Dragon vs Starliner instrument panel

There have been discussions on touchscreen panels in cars and it’s my impression that the SpaceX Dragon capsule is predominantly touchscreen (perhaps that’s a misconception on my part, if so please correct me).

Today I saw a “tour” of the Starliner on the news and ISTM that it is much more “traditional” in terms of being a glass cockpit with multifunction buttons surrounding the various panels, as well as various toggle switches etc.

Are there astronauts familiar with the use of both panel philosophies or are SpaceX drivers SpaceX drivers only, and similarly with the Starliner? And have there been any comparative reviews by operators of the two different philosophies (e.g. touch screens vs buttons & knobs)?

Your impression is correct. Starliner has lots of buttons, no touchscreens, and relatively small displays (and aesthetically, it just looks like a traditional cockpit). Crew Dragon has minimal physical controls and three large touchscreen displays. The various abort buttons have physical backups, though. The launch abort system has a large handle.

No astronauts have trained on both yet. Possibly some have seen both, but if so I haven’t seen word from them.

At least according to Wikipedia, none of the astronauts currently set to ride on Starliner have ridden on Dragon. Most of them are still to be determined, though, so it’s not impossible.

That said, astronauts tend to be diplomatic and they’re unlikely to just say that one is better than the other. They’ll hedge and just say that both have their strong points. Though maybe a foreign astronaut will spill the beans. This Japanese astronaut was pretty blunt in proclaiming Dragon a better ride than either Shuttle or Soyuz:

In general, there really isn’t much for the passengers to do in either capsule. The launch and docking are all automated. They just watch the pretty pictures unless something goes wrong.

Hard to know what sits behind the buttons and switches. In all the previous US manned spacecraft you could trace paths right back to the devices being controlled. But the most recent of those was the Shuttle.

A modern car runs just about every driver control over CAN Bus, and just about every device is controlled over CAN or Flexray.
So from the standpoint of the various computers running the show it doesn’t matter where the input comes from. Manufacturers cheerfully remove physical controls to save money. In the limit you end up with a Tesla, where prior to the release of the latest iteration of the Model 3 rumours were that even indicator stalks would vanish.

The counterpoint is an argument about user interfaces and the need to have clear and positive identification of controls. In aircraft this is done with some deliberation. Controls for different functions should be separated, and if you can, distinct in form. In an emergency, finding the right control in a hurry, and with error, may be critical. Don’t shut-down the good engine.

OTOH, look at the sea of identical switches in the Apollo CM and work out if you could set SCE to Aux when it mattered. (Hint.)
(Pics link to Heroicrelics.org - which really is a lot of fun to visit.)

Setting SCE to Aux exemplifies the value of exactly these controls. The switch directly selected the power source of the signal conditioning equipment to auxiliary power. There was no intermediate computer, just wires. The spacecraft were designed with multiple paths to do just about everything. There were a lot of such workarounds used in anger to route power in odd ways to route around faults. Especially in, but not limited to, Apollo 13.

Boeing are a company with long roots in aviation. And despite the modern ills have something of a reputation for conservativeness. Thus the question that comes to mind is what a lot of the switches in Starliner control. Are they just inputs to software, or are they in the paths controlling the devices?

This comes down to how much control the astronauts/passengers have over the systems. In the face of problems or outright failure, can they do useful stuff to work around problems by reconfiguring stuff that. Or are they dependent upon external control?

It might be noted that even the Apollo spacecraft could be controlled from the ground. By the simple expedient of having a data link that could push the buttons on the Apollo Guidance Computer. (Whether it interfaced via the DSKY or some other path I’m not sure.) But if the spacecraft suffered a fault that required resetting the various configuration switches, Mission Control would be out of luck.

Nowadays computers are a vastly different question, and reliability comes in somewhat different forms. So there is a lot of progress that has been made. We have a lot of unmanned spacecraft doing amazing duty even in the face of serious problems. But we usually have the luxury of time. Less so with fleshy critters aboard.

So, we might then ask, where is the line drawn in the new spacecraft? Enquiring minds and all that.

I was a warfare officer in a warship ops room (or CIC for other navies) in the '80s and a lot of switches on the bulkheads were fairly large things that I’m sure that civilians would think were absurd. If I recall correctly they were called barrel switches.

Absurd? Yes. Easy to find in the dark in a rolling and pitching room? Absolutely. Is that mindset ever necessary in a spacecraft? I obviously have no idea. It is, however, really interesting to see the different approaches.

I guess the logic - same as with a Tesla automobile - is that if the computer(s) stop working, you’re toast anyway. A hundred switches won’t save you. I’m guessing multiple redundant screens, computers, power sources, etc. are a feature of a Dragon capsule where you can’t just coast to the side of the road.

So have we reached a level of advancement such that a Neil Armstrong/Gemini 8 event is now so unlikely that piloting skills are no longer necessary?

I’m beginning to think so.

Spacecraft in the future are apparently going to become cans of meat. If there’s mission equipment onboard, there will be mission specialists engaged with it, but otherwise even the nominal pilot will just be a passenger.

In your Tesla or Ford or Toyota, if the headlights or the door locks are controlled by a computer, then there’s no simple “ON” button to push if the control network goes down. I suppose second layer redundancy is that the headlight button sends its code to the headlight controller directly, not to the computer telling it to tell the headlights to turn on. But then if the computer is down, the display screen won’t display “headlights on” symbol even if the lights are actually on.

The alternative is hundreds of miles of cable, connecting every switch A with the device B that it triggers. Plus the cost of verifying every connection, etc. How do you ensure that switch C fires the right attitude jet, other than firing it? (Whereas, presumably, you can add a computer routine to “test each item on the bus in the following sequence”.) I assume too the fact that bus failure is pretty much unheard of (as opposed to computer failure) indicates the robustness of this approach.

Note Teslas have a manual door pull - no electricity necessary. The only downside is without power, you could pull the trim off where the top of the window sits in the slot.

In the Gimli Glider scenario, where they ran out of fuel, reports were the controls without power assist were so stiff the crew together had to stand on the pedals and haul the yoke as hard as they could for any controls. But fortunately, it was still direct connect hydraulics(?) not fly-by-wire. IIRC the Department of Transport does not allow most (any?) vehicles to have only drive-by-wire steering for a similar reason.

I guess the ultimate question is how many belts and suspenders are too many?

The Tesla Cybertruck is full steer-by-wire. Two redundant motors and three redundant sensors. Probably the first example of such without a physical backup.

The Shuttle delivered some interesting redundancy in controls.

The control surfaces were under computer control. They flew the hypersonic part totally under computer control and could in principle land it. There were four separate computers all running the same code, and four separate hydraulic control systems each controlled by one flight control computer. Any three systems could physically overpower a failed one. Even if the failure was Byzantine. A fifth computer ran a different system and oversaw operations. It could disable a malfunctioning computer.

The main engine control computers were built from four 68000 microprocessors. They were performance matched to the extent that they needed to come off the same wafer. Each processor ran the same code and external logic checked that every processor executed exactly the same way. Down to the clock cycle.

The thing about modern cars is that there are a huge number of separate computers. Many are very custom designs, often with architectural support for hard real time control. The code that runs the dashboard or entertainment system is quite separate to the engine management or drivetrain control. Same for safety systems. Anti skid, antilock brakes, automatic emergency braking. More computers, often from different manufacturers. These systems are coded with extraordinary care. Testing is rigorous and there is a very conservative level of engineering involved. Millions of journeys every day happen with this code directly in the loop. Failure really is not an option.

Body control (door locks, power windows, folding wing mirrors) are separate again. These systems run on different control buses and a lot of effort is made to separate any possible interaction.
Modern in-car entertainment systems exemplify the other end of the spectrum. Random crashes, disconnects, glitches, and idiotic behaviour. If the safety systems were coded to this level of quality there would be carnage.

An example from cars might translate to spacecraft. Hydraulic brake systems have had redundancy since forever. Two separate runs of lines from a dual piston master cylinder. The lines and slave cylinders in the brakes are set up so that loss of fluid in one line will allow the car to safely stop using the other line. Car may soon become undrivable, but it won’t just lose all braking.

So a spacecraft has multiple redundant systems and cross connections between them. Physical switches may be provided to allow all these possible cross connections to be configured to route around a failure.
Say a reaction control valve sticks. You want to disable the entire system, then see if there is a way of reconfiguring the feed system to get back functionality.

A car might just stop on the side of the road, having failed safe, and not killed the passengers. There is no such possibility in a spacecraft. It would be a bad look to have a Gemini 8 type of failure now and not be able to get the spacecraft operational.

Entirely possible to have computer control of all the redundant configuration. We do it in our unmanned spacecraft. But as I noted above, time is usually not as pressing.

I remember reading that and wondering how they got away with it. I presume too there are multiple batteries feeding those multiple units. The whole idea of systems where redundancy is absolutely necessary because failure is not acceptable, is of course that no single component causes RUD.