[extension]

Simulations suffer from the same flaw as any kind of automated testing: you can't verify the correctness of the test, except possibly with another test, which then presents the same problem. At some point, an intuitive leap must be made to call the overall process correct.

This is true of any kind of engineering, but generally the assumptions can be reduced to obvious ones with a reasonable amount of overhead. The complexity and transience of software development makes it the exception.

I have little first hand experience building ultra-critical software, but my impression is that it takes ridiculous amounts of beurocracy to bring the failure rate down to tolerable levels, making the cost astronomical and prohibiting development on the scale of commodity software.