bearophile wrote:
Each of those parts must be pretty reliable if you want to design a globally
reliable system. Space Shuttle control systems are redundant, as you say, and
probably each single point of failure has a backup, but each software system
is pretty reliable by itself; probably they have proved some of the parts of
each of the independently written redundant software systems. If your
subsystems are crap, your overall system is crap, unless you have tons of
them and they can all be used in "parallel" (with no single coordinator that
can be a failure point).

The space shuttle computer systems that are on the critical path have redundant backups that are written with different algorithms by different groups, and they try very hard to not have any coupling between them.

Even so, there remain at least two obvious single points of failure.

Also, of course, they still try to make each component as reliable as they can.
