Date: Tue, 2 Jun 2026 09:43:54 +0200
An autopilot could disengage (that may count as going into a failure mode and requesting human intervention).
Very critical software can be programmed with two different methods (different teams, different programming languages, even different hardware) to avoid common failure modes.
-----Original Message-----
From: Tiago Freire via Std-Proposals <std-proposals_at_[hidden]>
Sent: Tue 02.06.2026 09:03
Subject: Re: [std-proposals] What a non-reallocating version of the standard would look like.
To: std-proposals_at_[hidden];
CC: Tiago Freire <tmiguelf_at_[hidden]>;
Likely what happens in those devices when a critical error occurs is that it keeps running regardless, because stopping is worse. It may go into a failure mode; it may try to reset things and recover from the error while trying to keep whatever device it is controlling in a safe state as best it can; maybe it has to trigger an alarm and request human intervention right now. But it can never stop.
Received on 2026-06-02 07:47:01
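As an added illustration (not code from this thread or from any proposal; the control law, the tolerance and the fault threshold are invented for the example), here is what the two points in the exchange above look like in C++: two independently written versions of the same computation are compared on every step, and a non-allocating fixed-capacity container reports a full state through its return value instead of growing or throwing. On disagreement the controller holds the last command known to be good and raises an alarm; after repeated disagreement it disengages and waits for an acknowledgement, but it never throws and never terminates.

```cpp
// Added illustration, not code from the thread; control law and thresholds are made up.
#include <algorithm>
#include <array>
#include <cmath>
#include <cstddef>
#include <cstdio>
#include <cstdlib>

// Fixed-capacity container: never allocates, never throws. When full,
// push_back reports failure and the caller decides how to degrade.
template <class T, std::size_t N>
class FixedVector {
public:
    bool push_back(const T& v) {
        if (n_ == N) return false;
        data_[n_++] = v;
        return true;
    }
    std::size_t size() const { return n_; }
private:
    std::array<T, N> data_{};
    std::size_t n_ = 0;
};

enum class Mode { Normal, Degraded, Disengaged };
struct Output {
    Mode mode;
    int command;  // actuator command in [-100, 100]; 0 is neutral
    bool alarm;   // true = human intervention requested
};

// Two diverse implementations of the same (made-up) control law: integer vs. floating point.
int throttle_v1(int err) { return std::clamp(err * 3 / 2, -100, 100); }
int throttle_v2(int err) {
    float c = std::clamp(1.5f * static_cast<float>(err), -100.0f, 100.0f);
    return static_cast<int>(std::lround(c));
}
// Simulated fault for the demonstration: a channel stuck at full throttle.
int throttle_stuck(int) { return 100; }

class Autopilot {
public:
    using Law = int (*)(int);
    explicit Autopilot(Law a = &throttle_v1, Law b = &throttle_v2) : a_(a), b_(b) {}

    // One control step. Never throws, never terminates: channel disagreement
    // degrades, repeated disagreement disengages.
    Output step(int target, int measured) {
        if (mode_ == Mode::Disengaged) return {mode_, kNeutral, true};
        const int err = target - measured;
        const int ca = a_(err), cb = b_(err);
        if (std::abs(ca - cb) <= kTolerance) {
            if (mode_ == Mode::Degraded) record("recovered");
            mode_ = Mode::Normal;
            consecutive_faults_ = 0;
            last_safe_ = ca;
            return {mode_, ca, false};
        }
        // Disagreement: hold the last good command, alarm, escalate only after repeats.
        record("fault");
        if (++consecutive_faults_ >= kMaxFaults) {
            mode_ = Mode::Disengaged;
            record("disengaged");
            return {mode_, kNeutral, true};
        }
        mode_ = Mode::Degraded;
        return {mode_, last_safe_, true};
    }
    // Human intervention: re-arm after a disengagement.
    void acknowledge() { mode_ = Mode::Normal; consecutive_faults_ = 0; }
    Mode mode() const { return mode_; }
    std::size_t logged_events() const { return log_.size(); }
    int dropped_events() const { return dropped_; }

private:
    static constexpr int kTolerance = 2;
    static constexpr int kMaxFaults = 3;
    static constexpr int kNeutral = 0;
    // The event log is fixed-size too: a full log drops and counts the event,
    // the control loop itself keeps running.
    void record(const char* what) { if (!log_.push_back(what)) ++dropped_; }

    Law a_, b_;
    Mode mode_ = Mode::Normal;
    int last_safe_ = kNeutral;
    int consecutive_faults_ = 0;
    FixedVector<const char*, 4> log_;
    int dropped_ = 0;
};

int main() {
    Autopilot ap(&throttle_v1, &throttle_stuck);
    for (int i = 1; i <= 4; ++i) {
        Output o = ap.step(100, 90);
        std::printf("step %d: mode=%d command=%d alarm=%d\n", i, static_cast<int>(o.mode), o.command, static_cast<int>(o.alarm));
    }
    ap.acknowledge();
    std::printf("acknowledged: mode=%d events=%zu dropped=%d\n", static_cast<int>(ap.mode()), ap.logged_events(), ap.dropped_events());
    return 0;
}
```

The two channels are only compared within a tolerance because the integer and floating-point versions legitimately round differently; a healthy system (v1 with v2) stays in Normal, while the stuck channel takes the controller through Degraded (holding the last good command) to Disengaged (neutral command, alarm held until acknowledge()). Nothing in the loop can fail in a way that ends the process: the log fills up and drops entries rather than allocating.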
