The exception that occurred was due not to random failure but to a design error. The exception was detected but was handled inappropriately because the view had been taken that software should be considered correct until it is shown to be at fault. The … opposite view [is] that software should be assumed to be faulty until application of the currently accepted best practice methods can demonstrate that it is correct. This means that critical software must be identified at a very detailed level, that exceptional behavior must be confined, and that a reasonable back-up policy must take software failures into account. -Society for Industrial and Applied Mathematics, 1996-