Certifying the people only really allows for punishing the people responsible for not anticipating problems in their systems. To make the certification worth anything you'll need a set of guidelines against which these kinds of systems should be engineered. Formally verifying the system as a whole against those guidelines seems like a far more effective approach, as it (theoretically) results in the system itself being verified as safe.