Sunday, August 10, 2008

What the Pentagon Wants

The Pentagon (that's the "bombs and missiles Pentagon, not the demon-summoning sort," as I remember having to clarify seven years ago over a poor intercom, when I was told that it was on fire) wants aircraft to be fitted with a Kill Switch. Not to actually kill the occupants, and specifically not to interfere with the crew, but to disable the aircraft. They specify that the innovation should allow the aircraft to be quickly (and presumably economically) returned to operation, but that it should block the aircraft from taking off.

This runs against the entire design of aircraft, which strive to avoid any single point of failure. As soon as you design one in, you have one, and it can fail, thereby making the airplane more dangerous. The simple fact that you have designed the airplane with a single system that can independently shut down the airplane means that someday it will, unintentionally. I promise that every other single thing that can break has already broken on some airplane.

The strategists have divided their desire into disabling an aircraft before take-off and then preventing an aircraft in flight from overflying a particular area. Let's look at the first. If they wanted a legitimate aircrew to abort a flight by remote command, that would be simple: turn on a fire bell. Immediate abort of a take-off in progress, or if it occurred after V1, an in-flight engine shutdown and immediate return for landing. There's nothing wrong with the aircraft; you just ask the crew to perform one of the highest-risk procedures in aviation, at the most critical phase of flight. Usually this can be accomplished without injuries or significant damage, because aircrews practice and pass a test in it at every renewal, and recite to one another the procedures for doing it before every take-off. That's how critical it is.

But of course that's not even on topic, because it's unauthorized take-offs they want to prevent, and for an unauthorized take-off, that wouldn't work. If you are breaking the rules, you probably break all of them. If you're planning to die you might as well do it on one engine at take-off power, so the airplane has to be actually disabled. This is where an airplane is not like a car. Take the example of the fuel pump issue I had a while ago. It was fixed with a few taps of a rubber mallet, and I went on my way. A reader expressed concern that I didn't have it checked out more thoroughly. "What would happen," he asked, "if it were to refreeze most of the way through a take-off?" The answer, as people who read the comments know (some don't, which is why I am repeating myself), is "nothing at all." The other, engine-driven, fuel pump for that engine would supply sufficient fuel pressure to keep the engine operating at full power. I would not even notice that the electric pump had failed until the next time I went to start the engine. Not only the electric fuel pump, but the entire electrical system--both alternators and a battery--could spontaneously shut down and my take-off would be unimpeded. At night I would notice my lights going out, and probably abort. By day I might notice the sudden cessation of radio chatter. But the essential functions of my airplane would still function. A more complex airplane is more reliant on electrical systems, but has even more redundancy (although, as discussed recently, the A320 could use a bit more), so a kill switch would have to cut a wider swath through systems, making the airplane more vulnerable.

Most airplanes have what's called a squat switch, a sensor that tells systems whether or not there is weight on the landing gear. Systems may be squat-switch limited (e.g. landing gear retraction or operation of heaters that require significant airflow) so that they won't work on the ground even if the pilot tries to turn them on, or squat-switch activated (e.g. transponders), turning on automatically as the airplane leaves the ground. I would expect Pentagon-mandated disabling mechanisms to be squat-switch limited. But this doesn't solve the problems that whatever measure the kill switch takes--cutting off fuel, deflating tires, deploying spoilers--could, for one, happen accidentally once it has been rigged to happen, and, for two, happen at the end of the take-off roll, after V1, when an abort is exceptionally dangerous. And I should mention that the squat switch can fail just like anything else: it's not like it gets tested before every flight, so the accidental kill could happen in the middle of the Pacific, or during climb-out, too.
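The single-point-of-failure argument above (redundant fuel pumps in parallel, a kill switch in series, squat-switch gating that can itself fail) can be put into numbers with a small reliability-block model. This is an added illustration, not code or data from the post or from any aircraft manufacturer; every per-flight failure probability in it is a constructed placeholder chosen only to make the arithmetic visible.

```python
"""Reliability-block sketch of the post's argument: a redundant take-off
function versus the same function with a kill switch wired in series.

Added illustration, not from the original post. All per-flight failure
probabilities are constructed placeholders, not data for any aircraft."""


def series(*p_fail):
    """Unavailability of components in series: losing any one loses the function."""
    p_ok = 1.0
    for p in p_fail:
        p_ok *= 1.0 - p
    return 1.0 - p_ok


def parallel(*p_fail):
    """Unavailability of redundant components: every member must fail
    (same arithmetic as any AND of independent failure events)."""
    p_all_fail = 1.0
    for p in p_fail:
        p_all_fail *= p
    return p_all_fail


def fuel_supply_unavailability(p_engine_pump, p_electric_pump, p_electrical):
    """Probability the engine loses fuel pressure on take-off.

    The electric pump only works while the electrical system works (series);
    that path is redundant with the engine-driven pump (parallel), which is
    why an electrical failure alone does not stop the take-off.
    """
    electric_path = series(p_electric_pump, p_electrical)
    return parallel(p_engine_pump, electric_path)


def with_kill_switch(p_baseline, p_spurious_kill):
    """A disabling mechanism is a series element: its own spurious activation
    is added on top of whatever the redundant design already achieved."""
    return series(p_baseline, p_spurious_kill)


def spurious_kill_in_flight(p_spurious_kill, p_squat_switch_stuck_ground):
    """Squat-switch gating only helps while the squat switch works: an
    in-flight kill needs both a spurious command and a switch still
    reporting weight on wheels while airborne (two independent failures)."""
    return parallel(p_spurious_kill, p_squat_switch_stuck_ground)


# Constructed placeholder probabilities per flight (not real figures).
P_ENGINE_PUMP = 1e-4
P_ELECTRIC_PUMP = 1e-3
P_ELECTRICAL = 1e-4
P_SPURIOUS_KILL = 1e-5
P_SQUAT_STUCK_GROUND = 1e-3


def compare():
    """Return the figures the post's argument turns on."""
    baseline = fuel_supply_unavailability(P_ENGINE_PUMP, P_ELECTRIC_PUMP, P_ELECTRICAL)
    killed = with_kill_switch(baseline, P_SPURIOUS_KILL)
    return {
        "loss_on_takeoff_without_switch": baseline,
        "loss_on_takeoff_with_switch": killed,
        "penalty_factor": killed / baseline,
        "spurious_kill_in_flight": spurious_kill_in_flight(
            P_SPURIOUS_KILL, P_SQUAT_STUCK_GROUND
        ),
    }


if __name__ == "__main__":
    for name, value in compare().items():
        print(f"{name:34s} {value:.3e}")
```

With these placeholders the redundant fuel supply fails on about one take-off in ten million, while the kill switch, however reliable its own trigger, fails roughly a hundred times more often than the system it was bolted onto. That is the general point: a series element contributes its full failure probability to the whole, so no amount of redundancy elsewhere can hide it. The squat-switch line shows the second point: gating reduces the in-flight case by a factor equal to the gate's own reliability, and no further.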

The 'prevent the airplane from flying over a particular area' part is a little more science-fictional, but presents the same sort of safety issues. It could be done by requiring airplanes to fly by autopilot at all times, with clearances physically enforced, but the danger of that should be apparent. There are plenty of approach plates that warn pilots to take independent action if not cleared to turn onto the ILS, because of high terrain beyond. And there are plenty of cases where ATC radios have failed. I don't think I have ever flown across the country without hearing reroutes or accommodations being made for failed ATC equipment. And then the terrorists can forget about going after aircraft and just go straight for the ground stations that control them, or break the code of the transmissions made to the control mechanisms. Aircraft must be able to navigate independently.

I understand the military desire for a way to stop errant aircraft in their tracks, but I think it's an issue of design philosophy rather than just finding the right switch to throw. And I haven't even bothered to address the issue of the implications of a remote control off switch for airplanes. Airplanes malfunction quite enough on their own without help; what's keeping us in the air is redundant design that opposes single points of failure, and pilots who are trained to troubleshoot and take appropriate action.

Edit: I neglected to include a reference for this entry. I don't remember where I heard about it, but here is the Pentagon RFP. The anti-aircraft measures are Objective C on that page.


Anonymous said...

A remote "off" switch for an airplane? This has got to be the single dumbest suggestion I have ever heard.

What idiot at the pentagon thought this one up?

Anonymous said...

Sounds like one more instance of people who have little to no knowledge about a subject being in a position to regulate it. It's amazing how much aviation is a part of the world's transportation system when such a relatively few number of people actually know how it works. Just stand around a commercial airport waiting for a flight and listen to random conversations or listen to a self-designated expert talking head analyze the latest aviation incident.

Anonymous said...

Don't many aircraft these days have autobrakes/autothrottles used during landings/emergency situations?

I would presume that an "emergency" braking system that can be triggered from within the cockpit could just as easily "go wrong" at the wrong time. On the other hand, if it can safely be managed from the cockpit then could it just as easily be managed remotely? Aviatrix doesn't cite her source but she does say "stop it from taking off" so I assume we're talking about aircraft on the ground.

I agree, it sounds like someone doesn't know what they're talking about. However, I also believe that this might just be the reporter and his or her editor rather than folks at the Pentagon.

Aviatrix said...

Thanks for pointing out that I gave no reference for the entry. I may have lost the link during the editing process. I've added a link to the Pentagon RFP that all the articles are based on.

dpierce said...

The Pentagon is a massive bureaucracy that serves two basic functions: 1) it's the purchasing department for Department of Defense, 2) it likes to study stuff. Solicits are one of the many ways it has to study stuff.

It works like this. Someone says, "Hey -- is there a way we could proactively prevent an airplane from hitting a building? Maybe with a kill switch or something?" "Maybe. Let's put together a massive program to study it, thus ensuring our continued employment for the next few months."

At any given time, the Pentagon has giant piles of programs and studies and analyses going on. The vast majority don't get past initial stages. Of course, every now and then, they actually output a completed project. But a meteor is expected to hit the earth sometime, too.

If this came to pass, by the time the FAA, and the Congress, and media were done with it, it would be materialized as something else entirely. (What? Me, cynical?)

Anonymous said...

My TCraft doesn't even have an electrical system. I wonder how they would solve that problem.

Anonymous said...

One engineer I work with observed one day that the goal of DoD security "is to create a single point of failure".

There seem to be two schools of security thought. First: make everything controllable at one point, then put armed guards and badges, "clearance required" signs and other security procedures in place around that one point. This, of course, creates that single point of failure. It's also popular with various governments.

Second, have a defense in layers strategy where there are multiple blocks for the "bad guys" and no single points of failure. This latter strategy is like the safety strategy in aviation where checklists and redundancy are used to prevent safety problems.

The second approach is more redundant, avoids many problems, and is more reliable in security things too.

Anonymous said...

Pentagon's asking "How do we keep from being hit by another airplane?!".
How about a better means for a pilot to avoid flight or takeoff under duress?

Anonymous said...

I've been instructed to disable an aircraft before disembarking during a hijack-type scenario. I always thought that removable thrust levers would be a simple way to accomplish the feat. Other ideas were more destructive, like breaking off the engine start select switch with the fire axe.


Dagny said...