Germanwings Flight 4U9525: Deadlock Between Safety and Security
As the Germanwings tragedy shows, the aims of safety and security are not always on the same team.
It seems incredible that a pilot of a passenger aircraft could be locked out of the cockpit. But analysis of the cockpit voice recorder recovered from Germanwings Flight 4U9525, which ploughed into the southern French Alps on March 24, has revealed that this is what happened, and that one of the two pilots had been trying to get back into the cockpit before the crash.
An initial explanation that the pilot at the controls was incapacitated, perhaps from a heart attack, has since given way to an alternative given by French investigators: that the co-pilot in the cockpit — named as Andreas Lubitz — deliberately prevented the captain from entering, in order to destroy the aircraft.
Access to the cockpit must be locked during flight, preventing passengers from forcing entry onto the flight deck, so that pilots can fly the aircraft and manage any situation without worrying about potential hijackers. For the safety of the pilots themselves, the door must also open on command from the flight deck, for example when a crew member needs to return and there is no apparent risk of attack. The outside of the door is secured by a keypad, to which the crew have the codes, but a request from the keypad to open the door must be confirmed, and can be refused, by the pilot who remains inside.
It has become apparent that these two aspects — safety and security — are not always achievable at the same time. In the event of an incident like the Germanwings tragedy, they even work against each other.
A Trade-Off Between Safety and Security
People often confuse “security” and “safety.” In Chinese, the two words are exactly the same, but conceptually they are different.
Security offers protection from intentional attacks, while safety guards against accidents. Some security incidents can be accidental, or made to look accidental, but an element of intent, usually malicious, is normally involved.
Trading off security risk against safety risk in this context is hard, because the probability of accidents can be modeled while human intention cannot. One could try to estimate the probability of someone, pilots in particular, having bad intentions, but in the end it is not possible to square one with the other; it is comparing apples with oranges.
With the ultimate goal of protecting the lives of those on board, the process by which the cockpit door is opened and closed is crucial. Keeping the door closed is not always right, even when the flight may be threatened by potential terrorists. Requiring a pilot on the flight deck to open the door for a fellow officer is of no benefit if the crew member remaining inside is incapacitated or unwilling to comply.
Feature interaction manifests itself in the way hardware and software interact, as in the design of lifts, vehicles or even smart homes. To avoid problematic interactions, priority needs to be assigned to the features that are paramount; on an aircraft, that is protecting the lives of passengers. The key to this is context and timing.
How can the electronic, robotic controller of the cockpit doors collaborate with the human crew member desperately looking for ways to gain entry to the flight deck? Knocking or even smashing down the door is not enough because potential terrorists may do the same, and so these eventualities will have been catered for in the initial design.
In this case, an adaptive user interface mechanism, of the kind used to simplify complicated software systems, could improve the usability of an otherwise complex security system. Mobile payment systems, such as Apple Pay, have shown that the interface to a complex security system can be simplified: users do not need to carry credit cards, yet they can still properly authorize their transactions. Such time-saving ways of completing a security check could be a life-saving feature.
Control of the cockpit door must be adaptive to the context of the situation, providing a way out of a situation in which the flight crew are locked out of the cockpit. Had the door controller understood that there was a reason the pilot at the controls could not confirm the entry of the pilot outside, by reading deteriorating vital signs from a heart monitor, for example, it could have overridden the security requirement and allowed the pilot to re-enter the cockpit.
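To make the trade-off concrete, here is an added example in Python, not from the original article and not any real avionics logic, that models a door controller's decision rule. It compares a baseline rule, where a refusal from the flight deck always wins and silence unlocks only after a timeout, with the adaptive rule proposed above, where an incapacitation reading from a pilot-worn monitor overrides the refusal. The 30-second timeout, the signed message format, the shared HMAC key and the `conscious` field are all assumptions of the model, as are the scenario inputs, which are constructed here.

```python
"""Toy model of a cockpit-door access policy.

Constructed for illustration only: the timeout, the message format, the key
and the sensor field names are assumptions, not any real aircraft's logic.
"""
import hashlib
import hmac
import json
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Optional, Tuple

EMERGENCY_TIMEOUT_S = 30  # assumed: an unanswered emergency request unlocks after this
MONITOR_KEY = b"demo-key-not-for-production"  # assumed key shared by monitor and door controller


class Decision(Enum):
    UNLOCK = "unlock"
    DENY = "deny"


@dataclass(frozen=True)
class Request:
    keypad_request: bool                 # crew entered the emergency code outside the door
    inside_response: Optional[str]       # "unlock", "deny" or None (no answer yet)
    seconds_since_request: int
    vitals_msg: Optional[bytes] = None   # signed reading from a pilot-worn health monitor


def sign_vitals(reading: dict, key: bytes = MONITOR_KEY) -> bytes:
    """Monitor side: serialise the reading and append an HMAC-SHA256 tag."""
    body = json.dumps(reading, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    return body + b"." + tag


def verify_vitals(msg: bytes, key: bytes = MONITOR_KEY) -> Optional[dict]:
    """Door-controller side: return the reading only if the tag checks out."""
    body, sep, tag = msg.rpartition(b".")
    if not sep:
        return None
    expected = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(tag, expected):
        return None
    return json.loads(body)


def baseline_policy(req: Request) -> Decision:
    """Refusal from the flight deck always wins; silence unlocks after the timeout."""
    if not req.keypad_request:
        return Decision.DENY
    if req.inside_response == "unlock":
        return Decision.UNLOCK
    if req.inside_response == "deny":
        return Decision.DENY
    return Decision.UNLOCK if req.seconds_since_request >= EMERGENCY_TIMEOUT_S else Decision.DENY


def adaptive_policy(req: Request) -> Decision:
    """As baseline, but an authenticated incapacitation reading overrides refusal or silence.

    A forged or unsigned reading is ignored, so someone outside the door cannot
    open it simply by claiming the pilot inside is unwell.
    """
    if req.keypad_request and req.inside_response != "unlock" and req.vitals_msg:
        reading = verify_vitals(req.vitals_msg)
        if reading is not None and reading.get("conscious") is False:
            return Decision.UNLOCK
    return baseline_policy(req)


def scenarios() -> Dict[str, Tuple[Decision, Decision]]:
    """Constructed scenarios; returns (baseline, adaptive) decisions for each."""
    incapacitated = sign_vitals({"pilot": "seat-left", "conscious": False})
    conscious = sign_vitals({"pilot": "seat-left", "conscious": True})
    forged = b'{"conscious": false, "pilot": "seat-left"}.' + b"0" * 64  # bad tag
    cases = {
        # Incapacitated pilot, no answer yet: baseline waits out the timer, adaptive opens now.
        "incapacitated_no_answer": Request(True, None, 5, incapacitated),
        # Conscious pilot refusing (the Germanwings case): neither policy opens.
        "refusal_conscious": Request(True, "deny", 5, conscious),
        # Refusal plus a forged incapacitation message: authentication keeps the door shut.
        "refusal_forged_vitals": Request(True, "deny", 5, forged),
        # No answer and the timer has expired: both policies open.
        "silence_after_timeout": Request(True, None, 45, None),
    }
    return {name: (baseline_policy(r), adaptive_policy(r)) for name, r in cases.items()}


if __name__ == "__main__":
    for name, (base, adaptive) in scenarios().items():
        print(f"{name:28s} baseline={base.value:6s} adaptive={adaptive.value}")
```

Two things the model makes visible. First, the override is itself a security-relevant input: a controller that accepted an unauthenticated "pilot incapacitated" message would let anyone outside the door open it by faking one, so the example authenticates the reading before honouring it, and the forged-message scenario shows the door staying shut. Second, in the Germanwings case the pilot at the controls was conscious and refusing, so a vital-signs override would not have fired; the adaptive rule helps only in the incapacitation case, which is the limit of what a health monitor can resolve.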
We need to reassess the risks and arguments around safety and security in the context of aviation, and find ways of bringing together hardware, software and the flight crew themselves — perhaps through health monitoring devices — in order to ensure that both these demands work together and do not become a threat in themselves.
[This article was originally published by The Conversation.]
The views expressed in this article are the author’s own and do not necessarily reflect Fair Observer’s editorial policy.