[mehrdadn]

> Safe and unsafe is not a binary.

You could make it a reasonable binary if you define unsafe as "has known bugs that could lead to deaths", which is what the top comment was doing. Not sure if any already-in-use planes satisfy that criterion though.

[zaroth]

There are a vast number of “known bugs that could lead to deaths” in these devices.

But when the bug is known to be hit only is astronomically slim scenarios, they don’t rework the entire stack to eliminate it because, well perhaps it is more likely to cause more harm than good?

[mehrdadn]

Maybe it depends on what you'd call a "bug". Even a flip-flop always has a nonzero probability of failure via metastability, but I wouldn't classify every system that uses a flip-flop as "buggy". Though to be honest now I'm not really sure what a consistent and useful definition of a "bug" is, if it's even clear and noncircular. (Maybe the best definition is "has a failure mode unaccepted by the users"? Not sure.)

[Senderman]

The state of "Bug" vs. "not a bug" is similarly non-binary.

"unaccepted by users" is circular in this particular discussion, because it started with trying to tease out whether a rare* safety* risk was "acceptable."

* All these debatable words tell me GuB-42's comment is taking the right approach.

[mehrdadn]

Yeah, I think you're probably right.

[nradov]

What about the unknown bugs that could lead to deaths? I guarantee that every modern aircraft has some. But we don't know how many.

[mehrdadn]

> What about the unknown bugs that could lead to deaths?

I wouldn't include that since it wouldn't be useful. In any case it clearly wasn't included in whatever definition the top commenter intended.

[slededit]

You would be incentivizing them to not look very hard as finding a bug would ground the fleet and be extremely expensive. The same way a lawyer will tell you never to see if your violating a patent lest you pay treble damages for "knowing".

[mikeash]

That sounds terrible. This would push toward non-redundant “perfect” designs which are more likely to kill you when they fail. I’d rather have two imperfect engines than one engine with zero known bugs.