Germanwings flight 4U9525: a victim of the deadlock between safety and security demands

Two up front for safety? Jason Calston/Airbus

It seems incredible that a pilot of a passenger airline could be locked out of the cockpit. But analysis from the cockpit voice recorder recovered from Germanwings flight 4U9525 after it ploughed into the Southern Alps in France has revealed that this is what happened and that one of the two pilots had been trying to get into the cockpit before the crash.

An initial explanation that the pilot at the controls was incapacitated, perhaps from a heart attack, has since given way to an alternative given by French investigators: that the co-pilot in the cockpit – named in reports as Andreas Lubitz – deliberately prevented the captain from entering in order to destroy the aircraft.

Following the September 11 attacks in New York in 2001, passenger aircraft cockpit doors have been reinforced in order to be made secure, and even bulletproof.

Access to the cockpit must be locked during flight, preventing passengers from forcing entry onto the flight deck so that pilots can safely fly the aircraft and manage any situation without worrying about potential hijackers. For the safety of the pilots the cockpit door must open at the pilot’s command from the flight deck, for example when there is no apparent risk of malicious attack. The outside of the cockpit door is secured by a keypad, to which the crew have the codes. But the request from the keypad to open the door must be confirmed by the pilot who remains inside.

It has become apparent that these two aspects – safety and security – are not always achievable at the same time. In the event of an incident like this, they even work against each other.

A trade-off between safety and security

People often confuse “security” and “safety”. In Chinese the two words are exactly the same. However, conceptually they are different.

Security offers protection from intentional attacks, while safety offers protection from accidents. Although some security incidents are accidental, or are made to look accidental, some element of intent, usually malicious, is involved.

The trade-off between security and safety risks in this context is hard because the probability of accidents can be modelled while human intention cannot. One could try to estimate the probability of someone having bad intentions, especially pilots, but in the end it’s not possible to square one with the other – it is comparing apples with oranges.

With the ultimate goal of protecting the lives of those on board, the process by which the cockpit door is opened and closed is crucial. Closing the door is not always right, even when the flight may be threatened by potential terrorists. Requiring a pilot on the flight deck to open the door to a fellow officer outside is of no benefit if the crew remaining inside are incapacitated or unwilling to do so.

Timing and context are key

Feature interaction manifests itself in the way hardware and software interact, such as in the design of lifts, vehicles or even smart homes. In order to avoid problematic interactions, priority needs to be assigned to those features that are paramount – on aircraft, this is protecting the lives of passengers. The key to this is context and timing.

How can the electronic, robotic controller of the cockpit doors collaborate with the human crew member desperately looking for ways to gain entry to the flight deck? Knocking, or even smashing down the door is not enough – because potential terrorists may do the same, and so these eventualities will have been catered for in the initial design.

In this case, an adaptive user interface mechanism, which has been used to simplify complicated software systems, could enhance the usability of an otherwise complex security system. Mobile payment systems, such as Apple Pay, have demonstrated it’s possible to simplify the interface to otherwise complex security systems. For example, users do not need to carry credit cards yet can still properly certify their transactions. Such time-saving elements to verify security could be, in such a contingency as this, a life-saving feature.

Control of the cockpit door must be adaptive to the context of the situation, providing a means to bypass the risk of a situation where flight crew are locked out of the cockpit. Had the robotic door controller understood there was a reason the pilot at the controls could not confirm the entrance of the pilot outside – by registering a malfunctioning seat, for example, or reading dying vital signs from a heart monitor – it could override the security requirements and allow the pilot to re-enter the cockpit.
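To make the feature interaction concrete, the following is an added toy model, written for this page and not the Airbus door logic or any real avionics code. It encodes the protocol exactly as the article describes it (a keypad outside, a code held by the crew, and a confirm-or-deny decision by the pilot inside) and then adds the article's proposal: a hypothetical incapacitation signal from a seat or vital-signs monitor that, when present, outranks the missing or refused confirmation. The crew code, the sensor flag and the scenario names are all constructed for the example; running the baseline and the adaptive controller side by side shows where the deadlock sits and that the override does not weaken the wrong-code or healthy-pilot-denies cases.

```python
"""Toy model of cockpit-door access control: baseline vs context-adaptive.

Constructed illustration for this article; not the Airbus implementation.
Assumptions (all hypothetical): a single crew code, one inside pilot,
and a boolean incapacitation signal derived from seat/vital-sign sensors.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import List


class DoorState(Enum):
    LOCKED = "locked"
    REQUEST_PENDING = "request pending"
    UNLOCKED = "unlocked"


@dataclass
class CrewContext:
    # Hypothetical sensor input the article suggests (seat fault, vital signs).
    pilot_inside_incapacitated: bool = False


@dataclass
class DoorController:
    crew_code: str                      # code known to the flight crew (constructed)
    adaptive: bool = False              # True enables the context-aware override
    state: DoorState = DoorState.LOCKED
    log: List[str] = field(default_factory=list)

    def keypad_request(self, code: str) -> DoorState:
        """Someone outside enters a code. A wrong code never changes the state."""
        if code != self.crew_code:
            self.log.append("wrong code: stays locked")
            return self.state
        if self.state is DoorState.LOCKED:
            self.state = DoorState.REQUEST_PENDING
            self.log.append("valid code: awaiting confirmation from flight deck")
        return self.state

    def inside_confirm(self) -> DoorState:
        """The pilot inside approves the pending request."""
        if self.state is DoorState.REQUEST_PENDING:
            self.state = DoorState.UNLOCKED
            self.log.append("confirmed from flight deck: unlocked")
        return self.state

    def _resolve_without_confirmation(self, ctx: CrewContext, reason: str) -> DoorState:
        # Priority rule from the article: protecting life is the paramount
        # feature, so sensor evidence of incapacitation outranks a missing
        # or refused confirmation. Without that evidence the security
        # requirement stands and the door stays locked.
        if self.adaptive and ctx.pilot_inside_incapacitated:
            self.state = DoorState.UNLOCKED
            self.log.append(f"{reason}, but incapacitation detected: override, unlocked")
        else:
            self.state = DoorState.LOCKED
            self.log.append(f"{reason}: locked")
        return self.state

    def inside_deny(self, ctx: CrewContext) -> DoorState:
        """The pilot inside refuses the request (the 'unwilling' case)."""
        if self.state is not DoorState.REQUEST_PENDING:
            return self.state
        return self._resolve_without_confirmation(ctx, "denied from flight deck")

    def inside_no_response(self, ctx: CrewContext) -> DoorState:
        """No decision arrives before the request lapses (the 'unable' case)."""
        if self.state is not DoorState.REQUEST_PENDING:
            return self.state
        return self._resolve_without_confirmation(ctx, "no response from flight deck")


def lockout_scenario(adaptive: bool, incapacitated: bool, deny: bool) -> DoorState:
    """Run one lockout scenario end to end and return the door's final state."""
    ctrl = DoorController(crew_code="1234", adaptive=adaptive)  # constructed code
    ctx = CrewContext(pilot_inside_incapacitated=incapacitated)
    ctrl.keypad_request("1234")
    return ctrl.inside_deny(ctx) if deny else ctrl.inside_no_response(ctx)


if __name__ == "__main__":
    cases = [
        ("baseline, pilot incapacitated, no answer", False, True, False),
        ("adaptive, pilot incapacitated, no answer", True, True, False),
        ("adaptive, pilot healthy, denies entry", True, False, True),
        ("adaptive, pilot healthy, no answer", True, False, False),
    ]
    for name, adaptive, incapacitated, deny in cases:
        print(f"{name}: {lockout_scenario(adaptive, incapacitated, deny).value}")
```

The first case is the deadlock the article describes: the baseline controller is behaving exactly as specified and still leaves the door shut on the one person who can fly the aircraft. The second case is the article's proposed fix. The third and fourth cases are the checks a reviewer of such a design would insist on: with no incapacitation evidence, a denial or a lapse from a healthy pilot still keeps the door locked, so the override only fires in the context it was introduced for.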

We need to reassess the risks and arguments around safety and security in the context of aviation, and find ways of bringing together hardware, software, and the flight crew themselves – perhaps through health monitoring devices – in order to ensure that both these demands work together, and do not become a threat in themselves.