by XMPPwocky 2662 days ago
The software itself isn't necessarily the issue, though - it's also all the sensors and actuators involved.

Suppose, for instance, that an aircraft needs more yaw stability.

There's all sorts of design choices that could be made, but consider either A: a larger vertical stabilizer or B: automatic application of the rudder to damp oscillations.

The vertical stabilizer here is essentially a bit of metal. We know very, very well what can go wrong with bits of metal. Fatigue, corrosion, manufacturing defects, bad repairs... But, in 2019, we've pretty much figured out the failure modes of big bits of metal on an aircraft, and we generally know how to prevent and/or minimize them.

Now, the dynamic stabilization approach. We'll need gyroscope data (from the IRS, probably), a software model of flight dynamics (which almost certainly already exists and is running), and possibly faster servo valves for the rudder actuator.

This can work! We can formally verify that the control system we've created damps oscillations throughout all normal flight regimes. The gyroscopes are already redundant and well-tested. And you might not even need the faster servos.

Problem is, now avionics failures are even scarier. Will the stabilization here still operate when you get dropped into secondary mode? Probably not - so now, in unexpected situations, pilots need to keep in the back of their minds that yaw oscillations are more possible, that they may need to damp them manually, etc, etc.

Now you throw in some extra factors- turbulence, IMC (which would probably make detecting those oscillations manually that much more stressful), and trying to solve whatever problem dropped you into secondary mode in the first place... and you have something a bit concerning!

A bit of metal won't do that to you. We can make much better estimates of a bit of metal's reliability, and its failures are also less correlated- they aren't much more likely to crop up when you already have another problem.

1 comment

Well, military jets have been doing exactly that - maintaining stability through software on inherently unstable planes that would break up even in straight and level flight in a split second if the computer crashes - for 40 years now. And Boeing builds both kinds of planes, so they have the experience.