What exactly is the barrier between just having two way satellite communications on every plane for the purposes of tracking and reporting its location?
I used to build devices for aerospace. These were groundside, never ever airside. The systems (and thus costs) for building these devices were extensive and complex. Every item, every component, every screw, every washer, all the chemicals (paint, conformal coating, etc) could be traced from a finished unit (via its serial number) back through the manufacturing chain. When my company moved from a paperworks systems (suprisingly good) to computers (unsurprisingly flawed) they kept the paperwork system for these products because it was so important to never fail audit.
It's easy to look at consumer grade off the shelf systems and think that the cost would be maybe four or five times higher, but I think the cost would be significantly greater.
Add to that the difficulty of getting any component on a circuit diagram changed and the need to continue producing these units for every aircraft for many years and there's additional complication there.
Such a system also wouldn't be immune to being disabled as the current tracking systems are. People need to learn to live with uncertainty instead of trying to remove it.
- The iridium satellite network, which provides phone service, also provides a Short Burst Data service, which I suspect could be used for this purpose.
- The Argo network tracks thousands of ocean drifters (http://www.argos-system.org/?nocache=0.9626778103411198). Some of those drifters are using the Iridium network now.
Iridium only has ~8Mhz of bandwidth, that is fine for a sensor platform that probably only transmits a couple of times a day, but could quickly run into trouble with constant positional updates from thousands of planes (especially with streaming of cockpit data recorders, as has been argued for as well). And the saturation of the Iridium network is not something that can be controlled without extensive re-engineering to enable QOS.
I don’t think the fixed cost should be as high as you suggest because the functionality would (arguably) not be safety-critical, in contrast to your examples, and therefore subject to weaker regulations.
Emergency geolocation doesn’t affect flight safety, only rescue operations. What happens if the new GPS location functionality fails? The only deleterious consequence is if the other locations systems fail (ELT) and the error causes, in the event that saving passengers is possible, for SAR to look in the wrong place when they otherwise would have looked in the correct one.
I am not sure of that. Consider the implications of an electrical fire. If the system can be turned off it wouldn't have helped here. If it couldn't be turned on then you have electrical fires killing people.
I am not sure the problem of this incident can be fixed by looking at the plane. I think we need to know more about who, why, and how first.
You need to read my comment in context of the linked blog post I was responding to which addressed only the cost of adding additional emergency geolocation and the reason why it was expensive.
I suggest that it shouldn't actually be expensive because the safety impact is negligible.
Rough specs of something that might be respectable:
- wind & solar powered
- externally-mounted, self-contained, near zero maintenance
- compatible with deicing chemicals & equipment
- multiple redundant location sources: GPS, GLONASS, LORAN, cell-tower
- jam-resistant multi antennnae / recvr config
- highly compressed satellite telemetry with cellular, pager and HF backups
- location & alt delta every 3 minutes (12 bits +- 100m)
- absolute location & alt every 8 hours (46 bits +- 100m)
- physically hardened against several hours blunt-force phsyical damage
- (eg enough to slow down a die-grinder w/ a diamond cutoff wheel)
- pretty app similar to google earth where carrier operators can see their fleet live or in the past
Shoe-string budget dev costs: $1.2 mil for a bump to fit the most popular model of jet first, then expand to others and airbus if successful.
Assumes engrs that can bust it out quickly and hustlers that can finagle enterprise & get distribution (Eg make it an FAA mandatory device for classes of airframes).
This contrasts to small aircraft which typically have Mode A/C only (no mode S).
All airplanes should have a MAC address. No plane should have a user-servicable-power-switch to the transponder.
Can you tell why the opposite woud be needed?
A plane being hijacked in this way is so incredible rare that having always-on transponders is not worth the safety trade off.
Protecting the passengers from the pilot is anyway a false goal. You can't really do it without removing the pilot.
Sound like utter BS.
Show me a case where an IN-FLIGHT transponder shutdown is a needed issue, or where this does not need a better engineered solution.
Also - Don't tell me why this is not done (based on past issues) - tell me why this is impossible to fix.
I challenge you to give me any reason in the universe which is acceptable for not tracking, in real time - uninterrupted streams, flying packages of hundreds of humans.
Give me any reasonable response to why this is not something that should be fixed.
Planes doing something strange doesn't happen often enough for it to be the most important thing in the universe.
The whole point of security is risk management. You address your most common risks first, and then the less common risks later. Electrical fires are more common than hijackings, especially after you figure in airport security. Therefore in plane design you worry about electrical fires far more than you do hijackings.
Additionally this is the first incident of its kind. This is not a typical hijacking. In fact it is entirely unprecedented. For this reason it is a game changer, and I think you are right to point that out. But electrical fires are orders of magnitude more common so you aren't going to ever risk one based on a much less likely possibility here.
To be honest, I have faith that investigators will eventually track the culprits down. Then once we know who and why we can decide what to do about it. However consider what is required to pull this off:
1. Having an airport capable of landing a 777 that nobody knows about
2. Having refuling equipment and fuel.
3. Having a hangar capable of storing the 777 out of the eyes of satellites.
These are not small requirements. Whoever did this was quite prepared. It was not pilot suicide based on the data we have. Whoever did this was large, organized, and had tons of resources (we are talking about a large drug ring or a small country here). Against a determined enemy like that I don't know that you really can stop them at the plane. Instead you need real defence in depth, and we can't even talk about that until we know more.
Certainly. There's always more than one transponder on board a big jet, for safety and redundancy reasons. If a transponder begins to misbehave, it might position the aircraft incorrectly on the ATC screen, very dangerous, or the transponder could be getting bad information from the altimeter (class C transponder), which would cause ATC to paint the aircraft at the wrong altitude -- also very dangerous.
These are just two reasons among many, for flight deck officers to require an immediate way to disable a transponder.
> Give me any reasonable response to why this is not something that should be fixed.
There's something you need to understand about the relationship between an aircraft and its pilot. The aircraft is designed to protect the pilot and the passengers, not the other way around. All this talk about protecting the aircraft from the pilot and passengers has it backwards. Obviously this means if a pilot goes crazy or someone unauthorized gets into the cockpit, the results can be catastrophic.
How would the system determine it is in-flight and thus prevent a maintenance shut down? You would need another device to determine in-flight from ground operations, and thus another device that can malfunction and thus can be defeated by an attacker.
>Give me any reasonable response to why this is not something that should be fixed.
Give me a reasonable response why spending a bunch of money to fix this rare issue is worth it over other safety improvements? Old aircraft, poor maintenance, and overworked pilots kill many times more people than hijackers.
P.S. Why don't we track buses? Why don't we track cars? Why don't we track everybody?
How would the system determine it is in-flight and thus
prevent a maintenance shut down?
If you had a transponder in parallel with each engine, on the ground you could shut down all engines; or for an in-flight fire you could shut down a single engine; but you could not shut down all engines (transponders) while in flight.
Why don't we track buses? Why don't we track cars?
Dual transponders linked to engines is not a safe design. You are significantly increasing the chance of an aircraft crash for a slight reduction in uncertainty of the location of crashed/hijacked aircraft.
>You've heard of LoJack, right? We track cars worth far less than a jet airliner.
People voluntarily deploying tracking systems is different from mandating tracking systems.
Cars and buses are at a much higher risk of hijacking per passenger/travel distance than planes.
Buses are at alt==0 and never over an ocean - you're an idiot for comparing the two.
Why don't we track everybody? Do you understand what the NSA has been doing?
Be civil. ...
When disagreeing, please reply to the argument
instead of calling names. E.g. "That is an
idiotic thing to say; 1 + 1 is 2, not 3" can be
shortened to "1 + 1 is 2, not 3."
And what does that have to do with it? In the event of a passenger jet crashing into the ocean an enhanced transponder system would not raise passenger survival by any notable rate (because aircraft crashes where the passengers survive and aren't immediately rescued are incredibly rare in the modern age).
Aircraft hijacking where the craft and passengers go missing is incredibly rare even among hijacking incidents.
When changing squawk codes, it is procedure at most airlines to put the transponder into stand-by mode. This prevents inadvertent transmission of incorrect squawks should the pilots mis-key.
e.g. once squawk 7500 Hijack is transmitted, ATC must implement appropriate measures regardless of what the crew subsequently do or say. Consider that fact given 7050 is a valid non-emergency squawk.
Once the squawk has been confirmed as correct the transponder is returned to active status.
Now, who here would say that the NSA isn't backdoored into every cell tower on that planet. I wouldn't be surprised if they are. How could we not know as soon as one of the cells on that plane popped up on a tower anywhere in the world? So, exclude all cell tower coverage areas in projected flight area and search there to rule out potential hijack/landing.
But assuming that a phone does make contact, there would be massive cooperation required to detect it. The airline and victims' families would have to give a list of phone numbers that could be on the flight, and all the carriers in the region would search through their towers' logs to see if any of those IMEIs (assuming they keep those logs for at least a week).