•Well, yeah
•Even if you “prove” modules are
correct, composing the modules’ behaviors to determine the
system’s behavior is hard
•Leveson and others have shown clearly
that a
system can fail even when each of the pieces work properly
–Many systems have “emergent” properties