How Do We Certify for the Unexpected?

Abstract

By their very nature, loss of control accidents are unanticipated and rare, and their precursors are rare also. Onboard systems to detect and mitigate these precursors must work—and work correctly—when required but must not introduce new malfunctions or unintended functions. How can we provide assurance that software invoked in such rare and unanticipated circumstances is fit for certification? We argue that software systems such as these are but an extreme example of general trends that undermine much of the standards-based approach to software assurance used in aircraft certification. These trends include component-based software, complex integration, continuous modification, and load- and run-time adaptation. We propose that safety cases based on explicit goals, evidence, and argument provide a firmer foundation for assurance, and a framework within which it is possible to address the rare and the unexpected. Specifically, we propose that just as methods to prevent loss of control move certain software adaptation processes to runtime, so should some of the assurance and verification processes move to runtime also. The paper outlines a technical approach to such “just-in-time certification.”