POL00059424
POL00059424
Post Office Ltd
CONFIDENTIAL
Witness Statement
Statement Mare ard TNE
of:
Age if under : (if over 18 insert Occupation: 1
18: ‘over 18’) Arehitent
1. Introduction
Jenkins. T am employed by Fujitsu Servic Ltd who
I am Gareth Idr
have been contracted by Post Office Ltd to provide the Horizon systems
operating in Post Offices around the cour y. However I understand that
my role is to assist the court rather than represent. the views of my
employers or Post Office Ltd.
I graduated from Cambridge University with a degree in Mathemati in
1973 and was awarded an MA by Cambridge University in 1997. 1
employed by ICL in tember 1973 and have worked for that company
since (though its was changed to Fujitsu Services about 10 years
ago). During my Lime with ICL / Fujitsu T have held a number of roles
in Gustomer support, development, design and architecture. Curing the
early 1990s T + involy with representing IC in developing Syste
Management Standards and in 1992 I was the head of the UK delegation on
Systems Management at the International Standards Organisation
conference in Ottawa, ada. In the late 1990s 1 become a
Distinguished Engin within ICL. Distinguished Engineers, § abour
100 or so of the nical staff within the company (out about
1 fi i) stat
[ am a member of the B sh Computer Society M , a Chartered
Signature Signature
witnessed by
POL00059424
POL00059424
CONFIDENTIAL
Witness Statement
Of 12 Pages
Continuation
Statement of
Engineer
ng) a
1996 1 have been working on the Horizon project in association
$
with Post Office Ltd. My initial role was in the integration of the
Riposte messaging system which is responsible for storing all data in
the Post Office branches and replicating it to the Data Centres. I was
also responsible for the design of the interface between Horizon and
Streamline which processes all Credit and Debit Card payments for Post
Office Ltd. More recently I’ve been involved in projects associated
with interfacing data from Horizon to Post Office's back end accounting
sy
I have been asked to provide a statement in the case of Angela Sefton
and Anne Nield. T understand ¢
integrity of the system has been
ioned and this report provides some general information regarding
Integrity of Horiz
on.
tement there is a statement that loss
T note that in the Defence
started in 2005 and a statement that Horizon was installed at that time.
n was rolled out between 1999
As TI mention below (section 2.1), Horize
and 2002, so I am surprised at the refere
e to 2005. However there was
a significant change to Horizon that was implemented late in 2005,
namely the removal of the weekly Cash Account report and the move to the
ed at
monthly Branch Trading Report. The ges were thoroughly te
the time (as is the case with any change to Horizon) and there has been
no indication of there being any issues regarding this change. In
particular the changes had no impact on the overall integrity of the
ateme
stem 4 outlined in th
further background
Signature
witnessed by
POL00059424
POL00059424
CONFIDENTIAL
Witness Statement
Page 3 Of 12 Pages
Continuation Gareth Idris JENKINS
Statement of
Li The nt Structure
ection 2 of the document describes the Horizon system at a high level,
giving time-line for its development, the Business scope and
Archi cture diagrams for both the original Horizon System and the
current Horizon Online system,
Section 3 then summarises my views on the overali integrity of the
Horizon system.
2. The Horizon System
Timeline
Fujitsu were originally awarded a contract in 1996 to provide a Horizon
System to Post Office Lt The following provides me key dates and
functional changes:
¢ Horizon Pilot 1996
* Horizon Rollout 1999 2002
* Network Banking 2003
. 2004
* Cash Account removed 2005
* Data Centre Migration 2009
e HNG-X Rollout 2010
Horizon Online (or HNG-X} was a major re-implementation of Horizon. it
was a complete re-implementation of the business functionality at the
and utilised a central Database to hold of all
tions re r than the Me t iginal Horizon
All Post Office the Hi be
Signature
witnessed by
GRO
POL00059424
POL00059424
CONFIDENTIAL
Witness Statement
Page 4 Of 12 Pages
Tdris JENK
Continuation
Statement of
Online between January and September 2010 actions were
the new system as part
ope
The Business scope of Horizon is:
e Point Of Sale Application
* Transaction Recording
© All such transactions are Audited
¢ Posting Summary Transactions to POL SAP (Post Off Ltd's back
end accounting system)
jence (Post Gffice Ltd’s back
* Posting Detailed Transactions to
end Management Information system)
* Posting Remuneration Data to AP (Royal Mail Group’s back end
Payroll system)
* De parties
ivering Client Data to Post Office Lta lents (ie
that Post Office Ltd acts as an agent for such as Local
Authorities and Utility companies ete)
Diagrams
Signature
witnessed by
POL00059424
POL00059424
CONFIDENTIAL
Witness Statement
Page 5 Of 12. Pages
Continuation Gareth Tdris JENKINS
Statement of
u” Audit
"Extract
Data
Extract
Journal
Figure 1 - Horizon Data Flows
The Horizon sys
em was designed to store all data locally on the
hard disk
in what is referred to as the messagestore. Once
the data has been successfully stored there it is then replicated
(copied) to the hard disks of any other counters in the branch (and in
the case of a single counter branch to the additional external storade
on the
ingte counter}. Pata is alse pa
on from the eway counter
to the Ho on data centre using similar me
nani
where it is
in the cs
Signature. Signature
G RO witnessed by
POL00059424
POL00059424
CONFIDENTIAL
Witness Statement
Page 6 Of 12 Pages
Continuation NKINS
Statement of
The replication proc ed such that should the data fail to be
a failure on the local IT network
copied immediately (for examp]
due
within the branch or another counter being switched off or the branch
being disconnected from the data centre), then further attempts are made
to replicate the data at regular intervals until it is finally copied
ssfully. Once the data reaches the Data Centre a further copy is
taken by the Audit Agent which writes it te an Audit File which is added
into the audit trail wi e it is available for retrieval for up to 7
years. Data in the audit trail is “sealed” with a secure checksum that
is held separately to ensure that it has not been tampered with or
corrupted,
from the CS M
Other systems can also access the d sagestore via
Harvester Agents. However ich systems are outside the scope of the
integrity of the Audit tra
Every record that is written te the transaction log has a unique
incrementing sequence number. This means it is possible to detect if
any transitions recerds have been lost.
While a customer session is in proar details of the transactions for
that customer session are normally held in the computer's memory until
the customer session (often known as the “stack”) is settled. At that
point all details of the tra ions (including any methods of payment
used) are written to the local hard disk and replicated (as described
above). It should be noted that double entry bookkeeping is used when
recording Financial transactions, ic for every le of goods or
services, © cover the method of payment
such a
it is writ
t has been use
her all the data is hard disk or none
way that
Signature
witnessed by
POL00059424
POL00059424
CONFIDENTIAL
Witness Statement
Page 7 Of 12. Pages
Continuation Gareth Idris JENKI
Statement of
of it written, This concept of “atomic writes” is also taken into
account when data is replicated to other systems (ie other counters,
external storage or the data centre).
The data for a stack will have been successfully secured to the local
hard disk before the screen is updated indicating that a new customer
sion can be started. Note that although an attempt will have been
to replicate the data to an external system at this time, there is
guarante at this point that such replication will have been
sful. For example if there is a Network Failure followed by a
Terminal failure there is a slight risk that transactions in the
ng period could be lost.
All data that written includes a “checksum” value (known as a CRC)
which is checked whenever the data is read to ensure that it has not
n corrupted. Any such corruptions detected on reading will result in
being recorded in the event logs which are held on the local
hard disk for a few days for immediate diagnosis and also immediately
sent through to the data centre wt i for
e they are he
dilur to wri to a hard disk {after appropriate retri will
in the counter failing and needing to be restarted and so will be
immediately visible to the 1
snever data is retrieved for audit enquiries a number checks are
carried out:
it files have not been tampered with (ie the Seals on the
audit files are correct)
The individual transactions have sure that
Lhey have not been corrupted.
A chex
is made that no re
Signature Signature
GRO 1 witnessed by
POL00059424
POL00059424
CONFIDENTIAL
Witness Statement
Page 8 Of 12 Pages
Continuation
Statement of
s JENKINS
generated by a counter has an incremental sequence number and a
ck is made that there are no gaps in the sequencing.
Oracle
Write
Audit
Write
AL
I I
I Audit Store
BAL Message
Pigure 2 — Horizon Online Data Flows
Horizon Online is designed to store all data in an online database known
as the Branch Database (BRDB). In particular no data concerning
Business Transactions is retained at the counter other than in the
memory of the Counter Business Application.
In order to support recovery, the identifier of the last successfully completed Basket is recorded on the
Hard disk at the counter. However this is not classed as Business Data
Signature
witnessed by
POL00059424
POL00059424
CONFIDENTIAL
Witness Statement
Page 9 of 12 Pages
Continuation Gareth ldris JENKINS
Statement of
Trans
ions are carried out locally on the Horizon Online counters and
a Basket is built up during a Customer Session. Each transa ion will
result in a Basket Entry consisting of one or more Accounting Lines. At
the end of a Customer Session when the Basket has been completed and all
Settlement items (or Tender lines) have been processed and added into
the Basket as further Accounting Lines, s that the total value of the I
Basket is zero, the entire Basket is sent to the Data Centre as a BAL
Message where the Branch Access Layer (BAL) processes the message and
all the Accounting Lines are recorded and committed to the BRDB as part
of a single Oracle Commit. This means that ther all the transactions
within a Bas
ket are successfully written or none of them are. Once the
Accounting Lines have been successfully committed a response is returned
to the counter indicating this suc and this then allows any receipts
to be printed. Tr
Basket is deemed to be fully completed once all
relevant receipts have been successfully prin 1. Note that if there
are no receipts to be printed, then the screen is updated to show the
top level menu indicating successful
uipletion of the previous Basket.
The Oracle Commit also includes an Audit of the data originally
transmitted from the counter to tl
BRDB. This data is digitally signed
at the counter using a key generated as t of the Log On process. Tt
is this audit record that is used to provide the extract of transactions
used fe
Litigation support.
Any auditable ssage from the counter is stored, together with its
Digital Signature and other key attributes in an “Audit table” (known as
the Journal) in BRDB. Each n
midnight, the contents
of th table for the previous day are co; from the BRDB to a number
of gerial files.
I A number of
Signature Signature
witnessed by
POL00059424
POL00059424
CONFIDENTIAL
Witness Statement
Page 10 Of 12 Pages
Continuation
Statement of
data fron
each
number of for ease of
entrated into a
At thi
point a check is made that indeed tt
e@ are no missing
duplicate jsns for any counter and should any be found an alert
raised.
ld only happen as a result of a bug in the
somebody tampering with the data in BRDB and this
included specifically to c any such
These are then copied to the Audit system where they are sealed
with
nls. hey are held there for a period of 7 years during
which they may be retrieved and
iltered to produce the
audit data for a particular Branch.
The audit record may a4
include application events that have been
aceumulated at the counter since the last auditable m
sage was sent to
the Data All major activities that affect the Brar also have
an audit nt from the counter to the Data snire included
in the audit
Audit record includes the following identification:
* Branch identifier (i.e. FAD Code)
© Counter
e Sequer
Signature
witnessed by
POL00059424
POL00059424
CONFIDENTIAL
Witness Statement
Page 11 Of 12 Pages
Continuation eth idris JENKINS
Statement of
Within any counter (i for a given Branch Id / Counter Id
combination), the jsn will always i by exactly one for each
d. ‘This enables a check to be made that there are
successive audit rec
rds missing fxr © audit trail when they are retrieved.
no re
The transactions in a basket’ are constructed using the principle of
d
Line
uble-entry bookkeeping. This means that in addition to the Accounting
that relate
to the actual business transactions, separate
Accounting Lines are also generated for the tender items (such as Cash,
Cheques or Credit / Debit Cards), resulting in the total value of all
sro. When the contents of a
Accounting Line
sket adding up to
Basket are written to BRDR a check is made that the net value of all the
o and should it not be, then an alert is
accounting lines is indeed ze
raised and the basket is discarded and an error response returned to the
counter,
Not sult of a bug in the
happen as a
code and this duded specifically to check for any
such bugs.
Baskets are also built up during Back Office Sessions and st
ets.
Office baskets
3. Horizon Integrity
ed in a simiiar way to Customer Ba
This is described the separate integrity documents
ARCGENREPOO04 .HorizonDataIntegrity.doc which I now produce as exhibit
GIJ/l and HorizonoOn? i duce
ity_POL.doc which I now pr
invols in a number of challenges to
stam and produced Witness Statem
the or
Signature
witnessed by
POL00059424
POL00059424
CONFIDENTIAL
Witness Statement
Page 12 Of 12. Pages
Continuation Gareth Idris JENKINS
Statement of
To am net
for a numbe where the Integrity has been challende
where Integrity of Horizon Online has be
aware of any en
cases in which I have been involved were
The main chalieng
presented as “Hypothetica and my previous Witness Statements
went through each of t hypotheses and showed that there was no
specific evidence for any of them in the data presented.
In summary I would conclude by saying that I fully believe that Horizon
will accurately record all data that is submitted to it and correctly
account for it. However jit cannot compensate for any data that is
incorrectly input into it as a result of human error, lack of training
or fraud (and nor can any other system).
Signature
witnessed by