FAA Rules Out Cockpit Redesign to Thwart Pilots’ Sabotage

Updated on
GRAPHIC: Co-Pilot May Have Initiated Descent

More than a year after the Malaysia Air disappearance raised questions about pilot sabotage, the U.S. Federal Aviation Administration confided to investigators it has found no legal or technologically feasible way to make cockpit electronics impervious to tampering.

The finding came in a written response to a National Transportation Safety Board recommendation to redesign black box recorders and other critical electronics so they can’t be switched off during flight. The main impediment is that pilots sometimes need to cut the power in the event of overheating or fire, the FAA said in the letter obtained by Bloomberg News.

“There appears to be no safe way to ensure recorders cannot be intentionally disabled while keeping the airplane safe from electrical failure that could become hazardous,” FAA Administrator Michael Huerta wrote in the April 22 letter.

The FAA also rejected the NTSB’s calls for adding video recorders in cockpits, saying there is “no compelling evidence” it would help investigations. The FAA’s positions add new complexity to the issues underlying attempts to prevent another disappearance of a plane like Malaysia Air Flight 370 and to combat intentional acts such as the pilot who this year crashed a Deutsche Lufthansa AG Germanwings plane into the French Alps.

The FAA declined to comment beyond the letter, spokesman Les Dorr said in an e-mail. The agency has been taking steps to address the risk of pilot tampering. Last month it formed an advisory panel to examine how it can better screen pilots for mental illness, and it’s also part of a United Nations group studying broader flight-tracking suggestions.

Malaysia Air

The NTSB has been seeking ways to make flight-data recorders tamper resistant since 2000. Its original recommendation was prompted by the 1997 crash of a SilkAir plane in Indonesia that killed 104 people. The NTSB concluded that the captain, who had growing debts and was in trouble at work, cut power to the recorders and dove the plane into a river.

The issue was raised again last year when a Malaysian Airline System Bhd flight with 239 people aboard vanished without a trace on a flight from Kuala Lumpur to Beijing. A months-long search of the Indian Ocean was complicated because it appears the Boeing Co. 777 was deliberately turned off course and its radios and tracking equipment were switched off, according to Malaysian Prime Minister Najib Razak.

Nine Recommendations

Because of that case and pilot suicides that preceded this year’s Germanwings crash, the NTSB in January issued nine recommendations calling for better aircraft tracking, improved flight recorders and systems that couldn’t be disabled by pilots.

The FAA’s response to the NTSB laid out reasons why such changes weren’t feasible. Huerta cited aviation regulations that require aircraft designers to give pilots the ability to switch off electrical power from components in the event they overheat and threaten to cause a fire.

One example occurred in 1998 when pilots of a Swissair flight detected smoke in the cockpit but were unable to cut power to the in-flight entertainment system to diagnose and contain the problem, the FAA said. A fire spread and the plane crashed in the Atlantic Ocean near Nova Scotia, killing all 229 aboard.

“The FAA does not want to introduce design requirements that could expose the airplane to system risks that can lead to cascading failure and fires,” the FAA’s letter said.

Pilot Opposition

Pilot groups, such as the Air Line Pilots Association union, have also opposed measures that limit their ability to shut off power to aircraft components as a result of the Swissair accident and other fire incidents.

While some manufacturers have moved circuit breakers for some electrical components out of the cockpit, it’s still possible to disconnect them by cutting power to broader circuits, according to the agency.

“With such designs, a determined, malicious, technically competent crew member could still manipulate flight deck accessible circuit breakers to disable data recorders,” the FAA said.

The issue of whether electronics can be made tamper-proof without causing additional safety risks has sparked debate.

Rick Castaldo, a consultant and former FAA engineer, said in interviews last year that a new generation of sophisticated circuit breakers could protect against electrical fires without giving pilots the option of shutting critical equipment.

Some electronic systems are already designed to operate without input from the cockpit and it’s possible to design them so they can’t be disabled, Chris Benich, vice president of aerospace regulatory affairs at Honeywell International Inc., told the NTSB at a forum Oct. 7.

The UN’s International Civil Aviation Organization, which sets global standards for airlines, endorsed steps to improve flight tracking at a session on Feb. 3. An ICAO statement didn’t specify whether it would back a standard for making flight recorders and other cockpit equipment tamper-resistant.

Before it's here, it's on the Bloomberg Terminal. LEARN MORE