Avionics Panel
Go For Luna Landing!
Graham O’Neil
United Space Alliance
March 2008
Background
• Software comparisons from Apollo to Cx
– Functionality, size, process characteristics
– Fault Tolerance, safety considerations
• Human Crew Integration and Training
– Human Error in design
– Human Error in operations
– Automation Errors
– Automation and Human handoffs
• Avionics Lessons Learned
– Multi-use, multi-connect computers [Apollo 13]
– Crew Awareness support [Apollo 11]
Apollo Error Sources
• Switchology and mode management; Apollo 11
• Primary/backup mode switching; Apollo 10
Principles Learned
• Separation of criticalities
• Redundancy at appropriate levels
• Robustness of resources and behavior at the margins
• Simplicity
• Reinforced Situation Awareness
• Training cycle based on credible sims, credible failures, diagnostic signatures, recovery strategies, and next-failure identification
Operational Modes
Op Mode: Description
Normal: The system performs normal operations activities (polling, communications, etc.).
Simulator: A specified system suspends activities to allow a simulator scenario to be performed. Systems could be set to mimic another vehicle.
Independent: Each system could be run totally independently of the rest of the ship’s systems.
Emergency: Each system could have a minimal backup program that would enable it to take charge of the entire ship in case of emergency.
Super: Links vehicle computers together to solve high-powered computational tasks. This mode could also support sophisticated high-powered simulations.
Challenges
• Generation of Safe Designs and their translation into Verifiable Code.
• Safe management of modes and states.
• Computer and Network architectures that can support fault-tolerant data communications.
• For life cycle considerations:
– Maintain software at the model level
– Design and integration tools support Composability and multi-level criticality function distribution.