Kuro5hin.org: technology and culture, from the trenches
create account | help/FAQ | contact | links | search | IRC | site news
[ Everything | Diaries | Technology | Science | Culture | Politics | Media | News | Internet | Op-Ed | Fiction | Meta | MLP ]
We need your support: buy an ad | premium membership

[P]
The "Don't Crash" Button

By EdFox in Op-Ed
Thu Oct 04, 2001 at 10:38:14 PM EST
Tags: Technology (all tags)
Technology

After the horrific events of September 11th many media talking heads questioned why the hijacked jetliners lacked a "Don't Crash" button. This magic device would allow the ground controllers to easily command the aircraft to simply ignore their terrorist pilots, pull up and away from their targets, and return to the nearest suitable airport for landing. President Bush even leapt on the bandwagon, calling for research into such a device.

Currently, there is no automatic flight control system with such a vast degree of un-cancelable control in existence in civil aviation. Given the state of avionics, I feel that it is possible to make one. However, do we really want such a thing in the avionics bay of a jetliner?


ADVERTISEMENT
Sponsor: rusty
This space intentionally left blank
...because it's waiting for your ad. So why are you still reading this? Come on, get going. Read the story, and then get an ad. Alright stop it. I'm not going to say anything else. Now you're just being silly. STOP LOOKING AT ME! I'm done!
comments (24)
active | buy ad
ADVERTISEMENT
Automatic Flight Control Systems [AFCS] are commonly known as autopilots, however the autopilot is only one part of the larger system that comprises a modern AFCS. The autopilot, with its control servos and hydraulic actuators, can manipulate the flight controls and throttles but it needs something to tell it what to do. There are multiple levels of this control.

The most basic, typically known as basic pitch and roll, is rarely used in normal flight operations. In basic pitch and roll the autopilot simply holds the aircraft in the attitude it was when the autopilot was engaged. The pilot can change the pitch and bank with a rocker switch and a knob and the aircraft will dutifully follow along.

More commonly used is simple automation mode. Using the Flight Control Panel [FCP] the pilot commands the autopilot to achieve certain basic goals. Some of these are "fly $heading", "maintain $altitude", and "throttle to maintain $airspeed". When maneuvering in the terminal area (close to the airport), the pilot will enter Air Traffic Control [ATC] instructions into the FCP and the autopilot will take care of actually flying the airplane to the targets the pilot sets. The main advantage of simple automation mode is that making changes is very quick, which is important in the busy terminal area.

The most advanced mode is full automation mode. In this mode, the pilot programs the Flight Management System [FMS] with the planned track for the entire flight. The FMS can be thought of as the aircraft's "central computer". When properly programmed, the FMS will command the autopilot to climb to the planned altitude, fly the planned route, and descend towards the destination. ATC commanded changes to the plan enroute are entered into the FMS, which will adjust its plan to fit the new instructions. Modern FMS's are commonly referred to as PFM Units, for Pure F***ing Magic. When properly programmed, they will unerringly guide the aircraft along a "wire in the sky", tell the pilot when he will arrive over every waypoint and at the destination to a tenth of a minute, and figure fuel remaining at every point along the route to the pound.

The FMS, however, does not include a Don't Crash Button. It lacks features designed to miss large buildings, it cannot be controlled in any way from the ground, and it can always be overridden by the pilot.

---

To miss a capital structure requires two things, knowledge of the structure's position and knowledge of the aircraft's position. So long as the twain do not meet, all will be fine and good.

The latter is already taken care of. Modern aircraft have multiple position sensors feeding information to the FMS, such as multiple-channel GPS receivers, redundant Inertial Navigation Systems, VOR/DME sensors, and highly accurate Air Data Computers. The FMS processes all this data, assigns priorities and reliabilities based on its knowledge of the strengths and shortcomings of each sensor, and constantly computes a position that is usually accurate to within a few inches.

The former is more difficult but is already being worked on. After the American Airlines crash outside Cali, Columbia--which was caused by the pilots imputing incorrect route and waypoint data into the FMS, causing the aircraft to fly itself into a hill--the FAA called for the installation of Enhanced Ground Proximity Warning Systems [EGPWS] on all turbine aircraft. The EGPWS is an outgrowth of the GPWS, which has been standard equipment on transport aircraft for decades. The more simple GPWS tracks the aircraft's height above terrain, speed, and position relative to the glideslope navigation beam used in an Instrument Landing System [ILS]. It has several "envelopes" that it considers unacceptable and it informs the pilots when the aircraft enters one of these envelopes by yelling at them, literally. The "WHOOP, WHOOP, PULL UP! PULL UP!" warning made famous by so many bad airplane disaster movies is an example of a GPWS warning. Yes, it does sound like that. :) The EGPWS will expand this capability with the addition of a digitized map of terrain and obstructions for the entire globe stored in its memory. The EGPWS will constantly compare this map to the aircraft's known position and altitude and sound a "TERRAIN, TERRAIN" warning if the aircraft is getting too close to something solid.

Note that this is a warning only. The GPWS or EGPWS is NOT linked to the FMS or to the autopilot. It will yell long and loudly to "PULL UP, PULL UP" but it will never do so itself. This is because false GPWS warnings are very common. The system will activate when it is obvious to the pilot that the aircraft is in no danger and in some cases it will simply go haywire. In many cases, pilots have been forced to ignore continuous GPWS warnings in order to land. There are procedures established to disable the system by pulling circuit breakers to shut the damn thing up. So, the EGPWS is not a Don't Crash Button. It may have yelled "TERRAIN, TERRAIN" at the hijackers, but it wouldn't have done anything about it.

---

Controlling an aircraft from the ground is something that has no precedent in commercial aviation. Military aircraft are flown remotely all the time as spy drones, target planes, or for test crash purposes and scientific research aircraft have flown not only remotely controlled but autonomously but so far nobody has even considered putting passengers in an airplane with no pilots up front. However, doubtless many airline executives have dreamed about it... :)

The main problem with ground control is that airborne datalink systems are still in their infancy. While the passengers can call their girlfriends on satellite telephones from over the Arctic ice cap, the pilots still talk to ATC on radios that are essentially unchanged since the late 40's. The communications loss scenario in "Cast Away" is possible. Transoceanic aircraft use High Frequency [HF] radios because Very High Frequency [VFH] radios do not work beyond line of sight. HF radios are notoriously scratchy, are affected by weather and space phenomena, and sometimes just don't work because they just don't want to. Even over a landmass where VHF can be used, radio contact can still be lost and transmissions can be "stepped on" when multiple aircraft attempt to transmit at once. VHF datalink does exist but the baud rate is awful. Satellite datalink does exist but it not in common use. A terrorist could foil a satellite datalink by simply rolling the aircraft inverted, thus blocking the dorsal antenna with the aircraft's own structure.

In either case there is no current facility to reprogram the FMS or otherwise control the aircraft via these datalinks. Such an ability would be vehemently objected to by pilots and the FAA because of security risks. Even the mere possibility of remotely controlling an aircraft inflight by hacking into the ATC command center in Virginia would be a massive target for not only terrorists but malcontents and bored high school kids the world over. I for one do NOT want some script kiddie hacking into my FMS while I'm enroute, thank you very much!

---

This brings us to the third hurdle for the Don't Crash Button, the ability of the pilots to disable the automation.

An Air France Airbus crashed near Habsheim because automation failed. Unable to apply more power because of "control laws" set by the AFCS, the pilot could only watch as it flew right into a tree line. Another dove into the ground because the pilots inadvertently selected a 3,300 feet per minute descent instead of a 3.3 degree descent. In a third case, the AFCS on yet another Airbus fought the pilots tooth and nail using the trim because it didn't want to land, causing a crash. In yet another example, yet another Airbus crashed because the autothrottle went nuts and drove the plane into a spin. Can you tell that I'm not thrilled with Airbus products yet? :)

All aircraft with autopilots, regardless of manufacturer or complexity, have a red button located on the control yoke under the pilot's thumb. Pressing this switch disables all automatic control, severing the automation from the aircraft's flight controls. Airbus aircraft used to not have such buttons but after the accidents mentioned above they were added. When Big Red is pushed, the FMS will still try to command the aircraft along its path and the autopilot may want to achieve its preset goals all it wants but it will all be for naught. The pilot will be the only one manipulating the actual flight controls. This has been a basic concept in aviation since the Wright brothers. When all else fails, give control back to the pilot and let him fly the silly thing. If the stall warning pusher goes nuts the pilot can hit Big Red and it will give up. If a control surface jams the pilot can disconnect it from its mate and fly with the good surface only. If hydraulic control boost systems fail the pilot can put some elbow grease into it and fly the plane by backup cables. And if the autopilot does something weird, he can hit Big Red and it will instantly give up.

If Big Red or some other means of electrical disconnect such as pulling circuit breakers fails an autopilot will fight against a pilot's input--briefly--then will give up and automatically disconnect. If the pilot does not even press Big Red and just fights with the controls, the autopilot will automatically give up. AFCS systems are designed to disconnect should any major resistance be felt, be it from the pilot, a jammed control surface, or severe turbulence. Failing all of this, autopilot control servos are designed with torque limiters and shear breakaways that enable a pilot to overcome an autopilot gone mad that utterly refuses to disconnect simply through muscle power. The autopilot must by regulation be designed so that a normal pilot can outmuscle it long enough to remove all electrical power on the aircraft, if that is what is necessary to disable the autopilot.

However, for a Don't Crash Button to be effective, it must be impossible for the pilot to disable it. The best FMS in the world linked to a ground controller who can program it to avoid the WTC will be useless if the terrorists can hit Big Red. In addition, auto flight systems linked to a Don't Crash Button must be able to physically overpower the most determined hijackers at the controls.

---

So now we come to the point of the whole article. (Took long enough, didn't it?) Linking terrain and obstacle information from the EGPWS to the FMS would be simple. With the addition of a reliable satellite datalink, the FMS could be ordered into Don't Crash mode from the ground. Hydraulic servos are easily available that could overpower the strongest human pilot and could be retrofitted to commercial aircraft.

The question is, do we want such a device onboard?

As anyone who works with computers knows, the more complex the system, the more prone to failure it will be. Pilots have a variant of this maxim: twin engine aircraft have a worse safety record than single engine aircraft because two engines means twice as many things that can go wrong. A EGPWS linked FMS override activated from the ground is a system of incredible complexity involving multiple overlapping modes and millions of lines of code. Due to its power to override the pilot under any circumstances, any failure could be catastrophic.

If the Don't Crash Button goes nuts, the aircraft will be unable to get close enough to the ground to land and will eventually run out of fuel and crash. If the newly powerful autopilot decides that it wants to dive the plane into the ground--as some autopilots have attempted to do in the past--then the human pilots will be unable to prevent it.

If there is any possible way to override the Don't Crash Button, either in the air or from the ground, than a terrorist will use this method to disable it and render the Don't Crash Button pointless. Obscurity cannot be counted on as a defense. The terrorists used cockpit layouts and aircraft training manuals in their preparation. A sleeper agent could rise through the commercial aviation ranks for decades until he was eventually trusted enough to be trained in the secret Don't Crash Button override procedure. A commercial pilot could be captured and interrogated. Having a truly secret procedure known only to the National Command Authority to disable the Don't Crash Button would also be unacceptable. ATC controllers had only minutes warning that the aircraft that slammed into the WTC were being hijacked. Activation of the Don't Crash Button would have to be simple and quick, requiring no special military or Presidential orders because that would take too much time. If radio communication was subsequently lost, it would be impossible for the pilots to receive the secret override codes. Imagine this nightmare scenario: terrorists learn the radio code that activates the Don't Crash Button by espionage then broadcast it to all aircraft over the United States at once, then they activate radio jammers and wait for the planes to start falling. At any one time there are some 15,000 commercial flights aloft over the continental United States. Such a scheme would kill hundreds of thousands and not require any loss of life on the part of the terrorists.

To quote the computer from "War Games", it is a strange game. The only way to win is not to play. IMO, The only possible solution is to not install a Don't Crash Button. Instead, we should dedicate our energies to other means of defeating hijackers. Better airport security, onboard armed guards, armed pilots, reinforced cockpit doors, revised hijacking response procedures, ground anti-aircraft batteries, and aerial interception are all valid and important aspects of suicide hijacking prevention.

Of course, bombing them all to hell wouldn't hurt either. :)

-- EdFox

Sponsors

Voxel dot net
o Managed Hosting
o VoxCAST Content Delivery
o Raw Infrastructure

Login

Related Links
o President Bush
o Flight Management System
o GPS
o Inertial Navigation Systems
o American Airlines crash outside Cali, Columbia
o Air France Airbus crashed near Habsheim
o Another
o In a third case
o In yet another example
o Also by EdFox


Display: Sort:
The "Don't Crash" Button | 75 comments (70 topical, 5 editorial, 0 hidden)
"Distress" Button? (4.50 / 6) (#1)
by SPrintF on Thu Oct 04, 2001 at 07:38:08 PM EST

I'm generally opposed to making revolutionary changes to working systems. I prefer to make incremental changes and examine the results. In this case, an "all-or-nothing" abdication of flight control seems like an extreme first step in confronting this issue.

An alternative incremental step would be a "distress" button, that would signal ground controllers that an emergency had developed on a flight. (This is analogous to a silent alarm at a bank.) It would block attempts to turn off the flight transponder (as was done in the WTC hijackings, IIRC) and open an audio and visual telecommunications link to the cabin, so that ground control could obtain clear information on the crew's situation.

Naturally, this would not, alone, allow ground control to assume command of the aircraft. But an effective system would have to do at least this much in order to allow the next step, partial or full preemption of control, to be implemented.

Also, it's worth pointing out that remote control of an aircraft does not solve the problem; it merely transfers the problem from the air to the ground. How will a hypothetical ground controller respond when the hijackers threaten to execute the passengers unless controller directs the craft to where the hijackers want to go? (For example, if they demand to land and be transferred to another, uncontrolled, aircraft?) Even if the technological fix is in, will the legal, bureaucratic and psychological protocols be in place to allow the controller to say, "No"?

Already done. (none / 0) (#19)
by Signal 11 on Thu Oct 04, 2001 at 11:58:53 PM EST

Most planes have a 'silent alarm' button they can trigger to alert ground controllers of a problem, according to a CNN report from about a week ago.


--
Society needs therapy. It's having
trouble accepting itself.
[ Parent ]
Transponder codes do this. (5.00 / 1) (#25)
by arheal on Fri Oct 05, 2001 at 02:20:08 AM EST

Most aircraft have a radar transponder on which you can set a 4 digit code which is visible to ATC. All the 7XXX settings are for emergencies. The 7700 (I think) is for hijackings. Accidentally setting this (and it HAS happened a few times) results in the aircraft being unexpectedly surrounded by the FBI when you land (fun, fun). If the hijacker is not cockpit competent the transponder code can be unobtrusivly changed in a couple of seconds.
There can be only one!
[ Parent ]
Just make it unchangeable (4.00 / 1) (#28)
by Cironian on Fri Oct 05, 2001 at 04:03:32 AM EST

Still, you could render the code unchangeable after a 7xxx code has been entered, requiring pushing a button on the outside of a plane to be pressed for reset. (In the cargo bay perhaps? AFAIR there was no way of getting there without leaving the plane on most models.)

The transponder should likewise be placed in a location not accessible in-flight; as it doesnt need to be connected to anything else except a console in the cockpit it wont cause an accidental crash. So what if the FBI surrounds some planes whose pilots messed up and keeps everyone waiting for an hour until the situation clears up? Whats some time lost compared to lives which might be saved if a plane heading for a city is tracked in time as hijacked? While this one doesnt solve all the problems at least its a partial solution that can be safely implemented.

[ Parent ]

Transponders again (4.00 / 1) (#34)
by arheal on Fri Oct 05, 2001 at 08:41:26 AM EST

At present transponders must be able to be turned on/off from within the cockpit while in the airport so as not interfere with the nearby radar systems. They are only (supposed to be) turned on in the air. In addition the transponder may be disabled from the cockpit by pulling the circuit breaker, just as EVERY other (and I do mean every) piece of electrical equipment on the aircraft.
There can be only one!
[ Parent ]
OK (none / 0) (#38)
by Cironian on Fri Oct 05, 2001 at 09:41:02 AM EST

I knew they could be disabled easily right now, which is why I wanted to put it somewhere inaccessible in midair with its own power supply. Didnt realize that there was a problem with the radar though, so this idea is probably out.

[ Parent ]
Hrmm (3.60 / 5) (#3)
by Neuromancer on Thu Oct 04, 2001 at 07:45:51 PM EST

So, instead of hijacking an airplane agressively, they would have to sit at a ground station with ham radio equipment and hack into it, right? I don't see how that's any safer, no offense to the idea. What would they do, make it ILLEGAL to hack into airplanes and crash them? I doubt that that would stop someone willing to kill himself to crash an airplane.

PERHAPS something internal with AI. I could picture a neural net doing something like this, but still, that would not respond to tower commands... the flaw with that is that a would be terrorist could crack into the computer and change a couple variables around to crash it.

I think that it's a doubly screwed situation... at best you can make it more difficult, but not necessarily impossible.

I do however LIKE the idea.

Parsing the threat (2.80 / 5) (#4)
by anansi on Thu Oct 04, 2001 at 07:47:02 PM EST

This 'don't crash' idea is a lot like the other hairbrained ideas being passed around to avoid a repeat of 9/11. It's today's generals wanting to fight the last war all over again.

At some point, you've got to ask yourself what kind of society produces criminals. (I'll sidestep the question, 'what is terrorism?' for now) At some point, you've got to ask how high a fence you're willing to build, to maintain inequities of power. I'm not just thinking Bin Laden, but the 19 shlubs he supposedly sacrificed to make his point. I'm not just talking about Hitler, but the war reperations after WW1 that set the stage for his rise and the sequel to 'the Great War'.

In short, there'll always be someone willing to prescribe another high-tech solution to a problem posed by the 'bad guys'. What's it going to take to muzzle the CIA, and shut down the School of the Americas?

Don't call it Fascism. Use Musollini's term: "Corporatism"

Fuzzy thinking, and you missed my point too. (none / 0) (#12)
by EdFox on Thu Oct 04, 2001 at 09:32:28 PM EST

Like many commenters, you seem to have missed my intent, which was to argue against such a scheme. This is not the reason I am replying to your comment, however.

Do you honestly mean to suggest that simply because I happen to be an airline pilot in the United States I *deserve* to be killed by some discontented "shlub" who wants to use my plane to make a political statement?

A Don't Crash Button is a poor fence against such terrorism but I very strongly *DO* believe that something must be done to prevent further attacks. I consider there to be NO LIMIT AT ALL to the "height of the fence" that should be built to preserve my life! Perhaps you should remember that not only did 5,000 innocent people die in the WTC itself, but 233 passengers and 33 crew who did NOTHING WRONG were also killed.

I am disgusted by your allusion that nothing at all should be done to protect pilots and their passengers because its all the "evil CIA's fault".

-- EdFox


[ Parent ]
fuzzy thinking? Kettle, you're black! (none / 0) (#73)
by anansi on Thu Oct 11, 2001 at 10:31:29 PM EST

In your first line you say, "my intent... was to argue against such a scheme."

Yet when I discount the plan that you already disagree with, then I am "[suggesting] that nothing at all should be done to protect pilots and their passengers

Is it possible to argue both for prevention AND cure at the same time? At the present time, it seems as if there's an arsonist running around torching the city, and all the mayor can think of, is to smoke out suspected hidaways for this bad guy. If more innocent civilians are burned, well, it's not like they are American civilians, after all!

What would it be like to stop treaching arson at the local police acadamy?

The 'terrorist training camps" that we're bombing right now, were payed for by the amrican taxpayers to fight the former soviet union^H^H^H^H^H The war on drugs. (43 million in march of this year) Yet the US continues to operate the school of the americaa in Ft Benning, GA, which teaches the exact same stuff. It's 'terrorism' when they do it, it's 'counterinsugency' when we do it.

I consider there to be NO LIMIT AT ALL to the "height of the fence" that should be built to preserve my life!

I sure hope you don't try to buy life insurance then, becasue you'll quickly find that these companies are in the business of assigning a dollar value to human lives.

Don't call it Fascism. Use Musollini's term: "Corporatism"
[ Parent ]

Radio (3.50 / 2) (#5)
by sigwinch on Thu Oct 04, 2001 at 07:49:10 PM EST

With the addition of a reliable satellite datalink, the FMS could be ordered into Don't Crash mode from the ground.
Your scheme seems to depend strongly on radio links. Unfortunately, any radio receiver can be jammed cheap. Putting together a stout diesel engine, generator, big-ass magnetron or other high-power radio tube, and high-gain antenna is child's play. $100,000 would buy an *awesome* jammer, and $500 would let you raise merry hell.

(Actually that's not true. You can build receivers that are extremely difficult to jam, but it takes lots of channels, each of which has an independent bandpass filter between the antenna and the receiver. They're big and expensive.)

--
I don't want the world, I just want your half.

Airbus Crashes (4.40 / 5) (#6)
by wiredog on Thu Oct 04, 2001 at 07:50:18 PM EST

The Airbus crashes where the aircraft hit the trees and a mountain were actually caused by bad user interfaces. Basically, the pilots thought they were in mode A when they were actually in mode B. There's been quite a bit of stuff written about bad interfaces using those as examples. The airbuses were the first commercial fly by wire aircraft with glass cockpits and it took awhile for the pilots to get used to it. The Therac-m machine, used in radiation therapy for cancer, also had a killer interface. Killed two or three patients, IIRC.

See "Fatal Defect" by Ivars Peterson.

The idea of a global village is wrong, it's more like a gazillion pub bars.
Phage

See also: (4.50 / 2) (#10)
by Inoshiro on Thu Oct 04, 2001 at 08:47:25 PM EST

"Mobile Devices Will Soon Be Useful":
"Automotive Devices: Complexity = Death
Many of the new mobile services are intended for use in cars, mainly by drivers. This changes the equation for usability. Typically, we are concerned with mundane matters like increasing website profits, improving employee's intranet productivity, or reducing the training and support costs for software applications. For in-car interface design, complexity will lead to deaths.
By current estimates, driver distractions cause at least 10,000 deaths per year in the U.S. alone, and mobile user interfaces may increase this number substantially unless usability is given high priority in device development.
" (There are more juicy stats in the article)

It seems like more research into good designs of interfaces will save twice as many people per-year as stopping terrorists will. Perhaps we should have GWB declare war on the companies in the Interface hall of shame?



--
[ イノシロ ]
[ Parent ]
Am I Stating the Obvious ? (4.16 / 6) (#8)
by Phage on Thu Oct 04, 2001 at 08:31:44 PM EST

Just seal the cockpit.

If the pilots cannot be reached, or communicated with by the cabin crew or passengers they cannot be threatened or coerced. Exactly the same idea as those automatic shutters on bank counters.

The proposed solution is merely, as another comment stated, transferring the problem to the ground.


I don't find Heathens to be sexy, as a general rule.
Canthros

Thank you (5.00 / 1) (#16)
by chazzzzy on Thu Oct 04, 2001 at 11:09:33 PM EST

Sometimes the solution is so simple that everyone COMPLETELY overlooks it. Just SEAL THE COCKPIT. EL AL arilines has been sealing their cockpits and have not had a hijacking in 40 years since doing it!



[ Parent ]

Not quite (4.25 / 4) (#29)
by Herring on Fri Oct 05, 2001 at 04:53:22 AM EST

El Al don't completely seal the cockpit. They have a stronger, lockable door - and, probably more of a factor, armed sky marshalls on most flights.

If you completly seal the cockpit (ie pilots enter through a different door from the pax) then you could get incidents where both pilots are incapacitated (fumes, depressurization etc.) and nobody would be able to help. It's rare, but pax (usually someone with a PPL) have landed planes under ATC instruction when this has happened.

The captain is supposed to be in charge of the whole plane. If (s)he can't get back in the cabin for whatever reason - controlling unruly pax or whatever then there could be problems.

Third point, there was an Egypt Air crash a while back where the cause was rumoured to be one of the pilots gone loopy. Assuming there was time (which there wasn't in that case) then, with some help from crew/pax, a rogue pilot could be pulled from the controls and restrained.

I'm not saying that it's a stupid idea mind, just that there are issues which need to be thought through.


Say lol what again motherfucker, say lol what again, I dare you, no I double dare you
[ Parent ]
Locked door - better idea (none / 0) (#67)
by wnight on Sun Oct 07, 2001 at 02:21:41 PM EST

The idea of a locked door is a good idea, it allows access if it's needed, yet without making it easy.

I'd say that the door should have a coded lock, that the passengers/stewards could get the key to from ground control, if needed. You'd press the panic button, talk to ground control, they'd try to contact the pilots and if they couldn't (or detected trouble) they'd transmit the code and you could open the door.

If you use a key that's on the plane it simply becomes a target for the hijackers, they kill the stewards and take it.

I'd put a strong locking door in, openable from the cockpit with a double handle (have to turn both at once) and from the other side with a code. A gun port in the door and two shotguns with flechettes. And a camera or two covering the door area and hiding places nearby.

Having a double-door (airlock style) cubby between the cockpit and cabin would allow passing up meals without opening the door... Otherwise terrorists will just wait for mealtime and ambush then.


[ Parent ]
Mind you. (none / 0) (#21)
by Jacques Chester on Fri Oct 05, 2001 at 12:32:58 AM EST

The proposed solution is merely, as another comment stated, transferring the problem to the ground.
But gee, it's so much easier to secure a cockpit, right? <sarcasm>Because a thin kevlar wall beats reinforced concrete any day</sarcasm>

I'm more worried about the system being used by some enterprising terrorist crackers sniffing the ether. You can shoot what you see, after all.

Gawds, let us hope MS doesn't get the contract.

--
In a world where an Idea can get you killed, Thinking is the most dangerous act of all.
[ Parent ]

Sealing the cockpit? Not necessarily (none / 0) (#51)
by phliar on Fri Oct 05, 2001 at 12:43:19 PM EST

A lot of people are saying "just seal the cockpit!".

Pilots are human, you know... they have to eat, piss, sleep. (There are flights longer than 8 hours; so obviously they have to sleep, right? Long flights carry relief crews.) Civil pilots are not soldiers and you can't expect them to piss in a tube and eat space rations.

This also means scrapping the whole fleet. Adding a door to a pressurised airplane isn't like re-modelling your house.

And after you've spent all this money making aviation incredibly safe [note: it already is!] the terrorists just switch to something else.

Better we spend a little time thinking about why it is that entire countries seem to want to kill us.


Faster, faster, until the thrill of...
[ Parent ]

Waiting for the Revolution (4.20 / 5) (#9)
by dr k on Thu Oct 04, 2001 at 08:40:49 PM EST

I call this kind of speculation "Waiting for the Revolution" - kind of like the dream of global broadband internet access, trying to build an uncrashable plane ignores one critical thing: the present.

If you could find every at-risk plane and retrofit it with the new "Don't Crash" technology, everywhere at once, at the stroke of midnight on October 11th, and of course train the thousands of mechanics and pilots how to use the new system, and build the redundant infrastructure, and...

While it would be nice, there is no easy way to get from here to there.

The ability to crash a plane into buildings is not the reason why people crash planes into buildings. You can stop your car in the middle of the freeway and do a little jig in the carpool lane, and it would be a terrible thing to do, and people do it, but people don't talk about creating unstoppable-on-the-freeway/anti-carpool-jig technology. Why? First of all, it isn't really a problem. Second: people don't do it just because they can.

So, what am I saying? Crashing planes into buildings isn't really the problem.
Destroy all trusted users!

I agree (none / 0) (#39)
by Hefty on Fri Oct 05, 2001 at 09:54:19 AM EST

Even if at this present time if a no crash system was in place on commercial jetliners. It would be safe to assume that not every aircraft would have the system. Older/smaller aircraft no doubt could have had the same results on the WTC, especially if the aircraft was loaded with explosives. Think what a privately owned lear jet loaded with 150Kg of C4 would do if it was slammed into a building and simultaneously exploded. For that matter a Cessna or a ultralight could have the potential for being turned into a weapon. You don't need a commercial jet liner, and you don't need just a large plane to cause mass damage.

[ Parent ]
Shaped charges! (4.00 / 4) (#15)
by Signal 11 on Thu Oct 04, 2001 at 10:41:57 PM EST

I would say with a strong cabin lock, and the ability to hit a red button labeled "lockout control" would be a more effective deterrent. It's what the military has used on weapons guidance systems for a long time - after a certain point, the system locks, and no further changes can be committed. Perhaps airplanes need a similar feature - some way of simultaniously indicating both that a hijacking is occurring, and a way of locking out controls.

The military has also found the concept of a two or three person team to work on critical tasks, even when only one is required, to prevent the enemy from getting someone into said position. Give every flight crew member the ability to do a systems lockout, and you've effectively defeated the use of that airplane in an attack.

However, there's an even more dangerous possibility... They said Osama Bin Laden spent, what, $10 million for all of this, but he netted almost $1.3 billion in damages. A very good investment, if you're a terrorist. For $10 million, I think an enterprising team of engineers could easily make some shaped charges.

Pack a U-haul with *shaped charges* and aim it at the object of your desire. Shaped charges can have concussion waves that extend thousands of feet, and still be powerful enough to slice through 3.4 meters of high strength armor-steel. I don't think the superstructure supports of a skyscraper would survive what that cannot. And they can be compact too, easily fitted to a briefcase. Our own government is even helpful in explaining the basic physics (thanks uncle sam!), so anyone familiar with plastic explosives and a little engineering talent could probably fabricate a crude shaped charge. "For a real good time, call Dennis Baum at (925) 423-2236" *sighs*


--
Society needs therapy. It's having
trouble accepting itself.

Shaped Charges? (none / 0) (#53)
by phliar on Fri Oct 05, 2001 at 01:10:39 PM EST

Shaped charges can have concussion waves that extend thousands of feet, and still be powerful enough to slice through 3.4 meters of high strength armor-steel. ...
Your sentence seems to suggest that a shaped charge will penetrate 3.4 m of armor steel after propagating through the air for thousands of feet. If this was in fact what you meant, it is not correct. (The armor penetration is done by the jet of molten metal, not by the shock wave.)
Our own government is even helpful in explaining the basic physics (thanks uncle sam!), so anyone familiar with plastic explosives and a little engineering talent could probably fabricate a crude shaped charge.
There is a large difference though between knowing how one works ("basic physics") and actually building one. If the shape is not accurate, the shocks don't reinforce and become a super-shock. A "crude" shaped charge won't do much of anything except behave like an ordinary explosive charge. Design of shaped charges is also a key part of making efficient nuclear fission weapons so details remain classified. The various books on the nuclear designs of the 50s ("The Making of the Hydrogen Bomb" is one, if my memory doesn't fail me completely) discuss shaped charges. The speed of propagation of the explosion front has to be carefully controlled; it is extremely unlikely you could make a shaped charge with a little plastique.

Uncle Sam is not that generous.


Faster, faster, until the thrill of...
[ Parent ]

Shaped charges (none / 0) (#63)
by sigwinch on Sat Oct 06, 2001 at 01:04:08 AM EST

The speed of propagation of the explosion front has to be carefully controlled; it is extremely unlikely you could make a shaped charge with a little plastique.
That's the real problem: the explosive has to be very uniform (composition, entrained bubbles, grain size, grain orientation, etc). Likewise the shape has to be moderately precise. As far as I know, though, the calculations are straightforward. A lot like optics, really. You could probably use an optical refraction simulator with appropriate conversion constants for the calculations.

--
I don't want the world, I just want your half.
[ Parent ]

Pilot Identification? (3.00 / 1) (#17)
by cascino on Thu Oct 04, 2001 at 11:09:42 PM EST

How about some form of pilot ID system? You could mount thumbprint scanners on the yoke itself, and the plane simply would not respond to anyone other than the pilot. Although the occasional passenger-turned-pilot in an emergency situation would warrant a way to turn it off, perhaps remotely...

"Some of the best features of Internet Explorer 5 haven't even been invented yet." - microsoft.com
There already is (none / 0) (#22)
by sdh on Fri Oct 05, 2001 at 12:56:50 AM EST

It's called a pilot certificate. Of course, it's as useful as a drivers' license (and it doesn't have a picture on it... and you have to physically cut it out of a sheet of card stock!)

Granted, physical security on airplanes is very weak. It is a running joke that the more expensive, powerful, and complex and airplane gets, the easier it is to gain access to said airplane.

For example, a single engine airplane, roughly 160HP, such as a Piper Warrior, has a lockable door and a key to control the magnetos (think of it like an ignition switch). This airplane is about the smalles airplane you can fly (excluding ultralights which are not technically airplanes).

You move up to even a twin-engine piston airplane and you lose the key to the mags, rather just a switch to turn them on/off/start/etc.

An airliner has no physical security whatsoever for unauthorized entry. But then again, it doesn't need any... any access door requires the use of airstairs or a jetway to reach, and even a seasoned Private Pilot could not figure out how to start the engines on a 727. Not to mention the increased security now -- it would be impossible to steal a airplane from a major airport.

A thumbprint scanner on the yoke would not work for many reasons. First, the pilot doesn't always keep his hands on the yoke. Second, many, many different pilots fly any given airplane, airline, or rental. It would be impossible to keep a database.

I think most of the energy is misguided following the tradegy. Auto-land buttons are not needed, and are not necessary.

[ Parent ]
Backdoor backdoors (5.00 / 1) (#23)
by ZorbaTHut on Fri Oct 05, 2001 at 12:59:25 AM EST

The problem with all of this is that we just plain don't trust our computers enough. With good reason. They're not good enough. We can't afford to trust the lives of tens of thousands of people every day to possibly flawed computer systems. So any computer lockout is going to have to be disableable. And if it's disableable, it only makes it minutely harder for a terrorist to get control, but might inconvenience the pilot in a critical moment.

"He would have pulled out of it, but he barely missed the thumbprint scanners and it refused to acknowledge his command."

"Someone bumped the Don't Crash Button, and then they flew into a thunderstorm and lost radio contact. The programmers never thought to avoid thunderstorms, and the pilots couldn't control the plane."

Anything that someone sitting in the pilot's chair can't override is going to cause deaths. Anything that even might require overriding will cause deaths. (Though not as many.) And anything that can be overridden isn't going to do much against terrorists.

[ Parent ]
Wow (4.00 / 3) (#18)
by rebelcool on Thu Oct 04, 2001 at 11:31:23 PM EST

an article written by someone who knows what they're talking about. Will miracles never cease?

COG. Build your own community. Free, easy, powerful. Demo site

You must be a pilot! (3.66 / 3) (#20)
by phliar on Fri Oct 05, 2001 at 12:03:43 AM EST

If you're not, you should start lessons. Excellent summary of modern avionics. (EGPWS is already installed on some carriers - AA 757s have them, thanks to Cali.)

A terrorist could foil a satellite datalink by simply rolling the aircraft inverted, thus blocking the dorsal antenna with the aircraft's own structure.
There aren't many pilots who could fly a 757 inverted for extended periods!

A ground-controlled command with all its pitfalls is just impossible. A pilot activated mode is slightly more do-able, although to trust that many people and that much expensive equipment to automation without a trained pilot monitoring it... a system that reliable might be possible, but not in my lifetime.

You don't necessarily need EGPWS for such a system: the FMS already has all the airways/routes, arrivals and approaches it might need. (For non-pilots: a "route" or airway [high-altitude or low-altitide] is like the highway system, and have names like V-266 [lo-alt] or J-10 [hi-alt]; an "approach" is the procedure that allows you to fly the aircraft to some small distance [0-1 mile] and height [0-1000 feet] from the runway; an "arrival" links approaches to the airways. Obviously every one of these guarantees obstacle avoidance.) Before the flight you might inform the FMS++ of areas of weather to be avoided, and maybe preferred emergency airports. If the panic button is pressed, the FMS++ randomly picks a nearby designated airport, switches the transponder to 7700 (or maybe some other designated code) and flies the airplane to that airport, flies the approach, lands and shuts down on the runway. (No need for taxi instructions for the emergency.)

Even that much automation though... todays FMSs can fly approaches all the way down to the runway, land and deploy brakes; they can't hold the centerline below a certain speed. I'd still be very very nervous about trusting my ass to it. If this system were reliable enough, we could get rid of pilots altogether and free up some really nice window seats up front!

Maybe, just maybe we need to figure out if there's something about our actions that make people out there that want to kill us.

Faster, faster, until the thrill of...

Impossible the way things are now (none / 0) (#24)
by sdh on Fri Oct 05, 2001 at 01:13:33 AM EST

Obviously every one of these guarantees obstacle avoidance.

Right, but what if you are not on an airway, departure procedure, or terminal arrival route? Then you'd have to depend on the MSA or MEA (a MSA, or minimum safe altitude, is the altitude that guarantees you obstacle clearance but not necessarily navigation signal reception, MEA, or minimum enroute altitude, does both).

I suppose this could be done, but it would be a lot of work, and a huge liability issue. Look at how much the Cali incident cost American, Jeppessen, and Honeywell (IIRC) -- and that was for something that was technically correct, just misleading!

This also causes a ton of problems. Will every airplane with this system require a GPS and a worldwide navigation database? What if the airplane flies a route from Chicago to LA every day? What if it is not possible to integrate a database in the airplane (many older transport category airplanes have roughly the same navigation capabilities as the small airplanes you find at your local county airport!)

This is an impossible question to answer.

todays FMSs can fly approaches all the way down to the runway, land and deploy brakes

You're confusing an autopilot for FMS. The FMS does many things relating to flight management, but the actual flying is the autopilot's responsibility.



[ Parent ]
radar? (none / 0) (#41)
by garlic on Fri Oct 05, 2001 at 10:17:10 AM EST

I may be missing something, but why is a navigation database necessary? Wouldn't a radar be much cheaper and easier to implement?

HUSI challenge: post 4 troll diaries on husi without being outed as a Kuron, or having the diaries deleted or moved by admins.
[ Parent ]

Radar is not everywhere (none / 0) (#46)
by sdh on Fri Oct 05, 2001 at 11:56:03 AM EST

Radar coverage does not cover the entire United States, let alone the world. In just my area, radar service only goes down to 4000 ft. Out in the west, radar coverage is spotty at best in some places.

[ Parent ]
on the plane, not the ground (none / 0) (#48)
by garlic on Fri Oct 05, 2001 at 12:23:04 PM EST

sorry, I meant a radar on the plane.

HUSI challenge: post 4 troll diaries on husi without being outed as a Kuron, or having the diaries deleted or moved by admins.
[ Parent ]

Obstacle Avoidance (none / 0) (#49)
by phliar on Fri Oct 05, 2001 at 12:31:42 PM EST

Right, but what if you are not on an airway, departure procedure, or terminal arrival route? Then you'd have to depend on the MSA or MEA
Not the MEA - those are defined for airways. You'd want OROCAs for off-airways en-route ops. In any case, for Part-121 jet ops obstacles are not an issue en-route, only in the terminal area.


Faster, faster, until the thrill of...
[ Parent ]

Airplane or FMS? (none / 0) (#54)
by phliar on Fri Oct 05, 2001 at 01:23:15 PM EST

todays FMSs can fly approaches all the way down to the runway, land and deploy brakes

You're confusing an autopilot for FMS.

AAAAgh! Actually I meant to write "airplane" there, but the fingers typed FMS.

(Although I guess I should add the caveat that there are no Cat III.c approaches in the US.)


Faster, faster, until the thrill of...
[ Parent ]

Impossible right now? I agree (none / 0) (#55)
by phliar on Fri Oct 05, 2001 at 01:35:57 PM EST

I suppose [fully automatic airplane that lands at random airport] could be done, but it would be a lot of work, and a huge liability issue. Look at how much the Cali incident cost American, Jeppessen, and Honeywell (IIRC) -- and that was for something that was technically correct, just misleading!
I agree completely. Just in case my message gave anyone else the wrong idea: yes, it is technically feasible, but for such a system to be reliable enough for actual use on commercial airliners - not in my lifetime.

Furthermore, aviation is already the safest thing out there. All this stuff is in the noise. We kill as many people on the highways in four days. Does that mean we should do nothing? No, I'm not saying that; I'm saying let's accept that there is no way a free society can be an impregnable fortress. Of course we should try to apprehend the criminals and bring them to justice. But to prevent things like this from happening again, let's figure out if there might be, just a possibility, something we do that gets so many people so pissed off.


Faster, faster, until the thrill of...
[ Parent ]

In fact, I am. :) (5.00 / 1) (#27)
by EdFox on Fri Oct 05, 2001 at 03:15:24 AM EST

I'm a turboprop captain for a national Commuter airline. I won't say which. :)

After the Cali disaster, the FAA mandated EGPWS installations in all turbine aircraft regardless of the FAR part they are operated under (all flying including airline, air taxi, and private) by 2003. I'm not so sure on the date.

Yes, a Don't Crash Button could be made to work without an EGPWS but its terrain map would be very useful.

Anyway, as I've said in a few comments, I'm actually against the Don't Crash Button and wrote this as a mental exercise, but I'm still very pleased with the overall response. :)

Any new automated system, be it a Don't Crash Button, a yoke mounted fingerprint scanner, or a more benign "panic" button is fraught with problems that make the cure worse than the disease.

-- EdFox

[ Parent ]
Please don't truely consider this... (5.00 / 1) (#26)
by mathematician on Fri Oct 05, 2001 at 02:29:27 AM EST

Anything you can control by a remote control, a hacker can control by remote control. Wouldn't suicide bombing be easier without the suicide?

military UAVs (none / 0) (#40)
by garlic on Fri Oct 05, 2001 at 10:07:10 AM EST

So, shouldn't the military not use Unmanned Air Vehicles then? They must have thought of this and come up with a system that is difficult to impossible to decode (strong encryption), difficult to jam, and semi-autonomous if jammed. Now, you have to be more careful when the plane is nolonger Unmanned, but shouldn't these same techniques work for passenger flights?

HUSI challenge: post 4 troll diaries on husi without being outed as a Kuron, or having the diaries deleted or moved by admins.
[ Parent ]

Unmanned Air Vehicles (none / 0) (#43)
by ucblockhead on Fri Oct 05, 2001 at 10:53:42 AM EST

The whole point of "Unmanned Air Vehicles" in the army is that there are no people involved, so the craft is inherently less valuable, and can thus be used for more dangerous missions. They are generally much significantly cheaper than manned craft, so they figure that if they lose a bunch, it is no great shakes. You can lose a hell of a lot of $100,000 small, radio controlled recon planes before you've hit the price of one U-2 spy plane, not even counting the cost of the pilot.


-----------------------
This is k5. We're all tools - duxup
[ Parent ]

plane prices (none / 0) (#47)
by garlic on Fri Oct 05, 2001 at 12:21:31 PM EST

I was curious about your numbers, so I checked out the USAF and US Navy sites to see what they said.

cost of Predator UAV system: $25 million
cost of Global Hawk unit:$16-20 million predicted
cost of Navy Pioneer UAV: under $1 million

cost of U2: Classified
unit cost of F-15E: $31 million
unit cost of A-10: $9 million

So it looks like the price of the UAV is quite variable, just like the dollar price of the manned planes. However, I wouldn't want to try to measure the cost of a life lost.

HUSI challenge: post 4 troll diaries on husi without being outed as a Kuron, or having the diaries deleted or moved by admins.
[ Parent ]

Numbers were out of my ass... (none / 0) (#56)
by ucblockhead on Fri Oct 05, 2001 at 01:54:52 PM EST

That wasn't meant to be a real number, just one I heard for one version, which was just a glorified model airplane used for recon by the Isrealis.

There actually is a cost associated with a pilot. It takes millions just to train a jet fighter pilot, and good ones are definitely a rare resource. In the Battle of Britain, the British actually had more planes than pilots qualified to fly them, something that caused them lots of problems. This is also one of the reasons for the Japanese Kamakazis. They had an easier time getting the resources together to build planes than to train pilots.


-----------------------
This is k5. We're all tools - duxup
[ Parent ]

Multiple "Distress" Buttons (5.00 / 2) (#30)
by Wildgoose on Fri Oct 05, 2001 at 05:56:03 AM EST

As a programmer, I wouldn't feel safe in an aircraft on which the autopilot could override the human pilot.

But what is wrong with the concept of a several "distress" buttons (similar to fire alarms) scattered throughout the aircraft?

Upon activation, they could change the transponder to signal hijacking or other trouble, and then the autopilot would take over and land at the nearest airport. This would only work if the autopilot could not be overridden in these circumstances, but as this would not be the normal state of affairs it would not bother me.

Let's face it, in a hijacking most people would now feel much safer if the autopilot had control of the aircraft.

The only problem is when they are triggered either maliciously, or by idiots. However compared to the WTC tragedy I think these occasions would be acceptable.

Automated = death (none / 0) (#66)
by wnight on Sun Oct 07, 2001 at 02:07:14 PM EST

You say you don't like a system that could override the human pilot, but then mention one where it could? I don't understand.

I think we need multiple warning buttons, but they should only send a secret (not telling the cockpit) signal which alerts them to possible terrorism and scrambles the F16 interceptors who will, if needed, take action. Once alerted, ground control could talk to the pilots, assuring that they are the people who were in control when the plane took off, and talking them down to an airfield without any valuable targets around it.

Anything more automated than that seems like a bad idea.


[ Parent ]
windows :) (3.83 / 6) (#31)
by Stick on Fri Oct 05, 2001 at 06:49:26 AM EST

I thought this was going to be about a new windows feature.

abort, retry, don't crash


---
Stick, thine posts bring light to mine eyes, tingles to my loins. Yea, each moment I sit, my monitor before me, waiting, yearning, needing your prose to make the moment complete. - Joh3n
Silly. (2.66 / 3) (#32)
by Kasreyn on Fri Oct 05, 2001 at 07:26:34 AM EST

This just transfers the risk, it doesn't prevent it.

Say we follow your suggestion. We have air controllers with the ability to suddenly take over flight control from errant planes, and maybe security guards on the planes, and Islam-sniffing dogs at the terminal, and whatnot. So no terrorists can bother us on our little sky commutes, eh?

The terrorists will shrug, get new training, disguise themselves as air traffic controllers, get in there, and hijack them remotely FROM THE GROUND. This is great for them, since a handful of them could crash 50 planes in mere moments if the controls they're at are watching over enough planes.

Am I the only one to see this as a potential problem?


-Kasreyn


"Extenuating circumstance to be mentioned on Judgement Day:
We never asked to be born in the first place."

R.I.P. Kurt. You will be missed.
say YOU (none / 0) (#37)
by Ender Ryan on Fri Oct 05, 2001 at 09:27:32 AM EST

Let's say YOU actually read the f(ucking)|(ine) article, you would know that he is against this whole Big Red Button nonsense.

Unfortuneately, you, and many others, did not and are making total asses of themselves...

That said, you're right, this nonsense just transfers the problem to the ground, which is much worse for obvious reasons.


-
Exposing vast conspiracies! Experts at everything even outside our expertise! Liberators of the world from the oppression of the evil USian Empire!

We are Kuro5hin!


[ Parent ]

Marvelous Idea (3.50 / 4) (#33)
by CaptainZapp on Fri Oct 05, 2001 at 08:13:10 AM EST

No need anymore for highly payed, highly skilled professionals in a cockpit. We can just replace them with minimum wage "pilots" for 5.60$ a pop, per hour. This will result in even cheaper flights.

Hey, after all: Pilots then are only required to make the passengers feel good (sortof like airport security) and wouldn't need any skills whatsoever (else then looking and acting professional maybe, to make the passengers feel good).

Seriously, it would be a dumb idea. As a poster pointed out, evil terrorists just raid the control center and then amuse themselves by playing "Die Hard 2". Also: The captain is the captain is the captain is the captain, period. (S)he's the guy in charge with the ultimate power and responsibility. Such measures are degrading to the professional pride of anybody. So it's likely, that you just don't find anybody willing to play yokel in a cockpit. Save maybe for those, that don't give a flying fuck if they're flying a plane or flip burgers at McDonalds.

SSH into the cockpit (3.00 / 2) (#35)
by hardburn on Fri Oct 05, 2001 at 09:05:30 AM EST

This would be fine just as long as there is a very large firewall and some heavy encryption between the plane and the rest of the world. Having something wide open means that next time, the terrorists can stay at home and take over the plane from the comfert of their living room.


----
while($story = K5::Story->new()) { $story->vote(-1) if($story->section() == $POLITICS); }


Risk Factors.... (4.33 / 3) (#36)
by Elkor on Fri Oct 05, 2001 at 09:15:29 AM EST

Let's examine the potential attackers for a second:

The maximum number of hijackers on any given flight is the number of seats on the plane. (let's say 200).

At best you need at least one person per plane you are trying to hijack.Thus limiting you by the number of people you have.

The maximum number of hijackers that can try to hack into a plane is limited by the number of broadcast radios and computers they have. Which is effectively unlimited.

At worst you need one person per plane. More likely one person can take over multiple planes.

Let's think about this for a second.....

4 people to take over 1 plane, or 1 person to take over 4 planes.

Regards,
Elkor


"I won't tell you how to love God if you don't tell me how to love myself."
-Margo Eve
A Comparative Review of Risks (3.50 / 4) (#42)
by mcherm on Fri Oct 05, 2001 at 10:20:39 AM EST

First of all, THANK YOU for an overly lengthy but incredibly fact-filled and informative article.

This is an issue that I've been concerned about since shortly after 11-Sep when I first heard the (IMHO ridiculous) suggestion of introducing electronic guidance systems capable of overriding the pilot.

Whenever considering making a change to reduce risks, one must not forget to include consideration of OTHER risks which might be INCREASED by the change. And in this case, the other risks are enormous, while the risk that is reduced is quite small.

You point out (in exhaustive technical detail) how systems failures and technical glitches -- of a sort that we KNOW will happen from time to time -- bring risks that would be greatly increased by such a system. Let me point out a few MORE risks which would be increased.

  • The risk that a terrorist would grab the controls FROM THE GROUND (or wherever it's controlled from) and fly the plane into a building OR into the ground.
  • The risk that a non-terrorist would grab the controls from the ground. (More likely, IMHO, since there are many more nutcases in the world than terrorists.)
  • The risk that a terrorist would try to hijack a plane, asking only to be flown to some 3rd country and maybe receive some money, and when control is taken from the ground would start killing passengers or would simply blow up the plane.
And let's throw in your technical risks:
  • The risk that hardware without an override would go haywire and just crash the plane.
  • The risk hardware would go haywire and refuse to land the plane.
  • The risk that a software bug would generate either of the above.
  • The risk that communications with the ground would be lost, leading to a failure of the system.
  • The risk that terrorists would activate a "Don't Crash Button" and then prevent override.
Finally, let's compare these against the risks that are REDUCED:
  • The risk that hijackers will take over a plane, replace the pilot (no pilot can be compelled to fly himself into a building), avoid having the passengers storm the cabin (remember what happened on the one flight where the passengers DID realize that slamming into a building was a risk), and fly into a building, all before military aircraft or other intervention measures can be put in place.

In other words, this ONLY helps if the terrorists attempt the exact same scheme again. And that's pretty unlikely.

So PLEASE, people... don't put this in! Despite everything, I still have faith in the fundamental safety of the US air travel system. But a mechanical system which overrides the pilot... now THAT might cause me to lose my faith.



-- Michael Chermside
Failsafe - already implemented (none / 0) (#72)
by elsifer on Tue Oct 09, 2001 at 02:41:33 PM EST

Well, I have to tip my hat for to very informative article. Also, the Fail-Safe-Override button has already been created. The Russian Sukhoi 27 (su-27 - http://www.airforce-technology.com/projects/su27/)fighter plane and the MiG 31 (http://www.airforce-technology.com/projects/mig29/index.html) both have a magic button that will cause the airplane to cease it's current maneuver and begin straight and level flight, I am sure this could be modified to allow the airplane to climb back to a suitable altitude, and using the previously mentioned avionics systems to avoid a crash. Not too sure if the FAA wants to use "foreign" technology, but heck if the Russians can do it with welded and riveted airframes, perhaps the FAA can institute this into a much larger/slower airframe. I personally do not have any experience with this airframes, but from being a military junkie, I do know that these features are built into the Russian avionics package.

[ Parent ]
Good article (none / 0) (#44)
by Hefty on Fri Oct 05, 2001 at 11:09:07 AM EST

My thoughts when I first heard about this idea reflected back to the Airbus A-series of aircraft. These aircraft were built with the idea in mind that the flight systems were going to do much of the work and the pilots were there to just oversee their operation and make sure everything ran smoothly. I recall a number of situations were the on board flight control system would fight the pilots and try to the fly the plane first and regard the pilots inputs as second. Airline pilots from the U.S. that had the oppurtunity to fly an Airbus totally disliked the single hand flight stick. Airbus aircraft use a single handed flight stick that uses fly by wire systems to control the flight surfaces. They complained that you just couldn't get the same feel flying a plane with a flight stick as you could with a two handed yoke. I saw a video that someone on the ground toke of an Airbus Aircraft (not sure which) that was trying to do a barrel roll and the pilot was desperately fighting the aircraft's flight systems. The wings tilted back forth violently and passengers were hurt as they were thrown around the cabin. Replacing pilots with a computer will just change how we describe accident conditions. When a pilot messes up its called pilot error, when the computer has problems its a bug, glitch, or malfunction. Pilots can fall asleep or neglect flight duties and computers can lock up or respond to input incorrectly.

An airplane and its passengers are safest in the hands of a qualified pilot. However, as soon as a hijacker has the capacity to get anywhere near or on the controls of an airplane then immediately at that point peoples life are in danger and that just cannot happen. I like the idea of enclosed cockpits and reinforced bulkheads surrounding the cockpit. I like the idea that pilots have the right to control or manuever their plane however they see fit in order to incapacitate a hijacker. All the more reason to wear your seat belt at all times.



*BAD* idea (2.33 / 3) (#45)
by el_guapo on Fri Oct 05, 2001 at 11:12:10 AM EST

If there is an externally accessible system that can take over a plane then the hijackers now only need to take over that system, and NOT the plane. Bad Bad Bad
mas cerveza, por favor mirrors, manifestos, etc.
How about... (2.40 / 5) (#50)
by nickwkg on Fri Oct 05, 2001 at 12:38:00 PM EST

...a "don't shoot" button on guns and a "don't cut" button on knives.

WTF? (none / 0) (#59)
by Kaki Nix Sain on Fri Oct 05, 2001 at 03:24:40 PM EST

I don't understand your comment in the least. It seems that you might be trying to show the absurdity of having a "don't crash" button on planes. However, your examples aren't absurd at all. Guns do have "don't shoot" buttons; we call them safeties. Knives often have "don't cut" modes, like blades that fold into the handle, or sheaths that cover the blade.

Besides, guns are designed and made in order shoot, knives to cut, but we don't design and make planes in order to crash. To line up with your examples, we would need to be talking about a "don't fly" button on planes. That wasn't the suggestion (although, since such a button would take a large weapon away from terrorists, such a thing might be useful).



[ Parent ]

Great writeup (4.00 / 3) (#52)
by garbanzo on Fri Oct 05, 2001 at 01:09:53 PM EST

Really good writeup! A breath of fresh air too, since layman's reporting (I assume from your writeup you are not a layman) of aviation is notoriously poor: e.g. every single engine plane winds up being called a Piper Cub even though there are a lot more Cessnas flying now than Cubs.

My comfort zone for aircraft automation is this: never get rid of that nice red disconnect. If shit happens, I would always feel better if a pilot could go back to basics. It is just too easy to hack (physically or in software) a system, given enough time.

That said, I would not mind if there was a ground-link automation system. Example: suppose the pilots are dead. If ground control could push a flight plan (including a nice Cat 3 landing) into the FMS and someone could simply press an engage button, that would be nice. Pilots die from things other than hijackers--anything that penetrates that windshield has a good chance of taking out the guy looking through it.

The idea of "hijacker-proofing" an airplane is ludicrous. There are just too many ways that technology can be defeated. Disconnect the generators, for example, and once the batts are tapped, where is your FMS and your ground-based override? Better solution: keep hijackers off of planes.



sure, it's all fun and games--until someone puts an eye out

Crash Now button (3.00 / 2) (#57)
by labradore on Fri Oct 05, 2001 at 02:26:34 PM EST

Either Crash Now or Self Destruct would be better. Of course it would be prone to failure eventually but it's cheaper and safer than a "Don't Crash" button.

Don't always have a "red button" (4.00 / 2) (#58)
by sanj on Fri Oct 05, 2001 at 03:09:01 PM EST

Been there, studied that, wrote the dissertation: http://theses.mit.edu:80/Dienst/UI/2.0/Describe/0018.mit.theses%2f2000-92?abstract= Having said that, there is an extremely important mistake in this well written article: Airbus 320/330/340s have underlying behaviours which CANNOT be turned off. Examples include stall-prevention and overspeed-prevention. I believe that some Boeing aircraft (new 737s, 777) are starting to implement these capabilites. These sound like reasonable things to not be able to turn off, however, there was an incident where an A320's stall system "got confused" and prevented the aircraft from landing. For non-pilots, a landing ends in something very close to a controlled stall. Having said that, I think that a "don't crash" button is an incredibly bad idea. Machines just aren't that smart yet. Sanjay

How to have a SAFE "No Crash" button... (3.50 / 2) (#60)
by jd on Fri Oct 05, 2001 at 03:48:13 PM EST

  • Write the programs properly. Instead of giving 10 undergrads 3 days to develop the entire system from scratch, have a decent-sized development team, and use Formal Methods and Formal Proof. If the program is written correctly, tested and verified correctly, and is supplied correct data, it will work as intended. If it is not, it won't.
  • Write the programs =SIMPLY=. All you really need, for this, is a bunch of proximity sensors, and an evasion routine. You DON'T need to make it more complicated than that, and if you do, you risk introducing errors.
  • At last resort, have an "emergency cockpit" located somewhere else on the aircraft, and have the switch transfer the controls over. (Yes, I know, I've watched far too much trek, but a "High Availability" architecture should work as well for fly-by-wire as it does for servers.)


What gives the idea that tis ISN'T the case?? (none / 0) (#64)
by Bwah on Sat Oct 06, 2001 at 02:31:04 PM EST

Your first point worries me. Not to sound like a jerk, but do you have ANY idea what flight control system (FLCS) development is like? Avionics system development is usually fairly rigid and formalized. FLCS development (in my past experience anyway) _IS_ the the _DEFINITION_ of formal process driven development and rigorously tested software. Digital control systems tend to lend themselves fairly well to this type of thing.

I realize the 10 undergrads comment was an exageration, but it looked as if you are trying to say that flight control developement is haphazard and needs to change. Nothing could be further from the truth.

Sorry, but you hit a nerve ... :-)

--
To redesign an infinite ensemble of universes: what terrible responsibility, what arrogance ... It sounds just like the type of thing your average Homo sap would do for a dare. -- Stephen Baxter
[ Parent ]

Yes, I know what FLCS is like (none / 0) (#68)
by jd on Mon Oct 08, 2001 at 01:11:52 PM EST

I've also had a LOT of experience with supposedly "formal designs" being, uhhh..., well, less than formal.

Formal designs, to me, mean:

  • A proper formal specification
  • Black-box designs
  • Total seperation of I/O from core code
  • Formal testing (and ideally some formal proof, though that's usually impractical on any large scale)

Since I don't distinguish hardware from software, I would also include:

  • Fault-Tolerence (or, at least, High Availability), with the ability to fail-over any software or hardware component.
  • UPS (an obvious one! but one that does get missed!)
  • Some EMF resistance

It's this last one that's the real killer, for avionics. The electronic "smog" generated by, say, domestic & street lighting has knocked out RADAR installations at Heathrow Airport, one of Britain's busiest International airports. (Mind you, they have a lot better shielding, now.)

But this kind of noise is likely to be as bad for aircraft, if not worse. At 30,000 ft, during a large solar storm, your electronic systems are going to get a serious pounding, on top of the crap it's being blasted with from down below. This means you've got to add oodles of error correction, for a worst-possible case scenario. (There really isn't much point in having any, otherwise.) And that adds to the weight & energy requirements, both of which are severely restricted.

Ok, so let's say you've got everything you need, in terms of shielding, error-correction, fail-over, robust software & hardware, etc. What then? Then, you can add all the "Don't Crash" buttons you like, with the (nearly) absolute certainty that if you hit one, that aircraft will not crash. It might do a lot of other things. It might even solve Maxwell's Equations for a ring singularity. But crashing isn't going to be one of them.

[ Parent ]

... and watch it blow (none / 0) (#65)
by hesk on Sun Oct 07, 2001 at 11:30:44 AM EST

Write the programs properly. Instead of giving 10 undergrads 3 days to develop the entire system from scratch, have a decent-sized development team, and use Formal Methods and Formal Proof. If the program is written correctly, tested and verified correctly, and is supplied correct data, it will work as intended. If it is not, it won't.

And then watch it blow, like the European Arianne 5 rocket on first launch.

Riiiight.

Computers are programmed by humans. Humans make mistakes. It is as simple as that.

[ Parent ]

Arianne 5 (none / 0) (#69)
by jd on Mon Oct 08, 2001 at 01:24:03 PM EST

The software on Arianne 5, which swapped a + for a -, should NEVER have been able to pass even the most basic of software quality reviews, never mind a formal mathematical proving.

When it comes to multi-million dollar projects, you can afford to spend the extra few weeks, months or even years, to rigorously test and (ideally) prove everything.

As NASA has found out, it's easy to make mistakes, but when your vehicle is approaching Mars, it's much harder to fix them. However, mistakes are needless. Yes, humans err. But so what? If you have a validated, robust specification, and a program that is allegedly identical to it, then you can get the computer to comare them.

If you want to go one step further, you apply intensive testing. How does EVERY routine act, when given data which is normal, extreme or erronious? (With at least 10 examples of each.) This kind of test-harness approach is so utterly standard and so mindlessly trivial to do, and yet so very good at catching bugs, that this could easily be usable as a "fitness for use" test by consumer protection groups.

  • The most extreme testing, whereby the program is mathematically proven correct, line-by-line, is incredibly intensive on resources. You're talking a large team, over a LONG period of time, to even verify a moderate program, by this means. But, as I said, when it comes to rockets, where it can easily be $200,000,000 a throw, even spending that much again can be worth avoiding rebuilding and trying again.

    If the European Space Agency had hired 500 additional programmers, at $40,000 a piece, to go through the entire program, formally testing and verifying -everything-, Arianne 5 would have launched without a hitch, and the ESU would be years ahead of NASA on control software.

    [ Parent ]

  • Ariane 5 - Not a simple +/- mistake. (none / 0) (#71)
    by gorilla on Tue Oct 09, 2001 at 02:36:12 PM EST

    The software on Arianne 5, which swapped a + for a -,

    No it didn't.

    Ariane 501 was destroyed because of the shutdown of the SRI units, which are used to give the vehicle it's position.

    The code was reused from the Ariane 4, and because the Ariane 5 is a bigger and faster vehicle, the horizontal component can be bigger than is possible on the earlier vehicle. This value is read from a 64bit floating point number, and coverted to a 16bit integer value. This conversion overflowed, and as designed, the software halted, as the original Ariane 4 designers knew that this could only occur due to a hardware failure on the horizonal bias sensor. When the code was decided to be reused for Ariane 5 there was a review of the limitations, but the implications of the trajectory were not considered.

    In other words, the SRI behaved perfectly to spec, as designed. Unfortunatly the real world conditions were not what the humans designing the spec thought they would be. When the specifications where exceeded, the designed in recovery action - to shutdown, was performed. You could have had a million programmers all looking at the code, and you would have been wasting your money, because the problem wasn't there.

    This is a problem on any big project. No-one person can understand it all. The engineers designing the flight trajectory of the Ariane 5 understood that there would be 5x bigger horizontal movement. The engineers designing the SRI understood the possible range of values in the Ariane 4. No-one communicated that the values in the Ariane 5 would be bigger.

    [ Parent ]

    Regarding hijacking. (3.00 / 1) (#61)
    by mindstrm on Fri Oct 05, 2001 at 04:31:35 PM EST

    I'd imagine nobody for the forseeable future will try to hijack an airplane near American soil again.
    I'd imagine the passengers would, at all costs, rip the hijackers limb from limb and eat their corpses.

    In all seriousness, though.. I think half the battles is having passengers who don't just sit idly by like sheep waiting for it all to be over. Their lives are threatened as a unit, indiscriminately, so they should all rise up to protect each other.


    Well... how about this? (none / 0) (#62)
    by TheLaser on Fri Oct 05, 2001 at 07:45:17 PM EST

    Put the "Don't Crash" button in the cockpit, not on the ground. When the pilot pushes it, the plane goes into a circle at a safe altitude, and contacts ground control via a satellite. Ground control can then either remote control it down safely, or override and return control back to the airplane (maybe).

    The idea here is that hitting this button would prevent terrorists from using the plane as a weapon as it could not be overrided from on the plane. Allowing it to be overrided from the ground, but not invoked from there eliminate the problem of terrorists/script kiddies messing with the plane from the ground. The problem of "override the lockout, or I'll kill people" still exists however. Perhaps it should not be possible to do so until the plane has landed somewhere.

    Anyway, the problem here is that the pilot has to engage the lockout before the terrorist prevents him from doing so. It wouldn't always work, but then again, even stopping half of all attempts would be desireable.

    The best of a bad idea (none / 0) (#70)
    by wnight on Mon Oct 08, 2001 at 03:43:20 PM EST

    If a Don't Crash button is ever going to be implemented, that's the way to do it.

    I don't think it's really practical, but it's a lot moreso than any other idea I've heard for it.

    The only problem is that it's a flight-control system the pilot can't override, if the capability exists for this then the plane can also override the pilot in other cases. (If it's a fly-by-wire system that can simply ignore pilot input, it can decide for some other reason to ignore pilot input...)


    [ Parent ]
    Very good idea (nt) (none / 0) (#75)
    by Dwonis on Sat Oct 13, 2001 at 01:40:25 PM EST

    That's a very good idea.

    [ Parent ]
    Encryption (none / 0) (#74)
    by Dwonis on Sat Oct 13, 2001 at 01:29:36 PM EST

    Of course, the US government will demand use 56-bit DES encryption for the system.

    The "Don't Crash" Button | 75 comments (70 topical, 5 editorial, 0 hidden)
    Display: Sort:

    kuro5hin.org

    [XML]
    All trademarks and copyrights on this page are owned by their respective companies. The Rest 2000 - Present Kuro5hin.org Inc.
    See our legalese page for copyright policies. Please also read our Privacy Policy.
    Kuro5hin.org is powered by Free Software, including Apache, Perl, and Linux, The Scoop Engine that runs this site is freely available, under the terms of the GPL.
    Need some help? Email help@kuro5hin.org.
    My heart's the long stairs.

    Powered by Scoop create account | help/FAQ | mission | links | search | IRC | YOU choose the stories!