Systematic Analysis of Critical Systems Certification

Steele, Panayiotis, Computer Science - School of Engineering and Applied Science, University of Virginia
Knight, John, Department of Computer Science, University of Virginia

Any given regulatory agency, such as the US Food and Drug Administration, strives to protect the public interest through certification of systems in the agency's purview. Modern safety-critical systems have significant software components. Because software failures are systematic rather than random (a given input that triggers a defect will do so every time), certifiers cannot apply the traditional statistical risk assessment methods used for hardware wear-out failures. Thus, certifiers struggle to assess whether safety-critical systems are adequately safe. Current practice for certification revolves around two different types of standards: (a) prescriptive and (b) goal-based. Both types of standards exhibit significant faults; these faults can lead to the regulatory approval of systems that are not adequately safe.

To facilitate analysis and repair of certification faults, this work presents the filter model of certification. The filter model views any given certification mechanism as a safety-critical system in itself. This insight allows certifiers to apply systematic safety engineering to their certification mechanisms.

The filter model is evaluated for feasibility through a case study. First, common hazard analysis techniques are adapted and applied to a specimen certification mechanism, the Graydon-Knight-Green mechanism (GKG). The results of the hazard analysis are used to identify certification faults. Second, GKG is used in a hypothetical certification of a safety-critical system, the Diabetes Advanced Information System (DAIS). The results of the hypothetical certification are used to inform the adaptation and application of common fault mitigation techniques to GKG.

Degree: MS (Master of Science)
Keywords: safety-critical system, approval, standards, certification
Rights: All rights reserved (no additional license for public reuse)