Errors of Human or Machine

Were there mistakes here? Was the rendezvous radar mistakenly left on? No. Aldrin had planned to do that before the flight, and it was written into the procedures. The radar's mode switch was indeed in the wrong position, but the sync problem should not have occurred regardless of the position of the radar switch (and would have occurred were it in AUTO instead of SLEW). The radar-computer interface had been tested in a laboratory where both devices used the same power supplies, rather than in the LM itself where they had different power supplies, generating a subtle, invisible piece of unreality that masked what could have been a critical problem. Still, according to Don Eyles, the lack of synchronization of the power supplies had been realized years before, but never correctly addressed.22

It was at least an error of communications, if not of systems engineering practice. ''There were folks who knew about the RR [rendezvous radar] resolver'' interface issue, ran the IL report on the matter. ''There were also a great many people who knew the effect which a 15% TLOSS [loss of processor time] would have on the landing program's operation. These folks never got together on the subject.'' The report noted that ''scrutiny of the crew checklist by the hardware personnel'' could have prevented the problems.23

Robust processing and restart protection in the LGC saved the day, as the computer dropped only low-priority tasks while keeping the vehicle under control. Still, the 1201 and 1202 alarms had been put in only for testing, and nobody thought they would ever occur in a real situation. In light of the benign nature of the restarts, and the computer's effective responses, the ''program alarm'' should probably not have illuminated the master alarm, and was probably too dramatic and intrusive in proportion to the nature of the problem. In hindsight, an indicator that said something like ''tasks being dropped, critical functions still OK'' would have caused less distraction for the astronauts.

We can point to other aspects of the human-machine network that allowed the Apollo 11 landing to succeed despite the program alarms: Kranz's insistence before the flight that all possible program alarms be understood, part of the Apollo philosophy of ''no unexplained failure.'' He simply was not comfortable with the possibility of anything unexpected occurring during flight. The IL team's ability to quickly diagnose the problem when it occurred depended on having simulators ready to go in the laboratory, as well as the experience built up during the long hours of testing and simulation.

Most important, in response to the program alarms the human operators continued the mission while engineers on the ground diagnosed the problem. This behavior seemed to confirm the NASA philosophy of humans as critical backup components.

But how did Apollo 11 confirm the value of keeping the human in the loop? Recall that the only real problem caused by the program alarms was demanding the attention of the astronauts;a machine would not have been distracted. Had it been set on automatic landing, the LM would have come down anyhow, with less ballyhoo, though perhaps amid a field of boulders.

