Stefan Tilkov's Random Stuff

Crash-Only Software

Via Holger Arendt, a fascinating paper (Candea and Fox, "Crash-Only Software", HotOS 2003):

It is impractical to build a system that is guaranteed to never crash, even in the case of carrier class phone switches or high end mainframe systems. Since crashes are unavoidable, software must be at least as well prepared for a crash as it is for a clean shutdown. But then — in the spirit of Occam’s Razor — if software is crash-safe, why support additional, non-crash mechanisms for shutting down?
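The paper's argument, put into code as an added example (this is not code from the paper or from this blog; both stores and all file names are hypothetical): a store that keeps a write buffer needs a clean shutdown to flush it, so a process killed without calling close() loses data. A store that commits every update with write-temp, fsync, rename is crash-safe by construction, has no shutdown path at all, and treats every startup as recovery. Once the crash path is safe, the separate "clean shutdown" path has nothing left to do.

```python
import json
import os
import tempfile


class BufferedStore:
    """Hypothetical store that needs a clean shutdown: updates sit in memory
    until close() flushes them to disk."""

    def __init__(self, path):
        self.path = path
        self.pending = {}
        try:
            with open(path) as f:
                self.data = json.load(f)
        except FileNotFoundError:
            self.data = {}

    def put(self, key, value):
        self.pending[key] = value  # not durable until close()

    def close(self):
        self.data.update(self.pending)
        with open(self.path, "w") as f:
            json.dump(self.data, f)
        self.pending = {}


class CrashOnlyStore:
    """Hypothetical crash-only store: deliberately has no close()/shutdown().
    Killing the process at any instant is the normal way to stop it."""

    def __init__(self, path):
        self.path = path
        self.dir = os.path.dirname(path) or "."
        self.data = self._recover()

    def _recover(self):
        # Startup is recovery. Leftover temp files are commits that were
        # interrupted before their rename; they are garbage, never state.
        prefix = os.path.basename(self.path) + ".tmp"
        for name in os.listdir(self.dir):
            if name.startswith(prefix):
                os.remove(os.path.join(self.dir, name))
        try:
            with open(self.path) as f:
                return json.load(f)
        except FileNotFoundError:
            return {}

    def put(self, key, value):
        self.data[key] = value
        self._commit()

    def _commit(self):
        # Write the whole snapshot to a temp file, fsync it, then rename it over
        # the live file. A crash at any point leaves either the old complete
        # file or the new complete file on disk, never a torn one.
        fd, tmp = tempfile.mkstemp(prefix=os.path.basename(self.path) + ".tmp", dir=self.dir)
        with os.fdopen(fd, "w") as f:
            json.dump(self.data, f)
            f.flush()
            os.fsync(f.fileno())
        os.replace(tmp, self.path)
        if os.name == "posix":
            dfd = os.open(self.dir, os.O_RDONLY)  # make the rename itself durable
            try:
                os.fsync(dfd)
            finally:
                os.close(dfd)


def simulate(workdir):
    """Run both stores through the same 'process killed' scenario.
    Returns (buffered_after_kill, crash_only_after_kill,
             crash_only_after_torn_commit, leftover_temp_files)."""
    bpath = os.path.join(workdir, "buffered.json")
    cpath = os.path.join(workdir, "crashonly.json")

    b = BufferedStore(bpath)
    b.put("balance", 100)
    del b  # killed before close(): the buffered update is lost
    buffered_after_kill = BufferedStore(bpath).data

    c = CrashOnlyStore(cpath)
    c.put("balance", 100)
    del c  # killed: nothing to flush, the update was durable at put() time
    crash_only_after_kill = CrashOnlyStore(cpath).data

    # Constructed torn commit: a crash after the temp file was partly written
    # but before the rename. Recovery must discard it and keep the last snapshot.
    with open(cpath + ".tmp-torn", "w") as f:
        f.write('{"balance": 9')
    crash_only_after_torn = CrashOnlyStore(cpath).data
    leftovers = sorted(n for n in os.listdir(workdir) if ".tmp" in n)
    return buffered_after_kill, crash_only_after_kill, crash_only_after_torn, leftovers


def run_demo():
    with tempfile.TemporaryDirectory() as d:
        return simulate(d)


if __name__ == "__main__":
    print(run_demo())
```

The check worth keeping in mind when applying this beyond a toy: atomicity of the rename is what makes recovery trivial, and it only holds when the temp file lives on the same filesystem as the live file and has been fsynced before the rename.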
