Here’s a short piece from NASA on three approaches to designing high reliability systems:
- testing
- multiple independent implementations
- formal methods
It concludes that formal methods are the only way to achieve very high reliability because 1) rigorous testing takes too long, and 2) multiple implementations tend not to work, and can never be shown to work because the testing needed to compare them would take too long.
It says multiple implementations will give the illusion of extra reliability, but that data suggests otherwise. So for us testing is good :-).
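To see why point 1) holds, here is an added illustration that is not from the NASA piece (which is only summarised above): treat each hour of operation under test as an independent trial and ask how many failure-free trials are needed to demonstrate a per-hour failure probability of at most $p$ with confidence $C$. The figures $p = 10^{-9}$ and $C = 0.99$ below are assumed for the sake of the arithmetic.

```latex
\text{If the true per-hour failure probability is } p, \text{ the chance of seeing no failure in } n \text{ hours is } (1-p)^n.

\text{To claim } p \text{ with confidence } C \text{ after a failure-free test, require } (1-p)^n \le 1 - C, \text{ i.e.}

n \;\ge\; \frac{\ln(1-C)}{\ln(1-p)} \;\approx\; \frac{-\ln(1-C)}{p} \quad (p \ll 1).

\text{With the assumed } p = 10^{-9} \text{ and } C = 0.99:\quad n \;\ge\; \frac{4.605}{10^{-9}} \approx 4.6 \times 10^{9} \text{ hours} \approx 5.3 \times 10^{5} \text{ years}.
```

Running a thousand identical rigs in parallel still leaves several centuries of failure-free testing before the target is demonstrated, which is the sense in which testing alone "takes too long" for very high reliability.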