Peter B. Ladkin with Frank Taylor
Report RVS-J-01-01
In German, the words for safety and security are the same. I used
to think this was a conflation of two different things, but then
came to realise that they both speak of failures with disastrous
consequences. In system safety engineering, the word "accident"
as it is defined does not distinguish between intentional and unintentional
failures, because the notion of intention does not enter.
An accident is defined as an "unwanted" event or occurrence (or
even process); some specify "unwanted" as meaning loss of life,
or of money, or environmental harm, or other specific modes of loss.
But logically it is a simple choice what counts as "unwanted". It
is some specified event, state, or chain of either, which it is
desired to avoid during operation.
Safety is defined as "lack of accidents", but this cannot distinguish
the common meaning of safety from that of security, if the notion
of accident does not. The distinction must come in the process which
leads to the accident: are there elements of human intention towards
the accident occurrence, or not?
The word to characterise things with a purpose is "teleological".
Most artificially engineered systems are teleological; they may
be said to have a purpose. Airplanes certainly do. But the process
that leads to an accident may or may not have teleological components.
Whether the process has purposeful components significantly affects
the way in which we must think about prophylactic measures in logical
terms. If an accident process does not purposefully aim towards
the goal (the accident) then all one must do to avoid a repeat is
to break one link in one of the causal chains leading to the accident.
If one succeeds, such an accident cannot occur. This is the approach
used by investigative body recommendations arising from accident
investigations, although of course one tries to do better. One tries
to be as general as possible, to "cover" the most potential future
incidents; one tries to be complete, "breaking" as many links as
reasonable; and recommendations may also arise from any observations
which do not relate directly to the accident.
If there is purpose involved, that is, if one is dealing with what
philosophers and cognitive scientists call an "intentional agent",
then things are a little more difficult. Break one causal chain,
and the intentional agent may find a substitute with the same outcome.
So one has to look at, not just links, but paths in the causal graph,
with endpoints, and ask not just how to break one link, but how
to break all physically possible paths with the same endpoints.
This is a much harder technical problem. But it has the same nature,
nonetheless.
Technical safety and security analyses are thus logically similar. The
same (adequate set of) concepts used for safety analysis would suffice
in principle for technical security analysis (as I should like to
call it) but the analytical problem becomes much, much harder.
Common security analysis tries to control the existence of intentional
agents and the access of such agents to system processes. One could
surmise that this is because controlling the agents is regarded
as easier than solving the logical-analytic problem above, for the
most part.
In the aftermath of the horrendous events of September 11, 2001,
we might well like to think again about technical security analyses.
There is at least one major component of that deliberate "accident"
which has been looked at technically for a while, without resounding
success. So far.
The buildings collapsed because of the fire, estimated at some
800 degrees Celsius. At that temperature the steel support structure
behind the concrete loses much of its load-bearing strength (well short
of melting), and at some point the upper part of the building
can no longer be supported. There was an estimated 100,000-150,000
tonnes of building above the impact points and fire, and when that
collapses, it acts as a pile driver and inevitably brings the rest
down. A structural engineer, Chris Wise, who has worked on the Commerzbank
building in Frankfurt, said to be Europe's largest, said so on BBC
World on Tuesday, September 11. The BBC also talked to Prof. John
Knapton of Newcastle U. The story is on their WWW site. Smith said
he was surprised that the buildings withstood the fire for so long
(1 hour plus), and said it was a help to people trying to get out
that it lasted even that long. He is surely right. He also said
that the impact forces alone (that is, the kinetic energy delivered
on impact) could likely not destroy the buildings, and they would
likely have withstood, were it not for the fire.
Commercial aircraft are the largest incendiary devices, and probably
the devices with the highest kinetic energy, in the public domain.
Widebody fuel loads are of the order of 100 tonnes at departure;
a full fuel load on a B747-400 is upwards of 170 tonnes. A full
B747-400 weighs upwards of 400 tonnes and flies at roughly 300 to
800 kph in various phases of flight. Aircraft are also highly mobile
and can go virtually anywhere.
Commercial aircraft can not adequately be protected by physical
isolation with controlled boundaries, as with a static object such
as a nuclear power station. It would make no sense to accompany
every commercial flight with a couple of fighter aircraft.
Commercial aircraft have far more destructive power in their current
configuration than anything a small group can construct alone. If
one wants to bomb available targets in or near to civilian airspace,
without using obvious military devices, hijacking one is a way to
do it.
Various sectors have been planning for such an event for at least
30 years. When I worked for the UK CEGB (as it was then) in 1970-73,
the pressure vessels of the nuclear reactors in the power stations
were designed to withstand the impact caused by a direct hit from
a commercial aircraft (whether the analysis was adequate is a different
question, and I don't recall anyone working on the fire aspects).
I think it likely that the World Trade Center was well designed
to withstand an impact from a commercial aircraft. But not such
a fire, because it seems as if that would be a structural engineering
problem with no possible solution.
I hold it likely that commercial airplanes will remain targets
for those wishing to construct bombs in the civilian domain, until
the point at which one inerts the vaporised fuel.
The issue of vaporised fuel within a tank came to significant public
attention first with the accident to TWA flight 800 in 1996. A fire
requires a flammable agent (in this case, jet fuel), sufficient
oxygen for the duration (provided by the air in a tank with low
fuel), and a source of ignition. The US Federal Aviation Administration's
(FAA) attitude to the existing fuel-tank vapor problem extends back
beyond TWA 800, and consists in controlling and eliminating possible
sources of ignition through design and certification of the aircraft.
The US National Transportation Safety Board now recommends inerting
the vapors.
The FAA's solution cannot work against purposeful on-board ignition
devices, such as small explosives or incendiary devices. The idea
is to control these by controlling what is brought on board. However,
airports are big places with small fences; it is likely to remain
possible, although to become much harder, for someone to install
a small device while the aircraft is being serviced, or parked,
and for a subsequent passenger to ignite it with a pager-like device.
Inerting the tanks would significantly reduce this kind of threat.
One would need a much larger device to destroy the structure completely,
without help from a fuel conflagration, and such devices can more
easily be detected on a simple walk-around and walk-through before
loading.
There has been a search for some time for an anti-misting additive
or something that would hinder the burning of vaporised jet fuel
in all circumstances other than being ignited in a jet engine. People
working on aviation accidents know that many if not most victims
of most crashes die through asphyxiation or burns rather than through
trauma alone. Hindering the post-crash fire caused when a commercial
aircraft with significant fuel on board crashes is close to the
Holy Grail of accident prevention and mitigation. No one knows how
to do it yet. But one knows how to try a little bit.
NASA tried out a potential fuel inerting agent, so-called Anti-Misting
Kerosene (AMK), developed by UK's ICI over about 17 years, in a
controlled crash of a B720 in the Mojave Desert in 1984. The aircraft
was flown remotely into what amounted to a series of large knives
on a dirt runway. However, the fuel ignited and burned anyway. Not
the way normal kerosene would burn, and indeed large amounts of
data were collected on the fire, and on the impact, from the dummies
in the passenger seats. But it did burn, destructively and hot.
Frank Taylor commented:
    I believe that [AMK] would work in the majority of cases
    and indeed might have minimised the fires in recent events so
    that the structures held. However the problem remains of getting
    a suitable AMK into the aircraft in the correct 'mix' day in day
    out such that a wrong mix 'never' occurs that could stop all engines
    with disastrous results. I use 'never' in the 'acceptably rare'
    sense.
Fuel inerting in this form is about risk mitigation: the hazard
remains, but the severity of the outcome is much reduced. The accident
along with its severity can be considered a causal product of the
flight path of the aircraft bringing it into proximity and collision
with an object, the kinetic energy of the aircraft, and its potential
incendiary energy. We have looked at the incendiary aspects. There
is little one can reasonably do about the kinetic energy. What about
the flight path? People have mulled over the flight path problem.
Frank Taylor again:
    On the security side I reckon an effective answer might be
    to ensure that [...] any threatening event caused an irreversible
    (or apparently so) take over by the autopilot/autoland system
    to send the aircraft to some designated airfield.
He pointed out that such measures might not be perfect - the airplane
might still be prone to accident - but that one could avoid collisions
into a major target. Such measures were also suggested to me by a
well-known UK safety-critical systems expert (who suggested considering
passenger UAVs) and by an avionics engineer, who suggested an enforced
takeover by a ground controller.
The technology is certainly there to implement some kind - many
kinds - of non-pilot control in the event of a hijacking, especially
if the measures are looked at as risk mitigation and not as outright
avoidance. Frank Taylor:
    [...] back in the early 1980s we were proposing a series
    of crash tests using retired BA Tridents (which were of course
    the first aircraft to have full all-weather autoland). The CAA,
    AAIB, BA and the manufacturer all agreed that it could be done
    and agreed to contribute. It was proposed to set the whole flight up
    to take-off, circuit and land towards obstructions, etc. We couldn't
    get the money to do it but the Americans did for their CID in
    1984 using a radio controlled B720.
The ground control for the 1984 B720 crash also used video, as
do controllers for some UAVs. Video may be intentionally obscured
by hijackers, of course, but it is most significant only for approach
and landing. These tasks could likely be accomplished well enough
through telemetry and precision radar (say, augmented GCA radar
at appropriate military bases). It is, after all, only a remote
autoland. Even risky flight phases could be avoided by cruising
the aircraft to a point in space over a suitably-equipped air force
base, holding it until it runs low on fuel, and then giving control
back to the aircraft occupants, whose options would then be limited
to landing, inevitably, somehow and somewhere close.
Whether accomplished by on-board avionics, or by telemetry and
remote control, the technology exists to implement such risk mitigation
measures. The procedures to be used are another, more difficult,
matter. No technical analysis can reasonably be performed until
concrete proposals are put forward, because the details of such
plans could vary so widely. I have likely said enough for this short
essay.
Conclusions
Technical security analysis first involves constructing a causal
graph of the accident progression, as in traditional accident analysis.
It then involves selecting some part of some causal chain involved,
selecting its first node ("factor") and its last node ("outcome"),
and showing how all physically possible methods of proceeding from
factor to outcome may be confounded.
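The procedure just described, and the earlier discussion of breaking one link versus confounding every path, as an added worked example that is not part of the original essay: a small constructed causal graph (node names and edges are illustrative assumptions, not taken from any investigation report) in which an intentional agent has two routes from the factor "agent on board" to the outcome "structure fails", one via the cockpit and flight path, one via a small device near a fuel tank as in the on-board ignition scenario discussed earlier. The code enumerates the paths, shows that breaking one link of the chain an accident actually followed is a cut for that chain alone, shows that the same single link is not a cut against an agent free to take the other route, and finds the smallest edge sets that confound every path.

```python
from itertools import combinations

# Constructed toy causal graph (added example, hypothetical node names).
# An edge A -> B reads "A causally contributes to B".
CAUSAL_GRAPH = {
    "agent_on_board": ["agent_in_cockpit", "device_in_tank_bay"],
    "agent_in_cockpit": ["flight_path_to_target"],
    "flight_path_to_target": ["impact"],
    "impact": ["fuel_fire"],
    "device_in_tank_bay": ["fuel_fire"],
    "fuel_fire": ["structure_fails"],
    "structure_fails": [],
}

FACTOR, OUTCOME = "agent_on_board", "structure_fails"


def edges(graph):
    """All causal links in the graph as (cause, effect) pairs."""
    return {(a, b) for a, succs in graph.items() for b in succs}


def all_paths(graph, src, dst, removed=frozenset()):
    """Enumerate simple paths from src to dst, ignoring links in `removed`."""
    paths = []

    def walk(node, path):
        if node == dst:
            paths.append(tuple(path))
            return
        for nxt in graph.get(node, []):
            if (node, nxt) in removed or nxt in path:  # skip cut links, avoid cycles
                continue
            walk(nxt, path + [nxt])

    walk(src, [src])
    return paths


def breaks_all_paths(graph, removed, src, dst):
    """True iff removing the links in `removed` leaves no path from factor
    to outcome, i.e. `removed` is a cut an intentional agent cannot route
    around within this graph."""
    return not all_paths(graph, src, dst, frozenset(removed))


def links_on_every_path(graph, src, dst):
    """Links shared by every factor-to-outcome path: the only single links
    whose removal also defeats an agent free to choose any other path."""
    path_edges = [set(zip(p, p[1:])) for p in all_paths(graph, src, dst)]
    return set.intersection(*path_edges) if path_edges else set()


def minimum_cuts(graph, src, dst):
    """Smallest link sets that cut every factor-to-outcome path. Brute force
    over combinations, adequate for investigation-sized graphs."""
    links = sorted(edges(graph))
    for k in range(1, len(links) + 1):
        cuts = [set(c) for c in combinations(links, k)
                if breaks_all_paths(graph, c, src, dst)]
        if cuts:
            return cuts
    return []


if __name__ == "__main__":
    for p in all_paths(CAUSAL_GRAPH, FACTOR, OUTCOME):
        print(" -> ".join(p))

    # Unintentional accident: the process followed one chain, so breaking
    # one of its links (here the cockpit-to-flight-path link) suffices for
    # that chain considered alone.
    cockpit_chain = {"agent_in_cockpit": ["flight_path_to_target"],
                     "flight_path_to_target": ["impact"],
                     "impact": ["fuel_fire"],
                     "fuel_fire": ["structure_fails"]}
    coercion = {("agent_in_cockpit", "flight_path_to_target")}
    print("single link cuts the one chain:",
          breaks_all_paths(cockpit_chain, coercion, "agent_in_cockpit", OUTCOME))

    # Intentional agent: the same single link is not a cut of the full graph.
    print("same link cuts the full graph:",
          breaks_all_paths(CAUSAL_GRAPH, coercion, FACTOR, OUTCOME))
    print("links on every path:", links_on_every_path(CAUSAL_GRAPH, FACTOR, OUTCOME))
    for cut in minimum_cuts(CAUSAL_GRAPH, FACTOR, OUTCOME):
        print("minimum cut:", sorted(cut))
```

On this toy graph the only single link common to every path is the one from fuel fire to structural failure, which is the graph-theoretic form of the essay's point that fuel flammability deserves at least as much attention as flight-path coercion. A real analysis would additionally weight links by the severity they carry, since inerting reduces the severity of the outcome rather than removing the hazard, and would revisit the graph whenever a new physically possible path is identified.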
One may aim, for example, to mitigate or to avoid the outcome. I
have suggested one mitigation for intentional accidents similar
to those of September 11, 2001, namely developing procedures for,
and using, some form of anti-misting kerosene, or better performing
successors. Another way of avoiding, or mitigating, the outcome
consists of rigorous flight-path control, consisting in ensuring
rigorously that the flight path of no commercial aircraft can come
within collision range of such potential targets as population centers
and sensitive military facilities, whatever the intention of the
occupants. I have briefly mentioned some possibilities which could
be implemented using available technology.
Such measures have benefits also for inadvertent accidents. Here,
flammability reduction measures could have great impact. One thinks
of Manchester, of Habsheim 1988, Warsaw 1992, TWA 800, and Bangkok
2001, as well as others. Reducing flammability could significantly
reduce the number of deaths and injuries resulting from asphyxiation
and burning through post-crash fires. Comparatively, accidents in
which flight path coercion might have helped are much rarer. One
thinks maybe of Birgen Air in Puerto Plata or Korean Air in Guam,
but it very much depends on the type of coercion. Although coercion
measures are on the tip of many tongues, considering fuel flammability
could well have the greater impact on aviation overall.
Maybe it is time to spend a few billions of dollars on attempting
again to develop a fuel combination that will burn much less fiercely,
or not burn at all, when vaporised in air in the presence of ignitive
devices. That would reduce or remove the possibility for using commercial
airplanes as incendiary devices, and thereby any rationale for using
them as such.
Authors
Peter Ladkin is Professor of Computer Networks and Distributed
Systems at the University of Bielefeld, Germany. His research is
concerned with the causal analysis of complex systems and their
failures. Frank Taylor is Director of the Cranfield Aviation Safety
Centre in the College of Aeronautics at Cranfield University, UK.
He is an expert inter alia on aviation fires and explosions.
ladkin@rvs.uni-bielefeld.de http://www.rvs.uni-bielefeld.de
A.F.Taylor@cranfield.ac.uk http://www.cranfield.ac.uk/coa/tech-atm/avsafety.htm