By Bjorn Fehrm
August 15, 2018, © Leeham News.: The theft of the Horizon Air Bombardier Q400 Friday raises the question of how easy airliners are to steal and what can be done about it.
Having never flown an airliner before, I recently learned how to start one from cold and get it into the air. Here’s my take on how easy (or not) it is to get an airliner in the air by a novice and what can be done to make it harder.
As a former fighter pilot, I hadn’t piloted an airliner until a couple of years ago. I got invited to test-fly the Airbus A350 with three other media pilots. I wasn’t worried about the flying when preparing for the test flight. Airliners are flown like School Buses compared with flying the Super Sports car a fighter is. So, the flying was the easy bit.
The problem is the “knobbery” of an airliner. Airliners have hundreds of knobs in the cockpit and even turning the electric system on from a cold aircraft needs knowledge. And you need other systems on before you can start the engines.
Normally you first turn battery electrics on, then you start the APU to get enough power to start the engines. All this must be done in the right way and the knobs should be pressed in the right order. Getting the engines started is the next hurdle, but it’s normally not more complicated than getting the aircraft active from a cold start.
I know the cockpit of the Dash 8 Q400 that Richard Russell stole at Seattle–Tacoma International Airport (SEATAC). It’s no easier to get going than the A350 I flew.
So what hurdles did Russell get through and why?
The first hurdle is access to the apron where the aircraft is parked. If you’re an airport or airline employee with the right of access to the apron, this is no hurdle. According to press reports, Richard Russell was a Horizon employee and part of a team which towed Horizon’s aircraft within the airport.
Towing an airliner most of the time means one person driving the truck and another sitting in the cockpit with access to the brakes, a safety precaution. If Russell was given the job to brake the aircraft in case of an emergency, he knew how to open the aircraft, get into the cockpit and sit and work in the pilot’s seat. He also knew how to get the electric system going and how to start the APU, to get the hydraulic system running, so the brakes would work.
Getting the engines going is the next hurdle. Starting the Dash 8 Pratt & Whitney PW150 engines is a tiny bit more complicated than starting a jet engine. Turboprops have a throttle and a condition lever (for changing the prop blade angles) which also doubles as a fuel valve. Starting an engine involves throwing the right switch, placing the throttle and condition levers in the right position and waiting. The spinning up of the engine is automatic.
Taxiing the aircraft is like driving a bus or a lorry. It’s not difficult unless the airport is congested. If someone had realized it was a rogue airliner taxiing, it would have been easy to block it on a taxiway by putting a car in front of it. There is little chance of the pilot getting around this. Turning around on a taxiway is almost impossible and crossing over grass to the next taxiway or to the runway is equally difficult, even with a Q400, let alone a large jetliner.
Take-off is easy. An empty turboprop on low fuel will jump into the air after a short run. Even when flaps are not correctly set. But the throttle and condition levers must be handled correctly. Directional control in the early phase of the take-off can be a bit tricky.
Flying a Q400 or an A350 is no different from flying a Cessna 152. The mechanics are the same. Russell flew around for a while. He knew enough to check his fuel consumption, showing he had some Q400 specific knowledge.
Russell then did a barrel roll. This is not straightforward. You need to do it right or you end in the ground before it’s finished.
So how could he get this far? He seemingly had no pilot training?
The PC simulators based on such commodity games as Microsoft Flight Simulator are amazingly detailed and correct today. I trained on an A320 and A330 simulator before flying the A350 (there was no A350 simulator at the time). They were close to the real thing.
Russell apparently trained on such simulators before stealing the plane. It should have been a Dash 8 simulator, otherwise, it’s difficult to understand how he got as far as getting the engines started.
Handling the aircraft brakes during towing could explain how he got an aircraft going from cold. Starting the engines is then a smaller step. Take-off is the same in all planes, full power and a gentle pull on the yoke when the aircraft starts getting light.
The flying before the barrel roll is also straightforward. But a barrel roll is not. You have to do it right or you end up flying straight down in the second vertical. Russell did the roll surprisingly correctly. Yet he wasn’t far from touching the water after the second vertical.
Landing an aircraft, any aircraft, is another ball game. Russell didn’t plan to, according to what he told Air Traffic Control. Had he tried, the chances he would have got the aircraft down unharmed would have been small. He might have survived, but the aircraft escaping undamaged is less probable. Landing is the difficult part of a flight.
How to stop this from happening again?
Airliners are normally not locked. If they are, the ground crew doing the towing has the keys, including access to the cockpit. And they know how to get the aircraft systems on and how to start the APU.
The step which could be made harder to pass would be starting the engines. There are no reasons for a ground crew to have authority to do an engine start. The few engine ground test runs which are done in connection with engine maintenance are done by specialized personnel and in special engine test areas.
As modern engines are controlled by computers (FADECs), a code lock or other authority check could be easily implemented. A keyboard/keypad is in the cockpit, controlling the FMS. It has contact with the engine FADECs.
Other authority checks seem more difficult to implement. Service is often done on the flight control system on the ground. After service the correct function must be verified by ground personnel, making an authority check less effective.
That an airliner is so easy to steal by a non-authorized person is unacceptable. Russell was a disturbed mind with no plan to harm society. Next time a rogue pilot might have other priorities.
In the radiation oncology field in which I work, in order to generate radiation with the particle accelerators that are used to generate high energy and high dose rate x-ray and particle beams for cancer treatments, you have to log into the accelerator control computer. The control computer software has the capability to assign user rights by login, and many departments assign each employee a unique login with rights tailored to each employee’s job function, training, and supervisory level. For instance, treatment techs can load parameters for a prescribed treatment and deliver the treatment, but only physicians can prescribe treatments or modify prescriptions. Machine service engineers can adjust technical parameters such as electron filament voltage or beam steering, but cannot access patient medical records, treat a prescribed treatment, prescribe a treatment, or modify a prescription. What obstacles, if any, are there to implementing a similar scheme with aircraft control computers, i.e. people whose job it is to taxi the plane with the engines off can start the APU and operate ground steering and brakes, but you would need a login with pilot or engine test rights to start the engines, and need pilot rights to unlock the flight controls?
In the examples you give, not being able to log in is not a problem. It may be a nuisance but not a life-threatening problem.
Compare railway safe (stopped is safe) to airplane safe (keep going under all circumstances, stopped is dead).
I agree – imagine if you lose one or more engines in flight for whatever reason and the password or code required for a re-start is not accepted by the system. It is possible that more lives could be lost in these circumstances than by rogue pilots illegally getting an aircraft into the air.
Once logged in, the pilot could continue to be authorized until the aircraft lands, for example. Not a major issue in such a system.
Software controlled user access controls would be fairly trivial in a 787/A350 generation aircraft as every single function is computer controlled with reasonably modern computers (not to say inexpensive or quick to develop, but all the hardware and basic software functionality is there already).
Retrofitting it to older generation aircraft is somewhere between difficult and impossible, particularly as you go further down the technology/modern design ladder; at that point, you are stuck with physical and process safeguards (locks and 2 man rules).
Software controlled user access controls are most definitely not trivial, especially for a 787 or A350 (or any other airliner with a computerised flight deck), and especially in the way that you’d end up wanting.
About the only system out there that manages user credentials in anything like a decent enterprise-ish way across a whole organisation is a Windows domain. There’s an immense amount of thought and care gone into it. The closest anyone else has come is Samba, which has simply reimplemented as open source the protocols used by Microsoft in Windows. Other attempts, e.g. Sun’s NIS / Yellow Pages, were pretty feeble both in functionality and security.
So for the present, it’s Windows/Samba or nothing. Anyone attempting to recreate the same sorts of functionality is going to spend a lot of money, make a lot of mistakes, and do so for (in this context) a pretty small market.
I don’t think the world is ready for Windows for Airliners, to replace the existing OS (Integrity 178B?) and software stack (Airbus / Boeing bespoke).
A user rights system like the one I describe above could keep those not employed by an operator as pilots from taking off, but would not provide protection against currently employed pilots with pilot rights going nuts and ramming a terminal or building.
As long as the aircraft has network connectivity (sitting on the tarmac at a North American or European airport this is not a major hurdle) it becomes much easier to check: the system can check not only whether the person is an authorized pilot, but also whether the authorization is valid AT THIS TIME.
And it would also be able to inform the airline’s monitoring centre of the fact that pilot X has just authenticated on board aircraft Y.
Regarding: “And it would also be able to inform the airline’s monitoring centre of the fact that pilot X has just authenticated on board aircraft Y.”
I think that this in and of itself could be a valuable security check. Even if the login did not prevent operation of flight controls, it could automatically generate a security alert if someone who was not assigned to be operating an aircraft, or not authorized to perform a certain function, was attempting to do so, for instance, a baggage handler starting engines, or a pilot suspended for being a suspect in a murder case trying to start an aircraft at 1 AM in the morning that was not scheduled for its next flight until 7 AM in the morning.
Remember Malaysia 370? Would history have been different if the aircraft’s flight control computer was programmed to automatically send out an alert if the aircraft deviated in a major way from its scheduled flight path, and this function could not be disabled by the pilot? I know that there will be many minor adjustments of flight route for air traffic control, thunderstorms, turbulence, etc., but perhaps there would be some deviation tolerance that could be set (100 miles, 200 miles?) that would not generate an unmanageable number of false alarms.
Of course, one would hope that air traffic control would notice that an aircraft under their control was off course long before it was 100 or 200 miles off course, but in the region of the world where MH370 was operating, this was apparently not the case.
The advent of space-based ADS-B (see Aireon) and AFIRS makes this no longer an issue anywhere on the globe, not just land. That, combined with job function policy permissions common in all computer systems, would both prevent unauthorized personnel from accessing non-job-essential aircraft functions; for those authorized, only automated alerts would be sent; for the deranged pilot, only two people up front at all times could stop that problem (Germanwings).
That is an outstanding idea. Simple to implement. AFIRS could easily be alerted and thus all relevant authorities.
“FADEC, .. code lock or other authority check could be easily implemented…”
Then authorization becomes part of the Checklist for engine restart? Is this really a bright idea?
There is a multitude of functions in an aircraft which are only active when the landing gear is extended and the “gear is compressed” switch is triggered.
An authorisation function would only be active when the aircraft engines are started on the ground.
Regarding: “Then authorization becomes part of the Checklist for engine restart? Is this really a bright idea?”
In the accelerator control systems I described above, once you are logged in you are able to do all the things that you have the rights to do, as many times as you want to do them. In an analogous system in an airliner, if you had the rights to start engines, once you were logged in as a pilot you would be able to start and stop engines as many times as you wanted to do so, until you logged off at the end of the flight. This type of login works like an old fashioned mechanical key, once it is inserted and turned to on, everything is on until you turn the key to off and pull it out. This is the way computer security levels usually work, for instance, if you have a particular level of administrative rights on a system, you can perform administrative tasks at that level as long as you are logged in as an administrator at the appropriate level. If you need to inactivate user accounts for 25 terminated employees, you can log in once to take care of all 25 accounts, you do not need to log in 25 times and delete the accounts one at a time.
In many implementations of the type of control system I described above, the tasks that you do not have the rights to perform will be greyed out on the system’s digital displays. Many users of Windows computers in large corporations will be familiar with this type of display, typically corporate IT will have disabled some Windows functions for non-administrative users and these functions will be greyed out on Windows menus. In other implementations, menu items or controls that you do not have the rights to use become invisible to you and are not shown at all on your display.
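The scheme discussed in the comments above (rights per job function, a login that is valid only for an assigned aircraft and time window, every login reported to a monitoring centre, and enforcement only while the "gear is compressed" switch is triggered) can be sketched as follows. This is an added example, not code from the article, its commenters or any avionics system; the role names, right names, tail number, users and times are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime
from typing import Optional

# Role and right names are assumptions; the split follows the comments above.
ROLE_RIGHTS = {
    "tow_crew": {"apu_start", "ground_steer_brake"},
    "engine_test": {"apu_start", "ground_steer_brake", "engine_start"},
    "pilot": {"apu_start", "ground_steer_brake", "engine_start", "flight_controls"},
}

@dataclass
class Assignment:
    """A duty assignment: who may act in which role, on which aircraft, and when."""
    user: str
    role: str
    aircraft: str
    valid_from: datetime
    valid_to: datetime

@dataclass
class Aircraft:
    tail: str
    weight_on_wheels: bool = True           # the "gear is compressed" switch
    session: Optional[Assignment] = None    # persists until cleared, like a turned key
    alerts: list = field(default_factory=list)  # stand-in for the monitoring-centre link

    def login(self, a: Assignment, now: datetime) -> bool:
        # Accepted only for this aircraft and only inside the assigned time window.
        ok = a.aircraft == self.tail and a.valid_from <= now <= a.valid_to
        self.alerts.append(("LOGIN_OK" if ok else "LOGIN_REJECTED", a.user, now))
        if ok:
            self.session = a
        return ok

    def request(self, action: str, now: datetime) -> bool:
        # Airborne, nothing is withheld: a lost session must never block a restart.
        if not self.weight_on_wheels:
            return True
        s = self.session
        allowed = s is not None and action in ROLE_RIGHTS[s.role]
        if not allowed:
            self.alerts.append(("DENIED:" + action, s.user if s else None, now))
        return allowed

def run_scenario() -> dict:
    """Constructed scenario: tail number, users and times are made up."""
    def at(hour, minute=0):
        return datetime(2018, 8, 15, hour, minute)
    ac = Aircraft("N000XX")
    tow = Assignment("tow1", "tow_crew", "N000XX", at(2), at(4))
    pilot = Assignment("pilot1", "pilot", "N000XX", at(6), at(9))
    out = {}
    out["pilot_login_0100"] = ac.login(pilot, at(1))        # hours before the duty window
    ac.login(tow, at(2, 30))
    out["tow_apu"] = ac.request("apu_start", at(2, 31))
    out["tow_engine"] = ac.request("engine_start", at(2, 32))
    ac.session = None                                       # tow crew logs off
    ac.login(pilot, at(6, 30))
    out["pilot_engine"] = ac.request("engine_start", at(6, 40))
    ac.weight_on_wheels = False                             # airborne
    ac.session = None                                       # simulate a system reboot
    out["inflight_restart"] = ac.request("engine_start", at(7, 15))
    out["alerts"] = [a[0] for a in ac.alerts]
    return out

if __name__ == "__main__":
    print(run_scenario())
```

The in-flight branch reflects the objection raised in the thread that a rejected login must never prevent an engine restart in the air.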
You have not understood how that log in works.
You are using the wrong paradigm wrapper to handle it in your mind. This happens to be a major problem in our modern society.
The system holds “state”. You have a session running from an I/O device that is known to the system.
Now reboot. 🙂
No, it’s not and it can become a source of another type of failure.
… for what? Because of one strange guy we have to rebuild all airplanes?
Next step: Block all selling of MS Flight Sim? Come on.
Solution should come from Horizon work management. Period.
You do not necessarily need a Dash simulator to learn how to start the engines. There are also tutorial videos showing the basics freely available.
So you can use the simulator to learn the basic flying and the videos to get the details for an aircraft type.
another airliner theft, although maybe harder to stop as the perp was a pilot.
That is part of Bjorn’s main point, but this while not common has a number of incidents of identical nature.
But that is true of any machine that can be turned into a weapon as it were.
Great write up Bjorn, I would like to add a few things.
Run ups are not always done in a special area. They can be but for smaller aircraft, often it’s done where they are serviced (not at the gate).
I strongly suspect that Richard in his time as an aircraft handler had been around mechanics starting engines as well as avionics techs doing their work. He clearly was a very bright person (shame to lose someone like that) and between what he observed and the simulators, getting one going clearly (now) would not be an issue.
It will be interesting to find out if he did a trial run or two on the sly. Opportunity being the key with no one around. More is likely to come out.
My brother who was not a trained pilot but was an avionics tech could take off an airplane as well as I could as well as fly it. He was a great auto pilot!
I suspect he could have landed it as well but not something we ever tried.
I’ve never done acrobatics but it was impressive to see it pulled off though I too noted he almost hit the water on the one.
All in all though it’s pretty much a one off event. We should not drive policy or make changes for such a rare situation.
All that really needs doing is a heads up and alert that it could happen (orientation training) and let it go at that.
The real lesson is that perfectly normal seeming people can commit suicide.
We have a long ways to go on understanding mental health and will never understand it in any near term future, likely never all of it.
Bjorn: We have already seen a number of cases where a disturbed pilot committed suicide.
Any lock out system has to have a well thought out redundancy and all failure paths clearly understood.
The locking cockpit door that failed to ensure a second person was in the cockpit has killed more people in the aircraft than terrorists ever managed (as near as I can figure).
Things like Boeing auto throttle turning itself off when the command was for another mode ?
Regarding: “The locking cockpit door that failed to ensure a second person was in the cockpit has killed more people in the aircraft than terrorists ever managed (as near as I can figure).”
By my math 2,977 – 150 = at least 2,827 more people killed by unauthorized people acting as pilots than by pilots locked out of the cockpit. See below. Death toll for German Wings accident was 150.
“Nineteen men hijacked four fuel-loaded US commercial airplanes bound for west coast destinations. A total of 2,977 people were killed in New York City, Washington, DC and outside of Shanksville, Pennsylvania. ”
You don’t think that reinforced doors which must be kept locked in flight have nothing to do with there being no 9-11 style hijackings since 9-11?
I would have thought for anyone who is noted for details, you of all people would have noticed.
ON THE AIRCRAFT!
I need to count up MH370 (99.999% pilot suicide), The A320, SilkAir, Africa)
The point being that the locking cockpit door has moved the stats from Terrorists to Pilot.
And back to trying to insert bombs.
In the mechanical world we call it the law of unintended consequences.
And as noted, as this is a once in 100 years incident, do we wig out over that?
This is worth reading.
Some more good background.
The idiotic comment from the author of this article blows my mind. Comparing flying an airliner to driving a School bus is a pretty ignorant comment coming from a professional pilot. I’ve been instructing airline pilots for the last 25 years and some of my worse students were ex hot shot fighter jocks…I’ve been in both worlds so I know…
The professional who drives a School bus uses his skill to drive with maximum safety and driving so the kids, who shall grow up as responsible traffic participants, learn a calm and smooth conduct is the most enjoyable and preferred way to conduct yourself in the traffic. This is very much the skills of good airliner pilots as well. A large proportion of the cabin are afraid to fly. We don’t have to discuss the safety aspect, this is paramount. The other aspect is the deliberate smooth flying with basic restrained manoeuvres, without any unnecessary or fast movements.
My description was not condescending re. airliner flying. It was as I see it an analytical observation of the two ways of conducting a flying job with pilot roles and aircraft types which are drastically different in their characteristics. The fighter job stresses advanced flying, to the limits, but is light on procedure knowledge and crew resource management among many things. They both require high skills and one is not better or more advanced than the other. They are just different.
That’s why I’m not surprised about the fighter jocks being bad airliner pilot candidates. The sought skills are quite different.
With respect, Mallard, Bjorn compared taxying with driving: “Tax[y]ing the aircraft is like driving a bus or a lorry.” The flying comparison involved a light aircraft not a road vehicle.
Back when I learned to fly, fighter pilots were what turned into airline pilots.
One was the GI bill. One was up and out, if you did not get promoted out you went. One was twin jet (F-4) was considered multi engine and there were a lot of F-4 drivers post Viet Nam.
Advantage may have been having GIB.
But also, I would contend the ability to master a subject and the military disciplines pay when you go to study a complex civilian aircraft and all the process and procedures inherent in it.
What was funny was one of my instructors was just amazed at my ability to hold a course within a degree under any conditions as well as little altitude deviation.
I learned to hold courses in a small boat in rough weather with my dad getting quite irritated if you deviated half a degree.
The military (which is where my dad got that from as he was ex Navy) are not very forgiving.
The acronym KISS has always been the best place to start designing anything, and in my opinion the most simple solution is already in plain sight and in use today.
Go and buy a new car…. you get a “key”, but there is no lock – you start the car by being in the seat with the “key” and pressing a button. The sensor “knows” the “key” is nearby and the starter responds, but without the “key” nearby nothing happens.
All of the aircraft fleet in an airline could have the sensor fitted to the start sequencer, and all of the Captains and required maintenance engineers be provided with “keys”. As a pilot makes Captain or as a Captain moves to another fleet they get the appropriate “key” (and as a vital part of the tools for the job it would probably end up hanging on the neckstrap with their security and ID badges).
The APU need not be part of the protections, since that usually needs to be started by ground maintenance personnel or the FO on reaching the aircraft.
BTW, for the uninitiated, KISS = Keep It Simple, Sucker (that’s the nice version, anyway!).
Lock the chocks.
Like the Denver Boot?
California Aircraft Boots would probably work better than Denver Boots.
Make the sidestick or some other necessary input device removable.
Voila, you have your “airplane key” 🙂
Or not make it any more complicated than it is as a one off?
Sucker vs Stupid, take your pick
What these are called is a one off driving a needless issue.
Richard was clearly a Unicorn in today’s parlance.
Focus on things that really matter?
Or work into a frenzy over something that is not going to ever happen again?
I actually have a pretty simple one, but it too has issues.
Sooner or later your solution bites you in another way.
In some countries taxi drivers have to insert their smart taxi driver’s licence in a small box to run the car. A similar Aerospace box that allows different modes of operation depending on which driver’s license is inputted into the reader.
And back to the basics