Protecting Cities from Hijacked Planes

Kong99 writes "A group at UC-Berkeley has proposed Soft Walls to stop hijacked planes from entering a protected airspace. Interesting read especially since they claim it is 'hack' proof."

Hack proof

[Gog]

Because the system is not dependant on ground input.

So I suppose there was nobody in those 4 planes...

Gog

Re:How close can they get?

[robslimo]

what's to stop the hijackers from busting the autopilot controls

Because I'm guessing they're talking about a layer which is actually integrated into the fly-by-wire controls. And you don't want to smash those, eh? Then neither a pilot nor an auto-pilot could control the danged thing.

Re:Sounds dangerous to me

[DarkMan]

That's covered. It's a 'soft' wall - as you get ner to the wall, it generates a small opposition to the pilots actions, and that opposition increases as they get closer.

So, with a mid air collision scenario, unless both planes are right on the limit of the wall, then the pilots can steer fine. One direction will be slightly less preffered by the autopilot, but that should not be significant, at the outside of the area.

Note also: That aircraft should not be near the wall off area's anyway, so the situation aught not to arise. It's totally software controlled, so interfacing with teh current mid air collision systems [0] and breaking the wall in that case would be perfeclty feasable.

I think that's one of the lesser problems with the idea.

Personally, I'm with the 'bulkhead without a door school of thought (The pilots have a seperate external door. That makes it impossible to physically coerce pilots, because you can't get to them. Problem solved.

[0] As it stands, the computers in two aircraft nearing collision have a chat, and decide on the two optimal vectors, and then move the planes along those vectors automatically, after ensureing that they will not collide.

Re:Emp

[uberdave]

True, the hydrolics would work, but how would they be controlled? The EMP would ruin the electronics that read the yoke and pedal positions. You wind up with a dead stick plane.

Re:Sounds dangerous to me

[blibbleblobble]

"What if the only way to avoid a mid-air collision is to bank into one of these "soft walls"?"

This is why pilots don't like the idea.

What if I setup my own NDB/DME and get it to transmit an identifier saying "new york". Then put it at the end of a runway...

Re:SoftWalls

[int2str]

Article not read, huh? :p

There is no ground link required for this. The "SoftWalls" are defined by GPS data stored into the planes computer. So it's not like you can aim your pringles can in the air at LAX and "create" a SoftWall.

The only way to "create" a wall would be to upload it to the plane(s). That's where their "hack proof" claim comes in... THAT is a whole new topic :p

Cheers,
André

Not a good idea.........

[Scrumper]

For the same reason Airbus removed certain features from it's autopilot. At an air show in France Airbus was demonstrating their new autopilt system which overrides pilot control, to supposedly keep him from crashing, and lands the plane safely. During the demonstration, the plane misread the runway and overrode the pilto crash into a stand of trees. I feel much more safe with a human at the controls, than a computer (insert windows bashing here).

Re:Sounds dangerous to me

[florin]

I'm assuming you're talking about Chicago Meigs airfield, which lies within walking distance of the Sears tower - supposedly an attractive target. Unfortunately, that airport was recently shut down in an overnight guerrilla action by Chicago mayor Daley, quoting terrorist concerns. A further tragedy in the wake of Sep 11 that this historical airfield was shut down without any consideration for the interests of aviation enthusiasts.

oops! Corrections

[SuperBanana]

Got a few facts wrong, I just realized. Here's a good article with the facts of the case; it was a combination of throttle malfunction at low altitude, and improper altitude display. http://www.airdisaster.com/investigations/af296/af 296.shtml

Re:Emp

[Laur]

An EMP would disable all electronics, and radios, transponders, etc, but the hydraulic controls for the rudder/etc would still function.

Nope, sorry. In a fly-by-wire plane there are no mechanical links to the control surfaces. If the flight control computer completely dies, you have absolutely no control over the plane.

Re:I'm sure pilots will love this

[timeOday]

Brainstormed back in the day? The Russians built it [aeronautics.ru], and it does work.

BAD IDEA!

[Lodragandraoidh]

There are several reasons why this is a bad idea:

1. Most large metropolitan airports are in or near areas where these 'softwalls' would be deployed. Take a look at the restrictions placed on takeoff and landings from Washington International (you basically have to fly down the Patomac River and make a hard left on short final to avoid restricted airspace over the White House and Congress. I don't know about you, but I wouldn't want an autopilot to take control of the aircraft on short final if it didn't like my flight path. On takeoff - from the south - you have to similarly make a hard left turn barely wheels-up).

Putting this into effect would leave very little leeway for situations where the aircraft can not meet the minimum flight parameters (climb rate not up to snuff due to engine failure, damage to a control surface that prevents a turn at the proper rate to miss the restricted area, etc...) What was an emergency will become a disaster if control is removed from the pilot.

2. Legally a pilot is responsible for the safety of the flight. Many times the cause of accidents can be traced to pilot error. With this system in place, every accident near a restricted zone would raise questions - to what degree did the pilot and the autopilot contribute to the accident? This would be a legal can of worms (the cost of which would be born by the traveling public).

3. Who would certify that these systems are infallable without pilot control? If a pilot can not 'hack' the system - i.e. turn it off, then it had better be perfectly safe, as per FAA standards for other avionics. Avionics and flight instruments are designed to allow redundancy in the form of multiple backup systems - if one breaks, the pilot is trained to use backup systems to correlate the data lost from the main indicator. Unfortunately, since a pilot is prohibited from interacting with this system - how would we be 100% sure that the system would function under all conditions?

History has shown too many times that misapprehension of a technology's limitations often leads to disaster - the Titanic comes to mind. Until we can certify that a computer can function with uncertain and incomplete information effectively under all conditions (currently humans are the only ones that can do this satisfactorily), then I would not want to stake my life on this technology.

I am both a pilot and a software developer, having the hubris to think I have insight into this problem.

Re:bulkhead without a door

[DarkMan]

Well, that's already covered by the current policies.

As it stands, (and this is pre attack on two towers) the door is ment to be locked. If anyone is held hostage, they are expendable until, and unless, the plane is safely landed.

That stands.

However, note that the pilots are in communication with air traffic control. The ability to communicate is powerful, but it also works to help the pilots. Put them on to an anti-terrorist specialist (as is, and has been, in the procedure for several years), and book an appointment with a counseller for the pilots.

The point of the 'no door' is to refuse the pilots options that will cause more harm. It's harsh, but you're dealing with people who are prepared to kill.

Re:There's no practical future in this project

[Snowdog668]

"the only reason it may be a one-time thing is because people are being vigilant in their defenses and security regarding this".

I'm not so sure about how much faith I have in air security. How about the 727 that's currently missing in Africa? Here's an airliner that was converted to a fuel tanker that two guys just climbed aboard and flew off in. The story is that it was "most likely" stolen to be used for smuggling. For some reason that doesn't make me feel safe.

http://taipeitimes.com/News/world/archives/2003/ 06 /25/2003056687

Re:hack' proof

[marc_gerges]

Yes, there are. The whole range of Airbus planes (except for the A300/A310 series) are as fly-by-wire as can be. Joysticks in the cockpit, no linkage between the pilot and the wings.

These planes do not request from their pilots to manipulate the moving surfaces in such a way as to obtain the desired attitude of the plane, they just need input as to what the attitude should be and then move the plane like that. Rather like a computer game, really.

The most visible advantage of this is that the pilot cannot 'stall' the airplane. The airplane will not put itself in a situation where it would stop flying. One simply cannot 'pull up' or deccelerate so much that the airplane would crash. Quite amazing technology, an entirely not Microsoft powered. ;-)

Univ. of Berkley != U.C. Berkeley

[Khelder]

This story is about researchers from the University of California at Berkeley [berkeley.edu] (a.k.a. U.C. Berkeley or Cal), not the University of Berkley [uofb.com].

Re:hack' proof

[Anonymous Coward]

here's an interesting discussion [princeton.edu] of expert systems, particularly about flight control and nuke plant systems. and it's by yet another UCB faculty (plugs to my alma mater :-)

Re:Repeat after me!

[kenshaffer]

Well, noone will hack into the current Air Traffic control system because it is too old to be hacked. Analog, think 1950's. As a pilot. I have had things break (no matter how redundent) and software usually ramps up the complexity so much as to make that worse. No thank you for a box that overrides what I tell the airplane to do. (I know fly by wire is out there but only on heavy iron and really well tested and pricey). I don't need this on my little airplane. Ken

Re:Sounds dangerous to me

[ptbarnett]

GPS can't be used as a primary navigation device because it's not accurate or reliable enough.

Actually, GPS is accurate enough for navigation. It's accurate enough for an approach, but not necessarily a full landing landing. With differential GPS, it can be accurate enough for landing.

Reliability is another issue. That's the function of WAAS: monitor and ensure the integrity of the GPS signal, warning the user if it is out-of-spec.

There's a reason the autopilot cut-off switch is so prominent (by the pilot's thumb on a helicopter; big red button in a plane), which is because the pilot is the failsafe.

This is exactly right. Even in a non-autoland instrument approach, it's the non-flying pilot's job to monitor everything and call for an missed approach if all the criteria for a safe landing is not met.

A solution already exists - and it's chemical.

[Chemware]

As many people here have pointed out, there would be many ways to circumvent any software protection, and such software would surely be an extremely large and complex project - and hence buggy. Anyone brave enough to try out such a system at say, Hong Kong International ?

The real problem of crashing large planes (airliners) into buildings is not their kinetic energy, but the chemical energy of the 100 tons or so of fuel they have on board. crudely speaking, that's the same chemical energy as 100 tones of high explosive.

What makes the 100 tons of explosive extremely dangerous is that all that energy is released in a few milliseconds. What makes an airliner a really dangerous weapon is that most of that 100 tons of fuel burns in a fireball in a few seconds. This occurs because the fuel "mists" on impact, as it it is violently expelled from broken fuel tanks and lines.

This was realised by ICI Paints Division over 30 years ago, who started work on how to prevent misting of aircraft fuel to prevent or minimize aircraft fires in crashes. This work recieved a huge impetus when two Jumbo jets collided on the ground at Teneriffe, and 500 people died.

ICI eventually developed a special fuel additive "FM9" that reduced misting greatly. A number of tests with old WWII bombers on rocket sleds demonstrated just how effective it was.

The FAA started to become keen on the idea, and got NASA to crash a remotely-controlled 707 with the modified fuel into a specially-prepared site at Edwards. Unfortunatly NASA did not do a sterling job: the remote control of the plane barely worked. The plane was crashed at double the planned sink rate, and in a slow flat spin. During the slideout, a "Tomahawk" sliced sideways through an engine, which exploded in a huge fireball. Burning fuel from the damaged engine entered the plane through a cargo door that burst open. The plane ended up a burnt-out hulk, and the senior managers present abandoned the project on the spot. It was a public relations disaster of the first magnitude.

It was a few months before all the troops got reassigned, so in the meantime the FAA guys did a thorough analysis of the crash. They found:

* only 50 gal / 12,000 burned up in the fireball
* the aircraft was not damaged by the fireball: the black soot could be rubbed off the airframe to reveal undamaged paint below.
* most of the fires went out just after the plane slid to a stop
* if you had been on board, you could have walked away (unlike the most similar crash on their database)
* the plane was burnt out by a fire in the cargo bay. the fire-fighters had used up all their foam on the wings and fuselage, and by the time they realised that there was fire _inside_ the cargo bay they did not have any left.

The FAA then did some rather dramatic experiments with jet engines and large quantities of fuel. When normal fuel was poured into the exhaust of a running engine, a large fireball developed, and when that impacted on a aluminium panel it melted and caught fire, with tempertures quickly exceeding 600 C. When the same was done with modified fuel, a small fireball developed, and the temperature of the aluminium panel rose to about 180 C - the boiling point of the fuel. When the test was finished the panel was intact, but blackened.

In the final tests, the modified fuel was poured into the _inlet_ of the running engine. A large fire developed, and so the engine was quickly shut down. When the same test was re-run with normal fuel, the engine exploded and the test site was wrecked.

Our conclusion was that the "FM9" additive worked in that it prevented misting, and hence extreme temperatures, however it was not able to provide perfect protection in the event of large quantities of fuel entering a major ignition source like a running engine.

My understanding is that the Twin Towers collapsed because the intense fire from the initial fireball overwhelmed the fire protection systems in the buildings, and led to sever