Everyone who writes safety critical software should read this
Walter Bright
newshound2 at digitalmars.com
Sat Nov 2 20:15:41 PDT 2013
On 11/2/2013 6:59 AM, Timon Gehr wrote:
> Well, I think it is funny to consider a methodology adequate in hindsight if it
> has resulted in a crash. Have the techniques advocated by Walter been thoroughly
> applied in this project?
One downside of system redundancy is it adds weight, and spacecraft are
catastrophically sensitive to weight.
When space probes fail, they don't kill people. So while the failures cost money
and are embarrassing, the weight penalty of redundancy may have meant the
mission wasn't practical in the first place.
Tradeoffs, tradeoffs.
I don't know much about failsafe redundancy in, for example, Mars probes. I have
seen discussions about the lack of failsafes in many aspects of the Shuttle
design. They are well-known tradeoffs, though, and they know the risks.
Nobody has even figured out how to make failsafe helicopter rotor blades.
Instead, they opt for expensive maintenance and inspections. If a rotor blade
fails, the helicopter crashes and kills everyone aboard.