Safety is an emergent property of systems, not a component property.
Nancy Leveson
2.
Software-related accidents are usually caused by flawed requirements.
Nancy Leveson
3.
Reliability engineers often assume that reliability and safety are synonymous, but this assumption is true only in special cases.
Nancy Leveson
4.
What [software] must not do is not the inverse of what it must do.
Nancy Leveson
5.
Requirement completeness: Requirements are sufficient to distinguish the desired behavior of the software from that of any other undesired program that might be designed.