Papers
Topics
Authors
Recent
Search
2000 character limit reached

Certus Method: Multidomain Approaches

Updated 6 July 2026
  • Certus method is a homonymous label for diverse research approaches, including fuzzy assurance-case confidence assessment, industry–academia collaboration, and graph-based entity linking.
  • Its assurance-case application uses a domain-specific language with fuzzy sets, explicit propagation operators, and defeater handling to improve interpretability and scalability.
  • The method also underpins a collaboration model with sequential phases and an entity linking system featuring graph profiles and provenance, ensuring structured, auditable outcomes.

Searching arXiv for papers on “Certus” to ground the article and confirm scope. arxiv_search(query="Certus", max_results=10, sort_by="submittedDate") Searching arXiv for “Certus method”. search_arxiv(query="Certus method", max_results=10) Certus denotes several distinct research methods and systems rather than a single standardized technique. In current arXiv usage, the name refers to a domain specific language for quantitative confidence assessment in assurance cases, together with a later scalability analysis of its decision complexity and effort (Diemert et al., 3 May 2025, Diemert et al., 13 Jun 2026); a seven-phase model for industry–academia research collaboration in software engineering (Marijan et al., 2022); and a graph-based entity linking and resolution system that models multiplicity and provenance (Liu et al., 2019). The shared label obscures major differences in semantics, workflow, representation, and evaluation, so precise identification by domain and paper is necessary.

1. Terminological scope

The main arXiv uses of the name are distinct in problem domain, technical substrate, and output artifact.

Usage of “Certus” Domain Defining features
Certus Assurance-case confidence assessment Fuzzy sets, linguistic confidence terms, DSL expressions, macros such as #MIN and #FUSE
Certus Model Industry–academia collaboration in software engineering Seven phases, Joint Team and Lead Team, governance, transfer, exploitation, adoption
Certus Entity linking and resolution Graph entity profiles, multiplicity, provenance, similarity-edges, HBase and Postgres implementations

A central interpretive point is that these are not variants of one method. The assurance-case Certus evaluates belief over an argument graph; the collaboration Certus Model structures participative research knowledge creation; the entity-linking Certus computes and stores links among heterogeneous entity profiles. This suggests that “Certus method” is best treated as a homonymous label rather than a single methodology.

2. Certus as a confidence-assessment DSL for assurance cases

In assurance cases, Certus is a mixed quantitative and qualitative method for confidence assessment that provides a domain-specific language for expressing and computing belief in claims and evidence across an argument graph (Diemert et al., 3 May 2025). Assurance cases are structured, explicit arguments supported by evidence that a system will satisfy a critical property in a defined context, typically represented as a directed acyclic graph in notations such as GSN, CAE, EA, and FAN. Certus was proposed in response to several reported barriers in quantitative confidence assessment methods: interpretation, subjectivity, scaling, dialectic reasoning, and trustworthiness.

The method represents confidence with fuzzy sets over β=[0,1]\beta = [0,1]. One presentation provides canonical terms such as zero, very_low, low, med, high, very_high, and certain, with zero and certain as crisp singletons {0}\{0\} and {1}\{1\}; the scalability analysis describes nine canonical levels, from reject (surely false) through uncertain (maximal uncertainty) to certain (surely true) (Diemert et al., 3 May 2025, Diemert et al., 13 Jun 2026). Users may work linguistically through named levels or numerically through degrees of membership in fuzzy sets. Certus permits convex, normalized membership functions, including triangular, trapezoidal, and Gaussian forms. The DSL is designed to keep outputs as fuzzy sets and linguistic labels rather than forcing crisp scalar outputs; if a crisp score is required, standard defuzzification such as the centroid can be applied externally:

x=xμ(x)dxμ(x)dx.x^* = \frac{\int x \mu(x)\,dx}{\int \mu(x)\,dx}.

Propagation is expressed declaratively. Each leaf node, typically evidence or a defeater, is assigned a belief level. Each internal node is annotated with a Certus expression specifying how child beliefs combine to produce a parent belief. The core constructs are confidence assignment, cases expressions, parameterized propagation operators, macros, comparison operators such as is, contains, overlaps, gt, and lt, and direct child-to-parent assignment. Greater-than and less-than relations between fuzzy sets are defined through Yager’s unit-interval ordering:

F(A)=01M(Aα)dα,F(A) = \int_0^1 M(A_\alpha)\, d\alpha,

with gt(A,B)gt(A,B) holding if F(A)>F(B)F(A) > F(B) and lt(A,B)lt(A,B) if F(A)<F(B)F(A) < F(B).

The language does not impose a single global t-norm or s-norm calculus. Instead, it provides a transparent cases mechanism from which users can emulate conservative min-like aggregation, max-like aggregation, weighted aggregation, or domain-specific fusion logic. In the scalability study, conjunctive support is modeled with #MIN, for example

C(parent)=mini=1nC(childi),C(\text{parent}) = \min_{i=1}^n C(\text{child}_i),

while fusing multiple sources is modeled with #FUSE, described there as approximately an average:

{0}\{0\}0

The DSL paper gives a more explicit account of FUSE: it assigns integer scores to canonical terms, averages them with defeaters contributing negatively, applies floor, and maps the result back with {0}\{0\}1.

A major methodological distinction is defeater handling. Defeaters are first-class citizens rather than an afterthought. Users can write explicit cases clauses that incorporate negative premises, or use operators such as boundedInvert, whose purpose is to encode the idea that neutralizing a single defeater should not by itself produce very high confidence. Before evaluation, macros are expanded to explicit cases, and pre-flight static analyses check totality and consistent defeater handling. Evaluation is then performed bottom-up on the assurance-case DAG.

The worked automotive adaptive cruise control example in the DSL paper illustrates how Certus encodes domain reasoning that is difficult to express with fixed algebraic propagators. Source code inspection is capped at high; a defeater concerning potential misinterpretation of a specification is handled through boundedInvert; and a top-level branch fusion yields an overall result described as consistent with a previously reported Bayesian network confidence of {0}\{0\}2 (Diemert et al., 3 May 2025). The emphasis throughout is interpretability and auditability: propagation rules are readable, inspectable, and stored alongside the assurance case.

3. Decision complexity and scalability of the assurance-case Certus method

The later scalability analysis formalizes the effort required to apply Certus and two alternative quantitative confidence assessment methods, the Bayesian Belief Network method and the Dempster-Shafer Theory method (Diemert et al., 13 Jun 2026). The argument is modeled as an {0}\{0\}3-ary tree of claims with height {0}\{0\}4, where each parent has {0}\{0\}5 children and each leaf claim has {0}\{0\}6 child evidence nodes. Let {0}\{0\}7 denote the number of decisions per parent node, {0}\{0\}8 the number of decisions per evidence node, and in average-case analyses let {0}\{0\}9 and {1}\{1\}0 denote reduced decision counts under defaults or tooling support.

The worst-case number of user decisions is modeled as

{1}\{1\}1

and the average-case number as

{1}\{1\}2

If {1}\{1\}3 is the average time per propagation decision and {1}\{1\}4 the average time per leaf valuation decision, the total effort in minutes is

{1}\{1\}5

For Certus, the worst case is modeled by detailed custom cases expressions over {1}\{1\}6 children and nine belief levels, giving {1}\{1\}7 decisions per internal node and {1}\{1\}8 decision per evidence node. The average case assumes that, in {1}\{1\}9 percent of steps, users write a simple handcrafted expression across children with x=xμ(x)dxμ(x)dx.x^* = \frac{\int x \mu(x)\,dx}{\int \mu(x)\,dx}.0, while otherwise they use macros or a user-defined operator with x=xμ(x)dxμ(x)dx.x^* = \frac{\int x \mu(x)\,dx}{\int \mu(x)\,dx}.1; for leaves, x=xμ(x)dxμ(x)dx.x^* = \frac{\int x \mu(x)\,dx}{\int \mu(x)\,dx}.2. The resulting Certus decision-complexity forms are

x=xμ(x)dxμ(x)dx.x^* = \frac{\int x \mu(x)\,dx}{\int \mu(x)\,dx}.3

and

x=xμ(x)dxμ(x)dx.x^* = \frac{\int x \mu(x)\,dx}{\int \mu(x)\,dx}.4

The paper parameterizes the model from published assurance case studies. Solving

x=xμ(x)dxμ(x)dx.x^* = \frac{\int x \mu(x)\,dx}{\int \mu(x)\,dx}.5

with x=xμ(x)dxμ(x)dx.x^* = \frac{\int x \mu(x)\,dx}{\int \mu(x)\,dx}.6 yields x=xμ(x)dxμ(x)dx.x^* = \frac{\int x \mu(x)\,dx}{\int \mu(x)\,dx}.7 and x=xμ(x)dxμ(x)dx.x^* = \frac{\int x \mu(x)\,dx}{\int \mu(x)\,dx}.8. It further sets x=xμ(x)dxμ(x)dx.x^* = \frac{\int x \mu(x)\,dx}{\int \mu(x)\,dx}.9, F(A)=01M(Aα)dα,F(A) = \int_0^1 M(A_\alpha)\, d\alpha,0 minutes, and F(A)=01M(Aα)dα,F(A) = \int_0^1 M(A_\alpha)\, d\alpha,1 minutes.

Under those assumptions, Certus exhibits the following comparative profile:

Method Worst-case decisions / effort Average-case decisions / effort
Certus 10,141 / 270 h 390 / 13 h
BBN 971 / 18 h 480 / 14 h
DST 1,716 / 34 h 735 / 26 h

The central result is that Certus has the highest worst-case decision complexity but lower average-case effort than BBN and DST. The worst case is driven by combinatorial growth in custom cases expressions, especially when fan-in F(A)=01M(Aα)dα,F(A) = \int_0^1 M(A_\alpha)\, d\alpha,2 is high and domain logic cannot be captured by macros. The average case is lower because common propagation idioms can be encapsulated in #MIN, #FUSE, or reusable operators, so most internal nodes require only one decision, and each leaf still requires only one belief assignment. In the paper’s small worked fragment with two evidence leaves and one parent using #MIN, total effort is F(A)=01M(Aα)dα,F(A) = \int_0^1 M(A_\alpha)\, d\alpha,3 minutes: two leaf assignments at F(A)=01M(Aα)dα,F(A) = \int_0^1 M(A_\alpha)\, d\alpha,4 minutes each plus one propagation configuration at F(A)=01M(Aα)dα,F(A) = \int_0^1 M(A_\alpha)\, d\alpha,5 minutes (Diemert et al., 13 Jun 2026).

4. The Certus Model for industry–academia collaboration in software engineering

A different use of the name appears in software engineering research management. The Certus Model is a practical, end-to-end method for structuring and running industry–academia collaboration in software engineering to achieve participative knowledge co-creation (Marijan et al., 2022). It was derived empirically from an eight-year collaboration, from 2011 to 2019, between Simula Research Laboratory and multiple Norwegian industrial and public-sector partners, primarily in software verification and validation for real-time embedded, highly configurable, and data-intensive systems. Its core principles are participative knowledge co-creation, active dialog and goal alignment, and continuous commitment to joint problem solving.

The collaboration structure is explicitly role-based. Each scientific project is carried by a Joint Team consisting of researchers, often including PhD students and sometimes a research engineer, together with industrial engineers or managers and usually an industry champion. During transfer, a Lead Team on the partner side assumes responsibility for technology integration, organizational introduction, exploitation measurement, and adoption. Governance is provided through a Center Board with biannual meetings, a Center Director, and dedicated projects for management, research exploitation, training, and dissemination. Researchers colocate at company sites during practice analysis, pilot testing, integration, and training, while state-of-the-art analysis and conceptual design are performed at the research institute.

The method spans seven phases. Problem Scoping identifies a practical industrial problem, aligns expected benefits and measurable outcomes, and forms the Joint Team. Knowledge Conception translates the industrial problem into a research problem through state-of-the-practice and state-of-the-art analysis and fit-to-context assessment. Knowledge and Technology Development elaborates conceptual knowledge into prototype tools, methods, or methodological documents, followed by K&T Maturing and Verification, where technical issues are resolved, scalability is improved, pilot experiments are run, and a Development Plan is created and updated. K&T Transfer includes integration and adaptation to the partner’s toolchain and processes, followed by introduction, training, and maintenance planning. K&T Exploitation quantifies economic and strategic benefits, using approximations such as

F(A)=01M(Aα)dα,F(A) = \int_0^1 M(A_\alpha)\, d\alpha,6

where F(A)=01M(Aα)dα,F(A) = \int_0^1 M(A_\alpha)\, d\alpha,7 is gain from investment and F(A)=01M(Aα)dα,F(A) = \int_0^1 M(A_\alpha)\, d\alpha,8 is cost of investment. Organizational Adoption then spreads the technology beyond the initial unit and sustains it over time. Market Research, when relevant, explores commercialization pathways such as spin-off, licensing, selling, or consultancy.

The model is explicitly artifact-driven. Across phases it produces industrial problem statements, context maps, research problem statements, state-of-the-art reviews, conceptual designs, prototype tools, methodological documents, Development Plans, pilot verification reports, interface specifications, training materials, maintenance plans, impact reports, adoption plans, market analyses, and commercialization plans. Decision gates separate phase transitions, while feedback loops allow later phases to refine earlier ones.

The empirical basis is substantial. The Certus Center engaged five large companies—Cisco, ABB Robotics, FMC Technologies, Kongsberg Maritime, and Esito—and two public sector organizations, Norwegian Customs and Toll and the Cancer Registry of Norway. Reported outputs include approximately 100 publications, five prototype tools deployed in industry contexts, one patent application, one open-source tool, and five PhD completions. The Cisco case is particularly detailed: the stated objective was a 20% reduction in regression testing time; approximately two person-years were required to reach a validated proof-of-concept before transfer; and the technology had to be changed from an Eclipse plugin to a service to ensure smooth integration and adoption. The paper also reports approximate annual funding of 21M NOK over eight years, with six senior researchers, six PhD students, and one research engineer committed.

The model is not presented as universally context-free. The paper explicitly notes external-validity limits: it was developed in a specific governance and funding environment and requires adaptation and testing in other contexts. It also emphasizes risks such as champion turnover, strategic discontinuities, and the difficulty of measuring exploitation impact precisely in evolving industrial toolchains.

5. Certus as an entity-linking and resolution system

In data management and knowledge fusion, Certus is a graph-based entity linking and resolution system that links entities across different databases and entities extracted from text (Liu et al., 2019). Its distinctive contribution is first-class support for multiplicity and provenance. A profile is represented as F(A)=01M(Aα)dα,F(A) = \int_0^1 M(A_\alpha)\, d\alpha,9, where gt(A,B)gt(A,B)0 is a list of attribute-objects and gt(A,B)gt(A,B)1 a list of relationship-objects. Each attribute-object or relationship-object is a set of ordered key–value pairs, with provenance positioned after the attribute or relation key–value pairs. Using lists rather than dictionaries allows multiple values for the same attribute or relation, and provenance attaches directly to each value. The paper’s examples use provenance fields such as from, to, and until; the introduction also mentions sources and security requirements.

At the graph level, the knowledge base is modeled as a labeled graph gt(A,B)gt(A,B)2. Profiles are nodes, relationships induce relation-edges, and pairwise linking evidence is stored as similarity-edges of the form gt(A,B)gt(A,B)3, where cfm is a binary indicator showing whether a predicted link has been confirmed by a user. Similarity-edges are maintained separately for performance reasons.

The linking pipeline has several stages. Profiles are ingested from databases, text, or a user interface and normalized into the profile graph model. The system then performs candidate generation through Elasticsearch-based blocking. A keyword-search and blocking index provides a loose bag-of-words view that ignores provenance and structure, replaces relation targets with summaries of their target profiles, and removes duplicates to maximize recall. A structured search index uses nested mappings to preserve value–provenance associations and is preferred when more precise candidate sets are required. For text-derived entities, the Text Parser and rule-based filtering component replaces coreferences, removes conditionals and indirect speech, and filters feelings and emotions; this improves triple-extraction gt(A,B)gt(A,B)4 by approximately 18% on the test datasets.

Pairwise similarity is computed through a score gt(A,B)gt(A,B)5 defined as a sum over attributes and relations gt(A,B)gt(A,B)6, combining a function indicating the level of approximate match between values for gt(A,B)gt(A,B)7 with a function returning the information level contributed by the match for gt(A,B)gt(A,B)8. Provenance is considered after values match within a user-specified threshold. For names, informativeness is based on rarity:

gt(A,B)gt(A,B)9

where F(A)>F(B)F(A) > F(B)0 is the number of profiles sharing F(A)>F(B)F(A) > F(B)1 and the paper reports that F(A)>F(B)F(A) > F(B)2 and F(A)>F(B)F(A) > F(B)3 worked well empirically. A rejection score, rejsc, imposes penalties when pairs are dissimilar on domain-specific key attributes or relations; the paper gives the example of adding a penalty of 1 for mismatch on birth date for persons or zip code for locations in law-enforcement contexts. Final match prediction is delegated to a data-dependency aided discovery algorithm described elsewhere, and high-precision settings can require human confirmation by checking cfm = true.

The physical model separates node and relation storage from similarity storage. The node/relation table stores one row per attribute or relation value, including provenance fields. The similarity-edge table stores id1, id2, simsc, rejsc, and cfm. Elasticsearch nested mappings are crucial because flat indexing can lose the semantics of multiplicity and provenance. The paper also evaluates several implementation options for the similarity structure in Postgres and HBase. Postgres uses a similarity table with two indexes to support search by either profile identifier. HBase uses column families keyed by id-pair, with one option duplicating both directions of a pair to simplify search.

The empirical evaluation focuses on update operations in the similarity structure. Tested scales range from 23K to 23M profile pairs, 23M to 468M profile pairs, and stress tests at 6, 30, and 54 billion profile pairs. The reported result is consistent across scales: HBase options outperform Postgres substantially for update transactions; HBase-1 is generally faster than HBase-2; and no significant difference was observed between single-node and two-node HBase clusters in the tested scenarios (Liu et al., 2019).

6. Comparative interpretation of the three Certus usages

The three arXiv usages share a preference for explicit structure, inspectable intermediate artifacts, and end-to-end workflows, but their methodological commitments are otherwise orthogonal (Diemert et al., 3 May 2025, Diemert et al., 13 Jun 2026, Marijan et al., 2022, Liu et al., 2019). In the assurance-case literature, Certus is a possibilistic and fuzzy, DSL-driven method whose central object is the argument graph and whose output is a fuzzy linguistic assessment of the top-level claim. In the collaboration literature, the Certus Model is a process model for participative knowledge creation, whose central object is the joint research-and-transfer lifecycle and whose outputs are technologies, plans, impact reports, and adoption pathways. In the entity-linking literature, Certus is a graph data-management system, whose central objects are heterogeneous entity profiles and similarity-edges, and whose outputs are candidate links, confirmation metadata, and update-efficient storage structures.

The main scalability bottlenecks are correspondingly different. For assurance-case Certus, worst-case growth is driven by custom cases expressions over multiple children and multiple belief levels. For the Certus Model, the limiting factors are organizational: absorptive capacity, champion continuity, governance, integration work, and maintenance planning. For entity-linking Certus, the bottleneck is the classical pairwise-comparison and update problem, mitigated by blocking, indexing, and alternative physical layouts. This suggests that the repeated use of the name does not signal a common formal lineage so much as a recurring preference for auditable, operationally explicit methods.

For bibliographic and technical use, exact citation is therefore essential. References to Certus in assurance cases should identify the DSL and, where relevant, the later scalability analysis; references to Certus in software-engineering collaboration should identify the seven-phase Certus Model; and references to Certus in databases or knowledge fusion should identify the entity-linking and resolution system with multiplicity and provenance.

Topic to Video (Beta)

No one has generated a video about this topic yet.

Whiteboard

No one has generated a whiteboard explanation for this topic yet.

Follow Topic

Get notified by email when new papers are published related to Certus method.