Security of Aircraft in the Future European Environment (SAFEE)

The SAFEE project addressed security on board an aircraft as a response to several security related incidents in the past. All SAFEE studies were driven by investigating prevention of terrorism by direct human acts and by electronics means. The baseline of the project was the assumption that upstream identification control and airport specific security measures have all been completed. The project focused on the implementation of a wide spectrum of threat sensing systems, and the corresponding response actions against physical person(s) or electronic intruders. One of the key aspects of the project was an integrated information management system underpinned by a secure communication system.

The operational goals in SAFEE were:
- to identify a large set of threat scenarios including threats coming from persons, goods and materials, and attacks on data and communications;
- to identify weaknesses in current systems;
- to produce and demonstrate technologies and systems allowing the detection of such threats with a high probability;
- to produce alarms and propose actions to the on-board crew (and possibly the ground staff);
- to launch automatic actions such as data restoring, emergency avoidance of terrain impact, or clearing aircraft of terrain and obstacle hazards;
- to test these systems on ground in realistic environments;
- to assess the acceptability and deployment conditions of these systems;
- to contribute to international standardisation and to operational procedures.

For reaching these objectives SAFEE had five key activities (sub-projects):
- SP1: Onboard threat detection: an integrated threat detection system based on multiple sensor information has been specified, prototyped and evaluated.
- SP2: Threat assessment and response management system: an urgency decision making tool.
- SP3: Flight protection, which includes an emergency avoidance system and an automatic control of the aircraft for a safe return.
- SP4: Data protection system securing all the data exchanges (in and out the aircraft).
- SP5: Security evaluation activities, including legal and regulatory issues about citizens' privacy and rights, economic analysis, and dissemination activities.

The operational concept was further detailed in the operational concept description (OCD) to ensure that the lower level objectives were understood on a project wide basis whilst defining a general strategy to address the specific needs of SAFEE. The OCD takes into account the cockpit crew - as being instrumental in the handling and safety of the aircraft. The SAFEE concept recognises the commander as the most important decision-maker in the aircraft.

In the decision making process on the ground, the government - as final and decisive actor - has ultimate responsibility, i.e. governmental decision-making is instrumental in handling hijack and renegade situations. Military operations and air traffic control (ATC) and airline operations centre (AOC) are involved when such a threat occurs.

The SAFEE systems have interfaces for the pilot (in the cockpit), for the cabin crew and security staff (in the cabin), on-board crew communication links, and air / ground (voice and data) communication links. The SAFEE systems output (in flight) comprises:
- alert / information / advice to the cockpit crew;
- alert / information / advice to the cabin crew;
- alert / information / advice to security staff;
- commands to aircraft systems (only after authorisation of the pilot or failed authenication of the cockpit crew);
- 'information' to the ground when necessary (only after authorisation of the pilot).

SAFEE systems input includes:
- pre-flight data (loaded pre-flight into threat assessment and response management (TARMS) and onboard threat detection system (OTDS)): passenger data; luggage data; cargo data; threat level update data; pre-determined indicators (PDI) data.
- in-flight data input: security sensor data; manual crew input to TARMS via HMI; aircraft systems input (e.g. position, time, etc.); updates of the pre-flight data.
- Input from other decision support systems (e.g. ERRIDS).
One of the first steps in the validation process, as part of the OCD, was to define the operational scenarios. The security threat assessment indentified the following eleven of SAFEE scenarios related to in-flight threats.

After evaluation of these eleven operational scenarios it appeared that two scenarios are out of the scope of SAFEE technologies. These scenarios are number 4 (biological attack) and number 8 (use another aircraft to crash into the 'target' aircraft). Consequently, they have not been considered for assessment purposes. In addition, it has to be noted that the threat of MANPADS is covered in other studies and as such as not been taken into account in SAFEE.

The remaining SAFEE operational scenarios are the basis for the design of the SAFEE sub-systems steering the implementation of the solutions to avoid or, at least minimise, the occurrence and impact of such scenarios. Based on the threats selected for assessment in SAFEE, operational scenarios were described for each of them.

The validation scenarios were also derived from the nine threat scenarios taking into consideration the remarks from the analysis performed in the risk assessment by security experts and end users. This analysis is included in the threat assessment of the current situation. The replication of the threat scenarios by the validation scenarios proved to be conditioned by the resources available for the validation exercises, the skill of the team working, and the performance of the validation platforms, tools and actors participating in the experiment.

The onboard threat detection system (OTDS, developed in SP1) as an integrated means to detect upcoming threats onboard an aircraft has been integrally evaluated in an operational context. The following functions have been evaluated:
- aircraft access control;
- detection of suspicious personal behaviour; and
- detection of dangerous materials.

For the detection of dangerous goods and materials, the corresponding trials have been conducted in a stand-alone demonstrator of an aircraft lavatory at EADS in Ottobrunn. The integrated evaluation facility then has been equipped with an alternate sensor, which provided the same signal characteristics to the integrated system as the original sensor, but could be triggered by a light source with a clear defined intensity instead of harmful substances. The other evaluation campaigns have been conducted in a mock-up of an Airbus aircraft cabin (in Airbus Hamburg).

The TARMS validation trials had five aims:
- Aim 1: Validation of the usefulness of TARMS in assessing threats: is TARMS any better at threat assessment than crews currently are without the provision of TARMS on-board?
- Aim 2: Validation of the response management module (RMM) in TARMS: given a certain threat assessment, does TARMS' RMM suggest appropriate courses of action? Are these different to the actions the crew would currently take without the provision of TARMS on-board?
- Aim 3: Validation of the TARMS (cockpit and cabin) HMI: the experiment aims to gather subjective feedback and usability issues on the HMI.
- Aim 4: Workload: the introduction of TARMS will add an extra element to the workload of the crew, but is it an increase that is considered acceptable and worthwhile?
- Aim 5: Validation of the SAFEE-TARMS concept: is having a threat assessment and response management system on-board accepted in principle by the users?

To meet these aims, TARMS and some of the data protection systems were deployed in the generic research aircraft cockpit environment (GRACE) simulator, allowing the cockpit crew to interact with TARMS in a realistic situation. To allow the cabin crew to interact with TARMS, a special room was prepared where a TARMS HMI was provided. A presentation of what was happening in the cabin was also displayed, whilst extra detail and explanations were given by a story teller. The cabin crew also had a headset and microphone to contact the cockpit crew whilst the cockpit was able to trigger a gong that gave the cabin crew a signal to contact the cockpit.

The systems deployed in GRACE were tested through scenarios developed to cover various security situations. Six scenarios were developed of which five of these have been augmented with PDIs which could be detected by the SAFEE systems (OTDS and data protection systems), aircraft systems, and cabin crew as the scenario unfolds. The fifth scenario (the inside job) dealt with a threat that did not produce any PDIs during the flight. It was considered not useful to expose the flight crew to this threat for validation purposes.

Flight protection constitutes an important element of the responses envisioned in SAFEE for hostile attempts countering. It includes two main components, the emergency avoidance system (EAS) and the flight reconfiguration function (FRF). Both are set in motion in response to TARMS requests and remain under the control of TARMS during operation.

The EAS provides protection against:
- controlled flight into terrain, obstacles or areas prohibited for security reasons;
- malicious or inappropriate actions on cockpit systems (function referred to as function protection or FP).

The objectives were mainly:
- to produce a preliminary specification of what would be the intended EAS system in the near future, taking into account the appropriate safety-related considerations and requirements, as well as the integration constraints associated with the implementation of such a system into avionics;
- to get from the users - mainly pilots - a feedback on the EAS requirements with regards to the most critical aspects on the basis of evaluation experiments performed with pilots.

The access control function was successfully tested. The reading devices for the electronic boarding passes worked perfectly, and the involved experts were impressed by the high reliability of the face recognition system.

However, it must be noted that the system had to be adjusted to cope with the adverse lighting conditions at the OTDS evaluation facility. In daily operation, even more adverse and, in addition, rapidly changing lighting conditions have to be considered. To cope with this, the robustness of the system will have to be improved. This concerns both, the camera technology and the software algorithms for image pre-processing and evaluation.

In the same way cultural aspects, which could not be extensively considered in the evaluation campaigns in SAFEE, could impact the face recognition function. Even if the system was proven to be robust against effects of wearing glasses or large hats, there is other specific clothing like veils that make the recognition of a human face completely impossible. This is an issue that cannot be solved technically, but requires adequate operational procedures.

The sub-system for the detection of suspicious personal behaviour worked fine for some pre-defined behaviour patterns. Single PDIs like nervousness and aggressiveness could be successfully detected, and the system was also capable to detect complex scenarios that comprised a sequence of several PDIs.

However, as for the access control function, the reliability of the system strongly on environmental conditions, in particular on the lighting conditions. More than that, even the definition of suspicious behaviour is currently not fully completed and validated. Particularly, cultural aspects need to be better considered when aiming at the development of a system that can be used in daily operation.

The sub-system for the onboard detection of dangerous goods was successfully tested for specific substances. A stand-alone prototype has shown the performance of the developed sub-system and how it could be integrated in the lavatory compartment of an aircraft.

The basic issue with the detection of dangerous substances is that for each substance specific sensors and environmental conditions are required. This makes the installation and operation of such a system on board an aircraft more complicated. One option to overcome this issue is a careful selection and combination of several types of sensors. The progressing development of effective and small sensor types supports this approach.

Concluding, it must be noted that the OTDS, as it was implemented, was far from being industrialised. However, the basic feasibility of the implemented functions could be proven, and needs for further improvements of both, hardware and software algorithms could be identified.