Touch screen systems are control systems that are commonly used to control electrical, mechanical and computer systems (hereinafter, “commanded systems”). Touch screen systems present information to an operator on a display screen that is adapted to detect a touch (e.g., physical contact or near physical contact made using a body part, a stylus, and/or a light projector (infrared, laser, etc.)). The operator provides an input into a touch screen system by touching the touch sensitive screen. For example, the operator may be presented with images on the display screen that include both text and collocated or associated graphics (e.g., a textual question and closely located “yes” and “no” boxes), and the operator may input a selection into the touch screen system by using a finger to touch the graphic that corresponds with the operator's choice.
Multiple technologies are used to detect the occurrence and location of the operator's touch on the display screen or to protect against false touch indications. Some of the more common technologies include resistive, surface capacitive, projected capacitive, infrared, surface acoustic wave, acoustic pulse recognition, and camera based technologies. Each technology, while generally reliable, has an associated error rate. Accordingly, each touch screen system employing any one of these technologies may occasionally incorrectly determine the location of the operator's touch or may detect a touch at a time when the operator did not touch the touch sensitive screen.
For some uses, such as selecting a radio station on a stereo, an occasional error may be inconsequential and thus the use of a touch screen system to control a commanded system in such instances may be acceptable. For other applications, however, an error could have very serious consequences. For example, the avionics system of an aircraft in flight would require a control system that has an exceedingly low error rate because the commanded system on the aircraft may directly control the aircraft's flight performance and could therefore have a direct impact on passengers and flight crew.
The Federal Aviation Administration (hereinafter, “FAA”) has ranked various aircraft functions for safety needs on a sliding scale that ranges from minor to catastrophic events. If an aircraft function failure event is deemed to be “minor”, then that function may be controlled by a control system having a postulated failure rate that exceeds 1/100,000 per flight hour. If an aircraft function failure event is deemed to be “major”, then that function must be controlled by a control system having a postulated failure rate that is less than 1/100,000 per flight hour. If the function failure event is deemed to be “hazardous”, then that function must be controlled by a control system having a postulated failure rate that is less than 1/10,000,000 per flight hour. And if the function failure event is deemed to be “catastrophic”, then that function must be controlled by a control system having a postulated failure rate that is less than 1/1,000,000,000 per flight hour. A minor event has a slight reduction in safety margins; a major event has a significant reduction in safety margins and may result in some occupant discomfort; a hazardous event has a large reduction in safety margins and may have adverse effects upon occupants; a catastrophic event can result in conditions which prevent safe landing and loss of the aircraft. Similar definitions and categories are used in other industries such as industrial control.
Failure rate has several aspects. One aspect is simply failure to operate, where either the pilot knows the equipment is nonoperational and takes appropriate action, or the system is designed such that a failure of one element results in another part of the system compensating, with or without the pilot's knowledge. An example is an automatic cabin temperature controller. If this equipment fails, the pilot would know by several means, even one as crude as being uncomfortable, and switch to manual control or to another controller. Or, several controllers can operate in parallel and one automatically takes over upon the failure of the other without pilot intervention and perhaps even without the pilot's knowledge. As used herein, the term “failure” refers to failures which are either permanent or transitory in nature. For example, a permanent failure can be the breaking of a wire or the cracking of a resistor. A transitory failure includes many conditions including, for example, radiation or radio interference changing a bit in a register, components drifting in and out of specification due to environmental conditions, or other such short term variations.
Another, more concerning, aspect is an equipment failure of which the pilot is unaware. This is typically called in the industry an “undetected hazard” or “undetected misleading data” or similar names. It has the possibility of providing misleading data or control commands with serious results. An example is an altimeter. If it has failed such that it is showing the wrong altitude yet there is no indication to the pilot that it is operating improperly, the resulting failure condition can be catastrophic. For that reason, typically there are several independent altimeters in the cockpit which the pilot scans to verify that all are registering the same altitude, within appropriate limits, or automatic systems perform such checks, alleviating some of the pilot's need to constantly scan.
The term “Integrity” has two aspects in the avionics industry of which undetected hazard caused by an equipment failure is one. Another is undetected failure conditions in flight caused by errors as opposed to equipment failures. Examples of such errors are improper software coding and improper hardware design. These errors are typically referred to as “generic errors”.
Accordingly, a high integrity touch screen system is required to command, or to monitor, many of the systems employed onboard an aircraft. As used herein, the term “high integrity touch screen” refers to a touch screen that has an exceedingly low undetected failure rate, whether caused by equipment failures or by errors. For example, with reference to the aviation industry, a high integrity touch screen which can support a major event is one which has an undetected failure rate of less than 1/100,000.
In the current state of the art, the use of touch screens in avionics is predominantly for actions where failures result only in no flight events, minor events or at most a limited number of major events. In the current state of the art, if a higher level event must be supported that requires a higher level of integrity, then a mitigating technique is for the pilot to observe that the command from the touch screen has reached the system to be controlled, and to allow the control action to take place only after the pilot confirms that the requested setting is correct. This is referred to herein as the “arm/command” approach. For example, to turn a knob to set a temperature, the controller displays the temperature requested, and if the pilot agrees that this was what was input via the knob, then the pilot pushes another device (e.g., a button) to execute the temperature command. Thus, both the setting device (e.g., a knob with a potentiometer) and the readout device must fail in order for incorrect data to be transferred, rather than just the knob.
Assuming the setting device and the readout device are independent, the integrity probability can be computed by multiplying together the integrity of each device. For example, assuming both are working at the start of a flight and both devices have a hardware failure rate of 10^-5, then the integrity due to a failure of hardware is 10^-5 multiplied by 10^-5, or 10^-10, which improves the integrity beyond a 10^-9 per flight hour failure rate.
In many cases the “arm/command” is sufficient. This general approach is also used in many non-avionic systems where integrity must be high. However, this is an awkward approach in many flight situations. For example, currently in flight decks without a touch screen, the pilot simply toggles a switch or just turns a knob to command a system with high integrity—a single pilot action. To reach high integrity, the typical approach is for the switch to have two or more independent outputs and they are read by a system designed for high integrity usually with several independent processors and conversion devices. The term “independent” as used herein refers to freedom from common failures or errors as understood in the art.
Using the touch screen “arm/command” approach requires more pilot actions:
1. The pilot must touch the simulated switch on the screen.
2. The pilot must then wait for the system to display, usually on the touch panel but perhaps on another cockpit display, that the system is “armed” to the on state.
3. The pilot then needs to push a button or take other action to “command” the action.
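The three-step arm/command flow just listed, together with the independent-channel rate arithmetic of the earlier paragraph, as an added Python illustration that is not part of this document; the controller class, the ten-second arm timeout and the setting values are assumptions, while the rate thresholds are those quoted above.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional

class State(Enum):
    IDLE = "idle"
    ARMED = "armed"

@dataclass
class ArmCommandController:
    """Arm/command flow: a touch arms a requested setting; a separate confirm
    executes it only while armed, before a timeout, and only if the
    independently read-back value equals the request (assumed design)."""
    arm_timeout_s: float = 10.0  # assumed value, not from the document
    state: State = State.IDLE
    requested: Optional[float] = None
    armed_at: Optional[float] = None
    executed: List[float] = field(default_factory=list)

    def arm(self, setting: float, now: float) -> str:
        # Steps 1-2: the touch records the request; the returned string is what
        # the readout device shows, so the pilot can check it before commanding.
        self.requested, self.armed_at, self.state = setting, now, State.ARMED
        return f"armed: {setting}"

    def command(self, readback: float, now: float) -> bool:
        # Step 3: the confirm action. A mismatch or a stale arm drops to IDLE,
        # so a single failed channel cannot drive the commanded system.
        if self.state is not State.ARMED:
            return False
        ok = now - self.armed_at <= self.arm_timeout_s and readback == self.requested
        if ok:
            self.executed.append(readback)
        self.state, self.requested, self.armed_at = State.IDLE, None, None
        return ok

def combined_undetected_rate(rates: List[float]) -> float:
    """Per-flight-hour rate when independent channels must all fail: the product."""
    total = 1.0
    for r in rates:
        total *= r
    return total

def faa_category(rate: float) -> str:
    """Most severe failure event a path with this rate may control (text's thresholds)."""
    for limit, name in ((1e-9, "catastrophic"), (1e-7, "hazardous"), (1e-5, "major")):
        if rate < limit:
            return name
    return "minor"
```

The product rule holds only while the channels are truly independent; a shared power supply or a common software defect collapses it back to a single-channel rate.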
This is much more awkward than simply using a common switch. It is cumbersome, inconvenient, and time consuming. And, in some flight conditions it increases the pilot workload to unacceptable levels, such as in an emergency condition such as a fire, or upon takeoff or landing. Here the pilot wants to take a single rapid action, not three actions. Even in other, non-emergency situations this is very awkward, such as setting or resetting tens of electronic circuit breakers; rather than just “pulling out” or “pushing in” the breaker, the pilot needs to perform several actions for each.
Also, the overall system is complex in that the controller system needs to be designed to provide the feedback to a display and to react to an “arm” and “command” condition.
Accordingly, it is desirable to provide a high integrity touch screen system suitable for the desired probability of avoiding a specified level of safety event that is not cumbersome, inconvenient, or time consuming. Additionally, it is desirable to provide a high integrity touch screen system that is suitable for use in various high integrity aviation applications that does not require a three step process in order to transmit a command to a commanded system. Furthermore, other desirable features and characteristics of the present invention will become apparent from the subsequent detailed description of the invention and the appended claims, taken in conjunction with the accompanying drawings and this background of the invention.