FAA Assessment of Anti-terrorist Devices
An Assessment of Automatic or Remote Control of Distressed Commercial Transports As a Means of Mitigating a Hijacked Transport Being Used as a Weapon

By Harman A. Rediess, PhD
Director, Office of Aviation Research
Federal Aviation Administration

Several suggestions have been made to develop systems that in some form would take unrestricted control of the aircraft away from the pilot. In some cases the automatic system would prevent a pilot from controlling the aircraft into specific defined airspace or proximity to the ground, i.e., "refuse-to-crash system" or "automated ground proximity avoidance system". Such systems might be considered an extension of the envelope limiting system implemented by Airbus on A-320, in which pilot control is restricted to prevent the aircraft from entering unsafe portions of the flight envelope. Other cases would take total control away from the pilot and either control the plane automatically to pre-determined holding maneuvers and/or land it at a secure airport or control the plane remotely from the ground or another aircraft.

1. The objective is to prevent terrorist hijackers from crashing a commercial transport into high value civil or military assets with the loss of many innocent people, such as happened on September 11, 2001. Clearly the first priority should be to prevent terrorists from boarding commercial aircraft or getting any type of weapon on board. (See Point-by-Point Comments.)

2. Second priority is to prevent terrorists from over powering the crew and taking control of the aircraft, if they get on board. Only if the other interventions are unsuccessful, would we want to deal with preventing hijackers from crashing the aircraft. In that case, clearly concepts that might preserve the lives of the passengers and crew would be preferred to any action that would destroy the aircraft. (See Point-by-Point Comments.)

3. All of the automatic or remote control concepts that have been suggested are technically feasible. Most are derivatives of systems currently operational for military missions. The most challenging aspects are not technical but policy acceptance, safety and implementation issues that would have to be resolved before a decision to use the concept could be made. If any of these concepts were to be considered for implementation, it should be demonstrated on commercial transport in an operational situation. However, before considering such demonstrations, the associated policy, acceptance, safety and implementation issues must be addressed. Some issues are so serious that if not resolved, would preclude its implementation or render it ineffective from mitigating terrorist acts. (See Point-by-Point Comments.)  

4. Technical Issues - A common feature of all concepts is that unrestricted control of the aircraft is taken away from the pilot and the pilot must not be able to override the actions of the automatic system. In the refuse-to-crash type concepts, the pilot retains control everywhere accept in the restricted areas, but would not be allowed to override the system imposed restrictions. In order to implement the restrictions, the aircraft primary control system and probably engine throttles would have to be modified to preclude the pilot from overriding the restriction. This is the most difficult technical aspect of the concepts. (See Point-by-Point Comments.)

5. Primary flight control and throttle systems are designed specifically to assure that the pilot never losses control of the aircraft. A small percent of current commercial transports have fly-by-wire (FBW) primary flight control systems that might be modified in a relatively short time to prevent pilot override. Only about 20% of the Boeing and Airbus commercial jet transports have FBW systems: Boeing 777, and, Airbus A-319, A-320, A-321, A-330, A-340. Even those aircraft would have to be assessed by the manufacturer to determine how difficult it would be to modify. Boeing and Airbus have different design philosophies for FBW. Boeing aircraft would be more difficult to limit pilot control with no ability to override than Airbus aircraft. As mentioned above, Airbus has already implemented an envelope limiting system on the A-320. Only Airbus aircraft have "FBW" throttles. I believe Concord, some Russian transports, and the soon to be certified Embraer-RJ170 and Domier-728 have FBW systems, but I'm not familiar with those systems. 

6. The remaining Boeing, Airbus, and all other transports, and business aircraft would be much more difficult, costly or even totally impractical to modify. When considering effectiveness of such systems to mitigate terrorist actions, we must assume that terrorists are smart enough to figure this out and stay away from FBW type aircraft in the future. (See Point-by-Point Comments.)

7. Primary flight control, engine throttle systems, and the way in which autopilots, flight management systems and stability augmentation systems interface with them, vary widely across the transport fleet and in some cases across different models of the same type of aircraft. Each system would have to be assessed individually. At a minimum, their primary actuation and throttle systems would have to be modified to provide a fail-safe method of locking out the pilot input in the distressed situation, or installing a FBW system. If the concept is to land the aircraft after taking over control, other subsystems such as the flaps, slats, landing gears, brakes, etc., would have to be controlled by the automatic system with no way for an on board pilot to override. All of those are very costly retrofits, and for many of the older aircraft totally impractical - too many systems and subsystems would have to be replaced. If such modification were made, safety considerations for normal operations would require more redundancy and complex systems. (See Point-by-Point Comments.)

9. All aircraft, FBW or not, would require significant modifications to the flight management system, autopilot, auto-throttle, autoland, and/or installation of  entirely new avionics, depending on the concept. The refuse-to-crash type concepts would probably require less avionics modifications than the automatic or remote control concepts. (See Point-by-Point Comments.)

10. Safety Issues - Safety is always the most critical issue of any new aircraft system, particularly systems that affect primary control. All of these concepts violate the fundamental safety tenant of commercial transport control, that the pilotis ultimately responsible for aircraft's safety. These concepts purposely take  that responsibility away from the pilot. The basic safety design philosophy of commercial transport control would be changed. Airbus design philosophy may be the closest to accepting such systems based on their experience with envelope limiting systems. Even though these systems would be used for very rare occurrences and operate for a relative short period of time, they must meet strict safety requirements and be certified. (See Point-by-Point Comments.)

11. FAA and industry would have to establish requirements both for normal operations, when these automatic systems must not engage, and the emergency situation when it is to take over control from the pilot. The system elements that prevent unwanted engagement of the.  (See Point-by-Point Comments.)

12. automatic systems would have to have at least the same reliability as FBW systems, including critical subsystems, such as the electrical and hydraulic systems. If the system depends on a digital terrain data base, the data base becomes a flight critical item which must be certified and maintained up to date for all geographic areas in which the aircraft could operate. One would also have to investigate non-normal conditions, such as loose of both engines or loose of navigation capability. (See Point-by-Point Comments.)

13. Policy and Acceptance Issues - It's not clear if there are formal government policy issues or not, but some form of agreement among the U.S. and foreign governments, and international aviation industry, transport operators, and pilot associations would be needed. For the concepts to be effective deterrent, all transports and similar aircraft capable of operating near high value assets, would have to incorporate the systems. There are acceptance issues that pilot associations and transport operators would have to address. Even going from an Airbus envelope limiting system, which pilots understand are for their safety, to a refuse-to-crash type system, that limits the pilot's ability to fly in certain airspace, may not be that easy for pilots to accept. What if, during an emergency condition on take-off, a pilot needs to fly through the restricted airspace in order to recover the aircraft and the system prevented him from doing that? It might also raise new legal issues of responsibility among aircraft manufacturers, air carriers and "owners" of the automatic systems, when control and safety responsibility is taken away from the pilot. (See Point-by-Point Comments.)

14. Implementation Issues - Modifying the world fleet of commercial transports, including jets, turboprops and others, of sufficient size to be considered a possible threat if hijacked, would be an enormous and costly task. Just considering  the world-wide fleet of Boeing and Airbus aircraft, there are about 2,304 with FBW systems: 358 B-777; 1,549 A-319, A-320, and A-321; 196 A-330; and 201 A-340. There are 8,663 non-FBW Boeing and Airbus commercial transports. To cover all aircraft that could be commandeered by terrorists, it would be necessary to modify all the other transports, regional and commuter aircraft, cargo, chartered or leased aircraft, and even the larger business aircraft. For the near future, no airline will have the financial resources to even modify the FBW aircraft. It's not clear that they would ever have sufficient funds to retrofit the non-FBW aircraft. A cost analysis has not been done, but the modification and retrofit costs could easily be in the tens of billions of dollars or more worldwide and take several decades to complete. (See Point-by-Point Comments.)

In the long term such systems might be considered for future aircraft as the fleet needs to be replaced. Even in that situation, implementation is more likely if there are associated financial and/or safety benefits. (See Point-by-Point Comments.)

17. Terrorist Mitigation Effectiveness Issues - How effective would these concepts  in mitigating terrorist attacks using an aircraft as a weapon? The suggestions have focused on the September 11th scenario. We must analyze how a terrorist might defeat these systems through abnormal actions. For example, if the refuse-to-crash system only protected against normal aircraft maneuvers, a terrorist might fly well above the protected airspace then put the aircraft in a high speed suicide dive towards the target from which the aircraft could not be safely recovered even with an automatic system. To be effective, the system would have to consider all conceivable abnormal maneuvers and prevent those maneuvers well out side the protected areas. Considering all the variations that might exist for all the desired protected areas would be a significant and complicating factor. One must also consider all the ways in which a terrorists might sabotage the aircraft if an automatic system takes control of the aircraft, such as shutting down the engines. It may prevent using the aircraft as a weapon against a ground target but the passengers and crew would be killed - a terrorist act we must also prevent.  (See Point-by-Point Comments.)

18. Looking to the future, we need to be very innovative to identify all the otherways in which a terrorist might use aircraft as a weapon or delivery of weapons and then develop the best overall security measures, which may or may not include these suggestions. If all the world's fleet of commercial transports were protected, what about chartered, purchased or leased transport aircraft? With the financial backing the Al Qaeda seems to have, they could purchase an unmodified used transport or business jet as a personal aircraft with their own pilots. Terrorists could lease or purchase large GA aircraft, load them with high explosives, and fly them into ground targets. It is possible to modify the autopilots and add a remote control data link and turn an ordinary transport business jet or high end GA aircraft into a remote controlled UAV. We must also consider that either the piloted or UAV versions of a private aircraft could be used to deliver weapons of mass destruction.  (See Point-by-Point Comments.)

19. None of these concepts, including the refuse-to-crash type, are potential near-term interventions. Airlines are in no financial condition to make required modifications, even for the easier modified Airbus transports. Modifications of non-FBW aircraft are likely to be several decades off, if ever. Modifying 18% to 20% of the fleet does nothing to increase security, because terrorists would just select unmodified non-FBW aircraft as their target for hijacking. (See Point-by-Point Comments.)

20. With all the options open to misuse aircraft, a rigorously analysis of potential terrorist scenarios and mitigation options should be conducted before choosing which combination of interventions are needed to provide the best overall security. (See Point-by-Point Comments.)

Note: This paper represents the views of the author. The following people provided comments, information and/or criticism: 

John Hansman, MIT
Joe Jackson, Honeywell
Stephen Luckey, ALPA
Tony Lambregis, FAA
George Greens, FAA
Dres Zellweger, ERAU/NASA
Doug Arbuckle, NASA Langley