Nancy Leveson quotes:

Requirement completeness: Requirements are sufficient to distinguish the desired behavior of the software from that of any other undesired program that might be designed. .

Reliability engineers often assume that reliability and safety are synonymous, but this assumption is true only in special cases.

Highly reliable components are not necessarily safe. .

Softwareâ??related accidents are usually caused by flawed requirements.

Safety is an emergent property of systems, not a component property.

What [software] must not do is not the inverse of what it must do. .