On Saturday, 18 January 2014 at 03:07:30 UTC, H. S. Teoh wrote:
You missed his point. The complaint is that the car has a *single* software system that handles everything. That's a single point of failure. When that single software system fails, *everything* fails.

I didn't miss the point at all. My point is that you should always target the cost of improving the statistical overall safety of the system rather than optimizing the stability of a single part that almost never fails.

Having multiple independent software implementations only works for very simple systems. And in that case you can prove correctness by formal proofs. It is more likely to fail due to a loose wire or electrical components.
