A Proposal for Functional Software Identification Using Risk-Based Continuous Quality Control

Software environments have become increasingly sophisticated in recent years, giving rise to modern measuring instruments that use simple hardware sensors but defined with complex software. The conformity of such devices in the legally regulated sector is usually ensured by using version numbers or hashes over executable binaries, which is inefficient due to the sensitivity of hashes to even small changes in the code. However, the legal requirements could also be equally satisfied if the certified prototype and devices in field possess identical functional behavior, even when hashes differ. With such functional identification, the device manufacturers could gain the opportunity to introduce software patches or bugfixes without having to go through the complete mandatory certification process again. Based on the \(L^*\) algorithm, which learns the accepted language and hence the internal state model of the instrument software represented by deterministic finite automata, a risk-based method is proposed to realize automatic functional identification of software to a certain extent, thereby allowing continuous quality control of periodically updated measuring instruments without frequent manual certifications. Risk assessment is used to identify critical modifications introduced in monitored devices, which then triggers warnings for manual inspections when necessary. This article is an extended version of the work previously published in [7] and is envisioned to be a first step to realize fully automatic quality control for regulated measuring instruments.