David coursey who wrote this article is looking for views and points on what Steve has written with the intention of presenting it to the FAA.

If fellow PPRuners don't mind I would forward the replies to David and Steve.

What are your thoughts ?


How do we prevent airline hijackings? Already we're hearing proposals to put plainclothes sky marshals back on board--presumably to shoot it out with bad guys. After all, the end of skyjackings to Cuba roughly coincided with the arrival of the first generation of sky marshals...or was it Fidel's jailing of a few of these just-arrived revolutionaries? All I am sure of is gunfire and aircraft are a deadly combination, no matter who fires first.

Improved airport security is another way to make planes safer. But eventually the perceived threat decreases while the impatience of passengers increases. Once these two lines cross we end up back where we were Tuesday morning. And, of course, it's impossible to keep all knives off airplanes unless the meals are changed to Jell-O and PowerBars.

WHAT WE NEED is a way to make planes impossible to hijack. My friend Steve Kirsch thinks he has just such an idea, using mostly proven, off-the-shelf technology

First, however, an introduction is in order. Steve is best known as the founder of Infoseek, the search engine and Web portal he sold to Disney while the selling was good. His newest company is called Propel and creates software to eliminate database bottlenecks.

A few years ago, he used a million of his own dollars, got several million of Bill Gates' dollars, and raised other millions in order to save the United Way in San Jose from a huge budget deficit.

ANYWAY, HERE'S STEVE'S IDEA, which is based on the fact that all modern-day planes have global positioning systems (GPS) and are capable of landing on autopilot.

"(Install) 'safe mode' panic buttons that put the plane on forced autopilot that cannot be overridden, except in special circumstances," Steve says. He'd have them mounted in the cockpit, one for each side, with additional optional buttons in crew areas on each side of the plane in both the forward and aft cabins.

Once a plane is in safe mode, suggests Steve, it would randomly select one of the 10 nearest airports capable of accommodating that plane type, and automatically land the aircraft there.

"This technique works because you take both the pilots and the terrorists out of a control situation," he explains. "A terrorist can no longer threaten the pilot to 'Do this or I will kill people' because the terrorist knows that the pilot can't accommodate the demand no matter what."

UNDER STEVE'S PLAN, the terrorist can't get what he wants. His only option then is to kill all the people on the plane, and if his only objective is loss of life, a plane is a mighty tough target when there are easier ones (like buses) available.

Bottom line: there's no more motivation to hijack a plane. All that the hijacker could accomplish is causing the plane to land at a randomly selected airport.

"In fact, it's much worse than hijacking a bus because in the plane case, the hijacker is completely locked up and directly transported to a random jail location that he can't plan for," Steve notes.

Under what circumstances could forced safe mode be overridden?

Here are some highlights.

Safe mode disables on touchdown so the pilot can raise flaps, put on the brakes, and reduce the throttle.

Safe mode can be disabled twice per flight if the pilot keys in a 4-digit recall code within 20 seconds of the safe button being pushed. Each pilot has his own 4-digit code that can be used only once per flight. So disabling two false alarms requires the cooperation of both pilots. There are audio warnings in the cockpit as well as lights flashing when someone hits the safe button. If there are further panic button presses after that, the plane will be forced down.

The pilot is allowed to manually vary the altitude of the plane between 15,000 and 40,000 feet above ground level, even when safe mode is engaged, to enable the pilot to maneuver around obstacles and some weather. The pilot can also inform the autopilot of weather areas to avoid.

As soon as a panic button has been pressed, whether accidental or not, ground crews are notified.
The big benefit of Steve's proposal is not necessarily that it is ever used, but that just a belief that it exists and works would be enough to prevent skyjackings. In this way, I see safe-mode jetliners as accomplishing what time-lock safes did for convenience stores and fast-food joints. Sure you can rob them--but only if you are willing to hang around 10 or 20 minutes for the safe to open. Steve's plan likewise takes the incentive out of skyjacking.

Steve is hoping that someone out there can punch holes in his idea or, alternately, help present it to the FAA, the airlines, aircraft manufacturers, the pilot's union, passenger organizations, and others who might help make our skies safer

Steve's idea is ok, but;

Not all planes have GPS.

They will blow up the plane simply because they might not be able to hijack it.

All this doesn't address the ROOT CAUSE of these idiot's activities. And that's the job the Western World has right now.

A very high tech solution is interesting, but it would probably be simpler and more cost effective to install a toilet and mini galley in each cockpit and surround the whole lot with an armoured door/bulkhead.

I do not think that it is realistic to tackle the root cause of this particular problem. There will always be some disaffected nutter whether he is protesting about the Middle East, abortion rights or the lack of free school milk.

Depressed of Glasgow

Technically, a feasible and not unrealistic idea, notwithstanding that Budgie's approach is probably easier to certify. I suspect that the largest difficulty in certification is that you have a system which can disable the primary cockpit controls, including fuel cocks, throttles, transponder, etc. but presumably not the radios. Not a huge problem with a modern electric jet.

I think personally that the idea of allowing the crew to disable the AP after operation is unrealistic - consider the hijacker that forces the pilot down the back and then holds a knife to his throat until he gives the code. May I suggest the following: -

(1) System can be manually operated by crew, or (with aid of ID tags or whatever) triggers automatically if no flight crew are in the cockpit for more than (say) 5 seconds.

(2) System automatically aligns for diversion field, and squawks 7500.

(3) System can only be de-activated by transmission from the ground of an encrypted code. They would no-doubt do this on a calm discussion on company frequency from the Captain, but any sounds of stress in his voice, etc. they simply refuse. At worst case severe embarrassement,some peeved SLB, and a blocked runway. Any sensible planner would only use military airfields if possible for the diversion anyway - who can cope with a blocked runway rather better than most civil airports (and have an existing supply of people with guns, which may be helpful).


I think it could only be done in an aircraft with full FBW without manual reversion (such as an Airbus), and possessing a cat-3 autoland. You also need to find some way to override the trimmers, which are usually mechanical and required in case of primary control system failure on an airliner - without taking away their availability in the case of a more mundane emergency.

I'm an airworthiness Engineer by profession and would be glad to stick my oar in if it would help, but to be honest I've never worked on these complex AFCS controlled aircraft and there are better heads than I out there.

Incidentally the existence or lack of GPS is irrelevant. A modern airliner uses a combined Nav system which takes INS, GPS, and other sources of data to give a best position. In fact reliance on GPS alone would be foolhardy, since it's extremely easy to jam. INS then ILS is probably the most secure method.

G

[ 14 September 2001: Message edited by: Genghis the Engineer ]

Well to start with this would only work on fly by wire airplanes. I don’t consider it an attractive idea to introduce this kind of computer program.
Secondly this would mean that a pilot-less airplane will fly the pax, this involves the whole discussion if this is acceptable.
Third problem is that by allowing some input you could for instance tell the computer about a fictive thunderstorm that it should avoid so it flies to a area of your choice, blowing up an airplane over the wrong area is bad enough.

The idea is noble but in reality everything isn’t coded as it is in the computer world. Every situation needs interpretation and man can only do this.

Great Idea!

From there on, terrorists only have to break in the central computer, and can steer a much greater number of planes at the same time from the ground!!
You don´t have to find fanatics anymore, who are ready to die, only guys who would be happy with a lot of money, and a capable software, because as soon you have a link from the ground to the flight controls, you have the infrastructure for any kind of software...

Unrealistic? If I told you last week, that the WTC, the pentagon, 4 planes .... and so on...

If it exists, another desaster will happen. And then the whole world will cry out: "We need a big red knob in the cockpit, so the pilots can disengage!!"

I was thinking of a similar idea as well, but implementing it would be a huge challange. Though many FBW systems could have their FMC programmed with such scenarios, you would have to modify the A/C to be able to configure flaps/gear for landing even if it is CATIII certified. And that still leaves out the whole thousands of older A/C that don't offer any of these features.

I like the idea of placing some sort of chloroform/knock out gas system in the cabin that could be activated by the cockpit crew in the event of trouble; a few seconds to don your oxy mask and punch the button, within 10-20 seconds everyone is passed out. Divert to the nearest suitable field and by the time everyone wakes up, the cabin is filled with SWAT teams.

In addition, does anyone know if it would be possible to train cockpit crew in various types of high-G manouvers that could disable anyone who wasn't strapped in...i.e. a high-G split-S or Immelman that would throw anyone not strapped in to the back of the A/C and probably knock them out and/or break a few bones in the process. I don't know what the load limits are on a large airliner, but I'm under the impression that they're higher than most people in the cabin could stand. I've read numerous reports of FA's breaking ankles during encounters with clear air turbulence. Would not some crazy manouvering of the A/C have the force to disable anyone/thing not secured?

Lets hope it doesn't divert itselt to somewhere with a fourty knots x/w component, contaminated runway and windsheer!

I'd venture to suggest Ecam that an airliner with a bent undercarriage, and run off the edge of a military airfield somewhere, is considerably better than the recent alternative.

All things considered, I think the actual solution that will happen is obvious - cockpit visits of any description are likely to become a thing of the past.

G

A great idea - even if it isnt in operation, informing the media that this piece of equipment has been installed would deter some I believe.
Lets face it the Americans had the whole world beliving that they had a Star Wars programme in the 1980s. I was only recently that the truth came out, that it was just a gov ploy. It certainly had the Ruskies pooing Bricks.

If it saves one aircraft it is worth it.

While the idea sounds good in theory just imagine the number of lines of code that such a program would require both in the aircraft and on the ground.

In practise would you be happy to trust your life with an interactive system that would rely on it being absolutely bug free in every conceivable set of circumstances ?.

[ 16 September 2001: Message edited by: henry crun ]

Great initiative, but I'm afraid it won't work. Everyone agrees that there should be some kind of way to override the system once engaged. Well, won't it be very easy for the hijachers to demand the system to be taken offline or else... . :(
And even in the most sophisticated aircraft, say a FBW airbus, a pilot is still required to engage the approach mode, lower flaps and gear etc. ... .

Anyway I don't think you'll find a guy who 'd be interested in debugging it! :eek:

but please keep ideas like this coming, we'll find something one day....I hope.

ADM

As a point of interest, I recently suggested a much similar approach in a post on another forum at pprune. The bottomline concept - to make success impossible for a repeat of the murderous WTC strategy - is important as a deterrent to future attempts; the final technical details of implementation are important and must be left to appropriate experts, but the functional objective of preventing takeover kamikazi missions is clearly essential - and it is clearly achievable with current aircraft using readily available reliable technology.

FWIW, my 091201 post to pprune in re same topic:
--------------------------
Controlling hijackers is a problem with onion-like layers. Although the possibility of a disaster like the WTC takeovers has long been a danger that risk analysts could forsee, the financial and political motivation to put teeth behind its prevention have been lacking. The DB Cooper model of 'benign' hijacking seems to have prevailed. Now we clearly perceive a broader and deeper threat that requires more powerful counter layers.
At the top level, Control Access - to the aircraft, to weapons, especially to the cockpit. The classic formula.

In the middle levels, Limit Ability of pax to take control of the cabin - via shotgun guards, mace, karate-trained stews, thin air, lighting, etc.

At the next level, Limit Ability of any hijacker in control of the cabin to enter the cockpit - with physical barriers, crew weapons, and other kinds of gotchas.

At the final level, Eliminate the possibility of completing the hijacking mission - at least the WTC/Pentagon style and preferably most others types - by auto limiting control / course/ range/ speed options when authorized crew not at controls, by including automated squawk functions when specific crew members absent or inop, and maybe for FBW aircraft something along the lines of a deadman's control that limits power in hijack case as soon as aircraft is within x-range of a suitable airport, perhaps triggered by combination of inop crew and ground signals or chase plane telemetry.

Desperate measures, but more benign and therefore more likely to be invoked than shooting a wayward airliner out of the sky. All the above - and more - relatively cheap with contemporary technology - somewhat analogous to an ejection seat - powerful stuff, not for casual use.

The ultimate objective is to convince methodical would-be hijackers, before the fact, that they cannot successfully achieve targeted kamikazee style mission objectives.

Personaly I dont think such a complex high tech solution would will solve the problem. After all if it can be disengaged or manuplited in any way before the aircraft has landed, then its safe to assume that it will be. Either by pilots forced to give out codes or ground authorities being tricked into releasing the mechanism remotly under the threat that the hijacker will murder everyone on board until they do.

However if a solution is prevented where manipluation or disengaging cannot be performed its going to cause serious problems of false alarms and dangerious situations where the pilot has no control what so ever over the aircraft.

[ 17 September 2001: Message edited by: Captain-Ireland ]

Any computer system is open to hacking, and freezing. Any 'safe mode' that must be able to be over-ridden, can be over-ridden. Any 'sky marshall' with a gun is liable to have that same gun used against him. Any martial arts trained cabin crew member is liable to come up against better trained, more capable and/or more numerous opponents.

Increased security on the ground is all well and good- but some one will beat it if they try hard enough.

Removing a high-jackers "win" scenario is THE most effective way to remove high-jackers from acft. They simply won't get on board in the first place.

The simplest, most effective and most guarranteed way to accomplish this is to remove the cabin's access to the cockpit. Self contained cockpit, also with it's own environmental system. "Holy sh*t" buttons for cabin crew to press should there be any ruckus in the cabin to alert the cockpit. Flight crew or "sky marshal" (in this case lets call him/her "video surveillance") are warned and monitor events in the cabin on closed circuit cameras. If situation warrants, captain orders KO gas released into cabin. Rule addition to include "All flights must carry sufficient 'KO gas' to reach closest suitable alternate at any stage of flight" - or some such. Ground crew alerted, acft lands, pax wake up with headaches, Mr High-jacker and friends wake up on death row sans appeal.

I'm a driver, not a fixer nor a maker- so please excuse my "oh lets just make the cockpit and the cabin separate environmental systems". I figure it cannot be too easy nor cheap to make two separate pressue hulls, but then again maybe it can be done relatively cheaply by one of you brilliant folk.

Then again, maybe there is call for both ideas- so the captain has a "sh*t, the co-pilot is a nucking fut and is trying to kill us all" button. But making your computer system fail safe will prove much harder than installing my bulkhead.

At least i think so... :confused:

And I got all excited when I read "Silicon Valley's Plan To Stop Skyj...:

I thought that you were about to offer some intellence on how chipmakers plan to stop the falling prices of silicon chips! DOH!

Unfortunately I own a few AMD and Intel stocks...

Not a bad idea, but my toes curl at the tought of Coke-Bottle Man in Silicon Valley programming an airliner to fly. Flight 2000 (apparently the best) is cr@p. Ask your mate to have another latte and think again.