Avionics Panel Go For Luna Landing! Graham O’Neil United Space Alliance March 2008

Background Software comparisons from Apollo to Cx Functionality, size, process characteristics Fault Tolerance, safety considerations Human Crew Integration and Training Human Error in design Human Error in operations Automation Errors Automation and Human handoffs Avionics Lessons Learned Multi-use, multi connect computers [Apollo 13] Crew Awareness support [Apollo 11]

Apollo Error Sources Switchology and mode management; Apollo 11 Primary/backup mode switching; Apollo 10

Principles Learned Separation of criticalities Redundancy at appropriate levels Robustness of resources and behavior at the margins Simplicity Re-inforced Situation Awareness Training cycle based on credible sims, credible failures, diagnostic signatures, recovery strategies, and next failure identifications.

Operational Modes Op Mode Description Normal Simulator Independent The system performs normal operations activities (polling, communications, etc.) Simulator A specified system suspends activities to allow a simulator scenario to be performed. Systems could be set to mimic another vehicle: Independent Each system could be run totally independent of the rest of the ship’s systems. Emergency   Each system could have a minimal back up program that would enable it to take charge of the entire ship in case of emergency. Super Links vehicle computers together to solve high-powered computational tasks. This mode could also support sophisticated high-powered simulations.

Challenges Generation of Safe Designs and their translation into Verifiable Code. Safe management of modes and states. Computer and Network architectures that can support fault tolerant data communications. For life cycle considerations; Maintain software at the model level Design and integration tools support Composability, and multi-level criticality function distribution.