Measuring Assurance Case Confidence Using Baconian Probabilities

Charles B. Weinstock
John B. Goodenough
Ari Z. Klein
May 19, 2013
© 2013 Carnegie Mellon University
Copyright 2013 Carnegie Mellon University and IEEE
This material is based upon work funded and supported by the Department of Defense under Contract No. FA8721-05-C-0003 with Carnegie Mellon University for the operation of the Software Engineering Institute, a federally funded research and development center.
NO WARRANTY. THIS CARNEGIE MELLON UNIVERSITY AND SOFTWARE ENGINEERING INSTITUTE MATERIAL IS FURNISHED ON AN “AS-IS” BASIS. CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY KIND, EITHER EXPRESSED OR IMPLIED, AS TO ANY MATTER INCLUDING, BUT NOT LIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR MERCHANTABILITY, EXCLUSIVITY, OR RESULTS OBTAINED FROM USE OF THE MATERIAL. CARNEGIE MELLON UNIVERSITY DOES NOT MAKE ANY WARRANTY OF ANY KIND WITH RESPECT TO FREEDOM FROM PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT.
This material has been approved for public release and unlimited distribution.
This material may be reproduced in its entirety, without modification, and freely distributed in written or electronic form without requesting formal permission. Permission is required for any other use. Requests for permission should be directed to the Software Engineering Institute at permission@sei.cmu.edu.
DM-0000387
Measuring Assurance Case Confidence
Weinstock/Goodenough/Klein, May 2013
© 2013 Carnegie Mellon University
The Problem
[Figure: an assurance case fragment. Top-level claim C1 “The system is safe” is supported by sub-claims C2 “Hazard A has been eliminated” and C3 “Hazard B has been eliminated”, which are in turn supported by evidence items Ev1, Ev2, and Ev3.]
How confident in C1? Why?
What does it mean to have confidence?
What could be done to improve confidence? Why?
How is Confidence in a Hypothesis Increased?
A classic philosophical problem:
• Determining the basis for belief in a hypothesis when it is impossible to examine every possible circumstance covered by the hypothesis
Use Induction
• Enumerative: number of confirming instances (Pascalian)
• Eliminative: variety of reasons for doubt (Baconian)
• Measuring support for a hypothesis/claim
  – Enumerative: support increases with the number of confirmations
  – Eliminative: support increases with the number of excluded alternative explanations, i.e., by eliminating reasons for doubting the claim
• Defeaters: reasons for doubting a claim
A Baconian Theory of AC Confidence
Confidence is the degree of belief.
We grade “degree of belief” in terms of the number of eliminated defeaters (reasons for doubt):
• i out of n reasons for doubt (i/n)
• 0/n – no confidence
• n/n – no remaining reasons for doubt
• 8/10 – residual doubt
Fundamental principle: Build confidence by eliminating reasons to doubt the validity of:
• Claims (look for counter-examples and why they can’t occur)
• Evidence (look for reasons the evidence might be invalid and show those conditions do not hold)
• Inference rules (look for conditions under which the rule is not valid and why those conditions do not hold)
As reasons for doubt are eliminated, confidence grows (eliminative induction).
Citigroup Tower – New York
[Figure: assurance case for the Citigroup Tower. Claim C1.1 “Citigroup Tower is safe”; inference rule IR2.2 “If the design of the system is shown to be safe, then the system is safe”; evidence Ev3.1 “Wind tunnel tests showing safe design”. Reasons for doubt attached to the argument: R2.1 “Unless there is a design error”; UC3.2 “Unless salient attributes of the design were overlooked”; UM4.1 “But the model of the building tested does not match the actual building”; UM4.2 “But not all real-world wind conditions were simulated”.]
• The design passed all reviews
• The wind tunnel (and other) tests were successful
• All parties involved were convinced the building was safe
• But…
• The design accounted for straight-on wind, not quartering wind
• Still had adequate safety margins
• But construction replaced welded joints with bolted joints
• The margin of safety was lost
Concerns with the Baconian Approach
• What if a relevant defeater has not been identified?
• What if a defeater cannot be completely eliminated?
• Surely not all defeaters are of equal importance. How is this handled?
• Baconian probability seems rather weak in contrast to Bayesian or Pascalian probability. What is being gained or lost?
• The potential number of defeaters seems incredibly large for a real system. Is this approach practical?
Unidentified Defeaters
Issue: Does the failure to identify a relevant defeater lead to an inflated sense of confidence?
• The inability to identify some defeaters is itself a reason for doubt that needs to be recognized in a case.
• An assessment process for reviewing a case will need to take the possibility of missing defeaters into account.
• A similar problem exists with the use of assurance cases. How can you be sure that your hazard analysis has covered all potential hazards?
• We always admit the possibility that additional defeaters will be identified in the future (this is what defeasible reasoning is all about).
  – When we say that we have “complete” confidence in a claim (i.e., that the claim has Baconian probability n|n) we understand that this only reflects what we knew at a particular point in time.
The concepts of eliminative induction and defeasible reasoning help in developing sound and complete arguments.
Partially Eliminated Defeaters
Issue: How are defeaters that cannot be completely eliminated dealt with?
• An argument should state a claim that, if true, serves to completely eliminate an associated defeater.
• There may be residual doubts about the truth of such a claim, in which case the same doubts apply to the defeater’s elimination.
  – As an argument is refined, one eventually develops defeaters that are “obviously” eliminated by associated evidence.
• If it is impossible to eliminate some lowest level defeaters, then the associated doubt leads to incomplete elimination of a higher level defeater (and the claim that it defeats).
A goal in developing a convincing argument is to formulate low level defeaters that can be eliminated by appropriate evidence.
Defeaters of Different (Relative) Importance
Issue: It seems reasonable that eliminating some defeaters would lead to higher levels of confidence than eliminating others (of lesser importance).
• Independent of relative defeater importance, 1|2 (some doubts eliminated) always represents more confidence than 0|2 (no doubts eliminated), and 2|2 (all doubts eliminated) always represents complete confidence.
• Even though the hazards that are represented in a safety case have different likelihoods and impacts relative to one another, they all must be demonstrably mitigated in order to establish sufficient confidence that the system is safe.
  – Assessing the relative importance of hazards is not practically profitable.
• A system developer would not use the elimination of low impact defeaters to justify an increase in confidence any more than he would represent minimally unlikely and impactful safety hazards in a safety case.
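As an added illustration (not code from the slides or the authors), the following Python model puts the i|n grading from the “A Baconian Theory of AC Confidence” slide together with the propagation of residual doubt described under “Partially Eliminated Defeaters” and the ordering 0|2 < 1|2 < 2|2 above. The tree structure of the Citigroup example and the rule that an uneliminated sub-defeater blocks elimination of its parent are my assumptions.

```python
from dataclasses import dataclass, field

# Added example (not the authors' code). Assumed reading of the slides: a defeater
# counts as eliminated only when evidence addresses it AND every sub-defeater raised
# against that evidence is itself eliminated, so an uneliminated low-level doubt
# propagates up to the claim. Prefixes as in the Citigroup figure: R, UC, UM.

@dataclass
class Defeater:
    ident: str
    text: str
    addressed: bool = False                      # evidence/argument directly addresses it
    sub: list = field(default_factory=list)      # doubts raised about that evidence

    def is_eliminated(self) -> bool:
        return self.addressed and all(d.is_eliminated() for d in self.sub)

    def residual(self) -> list:
        """This defeater and its descendants that remain uneliminated, depth-first."""
        if self.is_eliminated():
            return []
        return [self.ident] + [r for d in self.sub for r in d.residual()]

@dataclass
class Claim:
    text: str
    defeaters: list

    def baconian(self) -> tuple:
        """(i, n): i of the n identified defeaters eliminated; n|n is complete confidence."""
        return sum(d.is_eliminated() for d in self.defeaters), len(self.defeaters)

    def residual_doubts(self) -> list:
        """Uneliminated defeaters: this is where further assurance effort should go."""
        return [r for d in self.defeaters for r in d.residual()]

def citigroup_case() -> Claim:
    # Constructed from the slide's figure: R2.1 is addressed by wind-tunnel evidence
    # Ev3.1, but that evidence is undermined by UM4.1 and UM4.2; UC3.2 has no evidence.
    r21 = Defeater("R2.1", "unless there is a design error", addressed=True, sub=[
        Defeater("UM4.1", "model tested does not match the actual building"),
        Defeater("UM4.2", "not all real-world wind conditions were simulated")])
    uc32 = Defeater("UC3.2", "unless salient attributes of the design were overlooked")
    return Claim("Citigroup Tower is safe", [r21, uc32])
```

Setting `addressed = True` on UM4.1 and UM4.2 (new evidence about the tested model) moves the claim from 0|2 to 1|2, and addressing UC3.2 moves it to 2|2; until then `residual_doubts()` lists exactly the doubts still open.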
Why Baconian Probability?
Issue: What is being gained and lost (over Pascalian or Bayesian probability) with this approach?
• With eliminative induction we learn something concrete about why a system works, and with enumerative induction, we may learn something statistical about the system.
• The Baconian approach allows us to articulate both the reasons why a system can fail and the reasons why the argument can be defective.
  – Uneliminated defeaters serve to focus additional assurance efforts.
• The Baconian approach allows evaluation of a system prior to its operational use.
• The Baconian approach avoids confirmation bias.
The Baconian, Pascalian, and Bayesian approaches inform each other.
• Make Pascalian claims about system reliability and then elucidate the possibilities that would make you doubt the validity of the claim.
• Take repeated samples to understand the operational reliability of the system.
Scalability and Practicality of the Approach
Issue: Is this approach practical?
• The number of defeaters relevant to an argument is quite large for a real system.
  – But the amount of relevant argument and evidence for a real system is inherently quite large.
• We believe that the Baconian approach allows one to develop a more thorough and cost-effective basis for developing confidence in system behavior than current methods.
• We hope that this approach will lead to more effective and focused assurance efforts.
This all remains to be seen. Our initial interactions with systems developers have been promising.
Summary
The identification of defeaters and how they are eliminated provides a framework for assessing confidence.
The framework provides useful ways of thinking about assurance case deficiencies.
• Identification of deficiencies is the first step towards their mitigation.
• The end result is a stronger assurance case.
The approach is still under development. We welcome your ideas.
Contact Information
Charles B. Weinstock
Senior Member of the Technical Staff
Software Solutions Division
Telephone: +1 412-268-7719
Email: weinstock@sei.cmu.edu
U.S. Mail
Software Engineering Institute
4500 Fifth Avenue
Pittsburgh, PA 15213-2612
USA
John B. Goodenough
SEI Fellow (retired)
Software Solutions Division
Telephone: +1 412-268-6391
Email: jbg@sei.cmu.edu
Ari Z. Klein
Ph.D. Candidate – Rhetoric
Software Solutions Division
Telephone: +1 412-268-7700
Email: azklein@sei.cmu.edu