Sorry, that's a common misconception but it's not true.
A program can work most of the time (be reliable), be extensively tested,
and yet be unsafe:
Reliability does not imply safety.
For example, if there were only a one in a million chance per hour that
a program would do the wrong thing, but that wrong thing would kill
a million people, most would agree that the software is "unsafe".
It is notoriously difficult to quantify the probability of a piece of
software doing the wrong thing, since such quantification usually leaves
out important possibilities, so even when someone says "only one in a million"
the actual probabilities are usually much greater.
"Extensive testing" is always an illusion -
it's impossible to test most real programs for all possible circumstances,
so testing only handles a very small subset of the actual situations the program
Even a trivial program whose entire state is ten 16-bit integers has 2^160
different possible states; such a program couldn't be totally
tested in the lifetime of the universe.
David A. Wheeler (email@example.com)
The master copy of this file is at