On Saturday, 18 January 2014 at 02:48:38 UTC, Walter Bright wrote:
> I didn't mention that the dual autopilots also have a comparator on the output, and if they disagree they are both shut down. The deadman is an additional check. The dual system has proven itself, a third is not needed.

The pilot is engaged as the third.

There are situations where you cannot have a third "intelligent" agent take over, so you should have 3 systems, and reboot and resync the one that diverges, but this is rather off topic. I don't think D is a language that should be used for these kinds of systems.

> Please reread what I wrote. I said it shuts itself off and engages the backup, and if there is no backup, you have failed at designing a safe system.

A car driver that is doing an emergency manoeuvre is not part of a safe system, indeed!

If you want one system to take over for another you need a safe spot to do it in. Just disappearing instantly isn't optimal because instantly changing responsiveness is a guarantee for failure.

In fact, being instantly disruptive is usually the wrong thing to do. You should spin down gracefully.

I don't see why you cannot do that with null-pointers. You obviously can do it with division by zero errors. I think you associate null-pointers with memory corruption, which truly is an invalid state for which you might want to instantly shut down.

> I have experience with this stuff, Ola, from my years at Boeing designing flight critical systems. What I outlined is neither irrational nor emotionally driven, and has the safety record to prove its effectiveness.

In a very narrow field where the pilot is monitoring the system and can take over. The pilot is the ultimate source for failure (in a political sense). So you basically shut down the technology and blame the pilot if you end up with a crash. That only works if the computer has been made to replace a human being.
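The two redundancy schemes being argued over above, as an added toy simulation that is not code from this thread nor from any real autopilot: a dual system whose output comparator trips and hands off to a backup (or to manual control when no backup exists), beside a triple system that takes a 2-of-3 vote and resyncs the channel that diverges instead of shutting everything down. The channel outputs, the tolerance, and the drift in channel B at the third cycle are all constructed values.

```python
"""Constructed comparison of dual-comparator shutdown vs. 2-of-3 voting with resync.

Everything here is an assumption for illustration: the TOLERANCE, the
SCENARIO outputs, and the idea that a 'backup' is simply another controller
that is ready to take over. No real flight-control behaviour is modelled.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

TOLERANCE = 0.05  # constructed: largest disagreement two channels may show


@dataclass
class DualComparator:
    """Two channels feed an output comparator.  On the first disagreement
    both channels are shut down (the comparator 'trips') and control passes
    to a backup controller if one exists, otherwise to the human operator."""
    has_backup: bool = True
    tripped: bool = False
    events: List[str] = field(default_factory=list)

    def _fallback(self) -> str:
        return "backup" if self.has_backup else "manual"

    def step(self, a: float, b: float) -> Tuple[str, Optional[float]]:
        if self.tripped:
            return (self._fallback(), None)  # stays off once tripped
        if abs(a - b) > TOLERANCE:
            self.tripped = True
            self.events.append(f"comparator trip: {a:.3f} vs {b:.3f}")
            return (self._fallback(), None)
        return ("dual", (a + b) / 2)


@dataclass
class TripleVoter:
    """Three channels with a 2-of-3 majority vote.  A channel that disagrees
    with the agreeing pair is resynced to the agreed value and the system
    keeps running; only when no two channels agree is control handed off."""
    events: List[str] = field(default_factory=list)

    def step(self, outputs: List[float]) -> Tuple[str, Optional[float], List[float]]:
        resynced = list(outputs)
        agreeing = [(i, j) for i in range(3) for j in range(i + 1, 3)
                    if abs(outputs[i] - outputs[j]) <= TOLERANCE]
        if not agreeing:
            self.events.append("no majority: handing off to manual")
            return ("manual", None, resynced)
        i, j = agreeing[0]
        agreed = (outputs[i] + outputs[j]) / 2
        k = 3 - i - j  # index of the remaining channel
        if abs(outputs[k] - agreed) > TOLERANCE:
            self.events.append(
                f"channel {k} diverged ({outputs[k]:.3f}), resynced to {agreed:.3f}")
            resynced[k] = agreed  # resync the divergent channel, keep flying
        return ("triple", agreed, resynced)


# Constructed: (channel A, channel B, channel C) per control cycle.
# Channel B drifts well beyond TOLERANCE on the third cycle, then recovers.
SCENARIO = [
    (1.00, 1.00, 1.00),
    (1.01, 1.00, 1.01),
    (1.02, 1.20, 1.02),
    (1.03, 1.03, 1.03),
]


def run_dual(has_backup: bool = True) -> List[str]:
    """Control source per cycle for the dual system (channels A and B only)."""
    system = DualComparator(has_backup=has_backup)
    return [system.step(a, b)[0] for a, b, _ in SCENARIO]


def run_triple() -> Tuple[List[str], List[str]]:
    """Control source per cycle and event log for the triple system."""
    voter = TripleVoter()
    modes = [voter.step([a, b, c])[0] for a, b, c in SCENARIO]
    return modes, voter.events


if __name__ == "__main__":
    print("dual, backup present :", run_dual(True))
    print("dual, no backup      :", run_dual(False))
    modes, events = run_triple()
    print("triple               :", modes)
    for line in events:
        print("  ", line)
```

The dual system never returns to "dual" after the trip: that is the instant hand-off the thread is arguing about, and the simulation leaves the question of whether the hand-off happens at a "safe spot" entirely unmodelled. The triple voter stays in control through the same drift because the majority still agrees, which is the "reboot and resync the one that diverges" case.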
