Dependability through redundancy?
- Good in its place
- But need independent failures
  - Can’t usually get it for software
    - Example: Ariane 5
  - Even harder for specs
    - The unavoidable price of reliability is simplicity—Hoare
- And a way to combine the results
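
An added illustration, not part of the original slide: a majority voter over three replicas, showing that the vote masks one independent fault but not a design fault shared by every replica. It is modelled loosely on the Ariane 5 case cited above, where both inertial reference units ran the same software and failed on the same out-of-range conversion. All function names and the fault model are assumptions made for this sketch.

```python
from collections import Counter

INT16_MIN, INT16_MAX = -32768, 32767


class ReplicaFault(Exception):
    """A replica shut itself down instead of returning a value."""


def convert_unchecked(x: float) -> int:
    # Hypothetical replica software: faults when the value does not fit in
    # a signed 16-bit integer (the shared design fault in this sketch).
    n = int(x)
    if not INT16_MIN <= n <= INT16_MAX:
        raise ReplicaFault(f"operand error converting {x}")
    return n


def broken_hardware(x: float) -> int:
    # Hypothetical replica with a random hardware fault, independent of input.
    raise ReplicaFault("hardware fault")


def vote(replicas, x):
    """Combine replica outputs by strict majority; None means system failure."""
    outputs = []
    for replica in replicas:
        try:
            outputs.append(replica(x))
        except ReplicaFault:
            pass  # a faulted replica contributes no vote
    if not outputs:
        return None
    value, count = Counter(outputs).most_common(1)[0]
    return value if count > len(replicas) // 2 else None


def demo():
    # Constructed inputs: 1200.0 is in range, 40000.0 overflows 16 bits.
    independent = vote([convert_unchecked, convert_unchecked, broken_hardware], 1200.0)
    common_mode = vote([convert_unchecked] * 3, 40000.0)
    return independent, common_mode


if __name__ == "__main__":
    print(demo())
```

The first case survives because only one replica fails; in the second, identical software fails identically on the same input, so the voter has nothing to combine.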