Correctness

• Well, yeah

• Even if you “prove” modules are correct, composing the modules’ behaviors to determine the system’s behavior is hard

• And those of you taking Leveson’s safety class know already that a system can fail even when each of the pieces work properly

  • Many systems have “emergent” properties

Previous slide

Next slide

Back to first slide

View graphic version