We Can Build a Hijack-Proof Airplane But Should We?
Experts have tested a system that wrests control of a plane from a pilot who might be suicidal or crazed, but no one knows what would happen after the pilot is out of the picture.
Just how lax is Lufthansa’s screening of wannabe pilots?
The revelation by a Duesseldorf prosecutor that Andreas Lubitz, who crashed his Germanwings Airbus A320 into a mountain a week ago, had been treated by a psychotherapist “for what is documented as being suicidal” tendencies was a shocking indication that, apparently, the airline had no access to his earlier medical history—and no interest in it.
As with many of the official statements made so far about Lubitz’s state of mind this one raised as many issues as it answered. The prosecutor said that the suicidal condition was treated “before he became a pilot.”
That’s a key phrase, and ambiguous. Lubitz had actually been a pilot since when, in his teens, he learned to fly gliders. He began training for commercial airline flights in 2008 but it was not until 2013 that he qualified to fly for Lufthansa’s subsidiary, Germanwings. If this is, indeed, the date that the prosecutor is citing, it implies that Lubitz was being treated by the psychotherapist while already being trained to become a copilot—and that this alarming condition was never either discovered in his medical examinations or disclosed by him.
There is also so far no information about medication that the 27-year-old was taking during his Germanwings years, and what its effects might have been on his proficiency as a pilot.
But the hard reality remains that Lubitz represents a threat to aviation safety, the suicidal pilot, which will always be extremely difficult to detect.
Which raises the question: As well as taking the steps now being advocated to make cockpits less vulnerable—to tighten the screening of applicant pilots and never leaving one person alone on the flight deck—is there a technology solution that would neutralize the actions of a crazed pilot or a hijacker?
Honeywell, a major supplier of avionics to airplane manufacturers, tested after 9/11 a system that would take control away from a pilot who, for whatever reason, was heading straight for a building, terrain, another airplane, or into restricted airspace—like over Washington, D.C., and the White House.
Honeywell took its existing enhanced ground proximity warning system (EGPWS) that is fitted to thousands of airplanes and added a new ability to the software, an “assisted recovery system.”
The standard EGPWS detects any dangers in the flight path of the airplane via radar and gives a pilot adequate warning to execute avoidance—on the Germanwings A320 the warning is reportedly audible on the tape from the cockpit voice recorder but was ignored by Lubitz.
The assisted recovery technology—“assisted” being a polite euphemism for “you are relieved of command”—allowed the autopilot to immediately steer clear of a threat using a range of maneuvers well within the safety margins of a flight.
The problem is, however: what then?
I am told that there were several reasons why the new smart system has not been implemented. The first is that in the event of deliberate criminal action, rather than just pilot negligence, the autopilot would need to be capable of retaining command of the airplane until it made a safe landing—but a really determined pilot could disengage the autopilot and still crash. Another is that pilots have always been extremely wary of anything that removes command from them, and this would also raise tricky legal liability problems for an airline.
However, evidence that the technology is ready and fit for the purpose came last November, when General Atomics, which builds military drones, revealed that it had successfully tested the same system on a Predator drone. The pressure to equip military drones arises because they increasingly use airspace close to that used by commercial flights. In the event that the drone pilot, often thousands of miles away on a military base, lost control the automatic avoidance control would be activated. Because a drone is already a robot there is no issue of depriving somebody in a cockpit of his authority.
The maturing of this technology means that there is, at least in theory, a middle way between leaving authority with pilots and the far-fetched idea of pilotless airliners. In the event of a rogue or otherwise incapacitated pilot a controller on the ground could assume command and bring the airplane down safely to an airport. Given how automated both the airplanes and the air traffic control system will be by 2025 that is not as much of a stretch as it might seem—but each advance opens a new threat, and in this scenario it could be the ground-control system that’s compromised and not the airplane.
Meanwhile, searchers at the crash site have not yet located the flight data recorder. They found the casing of the second “black box,” but the impact of the crash was so violent that the guts were torn out. The casing is designed to survive an impact of up to 310 mph but the A320 hit the mountain at more than 400 mph, instantly disintegrating into thousands of pieces.
The data in the recorder is stored in chips on a circuit board no bigger than an iPad Mini. Without its casing the circuit board would be unprotected from the effects of weather as well as the forces of the impact itself. If it is to be of any value it must be found soon.
So this is yet another case to add to many others where the absence of data streamed in real time from the airplane to the ground is leaving investigators without an essential tool for understanding the “how” of this crash, even if nobody will ever be able to explain the “why.”