mr Roll, perhaps you could briefly read it.
I'm not interested in the first sentence, it is the rest
of the paragraph.
A. This is Mr Godeseth's statement, yes.
MR JUSTICE FRASER: Which paragraph, sorry?
MR DE GARR ROBINSON: Paragraph 3, my Lord.
When you get to the end perhaps we could ask and
then the page can be turned for you.
(Pause).
A. Can you turn the page please, yes. {E2/14/2}.
(Pause).
So, sorry, what was your question again?
Q. So if you go back to page 1 you see that Mr Godeseth is
drawing a distinction between transaction data on the
one hand and data in the background, operational parts
of Horizon on the other. Are you aware of that
distinction, does that have any resonance for you?
A. It does. I was -- in my mind it is very similar. The
data that postmasters -- that's going into the message
store when you are doing a transaction, how it is
replicated up to the server and then how it is
processed, that's the sort of information I was talking
about.
Q. But when you talk about data corruption often you're
talking about things like for example a bit being a zero
instead of a 1 --
A. Yes.
Q. -- you described that in your witness statement. That's
not transaction data of that sort, is it, it's different
kinds of data?
A. It could be transaction data that's been corrupted.
Q. I will take you to the relevant passage of your witness
statement later but for present purposes can we please
agree that when I say transaction data I mean a record
of a transaction undertaken in a branch, or a branch
activity that causes a change in the branch's cash or
stock, I don't mean the wider collection of data, for
example all sorts of data have fields that are allocated
to all sorts of tables throughout the database, correct?
A. Right, yes.
Q. That kind of data, even if it is attached, if it's
relevant to a transaction, that kind of data isn't seen
by the subpostmaster, is it?
A. No.
Q. And it won't affect his branch accounts at all, will it?
A. I don't know.
Q. Well, often it won't. Do you know that often it won't?
A. Often it won't.
Q. It is to do with things like harvesting. That data will
be harvested by the system for other purposes?
A. Yes.
Q. For example to monitor what transactions are being done,
what products are being sold by Post Office, that kind
of -- and many many other things. You do recognise
that?
A. Yes.
Q. So that kind of data, which I think you may previously
have been referring to as transaction data, that's not
what I mean when I say transaction data, I mean data
relating to transactions that actually has an impact
that the postmaster sees in his branch accounts?
A. Right.
Q. Okay, thank you.
MR JUSTICE FRASER: And are you going to adopt a similarly
precise term for the other sort of --
MR DE GARR ROBINSON: Yes, I'm going to call that
operational data.
MR JUSTICE FRASER: So, Mr Roll, just so we're all using the
same terms and we all understand --
A. I will try and stick to --
MR JUSTICE FRASER: Do you now understand the
differentiation as far as today is concerned?
A. Yes.
MR JUSTICE FRASER: There's transaction data and operational
data, is that --
MR DE GARR ROBINSON: My Lord, yes. I'm sure there are
better terms but those are the terms I'm going to use.
MR JUSTICE FRASER: All right.
MR DE GARR ROBINSON: Now, having established points of
nomenclature, could I ask you, Mr Roll, to go to your
second witness statement. It is E1, tab 10 and it is
paragraph 14 of that witness statement which starts at
page 9 {E1/10/9}. You have it in hard copy I think with
you. It may be more easy to use that.
Now, what I'm interested in is some -- I will let
you find it. You will see that it is under the heading
"Transaction corrections and patterns of software
errors", so in this section you are talking about TCs
and software errors and paragraph 14 you then start
talking about software errors and what I'm interested in
is the text that's in red over the page at page 10
{E1/10/10}.
MR JUSTICE FRASER: Which I don't think will come up on the
common screen but it doesn't matter because you are
using the hard copy. Have you got your amended one,
Mr Roll? Have you got your amended one with the red
text?
A. Yes I have mine.
MR DE GARR ROBINSON: Now, I only saw this shortly before
you started giving evidence yesterday -- well, I saw it
shortly before court sat at 10.30 yesterday morning.
The first thing I would like to ask you is why was this
text added to your witness statement here?
A. I was trying to clarify something that had come to mind
after re-reading this a few days ago. It is possible
that if a postmaster is doing a transaction and as he --
between pressing "enter" and the data being written
there could be a corruption or an error that would cause
that data to change.
Q. And why did you include it in this particular paragraph?
A. I had specifically said "bugs" before that, in the line
above it, and I wanted to clarify that there were other
things that could have caused problems.
Q. Oh, so you're not talking about bugs here, you're
talking about other causes?
A. Yes.
Q. And you say:
"As well as being caused by bugs, software errors
could also be caused by data corruption."
Stopping there, when you say "software errors" --
A. Transaction data errors.
Q. -- you mean data errors?
A. Yes.
Q. So when you say "data errors could also be caused by
data corruption", is that circular, or are you -- could
you explain what you mean? It looks like you are saying
data corruption could be caused by data corruption --
A. Sorry, I see what you mean.
Q. -- and I would like to give you the opportunity to
explain what you mean?
A. There could be some corruption of data at that point
that might cause the postmaster to -- for the account to
say he has a certain amount of money perhaps that he may
not have.
Q. You are talking about hardware errors causing data
corruption, aren't you?
A. It needn't necessarily be the hardware that caused the
problem, it could be the software that's become corrupt,
the transaction --
Q. Well you have just told me you weren't talking about
software bugs, you were talking about --
A. No, sorry, the transaction data could be corrupt at that
point. Just one of those spurious things that happens.
MR JUSTICE FRASER: Just pausing there, you said software
bugs, I think yesterday we worked out that's coding.
MR DE GARR ROBINSON: Coding.
MR JUSTICE FRASER: Can we keep to that.
MR DE GARR ROBINSON: So you're not saying these kind of
things are caused by coding?
A. Sometimes it is caused by coding bug, or it could be
a potential bug, other times it could have been
something else. It could just be data corruption that
just happened at the moment.
Q. I'm struggling to understand this, Mr Roll, because you
say "as well as being caused by bugs" and you just told
me about a minute ago that you put this in here because
you were distinguishing between issues that are caused
by bugs and issues that are caused by other things. Now
you are saying these things are caused by bugs after
all. Which is it?
A. Sorry, what I'm trying to say in this added bit is it's
not caused by bugs, it's data that has become corrupted
at a specific moment in time just because it has become
corrupted.
Q. And I'm suggesting to you, Mr Roll, that in that
scenario it will generally be because of some hardware
error in the counter in which the transaction is being
entered. Would you accept that?
A. No.
Q. Well, let's proceed. You then say:
"If the corruption happened just as a transaction
was being written to disc, it could have altered the
value of a transaction and the subpostmaster may not
have realised."
So what you are suggesting is the subpostmaster
types in a number on the screen and actually the number
that comes up is different from the number that he or
she has typed?
A. No, the number that he or she has typed would be
correct, but in-between pressing the "enter" key and it
going off you've got milliseconds between it going
between there and being written to the disc. If the
data corruption occurs in that instant ...
Q. I see.
You then say:
"This would not be detected by the system as there
would not be a mismatch in the figures."
Is that your evidence?
A. That's what I'm suggesting there, yes.
Q. Well, could I suggest to you, Mr Roll, that where that
happens there are cyclic redundancy checks being
constantly done which check to see whether the amount
typed in is the same as the amount that goes into the
system. It is something that's continually done within
the Horizon system, isn't it?
A. You are probably right there.
Q. It is done at both levels. We're talking about
Legacy Horizon. It is done at the Riposte level which
operates the message store, as it were, and it is done
at the operating system level, the NT which operates --
sorry, the NT, the Windows that operates the counter
itself. There are cyclic redundancy checks that are
applied as these processes are being done at both of
those levels, aren't there?
A. I don't remember that precise detail.
Q. But I suggest to you that that is the case and are you
in a position to dispute that?
A. I'm not in a position to dispute that, no.
MR JUSTICE FRASER: Are you saying six on Legacy Horizon?
MR DE GARR ROBINSON: I'm talking about Legacy Horizon, the
counters that were used in branch at that time and
your Lordship will remember that --
MR JUSTICE FRASER: No, you don't need to go into any more
explanation, I just wanted to check.
MR DE GARR ROBINSON: And those checks will automatically
and immediately tell if there is a difference between
what the application is attempting to write, what's
actually being typed in, and what is actually being
written into the system; that's right, isn't it?
A. Usually, yes.
Q. I would suggest to you, Mr Roll, it always happens, it's
a constant feature of the Legacy Horizon system. It's
one of the fundamental consistency checks that is always
applied in the operation of the system. Do you accept
that?
A. I accept that's how it is supposed to work, yes. I'm
still not sure that it would be 100%, but --
Q. Well, let me ask you about your experience. In your
44 months at the SSC did you ever encounter a situation
where a cyclic redundancy check missed an error of this
sort?
A. I can't remember that.
Q. I suggest to you didn't, Mr Roll.
Could I also ask you whether you were ever aware of
this -- in your experience you ever actually saw this
problem happening with a subpostmaster?
A. I don't think I did, no.
Q. You said --
A. I don't think I did.
Q. You don't think you did?
A. No.
Q. So what you're saying in red text here in paragraph 14,
it's really largely a -- and I don't mean to be rude
when I say this -- it's an armchair theoretical exercise
that you are discussing, it's not something that
actually reflected your experience when working at the
SSC, is it?
A. No, it was something I was thinking of hypothetically.
Q. I'm grateful.
Then just to complete this point -- and this may be
beyond your experience because it appears that you
didn't actually see any of this happening while you were
there, but just to complete, would you accept that if
and when the cyclic redundancy check spotted there was
the mismatch of figures being typed in and figures going
into the system, as well as sending an event straight
away to the SSC which would be picked up by the SSC's
automatic systems, it would also prevent the counter
actually undertaking the transaction. Do you accept
that?
A. Yes.
Q. I'm grateful. Now, I would like to go to paragraph 8 of
your first witness statement please and that's at
{E1/7/2}. I would like to pick it up at the third
sentence where you say:
"Any errors made by subpostmasters would be
relatively easy to identify, and would normally be
picked up by 1st or 2nd line support. If an error was
referred to us then it was extremely unlikely to be due
to a mistake made by a postmaster ..."
Do you see that?
A. Yes.
Q. Having read that could we then move please to what
Mr Parker says about this and I would like to go to
bundle E2, tab 11 and it is at page 6 {E2/11/6} and it
is the text just underneath the numbered
paragraph 26.1.3. Mr Parker says:
"If a branch required assistance to attempt to
determine the cause of a discrepancy they would contact
NBSC in the first instance. Discrepancies are not
unusual in a retail system."
I imagine you would accept that, Mr Roll.
"They indicate a difference between the operator's
declaration of cash and stock on hand and the system's
calculation and as such are a business operation issue.
However ..."
He says and this is the point I'm going to ask you
about:
"... it was not always possible for NBSC to identify
the cause of a discrepancy. For example, a user may
enter a deposit of £100 into a customer's bank account
on Horizon but rather than taking £100 from the
customer, they may make a mistake and give the customer
£100 as if it had been a withdrawal. In that scenario,
NBSC would not have been able to identify the cause of
a discrepancy. Clearly, NBSC is also unable to assist
when losses have been caused by theft."
Now, do you accept what Mr Parker says in the
paragraph I have just read out?
A. Yes.
MR JUSTICE FRASER: NBSC is the helpline, isn't it?
MR DE GARR ROBINSON: My Lord, yes. It's the first line
of support.
MR JUSTICE FRASER: And is that Fujitsu or Post Office?
MR DE GARR ROBINSON: The NBSC is run by Post Office. It
then goes through to the second line.
MR JUSTICE FRASER: Mr De Garr Robinson, I just wanted to
check that.
MR DE GARR ROBINSON: Yes.
MR JUSTICE FRASER: Because in other statements it is
referred to as the helpline. I just wanted --
MR DE GARR ROBINSON: My Lord, it is sometimes referred to
as the helpline. It is confusing because there is the
HSD as well as the NBSC and they are both elements of
the first line of support.
So where you say, Mr Roll, in paragraph 8 of your
statement that any errors made by subpostmasters would
be easy to identify and would normally be picked up,
that's not right, is it? There are all sorts of errors
that are made by the postmaster that will not be picked
up. Would you accept that?
A. From my memory of when we were working there, no, but
from reading this ... yes.
Q. You would accept that. So, for example, if an irate
subpostmaster phones into the NBSC and says "These
figures aren't right, there's a glitch in the system,
there's a glitch in the system", keeps insisting there's
a glitch, it would not be easy -- in fact in many cases
it would be impossible for the first or the second line
of support to say categorically "That's definitely
a user error" and close the matter down. In that kind
of situation wouldn't what would happen be that the
second line of support would refer on to SSC for
investigation; do you accept that?
A. Yes.
Q. Then I would like to go back to your witness
statement -- it is quicker to do it in hard copy,
Mr Roll -- paragraph 10 of your first witness statement
{E1/7/2} you must have in front of you. You say, second
sentence -- so we have a problem like that, it gets
passed to the SSC and I think you would accept that the
SSC would always investigate to see if it could be
attributed to a bug or other fault within Horizon --
A. Yes.
Q. -- yes? So you then say:
"If we were unable to find the cause of the
discrepancy then this was reported up the chain and it
was assumed that the postmaster was to blame."
That's your claim. I would like now to compare it
to what Mr Parker says about this. It is in his first
witness statement again, this time at page 13
{E2/11/13}. Paragraph 46, Mr Parker says:
"In paragraph 14 Mr Roll states, 'I would reiterate
that the main recurring issues were software issues'.
It is a symptom of working within a software support
team that the majority of issues that come in have been
attributed to a software issue by, for example, a lower
line of support. This can lead to a mindset of 'look at
all these Horizon errors' but what this indicates to me
is that the previous levels of support are functioning
correctly, removing the majority of other causes
(user/hardware problems). It does not indicate that the
majority of Horizon errors could be attributed to
software."
By "software" he means coding. Would you accept
that, Mr Roll?
A. Yes.
Q. Thank you. And then if we could move on over the page
to page 14, paragraph 49 {E2/11/14}, he says:
"Mr Roll further states that if SSC was 'unable to
find the cause of the discrepancy then this was reported
up the chain and it was assumed that the postmaster was
to blame' (paragraph 10). That is not my experience: it
is a simple truth of support that the majority of issues
reported in the system are attributable to user action
or user misunderstanding much system functionality."
Stopping there, Mr Roll, would you accept that?
A. I would accept that -- and as he says, those issues
would have been picked up at first or second line
support. The way I remember it is that we were dealing
with issues not necessarily the majority of issues
caused by the user, but that's how I remember it.
Q. I think I'm seeking to suggest to you, Mr Roll, that as
a matter of just common sense the majority of issues
reported in a system, whether it goes to first, second
or third line of support, the majority of issues
reported in the system are attributable to user action
or user misunderstanding of system functionality?
A. Yes.
Q. As a matter of common sense you would accept that?
A. Yes.
Q. So "Hence", Mr Parker says:
"... someone working in a support environment
analysing a new issue would examine the possibilities of
user error as a first hypothesis but any final
conclusion is only generated based on the evidence.
Where the evidence does not support a conclusion that
there's a problem with Horizon, the SSC feeds the
existent factual data back to Post Office and might say
something along the lines of 'all indications are that
the branch has made a mistake' but Fujitsu neither
attributes 'blame' or agrees the final conclusion ..."
What I would like to suggest to you, Mr Roll, is
that when a problem was, when you were there, reported
into the third line of support and the problem would
then be allocated to a member of the SSC, that SSC
member would look for ways in which the symptom that's
complained about could be attributed to a coding error
or other problem within Horizon; that's right, isn't it?
A. Yes.
Q. And they worked quite hard to try and figure -- they
would look at all the data, the system log, the event
log, transaction data; all the data, vast array of data
that's available to Fujitsu, and they would work very
carefully through to try and see whether there's
a credible explanation that's based upon a coding bug or
some other systemic problem with Horizon, yes?
A. Usually.
Q. Usually.
A. There were instances which I can't remember but I know
that at the time I felt uncomfortable with what was
going on because of the pressure that was put on us to
find -- to either find a problem or to say that we
couldn't find a problem. So there were time constraints
and we weren't given -- this is my recollection, but
I can't give you specific details. And this is why --
Q. So --
MR JUSTICE FRASER: Can you just let him finish.
A. This is why I first spoke to people about this, because
there are instances that I remember being unhappy with
it.
MR DE GARR ROBINSON: But you can't give any specifics --
A. No.
Q. -- and we can't look at the documents to see what you
are talking about?
A. No.
Q. And it's not that -- I think we discussed this
yesterday. You are not suggesting that there was any
pressure put upon you to put it down to human error,
it's simply that you are saying that not enough time was
given to do the job to your satisfaction, is that right?
A. Yes.
Q. I challenge that, Mr Roll. I formally suggest to you
that that didn't happen.
A. All I can say is that is how I remember feeling, but it
was a long time ago.
Q. But from the SSC's perspective your job was to
investigate a problem as thoroughly as it needed to be
investigated?
A. Our job in the team; it wasn't always me who was doing
the work that I was worried about.
Q. Well, quite often it was -- looking for these kind of
problems, quite often it was someone more senior in the
team that was looking at these kinds of problems --
A. Yes.
Q. -- isn't it? And you can't speak to the amount of
pressure that they were under, can you?
A. Not from direct memory, no. It's just, as I said, the
impression I took away with me.
Q. So you would accept, wouldn't you, that everyone in the
SSC including you did a professional, rigorous and
thorough job?
A. We tried to, yes.
Q. If we could go to your second witness statement please
now which is at E1, tab 10 and I would like to ask you
about paragraph 14 {E1/10/4}. You say:
"I do not believe that it is realistic to say that
all software errors would have been picked up by the
processes which were in place, or that the likelihood of
software errors staying disguised as human errors was
very small ... I believe there were likely many cases
where subpostmasters would have been held responsible
for problems which had not at the time been identified
as software errors, either because they could not
identify the problem and did not pursue these with
Post Office or Fujitsu, or because when they were raised
we ... were ultimately unable to identify the problem at
the time."
Now, I would like to ask you about your belief that
there were "likely many cases". Mr Roll, that's
speculation, isn't it, that's not a statement of fact?
A. That is how I felt, yes, that's --
Q. You felt it? What was the basis of your feeling?
A. Going back to what I have said a moment ago about
feeling that at times we were under pressure and we
couldn't do the job properly.
Q. How often -- do you have a recollection as to how often
you were under pressure?
A. No.
Q. My sense of the evidence you have given -- and I want to
tell you this so that you can tell me whether you agree
or not -- is that it didn't happen very often?
A. Not very often, no.
Q. Okay. So can you say how many times --
A. No.
Q. -- you had a sense when faced with a problem that it was
likely to be a bug but you hadn't --
A. I wouldn't be able to say.
Q. You couldn't say how many times --
MR JUSTICE FRASER: Keep your voice up, Mr Roll.
A. Sorry. I have no idea.
MR DE GARR ROBINSON: It is just your language. You say
"I believe" -- that's your present state of mind --
"there were likely many cases where subpostmasters would
have been held responsible for problems which had not at
the time been identified". How can you say "many"?
When I ask you about the problem you say it is because
"Sometimes I was busy and wasn't given enough time to
investigate". You very fairly say -- although you
cannot be categorical, you can't identify particular
incidences but you don't believe that happened very
often.
A. First of all --
Q. On that basis how can you say that you believe there
were likely many cases where it happened?
A. First of all, it wasn't necessarily me that was busy, it
was comments from other people in the team about how
busy they were trying to find a solution and I heard
that infrequently, but that led me to the belief --
that's the way I think I feel it, that if I was aware of
a few then there must have been more. So it's
speculation, yes.
Q. You accept that it is speculation. You are talking
about something that happened between 15 and --
A. 19 years ago.
Q. -- 18 years ago. It would be fair to say, wouldn't it,
that your recollection is very hazy about these kind of
things?
A. Certainly some of it, yes.
Q. Would you accept that your recollection of this kind of
thing is hazy?
A. It is quite hazy, but the feeling persists that
sometimes things could have slipped through.
Q. Sometimes things could have slipped through. One last
question before I move on. When you were under time
pressure and you didn't feel that you were being given
as long as you needed to do your job, is it that you
were given ten minutes and told to do something else, or
is it that you needed four hours and that you were only
given three? I would like a sense of what you mean when
you say that you didn't have the time that you wanted?
A. You might have had eight or ten hours. From my
recollection -- I may be getting different things mixed
up here, but we had so many days to come to
a resolution, to resolve a problem, so if we didn't get
the problem for a couple of days then our window had
closed. It was shorter than it should have been.
Q. And did you communicate concerns about this to anyone
else -- to Mr Peach, your superior?
A. I believe that was -- it was mentioned at times, yes.
Q. You mentioned it to Mr Peach. And did you mention it to
Mr Parker?
A. I don't think so, no. Mr Peach was the manager.
Q. But Mr Parker was your deputy manager, wasn't he? He
had authority over you, didn't he?
A. I never saw it as that, no.
Q. So it's not something you discussed with Mr Parker, it's
just something you discussed with Mr Peach who isn't
giving evidence, is that right?
A. Yes.
Q. I see.
Then there's one phrase I would like to ask you
about. It is where you say:
"I believe there were likely many cases where
subpostmasters would have been held responsible for
problems which ... we (Fujitsu) were ultimately unable
to identify the problem at the time."
Are you suggesting that problems reported to the SSC
would not be resolved at that time, but then at some
later time when a further problem arose it would then be
identified? Are you suggesting --
A. I wasn't trying to suggest that, no.
Q. It is just your use of the words "at the time"?
A. I'm sorry, that is misleading, yes.
MR JUSTICE FRASER: I'm sorry, Mr De Garr Robinson, I have
lost where -- the passage you were asking about.
MR DE GARR ROBINSON: It is the sentence beginning
"I believe there were likely many cases".
MR JUSTICE FRASER: Can you maybe give me a paragraph and
page number?
MR DE GARR ROBINSON: Paragraph 14 of Mr Roll's second
statement.
MR JUSTICE FRASER: It is just the screen had moved, that
was all. So we are still on paragraph 14.
MR DE GARR ROBINSON: Well, the sentence starts on page 4
and then goes over to page 5.
So you are not suggesting that you are aware of
a problem that was identified at some later stage but
manifested itself at some earlier stage and was not
corrected at that stage and therefore was left there,
you're not suggesting that that happened in your
knowledge?
A. Sorry, could you say that again.
Q. I'm not being very clear, I'm so sorry.
I'm trying to investigate with you whether you are
seeking to allude to the following scenario and
I suspect that you are not, so I will be quick. At time
T zero someone phones in with a problem, gets through
the two lines of support, gets through to the SSC, it is
investigated. The investigator tries very hard to find
a coding problem or some other problem in Horizon that's
responsible for it, can't, puts it to one side, closes
it down and then the problem reappears through some
other postmaster at some later stage, gets through the
first and second lines of support, gets to the SSC and
a coding problem is then identified, but that leaves the
poor first subpostmaster in the cold. I was just
seeking to investigate with you whether you are seeking
to suggest in that sentence that that ever happened?
A. No.
Q. I'm grateful. Because the truth is that in that kind of
scenario, when the second problem is identified and the
root cause determined then all occasions on which this
problem has manifested itself in the past would then be
investigated and identified, would they not?
A. Yes.
Q. So in that scenario information would be provided to
Post Office to allow the earlier subpostmaster to be
made whole -- I don't know if I'm allowed to use that
expression, my Lord.
A. Yes, I would --
Q. Thank you. Then I would like to go to Mr Parker's
second witness statement now please, which is {E2/12/5}.
I would like to ask you about paragraph 15 of
Mr Parker's witness statement which is about recovery
processes. He says:
"Mr Roll states that 'Fujitsu's stance was generally
that if there was a problem with transactions following
a recovery process and if SSC could not identify the
cause, then the problem must have been caused by the
subpostmaster not following the recovery process
properly'."
And then Mr Parker says:
"I agree that if Fujitsu was unable to identify the
cause of a discrepancy that was said to relate to
a recovery issue, having investigated the matter, the
likely conclusion would be that the discrepancy
(if there was one following the recovery process) was
probably the result of human error. The key point
here ..."
And this is what I'm seeking to discuss with you,
Mr Roll:
"The key point here is that the SSC would thoroughly
review all of the available evidence. I am confident
that if there had been a software issue in relation to
the recovery process, the SSC would have identified it
or in the very unlikely case that we could not determine
root cause, would have at least documented its
symptoms."
Full stop. Would you accept that, Mr Roll?
A. Yes, if we couldn't determine the root cause then it
would have been documented. But I should say, if we
couldn't determine the root cause then that would have
been passed on to the Post Office and the assumption
would have been that the postmaster had made a mistake.
Q. I would like to suggest to you that Mr Parker here is
saying that if there had been a software issue -- he
means coding issue --
MR JUSTICE FRASER: That means coding, does it, there?
MR DE GARR ROBINSON: My Lord, I believe so.
"... if there had been a [coding issue] in relation
to the recovery process, the SSC would have identified
it ..."
Stopping there, do you accept that?
A. No.
Q. And why do you not accept that?
A. We may have passed it -- if we may have suspected --
sometimes it would have been identified as a coding
issue. Sometimes if we couldn't identify it and
suspected it as a potential one, it would have gone to
development. But we may not have detected the software
issue -- the coding issues ourselves.
Q. He goes on to say:
"... in the very unlikely case that we could not
determine root cause ..."
Would you accept that the situation you have just
described would be a very unlikely one?
A. Terminology I suppose. Unlikely.
Q. Very unlikely, Mr Roll.
A. I wouldn't agree with that.
Q. But you would agree unlikely?
A. Unlikely, yes.
Q. Then he says:
"... [we] would have at least documented its
symptoms."
Would you agree with that?
A. They would have been recorded.
Q. They would be recorded in a what, in a KEL?
A. I don't know.
Q. In a PEAK?
A. I can't remember.
Q. The system would maintain knowledge of the symptoms and
would be aware of or would be looking out for any
recurrences?
A. Yes.
Q. And you said I think that this would then be passed on
to the fourth line of support, is that right?
A. From my recollection of it, yes.
Q. And what would the fourth line support then do with it?
A. I think they would look at the code and see if they
could find a problem with it.
Q. So in most cases, save in the unlikely case, the third
line of support would have spotted the problem. If they
didn't spot the problem they would document the symptoms
so that the system would be alive to the possibility of
recurrences and at the same time they would pass the
problem over to fourth line support who would give the
problem an even more thorough investigation, is that
right?
A. Usually, except if we were under pressure, as I said
before --
Q. Well, if you were under pressure, Mr --
A. -- to provide an answer to our manager who was probably
under pressure himself to provide an answer to --
Q. It is very hard to discuss the pressure you were under,
Mr Roll, because you are talking in such generalities.
A. I'm sorry.
Q. I don't criticise you for that because it is a long time
ago, you are doing what you can do. But can I suggest
to you that in circumstances where there's a problem
that's been encountered and it is suspected that it may
be the result of some kind of bug or other problem in
Horizon, the matter is not going to be closed by anyone
at the SSC. One way or another, either at third line or
at fourth line, the people are going to keep going until
the suspicion has been fully exhausted; would you accept
that?
A. No. If we couldn't find a problem, then it may have
been closed. The information could have been passed
back to Post Office saying "We can't find any problems"
and from then on it would have been -- I assume it would
have been put down as a postmaster's error or whatever.
Q. So you don't know what it would have been put down as in
relation to the postmaster?
A. No.
Q. What I'm asking you is not just about the situation
where you haven't been able to attribute a problem to
a coding issue or some other problem in Horizon. You
try and attribute and you fail. If you had been given
proper time, which I think you say happened in most
cases, then you would be satisfied that it wouldn't be
the result of a coding problem or some other problem in
Horizon, is that right?
A. Yes.
Q. But you say sometimes -- not very often, but sometimes
you didn't get the chance to spend as much time on it as
you would have liked; is that what you are saying?
A. Yes.
Q. I have already challenged you on that evidence. But
here is my suggestion to you, Mr Roll. In circumstances
where having got as far as you've got you actually
suspect that a coding issue or some other problem in
Horizon is responsible, you would not stop, you would
not close down the PEAK --
A. No, you would pass it on.
Q. You would, wouldn't you?
A. Yes.
Q. So in any case where you have a lingering suspicion that
there's a problem in Horizon of some sort causing this
symptom, you would never close it down but you would
always pass it on for further investigation?
A. If you thought it was a coding issue, yes.
Q. If you suspected it was a coding issue?
A. Yes.
Q. Or other problem in Horizon?
A. I'm not sure whether we would have closed some of them
down or not at that point.
Q. What, with other problems? Why would other problems in
Horizon be dealt with differently?
A. Some of the areas we had a lot of control over --
I don't really know how to explain this, I can't really
remember much about it, but there were times when we
couldn't find a problem with the message store and the
data -- it was passed back to the Post Office as closed
because we couldn't find any supporting evidence for
what the postmaster was saying.
Q. Yes. But how does that answer my question?
A. I think I'm getting side-tracked here, I'm sorry.
Q. My suggestion to you is that on any occasion when you or
anyone else at the SSC had a lingering suspicion that
a problem that had been identified --
A. Yes.
Q. -- was the result of the Horizon system --
A. If we had a suspicion then it would be passed on.
Q. -- it would absolutely not be closed down and blamed on
the subpostmaster, would it?
A. No.
Q. Thank you. But however, if having done your
investigation and having formed the view that you don't
have a suspicion of a problem in Horizon, does the last
sentence of paragraph 15 of Mr Parker's statement
{E2/12/6} apply? He says:
"Having conducted a careful investigation which did
not reveal any software issues, human error would be by
far the most likely explanation."
Would you accept that as a matter of common sense?
A. I need to backtrack a bit here because sometimes, going
back to the pressure, we would not suspect a software
coding issue, a bug, a coding bug, there might be
something else, but if we were under pressure then we
wouldn't necessarily have the time to fully look at that
to understand what was going on, so then we would close
the KEL.
Q. Are you suggesting to me that in your situation as
an SSC team member there would be checks that would need
to be done in order to answer the question whether there
was a problem in Horizon causing this situation and you
would deliberately close a PEAK and close down the
problem even though the check had not been done?
A. As far as I can remember, on occasion that did happen.
Q. Mr Roll, I suggest that's extraordinary and it's
unprofessional and it's not what any member of the SSC
should ever have done?
A. I know.
Q. Are you saying it's what you did?
A. On occasion I was instructed to close a particular call
which was not software related or anything, basically to
quieten it down.
Q. Well, that's quite remarkable, Mr Roll. Why is none of
that in your witness statement?
A. It is.
Q. You are telling me there was a specific occasion when
someone with authority over you told you to close down
a call when you hadn't finished your investigation,
are you?
A. I'm not putting that very well, but yes.
Q. Who was the person who told you that?
A. Mik Peach.
Q. So Mr Peach told you -- what was the nature of the
problem?
A. The nature of the problem was that a postmaster was
reporting that a system was rebooting unexpectedly. We
looked -- or I looked at it and I found that the -- she
was actually powering the system off and she insisted
she wasn't. It was a mobile system and she was -- as
I said, we could see from the message store that the
system was being rebooted and she insisted she wasn't
rebooting it. So I did some tests on the test rigs in
the testing area at the end of floor 6 where we were and
I found that on one of the test rigs I could simulate
the same problem. If I turned the screen off, it
actually turned the whole computer off. And when
I dismantled the equipment I found that the screen
button had been miswired and it had been wired into the
motherboard so that it actually cut the power off and
not the power to the screen, so it rebooted the system.
That's documented in the PINICLs.
I asked for the base unit to be brought back but in
the meantime -- we then found out that this was a known
build error but somebody in the hardware department had
built a batch of computers and wired them up
incorrectly. They had sent them out to the estate but
they -- they had realised they had done it and they knew
about it but they hadn't informed anyone else.
So I pinpointed the problem, spoke to Mik Peach.
Mik Peach got back to me later and said "Yeah they know
about this". When the system came back and I confirmed
it, I was asked not to put any more information on this
on the PINICL and it was being dealt with internally.
Q. Let's talk about -- I was going to ask you about that
later. So that's not an occasion where Mr Peach told
you to stop investigating something that needed to be
investigated?
A. Not to stop investigating, no, he told me --
MR JUSTICE FRASER: Both of you, if you talk over each other
we can't transcribe it. So you wait for
Mr De Garr Robinson to finish. He will, I can assure
you, wait for you to finish.
A. Sorry, your Honour.
MR JUSTICE FRASER: Right, Mr De Garr Robinson.
MR DE GARR ROBINSON: The answer you have just given me was
the result of a question which I asked which is are you
seriously -- I now can't reformulate my question.
My question was based upon a claim that you have
just made to the effect that there was a problem which
required further investigation. You said this didn't
happen with coding bugs but sometimes with other issues
that were less the SSC's purview, sometimes it did,
where more investigation was needed and you said
Mr Peach told you not to do that investigation but to
close it down. Now, do you remember giving that
evidence?
A. That's ...
Q. We could go back to the transcript, if you like,
Mr Roll.
A. What was it you said exactly before that part?
Q. Page 35 of the transcript.
MR JUSTICE FRASER: Line 17 I think. Well, the passage goes
from line 3 to about line 13.
Can we go higher on the common screen -- that's it,
just stop there. Page 35.
MR DE GARR ROBINSON: You say:
"Answer: On occasion I was instructed to close
a particular call which was not software related or
anything, basically to quieten it down."
And if we could go actually further up, it is at
line 16 on page 34:
"Question: Are you suggesting to me that in your
situation as an SSC team member there would be checks
that would need to be done in order to answer the
question whether there was a problem in Horizon causing
this situation and you would deliberately close a PEAK
and close down the problem even though the check had not
been done?"
That was my question to you. So I was asking you
whether there were occasions when you needed to do
further sessions and you were told not to. And you
said:
"Answer: As far as I can remember, on occasion that
did happen."
So that's quite a bold claim. And then I say:
"Question: ... I suggest that's extraordinary and
it's unprofessional and it's not what any member of the
SSC should ever have done?"
And you say "I know" and I say:
"Question: Are you saying it's what you did?"
And you say:
"Answer: On occasion I was instructed to close
a particular call which was not software related or
anything, basically to quieten it down."
Now, I took you, Mr Roll, to be saying "Yes, I was
told not to perform investigations that I felt I needed
to perform", but the example you have just given, which
I will be coming to, is not an example of that at all,
is it?
A. No, it's not. The line on 16 and my response at 22,
I -- the way I remember that happening in the SSC is
that not myself but other people were under a lot of
pressure to come up with a "can you find anything, we
have to know by lunchtime if you can find anything in
this message store" and then they would come back and
say "No, we can't find anything".
Q. Mr Roll, first of all that's not addressing the point
that I'm suggesting to you. You are not suggesting,
are you, that people in the SSC were told not to perform
checks that they felt they needed to perform in order to
do their job properly?
A. Oh, I see. No.
Q. And can I suggest to you that no one in authority at the
SSC would ever have wanted a team member not to perform
a check that needed to be done in order to satisfy that
team member whether there was or wasn't a problem in
Horizon?
A. The feeling I still have is that on occasion we could
have done more if we had had more time but that
occasionally due to time pressures we didn't have the
time. That's -- it's just my feeling from 19 years ago.
Q. Your feeling from 19 years ago and could I suggest to
you, Mr Roll -- it may be wrong, but my understanding of
your evidence is that that feeling is that it only
happened on relatively rare occasions, it wasn't
something that was frequent.
A. Rare occasions, but that was the feeling I had then and
it has persisted.
Q. Very good.
If we could move to page 6 of Mr Parker's second
statement {E2/12/6} and look at paragraph 19 at the
bottom of the page. He says:
"Fujitsu has mechanisms in place for detecting
potential issues. In ... my first statement I briefly
explained that the system management centre monitors
system events and I briefly described the work of the
communications management team in paragraph 26.1.2.
Each of these teams would generate support actions based
on system generated event information."
That's true, isn't it?
A. Horizon was an evolving system, it probably still is.
In the early days a lot of the processes weren't in
place and we had to find them, we had to find the
problems and develop the processes to -- so that by the
end of by the time I left then yes, this was true.
Q. I suggest to you that this sentence is true of the
entire time that you were working at SSC, Mr Roll.
A. My recollection is that we improved the systems
tremendously over the years.
Q. But from the word go these teams did exist and they
would generate support actions based on systems
generated event information from the first day that you
were there?
A. Yes, if the system was able to generate the event.
Q. But you're not, I presume, in a position to tell me what
events it was able to generate when you arrived --
A. No.
Q. -- and what events it was able to generate when you
left?
A. No, but as we put more processes in, the system is much
more able to detect errors.
Q. Well, it's difficult for me to ask you questions about
that kind of claim.
Then he says:
"It is also the case that the sheer number of
subpostmasters using the service and reporting issues
via the help desks make it very unlikely that there is
any significant number of hidden errors."
Would you accept that?
A. A significant number, yes. There may have been the
occasional one.
Q. Yes, but can we say the vast majority of problems that
were caused by the system would have manifested
themselves in some kind of reporting --
A. Yes.
Q. Thank you. And he says:
"These mechanisms are so effective at identifying
when bugs are a cause of problems that it would be very
rare for a bug to not be detected."
Would you accept that?
A. If it was a known bug, yes.
Q. What do you mean by that?
MR JUSTICE FRASER: We are talking coding, yes? Coding.
A. Coding, yes.
MR DE GARR ROBINSON: Yes.
A. If a coding bug was detected then we could put in place
mechanisms to detect when that was -- when that bug had
had an effect.
Q. I think Mr -- I'm grateful for that answer, but I think
Mr Parker is making a slightly different point. He has
described the mechanisms in place and you generally
agreed them.
A. Right.
Q. And he says:
"These mechanisms are so effective at identifying
when bugs are a cause of problems that it would be very
rare for a bug to not be detected."
That's true, isn't it? Sometimes the bug could get
through --
A. Yes.
Q. -- but it would be very rare for that to happen, would
you accept that?
A. Yes.
Q. Thank you. Then on to paragraph 20 {E2/12/7}:
"Once an issue has been raised, Fujitsu is
experienced in providing support and will go to great
lengths to investigate the root cause."
Stopping there, would you accept that? That that
was true of your time when you were at the SSC?
A. Yes.
Q. "In paragraph 61 of my first statement I explained that
Fujitsu use a custom solution, developed and
administered by the SSC, which allows us to record
support knowledge into a known error log ... KELs record
support knowledge which is intended to assist staff in
the support and understanding of the Horizon system."
I apprehend you won't disagree with any of that?
A. No.
Q. He then says:
"Mr Roll's statement that 'subpostmasters would have
been held responsible for problems which had not at any
time been identified as software errors ... because when
they were raised we (Fujitsu) were ultimately unable to
identify the problem at the time' assumes that if
Fujitsu was not able to get to the root cause of an
issue, it must have been a software error rather than
a human error. But as I explain ... above, if Fujitsu
was unable to identify any software issues after
carrying out a careful investigation, human error would
be by far the most likely explanation."
Now, would you accept that, Mr Roll?
A. I would accept that it is the most likely explanation,
yes.
Q. Thank you.
Then if we can move on to paragraph 23 {E2/12/7} --
I'm reading this to you to give you an opportunity to
disclaim any intention of what Parker thinks you might
be doing. He says:
"I think that Mr Roll may be trying to suggest that
Fujitsu were quite happy to assume that issues were the
responsibility of subpostmasters. That is not the case.
We investigated matters thoroughly and if we identified
an error in Horizon, we dealt with it appropriately.
Our investigative and analytical procedures have always
been thorough in my view and while I obviously cannot
say that in each and every case our diagnosis was
correct, I am confident that that was the case in the
overwhelming majority of cases."
Now, Mr Roll, a couple of questions, perhaps three
or four. Given the discussion we have just had, could
I invite you to indicate whether you are or are not
trying to suggest that Fujitsu were quite happy to
assume that issues were the responsibility of
subpostmasters?
A. I don't know what the management's position was on how
protective they were of their system, the directors
et cetera at that level. At our level certainly we
would -- I would certainly agree with what Mr Parker has
put in the second part there --
Q. What, you mean "we investigated matters" --
A. -- "in the overwhelming majority of cases".
MR JUSTICE FRASER: You said the second part, which part do
you mean?
A. Sorry --
MR DE GARR ROBINSON: Do you agree then that "We
investigated matters thoroughly and if we identified an
error in Horizon we dealt with it appropriately"?
A. Yes.
Q. You agree with that. Do you agree that:
"Our investigative and analytical procedures have
always been thorough in my view ..."
Do you agree with that? Is that your view too?
A. Generally speaking, yes.
Q. "... and while I obviously cannot say that in each and
every case our diagnosis was correct, I am confident
that that was the case in the overwhelming majority of
cases."
Is that your view?
A. In the majority of cases, yes.
Q. Thank you.
A. I wouldn't want to suggest that Fujitsu were happy to
assume.
Q. Very good. I'm very grateful for that, Mr Roll, and
that means I don't need to ask you any more questions.
Could we now move on to your second witness
statement please. I would like to ask you about
paragraph 9, it is {E1/10/3}. It is under the heading
"Transactional integrity", and here you are taking
Dr Worden to task about something he said in his expert
report and you say:
"At paragraph 156, Dr Worden describes zero sum
baskets, other branch actions being zero sum, and
transactional integrity. I agree that the system was
designed with these intentions in mind but there were
limitations and errors in the system. Data corruption
and glitches sometimes meant that transactions were not
zero sum. I recall on more than one occasion where
subpostmasters had problems with a deficit showing in
their accounts, and then as a result of working through
a process to try to resolve it, the deficit doubled."
Let's just break that down, if we can. You refer in
that paragraph to three concepts. Transaction baskets
and accounts. I think you will accept, won't you, that
when you are doing business at a counter, several
transactions can go into a basket, yes?
A. Yes.
Q. And then many baskets, once they are entered into the
accounts, make up the accounts, yes?
A. Yes.
Q. The zero sum point only relates to baskets, doesn't it?
A. I can't remember. I'm not sure.
Q. So I'm just trying to understand what you mean when you
say:
"Data corruption and glitches sometimes meant that
transactions were not zero sum."
A transaction is never zero sum, is it, it's the
basket that's zero sum having summed up all the
transactions that are in the basket?
A. I think you're correct there, yes.
Q. Then if I could ask you to go to what Dr Worden says
about transactional integrity. That's at {D3/1/39}.
Could I ask you to read -- it is quite long so I won't
read it out, you will be pleased to know. Could I ask
you to read paragraph 156.3. This is the paragraph that
you take issue with.
(Pause).
A. Okay, I have read that now, yes.
Q. Now, you say -- we have just read the relevant paragraph
from your witness statement. You said you agree that
the system was designed with these intentions in mind
but you say there were limitations and you go on to say
that data corruption and glitches sometimes meant the
transactions were not zero sum and we have discussed the
difficulty I have with your use of the phrase
"transactions".
You then go on to give an example. You say in
paragraph 9 of your witness statement {E1/10/3}:
"I recall on more than one occasion where
subpostmasters had problems with a deficit showing in
their accounts, and then as a result of working through
a process to try to resolve it, the deficit doubled.
Sometimes we found the source of the problem as a known
bug ... and we could resolve the problem, but we were
not always able to find or understand the cause."
Mr Roll, I'm slightly bemused by that because the
example you have just given there is not an example of
a limitation or error in transactional integrity, is it?
A. No, it's not, I ... I must have misunderstood or misread
what Dr Worden was saying in paragraph 156.3.
Q. Well, could I suggest to you, Mr Roll, that what
Dr Worden is saying in paragraph 156.3 is true and that
you don't have any contrary examples to offer to suggest
that it didn't always happen?
A. No, I misunderstood his -- what he put.
Q. Were you asked to -- did someone invite you to disagree
with this paragraph?
A. No.
Q. That's not what happened?
A. No.
Q. I see.
Then the example you give is discussed by Mr Parker
at paragraph 8 of his second witness statement, which is
{E2/12/4}. If I could ask you to read paragraphs 8 and
9, is that the example that you have in mind?
A. I can't remember exactly.
Q. Have you looked at the KEL that Mr Parker refers to in
paragraph 8?
A. No.
Q. So you haven't looked at any of the underlying
documents?
A. No.
Q. Or the PEAKs?
A. No.
Q. Mr Parker says at paragraph 10:
"I am not aware of any case in which baskets were
not zero sum (ie any case in which a non-zero sum basket
was accepted into Horizon), although given the lack of
detail in Mr Roll's statement on this point it is
difficult for me to state definitively that such an
issue never arose."
Would I be right in thinking that you can't think of
an example of that happening either?
A. Yes, I think I got my terminology wrong in the zero sum
basket.
Q. So would the answer to my question be right: you can't
think of an example of that happening --
A. No. You are right, yes.
MR JUSTICE FRASER: So what terminology should I read it as
saying?
A. I'm afraid I can't remember the full terminology that
I should be using for the Horizon system, my Lord.
MR JUSTICE FRASER: I'm not asking about that. Is there any
other word that I should change to reflect what your
evidence is on this, or not?
A. No, your Honour. I was trying to point out in this that
due to errors sometimes when a postmaster tried to
correct it actually doubled the error.
MR JUSTICE FRASER: All right.
Back to you, Mr De Garr Robinson.
MR DE GARR ROBINSON: Then if we could continue with
paragraph 10 of Mr Parker's statement, halfway down he
says:
"I would expect any such issue ..."
This is a true transaction integrity issue:
"I would expect any such issue to result in
a receipts and payments mismatch which would be (1)
picked up by Fujitsu's reconciliation reporting ..."
Stopping there, that's right, isn't it?
A. Yes.
Q. And secondly be:
"... visible to the branch when they balanced at the
end of the trading period."
That's true also, isn't it?
A. I don't know.
Q. Fair enough, Mr Roll. But you accept, do you, that when
you were there it would have been picked up in
reconciliation reporting?
A. I believe so, yes.
Q. And it would have resulted, as he says in the last
sentence, in investigation and resolution by the SSC?
A. We would investigate it, yes.
Q. I'm very grateful, thank you.
Then if we could go back to your second statement,
paragraph 10 {E1/10/3}. It's a very long paragraph and
I'm not going as quickly as I expected. If I could ask
you just to have a quick look at paragraph 10 so you can
remind yourself what you're talking about.
Have you --
A. Yes.
Q. Now, I would like to ask you, Mr Roll, how good is your
recollection of this particular instance?
A. It's a bit hazy but I can remember the sort of basics.
Q. And I'm interested in your suggestion that it was
"impossible to fix". Was it really impossible to fix?
A. From my understanding of the problem, yes. To fix the
software, to recode the amount of software that would
have needed to be recoded would have meant, from my
understanding, a basic rebuild, so it would have taken
too much effort.
Q. You refer to your understanding; was this a problem that
you yourself worked on?
A. I can't remember. It's certainly one I was aware of,
because we discussed it.
Q. So it might have been something that you picked up in
discussions with other people?
A. Yes.
Q. And you say you have a recollection of something you
can't actually remember -- it is not clear enough for
you to know whether you actually worked on it or not, it
might just be what other people told you, is that right?
A. It was a fairly common problem this.
Q. A fairly common problem?
A. From what I remember.
Q. So this is a problem that you suggest happened a lot of
times, did it?
A. Periodically. We were aware -- we kept an eye out for
it because we knew it would happen.
Q. And then you refer to a workaround. You say at the top
of page 4 {E1/10/4}:
"Eventually the problem would be escalated to SSC
and a workaround established."
Again, are you speaking from your experience, or are
you speaking from your recollection of what people may
have said when you were at work?
A. I can't remember if I worked on that or not. It was
something we all kept an eye out for.
Q. So it is something you kept an eye out for. Is it
something you ever actually saw in your own experience?
A. I think so but I can't be certain.
Q. Very good. And you say a workaround established. What
was the workaround?
A. You basically had -- the net result of this would be
that because the system wasn't able to differentiate
which organisation the money would go to, it could have
gone to the wrong one. So we could monitor the systems
processing this data, pick it up and then by examining
the actual reference data we could see which
organisation it should go to and then we could make sure
it went to the right one.
Q. So is that what happened, the SSC set up a system --
A. Yes.
Q. -- to monitor where these problems might be occurring?
A. Yes.
Q. And fix them when they did?
A. Yes.
Q. I'm grateful. And presumably you would go back and look
in the past to see if it happened in the past, to deal
with it in that situation as well?
A. Yes.
Q. But even before that had happened though, this wouldn't
have an effect on any branch accounts, would it? It
wouldn't affect the net position on any branch accounts?
A. No.
MR DE GARR ROBINSON: My Lord, I see the time.
MR JUSTICE FRASER: Do you want a break?
MR DE GARR ROBINSON: I'm not going as quickly as I expected
and I need to tighten up.
MR JUSTICE FRASER: Sure. So we will come back at 5 to.
Are you going to go into the afternoon with Mr Roll?
MR DE GARR ROBINSON: Most certainly.
MR JUSTICE FRASER: And then you have just got Mr Henderson.
MR DE GARR ROBINSON: Yes, and we are not allowed more than
an hour with him anyway.
MR JUSTICE FRASER: No, I rechecked my transcript of that.
I said that I was imposing that limit to make it clear
you didn't need to put everything to him but you could
have longer than that if you wanted.
MR DE GARR ROBINSON: I wish I hadn't said it, my Lord,
because you are quite right and I really ought to be
careful about my mouth.
MR JUSTICE FRASER: No -- I have just been asked for the
short break for the shorthand writers but we were
I think 30 seconds ahead of that.
Same form as yesterday: don't chat to anyone about
your evidence.
(11.46 am)
(Short Break)
(11.58 am)
MR DE GARR ROBINSON: Mr Roll, I'm going to try to deal with
some evidence that you give about the recovery process
as quickly as I can. If I could ask you to go to
paragraph 11 of your second statement {E1/10/4}. We are
in the same section of your witness statement that we
were in before, so this is all under the heading
"Transactional integrity" and you say:
"I do recall that problems sometimes arose after
subpostmasters used the recovery process and that this
was a not uncommon problem which affected even
experienced subpostmasters. This might suggest that
there was a problem with the recovery process itself, or
at least that it was not as straightforward as it should
have been."
"Might suggest": I don't mean to be discourteous,
Mr Roll, but that's a mealy-mouthed phrase. Are you
positively claiming that in your judgment there was
a problem with the recovery process?
A. No. There was a possibility but that's all. It's
a long time ago and I can't remember what the process
was now.
Q. So you are not suggesting there was a coding bug in the
software dealing with recovery --
A. No.
Q. -- which affected branch accounts, are you?
A. No.
Q. So would it be fair to say -- I use this term
advisedly -- that in that sentence what you are doing is
speculating as to the possibility of a problem, you're
not suggesting that there is likely to be one?
A. Yes.
Q. Are you suggesting that there were investigations that
should have been undertaken by the SSC that weren't
undertaken?
A. No, I'm not suggesting that.
Q. So why are you even mentioning it, Mr Roll? I'm
slightly puzzled.
A. It sticks in my memory that there were problems with the
recovery process that we got involved with that we had
to try and fix. At times there were the -- I suppose it
was either the number that came in or something that
stuck in my mind about this that made me feel there was
something that could have been not quite right with it.
Q. Are you suggesting -- let me take it in stages. First
of all, you are saying problems were reported to the SSC
by subpostmasters in relation to the recovery process,
is that right?
A. Yes.
Q. And you will accept, would you, that whenever those
problems came in they were investigated?
A. Yes.
Q. And you will accept, would you, that when they were
investigating they were investigated thoroughly?
A. Yes.
Q. And that thorough process, I think you have already
accepted very helpfully in a prior discussion with me
that generally speaking, when there is a thorough
investigation of that sort if there is a problem it's
likely to be identified?
A. Yes.
Q. And I infer that it is your evidence that all of those
investigations you are referring to were unable to find
any problem with Horizon itself, is that right?
A. I don't know if it was ever considered there was
a problem with Horizon itself.
Q. But, Mr Roll, let's just be clear. When an investigate
is carried out -- it's a bit like philosophers trying to
test a theory, you try and find something that disproves
the theory that you're trying to establish. In the same
way, your job at the SSC, when you get a problem in is
you are looking for something in Horizon that could have
caused it; that's where you are starting, is that right?
A. Yes.
Q. Thank you. And that process was followed whenever there
were these problems reported into the SSC about the
reconciliation process, yes?
A. Yes.
Q. And on each occasion when these investigations were done
the investigators were unable to find a problem with
Horizon that was responsible for it, yes?
A. Yes.
Q. So why do you now suggest that despite all of that,
there could have been a problem with the recovery
process in Horizon when you worked there?
A. I'm not sure what it is, but I was not happy with the
way that some of these were dealt with. But I can't --
I can't remember why, but I know that at the time there
was something that made me uneasy about it.
Q. So are you suggesting that on every occasion that
a problem came in, something was reported in in relation
to reconciliation, you were the one that investigated
them all?
A. Oh, no, I wasn't -- everybody -- it would have been
farmed out.
Q. So are you saying that you knew enough about everybody
else's investigations to be uncomfortable about the
investigations your colleagues were doing?
A. No.
Q. Right, so are you saying that you were uncomfortable
with the investigations that you did?
A. No.
Q. So what were you uncomfortable with?
A. Sometimes the pressure we were under, the timescales.
I think that's what it must have been. Again --
Q. So are you suggesting that there was a particular
timescale issue with respect to reconciliation processes
that had a particular application to reconciliation
problems that didn't apply to other problems that you
were investigating in Horizon?
A. All I can remember is that I felt uneasy about
something, about this process, but I can't tell you why,
so ...
Q. My attention has been drawn to the fact that on a number
of occasions I have talked about reconciliation when
I should have been talking about recovery, I do
apologise, but I think we have understood what I'm
talking about.
A. Yes.
Q. I apologise.
Well, let's just go quickly. In principle, when
a system goes down when a transaction is being done at
the counter, either because the system itself has gone
down or there is a power outage at the branch or
whatever the reason might be, there's always going to be
a possibility that some transactions being undertaken at
the counter may not have reached the Horizon accounts of
that branch when the system goes down, is that right?
A. Yes.
Q. Because, for example, there's an outage before the stack
has actually been settled by pressing the button that
enters the stack into the branch's accounts, yes?
A. Yes.
Q. And that's inevitable. You can't design a system which
doesn't have that problem, it's an inevitable part of
a system design where there's a possibility that crashes
may happen mid-transaction, yes?
A. Yes.
Q. So in that situation what do you do to build resilience
into the system? Could I suggest to you, Mr Roll, that
what you do is you build into the system a facility
which identifies the transactions that were mid-way but
that didn't actually reach the accounts, that have not
recovered, yes?
A. Yes.
Q. And that is the recovery process that we're discussing?
A. There is -- I seem to remember there being far more to
it than that, but ...
Q. If you want to elucidate then I don't want to stop you,
Mr Roll, but I really don't know what you mean.
A. I ... I would have included -- there was a lady giving
evidence yesterday about having to go and find --
a transaction hadn't gone through, it hadn't been
recovered. She was able to find the customer. I don't
remember the full story about it. But she went to the
bank and she found that -- she was able to find the
money or to find a paperwork trail to get the money put
back into her account. That's all part of the recovery
process for me, it's not just ... I'm not making myself
very clear, I'm sorry about this.
Q. Well, you are talking about Mrs Burke and in Mrs Burke's
case what happened, in short, was that the system went
down before she had entered the transaction into her
accounts, then when the system came back up again the
system identified the transactions in relation to which
there was a problem. Later on the system identified the
transactions that had gone through, so there was
a physical piece of paper identifying the transaction
that hadn't gone through and she was able to look at
that physical paper and look at her transaction log and
see that indeed it had not gone through.
Now, I would suggest -- I will be suggesting to the
judge in due course that that's an example of the
Horizon system doing what it is supposed to do, namely
to produce some evidence identifying the transaction
that hasn't actually reached the Horizon accounts.
Isn't that what the recovery process is designed to do?
A. That's I think what it is designed to do, but I think
what she was trying to point out was that the
paperwork -- some of the paperwork that she had wasn't
produced by the Horizon system and --
Q. Well, I'm not sure that this is very helpful.
MR JUSTICE FRASER: That's just what I was about to say
actually. Whatever the Mrs Burke situation was or
wasn't --
A. Sorry.
MR JUSTICE FRASER: -- I'm not sure you are necessarily
going to be able to help me with and I'm not sure,
Mr De Garr Robinson, that it's necessarily a correct
question for this witness, other than to say: when you
were asked about the recovery process and you said that
you thought there was more to it than that -- do you
remember that?
A. Yes, your Honour.
MR JUSTICE FRASER: And then there was a phrase I think
where you said "I would have included ..." and then it
appeared to me, if I may say so, that you then got
distracted talking about Mrs Burke.
So far as your recollection is when you worked for
Fujitsu, Mr De Garr Robinson is now going to suggest to
you I think again, or reput the question, about what the
recovery process involved and if you think there are
other steps or other examples of what the recovery
process either did or ought to have included then you
can tell me what they are.
A. Right.
MR JUSTICE FRASER: So, Mr De Garr Robinson, do you want to
do that.
MR DE GARR ROBINSON: I rather think you have actually asked
the question already --
MR JUSTICE FRASER: I would rather you put it, if that's all
right.
MR DE GARR ROBINSON: Mr Roll, as I have explained, the
recovery process is a form of resiliance designed into
the system to ensure that if a transaction doesn't reach
the system, which is always possible because of timing
issues in the nanoseconds before you press "enter" to
push the stack into your accounts and so on, the purpose
of the system is to ensure that the missing transaction,
the transaction that hasn't reached the branch accounts,
has been identified, both to the postmaster and indeed
to Fujitsu, because Fujitsu can see this material in
their own log.
Are you saying from your own experience that there
were any occasions where that did not happen?
A. I can't remember.
Q. Thank you.
Then going back to paragraph 11 of your witness
statement {E1/10/4}, this is a sentence we have already
been discussing the first part. You say:
"This might suggest that there was a problem with
the recovery process itself ..."
Then you say:
"... or at least that it was not as straightforward
as it should have been."
Let me repeat my question. Are you saying from your
own experience you can recall examples of where the
recovery process was not as straightforward as it should
have been?
A. No. My understanding of the recovery process is that it
should have been -- it should have been able to be dealt
with at first or second line and if we got involved then
there was a problem with it.
Q. So it's simply the fact that if a subpostmaster was
insisting there was a glitch or something and in
circumstances where the first and second line couldn't
categorically say that it wasn't the result of a glitch,
it would go to the SSC and you're saying the mere fact
that that would on occasion go to the SSC is a basis for
suggesting there's something wrong with the system, is
that right?
A. No. What I'm saying there is that some of them came
through to us and then my recollection is that the
majority of them we would have dealt with and we would
have found a problem, but that on some times we couldn't
find a problem and we couldn't identify where there had
been a problem.
Q. Well, could I suggest that another way of putting that
is that you looked at the symptoms that were complained
about and you checked -- there was a very thorough
investigation as to whether Horizon might be responsible
and as a result of that thorough investigation you
couldn't figure out a way in which Horizon could have
been responsible; would that be another way of putting
what you have just said?
A. Yes.
Q. Thank you. Then let's move on to paragraph 12 of your
statement {E1/10/4}. You refer to paragraph 167 of
Dr Worden's report {D3/1/43} where he deals with what he
calls TCs, that's transaction corrections, that "Post
Office would soon suspect a software error" and so on
and you then say:
"I do not recall Fujitsu carrying out any analysis
of transaction corrections to try to identify if there
may be an underlying software error."
Now, I only want to ask you a couple of questions
about this, Mr Roll, but why are you talking about
transaction corrections? When you worked at Fujitsu
there was no such thing as a transaction correction, was
there?
A. I don't know, wasn't there? I ...
Q. Do you honestly not remember?
(Pause).
A. No I don't. There were corrections made ... we made
corrections to transactions.
Q. "Transaction corrections" is a term which refers to
a message that's sent by Post Office to
a subpostmaster's branch suggesting that there ought to
be a change, a transaction entered into their branch to
change the accounts in some way, that the subpostmaster
then gets to accept or if he disputes it not to accept
into his branch accounts. It's an electronic message
that goes from Post Office to the branch and it is
generated usually as a result of quite sophisticated
reconciliation processes undertaken both by Post Office
and Fujitsu.
At the time that you worked for Fujitsu TCs didn't
exist. What they had instead were what were called
error notices and error notices would be sent from
Post Office to the branch but a similar practice was
followed. That's what Dr Worden is talking about.
A. Right.
Q. Were you not aware of that?
A. I wasn't aware that he was talking about those.
Q. So you thought he was talking about something different?
A. Something completely different.
Q. Did you not -- I don't wish to probe into privileged
matters, but was it not explained to you what he was --
perhaps I am probing into privileged matters.
MR JUSTICE FRASER: Well, you are if you put the question
that way.
MR DE GARR ROBINSON: Yes.
MR JUSTICE FRASER: You could say "Did you know 'transaction
corrections' was a specific term that had a specific
meaning in Horizon?"
A. I didn't know they had that specific term -- meaning.
MR DE GARR ROBINSON: Well, here Dr Worden is talking about
TCs. Was it not necessary for you to be told what TCs
were?
A. I misinterpreted the term "transaction corrections".
Q. TCs were actually identified, they were defined in
Dr Worden's report. Did you read the definition?
A. No.
Q. It does look as if you are making quite a convenient
claim on the basis of -- well, I don't understand the
basis upon which you are making it. What did you think
Dr Worden was talking about when he talked about TCs?
A. We corrected transactions -- it was part of our job, if
you like -- on the message stores at times.
Q. Oh, you are talking about transaction insertions that
were undertaken by -- that's what you thought --
A. That's what I --
Q. -- Dr Worden was talking about?
A. That's what I misinterpreted there, yes.
MR JUSTICE FRASER: I wonder if you could possibly finish
your sentences. Mr De Garr Robinson isn't interrupting
you but you will often start a sentence, stop it, and
then start another one. If you could just answer in
complete sentences it would help enormously.
Right, Mr De Garr Robinson.
MR DE GARR ROBINSON: I'm sorry, would your Lordship give me
a moment.
(Pause).
My Lord, I will move on. I don't think this is
going to be a productive line of cross-examination
bearing in mind I hadn't prepared for it in that way.
Let's stay with your second statement, Mr Roll, and
go to paragraph 19 {E1/10/6}. Perhaps I could ask you
to simply read the paragraph to save time.
(Pause).
A. Yes.
Q. You say at the end of the paragraph:
"... generally this was a developing area, so
generally if the SSC found something that should have
been picked up by the system we notified the developers
so they could fix the software, so it did incrementally
improve over time. However, sometimes the decision was
taken that the chances of the unexpected error happening
again were too remote to merit a development/fix. In
this case the developers would be instructed not to work
on a fix."
Were you involved in these cases? So do you have
personal experience of these cases?
A. I think I had experience in one or two where we found
a problem but it was deemed -- it was one that could be
easily monitored and checked out for by writing a small
bit of code and that was -- it was easier to do the
workaround than it was to do the software fix, so that's
what we did. There is a bit of a syntax error where it
should have read instead of "instructed not to" it would
be "not be instructed" to work on the fix. They
wouldn't be told not to do it.
Q. I see. First of all, you are not talking about
a decision not to do a software fix or a coding fix for
bugs causing an impact in branch accounts; we're not
talking about that kind of problem at all, are we?
A. It would be a ... no, it's not an error that the
postmaster would have been aware of. It wouldn't have
affected his accounts.
Q. So you are talking about problems that didn't affect
branch accounts. You have said one or two cases. Could
you describe either of them or both of them?
A. No, I couldn't, just the recollection --
Q. Could you give some indication of the nature of the
problem?
A. I can't even give you that, I'm afraid.
Q. Well, could you give some indication of the process that
was gone through to decide what the appropriate response
was, whether there should be a workaround or a fix?
A. Well, the -- we would find out what the problem was,
what the impact was, how easy it was to find the problem
and then that information would be passed on up the
management chain for them to decide whether it warranted
a software fix to be developed and released, or whether
it would be faster and as reliable to put a workaround
in place rather than a fix.
Q. And what's the nature of the workaround you're talking
about? You're talking about some facility built into
the system which would pick up when this thing
happened --
A. Yes.
Q. -- and made sure it was made good?
A. Yes, it could be corrected at -- when it was picked up
rather than writing software to make sure it didn't
happen in the first place.
Q. But you're talking about something within the system, so
the system would automatically monitor for these
occasions --
A. Yes.
Q. -- and make sure that they were fixed more or less
automatically, is that what you mean?
A. Yes.
Q. Thank you. So really what you're talking about is
a debate between how best to fix a problem, do you do it
by way of some kind of change of coding so that the
problem never arises, or do you do it by way of change
of coding to ensure that when the problem does arise it
is immediately fixed; would that be fair?
A. Yes.
Q. Thank you.
MR JUSTICE FRASER: And in either situation is the code
changed?
A. The underlying code -- in the first situation where you
directly change the code so that the problem doesn't
arise, that is when the code would be changed for -- on
the Horizon system, but in the second scenario then no,
the code for the Horizon system need not necessarily be
changed, but something running on one of the servers --
you could write a small batch programme that would be
supplementary to the code.
MR JUSTICE FRASER: All right.
Mr De Garr Robinson.
MR DE GARR ROBINSON: Thank you.
I would like to move on to paragraph 16 of your
statement {E1/10/5}. You say:
"In my first statement, I refer to the pressure that
the SSC team and Fujitsu were under generally due to an
awareness of the financial penalties imposed by the
service level agreements between Post Office and
Fujitsu ... I believe that although individual penalties
were quite modest, when applied across multiple
counters/post offices the cumulative figures involved
were very high, potentially amounting to tens of
millions or more. I disagree with Stephen Parker's
statement that these potential financial penalties were
not a factor for the SSC ... as we were aware of them
and often commented on them, eg 'That's saved Fujitsu
another 25 million'."
So I'm now going to ask you some questions about
this general issue. Could we first of all go to
Mr Parker's first witness statement, that's at
{E2/11/12}. He starts by saying in paragraph 43:
"Mr Roll refers to a 'perception … that the Service
Level Agreements between Post Office Ltd and Fujitsu
involved financial penalties payable by Fujitsu to Post
Office' (paragraph 12). I am aware that there were
Service Level Agreements for issues such as stuck
transactions (Fujitsu had 10 days to retrieve
transactions that had not replicated from a counter)."
Stopping there, Mr Roll, did you know that?
A. I couldn't remember the timescale for that. But I knew
there was a timescale to get them off and sent across.
Q. He then says:
"It is quite normal for contracts such as the one
between Fujitsu and Post Office relating to Horizon to
have such agreements."
A. Yes.
Q. Would you agree with that?
A. Yes.
Q. "The same level of diligence was (and is) applied to all
incidents, whether an SLA was relevant or not."
That's Mr Parker's evidence. Do you disagree with
it?
A. No.
Q. And then he says:
"The possibility of financial penalties was never
a factor for the SSC."
Would you accept that?
A. I don't see that as a yes or no answer I'm afraid.
There were SLAs for the harvesting of batch transactions
from the correspondence servers which I think it was
supposed to get from the correspondence server to the
bank within three days or something. Now, we were aware
that if the harvesters failed for a couple of nights in
a row then you would have a huge backlog of transactions
which you were then -- we were aware that Fujitsu was
facing or could potentially have faced penalties for not
getting those transactions through in time.
Q. Right.
A. So there was perhaps -- we were aware -- I wasn't
involved in the work of getting those transactions
through, that was not my area of technical ability, or
whatever. So -- but there was the awareness that
certainly if we managed to get them through in time then
we would save Fujitsu a lot of money.
Q. So that's the £25 million reference --
A. That was an example, yes.
Q. -- that you give.
So let me get this straight, because there's
a danger of a false impression being given by your
evidence, both in paragraph 12 of your first statement
{E1/7/2} and indeed in the paragraph of your second
statement we have just read out. You are not talking,
are you, about pressures on the process by which
problems being reported in to the third line of support
would be investigated, that could affect branch
accounts; you're not talking about those things at all?
A. They -- they were also -- we were aware of the penalties
for those but not to -- the pressure wasn't as great for
those.
Q. What penalties were you aware of in relation to problems
coming into the SSC?
A. The problems regarding the counters coming into the SSC
you're thinking of now, or ...? Because these other
problems for the servers, the harvesters, they would
come into the SSC as well.
Q. But those problems won't have any impact -- I'm sorry,
I'm being slightly unfair to you, Mr Roll. This entire
extraordinary trial process that we're engaging in --
A. Sorry, yes.
Q. -- is about whether branch accounts generated by Horizon
were accurate or not, or reliable or not.
MR JUSTICE FRASER: Why is it an extraordinary trial
process?
MR DE GARR ROBINSON: Because it's so large and I don't mean
that in any critical way. I probably shouldn't have
used that word.
MR JUSTICE FRASER: The group litigation.
MR DE GARR ROBINSON: Yes. In my experience it is unusual.
This is my first GLO, your Lordship may have noticed.
So my concern is the process by which the work that
was done in the SSC to investigate problems with Horizon
that might have had an impact on branch accounts.
A. Mm-hm.
Q. And it's fair to say that's the concern of most of the
people sitting in this court today. And so when one
reads your witness statement, one's natural reaction --
and I don't mean this as a criticism, but one's natural
reaction is to think that that's what you are talking
about. The impression that I'm getting from what you
are saying now though is that you are not saying that
the service level agreements, which may have had targets
for harvesting data for banks and so on and so forth,
you're not saying that those service level agreements
created a perception within the SSC which caused people
in the SSC to think that when they were investigating
problems that might have an impact on branch accounts,
they would have to do a quick job and not do a proper
job?
That's an extraordinarily long question and if you
would like me to make it shorter I'm happy to do so but
if you've got my point then I would invite you to answer
it.
A. From my recollection there was pressure if you
weren't -- if you couldn't pinpoint the fault in the
counter, the problem with the data, whatever, then there
was -- you know, there was the -- there was pressure put
on you, you were asked "How was it going? We need
an answer", which was a degree of pressure.
Q. Well, you use the phrase "there was a perception", you
use the impersonal. One often sees that phrase used.
Are you saying that you, Mr Roll, physically were aware
that there was an SLA that had the effect that the SSC
couldn't or shouldn't properly investigate any bugs that
might affect branch accounts?
A. We were aware that there was an SLA and that we had to
investigate within the timescale.
Q. And was there a perception -- because I'm going to
suggest to you that there wasn't, Mr Roll -- was there
a perception that this SLA of which you were aware meant
that you couldn't do your job properly?
A. I felt that that might be the case in some areas.
Q. You felt that it might -- this is -- how strong and
accurate is your recollection of all of this?
A. Vague.
Q. I see. Well, let's --
A. And this is another -- sorry.
Q. No, I think it was me talking over you, Mr Roll.
A. This is another one of those things where I had
a feeling that things weren't right, but --
Q. But it's difficult at this remove in time to put your
finger on it?
A. Yes.
Q. Well, let me continue with paragraph 44 of Mr Parker's
statement {E2/11/12}:
"I do not understand what Mr Roll means when he says
that 'any discrepancy in the Post Office accounts had to
be resolved speedily' ... there was (and is) a process
run by the management support unit ..."
Do you remember the MSU?
A. Now you mention the term, I do remember the term.
Q. But nothing else?
A. No.
Q. "... which involves examination of various system
reporting and may result in business incident management
service ... entries going to Post Office."
Was that true? Is that in your recollection?
A. I don't remember.
Q. "An incident may also be raised by MSU with the SSC to
provide support to the MSU in resolution of the BIMS."
But you probably can't comment on that either.
What he is talking about here is various systems
reporting. It may be consistent with what you were
talking about before about harvesting. He is not
talking though about the identification and fixing of
coding issues in Horizon that might impact on branch
accounts.
A. Mm-hm.
Q. Are you aware of any case where there was a contractual
pressure on Fujitsu to speed up that process or to deal
with that process in a given space of time?
A. I don't remember any specific details, no. I don't, no.
Q. Then he says:
"These are subject to service level agreements and
Mr Roll may be referring to this process. However, if
Mr Roll is suggesting that Fujitsu routinely rushed out
fixes or work-arounds due to SLA time pressure, that is
not the case."
Mr Roll, I would like to give you an opportunity to
say that you are not suggesting that.
A. Which paragraph are we looking at now?
Q. Paragraph 44, last three sentences. It's the sentence
beginning:
"However, if Mr Roll is suggesting that Fujitsu
routinely rushed out fixes or work-arounds due to SLA
time pressure, that is not the case."
I'm inviting to you say that you are not suggesting
that this is the case.
A. I would agree with what Mr Parker has put here, yes, and
it is wrong to suggest that they were not done properly
because of SLAs.
Q. Thank you.
Then would you also agree with what he says in the
next sentence, "fixes would be expedited based on
service impact"?
A. Yes.
Q. And would you agree that "it would be quite wrong to
suggest that they were not done properly because of any
SLAs"?
A. No, the fixes would be done properly.
Q. Thank you.
Then if we could go back to your second statement,
paragraph 15, it's {E1/10/5}. To save time could I ask
you simply to read paragraph 15 please.
(Pause).
A. Yes.
Q. First of all, you say:
"The test team felt they were under enormous
pressure to complete the testing within certain
timescales which negatively affected the test regime."
That's quite a bold claim. The testing wasn't your
team, was it?
A. No, they were on the same floor as us, some of them.
Q. So you're talking about your recollection of -- would it
be fair to say office gossip?
A. Yes.
Q. From 15 or 19 years ago?
A. Yes.
Q. How many conversations of this sort did you have during
your time at Fujitsu?
A. I don't recall.
Q. Was it a view that was expressed by the entire test team
on a regular basis, or was it something that was said to
you by one or two people a couple of times?
A. My recollection is that the majority of the team felt
pressured.
Q. The majority of the team felt pressure. What did they
say about this pressure? What did it make them do?
A. I can't remember.
Q. Budget restrictions, you refer to them in paragraph 15.
What did you know about Fujitsu's budgets, Mr Roll?
A. ICL were bought out or taken over by Fujitsu and at the
same time an American company was taken over as well.
ICL were not, from my recollection, were not very
profitable at the time and nor were the American
company, so shortly afterwards when Fujitsu couldn't
turn them around they were merged into Fujitsu. There
were lots of redundancies. My recollection is that the
Horizon project, which I seem to remember had originally
been a joint DSS project but they had backed out, the
Post Office went with it on their own, my recollection
is that Horizon was the only profitable part of Fujitsu
at the time.
Q. And consistently with Horizon being profitable, there
were no redundancies in the SSC when the takeover
happened, were there?
A. No. I think one or two people were a bit worried there
might have been, but there weren't. There were
redundancies in the test team from what I remember.
Q. There were redundancies in the test team? I'm not in
a position to deal with that point now.
MR JUSTICE FRASER: What year are we talking?
A. 2002 maybe.
MR DE GARR ROBINSON: Could I just advance some general
propositions and see if you will agree with me.
Isn't it the case that Fujitsu had every incentive
to make the support operation work, to minimise the
problems requiring changes and to minimise the problems
requiring fixes down the line; wouldn't that be right?
A. Yes.
Q. It would be more expensive in the long-run for a company
such as Fujitsu to do the support work badly than it
would be to do it properly, wouldn't it?
A. Yes.
Q. That's a statement of the obvious.
And the £25 million that you referred to, that
was -- bearing in mind the focus that this trial has,
that has no bearing on the kind of transactions that
we're talking about, does it?
A. No, that was the servers and the batch transactions.
Q. Okay. If we could just move on to Mr Parker's second
witness statement at paragraph 24 at page 7 {E2/12/7}.
I would like to suggest to you -- I'm going to read out
passages and invite you to agree or disagree, Mr Roll.
At paragraph 25 {E2/12/8} he refers to paragraph 16
{E1/10/5} which we have been looking at from your
statement:
"At paragraph 43 of my first witness statement
I explained that the possibility of financial penalties
or service level agreement breach was never a factor
which affected the diligence with which SSC would
investigate an issue."
I have already put that to you:
"By way of further explanation ..."
Then he talks about schedule 15 to the service level
targets for Horizon services and perhaps I could invite
you to read paragraph 25.1 to yourself.
(Pause).
A. Yes.
Q. At the time had you ever seen this document?
A. No.
Q. Were you aware of what was in it?
A. Not directly, no.
Q. Then he says:
"There were no specific financial penalties relating
to the SSC processing of incidents."
And then he quotes some text from the service
description.
Did you know that at the time?
A. No. This is the 2005 version, is it, 30 November 2005.
Is this -- was this -- is this the same as when I was
there in 2004?
Q. I believe so, yes. Mr Parker is nodding at me.
A. Right. My recollection is that incident processing,
some incidents weren't subject to SLAs but the ones
I have already mentioned, the harvesters, were, and that
some of the financial data from the counters --
Q. But not incidents of the sort that this trial is
concerned with, perhaps I could ask you that. You
weren't aware that there were any --
A. No.
Q. -- SLA targets which related to the incidents with which
we are concerned in this trial?
A. No.
Q. Thank you. Then I can skip over paragraph 25. Let me
finish with 25.4 {E2/12/9}:
"The SSC had operational targets to turn incidents
around based on an order of priority. As explained in
paragraph 22 above, if an issue was causing a financial
impact in a branch's accounts, it would be treated as
high priority ..."
Stopping there, Mr Roll, would you agree with that?
A. Yes.
Q. "... and high impact by SSC."
Would you agree with that, it would be treated as
high impact?
A. Yes.
Q. "However, any increase in priority would not adversely
impact the diligence with which work was done."
Do you agree with that?
A. I still feel that some work was rushed. I can't tell
you why, but I feel that.
Q. Very good and I won't -- I don't wish to discuss your
feelings on the point any more than we have already.
Let's just talk briefly about getting fixes out.
If I could go to paragraph 13 of your first statement
please {E1/7/2} and again to save time let me just ask
you to read that paragraph.
A. Sorry, which paragraph is that?
Q. Paragraph 13 at the bottom of the page.
A. 13, thank you very much.
(Pause).
Yes.
Q. First of all, the need for multiple upgrades, that's
normal in any IT infrastructure of this sort, isn't it?
A. Yes.
Q. The fact that there were a limited number of time
windows, that's also normal for any large IT
infrastructure of this sort?
A. Yes.
Q. These things are unavoidable given the scale of the
Horizon system, aren't they?
A. Yes.
Q. Then you say:
"... there could be six weeks delay before a fix
could go out, and during that period Post Office
branches could continue to be affected by the coding
issue."
But you would accept, wouldn't you, that if there
was an urgent fix dealing with a high priority, high
impact problem, that would generally be treated as an
urgent matter requiring a hot fix; would you agree with
that?
A. Yes.
Q. Urgent fixes were expedited, weren't they?
A. Probably within two or three days from what I remember.
Q. And that's just normal -- what you are describing
here -- the impression might not be coming through from
paragraph 13, but actually what you are describing is
the normal operation of proper risk management process
in a commercial business, isn't it?
A. Yes.
Q. Thank you. And then you say:
"... there could be six weeks delay before a fix
could go out, and during that period Post Office
branches could continue to be affected by the coding
issue."
Let me just make it clear, Mr Roll, if you had
identified a coding issue that was affecting branches
and if there was a period of time between identifying
the problem and getting it fixed, however long that time
was, Fujitsu had in place a mechanism by which all the
branches that would pop up being affected by that
problem would be identified; that's right, isn't it?
A. Over time, yes.
Q. So the fact that there was a gulf in time, however big
or small the gulf might be, between spotting the problem
and getting a fix released onto the entire network,
regardless of how long that period of time was, the
postmasters that would be affected by the problem in the
meantime would be identified so that they could be
sorted out; would you agree with that?
A. Yes.
Q. Thank you. Then you say:
"I also recall situations where software developers
worked on a coding fix which was then sent out, however
the bug reappeared several weeks later because, it
seemed, the IT team responsible for developing upgrades
had been working on an older version of the
software ..."
Mr Roll, I don't know what you are referring to.
Are you seriously suggesting that there were times when
the development team would actually be looking at
a historical version of the Horizon software?
A. Yes.
Q. Really?
A. Yes.
Q. How is it that happened, can you explain?
A. My understanding of this was that the development team
had the current version of software and they were
working on that, a bug -- a coding bug was then
identified, a hot fix was written and sent out, but it
wasn't implemented onto the code that the developers
were using, so six months later when this new batch of
code went out it overwrote the hot fix that had been
sent out, so then the hot fix had to be re-applied.
Q. Oh, I see, so you are not suggesting that the team would
be working on an already historical version of Horizon,
what you're talking about is regression, you're talking
about a later update undoing the good things that was
done by an earlier update?
A. Yes.
Q. I see, thank you. That did happen but it was very rare,
wasn't it?
A. It was rare but it did happen.
Q. Very good.
I would like to ask you now about hardware failures.
Could we go back to your first witness statement please,
paragraph 14 {E1/7/3}. I'm sorry, you haven't got there
yet.
A. Paragraph?
Q. Paragraph 14, page 3. It is only a sentence:
"As well as software issues, I can also recall that
there were regular IT hardware issues at branch level."
What kind of issues are we talking about, Mr Roll?
A. I'm sorry, I still haven't found the page.
Paragraph 14?
Q. Paragraph 14.
MR JUSTICE FRASER: You are in the wrong statement. We're
in your first statement.
MR DE GARR ROBINSON: It is your first witness statement,
Mr Roll.
MR JUSTICE FRASER: It doesn't have any red on it.
A. I'm sorry.
(Pause).
Yes.
MR DE GARR ROBINSON: What kind of issues are you talking
about?
A. Hardware issues could have been keyboard failure, or
a hard drive failure. "Software" here I mean --
Q. I don't need to ask you about that otherwise we will be
here forever and it is not your fault, I just ...
So you're talking about those kind of issues and you
say "regular". Later on in your second statement you
say that you personally received one of these about once
a month, yes?
A. That's what I was thinking, yes, when I ...
Q. And would that be reflective of what other people at
your level of seniority in the SSC team were also
receiving?
A. I don't know.
Q. You don't know. I was going to take you to numbers, but
I won't. Let me move on instead to your second witness
statement, the one with red in it. It is E1, tab 10 and
I would like to ask you a couple of questions about
paragraph 6 {E1/10/2}. This is all under the heading
"Hardware failure". It is on page 7.
You talk about hardware failures in paragraph 5 and
you say:
"I would estimate that I was involved with
a hardware failure on average at least once a month.
These problems could and did affect branch accounts."
How would they affect branch accounts?
A. I can't remember.
Q. Then you give an example:
"The most extreme case that I can recall was
a complete failure of a counter to communicate with the
server, which required the server to be removed to the
SSC so that the data could be recovered, and
a replacement counter installed in the sub-post office.
Prior to the problem being identified, data could be
accumulating on the counter without it being replicated
to other counters or the correspondence server."
This is something you experienced personally, is it?
A. Yes.
Q. And do I infer from your use of language that this
happened to you once?
A. I remember one specific instance fairly clearly when it
happened.
Q. Do you remember any other instances? Can you say for
sure that there were any other instances?
A. No.
Q. So it may well be that this happened only once in your
four years at the SSC, is that right?
A. For me, yes.
Q. You are talking about stuck transactions, aren't you,
what we saw on a PEAK yesterday, marooned transactions,
yes?
A. In this instance because the counter couldn't
communicate at all, well, yes, they were marooned
transactions. It was just very difficult to get them
off.
Q. And the way to get them out was to move the machine from
the branch to the SSC so that it could be downloaded, is
that right?
A. Very briefly, yes.
Q. You say -- it is a phrase in paragraph 6 I would just
like to ask about. You say:
"Prior to the problem being identified, data could
be accumulating ..."
Why do you say could be rather than was? Was it not
clear whether that was happening or not?
A. Sometimes you may not have been aware -- if the counter
hadn't been switched on for a while then data might not
be actually accumulating, there might not be any stuck
transactions on it.
Q. When there is a stuck transaction on a machine, that is
something that's going to get identified as night
follows day, isn't it, and spotted?
A. Eventually, yes.
Q. It's not something that's going to be missed and just
allowed to lie there? Fujitsu itself --
A. It would be spotted.
Q. Fujitsu itself would spot that this was happening?
A. Eventually, yes.
Q. From its own monitoring, yes?
A. Yes.
Q. So that's one example of a hardware failure that could
affect branch accounts because a transaction is stuck on
a machine and isn't getting through to the system and
the truth of the matter is that was in an extreme case
that was very rare, yes?
A. Yes.
Q. And when it did happen it would be spotted and it would
be fixed in the way that you described, yes?
A. Yes.
Q. Then in paragraph 7 you say:
"I recall there were also PIN pad problems which
caused issues in branches, and problems with other
peripheral devices such as keyboards which only occurred
intermittently, although I cannot recall the specific
detail of these now."
Can I just get this out of the way quickly now.
PIN pad problems, those are not problems which could
affect branch accounts, are they?
A. I don't recall what the problems were with them or how
they affected the system.
Q. And problems with other peripheral devices such as
keyboards, they wouldn't affect the branch accounts,
would they?
A. Probably not, no.
Q. And then you come to paragraph 8 which I think is the
example that you tried to give earlier when we were
discussing -- and let's see if we can finish this off
before lunchtime. Could I ask you to read paragraph 8
please, Mr Roll.
(Pause).
A. Yes.
Q. So you are describing there a problem that was
spotted -- it's the kind of problem that's always
ultimately going to be spotted, isn't it?
A. This particular problem, no, it -- I don't think any of
the other counters that were affected had the problem,
because most postmasters don't bother turning the screen
off, to save the screen, it's ... so ...
Q. So you're saying it's very rare?
A. It's very rare that it would have been spotted.
Q. And it's to do with a mobile post office which makes it
even rarer --
A. Yes.
Q. -- because they are a tiny proportion of the branch
network, yes?
A. Yes.
Q. So we're talking about a tiny, tiny incidence, a tiny
problem, but my question wasn't about how frequent it
was, my question was it's a problem when it does arise
that's always going to be spotted?
A. I don't know if it would always be spotted. If it
was -- caused a problem at one point then it might be
that it would be 24 hours before the system fixed
itself, in which case it might not actually --
Q. I see. So if the problem caused a persistent failure to
replicate, that is a problem that --
A. Yes.
Q. -- was always going to be spotted?
A. Yes.
Q. So when you say it wouldn't necessarily be spotted,
that's because the system itself might deal with it
appropriately?
A. Yes.
Q. But if it didn't, it was always going to be spotted?
A. Yes.
Q. Very good. And in this particular case the problem was
spotted and the data was replicated, yes?
A. Yes.
Q. And again, that would always be the position,
wouldn't it: once the problem is spotted this is very
easy to deal with?
A. In this case, yes.
Q. Well, in all cases of this sort, yes?
A. Yes.
Q. Thank you.
Then Mr Parker deals with that in paragraph 7 of his
second statement, that's {E2/12/3}. Could I ask you to
read paragraph 7 to yourself. It is quite long.
(Pause).
A. Yes.
Q. Have you read that paragraph before?
A. Yes.
Q. And have you looked at the PEAKs that Mr Parker refers
to?
A. Yes.
Q. And are those the PEAKs that actually describe the case
that you are talking about?
A. Yes.
Q. Very good. The well, let's have a quick look at those
PEAKs. The first one is at {F/197}. So this is
PC0100174. It happened on 4 March 2014 and the summary
says "Kit rebooting itself for no apparent ..."
And I think it must mean "reason". And you will see
from the bottom of the first large paragraph:
"Information: contacted SSC and spoke to
Richard Roll."
So you are the contact man for this and later on
down the page, three boxes up from the bottom,
1 March 2014 at 16.56 and 40 seconds, Barbara Longley
assigns this to you.
If we go over the page {F/197/2} there's
a description of the problem. Perhaps we can pick it up
at 5 March at 10.50, about nearly halfway down the page:
"Evidence (from event logs) shows that the power is
being switched off every morning shortly (ie 5 or 6
minutes) before the [postmaster] logs on."
So that was the problem?
A. Yes.
Q. Then if we go three boxes down, 5 March at 12.09, this
is you:
"After carrying out tests on our rigs ..."
Stopping there, what rigs are you talking about?
A. I think we had three mobile test rigs in the -- on our
floor.
Q. So you are not testing the postmaster's equipment, you
are testing your own equipment, the sample equipment?
A. Yes, this was in Scotland I think.
Q. So very properly you go and look at the rigs and you
test them, and you say:
"I have been able to duplicate the problem here on
one of our rigs."
So did you say there were three --
A. I tested all three and it only happened on one.
Q. "It seems that the screen power button is incorrectly
connected to the motherboard, operating the power switch
turns off power to the entire unit, not just the screen.
We have now identified two instances of this, one in
live. This is a hardware build quality issue."
So you clearly flag this as a hardware issue.
A. Yes.
Q. And then in the next box it says:
"Responded to call type L as category 70 - Avoidance
Action Supplied."
What did that mean?
A. I don't know.
Q. Then you say a little further down:
"Defect cause updated to 42:Gen - Outside Pathway
Control."
A. I don't know.
Q. Doesn't it mean that it's a hardware issue that's the
responsibility of another --
A. Probably, yes.
Q. -- institution that deals with hardware?
A. Probably, yes.
Q. If we could then move on there's a second associated
PEAK, Mr Roll, that's at {F/201/1} --
MR JUSTICE FRASER: Is this just a two-page document, this
one?
MR DE GARR ROBINSON: It is four pages. The last one was
a two-page document, my Lord, yes.
MR JUSTICE FRASER: The last one was.
MR DE GARR ROBINSON: I'm so sorry, I didn't understand your
question.
Right, this is PC0100899. This one is dated
21 March. The summary refers to the branch and it is
the same -- you can take it from me, it's the same
branch number, FAD number.
The first big box, about four lines down,
17 March 2004, so that's 12 days after you had spotted
the problem on one of your three test rigs:
"SSC request base unit is removed and sent to
Bracknell for investigation."
So you asked for the postmaster's mobile laptop to
be physically removed and brought to you?
A. Yes.
Q. Then if we move down to the next box, 18 March, 15.55,
about four lines down:
"Recommend: base unit (node 1) to be swapped for
investigation purposes."
What did that mean?
A. Bring it back to Bracknell so we could look at it.
Q. Very good. And about halfway down that same box, if you
could look at the screen, it says "Recommend" and in
capitals:
"PLEASE SWAP MOBILE UNIT AND RETURN TO SANDIE
BOTHICK FOR PROGRESSION TO SSC."
Who was Sandie Bothick?
A. I can't remember.
Q. Then over the page {F/201/2}, on the first big box it
says, you can take it from me, that the engineer has
arrived at the site and the unit will not arrive in
Bracknell until later in the week. Towards the bottom
of the page, page 2, 18 March 16.04 Barbara Longley
assigned it to you.
Then on page 3 {F/201/3}, 24 March at 2.15 and
25 seconds it is recorded that you record that the base
unit is received, do you see that? It is the
penultimate box, Mr Roll?
A. Yes.
Q. And then I would like to then go to the last box on that
page:
"Tests carried out on screen power switch - working
correctly, no further action required."
So does that -- I mean the impression I get from
reading this is that although you had found this problem
on a test rig, in fact it wasn't a problem that was
affecting the laptop that was used in the
subpostmaster's branch. Would that be right or wrong?
A. No, it was affecting it. You didn't necessarily put
these in, enter the data as it happened, if you like.
So the base unit would have arrived, I worked on it and
then I went and -- so I changed the switchover so it
worked properly and then we put it back into stock and
then I filled the data in on that.
Q. I see. So we have a batch of faulty laptops and then if
we go back to paragraph 8 of your witness statement, at
the bottom of page 7 that's E1, tab 10, page 7, you say:
"When I raised this with my manager, Mik Peach, he
initially told me not to do anything until he had spoken
to someone about this."
Who would he have spoken to about it?
A. I don't know.
Q. It would have been the people who were responsible for
hardware issues, wouldn't it?
A. Probably.
Q. So you raised the problem with him and he said "Hang on,
I will just speak to the responsible people", would that
be a fair way of describing what you are saying?
A. Yes.
Q. And then you say:
"Mick did subsequently talk to the hardware team.
They were responsible for ensuring that ..."
A. I'm certain it was them that he spoke to.
Q. And then you say:
"At which point I found out that this was a known
problem."
Is that what Mr Peach told you?
A. At some point I found out that there were several units
out there that had been changed. I'm not sure if it was
Mik Peach that told me or if somebody else told me from
the hardware team, I can't remember.
Q. Well, it is quite important, bearing in mind the
impression given at the end of this witness statement.
Can you really not remember whether Mr Peach was aware
of this?
A. Mr Peach was aware of it at some point, that he knew.
Q. And would it be fair to infer that he probably knew
because he had spoken -- if this is true he would have
spoken to the hardware team about it?
A. Yes.
Q. And then you say:
"No one outside the team responsible for building
the laptops had been informed of this, which meant that
I had spent several days investigating the problem."
Is this why you remember, because you were cross?
A. Yes.
Q. "Whereas the subpostmistress in this case was provided
with a replacement laptop, knowledge of this problem was
kept within the departments concerned and the batch of
faulty laptops was not recalled."
Are you saying that there was prior knowledge in the
hardware team of the problem and the hardware team had
not recalled the faulty laptops?
A. Yes.
Q. Is that what you are saying? And what was your source
of knowledge for that?
A. I was told there were several laptops that had the
problem on them that had actually gone out into live --
into the estate.
Q. How did the hardware team know that the laptops had
problems with them given that they had already been
distributed out? You're not suggesting that the
hardware team identified a problem with a laptop and
then sent it out to branches, are you?
A. No, I think what happened is that they suddenly realised
they made a mistake at some point but by that time
several had already gone out, so then they were able to
fix the ones they had ...
Q. And you're saying they didn't recall the others. And do
you know how many we're talking about?
A. No.
Q. Could it be two, could it be one?
A. It could have been two, it could have been half a dozen.
Q. So that's the period leading up to the point when the
SSC gets involved and you write two PEAKs saying "There
is faulty hardware here". Are you in a position to
say -- or are you claiming that once Mr Peach had spoken
to the hardware team, that remained the position, that
the hardware team continued to not recall these units?
A. I don't know what happened after that.
Q. Isn't it fairly obvious that once someone quite senior
like Mr Peach from the SSC had spoken to the hardware
team, the people involved would very quickly have
thought "Good gracious me, I had better recall these
outstanding laptops"; would that not be a fair inference
as to what happened?
A. My inference from this was that it was kept in-house and
as a favour and that: okay, we know it happened, it's
not going to happen again, it was very limited impact,
it's having probably no impact on the estate, so it's
not worth recalling the laptops.
Q. You say "inference" and that's a fair word to use
because it's a word I think I put to you, but you are
not saying, are you, that you were told by anyone that
after Mr Peach had told the hardware team of the problem
that was being encountered, you're not saying that you
know that the hardware team continued to sit on their
hands and not call the laptops back?
A. Something at the time made me certain that was what was
going on.
Q. Something at the time made you certain?
A. Yes. I don't know why I've got that certainty in my
mind, but -- and then I was told to put minimal details
on that last -- the last PINICL.
MR DE GARR ROBINSON: My Lord, two more minutes and then we
break, would your Lordship give me some indulgence?
MR JUSTICE FRASER: I will on this occasion give you the two
minutes.
MR DE GARR ROBINSON: I'm grateful.
This looks as if it might be quite a serious
allegation. It is one you have just made by this
amendment that I received at 10.30 yesterday morning.
A. Yes.
Q. You say:
"I was told by Mik Peach not to include any details
of this when I closed the PINICL."
Which is the predecessor of PEAKs. That's
an extraordinary -- are you suggesting, Mr Roll, that
the manager of the SSC -- which that's a senior
position, isn't it?
A. Yes.
Q. It's a senior management position?
A. Yes.
Q. That he took the view that the hardware team having done
this thing that was bad, having allowed bad laptops to
remain in circulation, he also took the view that the
hardware team should be protected from any criticism and
they should be allowed to continue the process under
which those laptops remained in circulation?
A. I've got no idea what view he took, but I was asked --
or told rather not to put -- not to include too much
detail in that PINICL.
Q. Why? Did he tell you why?
A. I can't remember.
Q. What conceivable motive would someone like Mr Peach have
to affect the record in this extraordinary way?
A. The only motive I can think is that if he was friends --
close friends with another manager on the same level and
that manager had covered up something in his department
then Mik Peach out of friendship and as a favour might
have decided that it wasn't worth -- having passed the
information on to his manager -- the other manager, it
was then his responsibility what to do with it. I got
the impression nothing was going to be done with it
because of what I was told, but I might be wrong.
Q. Well, Mr Roll, I had thought that when I asked you
questions about this you would rather retreat from the
allegation that Mr Peach -- who obviously isn't here to
defend himself -- did this thing. Are you saying that
it is within your knowledge that Mr Peach was a friend
of the person who was in charge of the hardware team?
A. No.
Q. So that's speculation?
A. That's speculation.
MR JUSTICE FRASER: But to be fair to the witness,
Mr De Garr Robinson, you did put the question what
conceivable motive might Mr Peach have, which is in any
case inviting speculation I think.
MR DE GARR ROBINSON: That's true.
But that's all you have, you have no basis for --
A. No.
Q. No other basis for thinking that Mr Peach would --
A. No.
Q. The extraordinary thing about this, Mr Roll, is you
accept, don't you -- and these are my last questions --
you accept, don't you, that it is not in anyone's
interests, it's not in the SSC's interests for these
faulty laptops to remain in circulation; you accept
that, don't you?
A. The only people who would have an interest in this would
be the person who might be sacked for trying to cover it
up in the first place.
Q. So it is not in the interests of the SSC team that they
remain in circulation?
A. No.
Q. It's not in the interests of Fujitsu that they remain in
circulation?
A. No.
Q. You say it could be in the interests of the person who
was responsible for not having pulled them back, but if
the machines remain out there in circulation, that just
increases the likelihood of that person ending up being
sacked, doesn't it? Isn't it in that person's interests
to get these damn machines back as quickly as he or she
can?
A. Yes, then that would -- yes, it would be.
Q. But you do maintain, do you, that you think that person,
whoever it was, didn't do that?
A. That was the impression I got at the time, yes.
Q. The impression from whom?
A. I can't remember, but that is how I -- that is what
I think happened. You might be right though, you could
be right there that -- I was I suppose basing my
presumption, which is what it was basically, on the
thought that to have to recall the laptops would expose
the person to, you know, "Why were you recalling them?",
but as you have just pointed out it would probably have
been better to recall them and then not have to worry
about them sitting out there and potentially causing
a problem later.
MR JUSTICE FRASER: Right. If you are going to pursue this
any further you can do it at 2.15. We really have to
try and finish at 1 for the shorthand writers, really.
It's not for any personal convenience.
Right, we are going to come back at quarter past 2.
You are still in the witness box. You mustn't talk to
anyone about your evidence. And I will see everyone at
2.15.
(1.15 pm)
(The luncheon adjournment)
(2.15 pm)
MR DE GARR ROBINSON: My Lord, good afternoon.
MR JUSTICE FRASER: We have to stop at 4.30.
MR DE GARR ROBINSON: I'm conscious of the need to speed.
I'm going to move on to remote access now, Mr Roll.
Could I ask you to go to paragraph 15 of your first
statement which is at {E1/7/3}. You said:
"During the course of resolving software issues ..."
And I asked about software issues. You said:
"... we would frequently access a Post Office
counter IT system remotely. An example of a relatively
common problem that arose was when a binary bit would
'flip' thus a '1' became a '0'."
I want to ask you what you are talking about when
you describe that phenomenon and I want to ask you
whether you are talking about what Mr Parker talks about
in paragraph 55 of his witness statement, so could we go
to bundle E2 behind divider 11 please. It is at page 15
{E2/11/15} and perhaps I could ask you to read
paragraph 55 through and stop at the end of 55.4.
(Pause).
A. I have read that page.
Q. Very good. When you are describing what you describe in
paragraph 15 are you referring to the condition known as
CRC errors?
A. This problem would probably cause -- would cause a CRC
error.
Q. And would Mr Parker be right when he says at the end of
paragraph 55.1:
"To clarify, this process did not involve changing
any transaction data."
In accordance with the definition we have discussed.
A. This error would occur in a line of transaction data.
Now, every digit, every character in that transaction
data is made up of bits, binary bits. So an A --
I don't remember the full binary code for it, but it
might be 101010 for instance. Now, times that could
flip so it would become 110 or whatever, one of the
digits would change. That character would then cease
becoming an A and might become a non-principal character
or an ampersand or something. That would then cause
a CRC fail because the data wouldn't be -- it wouldn't
add up.
To correct that when we detected that what would
happen at that point is that that message store would
then stop replicating. So transactions would then start
accumulating on the message store after that point.
We could copy the data that had been -- we could
copy the message store off that counter intact, from
what I remember, so we would get all of it off.
Q. Yes.
A. You could then identify the line that was broken, for
want after better word, and by looking at it, it was
quite obvious then which character was wrong, if it
was -- if it should have been an angle bracket, it was
something else, so you could then correct that in a text
editor. And basically you could then put that
transaction back in to the message store and then copy
the rest of the data back on top of it that you had
taken off, so you have corrected that particular line of
code. So in this instance we have rewritten a line of
code into the message store to correct it.
Q. Mr Roll, I want to distinguish now between inserting
individual transactions into a message store -- which
you could do and you have read the witness statement so
you know it is accepted that you could do that. I want
to talk though about the process that you appear to have
describing here. It's not possible, is it -- if there's
data on the message store, it's not possible for you to
gain access to the message store in Riposte and alter
any line of transaction data? It's physically
impossible to do that, isn't it?
A. The way I understand it and what I believe is that if
that data hadn't been replicated, if it was on a single
server -- sorry, a single counter, if we took that data
off and deleted some of it, we could possibly then have
created something else and put it on and then by
importing it into Riposte it would then have rewritten
the cyclic redundancy check correctly so it wouldn't
have flagged an error.
Q. Mr Roll, you started by explaining a situation where
transactions are stuck on a particular counter and they
are not replicating.
A. Yes.
Q. The moving of the bit from 1 to 0 is what you could do
remotely in order to unlock the counter so that the
replication process would occur as normal?
A. Yes, but to do that we would have to delete -- from what
I remember, we would have to delete the existing data,
including the broken line of data, and then import the
data back into the counter, so we were writing code into
the message store remotely.
Q. Mr Roll, I'm asking you about the process by which you
unlock a counter so that it is able to replicate onto
other counters.
A. Yes.
Q. And what I'm suggesting to you is that the process of
doing that does not involve changing/editing any actual
transaction data, any -- as we have discussed -- data
that shows up in the accounts. That doesn't involve in
he changing of transaction data at all, does it?
A. I'm sorry, I'm -- I think we're talking -- I'm obviously
not understanding what you're getting at because to me
what I'm discussing is changing the transaction data.
I'm at a bit of a loss here.
MR JUSTICE FRASER: Well, you are explaining that that's the
change which happens.
A. Yes.
MR JUSTICE FRASER: Mr De Garr Robinson is either putting to
you that that physically can't happen, which I think is
one of the questions he put, or he is putting questions
in relation to something else. So he is just going to
explore that with you.
MR DE GARR ROBINSON: Could you go please to Mr Godeseth's
witness statement which is in E2 behind divider 1 and
I would like to go to page 11 please {E2/1/11}. Perhaps
we could pick it up at paragraph 35, Mr Roll. Could you
read paragraph 35 very quickly and then indicate whether
you agree with it or not.
(Pause).
A. Yes.
Q. And you agree with it?
A. Normally that's what was happening, yes, unless
something had broken.
Q. Then if we go to paragraph 37:
"All accounting at the counter was carried out based
on the data held in the message store."
That's right, isn't it?
A. I'm just reading it.
MR JUSTICE FRASER: Mr De Garr Robinson, I know that you
have slightly run out of time but you can't really rush
him too much.
MR DE GARR ROBINSON: You are right.
MR JUSTICE FRASER: You are putting 12 or 14 lines of text.
Right, have you read it now?
A. Yes.
MR DE GARR ROBINSON: So the first sentence is right,
isn't it?
A. I believe so, yes.
Q. And the second sentence:
"The Riposte product managed the message store and
it did not allow any message to be updated or deleted,
although it did allow for data to be archived once it
had reached a sufficient age ..."
A. Yes.
Q. It is correct, isn't it, that Riposte didn't allow any
transaction line in the message store to be individually
deleted or changed or edited in any way?
A. You couldn't do it through Riposte, no. You had to hack
the system to do it.
Q. So would this be right then, that it wouldn't be
possible to remotely access a counter and change the
data on the message store of that counter remotely?
A. I believe that theoretically it would.
Q. How would that be possible? Riposte wouldn't allow you
to do it, would it?
A. By doing the system that I have just said. If you
could -- without the message store replicating, so
there's no other copies of it, if you could get that
message store off, alter the data in some of the lines
of code, to do that you would need to strip out all of
the preamble and the post-amble, so you're just then
left with the basic data as if it had been on the stack
or whatever -- forgive me, I'm very rusty on this -- but
then by -- I think it was the Riposte import but it
might have been something else, you could then reinject
that data which is the process we would have used to
rebuild a counter. But if you had changed some of that
data, I think that it would then have rewritten the CRC
when it imported it so that then when it replicated, the
data could theoretically have been changed.
Q. I'm finding it difficult to follow you and it may be my
fault.
MR JUSTICE FRASER: I follow what the witness is saying but
keep exploring it.
MR DE GARR ROBINSON: I would like to distinguish though
between transactions insertions -- the process of
injecting particular transactions into the message
store, which could be done, with the process of actually
manually changing a transaction line that is in the
message store and you could insert new transactions,
couldn't you, but what you couldn't do is you couldn't
edit or indeed individually delete lines that were in
the message store itself?
A. You would have to delete all of the message -- from what
I remember, delete all of the messages down to a certain
point to the one you wanted to amend and then inject
a load more text, or insert more transactions in to make
the message store and Riposte think that it had been put
in by Riposte and by the postmaster.
MR JUSTICE FRASER: I think you can probably explore this
with the experts.
MR DE GARR ROBINSON: I think I probably should.
So if we go back to Mr Parker's witness statement
{E2/11/16}, the process that's described in
paragraph 55.4, would you agree that -- you have already
read this paragraph, would you agree with what Mr Parker
says in --
MR JUSTICE FRASER: Wait, it is not on the screen yet.
MR DE GARR ROBINSON: E2/11/16.
MR JUSTICE FRASER: Page 1 is up but 16 isn't.
(Pause).
MR DE GARR ROBINSON: Paragraph 55.4, you have read this
already. Is what Mr Parker says there true?
A. In that case, yes, no new data is added, what we have
done is correct data and put it back in.
Q. And paragraph 55, Mr Parker -- you will recall how 55 is
structured. Mr Parker is trying to figure out what you
are talking about and he suggests first of all you might
be talking about the process that's described in
paragraphs 55.1 to 55.4 and then he says:
"Alternatively, Mr Roll's reference to a binary code
flipping may relate to a configuration item ..."
And then he goes on, he gives an example of:
"... a stock unit lock which, in the wrong state,
would prevent updates to stock units within a branch.
This issue was corrected by a member of the SSC
accessing Horizon remotely, but it did not involve
accessing or editing transaction data in any way or
re-creating databases."
Is that true?
A. I can't remember that. I was not referring to that
process.
Q. Very good. And then Mr Parker says:
"I cannot think of any other examples of incidents
that Mr Roll may be referring to in paragraph 15."
And you are suggesting there is another way, the one
that you have just described, are you?
A. That's the way I remember doing it.
Q. Okay. And you continue -- if we go back to paragraph 15
of your original statement {E1/7/3} -- would you excuse
me a moment.
It is suggested to me that you may be describing
a process that Mr Parker describes in his second witness
statement; let me go to that very briefly just to see if
you are. {E2/12/12} paragraph 38.2. Let's read the
whole of 38 together. He says:
"For completeness, in the rare circumstances where
it was necessary for Fujitsu to rebuild transaction data
in Legacy Horizon, there were three possible scenarios:
"[1] when a counter failed and there was a complete
replication of that counter's transactions elsewhere,
Fujitsu simply deleted the message (transaction) store
on the faulty counter and used the standard facilities
of the Riposte software to rebuild the data from the
replicated copy. In this scenario, the branch would be
unable to use the counter while this process was carried
out ..."
Is that correct?
A. I think so.
Q. You don't have a clear recollection?
A. I don't have a clear recollection of that.
Q. 38.2:
"Where no replicated copies of the transactions
existed on the network, Fujitsu would physically
retrieve the disc from the faulty counter. The disc
should hold all of the transactions that had taken place
on the counter. At its own office, the SSC would
extract the transaction data and deliver it to the
replacement counter without amending that data."
Stopping there, is that true?
A. In some instances, yes.
Q. "The SSC would need the subpostmaster's memory card ...
to decrypt the data. This was a physical card
(a subpostmaster had two) and Fujitsu would have to
borrow one - so the subpostmaster would know what was
happening."
Is that true?
A. I don't remember the memory cards. I don't remember
that process of it.
MR JUSTICE FRASER: You might be able to save time by
jumping to the penultimate sentence of that paragraph.
MR DE GARR ROBINSON: If I could do the intermediate ones.
Next sentence:
"If Fujitsu were to change anything, it would be to
remove the envelope around the transaction data. The
envelope contains the system admin data ie the sequence
number of the data and its ID."
A. That's what I remember doing, yes.
Q. That's what you are talking about?
A. That's one of -- yes.
Q. And just now when you were describing the process that
I'm afraid rather confused me, that's what you are
talking about here?
A. Yes, that was one of the steps in it.
Q. Thank you. And then it says:
"Fujitsu would not change the transaction data
itself and in removing the envelope data, they would
simply be allowing the system to automatically renumber
the transactions when they were reinserted."
Is that what you are talking about?
A. Effectively, yes, but this is where -- if it was that
transaction data that had the corruption in it then all
we would do is correct it to put it back to what it
should have been, so in that instance -- in that effect
we're not changing the data, we're merely correcting it.
Q. Well, my suggestion to you will be that you never and
would never manually change a transaction line of data
that a postmaster had keyed in. That's just not
something SSC would ever do.
A. The process I have just described is something we did,
as far as I remember it.
The process of actually changing a line of code to
change it from £100 to £10, we would never have done
that.
Q. So -- I mean Mr Parker says -- let's go back to this
sentence:
"Fujitsu would not change the transaction data
itself and in removing the envelope data, they would
simply be allowing the system to automatically renumber
the transactions when they were reinserted."
I'm suggesting to you, Mr Roll, that that's the most
that anyone at the SSC would ever do in terms of
changing transaction data?
A. That's not my recollection of it. It was a long time
ago though.
Q. And then he says:
"Ultimately, when the counter was replaced at the
branch the subpostmaster would be able to see what
Fujitsu had done."
Is that true?
A. Again, my understanding is that in certain circumstances
the data would be indistig ... sorry.
MR JUSTICE FRASER: Indistinguishable, is that what you are
trying to say?
A. Yes. Yes, my Lord.
MR JUSTICE FRASER: You couldn't tell the difference?
A. You couldn't tell the difference. The postmaster
wouldn't be able to tell the difference from data that
he had entered as he was scanning a stamp or whatever
and to what we had put in. That's my understanding --
my recollection.
MR DE GARR ROBINSON: Well, I suggest to you, Mr Roll, that
no one at SSC would ever manually change a line of
transaction data and then reinsert that transaction data
into the message store of any branch. There might be
occasions when new transactions were inserted, but it
was more than the job of an SSC member was worth to
actually start mucking about with lines of existing
transaction data.
A. Can I say that we were not "mucking about" with lines of
transaction data. We were trying to rebuild counters.
If I can take the instance after single-counter
post office where one of the lines of data had been
corrupted. Without correcting that corruption and then
reinserting it, if the corruption remained then that
line of data would have continued to cause problems.
Q. Well, you have heard the case I have put to you. Could
I ask you this -- well, actually, can I please ask you
to go to E2/13/4, which is the third witness statement
of Mr Godeseth. Page 4, paragraph 17. Perhaps I could
ask you to read that.
A. Sorry, paragraph 17 was this?
Q. This is where Mr Godeseth is referring -- I don't have
time to take you to the underlying PEAKs --
MR JUSTICE FRASER: We are in Parker 3.
MR DE GARR ROBINSON: We should be in Godeseth 3, E2,
tab 13. I'm so sorry, it should be {E2/14/5}. Could
I ask you to read paragraph 17 please.
(Pause).
A. I have read that, yes.
Q. Might that be what you are talking about?
A. No, I don't recognise this.
Q. So are you in a position to confirm what Mr Godeseth
says or not?
A. No, because the data that -- I'm unsure what BRDB refers
to --
Q. I'm so sorry, that's Horizon Online.
A. -- but the data would have been transaction data that we
could have been changing, from my recollection of it.
Q. Then the process you are describing in your witness
statement -- you say that you would -- I'm looking now
at paragraph 15 of your first statement {E1/7/3}, you
say that you would contact the branch and arrange for
them to stop using the computer for a limited period of
time. You would then log on to the branch's system,
download all the data from the relevant computer. Now,
stopping there, when you say "log on to the branch's
system", which system are you logging on to?
A. Sorry, we would log into the counter that was faulty.
Q. When you say log into it, you wouldn't physically log
into the counters, you wouldn't be in control of the
counters, would you?
A. The counter had to be switched on -- my recollection is
that if the postmaster hadn't logged on then we could
log on with our ID to access the message store and the
Riposte system. In that instance there would be an
audit trail because our user ID would be in the message
store not the postmaster's.
In certain circumstances we could do that. In other
instances, the way I remember it is that for the system
to operate correctly for the accounting, it had to be
the same user ID logged on, so that postmaster, or that
clerk or whatever would have to be logged in with their
ID and password so that any data we changed, or put back
on, would then go in with their ID, which is why they
couldn't use it, then that data would then be picked up
correctly by Riposte, Riposte would assume that the
postmaster had been operating as normal and would accept
the data into the message store and process it
correctly.
Q. Could you tell me what were the circumstances in which
you had to use the same user ID as the original user?
A. I can't remember what the differences were for the
different errors, but it depended on what error was
coming up and what bit of data was corrupt -- where the
corruption lay in the message store.
Q. So you can't think of a specific reason why it would
have to be the same person, but you're saying that it
did sometimes?
A. Yes, it -- sorry.
Q. I didn't let you finish.
A. I have lost my train of thought now, sorry. It often
made it much cleaner for accounting reasons, from what
I remember, if it was the same user ID. All of this --
all of these actions would be detailed in the PINICL and
if -- from what I remember, if you were accessing
a counter in this way, two people had to be there, one
as an independent witness to make sure that everything
was going correctly.
Q. So there would have to be what we now call PEAKs and
there would have to be two pairs of eyes --
A. That was what --
Q. -- it would never be left to one particular member of
the SSC team to do it on his own?
A. It was never supposed to be and I don't think it ever
was but I'm not sure.
Q. So this is a formal process then, is it --
A. Yes.
Q. -- which the SSC took very seriously?
A. It was developed and taken very seriously, yes.
Q. And is it also the case that Post Office consent was
always needed for this kind of process?
A. When I was there we were supposed to speak to the
postmaster to get his consent. So from Post Office
consent, that's what I believe you mean by that. Formal
consent from the Post Office itself, maybe not.
Q. Do you remember the phrase OCPs? The operational change
process --
A. No.
Q. -- does that ring a bell? Do you remember that a form
needed to be filled in in which Post Office consent was
obtained for alterations to data that could affect
branch accounts?
A. No.
Q. You don't remember? Can I suggest to you that that was
the process and that did have to be complied with.
A. Right. It may have been, yes.
Q. And you are also saying that it was also required that
postmaster consent had to be obtained for this kind of
change, yes?
A. That was my understanding of the consent that was
obtained. It was just one of those things that if you
were going to log on to a counter remotely for whatever
reason then you spoke to the -- you should speak to the
postmaster first and get his consent.
Q. And it stands to reason, doesn't it, that if you
started -- forgive me for the loose form of language,
but if you start fiddling with data on his machines that
could have an impact on his branch accounts, he or she
could hit the roof, couldn't he? He or she would need
to know what was happening so as to avoid any upset?
A. Yes.
Q. And is it the case that when you engaged in this process
you ensured that proper protocols were followed that you
have just described?
A. Yes.
Excuse me, I have just got cramp in my leg, sorry
about that.
Q. Mr Roll, we have discussed what you say you could do and
I have put my case to you. The controls, the permission
controls, the change controls that we have just
discussed, that is having another colleague in the SSC
review what changes you are making, obtaining
Post Office consent and obtaining subpostmaster consent
to anything that could have an impact on branch
accounts, you followed those processes both for the
process that you're describing, with which I have
certain reservations, but also with the process of
transaction insertions that we're coming to in a few
minutes, yes?
A. Yes, as far as I'm aware.
Q. If you did anything that could have an impact on branch
accounts, those processes had to be followed,
didn't they?
A. Yes.
Q. Thank you. So in paragraph 16 of your first witness
statement {E1/7/3}, you say:
"Still on the subject of remote access to branch
systems, as I recall some errors were corrected remotely
without the subpostmaster being aware."
Those errors are not errors -- or rather those
corrections were not corrections which changed branch
accounts in the way that we discussed?
A. No.
Q. You're talking about other errors, aren't you?
A. Yes.
Q. Could you give some examples of the kind of errors you
are talking about?
A. I can't remember I'm afraid.
Q. But would it be things like changing configuration
items?
A. Probably, yes.
Q. That sort of thing, which would not have an impact on
the branch accounts in the way that we have previously
discussed?
A. I think so, yes.
Q. Now, the process that you describe in paragraph 15, you
say "We would frequently access a post office counter IT
system remotely". The occasions on which you would
access a post office counter remotely in order to change
lines of transaction data, whether by inserting
something or engaging in the other process that we have
discussed and I have queried, these changes would only
arise in circumstances where the cyclic redundancy check
had been triggered where there had been some problem
which the CRC system had identified as requiring
attention, would that be right?
A. I'm not sure. I think so.
Q. Very good. Then could I ask you just to look back to
Mr Parker's first witness statement at paragraph 55.3
{E2/11/15} and the top of page 16. He is talking about
the CRC process and he says:
"If one of the sets of data on a branch counter
became corrupted it would generate an event that would
be picked up by the SMC and/or reported to HSD by the
branch (an incident reporting a 'CRC error'). There
were a total of 629 CRC errors over the life of
Legacy Horizon ..."
Would you be in a position to challenge that
calculation?
A. That's not my recollection of it. My recollection is
that some of these errors that I'm describing we would
detect because a counter perhaps hadn't replicated for
two or three days, so we would then look to see why it
had not replicated and that's when we would find out
that the postmaster was still using it, transactions
were accumulating on the counter and a corruption at
some level had stopped the counter replicating after
that point, so we would -- from my recollection it
wasn't an error that we were receiving, it was something
we were monitoring on an ongoing basis.
Q. Could I just ask you about that, Mr Roll. It's always
dangerous to ask a question to which you don't think you
know the answer, but I can understand that something may
happen to a counter which means it stops replicating to
its fellow systems within the branch; what I don't
understand is why it would stop replicating because of
a problem with a particular line of -- with a particular
transaction message. Why would a particular transaction
message stop the unit communicating with its fellow
units?
A. A corrupt line of code in the message store would, from
my recollection, stop that message store replicating.
I can't remember why, but the messages, as I say,
including that corrupt one wouldn't get replicated.
That's how you could find out which one was broken, you
could look at the message store and see that up to
line 9,004 had come through, so you would know, if the
postmaster had carried on using it, that 9,005 was the
bad message.
Q. And would I be right in thinking that the problem with
9,005, there would be a problem in the envelope, the
data in the envelope around the transaction?
A. Not necessarily, it could be in the data itself.
Q. Why would that be?
A. Because of data corruption.
Q. But why would that -- why, for example, if there was
a problem in the amount that was recorded in the
relevant transaction, why would that stop the counter
replicating --
A. I don't know, but it did. That's the way I remember it.
Q. Let's move on to transaction insertions. Paragraph 18
of your first witness statement, that's page 3 {E1/7/3},
you say:
"The ability to remotely access the Horizon system
at branch level was extensive, in that we were able to
change not only data and transaction information, but we
also had the ability to insert transactions and transfer
money remotely ..."
I'm not going to ask you about transferring money
remotely, the evidence has been explored in a series of
witness statements, but what I'm seeking to ascertain
from you is that you are talking about two different
forms of changing data, are you: firstly, the form of
data that you have just discussed, data changing that we
have just discussed; and secondly, the form of
transaction insertions? Are they entirely separate, or
are they the same thing?
A. Separate.
Q. They're separate, are they?
During the course of your time at the SSC did you
ever insert a transaction using that facility?
A. I don't think so.
Q. You don't think you did?
A. No. I believe there were instances where corrections
had to be made because data hadn't been written in and
some members of staff were able to add lines in to
correct the problems that were coming up, but I can't
remember -- I think -- I can't remember which ones they
were.
Q. So when you say in paragraph 18 "we were able to change
not only data and transaction information, but we also
had the ability to insert transactions", when you say in
the next sentence "obviously this was not done by me",
are you referring to the ability to insert transactions
and the ability to transfer money?
A. Yes.
Q. So you couldn't do either of those things?
A. I could have done. From my recollection.
Q. I'm so sorry, you didn't do either of those things?
A. No. What I'm referring to here is somebody -- if you
want to be dishonest -- if the postmaster was using the
counter then my recollection was that you could have
logged onto the counter without the postmaster
knowing --
Q. I don't need to ask you any questions about that,
Mr Roll, but I understand why you want to tell me.
Going back to the form of access you refer to in
paragraph 15, this is the situation you're referring
to: the counter would stop replicating, you would be
aware that the counter would stop replicating. Would
that come up in the automatic checks?
A. Yes, I think it was something that certainly in the
early days we were looking for, was counters that hadn't
communicated for three days or so.
Q. And then you would gain reading access to that counter
and see what had happened?
A. You would just log in.
Q. And you would see that the transactions had stopped
replicating at a particular point, is that right?
A. Basically, yes. Quite often the postmaster would have
gone on holiday, so the counter was turned off or
something and that's why it wasn't replicating. In that
case there was no need to do anything. In other
instances you would see that the postmaster was still
using the counter and that's when you would realise
there was a problem.
Q. And what would the nature of the problem be? What would
be wrong with the line of data that would make the
machine stop replicating?
A. As I have previously said, one of the lines of --
a digit or a bit somewhere, from what I remember, would
have been flipped.
Q. And are you suggesting that that wrongly flipped bit
could also have the effect of, I don't know, making the
transaction wrong, making it for £100 rather than £10,
something like that?
A. Originally I thought that, but I don't think it would,
because merely flicking one bit wouldn't alter the data
that much. It would make one of the digits wrong but
not to the extent that it ...
Q. So the basic features of the transaction, whether it was
a purchase of stamps, or a sale of insurance or whatever
the transaction was, and the amount involved, the sort
of basic features of the transaction that end up having
an impact on the branch accounts, the problem you're
talking about requiring fixing wouldn't involve any
corruption of those features, would it?
A. It could be that if it was £100 then one of the zeros
would get flipped to a non-numerical value.
Q. And that error might itself, what, prevent -- might it
also prevent the machine from replicating?
A. That might then prevent the message store from
replicating.
Q. This is a voyage of discovery for both of us.
In that situation you say that you would correct the
data in the way that you have described?
A. Yes.
Q. And we have already discussed whether you could or not,
but how would you know what change to make to the data?
How would you know, for example, that it should be £100
or £105 or £10, what investigations would you carry out?
A. You would -- by looking at the value, for example if it
was 100, or should have been, then it would be 1 and
maybe a backspace character and a zero. Now, if you
change any one of those bits, from my recollection only
one of them would result in a numerical value. If you
wanted a different numerical value to the original one
you would have to change two bits and the chances of two
bits becoming corrupted at once were astronomically
small.
It would also then if you corrected it -- if you
changed to put the wrong value in then there would be
probably an accounts or a cash balance mismatch, so you
knew that by changing one of the bits you would then get
a numerical value and that should -- when it is run
through the books properly, it wouldn't affect -- there
would be no errors.
Q. So are you saying that when you did this there was
a means by which you could be absolutely sure what the
right figure should be?
A. Yes.
Q. And how often -- I'm inferring, but it may be optimism
bias on my part, but I'm inferring that of the problems
that caused counters to stop replicating there were many
many problems that didn't involve the basic features of
the transaction data being wrong and I'm thinking that
the cases in which that problem was caused by the
transaction features itself being wrong was a very, very
small proportion. Would that be right?
A. Unfortunately this is one of the things where the
mundane solutions, which are very easily fixed, you tend
to forget about and this, which is a very complex
solution, tends to make more of a -- more of a memorable
impact. So my perception is that it was frequent, or it
certainly sticks in my mind more, but I wouldn't --
I would say it was only a small -- a --
Q. Would you be able to give an estimate --
A. No.
Q. -- as to how many times you did it in the four years?
A. No.
Q. Would it be -- it would be less than a handful?
A. I would think every couple of months, but I could be
wrong.
Q. You could be wrong.
It is right, isn't it, that Fujitsu generally, the
SSC, was extremely reluctant to make any changes to the
basic features of transaction data that we have been
discussing?
A. Yes.
Q. That's not something they regarded as their job,
correct?
A. Sorry, the changes to the transaction data?
Q. The basic features of the transaction data?
A. How do you mean by ..?
Q. Well, changing a figure in the -- the discussion that we
have just been having?
A. Right. That would have been our job because it was
trying to fix a corruption in the data.
Q. All right. And let me suggest to you that it is
something you only did when you absolutely had to do it?
A. Yes.
Q. So I would like now to ask you to go to your second
statement, paragraph 20 please {E1/10/6}. You say about
halfway down that paragraph -- we may have discussed
this already, but here you are describing transaction
insertions and there's a discussion about whether you
could use the correspondence server to piggy-back
through the gateway. And then you say:
"The nature of many problems meant that we had to
implement a fix in this way rather than going to the
correspondence server, and we frequently did use this
method in practice."
Could you explain the nature of the problems which
meant it was necessary to use that mechanism?
A. No.
Q. Can you identify a single problem that requires you to
do it that way?
A. I can't remember any specific examples, but it was --
I do remember that quite often we went to the counter as
opposed to the correspondence server.
Q. And then you say:
"If we injected transactions in this way, at the
counter position, then the counter position would be
shown in the branch records and reports as the relevant
counter position used in the branch ..."
Then going to the next sentence:
"Sometimes we had to ask for a specific person to
log in to the counter before injecting transactions so
that the software would not detect any discrepancies."
Could you explain why that was?
A. The way that I remember it, if you -- if the system --
if Riposte was looking at a batch of transactions going
through, so you had a certain user ID logged in, if it
then suddenly saw right in the middle a different user
ID, it would reject that transaction, it wouldn't
process it, it would --
Q. When you say transaction, we are obviously not talking
about transactions undertaken at the branch, we're not
talking about sale -- we have already established --
A. I am in this instance, sorry.
Q. Wasn't your previous evidence, Mr Roll, that you have
never used transaction insertions so as to insert
transactions into --
A. I'm sorry, we're ... I misunderstood your question in
that case. Yes, I did insert transaction data on
occasion into the counter servers under the processes
that we have discussed where we would correct data,
log into the server -- sorry, into the counter and then
put the corrected data back in. I wouldn't insert
data -- or I don't recall inserting data to correct the
system when data had not been written by Riposte.
I believe that on occasion lines of transaction data
were not written into the message store when they should
have been and that there was a way of correcting that
and inserting new lines into the message store, perhaps
not with accounting data in it, but with ancillary data
to -- so that the message store would continue
processing and running properly and I believe that
certain members of SSC did that.
Q. You didn't though?
A. I don't recall ever having to do that myself, no.
Q. If we could look at the transcript at the bottom of
page 134. My question to you at the top of the page
was:
"Question: ... during the course of your time at the
SSC did you ever insert a transaction using that
facility."
And you said:
"Answer: I don't think so."
A. Could we scroll up a little bit further please.
Q. Yes, if we could just go up the page.
A. Thank you.
Q. So I say at line 5:
"Question: Let's move on to transaction insertions.
Paragraph 18 ..."
You refer to them and I quote -- I read out
what paragraph 18 says.
A. Right.
Q. And I say:
"Question: I'm not going to ask you about
transferring money remotely ... what I'm seeking to
ascertain from you is that you are talking about two
different forms of changing data, are you: firstly, the
form of data that you have just discussed, data changing
that we have just discussed; and secondly, the form of
transaction insertions? Are they entirely separate, or
are they the same thing?
"Answer: Separate.
"Question: During the course of your time at the SSC
did you ever insert a transaction using that facility?"
"Answer: I don't think so."
A. I'm sorry, you've got two types of data here which we
were discussing. The first one yes, the second one no.
Q. Sorry, and what are the two types of data?
A. So the first one is where we have had the bit that's
been corrected, as I have described, and where we have
corrected the bit, created a text file which we then
log on to the counter via the server with the postmaster
logged on but not using the machine. We then ran
I think it was an import tool to rebuild the message
store on the counter. That's the way that I recall it.
Q. Yes.
A. So that is the process I was involved in.
Q. I see. I think there may be a very large penny
dropping, Mr Roll. So the process that we discussed
perhaps 40 minutes ago that threw me somewhat, I will be
frank, was a process -- I think what you're saying --
involving two different actions. The first one was the
action to get hold of the data that hadn't replicated
and make sure it did get onto the system, but the second
was to deal with the problem of a line of transaction
data that was stopping the counter from operating?
A. By -- sorry, if I can just stop you there. Getting that
data copied, it meant we had to correct that line of
data first to get the data to replicate properly.
Q. Right. But are you saying that the line of data that
you corrected was actually a new transaction that you
inserted using the transaction insertion facility?
A. It was -- in this instance no it wasn't a new
transaction, it was an existing transaction that was put
in, but there was the facility to create -- from what
I remember, to create a new line of code. Not
a transaction in the terms of selling a stamp or
something, but in the process of creating -- processing
a sale to a customer there would be numerous lines of
code, lines of data written to the message store. Now,
sometimes one of those might not have got written. The
data regarding the sale, the value, et cetera, would
have been and maybe one of the other lines wasn't.
Q. Yes.
A. So there was also the facility to correct that, which
I believe involved putting a new line into the message
store as a correction and that's what I wasn't --
I didn't -- I don't remember ever doing that.
Q. So the process that we spent some time discussing
earlier on this afternoon, did that process -- I had
understood you a couple of minutes ago to be saying that
as part of that process you did do transaction
insertions and those transaction insertions were the
kind of transaction insertions that involved putting
lines of transaction data in in the way that we have
defined?
A. Yes, reinserting existing ...
Q. And that was part and parcel of the process you
described at say 10 past 2 this afternoon --
A. Yes.
Q. -- when we started talking about paragraph 15 of your
first statement, is that right?
A. Yes.
Q. I see. And that's the only kind of transaction
insertion that you say you ever did --
A. As far as I can remember, yes.
Q. -- that involved actually inserting transactions?
A. Yes.
Q. And you say it is correcting data, but the truth of the
matter is it is just putting in a new transaction line
that you yourself have formulated, is that right?
A. Yes.
Q. I see. Now that makes more sense to me. And what you
say is that's the only time you ever did use the
transaction insertion facility in a way that would have
had an impact on a set of branch accounts?
A. Yes.
Q. And what you say is you can't remember how often you did
it, but it could have been once every couple of months?
A. Yes.
Q. And how clear are you in your memory as to how often you
did it? Might it have been much less frequent than
that?
A. It might have been.
Q. And might it have a bigger impact on your memory because
of the -- frankly the palava you had to go through --
A. Yes.
Q. -- before you had sufficient permissions to do that?
A. Yes.
Q. Thank you, Mr Roll.
Now, one thing I want to ask you about, Mr Roll, is
that on those occasions when you inserted transactions
piggy-backing off the correspondence server, you don't
remember why you had to do it but you do say you had to
do it.
A. Yes.
Q. Would I be right in saying though that the default
process of doing it was doing it through the front door?
A. Yes. It was always safer to do it from the
correspondence server. The further you got away from
it, if you like, the more risks and --
Q. And as a general rule the SSC didn't like taking risks
of that sort, that's not what they were there for?
A. That's not what we were there for.
Q. I'm grateful for that.
And could I suggest to you that in those situations
when it was necessary to use the piggy-back procedure
and indeed perhaps even more widely, that care was taken
to insert something in the message that was sent through
to make it clear it did come from the SSC?
A. I don't remember that in the message. In some instances
from what I recall, you couldn't do that. I could be
wrong, but the way I remember it is that it was -- when
we did this it was documented in the paperwork, so there
was a record of it on that side of things.
Q. Well, let's look at an example. It's an example when
you weren't there, but could we go to {F/485} please.
This is a PEAK that took place in 2009 so it's a long
time after you left, Mr Roll, and you will see that the
summary indicates there is a harvester exception and
I think we have already discussed -- or could you
perhaps explain what a harvester exception is?
A. I think a harvester exception was when the servers --
the correspondence servers overnight -- they were, from
what I remember, UNIX servers handling huge amounts of
data from all of the Post Offices and the harvesters
would run sequentially from sort of 2 o'clock in the
morning or something, one would run for 15 minutes, it
would allow 15 minutes to run and then the next one
would run and then the next one would run. So they were
not directly related to the counters at all.
Q. Then if we go to page 2 {F/485/2} just to see what the
problem was in that case. Someone called
Garrett Simpson -- I don't know whether you know who
Garrett Simpson was?
A. He was probably the one who knew most about UNIX
servers.
Q. And he says at the bottom of the page:
"After discussion with Cheryl and David I think the
situation was this:-
"1) The session ... had four Mode:SC transactions
for different currencies. Each one of these messages was
missing mandatory fields so the harvester rejected
them."
Stopping there, could you explain to the court what
these mandatory fields would have been?
A. I can't remember. I think -- well, no, I can't
remember.
MR JUSTICE FRASER: Mr De Garr Robinson, this is an example
from five years after he has stopped working there
I think, is it? 2009?
A. It is, yes, my Lord.
MR JUSTICE FRASER: Well, just hold on one second.
Am I right it is a 2009 incident?
MR DE GARR ROBINSON: Yes.
MR JUSTICE FRASER: I question how much help any of
Mr Roll's evidence might be about something in 2009.
MR DE GARR ROBINSON: All right. Let me do this very
quickly in that case.
As a result of this PEAK a transaction was inserted
into the message store of the relevant branch and
there's a copy of the transaction that was -- of what
was done at {F/416.1} and perhaps we could look at that.
(Pause).
This may be a convenient moment.
MR JUSTICE FRASER: All right. We will have five minutes.
I do draw your attention to time.
MR DE GARR ROBINSON: Yes, I'm well aware of that.
MR JUSTICE FRASER: Good.
All right, we will have a five minute break for the
shorthand writers, Mr Roll. Same form as before, back
for 20 past 3 please, don't talk to anyone about your
evidence.
(3.15 pm)
(Short Break)
(3.24 pm)
MR DE GARR ROBINSON: Mr Roll, you will be pleased to know
that we are going to have some expedited
cross-examination now. Could you please go to
bundle E2, tab 12. This is Mr Parker's second witness
statement and I would like to ask you to read at page 9
paragraphs 27 and 28 please {E2/12/9}.
(Pause).
A. Yes.
Q. Have you looked at the PEAK to which Mr Parker refers in
paragraph 28?
A. I can't remember if I saw that one or not.
Q. Okay. Well, we actually looked at it just before the
break -- I didn't give you the number so there's no
reason why you should know that. But you will see what
Mr Parker says in paragraph 28.4 and that is a point
I would like to put to you {E2/12/10} he says:
"The messages were inserted with the additional
property <Comment:PC0175821> ..."
Which was the name of the PEAK.
"... to allow them to be identified ..."
MR JUSTICE FRASER: Hold on one second something has gone
wrong. Can we jump back a page to page 10 please
{E2/12/10}.
MR DE GARR ROBINSON: Yes, paragraph 28.4:
"The messages ..."
This is the transaction insertions and this is in
Legacy Horizon that you worked on, although it is
five years after your time. He says:
"The messages were inserted with the additional
property <Comment:PC0175821> to allow them to be
identified in the audit trail ..."
Now, what I would like to suggest to you, Mr Roll,
is that when steps were taken to insert transactions
into branch accounts, that was the practice that was
followed: you would do something in order to enable the
source of the transaction to be identified from the log.
A. This, as you pointed out, is Legacy Horizon from 2009.
I would not say that was the same version as the
software that I worked on. There were constant changes
and upgrades going out all the time. I can't remember
if we had the facility to insert comments into the
version that I was working on. It may be that we did,
but my recollection first of all is that when we were
doing it it was documented in the PINICL and also this
is for the creation of a new item, a new transaction,
that I was not involved -- I do not think I actually got
involved in that side of things. It was the correction
of the corrupted ones that I was working in.
So it's possible, yes, that there was, but, briefly,
I don't know, I can't remember.
Q. If we go down to paragraph 31 {E2/12/10}, Mr Parker
says:
"Transactions injected into a counter would appear
on the transaction logs available on Horizon as if it
had been carried out by the user that was logged into
the counter at the time (if nobody was logged on, the
user ID would be missing)."
Is that right?
A. Yes.
Q. "However, when injecting such a transaction, the SSC
user would ensure that it was clearly identified in the
audit trail as having been inserted by SSC. Examples of
such identification I am aware of are the use of an SSC
user as the clerk ID and/or details of the incident
number as an additional property."
You could put additional properties into the
transactions you inserted, couldn't you?
A. I don't recall that -- I don't recall. I didn't think
we could, or I didn't think we did at that point when
I was working on it. There's a point here where it says
that "Examples of such identification I am aware of are
the use of an SSC user as the clerk ID". That is where
if the SSC user had logged into the counter and was
inserting a new transaction, rather than getting the
clerk to log in and then injecting a transaction as if
it were the clerk who were logged on, so that would --
in this instance if you were creating a new transaction
to balance the accounts then you probably won't need to
log in as that clerk who had done the original
transactions, in which case it would make sense to log
in as yourself because then from the user ID it would be
clearly identifiable that it wasn't a Post Office
employee doing it, it was someone from the SSC.
Q. What I'm suggesting to you, Mr Roll, was that when you
worked at the SSC, first of all there was the ability,
when using transaction insertions, to include additional
properties which made it possible for it to be
identified that you were the one inserting the
transaction and I want to suggest to you, Mr Roll, that
it was the practice to use that facility so as to be
clear as to the state of affairs where the transaction
came from.
A. I would disagree, to put it briefly, bluntly. If it was
a new transaction of the type we are discussing here
which I didn't do then yes, it's possible it was, but my
recollection is that if we were rebuilding the message
store and correcting a piece of data then -- effectively
creating a new item to go in to replace the broken item,
then it wouldn't have any comment put into it, but that
is my recollection.
Q. And how clear is that recollection? I will give you an
opportunity to indicate whether you --
A. It is 15 or 19 years ago, so ...
Q. Say again?
A. I might be mistaken.
Q. You fairly accept that you might have just overlooked or
forgotten?
A. Yes.
Q. That's very kind of you, Mr -- and very fair of you, if
I may say so.
Then in the last few minutes let's go to
paragraph 23 of your second statement {E1/10/7}. We are
now talking about rebuilding branch transaction data
where a particular counter becomes corrupted. You will
recall that before the break I read you paragraph 38 of
Mr Parker's second witness statement where he went
through those stages?
A. Yes.
Q. And my recollection is that you essentially accepted the
processes that Mr Parker described?
A. Yes.
Q. You say:
"As part of my role in the SSC, I was involved in
rebuilding branch transaction data ... whilst in general
terms I agree with Dr Worden's summary ... his
description is very much a simplification ... when data
on a counter became corrupt, the effect was that data
transmitted after that corruption could become
stuck ..."
Then moving on, you say halfway down:
"There was clearly room for error in this process,
where data could be lost, or mistakes made when
replicating data."
Now, I would like to ask you first of all what room
for error was there in the process where data could be
lost?
A. When you are copying the data from a counter, in my
recollection, if it's a remote counter, you're copying
across the network and then editing it yourself on
a computer, you might make a mistake and you might
delete something that you shouldn't have deleted. And
that is the error -- the room for error that I'm talking
about. There were processes -- I have to admit there
were processes in place to minimise this risk, such as
having two people checking it and so on.
Q. Well, that was going to be my next question, Mr Roll.
Why didn't you mention the fact that there were these
protections that were specifically designed to reduce
that risk to a really infinitesimally small level?
A. It didn't seem necessary to put that in.
Q. It does give a rather unfortunate impression which is
rather different from the fact of the matter, would you
accept that?
A. To my mind, no, but I will accept that it -- to other
people it could perhaps.
Q. Well, could I suggest this to you, Mr Roll. You
download this data, you get the line that you think
needs correcting and you correct it and this is all with
someone else formally sitting there watching what you
are doing, is that right?
A. Not at that point necessarily, no.
Q. When would they be watching?
A. When you're about to insert the data.
Q. So let's imagine a situation where that's happening.
The person comes along. What does that person -- he
obviously have has to check that the data you are
inserting is going to be right --
A. They check the data that you've got and then make sure
the process is followed correctly to insert the data.
Q. So that person would, for example, make sure that no
data has been lost?
A. Yes.
Q. He or she would make sure that the change being made is
the correct change?
A. Yes.
Q. And only when both he or she and you are satisfied that
it is all correct would be possible for you to press the
button and insert the transaction, is that right?
A. Yes.
Q. Now, doesn't that suggest that the chances of an error
being made such that a wrong transaction being entered
into a branch accounts really is infinitesimally small?
A. It is quite small, yes.
Q. Thank you. Then in paragraph 24 of your statement
{E1/10/7} you say:
"The process that I describe at paragraph [23] above
could be carried out without the subpostmaster's
knowledge ... and in my recollection it sometimes was
done without the subpostmaster's prior knowledge, for
example if the subpostmaster was away from the branch on
a lunch break and had not logged out of the system."
And then you say at the end of that paragraph:
"... there were times where the job needed to be
done quickly to prevent potentially catastrophic failure
and we were unable to contact the subpostmaster
beforehand."
Were those the only occasions in which you would
have inserted a transaction without informing the
subpostmaster beforehand?
A. That is the only time we would have got onto a counter
without --
Q. Right, so I would just like to ask you: in relation to
the particular transactions we're talking about, in what
situations would that potential catastrophe arise?
A. I can't recollect exact scenarios. I can't remember.
Q. Can you not give me an idea of what you're talking
about?
A. No.
Q. So let us assume there was a situation of potential
catastrophe, you would never allow a subpostmaster to
have his or her accounts changed without them knowing
about it, would you? It might be that you might not
have told them beforehand, you would certainly tell them
afterwards?
A. You would tell them afterwards.
Q. So it is absolutely standard SSC practice, isn't it,
when you are dealing with a branch and correcting
problems that the branch has got that the branch will
see, it is absolutely standard that you will communicate
with the subpostmaster to ensure that the subpostmaster
knows what changes you are making?
A. Yes.
Q. Thank you.
My Lord, I have rather hurriedly come to the end of
my cross-examination.
MR JUSTICE FRASER: Thank you very much. Mr Green.
Re-examination by MR GREEN
MR GREEN: A few points if I may.
Mr Roll, could you please be shown {F/1839}. I will
tell you what's coming up. It's the spreadsheet you
were shown -- a whole load of figures were put to you
and you were challenged on your recollection on the
basis of various statistics. Do you remember?
A. Yes.
Q. Just a couple of quick points. First of all, can we
just look at the RRP live PEAKs into SSC. And scroll up
please. Sorry, I thought it was that tab, apologies.
Can we try by category, sorry, "RRP live PEAKs by
category". That's better, apologies. Can we scroll up
just to the top very kindly.
So you've got the closure category codes down the
left-hand side: 0, 8, 9, 12, 14, 15, 40, 42 and so
forth.
A. Yes.
Q. And you have the legend or the description against them
and if we look, for example, at number 63, "Programme
approved - no fix required", 115 of those.
A. Yes.
Q. At this distance in time can you remember what was
encompassed in those descriptions?
A. I've got no recollection at all I'm afraid.
Q. Okay. And we see another one "Administrative response"
at line 21.
A. Again, I can't remember that. I can't remember any of
them.
Q. But that one seems to have quite a lot: 5,358, so about
a fifth of the overall total. Do you see that?
A. Yes.
Q. Okay. You weren't shown it, but the court was told
there was a document which was broadly consistent with
what those codes meant and if we can look please at that
document, it is at {F/823/23}. Mr Roll, I'm only going
to give a couple of examples of this. If we look at 63,
which is the line we looked at first. If you come down
the left-hand code side to 63. Do you see this table
actually only starts at 60, it doesn't have any of the
earlier codes?
A. Yes.
Q. But it does have 63 and you look across and it says
"Programme approved no fix required" which on the face
of it sounds quite chirpy and positive and then we look
and it says:
"Rarely used. Covers the case where there IS
a fault in the product and this is acknowledged by both
Fujitsu and [Post Office Limited], but the fault is
there as a result of an agreed design specification and
Fujitsu would require POL to fund any correction. MUST
NOT be used without approval from HNGX Programme Manager
or authorised representative."
At this distance of time can you remember seeing any
examples of those that you dealt with?
A. No, I'm afraid I can't.
Q. Just one other one if I may. Can we please see
{F/16/2}. This is PEAK PC0027887 and you will see it
comes in on 21 July 1999. Can you see the narrative
there, for FAD code in the third line of the light green
box, for FAD code O011523 on week, 9 receipts and
payments misbalance of £1,337.05, week 10 misbalance of
£24,000, week 11 misbalance of £12,000, week 12
1,051,111.48; do you see that?
A. Yes.
Q. And if we could go forward please to page 3 {F/16/3} and
look in the bottom yellow box, 27 July at 10.09, do you
see "CAP12" on the left-hand side?
A. Yes.
Q. It says:
"Balance brought forward was multiplied twice due
[to] known software error. The initial balance brought
forward for this CAP was 1,196,622.72. This was
multiplied twice to give a total of BBF of 2,279,189.04.
The discrepancy was therefore 1,082,540.28. This was
due [to] a known software error which has [now] been
resolved."
Do you see that?
A. Yes.
Q. So that would have been quite a bad one, is that fair?
A. Yes.
Q. If that had come across your desk?
MR JUSTICE FRASER: Mr Green, on the basis you still have
another witness ...
MR GREEN: I'm really rushing, it is the last page.
MR JUSTICE FRASER: Well, you are almost getting to the
outer envelope of arising out of cross-examination, so
put one more or two more questions.
MR GREEN: I will, my Lord. It was just on those codes.
If you look please at -- there are two last places
to look in the document. One is on page 11 {F/16/11},
where it has been given a categorisation "Fix for first
maintenance release". Can you just tell the court what
that would normally mean as far as you remember?
A. I can't remember.
Q. And then at the end it is closed, on page 13 {F/16/13},
as "Administrative response". Can you see that?
A. Yes.
Q. And just above it says "Insufficient evidence".
A. Yes.
Q. Can you remember how frequent it was for PEAKs to be
closed with insufficient evidence while you were there,
or ..?
A. I can't give you an accurate -- I can't say how often
I'm afraid. I can't remember. I know it was used but
I can't remember how often.
Q. Last point if I may. Can you please be shown {F/99.2}.
You were asked about pressure in relation to service
level agreements and if we look at {F/99.2} -- sorry, on
my copy --
MR JUSTICE FRASER: Do you want 99? We are on 16/13 at the
moment.
MR GREEN: I've got printed out on mine F/99.2.
MR JUSTICE FRASER: It might not be wrong, we just might not
have got there yet.
MR GREEN: Well, my Lord, I can probably deal with it with
another witness.
MR JUSTICE FRASER: I think you probably --
MR GREEN: It was a point of fairness to this witness. He
was challenged on something and there was evidence about
it, but I will deal with it with Mr Parker.
MR JUSTICE FRASER: Mr Roll, no questions from me. Your
evidence is at an end now, you can now leave the witness
box and you can chat to people about the case if you
would like to. Thank you very much.
A. Thank you, my Lord.
MR JUSTICE FRASER: Thank you very much.
Right, next witness.
MR GREEN: My Lord, it is Mr Henderson if I may.
MR IAN HENDERSON (sworn)
MR JUSTICE FRASER: Thank you, Mr Henderson, do have a seat.
A. I would prefer to stand if I may.
MR JUSTICE FRASER: Yes, of course you may.
Examination-in-chief by MR GREEN
MR GREEN: Mr Henderson, in front of you there is a file and
if you turn to tab 5 you will see an "Amended witness
statement of Ian Henderson" {E1/5/1} and if you turn to
the back of that witness statement on page 7 {E1/5/7}
you will see a signature. Is that your signature?
A. Yes, it is.
Q. And is that statement true to the best of your knowledge
and belief?
A. It is, subject to two points. Firstly, I originally
prepared a much longer witness statement but I was told
that because this is a time limited trial it was not
appropriate to submit one of that length, so this is
substantially shorter.
Secondly, I think the court is aware that I'm
a party to an agreement between sort of Post Office and
the claimants that restrict the matters on which I can
give evidence, so that is a further limitation in my
evidence today.
MR JUSTICE FRASER: Understood.
Have you any questions in-chief?
MR GREEN: No questions in-chief, my Lord.
Cross-examination by MR DRAPER
MR DRAPER: Good afternoon, Mr Henderson.
A. Good afternoon.
Q. You make very clear from your witness statement that you
don't propose to give opinion evidence and I'm not going
to ask you any questions about the opinions set out in
Second Sight's reports.
What it may be helpful to do is to take you through
some of the background to Second Sight's involvement and
some of the chronology as to what happened at various
stages and your involvement in the mediation scheme.
A. Fine.
Q. With that said, there's one very general point about the
scope of Second Sight's work that I would like to
confirm with you. As you are aware, the issues to be
determined in this trial and to which you refer in your
statement are purely technical issues about the Horizon
system as to its functions, reliability, robustness.
You are aware of that, aren't you?
A. Yes, I am.
Q. It is fair to say, isn't it, that the scope of
Second Sight's work was substantially broader than that?
You also considered, for example, issues as to training
and support?
A. Sorry, was there a question there?
Q. Yes: that's right, isn't it?
A. That our scope was much wider?
Q. Yes.
A. Well, our scope changed quite substantially during the
terms of our appointment. We issued an interim report
and it was that that gave rise to Post Office deciding
to offer a mediation scheme. Our role at that point
changed from being an in-depth investigation to being
one of supporting the mediation scheme primarily and
dealing with the 150 or so applicants to the scheme.
We adopted the definition of Horizon that
Post Office itself adopted, so it was much more than the
coding or the software, it also included the way that
processes operated, the impact of Horizon on
subpostmasters and the various sort of remediation
procedures that were available.
Q. Yes, thank you. So just to -- I'm going to run you
through the chronology if I may and at the end of my
doing so there will be an opportunity for you to comment
on that but I think everything I'm about to say to you
ought to be uncontroversial.
You were engaged first in July 2012, so the total
time span of your involvement is 2012 to 2015. You have
just mentioned the CRRs we're going to come on to and,
as you have you have said, the interim report was
produced in July 2013, the mediation scheme was set up
around then in the latter half of 2013 and it is right
I think to say that the applications to enter the
mediation scheme had to be in by November 2013, so
roughly towards the end of that year?
A. My recollection is actually slightly different to that.
We were first appointed around about July 2012. Towards
the end of 2012 we were in active discussions with
Post Office and JFSA who invited applications for us to
consider various matters. After we issued our interim
report, that was the point at which Post Office decided
that we should move to the mediation scheme phase.
MR JUSTICE FRASER: I don't think the witness did mention
a CRR.
A. No, I didn't, my Lord. Case review report.
MR DRAPER: He may not have used the words but I think you
said "individual reports in the mediation scheme",
didn't you? I may have misheard you.
MR JUSTICE FRASER: Rather than be combative, Mr Draper,
when you put a question to the witness that says "You
mentioned the CRRs" and he didn't, I just wanted to
check you weren't at cross-purposes.
MR DRAPER: No, I had understood him to be referring to what
I would call a CRR, but we shall come back to those in
more detail.
It is right to say, isn't it, that there were
initially 150 applicants to the scheme --
A. Of which 136 were finally admitted into the scheme.
Q. Thank you, you finished my question.
Once the mediation scheme started -- and again you
have already said something of this -- it is fair to say
that you had essentially two roles at Second Sight. The
first was the production of thematic reports, which are
the reports you describe in your witness statement;
that's right, isn't it?
A. Correct.
Q. And the second was the production of what I have called
CRRs which are individual reports relating to
a particular complainant's case?
A. Correct.
Q. Now, with that background can we turn please to the
Second Sight engagement letter which is at {F/1228.1}.
Do that you have on the screen there, Mr Henderson?
A. Dated 1 July 2014?
Q. That's the one, yes. It says in "Background" there that
this letter sets out the arrangements for your
engagement on behalf of the working group in relation to
your role in the scheme. And we can read further just
under 2 --
A. Can I just make a point, I'm sorry to interrupt, it is
dated July 2014. I mean that is a long time after the
mediation scheme started, so I'm not sure that that is
the first letter, or was the letter that was relevant at
the time that we started our work in relation to the
mediation scheme.
Q. I'm sure if it is going to be said that there was
a different arrangement that had materially different
terms, that can be suggested by the claimants. So
I just wanted to take you to some key elements of this.
Obviously if you have that concern, you can raise it.
If we could skip down quickly please to clause 4.1,
which appears on page 3 {F/1228.1/3}, that's the
provision allowing for termination on notice and that's
the provision that was relied on the following year,
isn't it?
A. That's correct.
Q. 4.2 refers to the services being provided exclusively by
Second Sight directors. That's you and one other
director, isn't it?
A. Correct.
Q. Go forward to page 5 please {F/1228.1/5}, just the
signature page, to orientate everyone. Then over the
page {F/1228.1/6}, "Scope of services", is where this
agreement describes what you are actually intended to
do. If you could just remind yourself please of 1.1
down to 1.4.
(Pause).
A. Yes, I have read that.
Q. Does that accord with your recollection of what your
role was?
A. I remember this letter, but as I said earlier, this
letter arrived probably at least halfway through the
mediation scheme so we had already done a great deal of
work, possibly on terms different than the ones
described in this letter.
Q. Understood. If you could turn then to look at 3
{F/1228.1/3} please, towards the bottom:
"It is recognised that Second Sight is not required
to definitively determine every issue raised by
a subpostmaster but rather is required to reasonably
investigate and, where appropriate, offer an opinion on
the key issues in dispute between a subpostmaster and
Post Office."
So it was recognised, wasn't it, from an early stage
that it might not be suitable for Second Sight to be
required to determine each and every issue that arose?
A. I take dispute with "at an early stage". As I said,
this letter is dated at least halfway through the period
of us supporting the mediation scheme.
Q. Putting to one side whether the situation may have been
different, you can confirm I think that it was certainly
the position from the date of this agreement, that that
was recognised?
A. Yes, I can.
Q. If we look please at 5 which starts at the bottom of the
page but really the meat of it is over the page please
{F/1228.1/7}, 5.1 refers to your expertise and the scope
of that expertise. 5.2, just remind yourself of that.
And 5.3 Second Sight shall:
"... use its reasonable endeavours to comply with
any deadlines or timeframes set by the working group."
I just want to see whether you will agree with this
in relation to timeframes: is it fair to say that the
anticipation at the outset was that the working group
would set relatively demanding timeframes and hope to
move forward quite quickly?
A. I think that's a reasonable sort of expectation. It's
got to be measured by reality though and we had regular
meetings of the working group and timetable was always
on the agenda.
Can I come back to 5.1, which you started to draw my
attention to. That was substantially varying the
previous scope of our engagement which was that the
scope of our work was to be set solely by Second Sight.
We believed, as we said in our part 2 report, that
issues relating to criminal law and so on were relevant
to the mediation scheme, so this was inserted fairly
late in the day.
Q. I'm not going to ask you about what you said or didn't
say in the Second Sight report, but I think you will
acknowledge that this isn't something that was inserted,
this was something that you agreed in July 2014?
A. Halfway through the mediation scheme, yes.
Q. Just to get the timeline right, the briefing report
part 1 was produced in July 2014; that's right,
isn't it?
A. Yes, I think that's right.
Q. And I'm not going to ask you about any opinions
expressed in that report, but purely as a matter of
getting some understanding of how it all fits together,
I think you will agree with me that the part 1 report
was intended to be a largely uncontroversial account of
Horizon's functions, Post Office's operations, things
like that, with the part 2 report being intended to
contain your opinions on issues?
A. Part 1 was intended to be, yes, uncontroversial, to
reflect the permanent information relevant to the
matters that we were looking at. The part 2 report was
dealing with the thematic issues that we had identified
from our previous work.
Q. And it is right, isn't it, that there were two versions
of the part 2 report, the first of those being published
in August 2014, so really not long after the part 1
report?
A. That's correct, which was very shortly followed up by
a very substantive response by Post Office.
Q. Yes. If we could turn to the CRRs that we have already
discussed briefly. It is fair to say, isn't it, that
they were intended to be one of three key documents that
would go before the working group: there would be the
written complaint from the subpostmaster, there would be
Post Office's written response and there would be your
CRR?
A. My recollection is slightly different to that. There
would be the application to the scheme which I think was
known as the CQR, the questionnaire. At that point we
would request such files that were available from
Post Office together with a report. As a result of
reviewing all of that information, Second Sight would
then produce its consolidated report.
Q. And that suite of documents was intended to go before
the working group and inform the decision it would then
take on whether or not to recommend mediation?
A. That's correct.
Q. And without attributing blame to anyone -- not
Second Sight, not the subpostmaster, not Post Office --
but looking purely at a factual level as to what
happened, would it be fair to say that the progress in
the scheme, in the production of those three documents,
and in obtaining a decision from the working group, went
somewhat slower than had been hoped at the outset?
A. That's correct.
Q. Can I show you briefly a couple of documents relevant to
that. The first is at {F/1325/137}. I think,
Mr Henderson, you may or may not have seen this before.
It is a letter from Sir Anthony Hooper to Ms Swinson,
who is an MP, in fact Minister for Employment Relations
and Consumer Affairs. This was in mid-December 2014.
Have you seen this before?
A. I can't see a date on that letter, I may be missing it.
Q. You can take it from me for now that we can tell from
other documents that it is mid-December.
MR JUSTICE FRASER: Mid-December which year?
MR DRAPER: 2014.
If we look at the second paragraph,
Sir Anthony Hooper is saying here the thing that you
have just agreed, Mr Henderson:
"The progress of cases at every stage of the scheme
has taken longer than the working group would have
wanted."
He then sets out those various stages. He then
says:
"In addition disagreements within the working group
as to whether individual cases should proceed to
mediation has led to further delays because such
disagreements can only, for reasons of fairness, be
resolved at face-to-face meetings."
He then gives some further detail and over the page
please {F/1325/138}. Do you recall seeing this update
on progress at the time, Mr Henderson?
A. I don't recall seeing this letter or this appendix, but
those numbers do look broadly familiar and we may well
have discussed them in a mediation working group
meeting.
Q. So by this time in mid-December, if we look down to
roughly two-thirds of the way down the table, we see the
cases that had been mediated to date, there were seven
of those; that's right, isn't it? And we see from the
very bottom that there were 110 left in the scheme.
A. I see that.
Q. If we could go forward please then -- I should just say
for completeness there's a document I won't go to which
is a later letter from Sir Anthony Hooper which is at
{F/1325/165}. That just provides an update a couple of
months later.
Moving on then to March 2015, so a few months after,
there's a report from CEDR on progress and that's at
{F/1325/186}.
A. Can I make an observation on this appendix and the
apparent slow progress. I can't remember precisely at
what point CEDR was selected but it took some time to
make the decision that CEDR was going to be the
nominated body to administer the actual mediation
process and I think that more than anything else
reflects the relatively sort of small number of cases
that were listed on that schedule.
Q. It is fair for you to add that consideration.
If we look now at the document we have on screen
here from CEDR, CEDR explains that by this date -- which
you can see from the top is 6 March -- if you look at
the second paragraph:
"As you know, since July 2014, CEDR has been
referred 31 cases for mediation under the scheme. So
far 12 mediations have been taken up by the parties,
using six different mediators, and 2 are currently being
scheduled for mediation this month."
So this is coming up to a year and a half since the
scheme closed to applicants and by this stage there has
been 12 mediations. Does that accord with your
recollection of the kind of progress that was being
made?
A. Well, perhaps I can make another point before I answer
that. I mean this letter is to Post Office general
counsel. I would not have necessarily seen this letter.
I certainly don't recall this letter. Those numbers are
broadly sort of consistent with my sort of recollection.
Q. Is it fair to say that by this stage in March 2015 there
was a desire within the working group to make somewhat
faster progress?
A. Well, I think we had already made faster progress. You
will also recall that it was in March 2015 that our
appointment under the previous letter that you showed
the court was terminated. I think at that point we had
reviewed and produced reports for something like 116
sort of cases, so the vast majority of our work was
actually complete by that point.
Q. Yes, that's a very fair point for you to make.
If we could just look at it very briefly, the
termination letter to which you have just referred is at
{F/13/24.1}. That's the termination letter I think to
which you at least indirectly referred.
A. That's correct.
Q. If we could look then to {F/1324.2}. This is a much
longer letter from Post Office that came to you on the
same day. Do you recall this longer letter? If I maybe
tell you broadly what it is to do with. It's a letter
in which Post Office sets out a plan for how
Second Sight could finish its outstanding work. Do you
remember that letter?
A. Yes, I do.
Q. And the second paragraph makes clear that Second Sight
was expected to continue working during the notice
period and that even beyond the notice period there
would be a proposed future role for Second Sight.
That's what this document dealt with, isn't it? It's
a fairly long document.
A. It is, but there's another document of that date or very
close to that date which you haven't mentioned which was
the press release from Post Office announcing the
winding up with immediate effect of the mediation scheme
itself. That I understand was the primary decision and
our termination was a consequence of that not a separate
issue.
Q. Well, I think when you say mediation scheme it's fair to
say, isn't it, that this winding up process, as you
describe it, did not put an end to mediations; in
fact --
A. It put an end to the mediation working group with, as
I understand it, no consultation and the announcement
was made I think the day immediately before the next
planned meeting of the working group, so it was
a considerable sort of shock to everybody.
The rationale from Post Office -- because
Post Office general counsel was kind enough to explain
this to me in a meeting I had with her when I was handed
this letter, that Post Office felt that we had reached
the point of -- it might be unfair to say sort of
diminishing returns, but we were at the point where the
mediation process using CEDR could continue without any
further input from the mediation working group and that
alternative arrangements would be made for Second Sight
to complete the I think it was 20 outstanding reports at
that point.
Q. And in fact although there was not much time required
for this, but also to complete your version 2 of the
briefing report?
A. Yes. That was already substantially complete. Within
the letter I seem to recall was the requirement to
complete that by 10 April which we were happy to agree
to and I think it was signed off on 9 April or
thereabouts.
Q. And it is right to say, isn't it, that that version 2 of
the briefing report part 2 was in fact -- Second Sight
had told the working group that at least the first draft
of that report would be produced on the 11th, so the day
after this letter, and you in fact did produce a draft
very shortly afterwards?
A. Yes, that's my recollection and we invited comments from
Post Office to enable us to complete the report and we
issued it I think early May -- early April.
Q. And I'm not going to take you through all of them merely
because of the time so please do tell me if anything
I say here is unfair, but there is then an exchange of
letters between Second Sight and Post Office and indeed
at least one meeting of which I'm aware in which the
terms of Second Sight's ongoing engagement were
discussed and agreed over the next couple of weeks.
A. There was a certain amount of to and fro-ing. I do
recall that one element of the proposal that was not
acceptable to Second Sight was that we were going to be
instructed directly by claimants. We felt that that
potentially compromised our independence and objectivity
and we suggested an alternative, which I seem to recall
Post Office readily agreed to.
Q. Yes. Just so we have the full detail on that,
Post Office proposed to pay to applicants the amount
that it would otherwise pay to you and for them to pay
you directly. You said, for the reason you have given,
you weren't comfortable with that and Post Office agreed
to essentially continue the existing arrangement which
was direct payment from Post Office to Second Sight?
A. Correct.
Q. And is it fair to say that that was the main point of
difficulty between you in reaching agreement?
A. That's the main point that I recall but I haven't
revisited the documents recently.
Q. That's fair.
Last point just to confirm -- I think this is
probably implicit in what you have already said to me,
Mr Henderson, but it is right, isn't it, to say that
looking at both the CRRs and the briefing report part 2,
version 2, each of those was ultimately produced
slightly -- I make no criticism -- slightly later than
had been anticipated by the working group, but in
relatively short order nonetheless?
A. I think that's a fair comment.
Q. Thank you very much.
I have no further questions, my Lord.
MR JUSTICE FRASER: Re-examination?
MR GREEN: My Lord, no.
MR JUSTICE FRASER: I have some questions.
Questions from MR JUSTICE FRASER
MR JUSTICE FRASER: The first is the two points that you
made at the beginning of your evidence-in-chief
effectively qualifying your evidence. You don't need to
tell me what you were told by whom, but your
understanding was that there was some restriction in
length on your written witness statement because this
was a time limited trial, is that correct?
A. I was told that the draft -- or my first witness
statement that I prepared stood the risk of being
rejected by the court as going into too much detail and
being too long and that I should prepare a much shorter
version, which I ultimately did.
MR JUSTICE FRASER: All right, well, just to be clear, no
such restriction has ever been imposed by the court on
your witness statement.
The second one, I understand and you have identified
this in your witness statement and it leads into a point
I'm going to ask you in a moment, that you remain
subject to a confidentiality agreement that you entered
into with the Post Office, is that right?
A. Modified by a protocol agreement that released us in
some respects so that we could work with the solicitors
to the claimants and give the evidence that I have
given. We refer to it as the protocol agreement but it
was quite clear that there were certain matters that
I am not allowed to discuss.
MR JUSTICE FRASER: Right, well, that sort of answers my
next question, but I just want to be clear: is it your
evidence therefore that because of that protocol
agreement your evidence of fact to this court is
narrower in scope than it would be absent the protocol
agreement?
A. Yes, it is.
MR JUSTICE FRASER: Thank you.
Next document please -- or the first document I'm
going to show you, which Mr Draper took you to:
{F/1228.1/1} please. Now, that's the letter that you
were shown which you point out is July 2014. As
I understand your evidence you were engaged in
July 2012, which is two years before that; is that
right?
A. Correct.
MR JUSTICE FRASER: Was there a letter in similar terms sent
to you for July 2012?
A. I think not because the scope was still evolving over
that initial sort of six to 12 months. I mean there was
certainly correspondence; I don't recall a formal
engagement letter in this sort of style at that point.
MR JUSTICE FRASER: All right. Can we go please to page 3
of that letter {F/1228.1/3}. There's a clause at the
bottom of that letter, 6.2, which runs over to the next
page which says that:
"Second Sight will not, and will ensure that the SS
directors and any SS personnel will not, act directly or
indirectly in any capacity ... against Post Office or
any of its officers, directors or employees save to the
extent (a) that it is expressly agreed in writing ...
that the work proposed to be undertaken will not have
a material adverse effect on Post Office's commercial or
financial interests or reputation ..."
And then there are some other exceptions which
effectively relate to court orders.
Do you know if there was a similar provision in
respect of your work between July 2012 and July 2014 to
that provision?
A. I don't recall that, I'm sorry.
MR JUSTICE FRASER: You can't recall.
When you received this letter in July 2014 did you
form the view that it made any material impact or
difference to the terms upon which you had been engaged
for the two years earlier than that?
A. I think we anticipated that it was certainly possible
that at some point we could be asked either to give
factual evidence or support in some other way to
claimants in an action against the Post Office. We were
quite upfront about that. There is another document
where I seem to recall that there was originally
a clause referring to 12 months' gap between the
completion of any work for Post Office and us working
for in this case sort of claimants. I recall
a handwritten amendment that I made where we agreed to
extend that 12-month period to 15 months and I notice
that in paragraph 6.3, 15 months is the date mentioned
there. So at an early point in all of this I think
there was a mutual recognition that as experts
independently appointed to look into these matters, we
could end up acting for either the Post Office or
claimants and that was envisaged in the documentation.
MR JUSTICE FRASER: All right, thank you very much.
Mr Draper, any questions arising?
Re-examination by MR DRAPER
MR DRAPER: If I may, just one point of clarification
arising out of your Lordship's first question.
You have mentioned the confidentiality restrictions
that were relaxed to enable you to speak to the
claimants for the purposes of these proceedings. You
didn't feel, did you, inhibited in answering any of the
questions that I asked you?
A. I had at the back of my mind that protocol agreement and
I tried to make sure that my answers did not infringe
that agreement.
Q. It is fair to say they didn't risk doing so, did they,
because of the nature of the questions that I asked you?
A. I would have to refresh my mind as to the questions, I'm
sorry.
MR JUSTICE FRASER: I think that's probably a point for me
actually. Thank you, Mr Draper.
Mr Green?
MR GREEN: My Lord, no.
MR JUSTICE FRASER: Thank you very much for coming,
Mr Henderson. That's the end of your evidence, you are
now free to leave the witness box.
Mr Green, that's your factual case I think.
MR GREEN: My Lord indeed.
Housekeeping
MR GREEN: My Lord, there is one housekeeping thing --
MR JUSTICE FRASER: Well, there are about five but let's
start with yours first.
MR GREEN: -- upon which I think Post Office might be
assisted by an indication from your Lordship, because
the --
MR JUSTICE FRASER: An indication?
MR GREEN: It might have to go further than that but we hope
the help might sort it out. The Ernst & Young reports
in relation to the Horizon system, we have reports --
MR JUSTICE FRASER: Which you dealt with in opening I think.
MR GREEN: Yes. We've got the ones from 2011. As far as
I can tell we seem to have most of them from 2011 going
forwards, it may be we have all, but the position on the
earlier ones which we have been asking about for
a little while is that the latest position I think is
that Royal Mail -- from whom Post Office split on
1 April 2012 -- have said, according to my learned
friend's solicitors, that they are concerned -- is the
word that's used in the letter -- about providing them
without a third party disclosure order from the court.
We are a little surprised.
MR JUSTICE FRASER: Would they be coming from the
Post Office or would they be coming from the Royal Mail?
MR GREEN: Post Office say that apparently they don't have
them and that only Royal Mail has them and Royal Mail is
saying that they are concerned about providing them
without a third party disclosure order, notwithstanding
that Post Office was part of Royal Mail and normally
when these organisations are split there are transfer
orders in the usual way. So it's a surprising position
which we hope might be lightly resolved initially.
MR JUSTICE FRASER: All right, well I will hear what
Mr De Garr Robinson has to say. I'm effectively being
invited I think to make a third party disclosure order
but against Royal Mail who you probably aren't
instructed for.
MR DE GARR ROBINSON: I have no brief for Royal Mail.
My Lord, last year my instructing solicitors --
I think actually Post Office contacted Royal Mail and
said "Could we have these documents, they are being
requested in these proceedings" and Royal Mail said
"We're not going to give them voluntarily, if you want
them you will need a court order".
MR JUSTICE FRASER: And this was last year, was it?
MR DE GARR ROBINSON: This was towards the end of last year,
yes, in the late part of last year. I'm looking around
to --
MR JUSTICE FRASER: All right, if that's the situation
then -- do you need them for Monday, Mr Green?
MR GREEN: It would be quite helpful.
MR JUSTICE FRASER: But how is -- I don't see how I can make
an order against Royal Mail if they are not here.
MR GREEN: I'm not inviting your Lordship to make a order.
The issue that concerned us -- the letter is at
{H/227/1} from Wombles dated 27 February where they
explain --
MR JUSTICE FRASER: Give me a second while it is pulled up
on the screen if you're going to ask me to look at it.
H what?
MR GREEN: H/227/1. What they say is they don't say they
are refusing -- it's the letter of 22 February -- they
say:
"... Royal Mail Group are concerned about providing
these documents without a formal order from the court
for third party disclosure."
So it is pitched at the level of concern rather than
anything more.
MR JUSTICE FRASER: The problem is, just purely in terms of
logistics ... well, it's a fundamental principle that
I can't make an order in these circumstances against
Royal Mail.
MR GREEN: Of course.
MR JUSTICE FRASER: I can express my views on the transcript
and I can also make an order, which I'm going to do, you
just have to give me a moment to consider what it is
going to be.
(Pause).
Right, your juniors are going to have to take a note
when I get to the order. First of all I will say what
I'm going to do on the transcript and why I'm going to
do it.
Order
MR JUSTICE FRASER: Royal Mail are not here today so
I cannot make, as it has been expressed in the letter of
the Post Office's solicitors on 27 February 2019,
a third party disclosure order against the Royal Mail.
However, what I am going to do is make the following
order.
I am going to order the claimants to issue an
application for third party disclosure of the
Ernst & Young reports prior to 2011, to be supported by
a witness statement and that should be issued by
1 o'clock tomorrow. I am going to give permission for
short service. It is to be served on the Royal Mail if
at all possible tomorrow and no later than 12 noon on
Monday.
In the event that the Royal Mail still decline to
produce these documents voluntarily they can come at
10 o'clock on Tuesday and I will hear the application
then and if I do make an order against them in respect
of third party disclosure, the necessary order and the
relevant timings of that can be dealt with on Tuesday.
Hopefully, considering the transcript, which I'm
sure you will provide to them, they will realise there
is little to be gained by doing anything other than
being cooperative but I am not going to pre-judge the
outcome of the application.
All right?
MR GREEN: I'm most grateful.
MR JUSTICE FRASER: So that's that done. Is that the only
housekeeping from your point of view?
MR GREEN: My Lord, the only one from me.
MR JUSTICE FRASER: Mr De Garr Robinson, do you have any?
MR DE GARR ROBINSON: My Lord, I have your housekeeping
points. You asked me to remind you to discuss
8 and 9 May.
MR JUSTICE FRASER: Yes, I have that on my sticker, we will
come to that at the end.
MR DE GARR ROBINSON: I have a file of claimants' witness
statements, my Lord.
MR JUSTICE FRASER: Excellent, thank you very much.
MR DE GARR ROBINSON: If I can hand that up. That includes
some sheets of corrections to the extent that any
witnesses have minor corrections to make to their
witness statements. I have also a document which
contains all the corrections in one place if
your Lordship is interested to see that.
MR JUSTICE FRASER: Yes please, thank you very much.
MR DE GARR ROBINSON: The corrections will of course be
provided straight away. We have copies for my learned
friend.
MR JUSTICE FRASER: Yes.
MR DE GARR ROBINSON: My Lord, yesterday you asked for
a Word version of opening submissions. Your clerk
should now have that.
MR JUSTICE FRASER: Yes.
MR DE GARR ROBINSON: You wanted me to address your Lordship
on the question of redactions.
MR JUSTICE FRASER: I wanted you to tell me how many
documents had been disclosed as a function of the review
that you have told me about.
MR DE GARR ROBINSON: My Lord, the figures are as follows.
There was a request to review 31 documents.
MR JUSTICE FRASER: And that was a request from ..?
MR DE GARR ROBINSON: From Freeths. Pursuant to that
request, WBD and junior counsel, Mr Draper, reviewed
31 documents. The redactions were maintained on 16 of
those documents on the basis of privilege.
MR JUSTICE FRASER: Yes.
MR DE GARR ROBINSON: Redactions were maintained on four of
those documents on the basis that redacted information
was both confidential and irrelevant.
MR JUSTICE FRASER: Four of the 16, or another four?
MR DE GARR ROBINSON: Four of the 31. So we are up to 20
now.
MR JUSTICE FRASER: On privilege, did you say?
MR DE GARR ROBINSON: And four was confidential and
irrelevant.
MR JUSTICE FRASER: Confidential and irrelevant.
MR DE GARR ROBINSON: My Lord, redactions for privilege were
narrowed or removed on seven documents.
MR JUSTICE FRASER: Yes.
MR DE GARR ROBINSON: On the basis that the redactions had
been applied too widely for privilege. And, my Lord,
I can give your Lordship an example of one of those so
your Lordship will see the kind of error that was made.
If I could ask your Lordship to look at {F/1251.1}.
Your Lordship will see an email. This is a Second Sight
email involving Post Office. Indeed Mr Henderson I see
is one of the recipients. If you go down to the bottom
of this page your Lordship will see a script "Privileged
and confidential - created for the purpose of obtaining
legal advice". That was inserted by Mr Henderson in his
email and that resulted in that email, or large portions
of that email being redacted. A similar phenomenon
occurred on I think four of the seven occasions. That's
what led to that judgment call, which on reflection it
was decided was incorrect.
MR JUSTICE FRASER: Yes.
MR DE GARR ROBINSON: And, my Lord, in relation to
redactions for confidential and irrelevant documents,
they were narrowed or removed in four documents,
essentially for pragmatic reasons.
MR JUSTICE FRASER: So of the 31, 16 maintained on
privilege, four maintained confidential/irrelevant,
seven led to a narrowing and four were handed over, is
that right? Or have I got the last four wrong?
MR DE GARR ROBINSON: Four was confidential or irrelevant,
so it led to either a narrowing or a withdrawal.
MR JUSTICE FRASER: Right. Which led to some material being
disclosed that hadn't been disclosed already?
MR DE GARR ROBINSON: My Lord, yes. If I give your Lordship
an example. If we look at {F/619.1}. Your Lordship
will see this is a document where the tracking summary
and the executive summary were previously redacted on
the grounds that they were both confidential and
irrelevant. One may well think that they are completely
irrelevant, but on a pragmatic view --
MR JUSTICE FRASER: Well, redaction on the grounds of
relevance is a potential two-edged sword, isn't it? But
this is the version that has now been disclosed?
MR DE GARR ROBINSON: This is the version that's been -- the
original version is at --
MR JUSTICE FRASER: I don't need to see the original one.
But it is the tracking summary and the executive
summary.
MR DE GARR ROBINSON: Yes.
MR JUSTICE FRASER: Okay.
MR DE GARR ROBINSON: So that gives your Lordship an idea of
the scale.
MR JUSTICE FRASER: Thank you very much.
MR DE GARR ROBINSON: My Lord, I had thought there was
something else. Oh, your Lordship during the course of
Tuesday asked for memo views that were talked about in
the evidence of Mr Latif.
MR JUSTICE FRASER: Yes.
MR DE GARR ROBINSON: Post Office has acquired what it
thinks are the memo views for January. There's nothing
relevant in there that they have found so far, but they
want to ensure that they've got all of them so
your Lordship may have to bear with us for a while.
MR JUSTICE FRASER: Well, that's all right. When they've
got them all -- I don't necessarily want them but you
ought to give them to the claimants.
MR DE GARR ROBINSON: My Lord, yes.
MR JUSTICE FRASER: Right, so is that all the outstanding
points?
MR DE GARR ROBINSON: Would your Lordship give me one
moment?
MR JUSTICE FRASER: Yes.
(Pause).
MR DE GARR ROBINSON: The only outstanding question is
something that actually it's really outside my job
description but it's judgment on the common issues
trial. I don't know whether your Lordship has any
thoughts as to --
MR JUSTICE FRASER: I'm going to come on to that now, but as
far as housekeeping for this trial, I think that's dealt
with all the currently loose ends except for --
MR DE GARR ROBINSON: 8 and 9 May.
MR JUSTICE FRASER: -- 8 and 9 May.
In the time from telling you I was keeping those
first two weeks of May clear to you saying when you
wanted, I'm afraid the Thursday 9 May is no longer
available. It would have to be the 7th and the 8th.
Now, I'm not going to mess around too much about this.
I don't want -- because we're moving it I'm going to be
relatively flexible. I would like you please both to
see if you can do the 7th and 8th rather than the
8th and 9th.
MR DE GARR ROBINSON: My Lord, yes, we will.
MR JUSTICE FRASER: If there is an insuperable problem we
will revisit it on Monday morning first thing. The
trouble is there are so many cogs going behind the
scenes --
MR DE GARR ROBINSON: I can imagine.
MR JUSTICE FRASER: -- that despite the fact that one wants
to and has a certain degree of autonomy, it is just not
possible to keep dates open for the length of time that
counsel might expect.
So unless you tell me on Monday morning first thing
that the Tuesday and Wednesday of that week, so the 7th
and the 8th, are simply not possible for good and proper
reasons, that's when it is going to be. If you say it
has to be the Wednesday and Thursday then I'm afraid
there's going to have to be yet more to-ing and fro-ing
about it. So I need to tell you about that straight
away. I only found out yesterday.
MR GREEN: My Lord, if we can give you a completely sure
indication by tomorrow lunchtime, would that help?
MR JUSTICE FRASER: Yes.
MR GREEN: Bearing in mind on the --
MR JUSTICE FRASER: Yes. You can do it tomorrow if you
want.
MR GREEN: Most grateful. I'm just trying to help in case
there is --
MR JUSTICE FRASER: By all means. But given the general
level of judicial business across all the divisions it's
not possible to keep everybody happy all the time.
So that then leads me on to the only other thing,
which is the common issues judgment. I am going to hand
it down at 12 o'clock tomorrow. I have had
typographical and other suggestions from both parties.
They are relatively reasonable in scope. I'm fairly
confident that although I haven't incorporated all of
them now, I will have done either by the end of today or
first thing tomorrow and I think we will keep with
12 o'clock tomorrow. I don't intend to deal with any
consequential applications at all, but I will be making
the relevant order in the relevant terms to extend time
as I identified at the beginning of last week and you
will be expected to draw it up.
MR GREEN: My Lord, we have already done a draft which
I think --
MR JUSTICE FRASER: I don't need it in advance and it
depends what it says, but you will be the one doing it
so I suggest you bring it with you tomorrow.
MR GREEN: Very grateful.
MR JUSTICE FRASER: Anything from the Post Office about
that?
MR DE GARR ROBINSON: My Lord, I have nothing to say.
I think my learned friend's order has been shared with
my instructing solicitors and if we have any issues with
it we will communicate them.
MR JUSTICE FRASER: Can I make it clear, for the purposes of
assisting in terms of cost, I don't require -- and
I will read nothing into -- either party turning up in
any numbers at all. I will expect one person from the
claimant to be here just because of the order. It will
be open to the public. There will be printed copies.
There are unlikely to be as many printed copies as
people might want them but it will be instantly posted
on the relevant websites and all those details will be
given tomorrow, so please -- particularly for the
Post Office team, Mr De Garr Robinson, because I know
you have two different teams, please nobody should think
that there will be any discourtesy assumed if nobody
decides to come.
MR DE GARR ROBINSON: My Lord, thank you.
MR JUSTICE FRASER: Finally, I have something for Opus which
is a hardly used envelope, compliments slip and plastic
folder which can be reused.
Thank you all very much. 10.30 -- well, 12 o'clock
tomorrow and then 10.30 Monday.
(4.34 pm)
(The court adjourned until 10.30 am on Monday,
18 March 2019)
(10.30 am)
MR JUSTICE FRASER: I am not going to deal with this now but
just to ask you both to remind me, at the end of the day
can you remind me to deal with 8 and 9 May.
MR DE GARR ROBINSON: My Lord, yes.
MR JUSTICE FRASER: I have written a note for myself so
I should --
MR DE GARR ROBINSON: Between us I'm sure we will ...
MR RICHARD ROLL (continued)
Cross-examination by MR DE GARR ROBINSON (continued)
MR DE GARR ROBINSON: Mr Roll, just a brief recap on what we
were discussing yesterday. In your various witness
statements you use the phrase "software errors" and just
so that I can confirm my own understanding, when you say
"software errors" you don't mean coding errors, you mean
a much wider category of errors, including data
problems, yes?
A. Generally, yes, including coding errors as well though.
Q. But sometimes you use the phrase -- perhaps it is unfair
of me to ask it, but sometimes when you say "software
errors" you actually mean data problems in the context
in which you use it?
A. Yes.
Q. But given that I'm not putting anything to you, I will
take that as read.
And when you say data errors or data problems you
generally mean operational type data, don't you? You
don't mean things like configuration data, things like
that?
A. I generally mean the data that's been written to the
message store, so transaction data.
Q. Well, you say -- if I may say so, generally speaking
transaction data -- well, let me ask you actually.
Let's agree some terminology so that we don't get
confused going forward. Could I go to the defendant's
witness statement bundles to tab 14 please {E2/14}.
Paragraph 3, Mr Roll, perhaps you could briefly read it.
I'm not interested in the first sentence, it is the rest
of the paragraph.
A. This is Mr Godeseth's statement, yes.
MR JUSTICE FRASER: Which paragraph, sorry?
MR DE GARR ROBINSON: Paragraph 3, my Lord.
When you get to the end perhaps we could ask and
then the page can be turned for you.
(Pause).
A. Can you turn the page please, yes. {E2/14/2}.
(Pause).
So, sorry, what was your question again?
Q. So if you go back to page 1 you see that Mr Godeseth is
drawing a distinction between transaction data on the
one hand and data in the background, operational parts
of Horizon on the other. Are you aware of that
distinction, does that have any resonance for you?
A. It does. I was -- in my mind it is very similar. The
data that postmasters -- that's going into the message
store when you are doing a transaction, how it is
replicated up to the server and then how it is
processed, that's the sort of information I was talking
about.
Q. But when you talk about data corruption often you're
talking about things like for example a bit being a zero
instead of a 1 --
A. Yes.
Q. -- you described that in your witness statement. That's
not transaction data of that sort, is it, it's different
kinds of data?
A. It could be transaction data that's been corrupted.
Q. I will take you to the relevant passage of your witness
statement later but for present purposes can we please
agree that when I say transaction data I mean a record
of a transaction undertaken in a branch, or a branch
activity that causes a change in the branch's cash or
stock, I don't mean the wider collection of data, for
example all sorts of data have fields that are allocated
to all sorts of tables throughout the database, correct?
A. Right, yes.
Q. That kind of data, even if it is attached, if it's
relevant to a transaction, that kind of data isn't seen
by the subpostmaster, is it?
A. No.
Q. And it won't affect his branch accounts at all, will it?
A. I don't know.
Q. Well, often it won't. Do you know that often it won't?
A. Often it won't.
Q. It is to do with things like harvesting. That data will
be harvested by the system for other purposes?
A. Yes.
Q. For example to monitor what transactions are being done,
what products are being sold by Post Office, that kind
of -- and many many other things. You do recognise
that?
A. Yes.
Q. So that kind of data, which I think you may previously
have been referring to as transaction data, that's not
what I mean when I say transaction data, I mean data
relating to transactions that actually has an impact
that the postmaster sees in his branch accounts?
A. Right.
Q. Okay, thank you.
MR JUSTICE FRASER: And are you going to adopt a similarly
precise term for the other sort of --
MR DE GARR ROBINSON: Yes, I'm going to call that
operational data.
MR JUSTICE FRASER: So, Mr Roll, just so we're all using the
same terms and we all understand --
A. I will try and stick to --
MR JUSTICE FRASER: Do you now understand the
differentiation as far as today is concerned?
A. Yes.
MR JUSTICE FRASER: There's transaction data and operational
data, is that --
MR DE GARR ROBINSON: My Lord, yes. I'm sure there are
better terms but those are the terms I'm going to use.
MR JUSTICE FRASER: All right.
MR DE GARR ROBINSON: Now, having established points of
nomenclature, could I ask you, Mr Roll, to go to your
second witness statement. It is E1, tab 10 and it is
paragraph 14 of that witness statement which starts at
page 9 {E1/10/9}. You have it in hard copy I think with
you. It may be more easy to use that.
Now, what I'm interested in is some -- I will let
you find it. You will see that it is under the heading
"Transaction corrections and patterns of software
errors", so in this section you are talking about TCs
and software errors and paragraph 14 you then start
talking about software errors and what I'm interested in
is the text that's in red over the page at page 10
{E1/10/10}.
MR JUSTICE FRASER: Which I don't think will come up on the
common screen but it doesn't matter because you are
using the hard copy. Have you got your amended one,
Mr Roll? Have you got your amended one with the red
text?
A. Yes I have mine.
MR DE GARR ROBINSON: Now, I only saw this shortly before
you started giving evidence yesterday -- well, I saw it
shortly before court sat at 10.30 yesterday morning.
The first thing I would like to ask you is why was this
text added to your witness statement here?
A. I was trying to clarify something that had come to mind
after re-reading this a few days ago. It is possible
that if a postmaster is doing a transaction and as he --
between pressing "enter" and the data being written
there could be a corruption or an error that would cause
that data to change.
Q. And why did you include it in this particular paragraph?
A. I had specifically said "bugs" before that, in the line
above it, and I wanted to clarify that there were other
things that could have caused problems.
Q. Oh, so you're not talking about bugs here, you're
talking about other causes?
A. Yes.
Q. And you say:
"As well as being caused by bugs, software errors
could also be caused by data corruption."
Stopping there, when you say "software errors" --
A. Transaction data errors.
Q. -- you mean data errors?
A. Yes.
Q. So when you say "data errors could also be caused by
data corruption", is that circular, or are you -- could
you explain what you mean? It looks like you are saying
data corruption could be caused by data corruption --
A. Sorry, I see what you mean.
Q. -- and I would like to give you the opportunity to
explain what you mean?
A. There could be some corruption of data at that point
that might cause the postmaster to -- for the account to
say he has a certain amount of money perhaps that he may
not have.
Q. You are talking about hardware errors causing data
corruption, aren't you?
A. It needn't necessarily be the hardware that caused the
problem, it could be the software that's become corrupt,
the transaction --
Q. Well you have just told me you weren't talking about
software bugs, you were talking about --
A. No, sorry, the transaction data could be corrupt at that
point. Just one of those spurious things that happens.
MR JUSTICE FRASER: Just pausing there, you said software
bugs, I think yesterday we worked out that's coding.
MR DE GARR ROBINSON: Coding.
MR JUSTICE FRASER: Can we keep to that.
MR DE GARR ROBINSON: So you're not saying these kind of
things are caused by coding?
A. Sometimes it is caused by coding bug, or it could be
a potential bug, other times it could have been
something else. It could just be data corruption that
just happened at the moment.
Q. I'm struggling to understand this, Mr Roll, because you
say "as well as being caused by bugs" and you just told
me about a minute ago that you put this in here because
you were distinguishing between issues that are caused
by bugs and issues that are caused by other things. Now
you are saying these things are caused by bugs after
all. Which is it?
A. Sorry, what I'm trying to say in this added bit is it's
not caused by bugs, it's data that has become corrupted
at a specific moment in time just because it has become
corrupted.
Q. And I'm suggesting to you, Mr Roll, that in that
scenario it will generally be because of some hardware
error in the counter in which the transaction is being
entered. Would you accept that?
A. No.
Q. Well, let's proceed. You then say:
"If the corruption happened just as a transaction
was being written to disc, it could have altered the
value of a transaction and the subpostmaster may not
have realised."
So what you are suggesting is the subpostmaster
types in a number on the screen and actually the number
that comes up is different from the number that he or
she has typed?
A. No, the number that he or she has typed would be
correct, but in-between pressing the "enter" key and it
going off you've got milliseconds between it going
between there and being written to the disc. If the
data corruption occurs in that instant ...
Q. I see.
You then say:
"This would not be detected by the system as there
would not be a mismatch in the figures."
Is that your evidence?
A. That's what I'm suggesting there, yes.
Q. Well, could I suggest to you, Mr Roll, that where that
happens there are cyclic redundancy checks being
constantly done which check to see whether the amount
typed in is the same as the amount that goes into the
system. It is something that's continually done within
the Horizon system, isn't it?
A. You are probably right there.
Q. It is done at both levels. We're talking about
Legacy Horizon. It is done at the Riposte level which
operates the message store, as it were, and it is done
at the operating system level, the NT which operates --
sorry, the NT, the Windows that operates the counter
itself. There are cyclic redundancy checks that are
applied as these processes are being done at both of
those levels, aren't there?
A. I don't remember that precise detail.
Q. But I suggest to you that that is the case and are you
in a position to dispute that?
A. I'm not in a position to dispute that, no.
MR JUSTICE FRASER: Are you saying six on Legacy Horizon?
MR DE GARR ROBINSON: I'm talking about Legacy Horizon, the
counters that were used in branch at that time and
your Lordship will remember that --
MR JUSTICE FRASER: No, you don't need to go into any more
explanation, I just wanted to check.
MR DE GARR ROBINSON: And those checks will automatically
and immediately tell if there is a difference between
what the application is attempting to write, what's
actually being typed in, and what is actually being
written into the system; that's right, isn't it?
A. Usually, yes.
Q. I would suggest to you, Mr Roll, it always happens, it's
a constant feature of the Legacy Horizon system. It's
one of the fundamental consistency checks that is always
applied in the operation of the system. Do you accept
that?
A. I accept that's how it is supposed to work, yes. I'm
still not sure that it would be 100%, but --
Q. Well, let me ask you about your experience. In your
44 months at the SSC did you ever encounter a situation
where a cyclic redundancy check missed an error of this
sort?
A. I can't remember that.
Q. I suggest to you didn't, Mr Roll.
Could I also ask you whether you were ever aware of
this -- in your experience you ever actually saw this
problem happening with a subpostmaster?
A. I don't think I did, no.
Q. You said --
A. I don't think I did.
Q. You don't think you did?
A. No.
Q. So what you're saying in red text here in paragraph 14,
it's really largely a -- and I don't mean to be rude
when I say this -- it's an armchair theoretical exercise
that you are discussing, it's not something that
actually reflected your experience when working at the
SSC, is it?
A. No, it was something I was thinking of hypothetically.
Q. I'm grateful.
Then just to complete this point -- and this may be
beyond your experience because it appears that you
didn't actually see any of this happening while you were
there, but just to complete, would you accept that if
and when the cyclic redundancy check spotted there was
the mismatch of figures being typed in and figures going
into the system, as well as sending an event straight
away to the SSC which would be picked up by the SSC's
automatic systems, it would also prevent the counter
actually undertaking the transaction. Do you accept
that?
A. Yes.
Q. I'm grateful. Now, I would like to go to paragraph 8 of
your first witness statement please and that's at
{E1/7/2}. I would like to pick it up at the third
sentence where you say:
"Any errors made by subpostmasters would be
relatively easy to identify, and would normally be
picked up by 1st or 2nd line support. If an error was
referred to us then it was extremely unlikely to be due
to a mistake made by a postmaster ..."
Do you see that?
A. Yes.
Q. Having read that could we then move please to what
Mr Parker says about this and I would like to go to
bundle E2, tab 11 and it is at page 6 {E2/11/6} and it
is the text just underneath the numbered
paragraph 26.1.3. Mr Parker says:
"If a branch required assistance to attempt to
determine the cause of a discrepancy they would contact
NBSC in the first instance. Discrepancies are not
unusual in a retail system."
I imagine you would accept that, Mr Roll.
"They indicate a difference between the operator's
declaration of cash and stock on hand and the system's
calculation and as such are a business operation issue.
However ..."
He says and this is the point I'm going to ask you
about:
"... it was not always possible for NBSC to identify
the cause of a discrepancy. For example, a user may
enter a deposit of £100 into a customer's bank account
on Horizon but rather than taking £100 from the
customer, they may make a mistake and give the customer
£100 as if it had been a withdrawal. In that scenario,
NBSC would not have been able to identify the cause of
a discrepancy. Clearly, NBSC is also unable to assist
when losses have been caused by theft."
Now, do you accept what Mr Parker says in the
paragraph I have just read out?
A. Yes.
MR JUSTICE FRASER: NBSC is the helpline, isn't it?
MR DE GARR ROBINSON: My Lord, yes. It's the first line
of support.
MR JUSTICE FRASER: And is that Fujitsu or Post Office?
MR DE GARR ROBINSON: The NBSC is run by Post Office. It
then goes through to the second line.
MR JUSTICE FRASER: Mr De Garr Robinson, I just wanted to
check that.
MR DE GARR ROBINSON: Yes.
MR JUSTICE FRASER: Because in other statements it is
referred to as the helpline. I just wanted --
MR DE GARR ROBINSON: My Lord, it is sometimes referred to
as the helpline. It is confusing because there is the
HSD as well as the NBSC and they are both elements of
the first line of support.
So where you say, Mr Roll, in paragraph 8 of your
statement that any errors made by subpostmasters would
be easy to identify and would normally be picked up,
that's not right, is it? There are all sorts of errors
that are made by the postmaster that will not be picked
up. Would you accept that?
A. From my memory of when we were working there, no, but
from reading this ... yes.
Q. You would accept that. So, for example, if an irate
subpostmaster phones into the NBSC and says "These
figures aren't right, there's a glitch in the system,
there's a glitch in the system", keeps insisting there's
a glitch, it would not be easy -- in fact in many cases
it would be impossible for the first or the second line
of support to say categorically "That's definitely
a user error" and close the matter down. In that kind
of situation wouldn't what would happen be that the
second line of support would refer on to SSC for
investigation; do you accept that?
A. Yes.
Q. Then I would like to go back to your witness
statement -- it is quicker to do it in hard copy,
Mr Roll -- paragraph 10 of your first witness statement
{E1/7/2} you must have in front of you. You say, second
sentence -- so we have a problem like that, it gets
passed to the SSC and I think you would accept that the
SSC would always investigate to see if it could be
attributed to a bug or other fault within Horizon --
A. Yes.
Q. -- yes? So you then say:
"If we were unable to find the cause of the
discrepancy then this was reported up the chain and it
was assumed that the postmaster was to blame."
That's your claim. I would like now to compare it
to what Mr Parker says about this. It is in his first
witness statement again, this time at page 13
{E2/11/13}. Paragraph 46, Mr Parker says:
"In paragraph 14 Mr Roll states, 'I would reiterate
that the main recurring issues were software issues'.
It is a symptom of working within a software support
team that the majority of issues that come in have been
attributed to a software issue by, for example, a lower
line of support. This can lead to a mindset of 'look at
all these Horizon errors' but what this indicates to me
is that the previous levels of support are functioning
correctly, removing the majority of other causes
(user/hardware problems). It does not indicate that the
majority of Horizon errors could be attributed to
software."
By "software" he means coding. Would you accept
that, Mr Roll?
A. Yes.
Q. Thank you. And then if we could move on over the page
to page 14, paragraph 49 {E2/11/14}, he says:
"Mr Roll further states that if SSC was 'unable to
find the cause of the discrepancy then this was reported
up the chain and it was assumed that the postmaster was
to blame' (paragraph 10). That is not my experience: it
is a simple truth of support that the majority of issues
reported in the system are attributable to user action
or user misunderstanding much system functionality."
Stopping there, Mr Roll, would you accept that?
A. I would accept that -- and as he says, those issues
would have been picked up at first or second line
support. The way I remember it is that we were dealing
with issues not necessarily the majority of issues
caused by the user, but that's how I remember it.
Q. I think I'm seeking to suggest to you, Mr Roll, that as
a matter of just common sense the majority of issues
reported in a system, whether it goes to first, second
or third line of support, the majority of issues
reported in the system are attributable to user action
or user misunderstanding of system functionality?
A. Yes.
Q. As a matter of common sense you would accept that?
A. Yes.
Q. So "Hence", Mr Parker says:
"... someone working in a support environment
analysing a new issue would examine the possibilities of
user error as a first hypothesis but any final
conclusion is only generated based on the evidence.
Where the evidence does not support a conclusion that
there's a problem with Horizon, the SSC feeds the
existent factual data back to Post Office and might say
something along the lines of 'all indications are that
the branch has made a mistake' but Fujitsu neither
attributes 'blame' or agrees the final conclusion ..."
What I would like to suggest to you, Mr Roll, is
that when a problem was, when you were there, reported
into the third line of support and the problem would
then be allocated to a member of the SSC, that SSC
member would look for ways in which the symptom that's
complained about could be attributed to a coding error
or other problem within Horizon; that's right, isn't it?
A. Yes.
Q. And they worked quite hard to try and figure -- they
would look at all the data, the system log, the event
log, transaction data; all the data, vast array of data
that's available to Fujitsu, and they would work very
carefully through to try and see whether there's
a credible explanation that's based upon a coding bug or
some other systemic problem with Horizon, yes?
A. Usually.
Q. Usually.
A. There were instances which I can't remember but I know
that at the time I felt uncomfortable with what was
going on because of the pressure that was put on us to
find -- to either find a problem or to say that we
couldn't find a problem. So there were time constraints
and we weren't given -- this is my recollection, but
I can't give you specific details. And this is why --
Q. So --
MR JUSTICE FRASER: Can you just let him finish.
A. This is why I first spoke to people about this, because
there are instances that I remember being unhappy with
it.
MR DE GARR ROBINSON: But you can't give any specifics --
A. No.
Q. -- and we can't look at the documents to see what you
are talking about?
A. No.
Q. And it's not that -- I think we discussed this
yesterday. You are not suggesting that there was any
pressure put upon you to put it down to human error,
it's simply that you are saying that not enough time was
given to do the job to your satisfaction, is that right?
A. Yes.
Q. I challenge that, Mr Roll. I formally suggest to you
that that didn't happen.
A. All I can say is that is how I remember feeling, but it
was a long time ago.
Q. But from the SSC's perspective your job was to
investigate a problem as thoroughly as it needed to be
investigated?
A. Our job in the team; it wasn't always me who was doing
the work that I was worried about.
Q. Well, quite often it was -- looking for these kind of
problems, quite often it was someone more senior in the
team that was looking at these kinds of problems --
A. Yes.
Q. -- isn't it? And you can't speak to the amount of
pressure that they were under, can you?
A. Not from direct memory, no. It's just, as I said, the
impression I took away with me.
Q. So you would accept, wouldn't you, that everyone in the
SSC including you did a professional, rigorous and
thorough job?
A. We tried to, yes.
Q. If we could go to your second witness statement please
now which is at E1, tab 10 and I would like to ask you
about paragraph 14 {E1/10/4}. You say:
"I do not believe that it is realistic to say that
all software errors would have been picked up by the
processes which were in place, or that the likelihood of
software errors staying disguised as human errors was
very small ... I believe there were likely many cases
where subpostmasters would have been held responsible
for problems which had not at the time been identified
as software errors, either because they could not
identify the problem and did not pursue these with
Post Office or Fujitsu, or because when they were raised
we ... were ultimately unable to identify the problem at
the time."
Now, I would like to ask you about your belief that
there were "likely many cases". Mr Roll, that's
speculation, isn't it, that's not a statement of fact?
A. That is how I felt, yes, that's --
Q. You felt it? What was the basis of your feeling?
A. Going back to what I have said a moment ago about
feeling that at times we were under pressure and we
couldn't do the job properly.
Q. How often -- do you have a recollection as to how often
you were under pressure?
A. No.
Q. My sense of the evidence you have given -- and I want to
tell you this so that you can tell me whether you agree
or not -- is that it didn't happen very often?
A. Not very often, no.
Q. Okay. So can you say how many times --
A. No.
Q. -- you had a sense when faced with a problem that it was
likely to be a bug but you hadn't --
A. I wouldn't be able to say.
Q. You couldn't say how many times --
MR JUSTICE FRASER: Keep your voice up, Mr Roll.
A. Sorry. I have no idea.
MR DE GARR ROBINSON: It is just your language. You say
"I believe" -- that's your present state of mind --
"there were likely many cases where subpostmasters would
have been held responsible for problems which had not at
the time been identified". How can you say "many"?
When I ask you about the problem you say it is because
"Sometimes I was busy and wasn't given enough time to
investigate". You very fairly say -- although you
cannot be categorical, you can't identify particular
incidences but you don't believe that happened very
often.
A. First of all --
Q. On that basis how can you say that you believe there
were likely many cases where it happened?
A. First of all, it wasn't necessarily me that was busy, it
was comments from other people in the team about how
busy they were trying to find a solution and I heard
that infrequently, but that led me to the belief --
that's the way I think I feel it, that if I was aware of
a few then there must have been more. So it's
speculation, yes.
Q. You accept that it is speculation. You are talking
about something that happened between 15 and --
A. 19 years ago.
Q. -- 18 years ago. It would be fair to say, wouldn't it,
that your recollection is very hazy about these kind of
things?
A. Certainly some of it, yes.
Q. Would you accept that your recollection of this kind of
thing is hazy?
A. It is quite hazy, but the feeling persists that
sometimes things could have slipped through.
Q. Sometimes things could have slipped through. One last
question before I move on. When you were under time
pressure and you didn't feel that you were being given
as long as you needed to do your job, is it that you
were given ten minutes and told to do something else, or
is it that you needed four hours and that you were only
given three? I would like a sense of what you mean when
you say that you didn't have the time that you wanted?
A. You might have had eight or ten hours. From my
recollection -- I may be getting different things mixed
up here, but we had so many days to come to
a resolution, to resolve a problem, so if we didn't get
the problem for a couple of days then our window had
closed. It was shorter than it should have been.
Q. And did you communicate concerns about this to anyone
else -- to Mr Peach, your superior?
A. I believe that was -- it was mentioned at times, yes.
Q. You mentioned it to Mr Peach. And did you mention it to
Mr Parker?
A. I don't think so, no. Mr Peach was the manager.
Q. But Mr Parker was your deputy manager, wasn't he? He
had authority over you, didn't he?
A. I never saw it as that, no.
Q. So it's not something you discussed with Mr Parker, it's
just something you discussed with Mr Peach who isn't
giving evidence, is that right?
A. Yes.
Q. I see.
Then there's one phrase I would like to ask you
about. It is where you say:
"I believe there were likely many cases where
subpostmasters would have been held responsible for
problems which ... we (Fujitsu) were ultimately unable
to identify the problem at the time."
Are you suggesting that problems reported to the SSC
would not be resolved at that time, but then at some
later time when a further problem arose it would then be
identified? Are you suggesting --
A. I wasn't trying to suggest that, no.
Q. It is just your use of the words "at the time"?
A. I'm sorry, that is misleading, yes.
MR JUSTICE FRASER: I'm sorry, Mr De Garr Robinson, I have
lost where -- the passage you were asking about.
MR DE GARR ROBINSON: It is the sentence beginning
"I believe there were likely many cases".
MR JUSTICE FRASER: Can you maybe give me a paragraph and
page number?
MR DE GARR ROBINSON: Paragraph 14 of Mr Roll's second
statement.
MR JUSTICE FRASER: It is just the screen had moved, that
was all. So we are still on paragraph 14.
MR DE GARR ROBINSON: Well, the sentence starts on page 4
and then goes over to page 5.
So you are not suggesting that you are aware of
a problem that was identified at some later stage but
manifested itself at some earlier stage and was not
corrected at that stage and therefore was left there,
you're not suggesting that that happened in your
knowledge?
A. Sorry, could you say that again.
Q. I'm not being very clear, I'm so sorry.
I'm trying to investigate with you whether you are
seeking to allude to the following scenario and
I suspect that you are not, so I will be quick. At time
T zero someone phones in with a problem, gets through
the two lines of support, gets through to the SSC, it is
investigated. The investigator tries very hard to find
a coding problem or some other problem in Horizon that's
responsible for it, can't, puts it to one side, closes
it down and then the problem reappears through some
other postmaster at some later stage, gets through the
first and second lines of support, gets to the SSC and
a coding problem is then identified, but that leaves the
poor first subpostmaster in the cold. I was just
seeking to investigate with you whether you are seeking
to suggest in that sentence that that ever happened?
A. No.
Q. I'm grateful. Because the truth is that in that kind of
scenario, when the second problem is identified and the
root cause determined then all occasions on which this
problem has manifested itself in the past would then be
investigated and identified, would they not?
A. Yes.
Q. So in that scenario information would be provided to
Post Office to allow the earlier subpostmaster to be
made whole -- I don't know if I'm allowed to use that
expression, my Lord.
A. Yes, I would --
Q. Thank you. Then I would like to go to Mr Parker's
second witness statement now please, which is {E2/12/5}.
I would like to ask you about paragraph 15 of
Mr Parker's witness statement which is about recovery
processes. He says:
"Mr Roll states that 'Fujitsu's stance was generally
that if there was a problem with transactions following
a recovery process and if SSC could not identify the
cause, then the problem must have been caused by the
subpostmaster not following the recovery process
properly'."
And then Mr Parker says:
"I agree that if Fujitsu was unable to identify the
cause of a discrepancy that was said to relate to
a recovery issue, having investigated the matter, the
likely conclusion would be that the discrepancy
(if there was one following the recovery process) was
probably the result of human error. The key point
here ..."
And this is what I'm seeking to discuss with you,
Mr Roll:
"The key point here is that the SSC would thoroughly
review all of the available evidence. I am confident
that if there had been a software issue in relation to
the recovery process, the SSC would have identified it
or in the very unlikely case that we could not determine
root cause, would have at least documented its
symptoms."
Full stop. Would you accept that, Mr Roll?
A. Yes, if we couldn't determine the root cause then it
would have been documented. But I should say, if we
couldn't determine the root cause then that would have
been passed on to the Post Office and the assumption
would have been that the postmaster had made a mistake.
Q. I would like to suggest to you that Mr Parker here is
saying that if there had been a software issue -- he
means coding issue --
MR JUSTICE FRASER: That means coding, does it, there?
MR DE GARR ROBINSON: My Lord, I believe so.
"... if there had been a [coding issue] in relation
to the recovery process, the SSC would have identified
it ..."
Stopping there, do you accept that?
A. No.
Q. And why do you not accept that?
A. We may have passed it -- if we may have suspected --
sometimes it would have been identified as a coding
issue. Sometimes if we couldn't identify it and
suspected it as a potential one, it would have gone to
development. But we may not have detected the software
issue -- the coding issues ourselves.
Q. He goes on to say:
"... in the very unlikely case that we could not
determine root cause ..."
Would you accept that the situation you have just
described would be a very unlikely one?
A. Terminology I suppose. Unlikely.
Q. Very unlikely, Mr Roll.
A. I wouldn't agree with that.
Q. But you would agree unlikely?
A. Unlikely, yes.
Q. Then he says:
"... [we] would have at least documented its
symptoms."
Would you agree with that?
A. They would have been recorded.
Q. They would be recorded in a what, in a KEL?
A. I don't know.
Q. In a PEAK?
A. I can't remember.
Q. The system would maintain knowledge of the symptoms and
would be aware of or would be looking out for any
recurrences?
A. Yes.
Q. And you said I think that this would then be passed on
to the fourth line of support, is that right?
A. From my recollection of it, yes.
Q. And what would the fourth line support then do with it?
A. I think they would look at the code and see if they
could find a problem with it.
Q. So in most cases, save in the unlikely case, the third
line of support would have spotted the problem. If they
didn't spot the problem they would document the symptoms
so that the system would be alive to the possibility of
recurrences and at the same time they would pass the
problem over to fourth line support who would give the
problem an even more thorough investigation, is that
right?
A. Usually, except if we were under pressure, as I said
before --
Q. Well, if you were under pressure, Mr --
A. -- to provide an answer to our manager who was probably
under pressure himself to provide an answer to --
Q. It is very hard to discuss the pressure you were under,
Mr Roll, because you are talking in such generalities.
A. I'm sorry.
Q. I don't criticise you for that because it is a long time
ago, you are doing what you can do. But can I suggest
to you that in circumstances where there's a problem
that's been encountered and it is suspected that it may
be the result of some kind of bug or other problem in
Horizon, the matter is not going to be closed by anyone
at the SSC. One way or another, either at third line or
at fourth line, the people are going to keep going until
the suspicion has been fully exhausted; would you accept
that?
A. No. If we couldn't find a problem, then it may have
been closed. The information could have been passed
back to Post Office saying "We can't find any problems"
and from then on it would have been -- I assume it would
have been put down as a postmaster's error or whatever.
Q. So you don't know what it would have been put down as in
relation to the postmaster?
A. No.
Q. What I'm asking you is not just about the situation
where you haven't been able to attribute a problem to
a coding issue or some other problem in Horizon. You
try and attribute and you fail. If you had been given
proper time, which I think you say happened in most
cases, then you would be satisfied that it wouldn't be
the result of a coding problem or some other problem in
Horizon, is that right?
A. Yes.
Q. But you say sometimes -- not very often, but sometimes
you didn't get the chance to spend as much time on it as
you would have liked; is that what you are saying?
A. Yes.
Q. I have already challenged you on that evidence. But
here is my suggestion to you, Mr Roll. In circumstances
where having got as far as you've got you actually
suspect that a coding issue or some other problem in
Horizon is responsible, you would not stop, you would
not close down the PEAK --
A. No, you would pass it on.
Q. You would, wouldn't you?
A. Yes.
Q. So in any case where you have a lingering suspicion that
there's a problem in Horizon of some sort causing this
symptom, you would never close it down but you would
always pass it on for further investigation?
A. If you thought it was a coding issue, yes.
Q. If you suspected it was a coding issue?
A. Yes.
Q. Or other problem in Horizon?
A. I'm not sure whether we would have closed some of them
down or not at that point.
Q. What, with other problems? Why would other problems in
Horizon be dealt with differently?
A. Some of the areas we had a lot of control over --
I don't really know how to explain this, I can't really
remember much about it, but there were times when we
couldn't find a problem with the message store and the
data -- it was passed back to the Post Office as closed
because we couldn't find any supporting evidence for
what the postmaster was saying.
Q. Yes. But how does that answer my question?
A. I think I'm getting side-tracked here, I'm sorry.
Q. My suggestion to you is that on any occasion when you or
anyone else at the SSC had a lingering suspicion that
a problem that had been identified --
A. Yes.
Q. -- was the result of the Horizon system --
A. If we had a suspicion then it would be passed on.
Q. -- it would absolutely not be closed down and blamed on
the subpostmaster, would it?
A. No.
Q. Thank you. But however, if having done your
investigation and having formed the view that you don't
have a suspicion of a problem in Horizon, does the last
sentence of paragraph 15 of Mr Parker's statement
{E2/12/6} apply? He says:
"Having conducted a careful investigation which did
not reveal any software issues, human error would be by
far the most likely explanation."
Would you accept that as a matter of common sense?
A. I need to backtrack a bit here because sometimes, going
back to the pressure, we would not suspect a software
coding issue, a bug, a coding bug, there might be
something else, but if we were under pressure then we
wouldn't necessarily have the time to fully look at that
to understand what was going on, so then we would close
the KEL.
Q. Are you suggesting to me that in your situation as
an SSC team member there would be checks that would need
to be done in order to answer the question whether there
was a problem in Horizon causing this situation and you
would deliberately close a PEAK and close down the
problem even though the check had not been done?
A. As far as I can remember, on occasion that did happen.
Q. Mr Roll, I suggest that's extraordinary and it's
unprofessional and it's not what any member of the SSC
should ever have done?
A. I know.
Q. Are you saying it's what you did?
A. On occasion I was instructed to close a particular call
which was not software related or anything, basically to
quieten it down.
Q. Well, that's quite remarkable, Mr Roll. Why is none of
that in your witness statement?
A. It is.
Q. You are telling me there was a specific occasion when
someone with authority over you told you to close down
a call when you hadn't finished your investigation,
are you?
A. I'm not putting that very well, but yes.
Q. Who was the person who told you that?
A. Mik Peach.
Q. So Mr Peach told you -- what was the nature of the
problem?
A. The nature of the problem was that a postmaster was
reporting that a system was rebooting unexpectedly. We
looked -- or I looked at it and I found that the -- she
was actually powering the system off and she insisted
she wasn't. It was a mobile system and she was -- as
I said, we could see from the message store that the
system was being rebooted and she insisted she wasn't
rebooting it. So I did some tests on the test rigs in
the testing area at the end of floor 6 where we were and
I found that on one of the test rigs I could simulate
the same problem. If I turned the screen off, it
actually turned the whole computer off. And when
I dismantled the equipment I found that the screen
button had been miswired and it had been wired into the
motherboard so that it actually cut the power off and
not the power to the screen, so it rebooted the system.
That's documented in the PINICLs.
I asked for the base unit to be brought back but in
the meantime -- we then found out that this was a known
build error but somebody in the hardware department had
built a batch of computers and wired them up
incorrectly. They had sent them out to the estate but
they -- they had realised they had done it and they knew
about it but they hadn't informed anyone else.
So I pinpointed the problem, spoke to Mik Peach.
Mik Peach got back to me later and said "Yeah they know
about this". When the system came back and I confirmed
it, I was asked not to put any more information on this
on the PINICL and it was being dealt with internally.
Q. Let's talk about -- I was going to ask you about that
later. So that's not an occasion where Mr Peach told
you to stop investigating something that needed to be
investigated?
A. Not to stop investigating, no, he told me --
MR JUSTICE FRASER: Both of you, if you talk over each other
we can't transcribe it. So you wait for
Mr De Garr Robinson to finish. He will, I can assure
you, wait for you to finish.
A. Sorry, your Honour.
MR JUSTICE FRASER: Right, Mr De Garr Robinson.
MR DE GARR ROBINSON: The answer you have just given me was
the result of a question which I asked which is are you
seriously -- I now can't reformulate my question.
My question was based upon a claim that you have
just made to the effect that there was a problem which
required further investigation. You said this didn't
happen with coding bugs but sometimes with other issues
that were less the SSC's purview, sometimes it did,
where more investigation was needed and you said
Mr Peach told you not to do that investigation but to
close it down. Now, do you remember giving that
evidence?
A. That's ...
Q. We could go back to the transcript, if you like,
Mr Roll.
A. What was it you said exactly before that part?
Q. Page 35 of the transcript.
MR JUSTICE FRASER: Line 17 I think. Well, the passage goes
from line 3 to about line 13.
Can we go higher on the common screen -- that's it,
just stop there. Page 35.
MR DE GARR ROBINSON: You say:
"Answer: On occasion I was instructed to close
a particular call which was not software related or
anything, basically to quieten it down."
And if we could go actually further up, it is at
line 16 on page 34:
"Question: Are you suggesting to me that in your
situation as an SSC team member there would be checks
that would need to be done in order to answer the
question whether there was a problem in Horizon causing
this situation and you would deliberately close a PEAK
and close down the problem even though the check had not
been done?"
That was my question to you. So I was asking you
whether there were occasions when you needed to do
further sessions and you were told not to. And you
said:
"Answer: As far as I can remember, on occasion that
did happen."
So that's quite a bold claim. And then I say:
"Question: ... I suggest that's extraordinary and
it's unprofessional and it's not what any member of the
SSC should ever have done?"
And you say "I know" and I say:
"Question: Are you saying it's what you did?"
And you say:
"Answer: On occasion I was instructed to close
a particular call which was not software related or
anything, basically to quieten it down."
Now, I took you, Mr Roll, to be saying "Yes, I was
told not to perform investigations that I felt I needed
to perform", but the example you have just given, which
I will be coming to, is not an example of that at all,
is it?
A. No, it's not. The line on 16 and my response at 22,
I -- the way I remember that happening in the SSC is
that not myself but other people were under a lot of
pressure to come up with a "can you find anything, we
have to know by lunchtime if you can find anything in
this message store" and then they would come back and
say "No, we can't find anything".
Q. Mr Roll, first of all that's not addressing the point
that I'm suggesting to you. You are not suggesting,
are you, that people in the SSC were told not to perform
checks that they felt they needed to perform in order to
do their job properly?
A. Oh, I see. No.
Q. And can I suggest to you that no one in authority at the
SSC would ever have wanted a team member not to perform
a check that needed to be done in order to satisfy that
team member whether there was or wasn't a problem in
Horizon?
A. The feeling I still have is that on occasion we could
have done more if we had had more time but that
occasionally due to time pressures we didn't have the
time. That's -- it's just my feeling from 19 years ago.
Q. Your feeling from 19 years ago and could I suggest to
you, Mr Roll -- it may be wrong, but my understanding of
your evidence is that that feeling is that it only
happened on relatively rare occasions, it wasn't
something that was frequent.
A. Rare occasions, but that was the feeling I had then and
it has persisted.
Q. Very good.
If we could move to page 6 of Mr Parker's second
statement {E2/12/6} and look at paragraph 19 at the
bottom of the page. He says:
"Fujitsu has mechanisms in place for detecting
potential issues. In ... my first statement I briefly
explained that the system management centre monitors
system events and I briefly described the work of the
communications management team in paragraph 26.1.2.
Each of these teams would generate support actions based
on system generated event information."
That's true, isn't it?
A. Horizon was an evolving system, it probably still is.
In the early days a lot of the processes weren't in
place and we had to find them, we had to find the
problems and develop the processes to -- so that by the
end of by the time I left then yes, this was true.
Q. I suggest to you that this sentence is true of the
entire time that you were working at SSC, Mr Roll.
A. My recollection is that we improved the systems
tremendously over the years.
Q. But from the word go these teams did exist and they
would generate support actions based on systems
generated event information from the first day that you
were there?
A. Yes, if the system was able to generate the event.
Q. But you're not, I presume, in a position to tell me what
events it was able to generate when you arrived --
A. No.
Q. -- and what events it was able to generate when you
left?
A. No, but as we put more processes in, the system is much
more able to detect errors.
Q. Well, it's difficult for me to ask you questions about
that kind of claim.
Then he says:
"It is also the case that the sheer number of
subpostmasters using the service and reporting issues
via the help desks make it very unlikely that there is
any significant number of hidden errors."
Would you accept that?
A. A significant number, yes. There may have been the
occasional one.
Q. Yes, but can we say the vast majority of problems that
were caused by the system would have manifested
themselves in some kind of reporting --
A. Yes.
Q. Thank you. And he says:
"These mechanisms are so effective at identifying
when bugs are a cause of problems that it would be very
rare for a bug to not be detected."
Would you accept that?
A. If it was a known bug, yes.
Q. What do you mean by that?
MR JUSTICE FRASER: We are talking coding, yes? Coding.
A. Coding, yes.
MR DE GARR ROBINSON: Yes.
A. If a coding bug was detected then we could put in place
mechanisms to detect when that was -- when that bug had
had an effect.
Q. I think Mr -- I'm grateful for that answer, but I think
Mr Parker is making a slightly different point. He has
described the mechanisms in place and you generally
agreed them.
A. Right.
Q. And he says:
"These mechanisms are so effective at identifying
when bugs are a cause of problems that it would be very
rare for a bug to not be detected."
That's true, isn't it? Sometimes the bug could get
through --
A. Yes.
Q. -- but it would be very rare for that to happen, would
you accept that?
A. Yes.
Q. Thank you. Then on to paragraph 20 {E2/12/7}:
"Once an issue has been raised, Fujitsu is
experienced in providing support and will go to great
lengths to investigate the root cause."
Stopping there, would you accept that? That that
was true of your time when you were at the SSC?
A. Yes.
Q. "In paragraph 61 of my first statement I explained that
Fujitsu use a custom solution, developed and
administered by the SSC, which allows us to record
support knowledge into a known error log ... KELs record
support knowledge which is intended to assist staff in
the support and understanding of the Horizon system."
I apprehend you won't disagree with any of that?
A. No.
Q. He then says:
"Mr Roll's statement that 'subpostmasters would have
been held responsible for problems which had not at any
time been identified as software errors ... because when
they were raised we (Fujitsu) were ultimately unable to
identify the problem at the time' assumes that if
Fujitsu was not able to get to the root cause of an
issue, it must have been a software error rather than
a human error. But as I explain ... above, if Fujitsu
was unable to identify any software issues after
carrying out a careful investigation, human error would
be by far the most likely explanation."
Now, would you accept that, Mr Roll?
A. I would accept that it is the most likely explanation,
yes.
Q. Thank you.
Then if we can move on to paragraph 23 {E2/12/7} --
I'm reading this to you to give you an opportunity to
disclaim any intention of what Parker thinks you might
be doing. He says:
"I think that Mr Roll may be trying to suggest that
Fujitsu were quite happy to assume that issues were the
responsibility of subpostmasters. That is not the case.
We investigated matters thoroughly and if we identified
an error in Horizon, we dealt with it appropriately.
Our investigative and analytical procedures have always
been thorough in my view and while I obviously cannot
say that in each and every case our diagnosis was
correct, I am confident that that was the case in the
overwhelming majority of cases."
Now, Mr Roll, a couple of questions, perhaps three
or four. Given the discussion we have just had, could
I invite you to indicate whether you are or are not
trying to suggest that Fujitsu were quite happy to
assume that issues were the responsibility of
subpostmasters?
A. I don't know what the management's position was on how
protective they were of their system, the directors
et cetera at that level. At our level certainly we
would -- I would certainly agree with what Mr Parker has
put in the second part there --
Q. What, you mean "we investigated matters" --
A. -- "in the overwhelming majority of cases".
MR JUSTICE FRASER: You said the second part, which part do
you mean?
A. Sorry --
MR DE GARR ROBINSON: Do you agree then that "We
investigated matters thoroughly and if we identified an
error in Horizon we dealt with it appropriately"?
A. Yes.
Q. You agree with that. Do you agree that:
"Our investigative and analytical procedures have
always been thorough in my view ..."
Do you agree with that? Is that your view too?
A. Generally speaking, yes.
Q. "... and while I obviously cannot say that in each and
every case our diagnosis was correct, I am confident
that that was the case in the overwhelming majority of
cases."
Is that your view?
A. In the majority of cases, yes.
Q. Thank you.
A. I wouldn't want to suggest that Fujitsu were happy to
assume.
Q. Very good. I'm very grateful for that, Mr Roll, and
that means I don't need to ask you any more questions.
Could we now move on to your second witness
statement please. I would like to ask you about
paragraph 9, it is {E1/10/3}. It is under the heading
"Transactional integrity", and here you are taking
Dr Worden to task about something he said in his expert
report and you say:
"At paragraph 156, Dr Worden describes zero sum
baskets, other branch actions being zero sum, and
transactional integrity. I agree that the system was
designed with these intentions in mind but there were
limitations and errors in the system. Data corruption
and glitches sometimes meant that transactions were not
zero sum. I recall on more than one occasion where
subpostmasters had problems with a deficit showing in
their accounts, and then as a result of working through
a process to try to resolve it, the deficit doubled."
Let's just break that down, if we can. You refer in
that paragraph to three concepts. Transaction baskets
and accounts. I think you will accept, won't you, that
when you are doing business at a counter, several
transactions can go into a basket, yes?
A. Yes.
Q. And then many baskets, once they are entered into the
accounts, make up the accounts, yes?
A. Yes.
Q. The zero sum point only relates to baskets, doesn't it?
A. I can't remember. I'm not sure.
Q. So I'm just trying to understand what you mean when you
say:
"Data corruption and glitches sometimes meant that
transactions were not zero sum."
A transaction is never zero sum, is it, it's the
basket that's zero sum having summed up all the
transactions that are in the basket?
A. I think you're correct there, yes.
Q. Then if I could ask you to go to what Dr Worden says
about transactional integrity. That's at {D3/1/39}.
Could I ask you to read -- it is quite long so I won't
read it out, you will be pleased to know. Could I ask
you to read paragraph 156.3. This is the paragraph that
you take issue with.
(Pause).
A. Okay, I have read that now, yes.
Q. Now, you say -- we have just read the relevant paragraph
from your witness statement. You said you agree that
the system was designed with these intentions in mind
but you say there were limitations and you go on to say
that data corruption and glitches sometimes meant the
transactions were not zero sum and we have discussed the
difficulty I have with your use of the phrase
"transactions".
You then go on to give an example. You say in
paragraph 9 of your witness statement {E1/10/3}:
"I recall on more than one occasion where
subpostmasters had problems with a deficit showing in
their accounts, and then as a result of working through
a process to try to resolve it, the deficit doubled.
Sometimes we found the source of the problem as a known
bug ... and we could resolve the problem, but we were
not always able to find or understand the cause."
Mr Roll, I'm slightly bemused by that because the
example you have just given there is not an example of
a limitation or error in transactional integrity, is it?
A. No, it's not, I ... I must have misunderstood or misread
what Dr Worden was saying in paragraph 156.3.
Q. Well, could I suggest to you, Mr Roll, that what
Dr Worden is saying in paragraph 156.3 is true and that
you don't have any contrary examples to offer to suggest
that it didn't always happen?
A. No, I misunderstood his -- what he put.
Q. Were you asked to -- did someone invite you to disagree
with this paragraph?
A. No.
Q. That's not what happened?
A. No.
Q. I see.
Then the example you give is discussed by Mr Parker
at paragraph 8 of his second witness statement, which is
{E2/12/4}. If I could ask you to read paragraphs 8 and
9, is that the example that you have in mind?
A. I can't remember exactly.
Q. Have you looked at the KEL that Mr Parker refers to in
paragraph 8?
A. No.
Q. So you haven't looked at any of the underlying
documents?
A. No.
Q. Or the PEAKs?
A. No.
Q. Mr Parker says at paragraph 10:
"I am not aware of any case in which baskets were
not zero sum (ie any case in which a non-zero sum basket
was accepted into Horizon), although given the lack of
detail in Mr Roll's statement on this point it is
difficult for me to state definitively that such an
issue never arose."
Would I be right in thinking that you can't think of
an example of that happening either?
A. Yes, I think I got my terminology wrong in the zero sum
basket.
Q. So would the answer to my question be right: you can't
think of an example of that happening --
A. No. You are right, yes.
MR JUSTICE FRASER: So what terminology should I read it as
saying?
A. I'm afraid I can't remember the full terminology that
I should be using for the Horizon system, my Lord.
MR JUSTICE FRASER: I'm not asking about that. Is there any
other word that I should change to reflect what your
evidence is on this, or not?
A. No, your Honour. I was trying to point out in this that
due to errors sometimes when a postmaster tried to
correct it actually doubled the error.
MR JUSTICE FRASER: All right.
Back to you, Mr De Garr Robinson.
MR DE GARR ROBINSON: Then if we could continue with
paragraph 10 of Mr Parker's statement, halfway down he
says:
"I would expect any such issue ..."
This is a true transaction integrity issue:
"I would expect any such issue to result in
a receipts and payments mismatch which would be (1)
picked up by Fujitsu's reconciliation reporting ..."
Stopping there, that's right, isn't it?
A. Yes.
Q. And secondly be:
"... visible to the branch when they balanced at the
end of the trading period."
That's true also, isn't it?
A. I don't know.
Q. Fair enough, Mr Roll. But you accept, do you, that when
you were there it would have been picked up in
reconciliation reporting?
A. I believe so, yes.
Q. And it would have resulted, as he says in the last
sentence, in investigation and resolution by the SSC?
A. We would investigate it, yes.
Q. I'm very grateful, thank you.
Then if we could go back to your second statement,
paragraph 10 {E1/10/3}. It's a very long paragraph and
I'm not going as quickly as I expected. If I could ask
you just to have a quick look at paragraph 10 so you can
remind yourself what you're talking about.
Have you --
A. Yes.
Q. Now, I would like to ask you, Mr Roll, how good is your
recollection of this particular instance?
A. It's a bit hazy but I can remember the sort of basics.
Q. And I'm interested in your suggestion that it was
"impossible to fix". Was it really impossible to fix?
A. From my understanding of the problem, yes. To fix the
software, to recode the amount of software that would
have needed to be recoded would have meant, from my
understanding, a basic rebuild, so it would have taken
too much effort.
Q. You refer to your understanding; was this a problem that
you yourself worked on?
A. I can't remember. It's certainly one I was aware of,
because we discussed it.
Q. So it might have been something that you picked up in
discussions with other people?
A. Yes.
Q. And you say you have a recollection of something you
can't actually remember -- it is not clear enough for
you to know whether you actually worked on it or not, it
might just be what other people told you, is that right?
A. It was a fairly common problem this.
Q. A fairly common problem?
A. From what I remember.
Q. So this is a problem that you suggest happened a lot of
times, did it?
A. Periodically. We were aware -- we kept an eye out for
it because we knew it would happen.
Q. And then you refer to a workaround. You say at the top
of page 4 {E1/10/4}:
"Eventually the problem would be escalated to SSC
and a workaround established."
Again, are you speaking from your experience, or are
you speaking from your recollection of what people may
have said when you were at work?
A. I can't remember if I worked on that or not. It was
something we all kept an eye out for.
Q. So it is something you kept an eye out for. Is it
something you ever actually saw in your own experience?
A. I think so but I can't be certain.
Q. Very good. And you say a workaround established. What
was the workaround?
A. You basically had -- the net result of this would be
that because the system wasn't able to differentiate
which organisation the money would go to, it could have
gone to the wrong one. So we could monitor the systems
processing this data, pick it up and then by examining
the actual reference data we could see which
organisation it should go to and then we could make sure
it went to the right one.
Q. So is that what happened, the SSC set up a system --
A. Yes.
Q. -- to monitor where these problems might be occurring?
A. Yes.
Q. And fix them when they did?
A. Yes.
Q. I'm grateful. And presumably you would go back and look
in the past to see if it happened in the past, to deal
with it in that situation as well?
A. Yes.
Q. But even before that had happened though, this wouldn't
have an effect on any branch accounts, would it? It
wouldn't affect the net position on any branch accounts?
A. No.
MR DE GARR ROBINSON: My Lord, I see the time.
MR JUSTICE FRASER: Do you want a break?
MR DE GARR ROBINSON: I'm not going as quickly as I expected
and I need to tighten up.
MR JUSTICE FRASER: Sure. So we will come back at 5 to.
Are you going to go into the afternoon with Mr Roll?
MR DE GARR ROBINSON: Most certainly.
MR JUSTICE FRASER: And then you have just got Mr Henderson.
MR DE GARR ROBINSON: Yes, and we are not allowed more than
an hour with him anyway.
MR JUSTICE FRASER: No, I rechecked my transcript of that.
I said that I was imposing that limit to make it clear
you didn't need to put everything to him but you could
have longer than that if you wanted.
MR DE GARR ROBINSON: I wish I hadn't said it, my Lord,
because you are quite right and I really ought to be
careful about my mouth.
MR JUSTICE FRASER: No -- I have just been asked for the
short break for the shorthand writers but we were
I think 30 seconds ahead of that.
Same form as yesterday: don't chat to anyone about
your evidence.
(11.46 am)
(Short Break)
(11.58 am)
MR DE GARR ROBINSON: Mr Roll, I'm going to try to deal with
some evidence that you give about the recovery process
as quickly as I can. If I could ask you to go to
paragraph 11 of your second statement {E1/10/4}. We are
in the same section of your witness statement that we
were in before, so this is all under the heading
"Transactional integrity" and you say:
"I do recall that problems sometimes arose after
subpostmasters used the recovery process and that this
was a not uncommon problem which affected even
experienced subpostmasters. This might suggest that
there was a problem with the recovery process itself, or
at least that it was not as straightforward as it should
have been."
"Might suggest": I don't mean to be discourteous,
Mr Roll, but that's a mealy-mouthed phrase. Are you
positively claiming that in your judgment there was
a problem with the recovery process?
A. No. There was a possibility but that's all. It's
a long time ago and I can't remember what the process
was now.
Q. So you are not suggesting there was a coding bug in the
software dealing with recovery --
A. No.
Q. -- which affected branch accounts, are you?
A. No.
Q. So would it be fair to say -- I use this term
advisedly -- that in that sentence what you are doing is
speculating as to the possibility of a problem, you're
not suggesting that there is likely to be one?
A. Yes.
Q. Are you suggesting that there were investigations that
should have been undertaken by the SSC that weren't
undertaken?
A. No, I'm not suggesting that.
Q. So why are you even mentioning it, Mr Roll? I'm
slightly puzzled.
A. It sticks in my memory that there were problems with the
recovery process that we got involved with that we had
to try and fix. At times there were the -- I suppose it
was either the number that came in or something that
stuck in my mind about this that made me feel there was
something that could have been not quite right with it.
Q. Are you suggesting -- let me take it in stages. First
of all, you are saying problems were reported to the SSC
by subpostmasters in relation to the recovery process,
is that right?
A. Yes.
Q. And you will accept, would you, that whenever those
problems came in they were investigated?
A. Yes.
Q. And you will accept, would you, that when they were
investigating they were investigated thoroughly?
A. Yes.
Q. And that thorough process, I think you have already
accepted very helpfully in a prior discussion with me
that generally speaking, when there is a thorough
investigation of that sort if there is a problem it's
likely to be identified?
A. Yes.
Q. And I infer that it is your evidence that all of those
investigations you are referring to were unable to find
any problem with Horizon itself, is that right?
A. I don't know if it was ever considered there was
a problem with Horizon itself.
Q. But, Mr Roll, let's just be clear. When an investigate
is carried out -- it's a bit like philosophers trying to
test a theory, you try and find something that disproves
the theory that you're trying to establish. In the same
way, your job at the SSC, when you get a problem in is
you are looking for something in Horizon that could have
caused it; that's where you are starting, is that right?
A. Yes.
Q. Thank you. And that process was followed whenever there
were these problems reported into the SSC about the
reconciliation process, yes?
A. Yes.
Q. And on each occasion when these investigations were done
the investigators were unable to find a problem with
Horizon that was responsible for it, yes?
A. Yes.
Q. So why do you now suggest that despite all of that,
there could have been a problem with the recovery
process in Horizon when you worked there?
A. I'm not sure what it is, but I was not happy with the
way that some of these were dealt with. But I can't --
I can't remember why, but I know that at the time there
was something that made me uneasy about it.
Q. So are you suggesting that on every occasion that
a problem came in, something was reported in in relation
to reconciliation, you were the one that investigated
them all?
A. Oh, no, I wasn't -- everybody -- it would have been
farmed out.
Q. So are you saying that you knew enough about everybody
else's investigations to be uncomfortable about the
investigations your colleagues were doing?
A. No.
Q. Right, so are you saying that you were uncomfortable
with the investigations that you did?
A. No.
Q. So what were you uncomfortable with?
A. Sometimes the pressure we were under, the timescales.
I think that's what it must have been. Again --
Q. So are you suggesting that there was a particular
timescale issue with respect to reconciliation processes
that had a particular application to reconciliation
problems that didn't apply to other problems that you
were investigating in Horizon?
A. All I can remember is that I felt uneasy about
something, about this process, but I can't tell you why,
so ...
Q. My attention has been drawn to the fact that on a number
of occasions I have talked about reconciliation when
I should have been talking about recovery, I do
apologise, but I think we have understood what I'm
talking about.
A. Yes.
Q. I apologise.
Well, let's just go quickly. In principle, when
a system goes down when a transaction is being done at
the counter, either because the system itself has gone
down or there is a power outage at the branch or
whatever the reason might be, there's always going to be
a possibility that some transactions being undertaken at
the counter may not have reached the Horizon accounts of
that branch when the system goes down, is that right?
A. Yes.
Q. Because, for example, there's an outage before the stack
has actually been settled by pressing the button that
enters the stack into the branch's accounts, yes?
A. Yes.
Q. And that's inevitable. You can't design a system which
doesn't have that problem, it's an inevitable part of
a system design where there's a possibility that crashes
may happen mid-transaction, yes?
A. Yes.
Q. So in that situation what do you do to build resilience
into the system? Could I suggest to you, Mr Roll, that
what you do is you build into the system a facility
which identifies the transactions that were mid-way but
that didn't actually reach the accounts, that have not
recovered, yes?
A. Yes.
Q. And that is the recovery process that we're discussing?
A. There is -- I seem to remember there being far more to
it than that, but ...
Q. If you want to elucidate then I don't want to stop you,
Mr Roll, but I really don't know what you mean.
A. I ... I would have included -- there was a lady giving
evidence yesterday about having to go and find --
a transaction hadn't gone through, it hadn't been
recovered. She was able to find the customer. I don't
remember the full story about it. But she went to the
bank and she found that -- she was able to find the
money or to find a paperwork trail to get the money put
back into her account. That's all part of the recovery
process for me, it's not just ... I'm not making myself
very clear, I'm sorry about this.
Q. Well, you are talking about Mrs Burke and in Mrs Burke's
case what happened, in short, was that the system went
down before she had entered the transaction into her
accounts, then when the system came back up again the
system identified the transactions in relation to which
there was a problem. Later on the system identified the
transactions that had gone through, so there was
a physical piece of paper identifying the transaction
that hadn't gone through and she was able to look at
that physical paper and look at her transaction log and
see that indeed it had not gone through.
Now, I would suggest -- I will be suggesting to the
judge in due course that that's an example of the
Horizon system doing what it is supposed to do, namely
to produce some evidence identifying the transaction
that hasn't actually reached the Horizon accounts.
Isn't that what the recovery process is designed to do?
A. That's I think what it is designed to do, but I think
what she was trying to point out was that the
paperwork -- some of the paperwork that she had wasn't
produced by the Horizon system and --
Q. Well, I'm not sure that this is very helpful.
MR JUSTICE FRASER: That's just what I was about to say
actually. Whatever the Mrs Burke situation was or
wasn't --
A. Sorry.
MR JUSTICE FRASER: -- I'm not sure you are necessarily
going to be able to help me with and I'm not sure,
Mr De Garr Robinson, that it's necessarily a correct
question for this witness, other than to say: when you
were asked about the recovery process and you said that
you thought there was more to it than that -- do you
remember that?
A. Yes, your Honour.
MR JUSTICE FRASER: And then there was a phrase I think
where you said "I would have included ..." and then it
appeared to me, if I may say so, that you then got
distracted talking about Mrs Burke.
So far as your recollection is when you worked for
Fujitsu, Mr De Garr Robinson is now going to suggest to
you I think again, or reput the question, about what the
recovery process involved and if you think there are
other steps or other examples of what the recovery
process either did or ought to have included then you
can tell me what they are.
A. Right.
MR JUSTICE FRASER: So, Mr De Garr Robinson, do you want to
do that.
MR DE GARR ROBINSON: I rather think you have actually asked
the question already --
MR JUSTICE FRASER: I would rather you put it, if that's all
right.
MR DE GARR ROBINSON: Mr Roll, as I have explained, the
recovery process is a form of resiliance designed into
the system to ensure that if a transaction doesn't reach
the system, which is always possible because of timing
issues in the nanoseconds before you press "enter" to
push the stack into your accounts and so on, the purpose
of the system is to ensure that the missing transaction,
the transaction that hasn't reached the branch accounts,
has been identified, both to the postmaster and indeed
to Fujitsu, because Fujitsu can see this material in
their own log.
Are you saying from your own experience that there
were any occasions where that did not happen?
A. I can't remember.
Q. Thank you.
Then going back to paragraph 11 of your witness
statement {E1/10/4}, this is a sentence we have already
been discussing the first part. You say:
"This might suggest that there was a problem with
the recovery process itself ..."
Then you say:
"... or at least that it was not as straightforward
as it should have been."
Let me repeat my question. Are you saying from your
own experience you can recall examples of where the
recovery process was not as straightforward as it should
have been?
A. No. My understanding of the recovery process is that it
should have been -- it should have been able to be dealt
with at first or second line and if we got involved then
there was a problem with it.
Q. So it's simply the fact that if a subpostmaster was
insisting there was a glitch or something and in
circumstances where the first and second line couldn't
categorically say that it wasn't the result of a glitch,
it would go to the SSC and you're saying the mere fact
that that would on occasion go to the SSC is a basis for
suggesting there's something wrong with the system, is
that right?
A. No. What I'm saying there is that some of them came
through to us and then my recollection is that the
majority of them we would have dealt with and we would
have found a problem, but that on some times we couldn't
find a problem and we couldn't identify where there had
been a problem.
Q. Well, could I suggest that another way of putting that
is that you looked at the symptoms that were complained
about and you checked -- there was a very thorough
investigation as to whether Horizon might be responsible
and as a result of that thorough investigation you
couldn't figure out a way in which Horizon could have
been responsible; would that be another way of putting
what you have just said?
A. Yes.
Q. Thank you. Then let's move on to paragraph 12 of your
statement {E1/10/4}. You refer to paragraph 167 of
Dr Worden's report {D3/1/43} where he deals with what he
calls TCs, that's transaction corrections, that "Post
Office would soon suspect a software error" and so on
and you then say:
"I do not recall Fujitsu carrying out any analysis
of transaction corrections to try to identify if there
may be an underlying software error."
Now, I only want to ask you a couple of questions
about this, Mr Roll, but why are you talking about
transaction corrections? When you worked at Fujitsu
there was no such thing as a transaction correction, was
there?
A. I don't know, wasn't there? I ...
Q. Do you honestly not remember?
(Pause).
A. No I don't. There were corrections made ... we made
corrections to transactions.
Q. "Transaction corrections" is a term which refers to
a message that's sent by Post Office to
a subpostmaster's branch suggesting that there ought to
be a change, a transaction entered into their branch to
change the accounts in some way, that the subpostmaster
then gets to accept or if he disputes it not to accept
into his branch accounts. It's an electronic message
that goes from Post Office to the branch and it is
generated usually as a result of quite sophisticated
reconciliation processes undertaken both by Post Office
and Fujitsu.
At the time that you worked for Fujitsu TCs didn't
exist. What they had instead were what were called
error notices and error notices would be sent from
Post Office to the branch but a similar practice was
followed. That's what Dr Worden is talking about.
A. Right.
Q. Were you not aware of that?
A. I wasn't aware that he was talking about those.
Q. So you thought he was talking about something different?
A. Something completely different.
Q. Did you not -- I don't wish to probe into privileged
matters, but was it not explained to you what he was --
perhaps I am probing into privileged matters.
MR JUSTICE FRASER: Well, you are if you put the question
that way.
MR DE GARR ROBINSON: Yes.
MR JUSTICE FRASER: You could say "Did you know 'transaction
corrections' was a specific term that had a specific
meaning in Horizon?"
A. I didn't know they had that specific term -- meaning.
MR DE GARR ROBINSON: Well, here Dr Worden is talking about
TCs. Was it not necessary for you to be told what TCs
were?
A. I misinterpreted the term "transaction corrections".
Q. TCs were actually identified, they were defined in
Dr Worden's report. Did you read the definition?
A. No.
Q. It does look as if you are making quite a convenient
claim on the basis of -- well, I don't understand the
basis upon which you are making it. What did you think
Dr Worden was talking about when he talked about TCs?
A. We corrected transactions -- it was part of our job, if
you like -- on the message stores at times.
Q. Oh, you are talking about transaction insertions that
were undertaken by -- that's what you thought --
A. That's what I --
Q. -- Dr Worden was talking about?
A. That's what I misinterpreted there, yes.
MR JUSTICE FRASER: I wonder if you could possibly finish
your sentences. Mr De Garr Robinson isn't interrupting
you but you will often start a sentence, stop it, and
then start another one. If you could just answer in
complete sentences it would help enormously.
Right, Mr De Garr Robinson.
MR DE GARR ROBINSON: I'm sorry, would your Lordship give me
a moment.
(Pause).
My Lord, I will move on. I don't think this is
going to be a productive line of cross-examination
bearing in mind I hadn't prepared for it in that way.
Let's stay with your second statement, Mr Roll, and
go to paragraph 19 {E1/10/6}. Perhaps I could ask you
to simply read the paragraph to save time.
(Pause).
A. Yes.
Q. You say at the end of the paragraph:
"... generally this was a developing area, so
generally if the SSC found something that should have
been picked up by the system we notified the developers
so they could fix the software, so it did incrementally
improve over time. However, sometimes the decision was
taken that the chances of the unexpected error happening
again were too remote to merit a development/fix. In
this case the developers would be instructed not to work
on a fix."
Were you involved in these cases? So do you have
personal experience of these cases?
A. I think I had experience in one or two where we found
a problem but it was deemed -- it was one that could be
easily monitored and checked out for by writing a small
bit of code and that was -- it was easier to do the
workaround than it was to do the software fix, so that's
what we did. There is a bit of a syntax error where it
should have read instead of "instructed not to" it would
be "not be instructed" to work on the fix. They
wouldn't be told not to do it.
Q. I see. First of all, you are not talking about
a decision not to do a software fix or a coding fix for
bugs causing an impact in branch accounts; we're not
talking about that kind of problem at all, are we?
A. It would be a ... no, it's not an error that the
postmaster would have been aware of. It wouldn't have
affected his accounts.
Q. So you are talking about problems that didn't affect
branch accounts. You have said one or two cases. Could
you describe either of them or both of them?
A. No, I couldn't, just the recollection --
Q. Could you give some indication of the nature of the
problem?
A. I can't even give you that, I'm afraid.
Q. Well, could you give some indication of the process that
was gone through to decide what the appropriate response
was, whether there should be a workaround or a fix?
A. Well, the -- we would find out what the problem was,
what the impact was, how easy it was to find the problem
and then that information would be passed on up the
management chain for them to decide whether it warranted
a software fix to be developed and released, or whether
it would be faster and as reliable to put a workaround
in place rather than a fix.
Q. And what's the nature of the workaround you're talking
about? You're talking about some facility built into
the system which would pick up when this thing
happened --
A. Yes.
Q. -- and made sure it was made good?
A. Yes, it could be corrected at -- when it was picked up
rather than writing software to make sure it didn't
happen in the first place.
Q. But you're talking about something within the system, so
the system would automatically monitor for these
occasions --
A. Yes.
Q. -- and make sure that they were fixed more or less
automatically, is that what you mean?
A. Yes.
Q. Thank you. So really what you're talking about is
a debate between how best to fix a problem, do you do it
by way of some kind of change of coding so that the
problem never arises, or do you do it by way of change
of coding to ensure that when the problem does arise it
is immediately fixed; would that be fair?
A. Yes.
Q. Thank you.
MR JUSTICE FRASER: And in either situation is the code
changed?
A. The underlying code -- in the first situation where you
directly change the code so that the problem doesn't
arise, that is when the code would be changed for -- on
the Horizon system, but in the second scenario then no,
the code for the Horizon system need not necessarily be
changed, but something running on one of the servers --
you could write a small batch programme that would be
supplementary to the code.
MR JUSTICE FRASER: All right.
Mr De Garr Robinson.
MR DE GARR ROBINSON: Thank you.
I would like to move on to paragraph 16 of your
statement {E1/10/5}. You say:
"In my first statement, I refer to the pressure that
the SSC team and Fujitsu were under generally due to an
awareness of the financial penalties imposed by the
service level agreements between Post Office and
Fujitsu ... I believe that although individual penalties
were quite modest, when applied across multiple
counters/post offices the cumulative figures involved
were very high, potentially amounting to tens of
millions or more. I disagree with Stephen Parker's
statement that these potential financial penalties were
not a factor for the SSC ... as we were aware of them
and often commented on them, eg 'That's saved Fujitsu
another 25 million'."
So I'm now going to ask you some questions about
this general issue. Could we first of all go to
Mr Parker's first witness statement, that's at
{E2/11/12}. He starts by saying in paragraph 43:
"Mr Roll refers to a 'perception … that the Service
Level Agreements between Post Office Ltd and Fujitsu
involved financial penalties payable by Fujitsu to Post
Office' (paragraph 12). I am aware that there were
Service Level Agreements for issues such as stuck
transactions (Fujitsu had 10 days to retrieve
transactions that had not replicated from a counter)."
Stopping there, Mr Roll, did you know that?
A. I couldn't remember the timescale for that. But I knew
there was a timescale to get them off and sent across.
Q. He then says:
"It is quite normal for contracts such as the one
between Fujitsu and Post Office relating to Horizon to
have such agreements."
A. Yes.
Q. Would you agree with that?
A. Yes.
Q. "The same level of diligence was (and is) applied to all
incidents, whether an SLA was relevant or not."
That's Mr Parker's evidence. Do you disagree with
it?
A. No.
Q. And then he says:
"The possibility of financial penalties was never
a factor for the SSC."
Would you accept that?
A. I don't see that as a yes or no answer I'm afraid.
There were SLAs for the harvesting of batch transactions
from the correspondence servers which I think it was
supposed to get from the correspondence server to the
bank within three days or something. Now, we were aware
that if the harvesters failed for a couple of nights in
a row then you would have a huge backlog of transactions
which you were then -- we were aware that Fujitsu was
facing or could potentially have faced penalties for not
getting those transactions through in time.
Q. Right.
A. So there was perhaps -- we were aware -- I wasn't
involved in the work of getting those transactions
through, that was not my area of technical ability, or
whatever. So -- but there was the awareness that
certainly if we managed to get them through in time then
we would save Fujitsu a lot of money.
Q. So that's the £25 million reference --
A. That was an example, yes.
Q. -- that you give.
So let me get this straight, because there's
a danger of a false impression being given by your
evidence, both in paragraph 12 of your first statement
{E1/7/2} and indeed in the paragraph of your second
statement we have just read out. You are not talking,
are you, about pressures on the process by which
problems being reported in to the third line of support
would be investigated, that could affect branch
accounts; you're not talking about those things at all?
A. They -- they were also -- we were aware of the penalties
for those but not to -- the pressure wasn't as great for
those.
Q. What penalties were you aware of in relation to problems
coming into the SSC?
A. The problems regarding the counters coming into the SSC
you're thinking of now, or ...? Because these other
problems for the servers, the harvesters, they would
come into the SSC as well.
Q. But those problems won't have any impact -- I'm sorry,
I'm being slightly unfair to you, Mr Roll. This entire
extraordinary trial process that we're engaging in --
A. Sorry, yes.
Q. -- is about whether branch accounts generated by Horizon
were accurate or not, or reliable or not.
MR JUSTICE FRASER: Why is it an extraordinary trial
process?
MR DE GARR ROBINSON: Because it's so large and I don't mean
that in any critical way. I probably shouldn't have
used that word.
MR JUSTICE FRASER: The group litigation.
MR DE GARR ROBINSON: Yes. In my experience it is unusual.
This is my first GLO, your Lordship may have noticed.
So my concern is the process by which the work that
was done in the SSC to investigate problems with Horizon
that might have had an impact on branch accounts.
A. Mm-hm.
Q. And it's fair to say that's the concern of most of the
people sitting in this court today. And so when one
reads your witness statement, one's natural reaction --
and I don't mean this as a criticism, but one's natural
reaction is to think that that's what you are talking
about. The impression that I'm getting from what you
are saying now though is that you are not saying that
the service level agreements, which may have had targets
for harvesting data for banks and so on and so forth,
you're not saying that those service level agreements
created a perception within the SSC which caused people
in the SSC to think that when they were investigating
problems that might have an impact on branch accounts,
they would have to do a quick job and not do a proper
job?
That's an extraordinarily long question and if you
would like me to make it shorter I'm happy to do so but
if you've got my point then I would invite you to answer
it.
A. From my recollection there was pressure if you
weren't -- if you couldn't pinpoint the fault in the
counter, the problem with the data, whatever, then there
was -- you know, there was the -- there was pressure put
on you, you were asked "How was it going? We need
an answer", which was a degree of pressure.
Q. Well, you use the phrase "there was a perception", you
use the impersonal. One often sees that phrase used.
Are you saying that you, Mr Roll, physically were aware
that there was an SLA that had the effect that the SSC
couldn't or shouldn't properly investigate any bugs that
might affect branch accounts?
A. We were aware that there was an SLA and that we had to
investigate within the timescale.
Q. And was there a perception -- because I'm going to
suggest to you that there wasn't, Mr Roll -- was there
a perception that this SLA of which you were aware meant
that you couldn't do your job properly?
A. I felt that that might be the case in some areas.
Q. You felt that it might -- this is -- how strong and
accurate is your recollection of all of this?
A. Vague.
Q. I see. Well, let's --
A. And this is another -- sorry.
Q. No, I think it was me talking over you, Mr Roll.
A. This is another one of those things where I had
a feeling that things weren't right, but --
Q. But it's difficult at this remove in time to put your
finger on it?
A. Yes.
Q. Well, let me continue with paragraph 44 of Mr Parker's
statement {E2/11/12}:
"I do not understand what Mr Roll means when he says
that 'any discrepancy in the Post Office accounts had to
be resolved speedily' ... there was (and is) a process
run by the management support unit ..."
Do you remember the MSU?
A. Now you mention the term, I do remember the term.
Q. But nothing else?
A. No.
Q. "... which involves examination of various system
reporting and may result in business incident management
service ... entries going to Post Office."
Was that true? Is that in your recollection?
A. I don't remember.
Q. "An incident may also be raised by MSU with the SSC to
provide support to the MSU in resolution of the BIMS."
But you probably can't comment on that either.
What he is talking about here is various systems
reporting. It may be consistent with what you were
talking about before about harvesting. He is not
talking though about the identification and fixing of
coding issues in Horizon that might impact on branch
accounts.
A. Mm-hm.
Q. Are you aware of any case where there was a contractual
pressure on Fujitsu to speed up that process or to deal
with that process in a given space of time?
A. I don't remember any specific details, no. I don't, no.
Q. Then he says:
"These are subject to service level agreements and
Mr Roll may be referring to this process. However, if
Mr Roll is suggesting that Fujitsu routinely rushed out
fixes or work-arounds due to SLA time pressure, that is
not the case."
Mr Roll, I would like to give you an opportunity to
say that you are not suggesting that.
A. Which paragraph are we looking at now?
Q. Paragraph 44, last three sentences. It's the sentence
beginning:
"However, if Mr Roll is suggesting that Fujitsu
routinely rushed out fixes or work-arounds due to SLA
time pressure, that is not the case."
I'm inviting to you say that you are not suggesting
that this is the case.
A. I would agree with what Mr Parker has put here, yes, and
it is wrong to suggest that they were not done properly
because of SLAs.
Q. Thank you.
Then would you also agree with what he says in the
next sentence, "fixes would be expedited based on
service impact"?
A. Yes.
Q. And would you agree that "it would be quite wrong to
suggest that they were not done properly because of any
SLAs"?
A. No, the fixes would be done properly.
Q. Thank you.
Then if we could go back to your second statement,
paragraph 15, it's {E1/10/5}. To save time could I ask
you simply to read paragraph 15 please.
(Pause).
A. Yes.
Q. First of all, you say:
"The test team felt they were under enormous
pressure to complete the testing within certain
timescales which negatively affected the test regime."
That's quite a bold claim. The testing wasn't your
team, was it?
A. No, they were on the same floor as us, some of them.
Q. So you're talking about your recollection of -- would it
be fair to say office gossip?
A. Yes.
Q. From 15 or 19 years ago?
A. Yes.
Q. How many conversations of this sort did you have during
your time at Fujitsu?
A. I don't recall.
Q. Was it a view that was expressed by the entire test team
on a regular basis, or was it something that was said to
you by one or two people a couple of times?
A. My recollection is that the majority of the team felt
pressured.
Q. The majority of the team felt pressure. What did they
say about this pressure? What did it make them do?
A. I can't remember.
Q. Budget restrictions, you refer to them in paragraph 15.
What did you know about Fujitsu's budgets, Mr Roll?
A. ICL were bought out or taken over by Fujitsu and at the
same time an American company was taken over as well.
ICL were not, from my recollection, were not very
profitable at the time and nor were the American
company, so shortly afterwards when Fujitsu couldn't
turn them around they were merged into Fujitsu. There
were lots of redundancies. My recollection is that the
Horizon project, which I seem to remember had originally
been a joint DSS project but they had backed out, the
Post Office went with it on their own, my recollection
is that Horizon was the only profitable part of Fujitsu
at the time.
Q. And consistently with Horizon being profitable, there
were no redundancies in the SSC when the takeover
happened, were there?
A. No. I think one or two people were a bit worried there
might have been, but there weren't. There were
redundancies in the test team from what I remember.
Q. There were redundancies in the test team? I'm not in
a position to deal with that point now.
MR JUSTICE FRASER: What year are we talking?
A. 2002 maybe.
MR DE GARR ROBINSON: Could I just advance some general
propositions and see if you will agree with me.
Isn't it the case that Fujitsu had every incentive
to make the support operation work, to minimise the
problems requiring changes and to minimise the problems
requiring fixes down the line; wouldn't that be right?
A. Yes.
Q. It would be more expensive in the long-run for a company
such as Fujitsu to do the support work badly than it
would be to do it properly, wouldn't it?
A. Yes.
Q. That's a statement of the obvious.
And the £25 million that you referred to, that
was -- bearing in mind the focus that this trial has,
that has no bearing on the kind of transactions that
we're talking about, does it?
A. No, that was the servers and the batch transactions.
Q. Okay. If we could just move on to Mr Parker's second
witness statement at paragraph 24 at page 7 {E2/12/7}.
I would like to suggest to you -- I'm going to read out
passages and invite you to agree or disagree, Mr Roll.
At paragraph 25 {E2/12/8} he refers to paragraph 16
{E1/10/5} which we have been looking at from your
statement:
"At paragraph 43 of my first witness statement
I explained that the possibility of financial penalties
or service level agreement breach was never a factor
which affected the diligence with which SSC would
investigate an issue."
I have already put that to you:
"By way of further explanation ..."
Then he talks about schedule 15 to the service level
targets for Horizon services and perhaps I could invite
you to read paragraph 25.1 to yourself.
(Pause).
A. Yes.
Q. At the time had you ever seen this document?
A. No.
Q. Were you aware of what was in it?
A. Not directly, no.
Q. Then he says:
"There were no specific financial penalties relating
to the SSC processing of incidents."
And then he quotes some text from the service
description.
Did you know that at the time?
A. No. This is the 2005 version, is it, 30 November 2005.
Is this -- was this -- is this the same as when I was
there in 2004?
Q. I believe so, yes. Mr Parker is nodding at me.
A. Right. My recollection is that incident processing,
some incidents weren't subject to SLAs but the ones
I have already mentioned, the harvesters, were, and that
some of the financial data from the counters --
Q. But not incidents of the sort that this trial is
concerned with, perhaps I could ask you that. You
weren't aware that there were any --
A. No.
Q. -- SLA targets which related to the incidents with which
we are concerned in this trial?
A. No.
Q. Thank you. Then I can skip over paragraph 25. Let me
finish with 25.4 {E2/12/9}:
"The SSC had operational targets to turn incidents
around based on an order of priority. As explained in
paragraph 22 above, if an issue was causing a financial
impact in a branch's accounts, it would be treated as
high priority ..."
Stopping there, Mr Roll, would you agree with that?
A. Yes.
Q. "... and high impact by SSC."
Would you agree with that, it would be treated as
high impact?
A. Yes.
Q. "However, any increase in priority would not adversely
impact the diligence with which work was done."
Do you agree with that?
A. I still feel that some work was rushed. I can't tell
you why, but I feel that.
Q. Very good and I won't -- I don't wish to discuss your
feelings on the point any more than we have already.
Let's just talk briefly about getting fixes out.
If I could go to paragraph 13 of your first statement
please {E1/7/2} and again to save time let me just ask
you to read that paragraph.
A. Sorry, which paragraph is that?
Q. Paragraph 13 at the bottom of the page.
A. 13, thank you very much.
(Pause).
Yes.
Q. First of all, the need for multiple upgrades, that's
normal in any IT infrastructure of this sort, isn't it?
A. Yes.
Q. The fact that there were a limited number of time
windows, that's also normal for any large IT
infrastructure of this sort?
A. Yes.
Q. These things are unavoidable given the scale of the
Horizon system, aren't they?
A. Yes.
Q. Then you say:
"... there could be six weeks delay before a fix
could go out, and during that period Post Office
branches could continue to be affected by the coding
issue."
But you would accept, wouldn't you, that if there
was an urgent fix dealing with a high priority, high
impact problem, that would generally be treated as an
urgent matter requiring a hot fix; would you agree with
that?
A. Yes.
Q. Urgent fixes were expedited, weren't they?
A. Probably within two or three days from what I remember.
Q. And that's just normal -- what you are describing
here -- the impression might not be coming through from
paragraph 13, but actually what you are describing is
the normal operation of proper risk management process
in a commercial business, isn't it?
A. Yes.
Q. Thank you. And then you say:
"... there could be six weeks delay before a fix
could go out, and during that period Post Office
branches could continue to be affected by the coding
issue."
Let me just make it clear, Mr Roll, if you had
identified a coding issue that was affecting branches
and if there was a period of time between identifying
the problem and getting it fixed, however long that time
was, Fujitsu had in place a mechanism by which all the
branches that would pop up being affected by that
problem would be identified; that's right, isn't it?
A. Over time, yes.
Q. So the fact that there was a gulf in time, however big
or small the gulf might be, between spotting the problem
and getting a fix released onto the entire network,
regardless of how long that period of time was, the
postmasters that would be affected by the problem in the
meantime would be identified so that they could be
sorted out; would you agree with that?
A. Yes.
Q. Thank you. Then you say:
"I also recall situations where software developers
worked on a coding fix which was then sent out, however
the bug reappeared several weeks later because, it
seemed, the IT team responsible for developing upgrades
had been working on an older version of the
software ..."
Mr Roll, I don't know what you are referring to.
Are you seriously suggesting that there were times when
the development team would actually be looking at
a historical version of the Horizon software?
A. Yes.
Q. Really?
A. Yes.
Q. How is it that happened, can you explain?
A. My understanding of this was that the development team
had the current version of software and they were
working on that, a bug -- a coding bug was then
identified, a hot fix was written and sent out, but it
wasn't implemented onto the code that the developers
were using, so six months later when this new batch of
code went out it overwrote the hot fix that had been
sent out, so then the hot fix had to be re-applied.
Q. Oh, I see, so you are not suggesting that the team would
be working on an already historical version of Horizon,
what you're talking about is regression, you're talking
about a later update undoing the good things that was
done by an earlier update?
A. Yes.
Q. I see, thank you. That did happen but it was very rare,
wasn't it?
A. It was rare but it did happen.
Q. Very good.
I would like to ask you now about hardware failures.
Could we go back to your first witness statement please,
paragraph 14 {E1/7/3}. I'm sorry, you haven't got there
yet.
A. Paragraph?
Q. Paragraph 14, page 3. It is only a sentence:
"As well as software issues, I can also recall that
there were regular IT hardware issues at branch level."
What kind of issues are we talking about, Mr Roll?
A. I'm sorry, I still haven't found the page.
Paragraph 14?
Q. Paragraph 14.
MR JUSTICE FRASER: You are in the wrong statement. We're
in your first statement.
MR DE GARR ROBINSON: It is your first witness statement,
Mr Roll.
MR JUSTICE FRASER: It doesn't have any red on it.
A. I'm sorry.
(Pause).
Yes.
MR DE GARR ROBINSON: What kind of issues are you talking
about?
A. Hardware issues could have been keyboard failure, or
a hard drive failure. "Software" here I mean --
Q. I don't need to ask you about that otherwise we will be
here forever and it is not your fault, I just ...
So you're talking about those kind of issues and you
say "regular". Later on in your second statement you
say that you personally received one of these about once
a month, yes?
A. That's what I was thinking, yes, when I ...
Q. And would that be reflective of what other people at
your level of seniority in the SSC team were also
receiving?
A. I don't know.
Q. You don't know. I was going to take you to numbers, but
I won't. Let me move on instead to your second witness
statement, the one with red in it. It is E1, tab 10 and
I would like to ask you a couple of questions about
paragraph 6 {E1/10/2}. This is all under the heading
"Hardware failure". It is on page 7.
You talk about hardware failures in paragraph 5 and
you say:
"I would estimate that I was involved with
a hardware failure on average at least once a month.
These problems could and did affect branch accounts."
How would they affect branch accounts?
A. I can't remember.
Q. Then you give an example:
"The most extreme case that I can recall was
a complete failure of a counter to communicate with the
server, which required the server to be removed to the
SSC so that the data could be recovered, and
a replacement counter installed in the sub-post office.
Prior to the problem being identified, data could be
accumulating on the counter without it being replicated
to other counters or the correspondence server."
This is something you experienced personally, is it?
A. Yes.
Q. And do I infer from your use of language that this
happened to you once?
A. I remember one specific instance fairly clearly when it
happened.
Q. Do you remember any other instances? Can you say for
sure that there were any other instances?
A. No.
Q. So it may well be that this happened only once in your
four years at the SSC, is that right?
A. For me, yes.
Q. You are talking about stuck transactions, aren't you,
what we saw on a PEAK yesterday, marooned transactions,
yes?
A. In this instance because the counter couldn't
communicate at all, well, yes, they were marooned
transactions. It was just very difficult to get them
off.
Q. And the way to get them out was to move the machine from
the branch to the SSC so that it could be downloaded, is
that right?
A. Very briefly, yes.
Q. You say -- it is a phrase in paragraph 6 I would just
like to ask about. You say:
"Prior to the problem being identified, data could
be accumulating ..."
Why do you say could be rather than was? Was it not
clear whether that was happening or not?
A. Sometimes you may not have been aware -- if the counter
hadn't been switched on for a while then data might not
be actually accumulating, there might not be any stuck
transactions on it.
Q. When there is a stuck transaction on a machine, that is
something that's going to get identified as night
follows day, isn't it, and spotted?
A. Eventually, yes.
Q. It's not something that's going to be missed and just
allowed to lie there? Fujitsu itself --
A. It would be spotted.
Q. Fujitsu itself would spot that this was happening?
A. Eventually, yes.
Q. From its own monitoring, yes?
A. Yes.
Q. So that's one example of a hardware failure that could
affect branch accounts because a transaction is stuck on
a machine and isn't getting through to the system and
the truth of the matter is that was in an extreme case
that was very rare, yes?
A. Yes.
Q. And when it did happen it would be spotted and it would
be fixed in the way that you described, yes?
A. Yes.
Q. Then in paragraph 7 you say:
"I recall there were also PIN pad problems which
caused issues in branches, and problems with other
peripheral devices such as keyboards which only occurred
intermittently, although I cannot recall the specific
detail of these now."
Can I just get this out of the way quickly now.
PIN pad problems, those are not problems which could
affect branch accounts, are they?
A. I don't recall what the problems were with them or how
they affected the system.
Q. And problems with other peripheral devices such as
keyboards, they wouldn't affect the branch accounts,
would they?
A. Probably not, no.
Q. And then you come to paragraph 8 which I think is the
example that you tried to give earlier when we were
discussing -- and let's see if we can finish this off
before lunchtime. Could I ask you to read paragraph 8
please, Mr Roll.
(Pause).
A. Yes.
Q. So you are describing there a problem that was
spotted -- it's the kind of problem that's always
ultimately going to be spotted, isn't it?
A. This particular problem, no, it -- I don't think any of
the other counters that were affected had the problem,
because most postmasters don't bother turning the screen
off, to save the screen, it's ... so ...
Q. So you're saying it's very rare?
A. It's very rare that it would have been spotted.
Q. And it's to do with a mobile post office which makes it
even rarer --
A. Yes.
Q. -- because they are a tiny proportion of the branch
network, yes?
A. Yes.
Q. So we're talking about a tiny, tiny incidence, a tiny
problem, but my question wasn't about how frequent it
was, my question was it's a problem when it does arise
that's always going to be spotted?
A. I don't know if it would always be spotted. If it
was -- caused a problem at one point then it might be
that it would be 24 hours before the system fixed
itself, in which case it might not actually --
Q. I see. So if the problem caused a persistent failure to
replicate, that is a problem that --
A. Yes.
Q. -- was always going to be spotted?
A. Yes.
Q. So when you say it wouldn't necessarily be spotted,
that's because the system itself might deal with it
appropriately?
A. Yes.
Q. But if it didn't, it was always going to be spotted?
A. Yes.
Q. Very good. And in this particular case the problem was
spotted and the data was replicated, yes?
A. Yes.
Q. And again, that would always be the position,
wouldn't it: once the problem is spotted this is very
easy to deal with?
A. In this case, yes.
Q. Well, in all cases of this sort, yes?
A. Yes.
Q. Thank you.
Then Mr Parker deals with that in paragraph 7 of his
second statement, that's {E2/12/3}. Could I ask you to
read paragraph 7 to yourself. It is quite long.
(Pause).
A. Yes.
Q. Have you read that paragraph before?
A. Yes.
Q. And have you looked at the PEAKs that Mr Parker refers
to?
A. Yes.
Q. And are those the PEAKs that actually describe the case
that you are talking about?
A. Yes.
Q. Very good. The well, let's have a quick look at those
PEAKs. The first one is at {F/197}. So this is
PC0100174. It happened on 4 March 2014 and the summary
says "Kit rebooting itself for no apparent ..."
And I think it must mean "reason". And you will see
from the bottom of the first large paragraph:
"Information: contacted SSC and spoke to
Richard Roll."
So you are the contact man for this and later on
down the page, three boxes up from the bottom,
1 March 2014 at 16.56 and 40 seconds, Barbara Longley
assigns this to you.
If we go over the page {F/197/2} there's
a description of the problem. Perhaps we can pick it up
at 5 March at 10.50, about nearly halfway down the page:
"Evidence (from event logs) shows that the power is
being switched off every morning shortly (ie 5 or 6
minutes) before the [postmaster] logs on."
So that was the problem?
A. Yes.
Q. Then if we go three boxes down, 5 March at 12.09, this
is you:
"After carrying out tests on our rigs ..."
Stopping there, what rigs are you talking about?
A. I think we had three mobile test rigs in the -- on our
floor.
Q. So you are not testing the postmaster's equipment, you
are testing your own equipment, the sample equipment?
A. Yes, this was in Scotland I think.
Q. So very properly you go and look at the rigs and you
test them, and you say:
"I have been able to duplicate the problem here on
one of our rigs."
So did you say there were three --
A. I tested all three and it only happened on one.
Q. "It seems that the screen power button is incorrectly
connected to the motherboard, operating the power switch
turns off power to the entire unit, not just the screen.
We have now identified two instances of this, one in
live. This is a hardware build quality issue."
So you clearly flag this as a hardware issue.
A. Yes.
Q. And then in the next box it says:
"Responded to call type L as category 70 - Avoidance
Action Supplied."
What did that mean?
A. I don't know.
Q. Then you say a little further down:
"Defect cause updated to 42:Gen - Outside Pathway
Control."
A. I don't know.
Q. Doesn't it mean that it's a hardware issue that's the
responsibility of another --
A. Probably, yes.
Q. -- institution that deals with hardware?
A. Probably, yes.
Q. If we could then move on there's a second associated
PEAK, Mr Roll, that's at {F/201/1} --
MR JUSTICE FRASER: Is this just a two-page document, this
one?
MR DE GARR ROBINSON: It is four pages. The last one was
a two-page document, my Lord, yes.
MR JUSTICE FRASER: The last one was.
MR DE GARR ROBINSON: I'm so sorry, I didn't understand your
question.
Right, this is PC0100899. This one is dated
21 March. The summary refers to the branch and it is
the same -- you can take it from me, it's the same
branch number, FAD number.
The first big box, about four lines down,
17 March 2004, so that's 12 days after you had spotted
the problem on one of your three test rigs:
"SSC request base unit is removed and sent to
Bracknell for investigation."
So you asked for the postmaster's mobile laptop to
be physically removed and brought to you?
A. Yes.
Q. Then if we move down to the next box, 18 March, 15.55,
about four lines down:
"Recommend: base unit (node 1) to be swapped for
investigation purposes."
What did that mean?
A. Bring it back to Bracknell so we could look at it.
Q. Very good. And about halfway down that same box, if you
could look at the screen, it says "Recommend" and in
capitals:
"PLEASE SWAP MOBILE UNIT AND RETURN TO SANDIE
BOTHICK FOR PROGRESSION TO SSC."
Who was Sandie Bothick?
A. I can't remember.
Q. Then over the page {F/201/2}, on the first big box it
says, you can take it from me, that the engineer has
arrived at the site and the unit will not arrive in
Bracknell until later in the week. Towards the bottom
of the page, page 2, 18 March 16.04 Barbara Longley
assigned it to you.
Then on page 3 {F/201/3}, 24 March at 2.15 and
25 seconds it is recorded that you record that the base
unit is received, do you see that? It is the
penultimate box, Mr Roll?
A. Yes.
Q. And then I would like to then go to the last box on that
page:
"Tests carried out on screen power switch - working
correctly, no further action required."
So does that -- I mean the impression I get from
reading this is that although you had found this problem
on a test rig, in fact it wasn't a problem that was
affecting the laptop that was used in the
subpostmaster's branch. Would that be right or wrong?
A. No, it was affecting it. You didn't necessarily put
these in, enter the data as it happened, if you like.
So the base unit would have arrived, I worked on it and
then I went and -- so I changed the switchover so it
worked properly and then we put it back into stock and
then I filled the data in on that.
Q. I see. So we have a batch of faulty laptops and then if
we go back to paragraph 8 of your witness statement, at
the bottom of page 7 that's E1, tab 10, page 7, you say:
"When I raised this with my manager, Mik Peach, he
initially told me not to do anything until he had spoken
to someone about this."
Who would he have spoken to about it?
A. I don't know.
Q. It would have been the people who were responsible for
hardware issues, wouldn't it?
A. Probably.
Q. So you raised the problem with him and he said "Hang on,
I will just speak to the responsible people", would that
be a fair way of describing what you are saying?
A. Yes.
Q. And then you say:
"Mick did subsequently talk to the hardware team.
They were responsible for ensuring that ..."
A. I'm certain it was them that he spoke to.
Q. And then you say:
"At which point I found out that this was a known
problem."
Is that what Mr Peach told you?
A. At some point I found out that there were several units
out there that had been changed. I'm not sure if it was
Mik Peach that told me or if somebody else told me from
the hardware team, I can't remember.
Q. Well, it is quite important, bearing in mind the
impression given at the end of this witness statement.
Can you really not remember whether Mr Peach was aware
of this?
A. Mr Peach was aware of it at some point, that he knew.
Q. And would it be fair to infer that he probably knew
because he had spoken -- if this is true he would have
spoken to the hardware team about it?
A. Yes.
Q. And then you say:
"No one outside the team responsible for building
the laptops had been informed of this, which meant that
I had spent several days investigating the problem."
Is this why you remember, because you were cross?
A. Yes.
Q. "Whereas the subpostmistress in this case was provided
with a replacement laptop, knowledge of this problem was
kept within the departments concerned and the batch of
faulty laptops was not recalled."
Are you saying that there was prior knowledge in the
hardware team of the problem and the hardware team had
not recalled the faulty laptops?
A. Yes.
Q. Is that what you are saying? And what was your source
of knowledge for that?
A. I was told there were several laptops that had the
problem on them that had actually gone out into live --
into the estate.
Q. How did the hardware team know that the laptops had
problems with them given that they had already been
distributed out? You're not suggesting that the
hardware team identified a problem with a laptop and
then sent it out to branches, are you?
A. No, I think what happened is that they suddenly realised
they made a mistake at some point but by that time
several had already gone out, so then they were able to
fix the ones they had ...
Q. And you're saying they didn't recall the others. And do
you know how many we're talking about?
A. No.
Q. Could it be two, could it be one?
A. It could have been two, it could have been half a dozen.
Q. So that's the period leading up to the point when the
SSC gets involved and you write two PEAKs saying "There
is faulty hardware here". Are you in a position to
say -- or are you claiming that once Mr Peach had spoken
to the hardware team, that remained the position, that
the hardware team continued to not recall these units?
A. I don't know what happened after that.
Q. Isn't it fairly obvious that once someone quite senior
like Mr Peach from the SSC had spoken to the hardware
team, the people involved would very quickly have
thought "Good gracious me, I had better recall these
outstanding laptops"; would that not be a fair inference
as to what happened?
A. My inference from this was that it was kept in-house and
as a favour and that: okay, we know it happened, it's
not going to happen again, it was very limited impact,
it's having probably no impact on the estate, so it's
not worth recalling the laptops.
Q. You say "inference" and that's a fair word to use
because it's a word I think I put to you, but you are
not saying, are you, that you were told by anyone that
after Mr Peach had told the hardware team of the problem
that was being encountered, you're not saying that you
know that the hardware team continued to sit on their
hands and not call the laptops back?
A. Something at the time made me certain that was what was
going on.
Q. Something at the time made you certain?
A. Yes. I don't know why I've got that certainty in my
mind, but -- and then I was told to put minimal details
on that last -- the last PINICL.
MR DE GARR ROBINSON: My Lord, two more minutes and then we
break, would your Lordship give me some indulgence?
MR JUSTICE FRASER: I will on this occasion give you the two
minutes.
MR DE GARR ROBINSON: I'm grateful.
This looks as if it might be quite a serious
allegation. It is one you have just made by this
amendment that I received at 10.30 yesterday morning.
A. Yes.
Q. You say:
"I was told by Mik Peach not to include any details
of this when I closed the PINICL."
Which is the predecessor of PEAKs. That's
an extraordinary -- are you suggesting, Mr Roll, that
the manager of the SSC -- which that's a senior
position, isn't it?
A. Yes.
Q. It's a senior management position?
A. Yes.
Q. That he took the view that the hardware team having done
this thing that was bad, having allowed bad laptops to
remain in circulation, he also took the view that the
hardware team should be protected from any criticism and
they should be allowed to continue the process under
which those laptops remained in circulation?
A. I've got no idea what view he took, but I was asked --
or told rather not to put -- not to include too much
detail in that PINICL.
Q. Why? Did he tell you why?
A. I can't remember.
Q. What conceivable motive would someone like Mr Peach have
to affect the record in this extraordinary way?
A. The only motive I can think is that if he was friends --
close friends with another manager on the same level and
that manager had covered up something in his department
then Mik Peach out of friendship and as a favour might
have decided that it wasn't worth -- having passed the
information on to his manager -- the other manager, it
was then his responsibility what to do with it. I got
the impression nothing was going to be done with it
because of what I was told, but I might be wrong.
Q. Well, Mr Roll, I had thought that when I asked you
questions about this you would rather retreat from the
allegation that Mr Peach -- who obviously isn't here to
defend himself -- did this thing. Are you saying that
it is within your knowledge that Mr Peach was a friend
of the person who was in charge of the hardware team?
A. No.
Q. So that's speculation?
A. That's speculation.
MR JUSTICE FRASER: But to be fair to the witness,
Mr De Garr Robinson, you did put the question what
conceivable motive might Mr Peach have, which is in any
case inviting speculation I think.
MR DE GARR ROBINSON: That's true.
But that's all you have, you have no basis for --
A. No.
Q. No other basis for thinking that Mr Peach would --
A. No.
Q. The extraordinary thing about this, Mr Roll, is you
accept, don't you -- and these are my last questions --
you accept, don't you, that it is not in anyone's
interests, it's not in the SSC's interests for these
faulty laptops to remain in circulation; you accept
that, don't you?
A. The only people who would have an interest in this would
be the person who might be sacked for trying to cover it
up in the first place.
Q. So it is not in the interests of the SSC team that they
remain in circulation?
A. No.
Q. It's not in the interests of Fujitsu that they remain in
circulation?
A. No.
Q. You say it could be in the interests of the person who
was responsible for not having pulled them back, but if
the machines remain out there in circulation, that just
increases the likelihood of that person ending up being
sacked, doesn't it? Isn't it in that person's interests
to get these damn machines back as quickly as he or she
can?
A. Yes, then that would -- yes, it would be.
Q. But you do maintain, do you, that you think that person,
whoever it was, didn't do that?
A. That was the impression I got at the time, yes.
Q. The impression from whom?
A. I can't remember, but that is how I -- that is what
I think happened. You might be right though, you could
be right there that -- I was I suppose basing my
presumption, which is what it was basically, on the
thought that to have to recall the laptops would expose
the person to, you know, "Why were you recalling them?",
but as you have just pointed out it would probably have
been better to recall them and then not have to worry
about them sitting out there and potentially causing
a problem later.
MR JUSTICE FRASER: Right. If you are going to pursue this
any further you can do it at 2.15. We really have to
try and finish at 1 for the shorthand writers, really.
It's not for any personal convenience.
Right, we are going to come back at quarter past 2.
You are still in the witness box. You mustn't talk to
anyone about your evidence. And I will see everyone at
2.15.
(1.15 pm)
(The luncheon adjournment)
(2.15 pm)
MR DE GARR ROBINSON: My Lord, good afternoon.
MR JUSTICE FRASER: We have to stop at 4.30.
MR DE GARR ROBINSON: I'm conscious of the need to speed.
I'm going to move on to remote access now, Mr Roll.
Could I ask you to go to paragraph 15 of your first
statement which is at {E1/7/3}. You said:
"During the course of resolving software issues ..."
And I asked about software issues. You said:
"... we would frequently access a Post Office
counter IT system remotely. An example of a relatively
common problem that arose was when a binary bit would
'flip' thus a '1' became a '0'."
I want to ask you what you are talking about when
you describe that phenomenon and I want to ask you
whether you are talking about what Mr Parker talks about
in paragraph 55 of his witness statement, so could we go
to bundle E2 behind divider 11 please. It is at page 15
{E2/11/15} and perhaps I could ask you to read
paragraph 55 through and stop at the end of 55.4.
(Pause).
A. I have read that page.
Q. Very good. When you are describing what you describe in
paragraph 15 are you referring to the condition known as
CRC errors?
A. This problem would probably cause -- would cause a CRC
error.
Q. And would Mr Parker be right when he says at the end of
paragraph 55.1:
"To clarify, this process did not involve changing
any transaction data."
In accordance with the definition we have discussed.
A. This error would occur in a line of transaction data.
Now, every digit, every character in that transaction
data is made up of bits, binary bits. So an A --
I don't remember the full binary code for it, but it
might be 101010 for instance. Now, times that could
flip so it would become 110 or whatever, one of the
digits would change. That character would then cease
becoming an A and might become a non-principal character
or an ampersand or something. That would then cause
a CRC fail because the data wouldn't be -- it wouldn't
add up.
To correct that when we detected that what would
happen at that point is that that message store would
then stop replicating. So transactions would then start
accumulating on the message store after that point.
We could copy the data that had been -- we could
copy the message store off that counter intact, from
what I remember, so we would get all of it off.
Q. Yes.
A. You could then identify the line that was broken, for
want after better word, and by looking at it, it was
quite obvious then which character was wrong, if it
was -- if it should have been an angle bracket, it was
something else, so you could then correct that in a text
editor. And basically you could then put that
transaction back in to the message store and then copy
the rest of the data back on top of it that you had
taken off, so you have corrected that particular line of
code. So in this instance we have rewritten a line of
code into the message store to correct it.
Q. Mr Roll, I want to distinguish now between inserting
individual transactions into a message store -- which
you could do and you have read the witness statement so
you know it is accepted that you could do that. I want
to talk though about the process that you appear to have
describing here. It's not possible, is it -- if there's
data on the message store, it's not possible for you to
gain access to the message store in Riposte and alter
any line of transaction data? It's physically
impossible to do that, isn't it?
A. The way I understand it and what I believe is that if
that data hadn't been replicated, if it was on a single
server -- sorry, a single counter, if we took that data
off and deleted some of it, we could possibly then have
created something else and put it on and then by
importing it into Riposte it would then have rewritten
the cyclic redundancy check correctly so it wouldn't
have flagged an error.
Q. Mr Roll, you started by explaining a situation where
transactions are stuck on a particular counter and they
are not replicating.
A. Yes.
Q. The moving of the bit from 1 to 0 is what you could do
remotely in order to unlock the counter so that the
replication process would occur as normal?
A. Yes, but to do that we would have to delete -- from what
I remember, we would have to delete the existing data,
including the broken line of data, and then import the
data back into the counter, so we were writing code into
the message store remotely.
Q. Mr Roll, I'm asking you about the process by which you
unlock a counter so that it is able to replicate onto
other counters.
A. Yes.
Q. And what I'm suggesting to you is that the process of
doing that does not involve changing/editing any actual
transaction data, any -- as we have discussed -- data
that shows up in the accounts. That doesn't involve in
he changing of transaction data at all, does it?
A. I'm sorry, I'm -- I think we're talking -- I'm obviously
not understanding what you're getting at because to me
what I'm discussing is changing the transaction data.
I'm at a bit of a loss here.
MR JUSTICE FRASER: Well, you are explaining that that's the
change which happens.
A. Yes.
MR JUSTICE FRASER: Mr De Garr Robinson is either putting to
you that that physically can't happen, which I think is
one of the questions he put, or he is putting questions
in relation to something else. So he is just going to
explore that with you.
MR DE GARR ROBINSON: Could you go please to Mr Godeseth's
witness statement which is in E2 behind divider 1 and
I would like to go to page 11 please {E2/1/11}. Perhaps
we could pick it up at paragraph 35, Mr Roll. Could you
read paragraph 35 very quickly and then indicate whether
you agree with it or not.
(Pause).
A. Yes.
Q. And you agree with it?
A. Normally that's what was happening, yes, unless
something had broken.
Q. Then if we go to paragraph 37:
"All accounting at the counter was carried out based
on the data held in the message store."
That's right, isn't it?
A. I'm just reading it.
MR JUSTICE FRASER: Mr De Garr Robinson, I know that you
have slightly run out of time but you can't really rush
him too much.
MR DE GARR ROBINSON: You are right.
MR JUSTICE FRASER: You are putting 12 or 14 lines of text.
Right, have you read it now?
A. Yes.
MR DE GARR ROBINSON: So the first sentence is right,
isn't it?
A. I believe so, yes.
Q. And the second sentence:
"The Riposte product managed the message store and
it did not allow any message to be updated or deleted,
although it did allow for data to be archived once it
had reached a sufficient age ..."
A. Yes.
Q. It is correct, isn't it, that Riposte didn't allow any
transaction line in the message store to be individually
deleted or changed or edited in any way?
A. You couldn't do it through Riposte, no. You had to hack
the system to do it.
Q. So would this be right then, that it wouldn't be
possible to remotely access a counter and change the
data on the message store of that counter remotely?
A. I believe that theoretically it would.
Q. How would that be possible? Riposte wouldn't allow you
to do it, would it?
A. By doing the system that I have just said. If you
could -- without the message store replicating, so
there's no other copies of it, if you could get that
message store off, alter the data in some of the lines
of code, to do that you would need to strip out all of
the preamble and the post-amble, so you're just then
left with the basic data as if it had been on the stack
or whatever -- forgive me, I'm very rusty on this -- but
then by -- I think it was the Riposte import but it
might have been something else, you could then reinject
that data which is the process we would have used to
rebuild a counter. But if you had changed some of that
data, I think that it would then have rewritten the CRC
when it imported it so that then when it replicated, the
data could theoretically have been changed.
Q. I'm finding it difficult to follow you and it may be my
fault.
MR JUSTICE FRASER: I follow what the witness is saying but
keep exploring it.
MR DE GARR ROBINSON: I would like to distinguish though
between transactions insertions -- the process of
injecting particular transactions into the message
store, which could be done, with the process of actually
manually changing a transaction line that is in the
message store and you could insert new transactions,
couldn't you, but what you couldn't do is you couldn't
edit or indeed individually delete lines that were in
the message store itself?
A. You would have to delete all of the message -- from what
I remember, delete all of the messages down to a certain
point to the one you wanted to amend and then inject
a load more text, or insert more transactions in to make
the message store and Riposte think that it had been put
in by Riposte and by the postmaster.
MR JUSTICE FRASER: I think you can probably explore this
with the experts.
MR DE GARR ROBINSON: I think I probably should.
So if we go back to Mr Parker's witness statement
{E2/11/16}, the process that's described in
paragraph 55.4, would you agree that -- you have already
read this paragraph, would you agree with what Mr Parker
says in --
MR JUSTICE FRASER: Wait, it is not on the screen yet.
MR DE GARR ROBINSON: E2/11/16.
MR JUSTICE FRASER: Page 1 is up but 16 isn't.
(Pause).
MR DE GARR ROBINSON: Paragraph 55.4, you have read this
already. Is what Mr Parker says there true?
A. In that case, yes, no new data is added, what we have
done is correct data and put it back in.
Q. And paragraph 55, Mr Parker -- you will recall how 55 is
structured. Mr Parker is trying to figure out what you
are talking about and he suggests first of all you might
be talking about the process that's described in
paragraphs 55.1 to 55.4 and then he says:
"Alternatively, Mr Roll's reference to a binary code
flipping may relate to a configuration item ..."
And then he goes on, he gives an example of:
"... a stock unit lock which, in the wrong state,
would prevent updates to stock units within a branch.
This issue was corrected by a member of the SSC
accessing Horizon remotely, but it did not involve
accessing or editing transaction data in any way or
re-creating databases."
Is that true?
A. I can't remember that. I was not referring to that
process.
Q. Very good. And then Mr Parker says:
"I cannot think of any other examples of incidents
that Mr Roll may be referring to in paragraph 15."
And you are suggesting there is another way, the one
that you have just described, are you?
A. That's the way I remember doing it.
Q. Okay. And you continue -- if we go back to paragraph 15
of your original statement {E1/7/3} -- would you excuse
me a moment.
It is suggested to me that you may be describing
a process that Mr Parker describes in his second witness
statement; let me go to that very briefly just to see if
you are. {E2/12/12} paragraph 38.2. Let's read the
whole of 38 together. He says:
"For completeness, in the rare circumstances where
it was necessary for Fujitsu to rebuild transaction data
in Legacy Horizon, there were three possible scenarios:
"[1] when a counter failed and there was a complete
replication of that counter's transactions elsewhere,
Fujitsu simply deleted the message (transaction) store
on the faulty counter and used the standard facilities
of the Riposte software to rebuild the data from the
replicated copy. In this scenario, the branch would be
unable to use the counter while this process was carried
out ..."
Is that correct?
A. I think so.
Q. You don't have a clear recollection?
A. I don't have a clear recollection of that.
Q. 38.2:
"Where no replicated copies of the transactions
existed on the network, Fujitsu would physically
retrieve the disc from the faulty counter. The disc
should hold all of the transactions that had taken place
on the counter. At its own office, the SSC would
extract the transaction data and deliver it to the
replacement counter without amending that data."
Stopping there, is that true?
A. In some instances, yes.
Q. "The SSC would need the subpostmaster's memory card ...
to decrypt the data. This was a physical card
(a subpostmaster had two) and Fujitsu would have to
borrow one - so the subpostmaster would know what was
happening."
Is that true?
A. I don't remember the memory cards. I don't remember
that process of it.
MR JUSTICE FRASER: You might be able to save time by
jumping to the penultimate sentence of that paragraph.
MR DE GARR ROBINSON: If I could do the intermediate ones.
Next sentence:
"If Fujitsu were to change anything, it would be to
remove the envelope around the transaction data. The
envelope contains the system admin data ie the sequence
number of the data and its ID."
A. That's what I remember doing, yes.
Q. That's what you are talking about?
A. That's one of -- yes.
Q. And just now when you were describing the process that
I'm afraid rather confused me, that's what you are
talking about here?
A. Yes, that was one of the steps in it.
Q. Thank you. And then it says:
"Fujitsu would not change the transaction data
itself and in removing the envelope data, they would
simply be allowing the system to automatically renumber
the transactions when they were reinserted."
Is that what you are talking about?
A. Effectively, yes, but this is where -- if it was that
transaction data that had the corruption in it then all
we would do is correct it to put it back to what it
should have been, so in that instance -- in that effect
we're not changing the data, we're merely correcting it.
Q. Well, my suggestion to you will be that you never and
would never manually change a transaction line of data
that a postmaster had keyed in. That's just not
something SSC would ever do.
A. The process I have just described is something we did,
as far as I remember it.
The process of actually changing a line of code to
change it from £100 to £10, we would never have done
that.
Q. So -- I mean Mr Parker says -- let's go back to this
sentence:
"Fujitsu would not change the transaction data
itself and in removing the envelope data, they would
simply be allowing the system to automatically renumber
the transactions when they were reinserted."
I'm suggesting to you, Mr Roll, that that's the most
that anyone at the SSC would ever do in terms of
changing transaction data?
A. That's not my recollection of it. It was a long time
ago though.
Q. And then he says:
"Ultimately, when the counter was replaced at the
branch the subpostmaster would be able to see what
Fujitsu had done."
Is that true?
A. Again, my understanding is that in certain circumstances
the data would be indistig ... sorry.
MR JUSTICE FRASER: Indistinguishable, is that what you are
trying to say?
A. Yes. Yes, my Lord.
MR JUSTICE FRASER: You couldn't tell the difference?
A. You couldn't tell the difference. The postmaster
wouldn't be able to tell the difference from data that
he had entered as he was scanning a stamp or whatever
and to what we had put in. That's my understanding --
my recollection.
MR DE GARR ROBINSON: Well, I suggest to you, Mr Roll, that
no one at SSC would ever manually change a line of
transaction data and then reinsert that transaction data
into the message store of any branch. There might be
occasions when new transactions were inserted, but it
was more than the job of an SSC member was worth to
actually start mucking about with lines of existing
transaction data.
A. Can I say that we were not "mucking about" with lines of
transaction data. We were trying to rebuild counters.
If I can take the instance after single-counter
post office where one of the lines of data had been
corrupted. Without correcting that corruption and then
reinserting it, if the corruption remained then that
line of data would have continued to cause problems.
Q. Well, you have heard the case I have put to you. Could
I ask you this -- well, actually, can I please ask you
to go to E2/13/4, which is the third witness statement
of Mr Godeseth. Page 4, paragraph 17. Perhaps I could
ask you to read that.
A. Sorry, paragraph 17 was this?
Q. This is where Mr Godeseth is referring -- I don't have
time to take you to the underlying PEAKs --
MR JUSTICE FRASER: We are in Parker 3.
MR DE GARR ROBINSON: We should be in Godeseth 3, E2,
tab 13. I'm so sorry, it should be {E2/14/5}. Could
I ask you to read paragraph 17 please.
(Pause).
A. I have read that, yes.
Q. Might that be what you are talking about?
A. No, I don't recognise this.
Q. So are you in a position to confirm what Mr Godeseth
says or not?
A. No, because the data that -- I'm unsure what BRDB refers
to --
Q. I'm so sorry, that's Horizon Online.
A. -- but the data would have been transaction data that we
could have been changing, from my recollection of it.
Q. Then the process you are describing in your witness
statement -- you say that you would -- I'm looking now
at paragraph 15 of your first statement {E1/7/3}, you
say that you would contact the branch and arrange for
them to stop using the computer for a limited period of
time. You would then log on to the branch's system,
download all the data from the relevant computer. Now,
stopping there, when you say "log on to the branch's
system", which system are you logging on to?
A. Sorry, we would log into the counter that was faulty.
Q. When you say log into it, you wouldn't physically log
into the counters, you wouldn't be in control of the
counters, would you?
A. The counter had to be switched on -- my recollection is
that if the postmaster hadn't logged on then we could
log on with our ID to access the message store and the
Riposte system. In that instance there would be an
audit trail because our user ID would be in the message
store not the postmaster's.
In certain circumstances we could do that. In other
instances, the way I remember it is that for the system
to operate correctly for the accounting, it had to be
the same user ID logged on, so that postmaster, or that
clerk or whatever would have to be logged in with their
ID and password so that any data we changed, or put back
on, would then go in with their ID, which is why they
couldn't use it, then that data would then be picked up
correctly by Riposte, Riposte would assume that the
postmaster had been operating as normal and would accept
the data into the message store and process it
correctly.
Q. Could you tell me what were the circumstances in which
you had to use the same user ID as the original user?
A. I can't remember what the differences were for the
different errors, but it depended on what error was
coming up and what bit of data was corrupt -- where the
corruption lay in the message store.
Q. So you can't think of a specific reason why it would
have to be the same person, but you're saying that it
did sometimes?
A. Yes, it -- sorry.
Q. I didn't let you finish.
A. I have lost my train of thought now, sorry. It often
made it much cleaner for accounting reasons, from what
I remember, if it was the same user ID. All of this --
all of these actions would be detailed in the PINICL and
if -- from what I remember, if you were accessing
a counter in this way, two people had to be there, one
as an independent witness to make sure that everything
was going correctly.
Q. So there would have to be what we now call PEAKs and
there would have to be two pairs of eyes --
A. That was what --
Q. -- it would never be left to one particular member of
the SSC team to do it on his own?
A. It was never supposed to be and I don't think it ever
was but I'm not sure.
Q. So this is a formal process then, is it --
A. Yes.
Q. -- which the SSC took very seriously?
A. It was developed and taken very seriously, yes.
Q. And is it also the case that Post Office consent was
always needed for this kind of process?
A. When I was there we were supposed to speak to the
postmaster to get his consent. So from Post Office
consent, that's what I believe you mean by that. Formal
consent from the Post Office itself, maybe not.
Q. Do you remember the phrase OCPs? The operational change
process --
A. No.
Q. -- does that ring a bell? Do you remember that a form
needed to be filled in in which Post Office consent was
obtained for alterations to data that could affect
branch accounts?
A. No.
Q. You don't remember? Can I suggest to you that that was
the process and that did have to be complied with.
A. Right. It may have been, yes.
Q. And you are also saying that it was also required that
postmaster consent had to be obtained for this kind of
change, yes?
A. That was my understanding of the consent that was
obtained. It was just one of those things that if you
were going to log on to a counter remotely for whatever
reason then you spoke to the -- you should speak to the
postmaster first and get his consent.
Q. And it stands to reason, doesn't it, that if you
started -- forgive me for the loose form of language,
but if you start fiddling with data on his machines that
could have an impact on his branch accounts, he or she
could hit the roof, couldn't he? He or she would need
to know what was happening so as to avoid any upset?
A. Yes.
Q. And is it the case that when you engaged in this process
you ensured that proper protocols were followed that you
have just described?
A. Yes.
Excuse me, I have just got cramp in my leg, sorry
about that.
Q. Mr Roll, we have discussed what you say you could do and
I have put my case to you. The controls, the permission
controls, the change controls that we have just
discussed, that is having another colleague in the SSC
review what changes you are making, obtaining
Post Office consent and obtaining subpostmaster consent
to anything that could have an impact on branch
accounts, you followed those processes both for the
process that you're describing, with which I have
certain reservations, but also with the process of
transaction insertions that we're coming to in a few
minutes, yes?
A. Yes, as far as I'm aware.
Q. If you did anything that could have an impact on branch
accounts, those processes had to be followed,
didn't they?
A. Yes.
Q. Thank you. So in paragraph 16 of your first witness
statement {E1/7/3}, you say:
"Still on the subject of remote access to branch
systems, as I recall some errors were corrected remotely
without the subpostmaster being aware."
Those errors are not errors -- or rather those
corrections were not corrections which changed branch
accounts in the way that we discussed?
A. No.
Q. You're talking about other errors, aren't you?
A. Yes.
Q. Could you give some examples of the kind of errors you
are talking about?
A. I can't remember I'm afraid.
Q. But would it be things like changing configuration
items?
A. Probably, yes.
Q. That sort of thing, which would not have an impact on
the branch accounts in the way that we have previously
discussed?
A. I think so, yes.
Q. Now, the process that you describe in paragraph 15, you
say "We would frequently access a post office counter IT
system remotely". The occasions on which you would
access a post office counter remotely in order to change
lines of transaction data, whether by inserting
something or engaging in the other process that we have
discussed and I have queried, these changes would only
arise in circumstances where the cyclic redundancy check
had been triggered where there had been some problem
which the CRC system had identified as requiring
attention, would that be right?
A. I'm not sure. I think so.
Q. Very good. Then could I ask you just to look back to
Mr Parker's first witness statement at paragraph 55.3
{E2/11/15} and the top of page 16. He is talking about
the CRC process and he says:
"If one of the sets of data on a branch counter
became corrupted it would generate an event that would
be picked up by the SMC and/or reported to HSD by the
branch (an incident reporting a 'CRC error'). There
were a total of 629 CRC errors over the life of
Legacy Horizon ..."
Would you be in a position to challenge that
calculation?
A. That's not my recollection of it. My recollection is
that some of these errors that I'm describing we would
detect because a counter perhaps hadn't replicated for
two or three days, so we would then look to see why it
had not replicated and that's when we would find out
that the postmaster was still using it, transactions
were accumulating on the counter and a corruption at
some level had stopped the counter replicating after
that point, so we would -- from my recollection it
wasn't an error that we were receiving, it was something
we were monitoring on an ongoing basis.
Q. Could I just ask you about that, Mr Roll. It's always
dangerous to ask a question to which you don't think you
know the answer, but I can understand that something may
happen to a counter which means it stops replicating to
its fellow systems within the branch; what I don't
understand is why it would stop replicating because of
a problem with a particular line of -- with a particular
transaction message. Why would a particular transaction
message stop the unit communicating with its fellow
units?
A. A corrupt line of code in the message store would, from
my recollection, stop that message store replicating.
I can't remember why, but the messages, as I say,
including that corrupt one wouldn't get replicated.
That's how you could find out which one was broken, you
could look at the message store and see that up to
line 9,004 had come through, so you would know, if the
postmaster had carried on using it, that 9,005 was the
bad message.
Q. And would I be right in thinking that the problem with
9,005, there would be a problem in the envelope, the
data in the envelope around the transaction?
A. Not necessarily, it could be in the data itself.
Q. Why would that be?
A. Because of data corruption.
Q. But why would that -- why, for example, if there was
a problem in the amount that was recorded in the
relevant transaction, why would that stop the counter
replicating --
A. I don't know, but it did. That's the way I remember it.
Q. Let's move on to transaction insertions. Paragraph 18
of your first witness statement, that's page 3 {E1/7/3},
you say:
"The ability to remotely access the Horizon system
at branch level was extensive, in that we were able to
change not only data and transaction information, but we
also had the ability to insert transactions and transfer
money remotely ..."
I'm not going to ask you about transferring money
remotely, the evidence has been explored in a series of
witness statements, but what I'm seeking to ascertain
from you is that you are talking about two different
forms of changing data, are you: firstly, the form of
data that you have just discussed, data changing that we
have just discussed; and secondly, the form of
transaction insertions? Are they entirely separate, or
are they the same thing?
A. Separate.
Q. They're separate, are they?
During the course of your time at the SSC did you
ever insert a transaction using that facility?
A. I don't think so.
Q. You don't think you did?
A. No. I believe there were instances where corrections
had to be made because data hadn't been written in and
some members of staff were able to add lines in to
correct the problems that were coming up, but I can't
remember -- I think -- I can't remember which ones they
were.
Q. So when you say in paragraph 18 "we were able to change
not only data and transaction information, but we also
had the ability to insert transactions", when you say in
the next sentence "obviously this was not done by me",
are you referring to the ability to insert transactions
and the ability to transfer money?
A. Yes.
Q. So you couldn't do either of those things?
A. I could have done. From my recollection.
Q. I'm so sorry, you didn't do either of those things?
A. No. What I'm referring to here is somebody -- if you
want to be dishonest -- if the postmaster was using the
counter then my recollection was that you could have
logged onto the counter without the postmaster
knowing --
Q. I don't need to ask you any questions about that,
Mr Roll, but I understand why you want to tell me.
Going back to the form of access you refer to in
paragraph 15, this is the situation you're referring
to: the counter would stop replicating, you would be
aware that the counter would stop replicating. Would
that come up in the automatic checks?
A. Yes, I think it was something that certainly in the
early days we were looking for, was counters that hadn't
communicated for three days or so.
Q. And then you would gain reading access to that counter
and see what had happened?
A. You would just log in.
Q. And you would see that the transactions had stopped
replicating at a particular point, is that right?
A. Basically, yes. Quite often the postmaster would have
gone on holiday, so the counter was turned off or
something and that's why it wasn't replicating. In that
case there was no need to do anything. In other
instances you would see that the postmaster was still
using the counter and that's when you would realise
there was a problem.
Q. And what would the nature of the problem be? What would
be wrong with the line of data that would make the
machine stop replicating?
A. As I have previously said, one of the lines of --
a digit or a bit somewhere, from what I remember, would
have been flipped.
Q. And are you suggesting that that wrongly flipped bit
could also have the effect of, I don't know, making the
transaction wrong, making it for £100 rather than £10,
something like that?
A. Originally I thought that, but I don't think it would,
because merely flicking one bit wouldn't alter the data
that much. It would make one of the digits wrong but
not to the extent that it ...
Q. So the basic features of the transaction, whether it was
a purchase of stamps, or a sale of insurance or whatever
the transaction was, and the amount involved, the sort
of basic features of the transaction that end up having
an impact on the branch accounts, the problem you're
talking about requiring fixing wouldn't involve any
corruption of those features, would it?
A. It could be that if it was £100 then one of the zeros
would get flipped to a non-numerical value.
Q. And that error might itself, what, prevent -- might it
also prevent the machine from replicating?
A. That might then prevent the message store from
replicating.
Q. This is a voyage of discovery for both of us.
In that situation you say that you would correct the
data in the way that you have described?
A. Yes.
Q. And we have already discussed whether you could or not,
but how would you know what change to make to the data?
How would you know, for example, that it should be £100
or £105 or £10, what investigations would you carry out?
A. You would -- by looking at the value, for example if it
was 100, or should have been, then it would be 1 and
maybe a backspace character and a zero. Now, if you
change any one of those bits, from my recollection only
one of them would result in a numerical value. If you
wanted a different numerical value to the original one
you would have to change two bits and the chances of two
bits becoming corrupted at once were astronomically
small.
It would also then if you corrected it -- if you
changed to put the wrong value in then there would be
probably an accounts or a cash balance mismatch, so you
knew that by changing one of the bits you would then get
a numerical value and that should -- when it is run
through the books properly, it wouldn't affect -- there
would be no errors.
Q. So are you saying that when you did this there was
a means by which you could be absolutely sure what the
right figure should be?
A. Yes.
Q. And how often -- I'm inferring, but it may be optimism
bias on my part, but I'm inferring that of the problems
that caused counters to stop replicating there were many
many problems that didn't involve the basic features of
the transaction data being wrong and I'm thinking that
the cases in which that problem was caused by the
transaction features itself being wrong was a very, very
small proportion. Would that be right?
A. Unfortunately this is one of the things where the
mundane solutions, which are very easily fixed, you tend
to forget about and this, which is a very complex
solution, tends to make more of a -- more of a memorable
impact. So my perception is that it was frequent, or it
certainly sticks in my mind more, but I wouldn't --
I would say it was only a small -- a --
Q. Would you be able to give an estimate --
A. No.
Q. -- as to how many times you did it in the four years?
A. No.
Q. Would it be -- it would be less than a handful?
A. I would think every couple of months, but I could be
wrong.
Q. You could be wrong.
It is right, isn't it, that Fujitsu generally, the
SSC, was extremely reluctant to make any changes to the
basic features of transaction data that we have been
discussing?
A. Yes.
Q. That's not something they regarded as their job,
correct?
A. Sorry, the changes to the transaction data?
Q. The basic features of the transaction data?
A. How do you mean by ..?
Q. Well, changing a figure in the -- the discussion that we
have just been having?
A. Right. That would have been our job because it was
trying to fix a corruption in the data.
Q. All right. And let me suggest to you that it is
something you only did when you absolutely had to do it?
A. Yes.
Q. So I would like now to ask you to go to your second
statement, paragraph 20 please {E1/10/6}. You say about
halfway down that paragraph -- we may have discussed
this already, but here you are describing transaction
insertions and there's a discussion about whether you
could use the correspondence server to piggy-back
through the gateway. And then you say:
"The nature of many problems meant that we had to
implement a fix in this way rather than going to the
correspondence server, and we frequently did use this
method in practice."
Could you explain the nature of the problems which
meant it was necessary to use that mechanism?
A. No.
Q. Can you identify a single problem that requires you to
do it that way?
A. I can't remember any specific examples, but it was --
I do remember that quite often we went to the counter as
opposed to the correspondence server.
Q. And then you say:
"If we injected transactions in this way, at the
counter position, then the counter position would be
shown in the branch records and reports as the relevant
counter position used in the branch ..."
Then going to the next sentence:
"Sometimes we had to ask for a specific person to
log in to the counter before injecting transactions so
that the software would not detect any discrepancies."
Could you explain why that was?
A. The way that I remember it, if you -- if the system --
if Riposte was looking at a batch of transactions going
through, so you had a certain user ID logged in, if it
then suddenly saw right in the middle a different user
ID, it would reject that transaction, it wouldn't
process it, it would --
Q. When you say transaction, we are obviously not talking
about transactions undertaken at the branch, we're not
talking about sale -- we have already established --
A. I am in this instance, sorry.
Q. Wasn't your previous evidence, Mr Roll, that you have
never used transaction insertions so as to insert
transactions into --
A. I'm sorry, we're ... I misunderstood your question in
that case. Yes, I did insert transaction data on
occasion into the counter servers under the processes
that we have discussed where we would correct data,
log into the server -- sorry, into the counter and then
put the corrected data back in. I wouldn't insert
data -- or I don't recall inserting data to correct the
system when data had not been written by Riposte.
I believe that on occasion lines of transaction data
were not written into the message store when they should
have been and that there was a way of correcting that
and inserting new lines into the message store, perhaps
not with accounting data in it, but with ancillary data
to -- so that the message store would continue
processing and running properly and I believe that
certain members of SSC did that.
Q. You didn't though?
A. I don't recall ever having to do that myself, no.
Q. If we could look at the transcript at the bottom of
page 134. My question to you at the top of the page
was:
"Question: ... during the course of your time at the
SSC did you ever insert a transaction using that
facility."
And you said:
"Answer: I don't think so."
A. Could we scroll up a little bit further please.
Q. Yes, if we could just go up the page.
A. Thank you.
Q. So I say at line 5:
"Question: Let's move on to transaction insertions.
Paragraph 18 ..."
You refer to them and I quote -- I read out
what paragraph 18 says.
A. Right.
Q. And I say:
"Question: I'm not going to ask you about
transferring money remotely ... what I'm seeking to
ascertain from you is that you are talking about two
different forms of changing data, are you: firstly, the
form of data that you have just discussed, data changing
that we have just discussed; and secondly, the form of
transaction insertions? Are they entirely separate, or
are they the same thing?
"Answer: Separate.
"Question: During the course of your time at the SSC
did you ever insert a transaction using that facility?"
"Answer: I don't think so."
A. I'm sorry, you've got two types of data here which we
were discussing. The first one yes, the second one no.
Q. Sorry, and what are the two types of data?
A. So the first one is where we have had the bit that's
been corrected, as I have described, and where we have
corrected the bit, created a text file which we then
log on to the counter via the server with the postmaster
logged on but not using the machine. We then ran
I think it was an import tool to rebuild the message
store on the counter. That's the way that I recall it.
Q. Yes.
A. So that is the process I was involved in.
Q. I see. I think there may be a very large penny
dropping, Mr Roll. So the process that we discussed
perhaps 40 minutes ago that threw me somewhat, I will be
frank, was a process -- I think what you're saying --
involving two different actions. The first one was the
action to get hold of the data that hadn't replicated
and make sure it did get onto the system, but the second
was to deal with the problem of a line of transaction
data that was stopping the counter from operating?
A. By -- sorry, if I can just stop you there. Getting that
data copied, it meant we had to correct that line of
data first to get the data to replicate properly.
Q. Right. But are you saying that the line of data that
you corrected was actually a new transaction that you
inserted using the transaction insertion facility?
A. It was -- in this instance no it wasn't a new
transaction, it was an existing transaction that was put
in, but there was the facility to create -- from what
I remember, to create a new line of code. Not
a transaction in the terms of selling a stamp or
something, but in the process of creating -- processing
a sale to a customer there would be numerous lines of
code, lines of data written to the message store. Now,
sometimes one of those might not have got written. The
data regarding the sale, the value, et cetera, would
have been and maybe one of the other lines wasn't.
Q. Yes.
A. So there was also the facility to correct that, which
I believe involved putting a new line into the message
store as a correction and that's what I wasn't --
I didn't -- I don't remember ever doing that.
Q. So the process that we spent some time discussing
earlier on this afternoon, did that process -- I had
understood you a couple of minutes ago to be saying that
as part of that process you did do transaction
insertions and those transaction insertions were the
kind of transaction insertions that involved putting
lines of transaction data in in the way that we have
defined?
A. Yes, reinserting existing ...
Q. And that was part and parcel of the process you
described at say 10 past 2 this afternoon --
A. Yes.
Q. -- when we started talking about paragraph 15 of your
first statement, is that right?
A. Yes.
Q. I see. And that's the only kind of transaction
insertion that you say you ever did --
A. As far as I can remember, yes.
Q. -- that involved actually inserting transactions?
A. Yes.
Q. And you say it is correcting data, but the truth of the
matter is it is just putting in a new transaction line
that you yourself have formulated, is that right?
A. Yes.
Q. I see. Now that makes more sense to me. And what you
say is that's the only time you ever did use the
transaction insertion facility in a way that would have
had an impact on a set of branch accounts?
A. Yes.
Q. And what you say is you can't remember how often you did
it, but it could have been once every couple of months?
A. Yes.
Q. And how clear are you in your memory as to how often you
did it? Might it have been much less frequent than
that?
A. It might have been.
Q. And might it have a bigger impact on your memory because
of the -- frankly the palava you had to go through --
A. Yes.
Q. -- before you had sufficient permissions to do that?
A. Yes.
Q. Thank you, Mr Roll.
Now, one thing I want to ask you about, Mr Roll, is
that on those occasions when you inserted transactions
piggy-backing off the correspondence server, you don't
remember why you had to do it but you do say you had to
do it.
A. Yes.
Q. Would I be right in saying though that the default
process of doing it was doing it through the front door?
A. Yes. It was always safer to do it from the
correspondence server. The further you got away from
it, if you like, the more risks and --
Q. And as a general rule the SSC didn't like taking risks
of that sort, that's not what they were there for?
A. That's not what we were there for.
Q. I'm grateful for that.
And could I suggest to you that in those situations
when it was necessary to use the piggy-back procedure
and indeed perhaps even more widely, that care was taken
to insert something in the message that was sent through
to make it clear it did come from the SSC?
A. I don't remember that in the message. In some instances
from what I recall, you couldn't do that. I could be
wrong, but the way I remember it is that it was -- when
we did this it was documented in the paperwork, so there
was a record of it on that side of things.
Q. Well, let's look at an example. It's an example when
you weren't there, but could we go to {F/485} please.
This is a PEAK that took place in 2009 so it's a long
time after you left, Mr Roll, and you will see that the
summary indicates there is a harvester exception and
I think we have already discussed -- or could you
perhaps explain what a harvester exception is?
A. I think a harvester exception was when the servers --
the correspondence servers overnight -- they were, from
what I remember, UNIX servers handling huge amounts of
data from all of the Post Offices and the harvesters
would run sequentially from sort of 2 o'clock in the
morning or something, one would run for 15 minutes, it
would allow 15 minutes to run and then the next one
would run and then the next one would run. So they were
not directly related to the counters at all.
Q. Then if we go to page 2 {F/485/2} just to see what the
problem was in that case. Someone called
Garrett Simpson -- I don't know whether you know who
Garrett Simpson was?
A. He was probably the one who knew most about UNIX
servers.
Q. And he says at the bottom of the page:
"After discussion with Cheryl and David I think the
situation was this:-
"1) The session ... had four Mode:SC transactions
for different currencies. Each one of these messages was
missing mandatory fields so the harvester rejected
them."
Stopping there, could you explain to the court what
these mandatory fields would have been?
A. I can't remember. I think -- well, no, I can't
remember.
MR JUSTICE FRASER: Mr De Garr Robinson, this is an example
from five years after he has stopped working there
I think, is it? 2009?
A. It is, yes, my Lord.
MR JUSTICE FRASER: Well, just hold on one second.
Am I right it is a 2009 incident?
MR DE GARR ROBINSON: Yes.
MR JUSTICE FRASER: I question how much help any of
Mr Roll's evidence might be about something in 2009.
MR DE GARR ROBINSON: All right. Let me do this very
quickly in that case.
As a result of this PEAK a transaction was inserted
into the message store of the relevant branch and
there's a copy of the transaction that was -- of what
was done at {F/416.1} and perhaps we could look at that.
(Pause).
This may be a convenient moment.
MR JUSTICE FRASER: All right. We will have five minutes.
I do draw your attention to time.
MR DE GARR ROBINSON: Yes, I'm well aware of that.
MR JUSTICE FRASER: Good.
All right, we will have a five minute break for the
shorthand writers, Mr Roll. Same form as before, back
for 20 past 3 please, don't talk to anyone about your
evidence.
(3.15 pm)
(Short Break)
(3.24 pm)
MR DE GARR ROBINSON: Mr Roll, you will be pleased to know
that we are going to have some expedited
cross-examination now. Could you please go to
bundle E2, tab 12. This is Mr Parker's second witness
statement and I would like to ask you to read at page 9
paragraphs 27 and 28 please {E2/12/9}.
(Pause).
A. Yes.
Q. Have you looked at the PEAK to which Mr Parker refers in
paragraph 28?
A. I can't remember if I saw that one or not.
Q. Okay. Well, we actually looked at it just before the
break -- I didn't give you the number so there's no
reason why you should know that. But you will see what
Mr Parker says in paragraph 28.4 and that is a point
I would like to put to you {E2/12/10} he says:
"The messages were inserted with the additional
property <Comment:PC0175821> ..."
Which was the name of the PEAK.
"... to allow them to be identified ..."
MR JUSTICE FRASER: Hold on one second something has gone
wrong. Can we jump back a page to page 10 please
{E2/12/10}.
MR DE GARR ROBINSON: Yes, paragraph 28.4:
"The messages ..."
This is the transaction insertions and this is in
Legacy Horizon that you worked on, although it is
five years after your time. He says:
"The messages were inserted with the additional
property <Comment:PC0175821> to allow them to be
identified in the audit trail ..."
Now, what I would like to suggest to you, Mr Roll,
is that when steps were taken to insert transactions
into branch accounts, that was the practice that was
followed: you would do something in order to enable the
source of the transaction to be identified from the log.
A. This, as you pointed out, is Legacy Horizon from 2009.
I would not say that was the same version as the
software that I worked on. There were constant changes
and upgrades going out all the time. I can't remember
if we had the facility to insert comments into the
version that I was working on. It may be that we did,
but my recollection first of all is that when we were
doing it it was documented in the PINICL and also this
is for the creation of a new item, a new transaction,
that I was not involved -- I do not think I actually got
involved in that side of things. It was the correction
of the corrupted ones that I was working in.
So it's possible, yes, that there was, but, briefly,
I don't know, I can't remember.
Q. If we go down to paragraph 31 {E2/12/10}, Mr Parker
says:
"Transactions injected into a counter would appear
on the transaction logs available on Horizon as if it
had been carried out by the user that was logged into
the counter at the time (if nobody was logged on, the
user ID would be missing)."
Is that right?
A. Yes.
Q. "However, when injecting such a transaction, the SSC
user would ensure that it was clearly identified in the
audit trail as having been inserted by SSC. Examples of
such identification I am aware of are the use of an SSC
user as the clerk ID and/or details of the incident
number as an additional property."
You could put additional properties into the
transactions you inserted, couldn't you?
A. I don't recall that -- I don't recall. I didn't think
we could, or I didn't think we did at that point when
I was working on it. There's a point here where it says
that "Examples of such identification I am aware of are
the use of an SSC user as the clerk ID". That is where
if the SSC user had logged into the counter and was
inserting a new transaction, rather than getting the
clerk to log in and then injecting a transaction as if
it were the clerk who were logged on, so that would --
in this instance if you were creating a new transaction
to balance the accounts then you probably won't need to
log in as that clerk who had done the original
transactions, in which case it would make sense to log
in as yourself because then from the user ID it would be
clearly identifiable that it wasn't a Post Office
employee doing it, it was someone from the SSC.
Q. What I'm suggesting to you, Mr Roll, was that when you
worked at the SSC, first of all there was the ability,
when using transaction insertions, to include additional
properties which made it possible for it to be
identified that you were the one inserting the
transaction and I want to suggest to you, Mr Roll, that
it was the practice to use that facility so as to be
clear as to the state of affairs where the transaction
came from.
A. I would disagree, to put it briefly, bluntly. If it was
a new transaction of the type we are discussing here
which I didn't do then yes, it's possible it was, but my
recollection is that if we were rebuilding the message
store and correcting a piece of data then -- effectively
creating a new item to go in to replace the broken item,
then it wouldn't have any comment put into it, but that
is my recollection.
Q. And how clear is that recollection? I will give you an
opportunity to indicate whether you --
A. It is 15 or 19 years ago, so ...
Q. Say again?
A. I might be mistaken.
Q. You fairly accept that you might have just overlooked or
forgotten?
A. Yes.
Q. That's very kind of you, Mr -- and very fair of you, if
I may say so.
Then in the last few minutes let's go to
paragraph 23 of your second statement {E1/10/7}. We are
now talking about rebuilding branch transaction data
where a particular counter becomes corrupted. You will
recall that before the break I read you paragraph 38 of
Mr Parker's second witness statement where he went
through those stages?
A. Yes.
Q. And my recollection is that you essentially accepted the
processes that Mr Parker described?
A. Yes.
Q. You say:
"As part of my role in the SSC, I was involved in
rebuilding branch transaction data ... whilst in general
terms I agree with Dr Worden's summary ... his
description is very much a simplification ... when data
on a counter became corrupt, the effect was that data
transmitted after that corruption could become
stuck ..."
Then moving on, you say halfway down:
"There was clearly room for error in this process,
where data could be lost, or mistakes made when
replicating data."
Now, I would like to ask you first of all what room
for error was there in the process where data could be
lost?
A. When you are copying the data from a counter, in my
recollection, if it's a remote counter, you're copying
across the network and then editing it yourself on
a computer, you might make a mistake and you might
delete something that you shouldn't have deleted. And
that is the error -- the room for error that I'm talking
about. There were processes -- I have to admit there
were processes in place to minimise this risk, such as
having two people checking it and so on.
Q. Well, that was going to be my next question, Mr Roll.
Why didn't you mention the fact that there were these
protections that were specifically designed to reduce
that risk to a really infinitesimally small level?
A. It didn't seem necessary to put that in.
Q. It does give a rather unfortunate impression which is
rather different from the fact of the matter, would you
accept that?
A. To my mind, no, but I will accept that it -- to other
people it could perhaps.
Q. Well, could I suggest this to you, Mr Roll. You
download this data, you get the line that you think
needs correcting and you correct it and this is all with
someone else formally sitting there watching what you
are doing, is that right?
A. Not at that point necessarily, no.
Q. When would they be watching?
A. When you're about to insert the data.
Q. So let's imagine a situation where that's happening.
The person comes along. What does that person -- he
obviously have has to check that the data you are
inserting is going to be right --
A. They check the data that you've got and then make sure
the process is followed correctly to insert the data.
Q. So that person would, for example, make sure that no
data has been lost?
A. Yes.
Q. He or she would make sure that the change being made is
the correct change?
A. Yes.
Q. And only when both he or she and you are satisfied that
it is all correct would be possible for you to press the
button and insert the transaction, is that right?
A. Yes.
Q. Now, doesn't that suggest that the chances of an error
being made such that a wrong transaction being entered
into a branch accounts really is infinitesimally small?
A. It is quite small, yes.
Q. Thank you. Then in paragraph 24 of your statement
{E1/10/7} you say:
"The process that I describe at paragraph [23] above
could be carried out without the subpostmaster's
knowledge ... and in my recollection it sometimes was
done without the subpostmaster's prior knowledge, for
example if the subpostmaster was away from the branch on
a lunch break and had not logged out of the system."
And then you say at the end of that paragraph:
"... there were times where the job needed to be
done quickly to prevent potentially catastrophic failure
and we were unable to contact the subpostmaster
beforehand."
Were those the only occasions in which you would
have inserted a transaction without informing the
subpostmaster beforehand?
A. That is the only time we would have got onto a counter
without --
Q. Right, so I would just like to ask you: in relation to
the particular transactions we're talking about, in what
situations would that potential catastrophe arise?
A. I can't recollect exact scenarios. I can't remember.
Q. Can you not give me an idea of what you're talking
about?
A. No.
Q. So let us assume there was a situation of potential
catastrophe, you would never allow a subpostmaster to
have his or her accounts changed without them knowing
about it, would you? It might be that you might not
have told them beforehand, you would certainly tell them
afterwards?
A. You would tell them afterwards.
Q. So it is absolutely standard SSC practice, isn't it,
when you are dealing with a branch and correcting
problems that the branch has got that the branch will
see, it is absolutely standard that you will communicate
with the subpostmaster to ensure that the subpostmaster
knows what changes you are making?
A. Yes.
Q. Thank you.
My Lord, I have rather hurriedly come to the end of
my cross-examination.
MR JUSTICE FRASER: Thank you very much. Mr Green.
Re-examination by MR GREEN
MR GREEN: A few points if I may.
Mr Roll, could you please be shown {F/1839}. I will
tell you what's coming up. It's the spreadsheet you
were shown -- a whole load of figures were put to you
and you were challenged on your recollection on the
basis of various statistics. Do you remember?
A. Yes.
Q. Just a couple of quick points. First of all, can we
just look at the RRP live PEAKs into SSC. And scroll up
please. Sorry, I thought it was that tab, apologies.
Can we try by category, sorry, "RRP live PEAKs by
category". That's better, apologies. Can we scroll up
just to the top very kindly.
So you've got the closure category codes down the
left-hand side: 0, 8, 9, 12, 14, 15, 40, 42 and so
forth.
A. Yes.
Q. And you have the legend or the description against them
and if we look, for example, at number 63, "Programme
approved - no fix required", 115 of those.
A. Yes.
Q. At this distance in time can you remember what was
encompassed in those descriptions?
A. I've got no recollection at all I'm afraid.
Q. Okay. And we see another one "Administrative response"
at line 21.
A. Again, I can't remember that. I can't remember any of
them.
Q. But that one seems to have quite a lot: 5,358, so about
a fifth of the overall total. Do you see that?
A. Yes.
Q. Okay. You weren't shown it, but the court was told
there was a document which was broadly consistent with
what those codes meant and if we can look please at that
document, it is at {F/823/23}. Mr Roll, I'm only going
to give a couple of examples of this. If we look at 63,
which is the line we looked at first. If you come down
the left-hand code side to 63. Do you see this table
actually only starts at 60, it doesn't have any of the
earlier codes?
A. Yes.
Q. But it does have 63 and you look across and it says
"Programme approved no fix required" which on the face
of it sounds quite chirpy and positive and then we look
and it says:
"Rarely used. Covers the case where there IS
a fault in the product and this is acknowledged by both
Fujitsu and [Post Office Limited], but the fault is
there as a result of an agreed design specification and
Fujitsu would require POL to fund any correction. MUST
NOT be used without approval from HNGX Programme Manager
or authorised representative."
At this distance of time can you remember seeing any
examples of those that you dealt with?
A. No, I'm afraid I can't.
Q. Just one other one if I may. Can we please see
{F/16/2}. This is PEAK PC0027887 and you will see it
comes in on 21 July 1999. Can you see the narrative
there, for FAD code in the third line of the light green
box, for FAD code O011523 on week, 9 receipts and
payments misbalance of £1,337.05, week 10 misbalance of
£24,000, week 11 misbalance of £12,000, week 12
1,051,111.48; do you see that?
A. Yes.
Q. And if we could go forward please to page 3 {F/16/3} and
look in the bottom yellow box, 27 July at 10.09, do you
see "CAP12" on the left-hand side?
A. Yes.
Q. It says:
"Balance brought forward was multiplied twice due
[to] known software error. The initial balance brought
forward for this CAP was 1,196,622.72. This was
multiplied twice to give a total of BBF of 2,279,189.04.
The discrepancy was therefore 1,082,540.28. This was
due [to] a known software error which has [now] been
resolved."
Do you see that?
A. Yes.
Q. So that would have been quite a bad one, is that fair?
A. Yes.
Q. If that had come across your desk?
MR JUSTICE FRASER: Mr Green, on the basis you still have
another witness ...
MR GREEN: I'm really rushing, it is the last page.
MR JUSTICE FRASER: Well, you are almost getting to the
outer envelope of arising out of cross-examination, so
put one more or two more questions.
MR GREEN: I will, my Lord. It was just on those codes.
If you look please at -- there are two last places
to look in the document. One is on page 11 {F/16/11},
where it has been given a categorisation "Fix for first
maintenance release". Can you just tell the court what
that would normally mean as far as you remember?
A. I can't remember.
Q. And then at the end it is closed, on page 13 {F/16/13},
as "Administrative response". Can you see that?
A. Yes.
Q. And just above it says "Insufficient evidence".
A. Yes.
Q. Can you remember how frequent it was for PEAKs to be
closed with insufficient evidence while you were there,
or ..?
A. I can't give you an accurate -- I can't say how often
I'm afraid. I can't remember. I know it was used but
I can't remember how often.
Q. Last point if I may. Can you please be shown {F/99.2}.
You were asked about pressure in relation to service
level agreements and if we look at {F/99.2} -- sorry, on
my copy --
MR JUSTICE FRASER: Do you want 99? We are on 16/13 at the
moment.
MR GREEN: I've got printed out on mine F/99.2.
MR JUSTICE FRASER: It might not be wrong, we just might not
have got there yet.
MR GREEN: Well, my Lord, I can probably deal with it with
another witness.
MR JUSTICE FRASER: I think you probably --
MR GREEN: It was a point of fairness to this witness. He
was challenged on something and there was evidence about
it, but I will deal with it with Mr Parker.
MR JUSTICE FRASER: Mr Roll, no questions from me. Your
evidence is at an end now, you can now leave the witness
box and you can chat to people about the case if you
would like to. Thank you very much.
A. Thank you, my Lord.
MR JUSTICE FRASER: Thank you very much.
Right, next witness.
MR GREEN: My Lord, it is Mr Henderson if I may.
MR IAN HENDERSON (sworn)
MR JUSTICE FRASER: Thank you, Mr Henderson, do have a seat.
A. I would prefer to stand if I may.
MR JUSTICE FRASER: Yes, of course you may.
Examination-in-chief by MR GREEN
MR GREEN: Mr Henderson, in front of you there is a file and
if you turn to tab 5 you will see an "Amended witness
statement of Ian Henderson" {E1/5/1} and if you turn to
the back of that witness statement on page 7 {E1/5/7}
you will see a signature. Is that your signature?
A. Yes, it is.
Q. And is that statement true to the best of your knowledge
and belief?
A. It is, subject to two points. Firstly, I originally
prepared a much longer witness statement but I was told
that because this is a time limited trial it was not
appropriate to submit one of that length, so this is
substantially shorter.
Secondly, I think the court is aware that I'm
a party to an agreement between sort of Post Office and
the claimants that restrict the matters on which I can
give evidence, so that is a further limitation in my
evidence today.
MR JUSTICE FRASER: Understood.
Have you any questions in-chief?
MR GREEN: No questions in-chief, my Lord.
Cross-examination by MR DRAPER
MR DRAPER: Good afternoon, Mr Henderson.
A. Good afternoon.
Q. You make very clear from your witness statement that you
don't propose to give opinion evidence and I'm not going
to ask you any questions about the opinions set out in
Second Sight's reports.
What it may be helpful to do is to take you through
some of the background to Second Sight's involvement and
some of the chronology as to what happened at various
stages and your involvement in the mediation scheme.
A. Fine.
Q. With that said, there's one very general point about the
scope of Second Sight's work that I would like to
confirm with you. As you are aware, the issues to be
determined in this trial and to which you refer in your
statement are purely technical issues about the Horizon
system as to its functions, reliability, robustness.
You are aware of that, aren't you?
A. Yes, I am.
Q. It is fair to say, isn't it, that the scope of
Second Sight's work was substantially broader than that?
You also considered, for example, issues as to training
and support?
A. Sorry, was there a question there?
Q. Yes: that's right, isn't it?
A. That our scope was much wider?
Q. Yes.
A. Well, our scope changed quite substantially during the
terms of our appointment. We issued an interim report
and it was that that gave rise to Post Office deciding
to offer a mediation scheme. Our role at that point
changed from being an in-depth investigation to being
one of supporting the mediation scheme primarily and
dealing with the 150 or so applicants to the scheme.
We adopted the definition of Horizon that
Post Office itself adopted, so it was much more than the
coding or the software, it also included the way that
processes operated, the impact of Horizon on
subpostmasters and the various sort of remediation
procedures that were available.
Q. Yes, thank you. So just to -- I'm going to run you
through the chronology if I may and at the end of my
doing so there will be an opportunity for you to comment
on that but I think everything I'm about to say to you
ought to be uncontroversial.
You were engaged first in July 2012, so the total
time span of your involvement is 2012 to 2015. You have
just mentioned the CRRs we're going to come on to and,
as you have you have said, the interim report was
produced in July 2013, the mediation scheme was set up
around then in the latter half of 2013 and it is right
I think to say that the applications to enter the
mediation scheme had to be in by November 2013, so
roughly towards the end of that year?
A. My recollection is actually slightly different to that.
We were first appointed around about July 2012. Towards
the end of 2012 we were in active discussions with
Post Office and JFSA who invited applications for us to
consider various matters. After we issued our interim
report, that was the point at which Post Office decided
that we should move to the mediation scheme phase.
MR JUSTICE FRASER: I don't think the witness did mention
a CRR.
A. No, I didn't, my Lord. Case review report.
MR DRAPER: He may not have used the words but I think you
said "individual reports in the mediation scheme",
didn't you? I may have misheard you.
MR JUSTICE FRASER: Rather than be combative, Mr Draper,
when you put a question to the witness that says "You
mentioned the CRRs" and he didn't, I just wanted to
check you weren't at cross-purposes.
MR DRAPER: No, I had understood him to be referring to what
I would call a CRR, but we shall come back to those in
more detail.
It is right to say, isn't it, that there were
initially 150 applicants to the scheme --
A. Of which 136 were finally admitted into the scheme.
Q. Thank you, you finished my question.
Once the mediation scheme started -- and again you
have already said something of this -- it is fair to say
that you had essentially two roles at Second Sight. The
first was the production of thematic reports, which are
the reports you describe in your witness statement;
that's right, isn't it?
A. Correct.
Q. And the second was the production of what I have called
CRRs which are individual reports relating to
a particular complainant's case?
A. Correct.
Q. Now, with that background can we turn please to the
Second Sight engagement letter which is at {F/1228.1}.
Do that you have on the screen there, Mr Henderson?
A. Dated 1 July 2014?
Q. That's the one, yes. It says in "Background" there that
this letter sets out the arrangements for your
engagement on behalf of the working group in relation to
your role in the scheme. And we can read further just
under 2 --
A. Can I just make a point, I'm sorry to interrupt, it is
dated July 2014. I mean that is a long time after the
mediation scheme started, so I'm not sure that that is
the first letter, or was the letter that was relevant at
the time that we started our work in relation to the
mediation scheme.
Q. I'm sure if it is going to be said that there was
a different arrangement that had materially different
terms, that can be suggested by the claimants. So
I just wanted to take you to some key elements of this.
Obviously if you have that concern, you can raise it.
If we could skip down quickly please to clause 4.1,
which appears on page 3 {F/1228.1/3}, that's the
provision allowing for termination on notice and that's
the provision that was relied on the following year,
isn't it?
A. That's correct.
Q. 4.2 refers to the services being provided exclusively by
Second Sight directors. That's you and one other
director, isn't it?
A. Correct.
Q. Go forward to page 5 please {F/1228.1/5}, just the
signature page, to orientate everyone. Then over the
page {F/1228.1/6}, "Scope of services", is where this
agreement describes what you are actually intended to
do. If you could just remind yourself please of 1.1
down to 1.4.
(Pause).
A. Yes, I have read that.
Q. Does that accord with your recollection of what your
role was?
A. I remember this letter, but as I said earlier, this
letter arrived probably at least halfway through the
mediation scheme so we had already done a great deal of
work, possibly on terms different than the ones
described in this letter.
Q. Understood. If you could turn then to look at 3
{F/1228.1/3} please, towards the bottom:
"It is recognised that Second Sight is not required
to definitively determine every issue raised by
a subpostmaster but rather is required to reasonably
investigate and, where appropriate, offer an opinion on
the key issues in dispute between a subpostmaster and
Post Office."
So it was recognised, wasn't it, from an early stage
that it might not be suitable for Second Sight to be
required to determine each and every issue that arose?
A. I take dispute with "at an early stage". As I said,
this letter is dated at least halfway through the period
of us supporting the mediation scheme.
Q. Putting to one side whether the situation may have been
different, you can confirm I think that it was certainly
the position from the date of this agreement, that that
was recognised?
A. Yes, I can.
Q. If we look please at 5 which starts at the bottom of the
page but really the meat of it is over the page please
{F/1228.1/7}, 5.1 refers to your expertise and the scope
of that expertise. 5.2, just remind yourself of that.
And 5.3 Second Sight shall:
"... use its reasonable endeavours to comply with
any deadlines or timeframes set by the working group."
I just want to see whether you will agree with this
in relation to timeframes: is it fair to say that the
anticipation at the outset was that the working group
would set relatively demanding timeframes and hope to
move forward quite quickly?
A. I think that's a reasonable sort of expectation. It's
got to be measured by reality though and we had regular
meetings of the working group and timetable was always
on the agenda.
Can I come back to 5.1, which you started to draw my
attention to. That was substantially varying the
previous scope of our engagement which was that the
scope of our work was to be set solely by Second Sight.
We believed, as we said in our part 2 report, that
issues relating to criminal law and so on were relevant
to the mediation scheme, so this was inserted fairly
late in the day.
Q. I'm not going to ask you about what you said or didn't
say in the Second Sight report, but I think you will
acknowledge that this isn't something that was inserted,
this was something that you agreed in July 2014?
A. Halfway through the mediation scheme, yes.
Q. Just to get the timeline right, the briefing report
part 1 was produced in July 2014; that's right,
isn't it?
A. Yes, I think that's right.
Q. And I'm not going to ask you about any opinions
expressed in that report, but purely as a matter of
getting some understanding of how it all fits together,
I think you will agree with me that the part 1 report
was intended to be a largely uncontroversial account of
Horizon's functions, Post Office's operations, things
like that, with the part 2 report being intended to
contain your opinions on issues?
A. Part 1 was intended to be, yes, uncontroversial, to
reflect the permanent information relevant to the
matters that we were looking at. The part 2 report was
dealing with the thematic issues that we had identified
from our previous work.
Q. And it is right, isn't it, that there were two versions
of the part 2 report, the first of those being published
in August 2014, so really not long after the part 1
report?
A. That's correct, which was very shortly followed up by
a very substantive response by Post Office.
Q. Yes. If we could turn to the CRRs that we have already
discussed briefly. It is fair to say, isn't it, that
they were intended to be one of three key documents that
would go before the working group: there would be the
written complaint from the subpostmaster, there would be
Post Office's written response and there would be your
CRR?
A. My recollection is slightly different to that. There
would be the application to the scheme which I think was
known as the CQR, the questionnaire. At that point we
would request such files that were available from
Post Office together with a report. As a result of
reviewing all of that information, Second Sight would
then produce its consolidated report.
Q. And that suite of documents was intended to go before
the working group and inform the decision it would then
take on whether or not to recommend mediation?
A. That's correct.
Q. And without attributing blame to anyone -- not
Second Sight, not the subpostmaster, not Post Office --
but looking purely at a factual level as to what
happened, would it be fair to say that the progress in
the scheme, in the production of those three documents,
and in obtaining a decision from the working group, went
somewhat slower than had been hoped at the outset?
A. That's correct.
Q. Can I show you briefly a couple of documents relevant to
that. The first is at {F/1325/137}. I think,
Mr Henderson, you may or may not have seen this before.
It is a letter from Sir Anthony Hooper to Ms Swinson,
who is an MP, in fact Minister for Employment Relations
and Consumer Affairs. This was in mid-December 2014.
Have you seen this before?
A. I can't see a date on that letter, I may be missing it.
Q. You can take it from me for now that we can tell from
other documents that it is mid-December.
MR JUSTICE FRASER: Mid-December which year?
MR DRAPER: 2014.
If we look at the second paragraph,
Sir Anthony Hooper is saying here the thing that you
have just agreed, Mr Henderson:
"The progress of cases at every stage of the scheme
has taken longer than the working group would have
wanted."
He then sets out those various stages. He then
says:
"In addition disagreements within the working group
as to whether individual cases should proceed to
mediation has led to further delays because such
disagreements can only, for reasons of fairness, be
resolved at face-to-face meetings."
He then gives some further detail and over the page
please {F/1325/138}. Do you recall seeing this update
on progress at the time, Mr Henderson?
A. I don't recall seeing this letter or this appendix, but
those numbers do look broadly familiar and we may well
have discussed them in a mediation working group
meeting.
Q. So by this time in mid-December, if we look down to
roughly two-thirds of the way down the table, we see the
cases that had been mediated to date, there were seven
of those; that's right, isn't it? And we see from the
very bottom that there were 110 left in the scheme.
A. I see that.
Q. If we could go forward please then -- I should just say
for completeness there's a document I won't go to which
is a later letter from Sir Anthony Hooper which is at
{F/1325/165}. That just provides an update a couple of
months later.
Moving on then to March 2015, so a few months after,
there's a report from CEDR on progress and that's at
{F/1325/186}.
A. Can I make an observation on this appendix and the
apparent slow progress. I can't remember precisely at
what point CEDR was selected but it took some time to
make the decision that CEDR was going to be the
nominated body to administer the actual mediation
process and I think that more than anything else
reflects the relatively sort of small number of cases
that were listed on that schedule.
Q. It is fair for you to add that consideration.
If we look now at the document we have on screen
here from CEDR, CEDR explains that by this date -- which
you can see from the top is 6 March -- if you look at
the second paragraph:
"As you know, since July 2014, CEDR has been
referred 31 cases for mediation under the scheme. So
far 12 mediations have been taken up by the parties,
using six different mediators, and 2 are currently being
scheduled for mediation this month."
So this is coming up to a year and a half since the
scheme closed to applicants and by this stage there has
been 12 mediations. Does that accord with your
recollection of the kind of progress that was being
made?
A. Well, perhaps I can make another point before I answer
that. I mean this letter is to Post Office general
counsel. I would not have necessarily seen this letter.
I certainly don't recall this letter. Those numbers are
broadly sort of consistent with my sort of recollection.
Q. Is it fair to say that by this stage in March 2015 there
was a desire within the working group to make somewhat
faster progress?
A. Well, I think we had already made faster progress. You
will also recall that it was in March 2015 that our
appointment under the previous letter that you showed
the court was terminated. I think at that point we had
reviewed and produced reports for something like 116
sort of cases, so the vast majority of our work was
actually complete by that point.
Q. Yes, that's a very fair point for you to make.
If we could just look at it very briefly, the
termination letter to which you have just referred is at
{F/13/24.1}. That's the termination letter I think to
which you at least indirectly referred.
A. That's correct.
Q. If we could look then to {F/1324.2}. This is a much
longer letter from Post Office that came to you on the
same day. Do you recall this longer letter? If I maybe
tell you broadly what it is to do with. It's a letter
in which Post Office sets out a plan for how
Second Sight could finish its outstanding work. Do you
remember that letter?
A. Yes, I do.
Q. And the second paragraph makes clear that Second Sight
was expected to continue working during the notice
period and that even beyond the notice period there
would be a proposed future role for Second Sight.
That's what this document dealt with, isn't it? It's
a fairly long document.
A. It is, but there's another document of that date or very
close to that date which you haven't mentioned which was
the press release from Post Office announcing the
winding up with immediate effect of the mediation scheme
itself. That I understand was the primary decision and
our termination was a consequence of that not a separate
issue.
Q. Well, I think when you say mediation scheme it's fair to
say, isn't it, that this winding up process, as you
describe it, did not put an end to mediations; in
fact --
A. It put an end to the mediation working group with, as
I understand it, no consultation and the announcement
was made I think the day immediately before the next
planned meeting of the working group, so it was
a considerable sort of shock to everybody.
The rationale from Post Office -- because
Post Office general counsel was kind enough to explain
this to me in a meeting I had with her when I was handed
this letter, that Post Office felt that we had reached
the point of -- it might be unfair to say sort of
diminishing returns, but we were at the point where the
mediation process using CEDR could continue without any
further input from the mediation working group and that
alternative arrangements would be made for Second Sight
to complete the I think it was 20 outstanding reports at
that point.
Q. And in fact although there was not much time required
for this, but also to complete your version 2 of the
briefing report?
A. Yes. That was already substantially complete. Within
the letter I seem to recall was the requirement to
complete that by 10 April which we were happy to agree
to and I think it was signed off on 9 April or
thereabouts.
Q. And it is right to say, isn't it, that that version 2 of
the briefing report part 2 was in fact -- Second Sight
had told the working group that at least the first draft
of that report would be produced on the 11th, so the day
after this letter, and you in fact did produce a draft
very shortly afterwards?
A. Yes, that's my recollection and we invited comments from
Post Office to enable us to complete the report and we
issued it I think early May -- early April.
Q. And I'm not going to take you through all of them merely
because of the time so please do tell me if anything
I say here is unfair, but there is then an exchange of
letters between Second Sight and Post Office and indeed
at least one meeting of which I'm aware in which the
terms of Second Sight's ongoing engagement were
discussed and agreed over the next couple of weeks.
A. There was a certain amount of to and fro-ing. I do
recall that one element of the proposal that was not
acceptable to Second Sight was that we were going to be
instructed directly by claimants. We felt that that
potentially compromised our independence and objectivity
and we suggested an alternative, which I seem to recall
Post Office readily agreed to.
Q. Yes. Just so we have the full detail on that,
Post Office proposed to pay to applicants the amount
that it would otherwise pay to you and for them to pay
you directly. You said, for the reason you have given,
you weren't comfortable with that and Post Office agreed
to essentially continue the existing arrangement which
was direct payment from Post Office to Second Sight?
A. Correct.
Q. And is it fair to say that that was the main point of
difficulty between you in reaching agreement?
A. That's the main point that I recall but I haven't
revisited the documents recently.
Q. That's fair.
Last point just to confirm -- I think this is
probably implicit in what you have already said to me,
Mr Henderson, but it is right, isn't it, to say that
looking at both the CRRs and the briefing report part 2,
version 2, each of those was ultimately produced
slightly -- I make no criticism -- slightly later than
had been anticipated by the working group, but in
relatively short order nonetheless?
A. I think that's a fair comment.
Q. Thank you very much.
I have no further questions, my Lord.
MR JUSTICE FRASER: Re-examination?
MR GREEN: My Lord, no.
MR JUSTICE FRASER: I have some questions.
Questions from MR JUSTICE FRASER
MR JUSTICE FRASER: The first is the two points that you
made at the beginning of your evidence-in-chief
effectively qualifying your evidence. You don't need to
tell me what you were told by whom, but your
understanding was that there was some restriction in
length on your written witness statement because this
was a time limited trial, is that correct?
A. I was told that the draft -- or my first witness
statement that I prepared stood the risk of being
rejected by the court as going into too much detail and
being too long and that I should prepare a much shorter
version, which I ultimately did.
MR JUSTICE FRASER: All right, well, just to be clear, no
such restriction has ever been imposed by the court on
your witness statement.
The second one, I understand and you have identified
this in your witness statement and it leads into a point
I'm going to ask you in a moment, that you remain
subject to a confidentiality agreement that you entered
into with the Post Office, is that right?
A. Modified by a protocol agreement that released us in
some respects so that we could work with the solicitors
to the claimants and give the evidence that I have
given. We refer to it as the protocol agreement but it
was quite clear that there were certain matters that
I am not allowed to discuss.
MR JUSTICE FRASER: Right, well, that sort of answers my
next question, but I just want to be clear: is it your
evidence therefore that because of that protocol
agreement your evidence of fact to this court is
narrower in scope than it would be absent the protocol
agreement?
A. Yes, it is.
MR JUSTICE FRASER: Thank you.
Next document please -- or the first document I'm
going to show you, which Mr Draper took you to:
{F/1228.1/1} please. Now, that's the letter that you
were shown which you point out is July 2014. As
I understand your evidence you were engaged in
July 2012, which is two years before that; is that
right?
A. Correct.
MR JUSTICE FRASER: Was there a letter in similar terms sent
to you for July 2012?
A. I think not because the scope was still evolving over
that initial sort of six to 12 months. I mean there was
certainly correspondence; I don't recall a formal
engagement letter in this sort of style at that point.
MR JUSTICE FRASER: All right. Can we go please to page 3
of that letter {F/1228.1/3}. There's a clause at the
bottom of that letter, 6.2, which runs over to the next
page which says that:
"Second Sight will not, and will ensure that the SS
directors and any SS personnel will not, act directly or
indirectly in any capacity ... against Post Office or
any of its officers, directors or employees save to the
extent (a) that it is expressly agreed in writing ...
that the work proposed to be undertaken will not have
a material adverse effect on Post Office's commercial or
financial interests or reputation ..."
And then there are some other exceptions which
effectively relate to court orders.
Do you know if there was a similar provision in
respect of your work between July 2012 and July 2014 to
that provision?
A. I don't recall that, I'm sorry.
MR JUSTICE FRASER: You can't recall.
When you received this letter in July 2014 did you
form the view that it made any material impact or
difference to the terms upon which you had been engaged
for the two years earlier than that?
A. I think we anticipated that it was certainly possible
that at some point we could be asked either to give
factual evidence or support in some other way to
claimants in an action against the Post Office. We were
quite upfront about that. There is another document
where I seem to recall that there was originally
a clause referring to 12 months' gap between the
completion of any work for Post Office and us working
for in this case sort of claimants. I recall
a handwritten amendment that I made where we agreed to
extend that 12-month period to 15 months and I notice
that in paragraph 6.3, 15 months is the date mentioned
there. So at an early point in all of this I think
there was a mutual recognition that as experts
independently appointed to look into these matters, we
could end up acting for either the Post Office or
claimants and that was envisaged in the documentation.
MR JUSTICE FRASER: All right, thank you very much.
Mr Draper, any questions arising?
Re-examination by MR DRAPER
MR DRAPER: If I may, just one point of clarification
arising out of your Lordship's first question.
You have mentioned the confidentiality restrictions
that were relaxed to enable you to speak to the
claimants for the purposes of these proceedings. You
didn't feel, did you, inhibited in answering any of the
questions that I asked you?
A. I had at the back of my mind that protocol agreement and
I tried to make sure that my answers did not infringe
that agreement.
Q. It is fair to say they didn't risk doing so, did they,
because of the nature of the questions that I asked you?
A. I would have to refresh my mind as to the questions, I'm
sorry.
MR JUSTICE FRASER: I think that's probably a point for me
actually. Thank you, Mr Draper.
Mr Green?
MR GREEN: My Lord, no.
MR JUSTICE FRASER: Thank you very much for coming,
Mr Henderson. That's the end of your evidence, you are
now free to leave the witness box.
Mr Green, that's your factual case I think.
MR GREEN: My Lord indeed.
Housekeeping
MR GREEN: My Lord, there is one housekeeping thing --
MR JUSTICE FRASER: Well, there are about five but let's
start with yours first.
MR GREEN: -- upon which I think Post Office might be
assisted by an indication from your Lordship, because
the --
MR JUSTICE FRASER: An indication?
MR GREEN: It might have to go further than that but we hope
the help might sort it out. The Ernst & Young reports
in relation to the Horizon system, we have reports --
MR JUSTICE FRASER: Which you dealt with in opening I think.
MR GREEN: Yes. We've got the ones from 2011. As far as
I can tell we seem to have most of them from 2011 going
forwards, it may be we have all, but the position on the
earlier ones which we have been asking about for
a little while is that the latest position I think is
that Royal Mail -- from whom Post Office split on
1 April 2012 -- have said, according to my learned
friend's solicitors, that they are concerned -- is the
word that's used in the letter -- about providing them
without a third party disclosure order from the court.
We are a little surprised.
MR JUSTICE FRASER: Would they be coming from the
Post Office or would they be coming from the Royal Mail?
MR GREEN: Post Office say that apparently they don't have
them and that only Royal Mail has them and Royal Mail is
saying that they are concerned about providing them
without a third party disclosure order, notwithstanding
that Post Office was part of Royal Mail and normally
when these organisations are split there are transfer
orders in the usual way. So it's a surprising position
which we hope might be lightly resolved initially.
MR JUSTICE FRASER: All right, well I will hear what
Mr De Garr Robinson has to say. I'm effectively being
invited I think to make a third party disclosure order
but against Royal Mail who you probably aren't
instructed for.
MR DE GARR ROBINSON: I have no brief for Royal Mail.
My Lord, last year my instructing solicitors --
I think actually Post Office contacted Royal Mail and
said "Could we have these documents, they are being
requested in these proceedings" and Royal Mail said
"We're not going to give them voluntarily, if you want
them you will need a court order".
MR JUSTICE FRASER: And this was last year, was it?
MR DE GARR ROBINSON: This was towards the end of last year,
yes, in the late part of last year. I'm looking around
to --
MR JUSTICE FRASER: All right, if that's the situation
then -- do you need them for Monday, Mr Green?
MR GREEN: It would be quite helpful.
MR JUSTICE FRASER: But how is -- I don't see how I can make
an order against Royal Mail if they are not here.
MR GREEN: I'm not inviting your Lordship to make a order.
The issue that concerned us -- the letter is at
{H/227/1} from Wombles dated 27 February where they
explain --
MR JUSTICE FRASER: Give me a second while it is pulled up
on the screen if you're going to ask me to look at it.
H what?
MR GREEN: H/227/1. What they say is they don't say they
are refusing -- it's the letter of 22 February -- they
say:
"... Royal Mail Group are concerned about providing
these documents without a formal order from the court
for third party disclosure."
So it is pitched at the level of concern rather than
anything more.
MR JUSTICE FRASER: The problem is, just purely in terms of
logistics ... well, it's a fundamental principle that
I can't make an order in these circumstances against
Royal Mail.
MR GREEN: Of course.
MR JUSTICE FRASER: I can express my views on the transcript
and I can also make an order, which I'm going to do, you
just have to give me a moment to consider what it is
going to be.
(Pause).
Right, your juniors are going to have to take a note
when I get to the order. First of all I will say what
I'm going to do on the transcript and why I'm going to
do it.
Order
MR JUSTICE FRASER: Royal Mail are not here today so
I cannot make, as it has been expressed in the letter of
the Post Office's solicitors on 27 February 2019,
a third party disclosure order against the Royal Mail.
However, what I am going to do is make the following
order.
I am going to order the claimants to issue an
application for third party disclosure of the
Ernst & Young reports prior to 2011, to be supported by
a witness statement and that should be issued by
1 o'clock tomorrow. I am going to give permission for
short service. It is to be served on the Royal Mail if
at all possible tomorrow and no later than 12 noon on
Monday.
In the event that the Royal Mail still decline to
produce these documents voluntarily they can come at
10 o'clock on Tuesday and I will hear the application
then and if I do make an order against them in respect
of third party disclosure, the necessary order and the
relevant timings of that can be dealt with on Tuesday.
Hopefully, considering the transcript, which I'm
sure you will provide to them, they will realise there
is little to be gained by doing anything other than
being cooperative but I am not going to pre-judge the
outcome of the application.
All right?
MR GREEN: I'm most grateful.
MR JUSTICE FRASER: So that's that done. Is that the only
housekeeping from your point of view?
MR GREEN: My Lord, the only one from me.
MR JUSTICE FRASER: Mr De Garr Robinson, do you have any?
MR DE GARR ROBINSON: My Lord, I have your housekeeping
points. You asked me to remind you to discuss
8 and 9 May.
MR JUSTICE FRASER: Yes, I have that on my sticker, we will
come to that at the end.
MR DE GARR ROBINSON: I have a file of claimants' witness
statements, my Lord.
MR JUSTICE FRASER: Excellent, thank you very much.
MR DE GARR ROBINSON: If I can hand that up. That includes
some sheets of corrections to the extent that any
witnesses have minor corrections to make to their
witness statements. I have also a document which
contains all the corrections in one place if
your Lordship is interested to see that.
MR JUSTICE FRASER: Yes please, thank you very much.
MR DE GARR ROBINSON: The corrections will of course be
provided straight away. We have copies for my learned
friend.
MR JUSTICE FRASER: Yes.
MR DE GARR ROBINSON: My Lord, yesterday you asked for
a Word version of opening submissions. Your clerk
should now have that.
MR JUSTICE FRASER: Yes.
MR DE GARR ROBINSON: You wanted me to address your Lordship
on the question of redactions.
MR JUSTICE FRASER: I wanted you to tell me how many
documents had been disclosed as a function of the review
that you have told me about.
MR DE GARR ROBINSON: My Lord, the figures are as follows.
There was a request to review 31 documents.
MR JUSTICE FRASER: And that was a request from ..?
MR DE GARR ROBINSON: From Freeths. Pursuant to that
request, WBD and junior counsel, Mr Draper, reviewed
31 documents. The redactions were maintained on 16 of
those documents on the basis of privilege.
MR JUSTICE FRASER: Yes.
MR DE GARR ROBINSON: Redactions were maintained on four of
those documents on the basis that redacted information
was both confidential and irrelevant.
MR JUSTICE FRASER: Four of the 16, or another four?
MR DE GARR ROBINSON: Four of the 31. So we are up to 20
now.
MR JUSTICE FRASER: On privilege, did you say?
MR DE GARR ROBINSON: And four was confidential and
irrelevant.
MR JUSTICE FRASER: Confidential and irrelevant.
MR DE GARR ROBINSON: My Lord, redactions for privilege were
narrowed or removed on seven documents.
MR JUSTICE FRASER: Yes.
MR DE GARR ROBINSON: On the basis that the redactions had
been applied too widely for privilege. And, my Lord,
I can give your Lordship an example of one of those so
your Lordship will see the kind of error that was made.
If I could ask your Lordship to look at {F/1251.1}.
Your Lordship will see an email. This is a Second Sight
email involving Post Office. Indeed Mr Henderson I see
is one of the recipients. If you go down to the bottom
of this page your Lordship will see a script "Privileged
and confidential - created for the purpose of obtaining
legal advice". That was inserted by Mr Henderson in his
email and that resulted in that email, or large portions
of that email being redacted. A similar phenomenon
occurred on I think four of the seven occasions. That's
what led to that judgment call, which on reflection it
was decided was incorrect.
MR JUSTICE FRASER: Yes.
MR DE GARR ROBINSON: And, my Lord, in relation to
redactions for confidential and irrelevant documents,
they were narrowed or removed in four documents,
essentially for pragmatic reasons.
MR JUSTICE FRASER: So of the 31, 16 maintained on
privilege, four maintained confidential/irrelevant,
seven led to a narrowing and four were handed over, is
that right? Or have I got the last four wrong?
MR DE GARR ROBINSON: Four was confidential or irrelevant,
so it led to either a narrowing or a withdrawal.
MR JUSTICE FRASER: Right. Which led to some material being
disclosed that hadn't been disclosed already?
MR DE GARR ROBINSON: My Lord, yes. If I give your Lordship
an example. If we look at {F/619.1}. Your Lordship
will see this is a document where the tracking summary
and the executive summary were previously redacted on
the grounds that they were both confidential and
irrelevant. One may well think that they are completely
irrelevant, but on a pragmatic view --
MR JUSTICE FRASER: Well, redaction on the grounds of
relevance is a potential two-edged sword, isn't it? But
this is the version that has now been disclosed?
MR DE GARR ROBINSON: This is the version that's been -- the
original version is at --
MR JUSTICE FRASER: I don't need to see the original one.
But it is the tracking summary and the executive
summary.
MR DE GARR ROBINSON: Yes.
MR JUSTICE FRASER: Okay.
MR DE GARR ROBINSON: So that gives your Lordship an idea of
the scale.
MR JUSTICE FRASER: Thank you very much.
MR DE GARR ROBINSON: My Lord, I had thought there was
something else. Oh, your Lordship during the course of
Tuesday asked for memo views that were talked about in
the evidence of Mr Latif.
MR JUSTICE FRASER: Yes.
MR DE GARR ROBINSON: Post Office has acquired what it
thinks are the memo views for January. There's nothing
relevant in there that they have found so far, but they
want to ensure that they've got all of them so
your Lordship may have to bear with us for a while.
MR JUSTICE FRASER: Well, that's all right. When they've
got them all -- I don't necessarily want them but you
ought to give them to the claimants.
MR DE GARR ROBINSON: My Lord, yes.
MR JUSTICE FRASER: Right, so is that all the outstanding
points?
MR DE GARR ROBINSON: Would your Lordship give me one
moment?
MR JUSTICE FRASER: Yes.
(Pause).
MR DE GARR ROBINSON: The only outstanding question is
something that actually it's really outside my job
description but it's judgment on the common issues
trial. I don't know whether your Lordship has any
thoughts as to --
MR JUSTICE FRASER: I'm going to come on to that now, but as
far as housekeeping for this trial, I think that's dealt
with all the currently loose ends except for --
MR DE GARR ROBINSON: 8 and 9 May.
MR JUSTICE FRASER: -- 8 and 9 May.
In the time from telling you I was keeping those
first two weeks of May clear to you saying when you
wanted, I'm afraid the Thursday 9 May is no longer
available. It would have to be the 7th and the 8th.
Now, I'm not going to mess around too much about this.
I don't want -- because we're moving it I'm going to be
relatively flexible. I would like you please both to
see if you can do the 7th and 8th rather than the
8th and 9th.
MR DE GARR ROBINSON: My Lord, yes, we will.
MR JUSTICE FRASER: If there is an insuperable problem we
will revisit it on Monday morning first thing. The
trouble is there are so many cogs going behind the
scenes --
MR DE GARR ROBINSON: I can imagine.
MR JUSTICE FRASER: -- that despite the fact that one wants
to and has a certain degree of autonomy, it is just not
possible to keep dates open for the length of time that
counsel might expect.
So unless you tell me on Monday morning first thing
that the Tuesday and Wednesday of that week, so the 7th
and the 8th, are simply not possible for good and proper
reasons, that's when it is going to be. If you say it
has to be the Wednesday and Thursday then I'm afraid
there's going to have to be yet more to-ing and fro-ing
about it. So I need to tell you about that straight
away. I only found out yesterday.
MR GREEN: My Lord, if we can give you a completely sure
indication by tomorrow lunchtime, would that help?
MR JUSTICE FRASER: Yes.
MR GREEN: Bearing in mind on the --
MR JUSTICE FRASER: Yes. You can do it tomorrow if you
want.
MR GREEN: Most grateful. I'm just trying to help in case
there is --
MR JUSTICE FRASER: By all means. But given the general
level of judicial business across all the divisions it's
not possible to keep everybody happy all the time.
So that then leads me on to the only other thing,
which is the common issues judgment. I am going to hand
it down at 12 o'clock tomorrow. I have had
typographical and other suggestions from both parties.
They are relatively reasonable in scope. I'm fairly
confident that although I haven't incorporated all of
them now, I will have done either by the end of today or
first thing tomorrow and I think we will keep with
12 o'clock tomorrow. I don't intend to deal with any
consequential applications at all, but I will be making
the relevant order in the relevant terms to extend time
as I identified at the beginning of last week and you
will be expected to draw it up.
MR GREEN: My Lord, we have already done a draft which
I think --
MR JUSTICE FRASER: I don't need it in advance and it
depends what it says, but you will be the one doing it
so I suggest you bring it with you tomorrow.
MR GREEN: Very grateful.
MR JUSTICE FRASER: Anything from the Post Office about
that?
MR DE GARR ROBINSON: My Lord, I have nothing to say.
I think my learned friend's order has been shared with
my instructing solicitors and if we have any issues with
it we will communicate them.
MR JUSTICE FRASER: Can I make it clear, for the purposes of
assisting in terms of cost, I don't require -- and
I will read nothing into -- either party turning up in
any numbers at all. I will expect one person from the
claimant to be here just because of the order. It will
be open to the public. There will be printed copies.
There are unlikely to be as many printed copies as
people might want them but it will be instantly posted
on the relevant websites and all those details will be
given tomorrow, so please -- particularly for the
Post Office team, Mr De Garr Robinson, because I know
you have two different teams, please nobody should think
that there will be any discourtesy assumed if nobody
decides to come.
MR DE GARR ROBINSON: My Lord, thank you.
MR JUSTICE FRASER: Finally, I have something for Opus which
is a hardly used envelope, compliments slip and plastic
folder which can be reused.
Thank you all very much. 10.30 -- well, 12 o'clock
tomorrow and then 10.30 Monday.
(4.34 pm)
(The court adjourned until 10.30 am on Monday,
18 March 2019)