How to prevent commercial air hijackings

This is BACKGROUND info on the disable idea.... some old thoughts that I went through in thinking about this...and deleted text from the main article

Be sure to read: How to prevent air hijackings as that is the official document.

(described in detail), but it's longer term. SAFE mode, would be extremely effective on fly-by-wire planes (Airbus, 777, etc). Yet SAFE mode (which is not much more than a "stuck" auto-pilot switch!) would still be useful a useful hijacking deterrent in older models (where auto-pilot can be "physically" overridden) because 1) in the event the pilots are killed, there is a chance it would save the plane and 2) at a minimum, it would tie up 2 terrorists who would have to be in the cockpit 100% of the time to override the controls (they would also have to be more skilled pilots than the 9/11 hijackers).

All modern day commercial aircraft have GPS systems and virtually all are capable of landing on autopilot. So why not put “panic” buttons mounted in the cockpit (one on each side of the cockpit) and a panic keypad in crew areas (one on each side of the plane in the forward and aft cabins) that put the plane into a SAFE mode. Once a plane is in SAFE mode, if the pilot deviates significantly (in altitude or direction) from the primary pre-arranged flight plan (or from three pre-programmed alternates that the pilot can choose from due to weather, air traffic, or airport closures), the auto-pilot automatically will temporarily engage just long enough to put the plane back on course, even landing the plane (using ILS) if necessary. We've had the technology to do this for years... in fact, it exists on virtually all commercial planes.... it's called the "gosh darn, the auto-pilot engage switch is stuck." On fly-by-wire aircraft, it can be done in a way that cannot be over-ridden by the pilot... Airbus planes keep a pilot from doing anything "fishy" (by engaging the autopilot temporarily, exactly as we suggest here) and this mode is active 100% of the time! But in all other planes, even if they are not fly-by-wire, the "stuck autopilot"  becomes a nuisance to a hijacker (who must man the cockpit as well as be an excellent pilot) and a potential lifesaver to those in the plane (if the pilot is killed and the hijacker doesn't know how to fly the plane).

There is also a good argument for randomly locking in one of the nearest airports (chosen at random when SAFE mode is enabled and after electronically querying the airport to ensure that the weather is good and which runway to land on and if no response/"bad weather" response from the airport, the system will try another airport so that the choice of airport is done automatically)...it gives the hijackers much less time to think and it avoids weather problems (although fuel dumping might be an issue). In crowded areas such as JFK, the "allowed zone" would be very tight, i.e., the closer you get to the ground, the less tolerance you'd have so that it would be impossible to hit any buildings (all commercial planes are required by the FAA to have building height info by 2002).

All modern day planes have GPS systems and are capable of landing on autopilot. So put "SAFE mode" panic buttons mounted in the cockpit (one on each side of the cockpit) and (optionally) in crew areas (one on each side of the plane in the forward and aft cabins) that put the plane on forced autopilot that cannot be overridden (except as specified below). Once a plane is in SAFE mode, it will randomly choose from the 5 nearest airports capable of accommodating that plane type, and land it. 

This technique works because you take both the pilots and the terrorists out of a control situation. A terrorist can no longer threaten the pilot to "do this or I will kill people" because the terrorist knows that the pilot can't accommodate the demand no matter what. So the terrorist can't get what he wants...the only thing he can do is kill all the people on the plane...and if he just wanted to kill people, bus hijackings are MUCH easier than plane hijackings. Bottom line: no more motivation to hijack a plane. In fact, it's worse than hijacking a bus because in the plane case, the hijacker is completely locked up and directly transported to a random jail location that the hijacker can't plan for.

Here are a few details (there are lots of different variations of the same general idea):

  • SAFE mode disables on touchdown so the pilot can raise flaps, put on the brakes, and reduce the throttle. 
  • SAFE mode can be disabled twice per flight if the pilot keys in a 4 digit recall code within 10 seconds of the SAFE button being pushed. Each pilot has his own 4 digit code that can be used only once per flight. So to disable two "false alarms" requires the cooperation of both pilots. There are audio warnings in the cockpit as well as lights flashing when someone hits the SAFE button. If there are further panic button presses after that, the plane is forced to land at a randomly selected airport. The pilots would also have video surveillance cameras in the body so they could see what is going on without having to open the door. 
  • The pilot is allowed to manually vary the altitude of the plane between 15,000 and 40,000 feet above ground level even when SAFE mode is engaged to enable the pilot to maneuver around obstacles and some weather. The pilot (or ground) can also inform the autopilot of weather areas to avoid.
  • As soon as any panic button has been pressed, whether accidental or not, ground crews are notified. If they contact the plane and if a secret pass phrase is NOT provided, they absolutely know there is trouble (and should prepare for trouble in any case).
  • The airport will be randomly chosen and the selected airport will be immediately radioed to ground control (and not available to the pilots until just before landing). This prevents the terrorists from having a getaway plan at the airport, and gives airport authorities plenty of warning.
  • SAFE mode is automatically enabled if the cockpit door is damaged or opened without an authorization code, and the 4 digit recall codes are disabled. So even if a terrorist knew the recall codes, and could disable all the crew, they couldn't enter the cabin without triggering SAFE mode.
  • An additional security measure is to distribute 2 wireless devices to passengers at random right before takeoff. So even if both pilots are corrupt, and the crew is corrupt, the passengers could transition the plane into SAFE mode. In the more normal case, any single "unmarked" passenger could press the panic button. Joking would be unlikely since both passengers acting together can't put the plane into safe mode if both pilots are OK. 

Optional variations:

  • A wireless panic button is distributed to one of the passengers chosen at random right before the plane takes off (or an unmarked sky marshall). So the system can be activated by pilots, crew, or the "unmarked" passenger. 
  • You could give wireless panic buttons to 20 adult passengers chosen at random. If > 5 of the passengers hit the button at roughly the same time, the plane will go into SAFE mode unless overridden by both pilots and at least three crew members who would have 30 seconds to cancel the request.
  • All pilots and crew are given a 3 digit panic code right before takeoff. These codes are for the panic keypads in the cabin (the cockpit panic buttons and the wireless panic button given to a passenger are simple buttons). Each pilot is also given a 3-digit recall code. The recall code allows the pilots to recall and disable the passenger panic button if entered within 15 seconds (the pilots would be given audio and visual signals of a panic press). So in the normal case, a passenger, crew member, or pilot could cause the plane to enter SAFE mode. Even if both pilots were terrorists, a single honest crew member could either enter the code himself, or yell out the code for anyone on the plane to enter in any location.
  • Allow SAFE mode to be disabled if the airline radios the pilot a special 6 digit 30 minute bypass code associated with the plane. Each 6 digit bypass code is good for 30 minutes (and cannot be re-enabled by pressing the panic button), so the airline can give out the next code if everything is being done normally and there is just some joker on the plane pulling a prank. The airlines must be legally forbidden to release the code unless it can be verified that there is no hijacking (e.g., at a minimum, both "pass phrases" described below must be supplied). This is a bit problematic as it still allows a hijacker to threaten the airline for the codes. It is much safer just to always force the plane down to a known safe location whenever the panic button has been pressed. There are known confidential "phrases" to use when a pilot radios for the 6 digit bypass code. So even at gunpoint, the pilot can let the airline know there is trouble without alerting the hijacker. If both pilots do not supply the pass phrase when requesting the 6 digit code (this is critical...you can't depend on a "there is trouble" phrase...it is much better to use the absence of a secret phrase to indicate trouble), the airline knows the plane is in trouble. The airline can then give the pilot a code that forces the plane down, e.g., to dump fuel, reduce throttle, or just force an autopilot landing no matter what. The pass phrases are different for each pilot.

Don't we ever learn? We keep focusing on airport security... but it is the wrong place to put our energies for two reasons: (a) It's just too hard to be perfect and (b) there are easy ways to make airplanes undesirable targets. In fact, we could have had perfect security in this case and it still would not have prevented the incident because the knives used were made of ordinary material and are easily concealed and virtually impossible to detect. Unless we do something quite different from what we've been doing in the past, what happened on Sept 11, will happen again.

So we've got to think of a different angle from the way we've been thinking in the past.

Do you every hear about bus hijackings? train hijackings? Do you go through metal detectors and screening questions when you board a bus or a train?

The idea above would make it as unattractive to hijack a plane as it is to hijack a bus.

 

Optional variations/refinements (not as good as the preferred idea above)

  • Each uniformed crew member is given a wireless transmitter that they conceal on their person or in a hidden location. Pressing the two buttons on that transmitter in the proper sequence that only that the crewmember knows (e.g. "button 1 twice, then button 2" for crewmember A, a different code for crew member B, etc.) will put the plane into "SAFE" mode.
  • In "SAFE" mode, the plane enters a forced auto pilot. It will use the GPS to determine its location, determine the 10 nearest airports than can accommodate the aircraft, select one at random, fly the plane there, and land it using IFR.
  • Once enabled (after a 20 second grace period), the ONLY way to get plane out of SAFE mode is for the pilot to enter in a 6 digit "unlock" code. The pilots don't know this code and it is different for each plane. The only way to get the code is for the pilots to radio down and speak to someone at the airline who should  verify that the plane isn't under attack and should speak with all crewmembers before giving the code. Once the code is used, it will be changed for future flights.
  • In SAFE mode, the plane would still allow the pilots to climb manually, make a limited number of maneuvers to avoid weather situations (i.e., temporarily deviate from the current heading) and descend very slowly until the autopilot resumed full control. This allows pilots to avoid any obstacles like mountains, buildings, etc. but not allow a terrorist to steer a plane into an obstacle on the ground (because it won't allow the plane to descend except on autopilot to the nearest airport) or allow a terrorist to land the plane at a location the terrorist wants.
  • After the plane has hit ground, SAFE mode disables so the pilots can cut the engines, apply the brakes, and raise the flaps.
  • SAFE mode could bring the plane down other ways, e.g., lock the throttle at 40% maximum after a certain period of time to ensure that the plane must come down soon.
  • SAFE mode could initiate a fuel dump. This would limit the planes range and minimize explosions on impact.
  • SAFE mode could gas passengers to put them (and the terrorists) to sleep.
  • Have "panic" buttons scattered through out the plane within easy reach of passengers. When pushed, the crew is alerted of a pending panic. Any crew member can cancel the panic within 2 minutes by entering a 4 digit code. If no crewmember has "recalled" the panic in 2 minutes, the plane enters the "SAFE" mode and the pilot will have to radio down for assistance to get control back. Also, whenever a panic has been pushed, the ground is notified of the panic and will try to get radio contact with the pilots. If the pilots can't get an unlock code from the ground in 30 minutes (assuming the GPS said that they are in locations where there is radio contact), the plane will enter SAFE mode. So even if a terrorist discovers or forces a crew member for the recall code, the terrorist will only have 30 minutes or less of control. The recall code does not apply to wireless transmitters. Those put the plane into SAFE mode immediately (or perhaps with a 30 second time window that only can be revoked by BOTH pilots each entering their own code).
  • Disable the "SAFE" feature on takeoff and landings.
  • Allow the "unlock code" that the airline told the pilot to enter to only be in effect for 30 minutes or less (possibly determined by the situation, e.g., the airline might give the pilot the 20 minute code or the 40 minute code, etc. depending on the situation). That way, the "unlock" is in effect only for the necessary time period so that if there is a terrorist, he has only a small time window of control even if he were to "fool" all the ground crew into parting with the unlock code. Also, a passenger could "re-trigger" the panic button which would then go through the sequence again as above.
  • Allow the "unlock" code may also be transmitted up from the ground to the plane to re-enable it.
  • Require the pilot to enter a 4 digit code required to make any significant course adjustments from the initial flight destination
  • The plane radios an "SOS" if it deviates from the originally entered flight plan or someone has hit the panic button (crew wireless transmitter or publicly available panic button)
  • Even if the transmitter is lost, the pilot can enter in a 2 digit emergency code if attacked.
  • The "unlock" code given to the pilot by the airline might in fact be a code that forces the plane into a mode that will force the plane down unconditionally, i.e., if the airline security ground personnel are suspicious, they can have the crew enter a code that the crew/terrorist is thinking will unlock the plane when in fact what it will do is bring the plane down quickly.
  • Pilot can enter emergency code on his instrument panel if attacked, push an emergency button on his instrument panel, use his wireless transmitter, enter a code to disable from various areas on the plane (which could NOT be overriden by crew)  or 'give' the emergency code to a terrorist that puts it into "permanent" autopilot that can only be reset after the plane has landed, i.e., the ground crew might provide this code instead of the real unlock code.
  • Allow the airline to transmit a code up to the plane to put the plane into "SAFE" mode.

In older planes (i.e., not the fly by wire planes), a terrorist who got inside the cockpit could use the mechanical throttle to bring the plane down in an unsafe manner.

Many other variations are possible. This is just a sampling. Just doing the simple basic idea above would probably make airlines one of the least attractive vehicles for a terrorist.

We already have the technology to do autopilot landings, avoid ground obstacles, and there are transponder codes a pilot can enter to indicate that the plane is being hijacked (this happened in this case).

Hit Counter