Can Certification Be Made More Scientific?
John Rushby
SRI International
Stringent certification must consider every contingency and
malfunction that may arise among and between the system, its
components, and its environment. These considerations involve human
judgment (to pare the vast space of potentially relevant issues),
technical analysis (to provide evidence for correct and appropriate
behavior in all cases), and human judgment again (to evaluate the
evidence produced).
I will sketch some conventional processes for certification and
outline more recent approaches based on "safety cases". All aspects
of these processes are hugely expensive and I will suggest how the
costs might be reduced by expanding and automating the technical
analysis component (i.e., making the overall activity "more
scientific"). I will also describe issues in attempting to make
certification compositional.