Over-Engineering Software

Safe software needs to be not only correct (meet its specification) but also robust (function sensibly in abnormal situations). Formal methods are attacking the first problem, but what of the second? Today's software is notoriously fragile: stress it even slightly outside its design envelope, and, rather than degrading (gracefully or otherwise), it shatters.

'Real' engineers get round this problem by over-engineering, building in a safety factor, traditionally of about 3. Software 'engineers' need something analogous: a technique for making software robust in the face of unanticipated, unsafe usage.

The sort of questions we need to ask (and possibly even to answer!) include: