Thursday, March 26, 2015

Risk Analysis of Flight 9525



The crash of Germanwings Flight 9525 is a great tragedy. It is even sadder to remember that there have been multiple large-scale aviation accidents, including MH370, MH17 and TNA222, in the past two years. Many people, including myself, wish that we had better technologies and policies to reduce the likelihood of such events or even prevent them completely.

From the ongoing investigation of the Flight 9525 accident, we have learned that the co-pilot locked the cockpit while the captain was outside, and then brought down the plane. The exact motive of the co-pilot is unknown. Apparently, airlines test the mental condition of their pilots, but there is currently no report indicating that the co-pilot was abnormal [1].

In this article, I would like to discuss how we might be able to decrease the risk of such accidents. I am inspired by the following article written by Professor Juliette Kayyem [2]: "Was 9/11 safety precaution a flaw?" The title already gives away one main point of that article: the cockpit lock-up mechanism designed to prevent 9/11-style attacks becomes a problem when one of the pilots goes wrong. The author suggests having an emergency password so that no one can block access to the cockpit. I definitely think this is a good idea, but we should think deeper by considering the risks of different threats and how these risks are tangled together.

There are many threats to an airplane: hijacking, mechanical errors, pilot errors and malicious pilots. Each threat has a risk value, which can be simply calculated as likelihood * impact. We will focus only on the likelihood part in this article. We want to reduce the likelihood of every threat to below a certain threshold. However, this case clearly shows the difficulty, because a mechanism that reduces the likelihood of one threat (e.g. hijacking in this case) can increase the likelihood of another threat (e.g. a malicious pilot). In this particular case, the cockpit lock-up mechanism is not good because it has raised the likelihood of the malicious-pilot threat above the threshold.

One might think the lock-up mechanism is necessary to defend against hijackers, and that we have to make sacrifices in other respects. But I don't think so. I think there are many other ways to reduce the likelihood of hijacking, such as security checkpoints, on-board security guards (which I saw on Chinese domestic flights several years ago), and background checks of passengers. These lines of defense are probably able to reduce the likelihood of hijacking to an acceptable level. On the other hand, we do not have reliable methods to prevent malicious pilots. As discussed above, mental tests were not useful, at least in this case. And due to the complexity of the job, we have to grant the pilots a great deal of authority. Being able to unlock the cockpit, therefore, becomes an important line of defense against malicious pilots. But unfortunately, this line of defense was turned off for Flight 9525...

Another idea is to consider self-flying airplanes. After all, we already have self-driving cars. At the very least, the airplane could become a remotely controlled drone in an emergency. This would help not only in the case of Flight 9525, but also in other cases where the pilots lose consciousness, such as Helios Airways Flight 522. But a self-flying system introduces new threats such as software bugs or even vulnerabilities, which are now major threats to all kinds of digital systems. Should we trust the human or the machine?



References:

[1] Lufthansa CEO: Germanwings copilot passed medical exams http://www.cnn.com/2015/03/26/europe/lufthansa-ceo-germanwings-crash/index.html

[2] Juliette Kayyem: Was 9/11 safety precaution a flaw? http://www.cnn.com/2015/03/26/opinions/kayyem-germanwings-co-pilot/index.html