Where the Danger
(Does not) Lurk

Why I was relieved to find out that the GermanWings crash was due to
deliberate pilot action


It’s hard to imagine how horrifying those final minutes on the doomed GermanWings plane must have been. The pilot, locked out, trying to smash the cockpit door with an ax, as the co-pilot, in sole control of the plane, caused it to slowly descend, finally crashing into the Alps.

As a frequent flier, and as someone who flew with GermanWings just a few weeks ago, I must confess that I was relieved to find out that the crash seemed to be the result of premeditated mass murder and suicide by the errant co-pilot, Andreas Lubitz, who spent his last days on earth researching “information on how cockpit doors worked” and “suicide”.

Yes, you read that right. I was relieved to find out it was deliberate pilot action, even as the horrifying details become known. But I was scared as well: from all the calls for changes to design of airplanes, including suggestions such as weakening the cockpit door, and worst, for remote control of planes from the ground to guard against future misbehaving pilots.

Hear me out.

I’m worried that people will use this incident to fundamentally change design of planes, or their security features, since almost all the suggestions are actions that will make things more dangerous (with one exception, which I’ll discuss later).

There are two issues at play here. First, some things are almost impossible to completely prevent, fail proof, without significant downsides or real trade-offs. Second, some things are so rare, so errant, and so quirky even in their almost unfathomable terribleness that it is not feasible — or desirable — to turn life upside down to try to avoid them.

Guarding against the errant, suicidal murderous pilot belongs to a category called “wicked problems” — the complexity of the system and the conflicting incentives mean that every solution introduces another set of problems, so the only way forward is always going to be an imperfect one. Second, and perhaps more importantly, is that this once again reveals how, as humans, we are lousy at risk assessment, and also lousy of accepting this weakness. The problem is wicked, but its occurrence is so rare that it is almost unheard of — partly why it terrifies us so. Our imagination, biases and fears are terrible guides to what should actually be done to keep us safer, and this has significant consequences in a whole host of fields, ranging from terrorism to childcare to health-care.

Hardened cockpit doors, like the one that kept out the locked out pilot of the doomed GermanWings flight, were put in place after 9/11/2001. During that terrible event, terrorists, trained as pilots and willing to die themselves, were able to use their ability to gain access to the cockpit to turn those planes into terrifying guided missiles full of innocents. Hardening the doors was an obvious, and good step forward. That tragedy has not been repeated in the same way since.

But here’s the thing: you cannot equally guard against murderous hijackers with piloting abilities and the errant suicidal murderous pilot. Those things are in conflict by design: you can make it harder to get in, or you can make it harder to be involuntarily locked out. One necessarily goes with the other. There are some subtleties to this space of possible design for this problem, but most of those already have been built in. The rule that breaks out of that trade-off dichotomy is not leaving anyone alone in the cockpit, and now, most airlines that didn’t already have this rule (US ones already did) are instituting it. Many planes, including this one, already have schemes for pilots who are locked out to get back into the cockpit using special codes, for cases like medically incapacitated pilots. But there are also ways the pilot inside the cockpit can keep others out, in case those outside trying to force their way in are malevolent actors. That is a reasonable choice because the frequency of the former scenario is almost immeasurably rarer than the latter. There are many many more would-be hijackers than mass murderer pilots — pilots are a heavily regulated, watched, selected bunch compared with the ease of buying an airplane ticket. Besides, we know from one of those other rare cases a pilot suicide causing a crash, that of Egypt Air 990 in 1999, where the pilot had briefly stepped out, and then returned to find the co-pilot taking the plane down, had forcefully intervened, but being in the cockpit does not necessarily prevent a tragic crash if one pilot is determined to murder, and die. Our defense remains the same: this is a strikingly rare event.

Another suggested solution, allowing for remote control for airplanes from the ground, or more automation that cannot be overridden by humans, are both bad ideas that will make us even less safe.

First, remote control of airplanes from the ground separates who’s doing the controlling of the plane from who’s doing the dying, which is in general a bad design idea if safety is the concern.

There are more ill-intentioned actors willing to kill than those who are willing to die while also killing, and forcing people into the second group greatly decreases risk (but doesn't make it zero because nothing will make it zero). Remote ground control also increases the target space that must be guarded because it creates many more entry points into the control of the plane. In other words, it’s the opposite of hardening the cockpit door: we’d be building multiple entry ramps into the cockpit which can be taken over, hacked, or just have a catastrophic glitch or error. Assistance of automation in flying has greatly increased safety, but only because human pilots can override the system in cases of glitches, bugs and errors, which are almost inevitable given the complexity of these systems.

Here’s why I was relieved, in terms of safety, to learn that the crash was due to pilot action, rather than a murky, unknown mechanical issue with the widely flown Airbus model. Errant suicidal murderous pilots are more than rare. They are almost unheard of. They are so rare, especially on regular commercial flights, that the whole list going back to 1976 needs less than fingers of two hands to count — or about the number of airplanes that take off from Atlanta in the space of a few minutes on any given day. For purposes of design, this is effectively zero. Mechanical glitches, however, can reoccur and given the speed with which this unfortunate plane crashed into the mountains, it might have never been possible to reconstruct what had happened from the disintegrated pieces had that been the cause.

In human history, it probably made sense to exaggerate that crackle in the bushes and imagine a potential predator, just in case. Better safe than sorry, as the saying goes. But modern complex systems cannot and should not be redesigned to fit our deeply human, but ultimately, irrational fears. And this applies not just to plane safety, where the current methods of deeply studying each error or crash, and then tweaking it all, have resulted in a spectacularly safe system, especially in commercial flight.

Many of our imagined solutions to our exaggerated fears are more destructive than the problem, or needlessly limit our lives without really making us any safer. And our inability to accept the existence of wicked problems without ultimate solutions can cause us to make unattainable demands about rare risks which get in the way of focusing on common risks. We worry about strangers kidnapping our children — incredibly rare events — and keep them inside where most dangers lurk (bathtubs are the worst offenders). Anxious about flying, we drive which is much much deadlier. We worry about rare, but tragic incidents of terrorism which capture our fears, and draped in anxiety, go to war, always a destructive whirlwind.

There are some lessons from this tragedy, including perhaps real-time transmission of cockpit data in case black boxes aren’t easily recoverable, or even the increasing number of people in cockpits at any given time. A policy of requiring two people be in the cabin at all times is a way to to reduce the frailties of the “lone pilot” situation. Since both people are on the plane, it doesn’t create those grave dangers of the “remote control” scenario— which will be targeted and eventually likely hacked — or “full automation with no override” option— which will have bugs and glitches as all software does. This policy of no lone people in the cockpit is already in place in the United States, and now more European airlines are announcing the step.

But the true recommendations about plane safety remain the same as before: wear your seatbelt on your way to the airport, and don’t text while driving. On the plane, try to stretch occasionally to lessen risk of blood clots from those sardine seats. Those, and not errant pilots, are the systemic risks of flying we should all worry about.


(Image source: Nando Machado/AP)