Program logic bugs vs input/environmental errors
Sean Kelly via Digitalmars-d
digitalmars-d at puremagic.com
Sat Oct 4 09:09:22 PDT 2014
On Saturday, 4 October 2014 at 08:15:51 UTC, Walter Bright wrote:
> On 10/3/2014 8:43 AM, Sean Kelly wrote:
>> My point, and I think Kagamin's as well, is that the entire
>> plane is a system and the redundant internals are subsystems.
>> They may not share memory, but they are wired to the same
>> sensors, servos, displays, etc.
>
> No, they do not share sensors, servos, etc.
Gotcha. I imagine there are redundant displays in the cockpit as
well, which makes sense. Thus the unifying factor in an airplane
is the pilot. In a non-manned system, it would be a control
program (or a series of redundant control programs). So the
system in this case includes the pilot.
>> Thus the point about shutting down the entire plane as a
>> result of a small failure is fair.
>
> That's a complete misunderstanding.
Right. So the system relies on the intelligence and training of
the pilot for proper operation. Choosing which systems are in
error vs. which are correct, etc. I still think an argument
could be made that an entire airplane, pilot included, is
analogous to a server infrastructure, or even a memory isolated
program (the Erlang example).
My only point in all this is that while choosing the OS process
is a good default when considering the potential scope of
undefined behavior, it's not the only definition. The pilot
misinterpreting sensor data and making a bad judgement call is
equivalent to the failure of distinct subsystems corrupting the
state of the entire system to the point where the whole thing
fails. The sensors were communicating confusing information to
the pilot, and his programming, as it were, was not up to the
task of separating the good information from the bad.
Do you have any thoughts concerning my proposal in the "on
errors" thread?