Touch screen systems are control systems that are commonly used to control electrical, mechanical and computer systems (hereinafter, “commanded systems”). Touch screen systems present information to an operator with a display screen that is adapted to detect a touch (e.g., physical contact or near physical contact made using a body part, a stylus, a light projector or by some other means of contact). The operator provides an input into a touch screen system by touching the touch sensitive screen. For example, the operator may be presented with images on the display screen that include both text and collocated or associated graphics (e.g., a textual question and closely located “yes” and “no” boxes), and the operator may input a selection into the touch screen system by touching the graphic that corresponds to the operator's choice.
Multiple technologies are available to detect the occurrence and location of the operator's touch on the display screen. Some of the more common technologies include resistive, surface capacitive, projected capacitive, infrared, surface acoustic wave, acoustic pulse recognition, and camera-based technologies. Each technology, while generally reliable, experiences occasional errors. It is postulated that a touch screen system employing any one of these technologies may occasionally determine the location of the operator's touch incorrectly, or may detect a touch at a time when the operator did not touch the touch sensitive screen.
For some uses, such as selecting a radio station on a stereo, an occasional error may be inconsequential, especially as the operator soon recognizes the error, and thus the use of a touch screen system to control a commanded system in such instances may be acceptable. For other applications, however, an error, especially one undetected by the operator, could potentially have very serious consequences. This may be for safety reasons (as in avionics or industrial control), customer satisfaction reasons (e.g., in an automobile selecting high and low beams), or even financial reasons (in an automatic teller machine transferring money). For example, the avionics system of an aircraft in flight would require a control system that has an exceedingly low error rate, especially if undetectable by the operator, because the commanded system on the aircraft may directly control the aircraft's flight performance and could therefore have a direct impact on passengers and flight crew.
The Federal Aviation Administration (hereinafter, “FAA”) has ranked various aircraft functions for safety needs on a sliding scale that ranges from minor to catastrophic events. If an aircraft function failure creates a failure condition whose severity is deemed to be “minor”, then that function may be controlled by a control system having a postulated failure probability that exceeds 1/100,000 per flight hour. If an aircraft function failure creates a failure condition whose severity is deemed to be “major”, then that function must be controlled by a control system having a postulated failure probability that is less than 1/100,000 per flight hour. If the function failure creates a failure condition whose severity is deemed to be “hazardous”, then that function must be controlled by a control system having a postulated failure probability that is less than 1/10,000,000 per flight hour. And if the function failure creates a failure condition whose severity is deemed to be “catastrophic”, then that function must be controlled by a control system having a postulated failure probability that is less than 1/1,000,000,000 per flight hour. A minor failure condition has a slight reduction in aircraft safety margins; a major failure condition has a significant reduction in safety margins and may result in some occupant discomfort; a hazardous failure condition has a large reduction in safety margins and may have adverse effects upon occupants; a catastrophic failure condition can result in conditions which prevent safe landing and in loss of the aircraft. Similar definitions and categories are used in other industries such as industrial control, and by other safety authorities.
The concept of “failure” has several aspects which include detection and permanence. “Failure” denotes the inability to operate in situations where the pilot either knows that the equipment is nonoperational and takes appropriate action, or the system is designed such that a failure of one element results in another part of the system compensating, with or without the pilot's knowledge, thus averting a failure condition. An example of this is an automatic cabin temperature controller. If this equipment fails, the pilot may feel uncomfortable and can switch to manual control or activate a secondary temperature controller. Alternatively, several controllers can operate in parallel and one may be designed to automatically take over when another fails, without pilot intervention and possibly without the pilot's knowledge.
In another aspect, “failure” means an uncorrected equipment failure that the pilot is not aware of. This undetected failure can result in a condition typically called an “undetected hazard” or “undetected misleading data”. This has the possibility of providing misleading data or control information to the pilot. An example of this is an altimeter malfunction. If the altimeter is showing the wrong altitude and if there is no indication to the pilot that the altimeter is operating improperly and if there are no other means to detect the malfunctioning altimeter, the consequences could be quite serious. For this reason, there are typically several independent sources of altitude and altimeters in the flight deck which the pilot can scan to verify that all are registering the same altitudes, within appropriate limits.
As used herein, the term “failure” refers to failures which are both permanent and transitory in nature. For example, a permanent failure can be the breaking of a wire or the cracking of a resistor. A transitory failure may include radiation or radio interference changing a bit in a register, components drifting in and out of specification due to environmental conditions, or other similar short term variations.
The term “integrity” is an attribute of an item indicating that it can be relied upon to work correctly on demand. Therefore an item having “high integrity” can be relied upon to perform the most critical functions such as an autopilot and items having “low integrity” can be relegated to non-critical functions such as lighting control. In the avionics industry, “integrity” has several aspects. One aspect is the probability at which undetected failures occur. Another aspect is the probability at which undetected failures caused by errors (as opposed to equipment failures) occur.
In the current state of the art, the use of touch screens in avionics is predominantly for actions where failures of integrity will result only in minor failure conditions or, at most, in a limited number of major failure conditions. In the current state of the art, if a failure condition supported by a touch screen requires a higher level of integrity, then one mitigating technique is for the pilot to observe that the command from the touch screen has reached the commanded system, and to allow the control action to take place only after the pilot confirms that the system being commanded has received the proper request from the touch screen. For example, to lower the aircraft's landing gear, the pilot selects a gear down graphic on the touch screen. The touch screen then displays a query initiated by the landing gear system asking the pilot to confirm that the “gear down” command is the intended command. If the pilot agrees that a “gear down” request was made via the touch screen system, then the pilot selects a confirming graphic (i.e., a “yes” button) to actuate the mechanism for lowering the landing gear. Once the confirming graphic has been selected, the landing gear will be lowered. In this manner, a higher integrity is provided by the touch screen because the touch screen's buttons and sensors, the touch screen's display, and the landing gear system must all fail in order to have the incorrect data transferred. The landing gear is only taken as an example and the description is not intended to imply the actual failure condition severity.
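The following is an added illustration, not part of the patent text, modelling the confirm-before-actuate technique just described together with the FAA severity thresholds listed earlier. The `CommandedSystem` class and the per-component failure rates used in the usage note are constructed for illustration; the threshold values are those stated in the text.

```python
"""Added example (not from the patent): the commanded system echoes back the
command it actually received, the pilot confirms only if that echo matches the
intended action, and the undetected-failure probability of the resulting path is
checked against the severity thresholds quoted in the text."""
from dataclasses import dataclass, field
from typing import List, Optional

# Upper bound on postulated failure probability per flight hour, per severity
# class, as stated in the text. "minor" has no upper bound, so 1.0 is used.
MAX_FAILURE_PROBABILITY = {
    "minor": 1.0,
    "major": 1 / 100_000,
    "hazardous": 1 / 10_000_000,
    "catastrophic": 1 / 1_000_000_000,
}


def meets_integrity(severity: str, undetected_failure_probability: float) -> bool:
    """True if a control path with this undetected-failure probability per
    flight hour may control a function of the given severity class."""
    return undetected_failure_probability < MAX_FAILURE_PROBABILITY[severity]


def combined_independent_failure(*probabilities: float) -> float:
    """With confirmation, an undetected wrong command requires the touch sensor,
    the display and the commanded system to all fail; assuming independence,
    the combined probability is the product of the individual ones."""
    p = 1.0
    for x in probabilities:
        p *= x
    return p


@dataclass
class CommandedSystem:
    """Constructed stand-in for e.g. a landing gear controller. It holds the
    request it received and reports it back so the pilot checks the echo."""
    pending: Optional[str] = None
    actuated: List[str] = field(default_factory=list)

    def request(self, command: str) -> str:
        self.pending = command
        return command  # echoed command, shown in the confirmation query

    def confirm(self, pilot_agrees: bool) -> Optional[str]:
        cmd, self.pending = self.pending, None
        if pilot_agrees and cmd is not None:
            self.actuated.append(cmd)
            return cmd
        return None  # declined or nothing pending: no actuation


def confirmed_command(intended: Optional[str], registered: str,
                      system: CommandedSystem) -> Optional[str]:
    """One interaction. `registered` is what the touch sensor resolved, which
    may differ from `intended` on a location error, or be a phantom touch
    (`intended` is None). Actuation happens only when the echo matches."""
    echoed = system.request(registered)
    return system.confirm(intended is not None and echoed == intended)
```

With constructed per-hour failure probabilities of 1e-4 for each of the three elements, `combined_independent_failure(1e-4, 1e-4, 1e-4)` gives 1e-12, which `meets_integrity("catastrophic", ...)` accepts, whereas a single 1e-4 element alone fails even the "major" bound.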
While this approach is adequate, it requires multiple pilot actions to execute a single command and this may be awkward or time consuming in certain flight situations such as in an emergency condition or upon takeoff or landing. At these times, the pilot will want to take a single rapid action, not multiple actions.