Defending Against the Crazy Pilot Scenarios

There's strong evidence that the co-pilot aboard the Germanwings flight that crashed in the French Alps was, in a word, crazy. It appears he locked the post-9/11 reinforced cockpit door while the captain was using the toilet, and he also blocked the door override code as any cockpit occupant is allowed to do. The captain couldn't reenter the cockpit, and the co-pilot intentionally crashed the plane, killing himself and 149 others.

Exactly the same thing happened in 2013 in a murder-suicide crash in Africa that killed 33 people (including the perpetrator). And the same thing may have happened on at least three other occasions in the past several years.

Once is a fluke, but twice is a pattern. As my previous post described, aviation safety experts knew that the FAA's (and other regulators') orders to reinforce cockpit doors would result in more fatalities associated with crazy pilot scenarios. We're now seeing their unheeded warnings become real. And unfortunately copycat incidents are quite possible.

In the immediate aftermath of the Germanwings crash, airlines around the world are requiring that the cockpit always have two occupants, at all times (except when parked at the gate). Typically this would mean that when a pilot wants to step out to use the toilet a flight attendant would take his/her place. What this means in practice is that an 80 kilo crazy pilot now would have to incapacitate a 50 kilo flight attendant in order to commit murder-suicide.

While I appreciate the airlines' prompt change in operating practices, this change in policy will only help a little bit. The last line of defense will be, typically, a 50 kilo flight attendant with no knowledge of the switches and controls in the cockpit and no ability to pilot the airplane. If the crazy pilot wants to incapacitate that flight attendant, he/she will have the advantage of complete surprise. Maybe the airlines think differently, but I don't think this last line of defense is going to be much of a defense. Moreover, that flight attendant now has the opportunity to be the crazy one, and that's another, new risk.

What I think the regulators now need to do is not allow any occupant in the cockpit to disable the override code to open the door. According to press reports, on an Airbus A320 any knowledgeable cockpit occupant -- and the Germanwings co-pilot certainly was -- can block the override code from opening the door. That block lasts either 5 minutes or indefinitely -- press reports vary.

Why? I assume it's because the regulators were afraid that a crazy crewmember would open the door with the override code, storm the cockpit, incapacitate the pilots, and crash the plane. Well, yes, that's a possibility. But obviously there can be one or more crazy people in front of the door, in the cockpit.

There is an effective solution here, even if the regulators don't want to go back to pre-9/11 bashable (eventually) doors: a plane-wide alarm. That is, whenever the door is left open for a certain number of seconds, or whenever anybody uses the override code to open the door, a plane-wide alarm would sound. It could be a coded alarm that only the crew (and particularly knowledgeable passengers) understand, or it could be a general alarm that everybody understands ("Warning: Cockpit Door Open!"). But it would be an alarm that effectively declares, "We have a problem. Everybody work together now to save the plane." There should not be a 5 minute (or indefinite) block on the override code. That block should be about 10 seconds, during which time the door alarm sounds, plane-wide. It should not be possible to disable this particular alarm, though eventually it could stop sounding if the door is closed.

Let's hope the FAA and other regulators act more thoughtfully this time.

Is 9/11 Overreaction Now Killing Airline Passengers?

With the important caveat that press reports are sketchy and could be in error, there are reports that one of the two pilots of the Germanwings flight that crashed in the French Alps, killing 150 people, was locked out of the cockpit and couldn't get back in. If that's what happened, unfortunately this accident (and others like it, in the future) was predicted. Public officials may be learning a hard lesson: their overreaction could be killing (and will surely kill) people.

After the 9/11 terrorist attacks in the United States, public officials ordered the aviation community to improve security, understandably. Airline passengers around the world are now often taking their shoes off, removing laptops from bags, surrendering their large bottles of cologne and tubes of toothpaste that exceed liquid and gel limits, and so forth. Most of these "improvements" are annoying and costly but relatively harmless.

Public officials also ordered aircraft manufacturers and airlines to reinforce cockpit doors and to keep them locked as often as possible. They also ordered airlines to adopt protocols restricting passengers from lingering near the cockpit door and to block access to the door (using a beverage cart, for example) when a pilot needs to open the door, to visit the toilet for example.

All of these cockpit door measures rely on a critical underlying safety assumption that public officials probably did not fully comprehend or consider: both pilots must be infallible. If one pilot decides to strangle the other pilot, for example -- or simply lock the other pilot out of the cockpit while he's visiting the toilet -- then there's literally nothing anybody can do to save the airplane and the people aboard it. It simply doesn't matter if America's finest military pilot is sitting in seat 28C, ready to save the plane. Reinforced cockpit doors are remarkably effective in separating the passenger cabin from the cockpit, by design. However, the doors have no way of adjudicating whether the cabin occupants or the cockpit occupant are/is crazy or medically distressed.

In other words, after many decades working to eliminate single points of failure in aviation, with tremendous safety benefits in saving lives, the post-9/11 introduction of mandatory reinforced cockpit doors introduced a new single point of failure in the aviation safety system. If either pilot wants to commit murder-suicide, or if the one pilot left on duty simply has an incapacitating medical problem while the other pilot is visiting the toilet, the airplane is lost. These safety risks are thoroughly predictable, and many aviation experts predicted them.

What's also frustrating is that anybody logically analyzing 9/11, taking into account human behavior, would realize that that type of attack is extremely unlikely to happen again. The 9/11 attack taught passengers and flight crew that resisting attack, in the air, promptly and with massive force, is the only viable option. In fact, 9/11 taught that lesson so well, so effectively, so quickly that passengers and crew aboard United Airlines Flight 93, having heard the fate of other hijacked airliners that same morning, resolved to resist their hijackers. They did, and they saved probably hundreds of lives on the ground as UA93 crashed in rural Pennsylvania, far away from populated areas. They had a chance to save not only people on the ground but themselves, and they took it. Their sacrifice should have taught public officials that 9/11 simply will not happen again, certainly not that way.

But instead public officials overreacted in at least one area. They overruled many safety experts, and they ordered the installation of impenetrable cockpit doors. And thus they put the lives of all airline passengers and flight crew in the hands of a single point of failure, on every flight.

Fortunately most pilots don't commit murder-suicide, and fortunately most pilots don't have strokes or other incapacitating medical events while the other pilots are using the toilet. But a few will, and the reinforced cockpit door will effectively block the non-crazy and the healthy from preventing crashes and fatalities. That's exactly what might have happened aboard Germanwings 9525 and even possibly Malaysian Airlines 370. But if it didn't happen aboard those flights, it surely will happen at some point in the future.