Highly reliable components are not necessarily safe.
Nancy Leveson

Reliability engineers often assume that reliability and safety are synonymous, but this assumption is true only in special cases.
Nancy Leveson

Software-related accidents are usually caused by flawed requirements.
Nancy Leveson

Safety is an emergent property of systems, not a component property.
Nancy Leveson

What software must not do is not the inverse of what it must do.
Nancy Leveson

Requirement completeness: Requirements are sufficient to distinguish the desired behavior of the software from that of any other undesired program that might be designed.
Nancy Leveson
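The last two quotations make a point that is easy to nod along to and hard to feel until you see it in code. The following is an added illustration, not Leveson's own material: a constructed heater interlock with assumed limits (a 100 degree hard cutoff, a plausible sensor range of -50 to 500). Two controllers are written; a test suite derived only from the "must do" requirements accepts both, and only a "must not" requirement covering invalid sensor readings tells them apart. In Leveson's terms, the positive requirements alone are incomplete: they cannot distinguish the desired program from an undesired one.

```python
"""Constructed example: positive requirements do not imply the negative ones.

Assumed (not from any real system): heater limit, plausible sensor range,
and the nominal test cases below.
"""
import math

HEATER_ON = "on"
HEATER_OFF = "off"
MAX_TEMP = 100.0                   # assumed hard cutoff
MIN_PLAUSIBLE, MAX_PLAUSIBLE = -50.0, 500.0   # assumed sensor range


def naive_controller(temp, setpoint):
    """Encodes the 'must do' requirements literally:
    heat while below the setpoint, never heat above MAX_TEMP."""
    if temp >= setpoint or temp > MAX_TEMP:
        return HEATER_OFF
    return HEATER_ON


def fail_safe_controller(temp, setpoint):
    """Same 'must do' behaviour, plus the 'must not': never heat on a
    reading that cannot be trusted (NaN, infinite, or physically absurd)."""
    if not isinstance(temp, (int, float)) or isinstance(temp, bool):
        return HEATER_OFF
    if math.isnan(temp) or math.isinf(temp):
        return HEATER_OFF
    if not (MIN_PLAUSIBLE <= temp <= MAX_PLAUSIBLE):
        return HEATER_OFF
    return naive_controller(temp, setpoint)


# Constructed 'must do' cases: (reading, setpoint, expected command).
MUST_DO_CASES = [
    (20.0, 80.0, HEATER_ON),     # cold, below setpoint: heat
    (79.9, 80.0, HEATER_ON),     # just below setpoint: heat
    (80.0, 80.0, HEATER_OFF),    # at setpoint: stop
    (100.1, 80.0, HEATER_OFF),   # above hard cutoff: stop
    (150.0, 200.0, HEATER_OFF),  # below setpoint but above cutoff: stop
]

# Constructed 'must not' cases: readings a failed sensor can produce.
# A NaN compares False with everything, so a literal encoding of
# "off when temp >= setpoint or temp > MAX" keeps heating; -300 is a
# typical open-circuit thermocouple value and also keeps heating.
HAZARD_READINGS = [float("nan"), float("inf"), -300.0, 900.0]


def satisfies_must_do(controller):
    """True if the controller passes every positive requirement."""
    return all(controller(t, sp) == expected for t, sp, expected in MUST_DO_CASES)


def satisfies_must_not(controller, setpoint=80.0):
    """True if the controller never heats on an untrustworthy reading."""
    return all(controller(t, setpoint) == HEATER_OFF for t in HAZARD_READINGS)


def requirement_set_distinguishes(check, controllers):
    """Leveson's completeness test: does this requirement set separate
    the controllers, or does it accept all of them alike?"""
    verdicts = {check(c) for c in controllers}
    return len(verdicts) > 1


if __name__ == "__main__":
    both = (naive_controller, fail_safe_controller)
    for c in both:
        print(f"{c.__name__}: must_do={satisfies_must_do(c)} "
              f"must_not={satisfies_must_not(c)}")
    print("must-do set distinguishes them:",
          requirement_set_distinguishes(satisfies_must_do, both))
    print("must-not set distinguishes them:",
          requirement_set_distinguishes(satisfies_must_not, both))
```

Running it shows both controllers passing every "must do" case while only the fail-safe one passes the "must not" cases. The naive controller is not buggy with respect to what it was asked to do; the requirement set simply never said what the software must not do when its input stops being a temperature.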