However, most relevant regulation (IEC61508, ISO26262, DO-178X) requires that systems controlling machines in automotive, rail or aerospace have a possibility of dangerous faults lower than 10^-9 (over the expected lifespan).
Many critical control systems like this are formally verified and/or extremely well-tested and have redundancy in both software and hardware.
However, most relevant regulation (IEC61508, ISO26262, DO-178X) requires that systems controlling machines in automotive, rail or aerospace have a possibility of dangerous faults lower than 10^-9 (over the expected lifespan).
Many critical control systems like this are formally verified and/or extremely well-tested and have redundancy in both software and hardware.