POL00089077
Post Office Ltd
CONFIDENTIAL
Witness Statement
Statement
of:
Age if under (if over 18 insert Occupation: §cxins
18: ‘over 18’) Archi
Jenkins. I am employed by Fujitsu Servi
by Post Office Ltd to provi
around the country. However I
role is to assist the court rather than repres “ my
Ltd.
graduated from Cambridge University with a degree in es ir
MA by Cambridge University in 1997 lowas
ptember 1973 and have worked for that
changed to Fujitsu Services about
with ICL / Fujitsu I have held a number of
development, design and architecture. during the
wolved with representing ICL in develop
ardards and in 1992 I was the head of on
Manage at the International S$
in Ottawa, Canada. In the late
within ICL. Distinguished
technical staff within the
of the British Computer
Signature
witnessed by
Engineer ¢
Since 1996 i zen project in association
integration of the
with Post Office 1 in role was in
Riposte messag responsible for storing all data in
the te the Data Centres. To was
interface between Horizon and
also responsible for
rd payments for Post
Debit
all Credit
eamline which p:
iated
y I’ve been involved in projects asso
accounting
rigon to Post Office
I have been
quest ior
system has
rity of
i tion regard the Integrity of
inform
I Pacts, it is stated that during a
E note th
of relocat: that Mr Ailen believed that a
discrepa
n-polled
have been
a
the Winsfor
period § te ol
included in this report
on the non-poll
to retrieve the data
knowledge as to whether this
irms the fact that there were
occurred in
and the Data Centre at
indeed
on data recorded locally
time. However it should have
all operational processes were
provic
correctly. Also, once communications were re
es normal.
che Data Centre
back
a period of at least days,
(Data
vs and operational processes
35 de
provide a4
regarding replacement followed correctly, then no
an opportunity to examine the detailed
ould be lost.) q
es, and any
were any i
logs from this period to see whether there
this resulted in apparent system lo
justification in the ¢
of £3,000 as claime
some further background
to provide
The purpose ©
formation.
the Horizon system at high level,
Section 2 of the document
scope and
development, the busin
giving a time-lin
the original Horizon System and the
Architecture diagr
ine syste
current Horizer
on 3 then e overali integrity of the
rises my
Horizon system.
The Horizon System
a contract in 1996 to provide a Horizon
awa rde
provides some key dates and
liowing
iona! changes
a Centre Migr
¢ HNG-X Rollout 20106
ation of Horizon. it
izon Online (or er rent
vetionality at the
usiness
a complete re-implementation of the
details of all
counter and utilised a central database to
original Horizon
transactions rather than the MessageStore u
nal Hord to Horizon
Office Branches migrated from the orig
Historical transactions were
Online between January and September 2016
part ©
migrat
nsaction R
Audi
o Alls
* Posting Summary Transactions to POL SAP (Post
end accounting system)
* Posting Detailed Transactions to Credence (Post Office Ltd’s back
end Management Inform
s back end
ion
o° part
as Local
Figure 1 - Horizon Data Flows
The Horizon system was designed to store all data locally on the
counter’s hard disk in what is referred to as the messagestore.
ed there it
the data
isks of any other counters in
(copi
the case counter branch to the additional
don from the
Data is also pas
centre using similar mechanisms where
uld the data
The replic
IT network
ure on the loca
copied immediately (for
being switched off or the branch
within the
then further attempts are made
being disconnected from the data c¢
the data at regular intervals until it is finally copied
to replic
the Data Centre a further copy is
ce the reac
successfully. Or
taken by the Audit Agent which writes it to an Audit File which is added
it is available for retrieval for up to 7
into the audit trail whe
“sealed” with a secure checksum that
audit
years. Data in the
not been tampered with or
is held sepa
the data from the CS Messagestore via
Other systems can a
Harvester Ag are outside the scope of the
integrity of
to the transaction log has a unique
writt
Every record that
incrementing uence number. it is possible to detect if
ds have
iti rec
any tran
ns £
of the trans
While a customer
norm ter’s memory until
that customer
is settled. At that
sion {often known
the customer
ig any methods of payment
the trai
point all det
are 4 to and replicated (as described
it should be bookkeeping is used when
recording financial itions, ie every sale of goods or
entry to ver the mett
respondi
servic
When a “st
is secured it is written in such a
that has
or none
the data is
t either
s also taken into
t is written. This concept
other counters,
when data is replicated to
storage or the data centre).
secured to the local
a for a stack will have been suce
at a new customer
updated indicating
disk before the screen is
will have been
jon can be started. Note that although an
s time, there is
to replicate the data to an external system
will have been
no guarantee at this point that such
followed by a
cessful. For example if there is a Netwo
in the
Terminal failure there is a slight risk that
intervening period could be lost.
lue (known as a CRC)
ALL data that is written includes a “checksum”
not
re that it h
which is checked whenever the data is read to
will result in
been corrupted. Any such corruptions det
on the local
failures being recorded in the event logs which
and also immediately
hard disk for a few days for immediate diagnosi
are for 7 years.
sent through to the data centre where t
retries) will
Any failures to write to a hard disk (after
and so will be
in the counter failing and needing to
mediately visible to the user.
of checks are
Whenever data is retrieved for audit enquir
ied out:
(ie the Seals on the
1. The audit fil have not been tam
are correct)
ure that
2. The individual transactions have
have not been corrupted.
are missing. © Bach
mental ence number
in the sequencing.
Figure 2 - Horizon Online Data Flows
ed to store all data in an online databas
Horizon ¢
(BRDB) . In particular no 4
as the
at the counter other than
Transactions is retair
ication.
‘In order to support recovery, the identifier of the last successfully completed Basket is recorded on the
Hard disk at the counter. However this is not classed as Business Data.
Transactions are carried out locally on Horizon Online counters and
Each transaction will
At
Basket is built up during a Cus
result in a Basket Entry consisting of one or more Accounting Lines.
has been completed and all
the end of a Customer Session when th
rocessed and added into
Settlement items (or Tender lines) have been pr
that the total value of the
further Accounting Lines, suc
e Basket a
to the Data Centre as a BAL
Basket is zero, the entire Basket
ses the message and
Message where the Branch Access Layer (BAL) proc
all the Accounting Lines are recorded and committed to the BRDB as part
all the transactions
of single Oracle Commit. This mee
1 are, Once the
:ssfully written or
within a Basket are su
{1 a response is returned
Accounting Lines have been successfully commi
mi allows any receipts
ess
to the counter indicating this sv
to be printed. The Basket is deemed completed once all
relevant receipts have been successfuli Note that if there
are no receipts to be printed, then the updated to show the
he previous Basket.
level menu indicating successful complet
The Oracle Commit also includes an Audit of the data originally
ROB. This data is digitally signed
transmitted from the counter to the
at the counter using a key generated as part of the Log On process. It
et of transactions
ovide the ext
is this audit record that is used to 7
used for Litigation support.
ered, together with its
Any auditable message from the counter is
tal Signature and other key attributes in an “Audit table” (known as
BRDB. Each ight, the contents
ght after
the Message Journal)
BRDB to a number
of this table for the previous day are copied
of serial files.
are generate
[4 number of
data from a given Branch
number of these files for os
check is made that indeed there are no missing or
or any counter and should any be found an
only happen as a result
mebody tampering with the data in BRD
specifically to check for any such
copied to the Audit system where they
They are held there for a period of 7
retrieved and filtered to produce the relev
particular Branch,
ecord may also include application events
at the counter since the last auditable message wa
jor activities that affect the Branch
sent from the counter to the Data Centre
quence Number or jsn)
Id / Counter Id
Branc
Within any counter
rease by exactly one
combination}, the
ck to be made that there are
successive audit record.
) they are retrieved.
no records missing from the
The transactions in a basket ar d using the principle of
in addition to the Accounting
This mear
double-entry bookkeeping.
Lines that relate to the actual business transactions, separate
Accounting Lines are also generated for the tender items (such as Cash,
iiting in the total value of all
Cheques or Credit / Debit Card
Accounting Lines in a Basket adding up to zero. When the contents of a
Basket are written to BRDB a check hat the net value of all the
it not be, then an alert is
accounting lines is ind
response returned to the
raised and the basket is carded and an er
counter.
Note that this could @ result of a bug in the
check is cluded specifically to check for any
code and this
such bugs.
Office Sessions and such Back
Baskets are also built up during
similar to Customer Baskets.
Office baskets are handled in
3 Horizon Integrity
This is described in integrity documents
now produce as exhibit
ARCGENREP0004 .HorizonDatalIntegr
GIJ/1 and HorizonOnline which I now produce as
exhibit GIJ/2
umber of challenges to the
I have been involve
integrity of the original Horizon system and produced Witness Statements
for ¢ where the Integrity has been challenged. 1 amt
aware of an ASBS vere the Integrity of Horizon Online h SE
suc het in court.
The main c es in the cases in which I have been invois
prese doas “H hetical issues” and my previous Witness $
went these hypotheses and showed that there
any of them in the data presented.
conclude by saying that I fully believe that
all data that is submitted to it and
ver it cannot compensate for any that is
as a result of human error, lack of training
other system).