Reliability engineers often assume that reliability and safety are synonymous, but this assumption is true only in special cases.

- Nancy Leveson

Safety is an emergent property of systems, not a component property.

- Nancy Leveson

Requirement completeness: Requirements are sufficient to distinguish the desired behavior of the software from that of any other undesired program th…

- Nancy Leveson

What [software] must not do is not the inverse of what it must do. .

- Nancy Leveson

Software−related accidents are usually caused by flawed requirements.

- Nancy Leveson

Highly reliable components are not necessarily safe. .

- Nancy Leveson