by Phillipharryt 2554 days ago
I hope you're arguing in favour of the space shuttle there. It has no contextual buttons. I'll always argue that contextual controls do not belong in critical systems. Every button on that shuttle will do the same thing every time you press it. A touch screen looks nice but isn't safe. Mission control is telling you to press X button, but X button isn't actually on your display right now?? That's a big problem.

The Crew Dragon is designed to be completely autonomous. 99% of the time, the astronaut is just a passenger, so there is less requirement for physical controls.

In terms of mission control telling you to press X button, it is almost certain that mission control would have a simulation of the cockpit running that would show them exactly what the astronaut is seeing on their display. So they will always be able to direct the astronaut correctly.

I definitely think a touch screen in this situation can be safer, because it can display information in a way that makes it quicker for the astronaut to understand the situation. It in theory requires less training because there is less requirement to remember the position and function of every single switch.

Space missions need to account for the times when things really hit the fan, that's when design really matters. If shit goes haywire why should I assume my touchscreen is now displaying the same thing as mission control's? If it's not then instructions go out the window. If shit goes haywire in the shuttle, mission control can safely assume they're looking at the EXACT control scheme the pilot is, and can read out controls accordingly. I get that automation is intended, but for emergencies a touch screen really doesn't cut it.

> Every button on that shuttle will do the same thing every time you press it.

I agree with you in spirit, but would disagree with this particular point. Apollo had an erroneous "Abort" signal because a particular switch didn't do what it was supposed to, because it had some interesting failure modes in zero-gravity.

I think it is dangerous to assume that one design is flawless over the other; both touch-screens and mechanical systems have their own unique failure modes. Maybe one is more reliable than the other, which I think is currently the case here.

Ok perhaps I could change that to "every working button on the shuttle will do the same thing every time I press it".

Your mention of zero gravity has brought up another consideration for me. Assuming it's a capacitive touchscreen you need to ensure no conductive material ever floats into contact with it by mistake. Switches and buttons have covers and rails to prevent accidental pressing but how do you manage that with touchscreens? Apple manages it on your phone because a false negative is ok in that case, I don't think you can allow that on a spacecraft. How is a floating glove finger differentiated from a glove actually attached to hand?

I don't think the "every working button" buys you much here because it could just as easily be stated as "every working touchscreen does the same thing every time I press it". The point from reliability engineering is that everything works until it doesn't. The difficulty with software systems is that they often have complexity that is tough to understand all the paths let alone test/mitigate them (see Boeing 737 Max as a recent example).

You bring up really good points on the zero gravity considerations. It would be interesting to see SpaceX's FMEA on this system to see what all they've considered.

?? Touchscreen interfaces almost always have contextual displays. So no, touching it doesn't always do the same thing every time I press it. The space where a spacebar is on your phone is the same space that is sometimes the camera button. I think contextual design does not suit important interfaces.

I meant it in terms of pressing a working contextual display. I think we're saying the same thing. Software introduces many more failure pathways so it's often not suitable for primary hazard mitigation.