Following the events of 11 September 2001 (now commonly referred to as “9-11”), when terrorists seized control of 4 airborne aircraft over the United States and demonstrated a new potential consequence of aircraft hijacking, the air transport industry, regulators and airlines in particular have instituted a range of physical and procedural defences to deter and prevent such acts. For larger aeroplanes, regulatory changes followed. With effect from 1 November 2003, ICAO Annex 6 was amended so that under Chapter 13.2.2 “all passenger-carrying aeroplanes of a maximum certificated take-off mass in excess of 45 500 kg or with a passenger seating capacity greater than 60 shall be equipped with an approved flight crew compartment door that is designed to resist penetration by small arms fire and grenade shrapnel, and to resist forcible intrusions by unauthorised persons. This door shall be capable of being locked and unlocked from either pilot’s station”.
Whereas the armoured and locked flight deck door was extremely successful in mitigating the risk of hijack and preventing a repeat of a 9/11-type event, the accident of the Germanwings flight 4U9525 highlighted the potential for a pilot to exclude other crew members from the flight deck and interfere with the safe progress of the flight. Therefore, on 27 March 2015, based on the information that was available at the time and pending the outcome of the technical investigation conducted by the French Bureau d’Enquetes et d’Analyses (BEA), EASA issued a Safety Information Bulletin (SIB 2015-04) for airlines to:
“re-assess the safety and security risks associated with flight crew members leaving the flight crew compartment due to operational or physiological needs during non-critical phases of flight.
Based on this assessment, operators are recommended to implement procedures requiring at least two persons authorised in accordance with CAT.GEN.MPA.135 to be in the flight crew compartment at all times, or other equivalent mitigating measures to address risks identified by the operator’s revised assessment.
Any additional risks stemming from the introduction of such procedures or measures should be assessed and mitigated.”
Prior to the Gernmanwings 4U9525 accident, some states had required at least two crew members should remain on the flight deck at all times during the operation of the flight, principally to ensure flight deck access would be possible if a lone pilot became incapacitated; after the Germanwings 4U9525 the requirement became generally accepted internationally to additionally mitigate the risk of a lone pilot taking sole charge of the flight. Subsequently, there have been proposals to always have two pilots on the flight deck but most airlines/regulators have not adopted this practice. Design solutions incorporating rest and relief facilities forward of the secure door would also allow all flight deck crew to remain within the flight deck area.
Editor's Note: This article is intended to specifically highlight the operational flight safety issues associated with flight deck security and does not cover specific procedures, protocols and operational aspects of the overall security system.
Flight Deck Access
Controlling access to the flight deck is part of the process of ensuring that legitimate control of an aircraft can be maintained. Except on very small passenger aircraft the door must be lockable and of reinforced construction so that access is only possible if it is opened normally and such that it is resistant to penetration (e.g. with a bullet) or intrusion (e.g. by being hit by a trolley) when closed. Access through the door to the flight deck should be procedurally controlled both in the air and on the ground and should be limited to personnel for whom entry is essential.
On the ground, this means that only designated flight crew and maintenance personnel should normally have access; if cleaners need to enter, then they should have already been subject to an identity validation check at aircraft boarding and be directly supervised by authorised operational or engineering personnel whilst in the flight deck.
In the air, procedures vary from airline to airline and from region to region, but the principle that only those with legitimate need must be permitted flight deck access must be paramount. Beyond the pilots at the controls, this will include relief, check and training pilots. Exceptionally, such flight deck occupancy may exceptionally be extended to include other specifically-authorised employees of the operator - pilots, cabin crew and maintenance personnel. Flight Operations Inspectors carrying out observations on behalf of the State Regulatory Body may also be permitted access at the discretion of the aircraft commander subject to valid identification being presented prior to entry approval.
In flight, the door should always remain locked unless there is a legitimate reason to open it and it should remain open only long enough for someone to pass through it. There must be SOPs in place for access to / exit from the flight deck between engine start at the beginning of a flight and the completion of engine shutdown procedures at the end of a flight.
Flight Crew Cabin Surveillance Systems and electronic or manual locks which can be operated by the flight crew without leaving their seats, and sometimes also from the passenger cabin, are essential and often exist as Regulatory Requirements. Robust procedures must be in place to prevent unauthorised entry to the flight deck, especially when the door is opened to allow a pilot to exit the flight deck for (e.g.) a comfort break and another crewmember to take their place and when the pilot returns to the flight deck.
Crews should be aware that disturbance might be generated in the passenger cabin in order to distract the operating crew from their normal SOPs and that, in such circumstances, it should be expected that the flight crew will remain on the flight deck with entry denied.
An example of one manufacturer’s guidance on flight deck security is at
Locked Door Flight Safety Issues
- Communication. A locked flight deck door reduces the situational awareness of the flight crew in respect of conditions in the passenger cabin in the event of an on-board security issue. Also, the situational awareness of the cabin crew is reduced in respect of conditions on the flight deck in the event of an emergency.
- Crew Incapacitation. In the case of total incapacitation of flight deck occupants, cabin crew may not be aware and may not always have a means of accessing the flight deck to assist.
- CRM. The locking of the flight deck door reduces routine interaction between the flight crew and the cabin crew during the flight. This emphasises the importance of the aircraft commander using pre flight preparation and turnround time to confirm any exceptional preparations for effective CRM beyond those routinely prescribed.
- Physiological Need. Naturally, the need for flight crew to use toilets, access designated crew rest facilities or be supplied with food and drink, requires access through the flight deck door during flight. Procedures for door opening mean that egress and access will take longer with the result that the flight deck crew are not always able to go to the toilet at a time of their exact choice, which may cause them to be distracted and, exceptionally, might exacerbate an existing underlying medical issue in a way that would not otherwise have occurred.
- Unlawful Interference. While the purpose of the flight deck doors is to prevent unauthorised access to the flight deck, there is an attendant risk that one of the pilots may themselves unlawfully interfere with the flight for example to commit suicide. Consequently procedures should be in place to ensure that at least two operating crewmembers, including at least one qualified pilot at the controls, are in the Flight Crew compartment at all times.
- Communications protocols. Cabin crew should avoid routinely contacting the flight deck during times when they are likely to be occupied with a high workload. Most airlines use a signalling system for the flight crew to indicate to their cabin crew that it is safe to commence cabin service after take off. In some airlines, subject to this call being received, the cabin crew make no intercom calls to the flight deck until top of climb, when they will make a courtesy call to confirm that the pilots are not incapacitated. More commonly, a maximum time interval is set between intercom calls from the cabin crew to the flight deck which applies throughout the en route phase of the flight and is typically 20 to 30 minutes. In the event of an emergency, the senior cabin crew member will normally take personal responsibilty for liaison with the flight crew who may be especially in need of intercom reports of conditions in the passenger cabin in order to decide on the appropriate crew response.
- Emergency Flight Deck Access from the Cabin. Most flight deck doors can be unlocked from the cabin in an emergency. Such systems usually have safeguards built in to allow those on the flight deck to prevent such access, for example by building in delays between selection of external unlock and actual door lock release to allow flight crew, if not incapacitated, to override the selected lock release.
- Double Door system. A few aircraft types have an "air lock" type door system, with 2 doors and a toilet in between. The airlock system ensures that there is never an open door to the flight deck. However, such systems take up space and normally are only found on some larger aircraft.
- Door Construction. Strong, lightweight, composite materials often provide the required security with minimal increase in weight, which makes the door no more difficult to operate once unlocked than a non-security door.
- CRM. The ‘locked flight deck door’ presents a physical barrier to crew communication and coordination between flight deck and cabin crewmembers. This makes a crew briefing for at least the Senior Cabin Crew Member at the start of duty even more important; where arrangements permit, this should occur at the crew briefing facility. Crew should also make the most of any incidental time, such as on a shared crew bus, as a means to get to know each other. While there will be no requirement for pilots to carry out a pre flight cabin inspection on a passenger aircraft in service unless the aircraft is so small as not to require cabin crew to be carried, if circumstances make it practicable, it can be beneficial for one of the pilots to make a point of walking down to the back of the aircraft to briefly re-establish personal contact with all the cabin crew team before passengers board.
The Germanwings flight 4U9525 accident indicated the need to ensure that 2 members of the operating crew are present on the flight deck at all times during operations. Such an SOP implies that pilots and cabin crew liaise more closely and brief more extensively on the need for and timing of pilot physiological breaks and other situations necessitating exit from the flight deck. Operators will need to consider the protocols for access to and presence on the flight deck.
Longer term, design change could also ensure that all operating flight crew should be secured on the flight-deck before the passenger boarding doors are closed prior to departure and remain secured on the flight-deck until after the passenger doors are opened at the destination. This would prevent any unlawful entry from the cabin and minimise any unlawful seizure by a single flight crew member.
To enable this, existing aircraft could be modified and new aircraft designed with all required crew facilities forward of the secure flight-deck door. On short/medium haul aircraft this would require a toilet, safe food & water storage and a reclining crew rest seat. Additionally on aircraft used for long range operations where in-flight relief is required provision of bunk/s.
This is not a new concept, many long range aircraft already have toilet and crew rest facilities forward of the secure flight-deck door.
Accidents & Incidents
Events on the SKYbrary Database which list Locked Flight Deck Door as a contributory factor:
On 24 March 2015, after waiting for the Captain to leave the flight deck and preventing his return, a Germanwings A320 First Officer put his aircraft into a continuous descent from FL380 into terrain killing all 150 occupants. Investigation concluded the motive was suicide, noted a history of mental illness dating from before qualification as a pilot and found that prior to the crash he had been experiencing mental disorder with psychotic symptoms which had not been detected through the applicable process for medical certification of pilots. Conflict between the principles of medical confidentiality and wider public interest was identified.
On 1 August 2008, an en-route Embraer 195 despatched with one air conditioning pack inoperative lost all air conditioning and pressurisation when the other pack’s Air Cycle Machine (ACM) failed, releasing smoke and fumes into the aircraft. A MAYDAY diversion was made to the Isle of Man without further event. The Investigation found that the ACM failed due to rotor seizure caused by turbine blade root fatigue, the same failure which had led the other air conditioning system to fail failure four days earlier. It was understood that a modified ACM turbine housing was being developed to address the problem.