by nmrm2 3914 days ago
> This means we're stuck with a compiler nobody ever heard of that contains known (and unknown) bugs that can't be fixed because that would mean losing the certification.

This is why regulators should embrace formal methods as an alternative to process-heavy regulation. They're actually measuring ground truth, and today are not that much more expensive after accounting for all the costs associated with certification processes.


> ... or highly intensive 8-years-of-in-service-operation-equivalent testing at the system level ...
System-level testing doesn't always suffice; see the Toyota UA case.

Or, more topically, see the VW case for examples of why testing "in-service-operation-equivalent" requires a certain level of trust that's not ideal in a regulatory relationship.