Blog: Aviation Cyber Security
TL;DR
- Through reverse engineering a cockpit door lock controller several years ago, we’ve known about the auto-unlatch issue
- We couldn’t publish owing to the risk to flight safety, even though some airplane type manuals already described the behaviour in a depressurisation event
- Now that the Alaska 1282 incident has demonstrated this behaviour publicly, it’s time to share our findings
Several years ago we bought an aircraft cockpit door lock controller from a breaker’s yard from a decommissioned aircraft. The controller was manufactured in 2004, though represents similar behaviour to those manufactured today.
After the appalling events of September 11th 2001, all commercial aircraft are required to have an armoured cockpit door that can resist attacks from the cabin, including from smalls arms fire. The door has an electronic locking mechanism so it is kept secure during flight. This normally works in the following modes:
- Both pilots are in the cockpit, and a cabin crew member wants access: the call button is pressed on an external keypad, a chime sounds in the cockpit, the pilots review CCTV and then move the switch to “unlock” and the door opens.
- The switch in the “norm” position: a valid access code is entered on the cabin keypad, a chime sounds in the cockpit, after 30 seconds the door automatically opens unless the switch is moved to the “lock” position.
- With the switch in the “lock” position, no access is possible from the cabin even with a valid access code. No chime will sound.
The latter case was instrumental in the Germanwings 9525 incident, and subsequent requirement that if one pilot needs to leave the cockpit a member of cabin crew swaps with them temporarily.
In the recent Alaska 1282 incident, once the aircraft became rapidly depressurised after the loss of one of the plug doors, the cockpit door automatically swung open. This actually led to the loss of paper Quick Reference Handbook (QRH, or emergency checklist) notes and the pilots had to fly their emergency actions from memory. Apparently this behaviour was not known or expected.
The cockpit door has blowout or kick out panels and it is understood that the pilots thought these would allow the equalisation of pressure, but these are more for emergency exits in the event the lock controller malfunctions.
When we examined our door lock controller a few years back, we found the dual pressure transducers that detect the sudden drop in differential pressure and automatically unlock the door.
The pressure transducers (highlighted above) are connected to air pressure pipes, routed to the cockpit and cabin to sense a differential. The reason for the auto unlock behaviour is to reduce the forces on the bulkhead between the cockpit and cabin in the event of a depressurisation event, given it contains extensive wiring and controls. Any damage to the bulkhead could threaten the safety of the flight.
We felt that at the time that this knowledge was probably not safe to draw widespread attention to, even though it is found in some aircraft manuals and is described on several web sites
However now that it is pivotal for pilots to be aware of cockpit door behaviour in an explosive decompression, we’re publishing this timely information.