12 Sep 01
updated: 12 Oct01

In order to defeat a terrorist suicide mission or any form of unlawful interference, this anti-hijacking system is suggested:

The captain would have sole knowledge of his own personal (FAA issued) override "passivator" code (equivalent to a PIN no) which he would have to "punch in" (digit by digit) every 20 minutes (on the sounding of a warbler alert - that would otherwise rise in amplitude to a scream-pitch over the space of a minute).  That passivator code would radiate to the (let's call it mode T) satellite-based transponder and trigger a reply code giving him another 20 minutes flight command authority.  If the aircraft captain is unable (or unwilling) to radiate that code, it will not then "switch off" an otherwise automatically-incoming "disabler" code. Following receipt of a "disabler" code's pulse-train, passively retaining autonomous flight-control is no longer an option….it then becomes an automated procedure - with recovery being "at the nearest suitable".

 Of course the captain might then need the moral fortitude (for a short period), under extreme duress, not to divulge that code....  and perhaps while his passengers are brutalised and murdered.  But the outcome would be overall a better one and it would be an acceptable "fail-safe mode" in the war against terrorist suicide squads.  They'd soon get the message and start looking elsewhere for targets of opportunity.  The infrastructure for such a system would not be expensive in comparison to the main and auxiliary benefits it offered (see next para).    The Captain's "emergency activation" code could also be dialled in preflight and activated inflight (by quickly lifting a guard and pushing a button) as soon as there was an apparent "situation" on board, down the back. It would lead immediately to a data-dump (of the CVR/DFDR), loss of pilot flight-control authority, opening of an "open mike" one-way air-satellite-ground eavesdropping cockpit microphone broadcast link and a ground-commanded autoland at the nearest suitable airport.  It would cede complete control of your airplane to a ground-station at the selected divert airport (and for all intents and purposes the entire cockpit would "go dark" and be non-functional).  The autopilot would be unable to be disconnected or overpowered.  The throttles would be "in electrical disconnect" and disabling controls (such as fuel switches) would be solenoid-switched to failsafe ON. The flight-crew would have become passengers and the aircraft de-weaponized.

Moreover, if the crew were to be suddenly overpowered (or incapacitated), the timer would be running on the passive mode anyway.  The transponder link (for a directed autoland cruise/descent and approach and landing) would be the satellite transponder channel via which fuel, thrust, reconfiguration, system parameters and flight-control directives would be both uploaded and downloaded.  And that system interface should be so configured as to make it impossible for it to be interfered with inflight (i.e.  access via ground access-panel only). 

That same transponder link could be used as a DFDR/QAR/CVR data-dump for any inflight emergency (as outlined in this now-somewhat-dated study to be seen at link B below). That link discusses the IRIDIAN/Roadshow solution to the loss of CVR and DFDR black-box data and is intended to resolve the inability of many crash investigations (probably including SR-111) to come up with any conclusive bottom line causes.  The RAFT paper (pdf file at link A below) has a broadly similar idea behind it.

The reliability and redundancy of satellite comms and auto-land systems should enable this solution ( let's call it Robolander ) to become a reality for part 121 in the medium term and (maybe later) part 135 airliners and bizjets .  It could also cover the contingency of pilots being food-poisoned, depressurisation/ hypoxia (or falling asleep and overflying), dense continuous smoke - perhaps even some flight instrument or nav kit failures.  It may require the number of cat III ILS autoland-equipped airports to be increased so as to ensure one is always within range.  The Robolander system should also be able to remotely cope with some common systems or power-plant failures.  And it's not as if we are talking pilotless drones here - although system checkout on maintenance air-tests might require provision of a one-time-issue override key-code that could be quickly pilot-injected onboard (if the system appeared to be unreliable, inoperative or deficient).

Of course any such system, because it affects something as important as flight-control authority would need to be subjected to an intensive Failure Mode and Effects Analysis (FMEA). RoboLander transponder and control-panel access would be inhibited to the extent that any attempt to open it up (or destroy it) would trigger it anyhow. It would be required to have a failsafe (i.e. fail-operable) failure mode (i.e. latching) and to be compatible with Air Traffic Control systems internationally. This last factor has not proven to be insurmountable with many modern add-on systems such as TCAS, EGPWS, ELT, ACARS, RVSM, ADS-B etc. Some theoretical illustrative scenarios and failure modes are considered in the boxes below. In order to illustrate that Robolander's advantages and utility might extend beyond suicide terrorist hijackings by "sleeper" agents, we'll also consider two further non-hijack cases.

Solutions are always possible but in airline aviation there has to be a cost-benefit analysis and some real incentive for the industry and regulator to act.  Or at least that used to be the case.  I think that question has probably now been resolved.  But of course, even though technically possible and plausible now, this is all a bit futuristic and so, in the shorter term, crews (and the populace at large) must be protected by a heavy-duty metal flight-deck door - that being the only credible last-ditch defence.   

As the Global Hawk enters service with a number of Air Forces and demonstrates the maturity of unmanned aircraft operation, the technology that it commands, together with the equally mature autoland capabilities of most modern airliners, offers the best chance for survival in any future hijacking. I'd not give good odds against five or six out of the 500 odd passengers boarding an A380 not being unidentified bad guys. 1% is an easily missed target in any large undertaking. And given that the fanatics just keep coming, sooner or later they will penetrate security again. Layered defences and credible deterrents are the only real solution.




two horizonal bars one teal the other red staggered on top of each other

 banner with Spinoff in foreground of various images faded together



A high-performance navigation system used primarily for automatic aircraft touchdowns promises centimeter level landing accuracy.

Founded by alumni of the Stanford University Department of Aeronautics and Astronautics, IntegriNautics of Palo Alto, California has commercialized a precision landing system. The work has been assisted by Langley Research Center's Small Business Technology Transfer (STTR) Program.

But the real genesis of the idea was fostered by Stanford University work on a satellite test of Einstein's General Theory of Relativity. Called Gravity Probe B, this soon-to-orbit NASA spacecraft will rely on the Global Positioning Satellite (GPS) system for both precise orbit location and spacecraft attitude determination. To do so, researchers at Stanford designed new high-performance attitude-determining hardware that used GPS signals, then flight-tested the system on both spacecraft and aircraft.

It was this space project that sparked new thinking on a precision touchdown concept called the Integrity Beacon Landing System.

During a four-day period in October 1994, the idea was put to the test on Runway 35 at NASA's Crows Landing Flight Facility in California. These tests proved the validity of using what IntegriNautics terms integrity beacon "pseudolites." Compact in size, the ground-based low-power transmitters each fit entirely on a circuit board the size of a credit card. Capable of running on a 9-volt battery for over 12 hours, the inexpensive devices transmit just a few microwatts of power, emulating a GPS satellite. The beacons were situated in pairs on either side of the approach path to the runway. Power of the broadcast signals from the pseudolites was set low, measurable only inside a "bubble" emanating from the transmitter.

Boeing 737 air plane comes in for a landing
Boeing 737 conducts series of automatic aircraft touchdowns relying on a new precision navigation system.

Using signals from orbiting GPS satellites and the ground-generated pseudolite signals, 110 autopilot-in-the-loop landings of a United Airlines Boeing 737 were completed. The integrity beacons provided consistent accuracies on the order of a few centimeters during each of the autopiloted runway touchdowns. The successful series was sponsored by the Federal Aviation Administration (FAA) as part of that agency's satellite navigation program.

Evaluation of test results provides confidence that the level of integrity yielded by satellite positioning and the ground-based monitors would improve passenger safety. High integrity of the beacon landing system translates to just one failure in a billion approaches.

The company envisions a market for precision navigation, based on levels of performance beyond those provided by the current GPS satellite system. GPS is a worldwide navigation system providing 100-meter accuracy in its raw form.

IntegriNautics is now developing technology and products for a range of FAA, NASA, and Defense Department requirements, as well as commercial and international customers. Indeed, the first commercial sale of pseudolites took place in July 1997.

The first pseudolites were sold to customers for use in applications such as aircraft landing research, indoor GPS-based sensing, and robotic vehicle control. A key element of the IntegriNautics product selection is a processor that acts as a turnkey, high-performance positioning system. Several types of GPS pseudolites are presently offered. Work is continuing with Stanford through the STTR program, run through the Langley Research Center.

Built to operate indoors and outdoors, even in inclement weather, precision navigation devices are foreseen by IntegriNautics to have countless applications. Just a few potential pseudolite uses are obvious, such as commercial and general aviation aircraft, agricultural vehicles, open-pit mining, and automobiles.

  Previous Page / Home / Contents / Next page

ROBOLander example scenarios

Failure Mode (preflight)

"Seattle Delivery, United 456 ready for pushback, standing by for ATC clearance and, be advised, requesting Robo Flightwatch"  This indicates to Clearance Delivery that the a/c's RoboWatch system has failed its BITE (built-in test) check on prestart - but that they will be flying the route anyway under the provisions of a special ATC flightwatch - and be incapable of responding to a Roboland command.

"Robo status acknowledged, standby to copy ATC Clearance, your squawk now 4456. Readback"  (this ATC transponder squawk "thousands" block being now reserved for a/c flying with an unserviceable Robolander system and utilises the last three of the flight number). MEL certification would be for a onetime / one day (fix it overnight) dispensation.

Later (further down route)

Oakland ARTCC passes (on landline handoff) to Oakland Appch (or the Oceanic Controller))

"United 456 to you at FL350 on Robo Flightwatch".

What this simply means is that this a/c will be watched closely inflight for any unauthorised deviations from track and level, unexplained comms failure or ATC squawk change. If ATC suspected unlawful interference, the aircraft could then be asked to squawk the captain's personal mode T code ("United 456 squawk ROBO"). If it then did NOT (because the captain was dead, under threat or refused to squawk his personal code OR then set an incorrect code) then conclusions could be drawn and a USAF/ANG intercept and escort requested by ATC. Special handling might amount to about a hundred flights daily nation-wide, wouldn't lead to flight cancellations and shouldn't overstress controllers or the USAF ready alert pilots.

Failure Mode (inflight)

"Oakland Center, United 456 declaring ROBO DOWN at  time 1023 and requesting flightwatch"

"United 456, squawk 4456, your ROBO down acknowledged"

Situation: Warbler has failed to enunciate, system FAIL light has illuminated, Mode T transponder has not responded properly at the 20 minute mark - and an autoland intervention command would be expected to fail (so the crew declare their changed ROBO status).

Alternatively (or additionally), assuming the aircraft was seen to be deviating from track, without advising ATC, for reasons obviously other than weather.

"United 456 squawk ROBO" (this mode 3/A squawk would determine the presence of any unlawful interference). ATC would have the captain's personal code off the flightplan (via a secure database).

Special handling would continue if the a/c DID squawk the captain's personal code but intercept and escort would ensue if it DID NOT (or any other indication of unlawful interference emerged). As most airline a/c carry two ATC transponders as a backup, this system should be fairly reliable as a ROBO system backup.

Non-Hijack Emergency Scenario # 1

"Oakland Center United 456 declaring Mayday, Mayday, Mayday. Both pilots suffering extreme vomiting attacks and anticipating incapacitation. Request ROBO down."

In this instance, either before or after pilot incapacitation due to poisoning, food-poisoning or smoke inhalation, the Roboland system could be actuated from the nearest airport nominated by ATC. In an emergency even a flt attendant could lift the guard and push the emergency activation button. If no entry through the flight-deck door was possible, the 20 minute passivity timer would auto-initiate RoboDown.

Smoke-in-the-Cockpit Emergency Scenario # 2
"Mayday, Mayday,Mayday, United 456 has smoke in the cockpit, monitoring off all main busses and requesting radar vectors for nearest suitable, presently IMC in the cockpit at Flt Lvl 310 due dense smoke build-up" "United 456 Seattle Center roger your Mayday. Your mode Tango squawk appears normal. Select RoboDown for a pilot-monitored recovery. Your nearest suitable is Eugene in your 11 o'clock at 75 miles. Expect straight-in ILS runway 16 (8000ft available); remain this frequency throughout". Because RoboLander (as envisaged) has its own quite separate utility bus running off an ancillary load centre in the E&E bay, it enables pilots to quickly and necessarily get the normal power off the wire in the event of an electrical fire - and offers an alternative (i.e. not wholly irreversible) pilot-monitored solution to the presently insoluble dense continuous smoke in the cockpit problem. This would be modally different to the irreversible active "BRB" (or passively entered) anti-terrorist solution mentioned above.

See this link for further discussion of fail-operable and elective mode proposals:

A RoboLander status would normally be "irreversible" (by the pilots onboard) but not "irrevocable" (in the case of Robo-Link failure, ground flight-control would be automatically de-latched onboard and flight status would revert to autonomous on-board control). In certain scenarios, control could be relinquished back to the aircraft captain once he'd confirmed "operations normal" by inputting his ROBO code.

The "Pilot-Monitored" RoboLander Mode would be an onboard selection (as above) that would be reversible (i.e. de-selectable) and cover all situations and circumstances other than unlawful interference.

A.  http://www.iasa.com.au/folders/Publications/pdf_library/levine.pdf RAFT (the future in airliner data telemetry)

B.   http://www.geocities.com/Eureka/Concourse/7349/YourIridiumLegacy.html - Uploading your black-box data before the accident (Iridian/Roadshow)

Dagger Dirk (dagger_dirk@yahoo.com)

A Professional's View (of RoboLander)

Thank you for including me on this discussion.  Now let me throw my 2 cents worth into the hat. But first, in case either of you do not know my background, I am a flight control system design engineer, who has worked for both Boeing and McDonnell-Douglas.  Autoland and the reliability and safety requirements for such are my design speciality. Our "assault" to prevent such future acts must be layered.  The first must be to install MUCH more secure cockpit doors, even doubled-up if required, as well as much more strict procedures for securing the flight deck from engine start until engine shutdown.  These are the "cheap and quick" solutions. I would see the "code" solution you describe as a potential step #2. It would work well and be readily retrofittable onto the most modern fly-by-wire flight decks (777, A320, A330, A340 series).

Unfortunately, there are still gaping holes in this approach. The fact that I am trained to examine and analyze all possibilities and operations of a system and its requirements makes me uniquely qualified to champion such efforts and provide design guidance.

 The design must not only include the "lowest common denominator" aircraft type (the greatest number in the world-wide fleet) which still possess mechanical cable/pushrod flight control systems, but the analysis must also consider sabotage of other systems critical to flight.  Just two examples are:

1) On a non-fly-by-wire aircraft, one can overpower the autopilot (per design) without even having to disconnect it. Inputs on that control column are mechanically linked to the actuators.

2) One can still shut off the engines, shut off the fuel to the engines, shut off the electrical power to the fly-by-wire autopilot.

 These are just two of the reasons that I believe the cockpit must "go dark" and become completely non-functional, if we are to truly rob the terrorist of his opportunity to kill more than just those on the airplane.

 By no means am I criticizing your ideas.  As I say, they are excellent ideas and they can be envisioned as one layer in our new world of required aviation security.  I am simply, as called for by my profession, seeking to plug all the holes, and achieve probabilities of such events occurring ever again that are as low as losing an airplane that is executing an automatic landing (which is less than 1 in a billion, per certification requirements).

 Kindest regards to you, and any of your countrymen affected by this tragedy.  It is not just about America, it is about the global community of peace-loving nations.

 Rainman (Raymond Hudson)

Note: Implementation problems addressed above are addressed in robofaq.html

Raymond "Rainman" A. Hudson

Raymond.A.Hudson@boeing.com (may be now defunct)  
alternatively    Rainman.Hudson@worldnet.att.net or Rainman@tree-o-life.org



MD-11/MD-10 Autoflight System Design & Technology

Background as a control systems design engineer, initially for the military establishment. Worked for General Dynamics designing autonomous missile autopilots, and detection/launch control system equipment. Since 1988 I have worked in commercial aviation, first as a design engineer for McDonnell-Douglas Long Beach on the MD-11 autoflight system. I then went to work for FedEx as lead autopilot/CAT III project engineer for the FedEx fleet of 727, DC-10, MD-11, A300-600, and A310 aircraft. I am now back at MDC again doing trijet autoflight systems. I dabbled in FMS and EFIS, but my strengths are in autoflight and electronic aircraft maintenance systems.

First soloed in a C-172.

Principal Engineer

Autoflight Systems







Last modified: Tue Aug 5 12:05:05 1997

A Well Qualified Supporter (check his resumé below first)

To All Concerned With Stopping These Needless Aircraft Fatalities:

Sy Levine

About Sy Levine

Since retiring from the Northrop Corporation, Sy Levine has been working on a world wide, real time, remote monitoring system, called RAFT, that would significantly reduce air fatalities while enhancing air transportation security and operational efficiency.  Prior to this endeavor he was the Chief Engineer and Program Manager at the Northrop Grumman Corporation Electronic Systems Division in Hawthorne, California where he directed the work of several hundred engineers.  He's an internationally recognized expert in program management, systems, navigation and servo mechanisms.  During a forty year career in the aerospace industry, he managed advanced optical and laser sensor development, guidance navigation programs and new system developments from conception through production and operational field utilization.  He was also the Program Manager of the B-2, Peacekeeper, SR-71 and TR-1 Air Force programs.  In addition, he managed the Advanced Sensor Department that was responsible for a number of new developments including the laser based Obstacle Avoidance System (OASYS) for piloting rotorcraft.  This light detection and ranging (lidar) system introduced the concept of a window of safety to prevent helicopters from striking wires and other obstacles.  Sy was a Director for Litton Guidance & Control and Manager of the Advanced Guidance Systems Department at Sperry Gyroscope Company.  Sy Levine holds eleven patents, ranging from inertial navigation through holographyOne early patent was for the first commercial inertial navigation system, INS, which was put aboard Pan American aircraft, which dramatically changed commercial aircraft navigation.  The latest patent is for the Remote Aircraft Flight Recorder and Advisory Telemetry System (RAFT) that can substantially reduce air travel's fatal accident rate.  He was also the chief scientist aboard the USS Ethan Allen submarine - the one used in "The Hunt for Red October"- during its maiden voyage.  Sy has been a guest lecturer for the Institute of Navigation (ION) and have authored numerous papers including............:

Just as indicated in the email sent to me, providing ground control of a commercial aircraft for landing in the advent of an emergency/hijack is both easy to do technically and safe, as well as being the most practical way to handle a batch of problems. This technology is now being utilized in a multitude of military RPV (Remote Piloted Vehicle) programs and there are no technical or safety reasons for not doing it with commercial aircraft. The concerns of Raymond Hudson are relatively easily overcome with proper systems engineering and are already being addressed in the RPV programs. When the ground director takes control of the aircraft they can either land the aircraft safely at the original destination airport or at another depending on the situation. They could even give the control back to the pilot should all of the communication with the aircraft and its safe trajectory so indicate that this is safe to do. The ground control place can be made very secure as well as the communication just as we handle our ballistic missile control systems. All of this is old hat for the military. Once again it must be reiterated that GPS came out of the military and all of the commercial aviation industry never supported the program. Thank g-d that it came that way since now its being an integral part of all the people who tried to sink the program.  The key to all this is the RAFT technology which not only handles these cases but a host of other problems from ranging from the ground incursions (via visibility of aircraft braking, thrust as well as position etc.) It has been the information vacuum and stagnation that has stifled the safety, efficiency and security of commercial aircraft.

It has prevented the use of "expert systems" that contained all of the necessary data to be utilized properly. This is the major problem - all of the other problems, including security, are being tackled but the information vacuum has been left festering. That total visibly real-time problem is why the fatality rate for commercial aircraft hasn't been reduced since the 1960's (This period in which radar greatly increased the data available in comparison with visual control. There has been no substantial increase in the data shared between the controller and flight crew since then. If they'd had the technology back in the 1960's to do what we could do now I'm sure it would have been done already. Now you deal with all of the "can't and won't do" people. These status quo people present a major problem since they are preventing the "can do" people from doing what needs to be done now - ie: bringing the aviation control system into the modern information age.)



PS: (If you respond to my comments please give me a couple of weeks

since I need some time to myself and I'm going to the redwoods.)

safety@iasa-intl.com wrote:


> Sy

Ø       Look at the following URL's You might have some opinions - (and yes IASA is still going strong).

Ø       http://www.iasa.com.au/folders/RoboLander_files/RoboLander.htm  (also attached in Word 2000 format)

Ø http://www.airliners.net/discussions/general_aviation/read.main/336291/



Recently there was a posting describing an anti-terrorist scheme based on remotely controlling the hijacked aircraft so as to deny the hijackers the control necessary for them to achieve their objectives.

[http://www.avweb.com/toc/avmail.html ]  

I have seen this idea promoted on another forum, from a poster with impressive technical qualifications. Because of that, I believe that the concept is feasible; but it's ill advised, at least without serious thought and study.

 My concerns are related to the ultimate safety of any complex solution to what is a relatively simple problem. Remote control of a civilian airliner is a relatively complex task, and although it would likely use existing technology (guidance and control systems) the interlocks, oversight and safety systems that would be necessary would most certainly not be trivial.

The sensing devices and decision logic referred to in the poster's email gives one an idea of the complexity the designer would be looking at, and the possible failure modes.

 In proposing the solution, the poster compared it to the "Dead Man's Switch" employed by the railroad. Operationally speaking, this is an error, since there are fundamental differences in the operation, and safety of each environment.

 Consider the operation - the train is constrained to the tracks, and slowing down is inherently safe. For the aircraft, both statements are basically false. Regarding the safety, for the train, you would automatically progress from a slightly more dangerous state (train in motion) to one that is undeniably safer (train stationary). In the aircraft remote operation scenario, you are moving from a safer operational mode (aircraft under local control) to a less safe one (aircraft under remote operation). To implement remote operation, you would further degrade the safety. Even when it is not being used or needed. You will have to employ fairly complex software to allow transfer of control safely, and to prevent return of control accidentally or by force by any hijacker. You would also have to create a system with a number of interlocks, controls and sensors to prevent accidental deployment when it is not needed. In effect, you would be placing this software controlled, safety critical system in series with the rest of the safety critical aircraft systems you have running the plane.

That unavoidably reduces the safety that you had before.

 Furthermore, this complicated system, would likely have the ability to wrest control of an aircraft from the captain [probably irretrievably, since the goal would be to not allow anyone in the cockpit to be able to regain control].

 How many instances of this system going wrong could we bear, especially if there are other much more reliable measures that can be taken?

 I believe Mary Schiavo has part of the solution. It is abundantly clear that security is inadequate when one can smuggle prohibited weapons and devices past a screening system. But the weapons used in NY weren't prohibited, and if they were, others would likely replace them that are even harder to detect and easier to conceal. Nevertheless, improved screening would reduce hijacker's likelihood of success many fold, if implemented.

 The most security, and least additional risk in implementation (probably none) would involve making the cockpit inaccessible to any passenger during flight. If necessary, the barrier could be enhanced to improve it's effectiveness against attack, but adding complexity here has no effect on flight safety. Perhaps coupled with video monitoring and screening, many of the perceived shortcomings of locked cockpits and isolated crews could be overcome, but the fundamental fact is that if the hijacker doesn't have access to the cockpit he cannot control the aircraft.

 It's as simple as that.

  DGPS as an alternative to

 ILS Autoland


(a discussion on armed pilots)

    Robolander - FAQ's and

responses to queries

That Further Bastion

( a justification for RoboLander)

RoboLander Reliability -

Redundancy, Reliability, Fall-back Modes -

and The Potential for Failure

Classic Airliner Technology Developments

(which tend to support the RoboLander Concept)

Another Important Reason why RoboLander

is an idea whose time has come.

Text of President G.W. Bush's

Airline Security Speech of 28 Sep 01

(advocating a look at a RoboLander)

The Great Debate Informed Debate

See Main RoboLander Menu for a full List of Relevant Links

Click this button-link for a Word 2000 version of the above page.

                Any useful comments or criticisms to:  dagger_dirk@yahoo.com

to the RoboLander Menu