Assessing the Overall Sufficiency of Safety Arguments

Similar documents
A Simple Regression Problem

Soft Computing Techniques Help Assign Weights to Different Factors in Vulnerability Analysis

Non-Parametric Non-Line-of-Sight Identification 1

Inspection; structural health monitoring; reliability; Bayesian analysis; updating; decision analysis; value of information

Finite fields. and we ve used it in various examples and homework problems. In these notes I will introduce more finite fields

Kinetic Theory of Gases: Elementary Ideas

The Transactional Nature of Quantum Information

Importance of Sources using the Repeated Fusion Method and the Proportional Conflict Redistribution Rules #5 and #6

INTELLECTUAL DATA ANALYSIS IN AIRCRAFT DESIGN

Kinetic Theory of Gases: Elementary Ideas

Experimental Design For Model Discrimination And Precise Parameter Estimation In WDS Analysis

Feature Extraction Techniques

Example A1: Preparation of a Calibration Standard

Importance of Sources using the Repeated Fusion Method and the Proportional Conflict Redistribution Rules #5 and #6

BALLISTIC PENDULUM. EXPERIMENT: Measuring the Projectile Speed Consider a steel ball of mass

LONG-TERM PREDICTIVE VALUE INTERVAL WITH THE FUZZY TIME SERIES

Using EM To Estimate A Probablity Density With A Mixture Of Gaussians

Proc. of the IEEE/OES Seventh Working Conference on Current Measurement Technology UNCERTAINTIES IN SEASONDE CURRENT VELOCITIES

Supervised assessment: Modelling and problem-solving task

Pattern Recognition and Machine Learning. Learning and Evaluation for Pattern Recognition

Fast Montgomery-like Square Root Computation over GF(2 m ) for All Trinomials

Analyzing Simulation Results

Model Fitting. CURM Background Material, Fall 2014 Dr. Doreen De Leon

Pattern Recognition and Machine Learning. Artificial Neural networks

Optical Properties of Plasmas of High-Z Elements

This model assumes that the probability of a gap has size i is proportional to 1/i. i.e., i log m e. j=1. E[gap size] = i P r(i) = N f t.

AiMT Advances in Military Technology

Block designs and statistics

Ensemble Based on Data Envelopment Analysis

Efficient Filter Banks And Interpolators

16 Independence Definitions Potential Pitfall Alternative Formulation. mcs-ftl 2010/9/8 0:40 page 431 #437

A LOSS FUNCTION APPROACH TO GROUP PREFERENCE AGGREGATION IN THE AHP

COS 424: Interacting with Data. Written Exercises

are equal to zero, where, q = p 1. For each gene j, the pairwise null and alternative hypotheses are,

A note on the multiplication of sparse matrices

Department of Physics Preliminary Exam January 3 6, 2006

Chapter 6: Economic Inequality

Energy and Momentum: The Ballistic Pendulum

Bayesian Approach for Fatigue Life Prediction from Field Inspection

In this chapter, we consider several graph-theoretic and probabilistic models

Course Notes for EE227C (Spring 2018): Convex Optimization and Approximation

OBJECTIVES INTRODUCTION

Extension of CSRSM for the Parametric Study of the Face Stability of Pressurized Tunnels

Curious Bounds for Floor Function Sums

Interactive Markov Models of Evolutionary Algorithms

Multi-Scale/Multi-Resolution: Wavelet Transform

Measuring Temperature with a Silicon Diode

1 Proof of learning bounds

Physics 215 Winter The Density Matrix

The Weierstrass Approximation Theorem

Pattern Recognition and Machine Learning. Artificial Neural networks

The Use of Analytical-Statistical Simulation Approach in Operational Risk Analysis

Chaotic Coupled Map Lattices

What is Probability? (again)

Intelligent Systems: Reasoning and Recognition. Artificial Neural Networks

2 Q 10. Likewise, in case of multiple particles, the corresponding density in 2 must be averaged over all

13.2 Fully Polynomial Randomized Approximation Scheme for Permanent of Random 0-1 Matrices

Estimating Parameters for a Gaussian pdf

Newton's Laws. Lecture 2 Key Concepts. Newtonian mechanics and relation to Kepler's laws The Virial Theorem Tidal forces Collision physics

E0 370 Statistical Learning Theory Lecture 6 (Aug 30, 2011) Margin Analysis

Kernel Methods and Support Vector Machines

USEFUL HINTS FOR SOLVING PHYSICS OLYMPIAD PROBLEMS. By: Ian Blokland, Augustana Campus, University of Alberta

List Scheduling and LPT Oliver Braun (09/05/2017)

Sampling How Big a Sample?

Chapter 6 1-D Continuous Groups

MAKE SURE TA & TI STAMPS EVERY PAGE BEFORE YOU START

. The univariate situation. It is well-known for a long tie that denoinators of Pade approxiants can be considered as orthogonal polynoials with respe

About the definition of parameters and regimes of active two-port networks with variable loads on the basis of projective geometry

The Thermal Dependence and Urea Concentration Dependence of Rnase A Denaturant Transition

TEST OF HOMOGENEITY OF PARALLEL SAMPLES FROM LOGNORMAL POPULATIONS WITH UNEQUAL VARIANCES

ASSUME a source over an alphabet size m, from which a sequence of n independent samples are drawn. The classical

THERMAL ENDURANCE OF UNREINFORCED UNSATURATED POLYESTERS AND VINYL ESTER RESINS = (1) ln = COMPOSITES & POLYCON 2009

Construction of an index by maximization of the sum of its absolute correlation coefficients with the constituent variables

Chapter 1: Basics of Vibrations for Simple Mechanical Systems

ESTIMATING AND FORMING CONFIDENCE INTERVALS FOR EXTREMA OF RANDOM POLYNOMIALS. A Thesis. Presented to. The Faculty of the Department of Mathematics

Polygonal Designs: Existence and Construction

UNCERTAINTIES IN THE APPLICATION OF ATMOSPHERIC AND ALTITUDE CORRECTIONS AS RECOMMENDED IN IEC STANDARDS

Solutions of some selected problems of Homework 4

On Constant Power Water-filling

Research in Area of Longevity of Sylphon Scraies

On Poset Merging. 1 Introduction. Peter Chen Guoli Ding Steve Seiden. Keywords: Merging, Partial Order, Lower Bounds. AMS Classification: 68W40

Fault Tree Modeling Using CBHRA and SAF Method. Korea Atomic Energy Research Institute Hyun Gook Kang

Multi-Dimensional Hegselmann-Krause Dynamics

ma x = -bv x + F rod.

The accelerated expansion of the universe is explained by quantum field theory.

Symbolic Analysis as Universal Tool for Deriving Properties of Non-linear Algorithms Case study of EM Algorithm

Uniaxial compressive stress strain model for clay brick masonry

Best Arm Identification: A Unified Approach to Fixed Budget and Fixed Confidence

Intelligent Systems: Reasoning and Recognition. Perceptrons and Support Vector Machines

A Model for the Selection of Internet Service Providers

A method to determine relative stroke detection efficiencies from multiplicity distributions

26 Impulse and Momentum

8.1 Force Laws Hooke s Law

Ufuk Demirci* and Feza Kerestecioglu**

A Note on the Applied Use of MDL Approximations

Chapter 2 General Properties of Radiation Detectors

Tight Bounds for Maximal Identifiability of Failure Nodes in Boolean Network Tomography

Physically Based Modeling CS Notes Spring 1997 Particle Collision and Contact

Estimation of ADC Nonlinearities from the Measurement in Input Voltage Intervals

Sexually Transmitted Diseases VMED 5180 September 27, 2016

Transcription:

University of Pennsylvania ScholarlyCoons Departental Papers (CIS) Departent of Coputer & Inforation Science 2-203 Assessing the Overall Sufficiency of Safety Arguents Anaheed Ayoub University of Pennsylvania, anaheed@seas.upenn.edu Jian Chang University of Pennsylvania, jianchan@cis.upenn.edu Oleg Sokolsky University of Pennsylvania, sokolsky@cis.upenn.edu Insup Lee University of Pennsylvania, lee@cis.upenn.edu Follow this and additional works at: http://repository.upenn.edu/cis_papers Recoended Citation Anaheed Ayoub, Jian Chang, Oleg Sokolsky, and Insup Lee, "Assessing the Overall Sufficiency of Safety Arguents", 2st Safety- Critical Systes Syposiu (SSS'3), 27-44. February 203. 2st Safety-critical Systes Syposiu (SSS'3), Bristol, United Kingdo. http://scsc.org.uk/p9 This paper is posted at ScholarlyCoons. http://repository.upenn.edu/cis_papers/744 For ore inforation, please contact libraryrepository@pobox.upenn.edu.

Assessing the Overall Sufficiency of Safety Arguents Abstract Safety cases offer a eans for counicating inforation about the syste safety aong the syste stakeholders. Recently, the requireent for a safety case has been considered by regulators for safety-critical systes. Adopting safety cases is necessarily dependent on the value added for regulatory authorities. In this work, we outline a structured approach for assessing the level of sufficiency of safety arguents. We use the notion of basic probability assignent to provide a easure of sufficiency and insufficiency for each arguent node. We use the concept of belief cobination to calculate the overall sufficiency and insufficiency of a safety arguent based on the sufficiency and insufficiency of its nodes. The application of the proposed approach is illustrated by exaples. Keywords safety cases, safety arguent assessent, Depster-Shafer Theory Coents 2st Safety-critical Systes Syposiu (SSS'3), Bristol, United Kingdo. http://scsc.org.uk/p9 This conference paper is available at ScholarlyCoons: http://repository.upenn.edu/cis_papers/744

Assessing the Overall Sufficiency of Safety Arguents Anaheed Ayoub, Jian Chang, Oleg Sokolsky and Insup Lee Coputer and Inforation Science Departent, University of Pennsylvania Philadelphia, PA, USA Abstract Safety cases offer a eans for counicating inforation about the syste safety aong the syste stakeholders. Recently, the requireent for a safety case has been considered by regulators for safety-critical systes. Adopting safety cases is necessarily dependent on the value added for regulatory authorities. In this work, we outline a structured approach for assessing the level of sufficiency of safety arguents. We use the notion of basic probability assignent to provide a easure of sufficiency and insufficiency for each arguent node. We use the concept of belief cobination to calculate the overall sufficiency and insufficiency of a safety arguent based on the sufficiency and insufficiency of its nodes. The application of the proposed approach is illustrated by exaples. Introduction A safety assurance case presents an arguent, supported by a body of evidence, that a syste is acceptably safe to be used in the given context (Menon et al. 2009). Recently, the U.S. Food and Drug Adinistration (FDA) has been highlighting the upcoing call for certain 50(k) edical device subissions to include safety assurance cases (FDA 200). Adopting safety cases necessarily requires the existence of proper reviewing echaniss. Safety cases are, by their nature, often subjective (Kelly 2007). The objective of safety case developent, therefore, is to facilitate utual acceptance of this subjective position. The goal of safety case evaluation, therefore, is to assess if there is a utual acceptance of the subjective position. We define the safety arguent assessent as answering a question about the overall sufficiency of the arguent, i.e., are the preises of the arguent strong enough to support the conclusions being drawn. The siplest way to assess a safety arguent is to ask an expert reviewer to evaluate the overall sufficiency of the arguent. Although this is a coonly accepted practice, ost probably the final decision is not accurate enough. Research in experiental psychology shows that the huan ind does not deal properly with coplex inferences based on uncertain sources of University of Pennsylvania 203. Published by the Safety-Critical Systes Club. All Rights Reserved

2 Anaheed Ayoub, Jian Chang, Oleg Sokolsky and Insup Lee knowledge (Cyra and Gorski 2008a), which is coon in safety arguents. Therefore, reviewers should only be required to express their opinions about the basic eleents in the safety arguent. Then a echanis should provide a way to aggregate the reviewer opinions to counicate a essage about the overall sufficiency of the safety arguent. A potential proble with evaluating the safety arguents lies in psychology and the notion of a indset. A indset is a set of assuptions, ethods or notations held by one or ore people or groups of people which is so established that it creates a powerful incentive within these people or groups to continue to adopt or accept prior behaviours, choices, or tools (Wikipedia 202b). An iportant coponent of indset is the concept of confiration bias. Confiration bias is a tendency for people to favour inforation that confirs their preconceptions or hypotheses regardless of whether the inforation is true (Leveson 20). Confiration bias is a prie exaple of a indset that can produce defective decision aking. The proble of the confiration bias is not easy to eliinate. But it can be reduced by changing the goal. In other words, the reviewer should take the opposite goal: try to show that the provided safety arguent is insufficient to support the syste safety conclusion. We propose assessing the safety arguent insufficiency as well as its sufficiency. In this paper, we outline a structured ethod for assessing the level of sufficiency and insufficiency of safety arguents (Section 4). The reviewer assessents and the results of their aggregation are represented in the Depster-Shafer odel (Sentz and Ferson 2002). We use the notion of basic probability assignent (also referred to as a degree of belief or a ass) to provide a easure of the degree of belief in the sufficiency and insufficiency of each arguent node to do its role. For exaple, a ass of the sufficiency and insufficiency of an evidence node Ev, which is directly addressing a conclusion node n, is a easure of the degree of belief in the sufficiency and insufficiency of Ev to support n. We propose aggregation rules (Section 3) to calculate the ass of the overall sufficiency and insufficiency of a safety arguent by aggregating the ass of the sufficiency and insufficiency of the safety arguent nodes. The selection of the appropriate aggregation rule is discussed in Section 4.. The assessing of the issing support (if any) and its ipact on the degree of beliefs is given in Section 4.2. The application of the proposed ethod is illustrated by a coplete exaple in Section 5. The related work is discussed in Section 6, and Section 7 concludes the paper. 2 Safety cases Recently, safety cases are being explored as ways for counicating ideas and inforation about the safety-critical systes aong the syste stakeholders. The anufactures subit safety cases (to present a clear, coprehensive and defensible arguent supported by evidence) to the regulators to show that their products are acceptably safe to operate in the intended context (Kelly 999). There are dif-

Assessing the Overall Sufficiency of Safety Arguents 3 ferent approaches to structure and present safety cases. The Goal Structuring Notation (GSN) is one of the description techniques that have been proven to be useful for constructing safety cases (Kelly and Weaver 2004). In this work, we use the GSN notation in presenting safety cases. In GSN a top-level goal (i.e., conclusion) is decoposed into sub-goals through iplicit or explicit strategy, and eventually supported by evidence. In this paper, we use the ter conclusion to describe the relation between any goal, sub-goal or strategy and its child nodes. Also we use the ter supporting node to describe how any sub-goal, strategy or evidence node is related to its parent node. For exaple, Strategy S in Figure 7 is a conclusion for G2 and G3, and a supporting node for G. A new approach for creating clear safety cases is introduced in (Hawkins et al. 20). This new approach basically separates the ajor coponents of the safety cases into safety arguent and confidence arguent. A safety arguent is liited to give arguents and evidence that directly target the syste safety. A confidence arguent is given separately to justify the sufficiency of confidence in this safety arguent. The separation between safety and confidence related aspects facilitates the developent and reviewing processes for safety cases. In this paper, we introduce a structured echanis to assess the overall sufficiency and insufficiency of safety arguents. Confidence arguents should be used by the reviewer to ake his/her assessents on the sufficiency and insufficiency of the evidence nodes. 3 Aggregation rules We define the safety arguent assessent as answering the question about the overall sufficiency of the arguent, i.e., are the preises of the arguent strong enough to support the conclusions being drawn. The first step of the proposed assessent procedure is to ask the reviewer to express his/her opinion about the basic eleents in the safety arguent. Then a systeatic echanis is used to aggregate the reviewer opinions to counicate a essage about the overall sufficiency of the safety arguent. The process of assessing the arguent basic eleents is nothing but a decision-aking process. Decision aking can be regarded as the ental processes resulting in the selection of a course of action aong several alternative scenarios (Wikipedia 202a). Every decision aking process produces a final choice. In the case of evaluating the safety arguent node, the output would be a choice either the node under evaluation is sufficient or not. According to psychologists, a natural phenoenon known as confiration bias containates the ental process of the decision-aking. Confiration bias is a tendency for people to favour inforation that confirs their preconceptions or hypotheses regardless of whether the inforation is true (Leveson 20). For exaple, in the case of evaluating the safety arguent nodes, the reviewer ay have an existing belief that the subitter of the safety arguent is trusted based on his reputation, and probably the syste is safe based on past success. In this case, the reviewer will choose to focus on the facts that confor to his/her existing belief. If the reviewer is not careful, his/her ind that is biased toward confiring the safety ar-

4 Anaheed Ayoub, Jian Chang, Oleg Sokolsky and Insup Lee guent sufficiency would prevent hi/her fro seeing any contrary evidence that is actually there. Consequently, the reviewer decision would be that the node is sufficient; however this ay not be the truth. This is one of the ain probles of the Nirod safety case (NSC) (Haddon-Cave 2009), the safety case was built and reviewed with the indset that the syste is safe based on past success. Consequently, NSC failed to identify the design flaws that led to the total loss of the Nirod. The case of NSC shows how the consequences of confiration bias to decision aking are serious. In order to fight the confiration bias the reviewer should do the opposite; assess the safety arguent insufficiency. Although assessing the insufficiency fights the confiration bias, it increases the vulnerability to negative confiration bias. The existing belief in case of negative confiration bias would be that the node is insufficient. To fight confiration bias and negative confiration bias, we propose that the reviewer assesses his/her belief in the sufficiency and insufficiency of the arguent nodes. This forces the reviewer to evaluate the node fro two different perspectives; the positive one (the node is sufficient) and the negative one (it is insufficient). In addition, the reviewer ay not be able to precisely deterine if the node is sufficient or insufficient, eaning that he/she has a belief that this node could either be sufficient or insufficient. In other words, the reviewer describes his/her belief in the node sufficiency and insufficiency, and then the gap between these two beliefs presents the uncertainty. 3. Depster-Shafer theory Depster-Shafer Theory (DST) is a atheatical theory of evidence (Sentz and Ferson 2002). It offers an alternative to traditional probabilistic theory for the atheatical representation for uncertainty, which is required for the safety arguents assessent. DST is a potentially valuable tool when knowledge is obtained fro expert s elicitation, which is the case of safety arguents assessent. We use the Depster-Shafer odel to present the reviewer assessents and the results of their aggregation. The ost iportant part of DST is basic probability assignent (BPA), also referred to as a degree of belief or a ass. Let x be a finite set known as frae of discernent. In the safety arguent assessent, x = {Sufficient, Insufficient}. The power set P(x) is the set of all subsets of x including itself and null set. For x = {Sufficient, Insufficient} then P(x) = {, {Sufficient}, {Insufficient}, {Sufficient, Insufficient}}. The BPA, represented by, defines a apping fro every subset of the power set to interval between 0 and. Forally, :P(x) [0, ]. The BPA satisfies the following two conditions: The BPA of the null set is 0. Forally, ( ) = 0. The suation of the BPA's of all the subsets of the power set is. That is, ( A), where A is a set in the power set ( A P ( x ) ). A P ( x ) Every set in the power set of the frae of discernent which has ass > 0 is a focal eleent (i.e., hypotheses). For the safety arguent assessent, P(x) has three focal eleents: hypothesis S = {Sufficient} that the node is sufficient, hy-

Assessing the Overall Sufficiency of Safety Arguents 5 pothesis I = {Insufficient} that it is insufficient, and (universe) hypothesis U = {Sufficient, Inefficient} that the node is either sufficient or insufficient. For each arguent node n, n (S) and n (I) represent the degree of belief in the sufficiency and insufficiency of n. And n (U) represents the uncertainty; n is either sufficient or insufficient, where n (S) + n (I) + n (U) =. Exaple. Suppose the reviewer checked the confidence arguent/easure provided for node n, and got a belief of 0.5 that n is sufficient ( n (S) = 0.5). However, he/she got a belief in n insufficiency with a degree 0.2 ( n (I) = 0.2). The reaining ass of 0.3, which is the gap between the 0.5 supporting n sufficiency on one hand and the 0.2 for n insufficiency on the other hand is indeterinate. Which eans that n could either be sufficiency or insufficient ( n (U) = 0.3). One of the ain attractions of DST is the availability of a rule to cobine the data obtained fro ultiple sources. It allows one to cobine evidence fro different sources and arrive at a degree of belief. This is the case of addressing a conclusion supported by different nodes, where each supporting node arrives with a degree of belief. DST is based on the assuption that these supporting nodes are independent. The original cobination rule of ultiple BPA's is known as Depster s rule of cobination (Voorbraak 202). Definition. Given two BPA's and 2, the cobination (called joint ) is calculated fro the aggregation of and 2 as: ( ) 0 ( C ) ( C ) ( C ) 2 K ( A ) * ( B ). A B 2 ( A ) * ( B ) A B C 2 where C K The denoinator, K, is a noralization factor, which is a easure of the aount of conflict between the two supporting nodes. For the safety arguent assessent, C is S, I, or U. The Depster s rule of cobination is coutative and associative. For the siple case shown in Figure, a conclusion node n (i.e., GSN goal, sub-goal, or strategy node) is addressed by two supporting nodes and (i.e., GSN sub-goal, strategy, or evidence nodes). The pairs for A and B sets for which A B S are (S and S), (S and U), and (U and S). The pairs for A and B sets for which A B I are (I and I), (I and U), and (U and I). The pairs for A and B sets for which A B are (S and I), and (I and S). n Fig.. A siple case

6 Anaheed Ayoub, Jian Chang, Oleg Sokolsky and Insup Lee The following definition, which we will frequently use in the rest of the paper, is the application of Definition to the siple case given in Figure. Definition 2. ( S ) ( S ) ( S ) n n 2 n 3 ( S ) * ( S ) ( S ) * ( U ) ( U ) * ( S ) n 2 n 3 n 2 n 3 n 2 n 3 K ( I ) ( I ) ( I ) n n 2 n 3 ( I ) * ( I ) ( I ) * ( U ) ( U ) * ( I ) n 2 n 3 n 2 n 3 n 2 n 3 K K ( S ) * ( I ) ( I ) * ( S ). n 2 n 3 n 2 n 3 There is a known proble with the noralization of Depster s rule of cobination as explained in (Zadeh 84). We avoid this issue because the eleents of our sets (S, I and U) are not independent. 3.2 Mixing In addition to using Depster s rule of cobination, we also use a ixing (i.e., weighted averaging) rule. w * ( C ) w * ( C ) Definition 3. The ixing rule: 2 2 ( C ) w w 2, where w and w are the weights assigned to the supporting nodes. These weights represent the 2 coverage of the conclusion by each supporting node. The weighted averaging rule of cobination is coutative and associative. The following definition, which we will frequently use in the rest of the paper, is the application of Definition 3 to the siple case given in Figure. Definition 4. n ( C ) w * ( C ) w w w 2 * ( C ) n 2 2 n 3, where w and w represent 2 the coverage of n by and respectively. The use of ixing rules with Depster-Shafer structures is justified in (Sentz and Ferson 2002). Definitions and 3 give the general for of the aggregation rules. Definitions 2 and 4 are the case of instantiation to the safety arguent assessent settings for two supporting nodes. Discussions for the criteria to select between the aggregation rules (Definition 2 and Definition 4), and how to apply these rules to aggregate the degree of belief in the sufficiency and insufficiency of the arguent nodes, are given in Section 4..

4 Assessent echanis Assessing the Overall Sufficiency of Safety Arguents 7 The ove toward using safety cases in certification and regulation requires a way to review the. Safety cases are, by their nature, often subjective (Kelly 2007). The goal of safety case evaluation, therefore, is to assess if there is a utual acceptance of the subjective position. We propose an assessent ethod to assess the overall sufficiency and insufficiency of safety arguents. This ethod consists of the two steps shown in Algorith. The sufficiency and insufficiency of the top goal is the overall sufficiency and insufficiency of the safety arguent. Step. Evidence assessent Algorith. Assessent procedure Estiate the sufficiency and insufficiency of each evidence node to address the goal it is used to support. These estiations express the degree of the reviewer belief in the sufficiency and insufficiency of the evidence (e.g., Ev) to support its goal. We use the notion of the BPA to represent these estiations. Forally, ( C ), where C { S, I, U }. Ev Step 2. Autoatic aggregation Starting fro the leaves of the safety arguent, apply the next steps for each conclusion node. Aggregate the estiates of the supporting nodes to obtain the degree of belief in the sufficiency and insufficiency of the conclusion (Section 4.). Recalculate the degree of belief in the sufficiency and insufficiency of the conclusion, in case of identifying issing supports (Section 4.2). Repeat the process until the top goal has been reached. Confidence. The reviewer should use the confidence arguents (Ayoub et al. 202, Hawkins et al. 20) or any confidence easure (Bloofield et al. 2007, Denney et al. 20) in the evidence assessent. Assuptions. We assue that the safety arguent is understandable, free fro structural errors (e.g., no circular arguents), fully connected (i.e., no dangling evidence or unsupported goal), sufficiently expressed (e.g., no issing context), and contains no conflicts (e.g., assuptions attached to all the arguent nodes are consistent). These assuptions can be satisfied by applying the step-by-step reviewing echanis (Kelly 2007) before running the proposed assessent ethod. More discussion of the copleentary use of these two ethods is given in Section 6.

8 Anaheed Ayoub, Jian Chang, Oleg Sokolsky and Insup Lee 4. Arguent types Note that the degree of belief in the support given to a conclusion by its supporting nodes depends on the kind of inference used to derive the conclusion. We therefore begin by characterizing inference types (i.e., arguent types). We use the case shown in Figure to define the ain arguent types. Let n be a goal node claiing that {the syste satisfies 0 safety requireents; SRs -0}. Table shows exaples of different arguent types for the sae conclusion. For the case shown in Figure, we distinguish four arguent types (see Figure 2). Table : Arguent types exaple Description the syste is forally verified against SRs -0 the syste is tested against SRs -0 the syste is forally verified against SRs -3 the syste is tested against SRs 4-0 the syste is forally verified against SRs -4 the syste is tested against SRs 4-0 the syste is forally verified against SRs -4 the syste is tested against SRs -0 Arguent Type Alternative Disjoint, w 3 and w 7 2 Overlap, w 3, w, and w 6 2 Overlap Containent, w 4 and w Containen t 6 Ev (a) Alternative (b) Disjoint (c) Overlap (d) Containent Fig. 2. Arguent types Alternative relates to a situation where ore than one independent support of the coon conclusion is provided. In other words, each of the supporting nodes supports the whole conclusion (e.g., the first row in Table ). In this case, the rule given in Definition 2 is used to aggregate the ass of the sufficiency and insufficiency of and to obtain the ass of the sufficiency and insufficiency of n. Disjoint relates to a situation where the supporting nodes provide copleentary support for the conclusion. This eans, each of the supporting nodes covers part of the conclusion (e.g., the second row in Table ). In such a case, not only the assessents of the supporting nodes but also the weights, representing the coverage, associated with each supporting node are taken into account. The final assessent of the conclusion is a sort of weighed average (i.e., Definition 4) of the contribution of all the supporting nodes.

Assessing the Overall Sufficiency of Safety Arguents 9 Overlap relates to a situation where the supporting nodes support overlap parts of the conclusion. So each of the supporting nodes covers not disjoint part of the conclusion (e.g., the third row in Table ). In such a case, the weights associated with each supporting node and the weight of the overlap are taken into account. For the siple exaple given in Figure 2c, first the two overlapped nodes are restructured into three disjoint parts as shown in Figure 3a. This restructuring is valid under the assuption that the degree of belief in a node equals the degree of belief in its pieces. E.g., the degree of belief in an evidence node referring to the testing results for 3 safety requireents SR, SR2, and SR3 is the sae as the degree of belief in the testing results for each single safety requireent SR, SR2, and SR3. In other words, this cobined evidence can be seen as three saller evidence nodes each of which points to the testing results for one safety requireent. In this case, the degree of belief in each sall piece of evidence equals the degree of belief in the cobined evidence as the sae testing echanis and settings are used for the three safety requireents. The iddle part in Figure 3a is covered by both evidence nodes, so Definition 2 is applied for hypothesis C { S, I, U } Overlap ( C n 2 n 3 C ) ( C ) ( ). The result is three disjoint nodes as shown in Figure 3a, so Definition 4 is applied twice. We can copute this by cobining any pair of,, and with n 2 O v e rla p n 3 the corresponding weights, and then cobine the result with the reaining third ass. Let s first cobine and n 2 O v e rla p int erediate ( C ) w * n 2 ( C ) w w w Overlap Overlap * Overlap ( C ). Then cobine the result with n 3 n ( C ) ( w w The result would be n ( C ) ) * Overlap int erediate 2 n 3. w * ( w ( C ) w w Overlap * ( C ) w ) w 2 2 * ( C ) w ( C ) * ( C ) n 2 Overlap Overlap 2 n 3, w w Overlap w where w, w and w represent the coverage of n by only, the overlap, O v e rla p 2 and only respectively. Containent relates to a situation where one supporting node coverage is included in a bigger supporting node coverage. In other words, each of the supporting nodes covers part of the conclusion; this part is covered also by the next larger support (e.g., the last row in Table ). In such a case, the weights associated with each supporting node are taken into account. For the siple exaple given in Fig-

0 Anaheed Ayoub, Jian Chang, Oleg Sokolsky and Insup Lee ure 2d, first the two nodes are restructured into two disjoint parts as shown in Figure 3b. This restructure is valid under the sae assuption given for the overlap case. In Figure 3b, the degree of belief in the part covered by both supporting nodes is calculated by applying the rule given in Definition 2. Containen t ( C ) ( C ) ( C ) n 2 n 3 The result is two disjoint nodes, so Definition 4 is used: n ( C ) w * n 2 ( C ) w w Containen w t Containen * t Containen t ( C ) represent the coverage of n by only and the con- where w, and w tainent respectively. C o n ta in en t Ev Ev (a) The overlap case Figure 3. Arguent types restructure (b) The containent case Exaple 2. Table 2 shows the results of applying the aggregation rules for each arguent type with different weights for each supporting node. Table 2. Exaple of different arguent type aggregation results Alternative Disjoint { w, w } 2 Overlap { w, w, w } Overlap 2 Containent { w, w Containen t } weights {6, 4} {6,,3} {5,3,2} {4,5,} {8, 2} {5, 5} {2, 8} n ( ) 0.848 0.58 0.592 0.6344 0.785 0.563 0.657 0.752 S n ( ) 0. 0.6 0.6 0.533 0.343 0.82 0.56 0.29 I We can see that for the overlap case, when the overlapping is significant then the results are close to the alternative case, and when the overlapping is insignificant then the results are close to the disjoint case (using the sae weights). For the containent case, when one of the supports is very sall, then its contribution is negligible, and the results are deterined by the significant support. But when the coverage of the saller support increases, the results becoe closer to the alternative case. These observations are useful in practice, because it is not always obvious how to characterize the overlapping part. In such cases, the overlap is approxiated to either alternative or disjoint case based on the reviewer assessent for the overlapping significance. In the sae way, the containent can be ap-

Assessing the Overall Sufficiency of Safety Arguents proxiated to either alternative case or the significant evidence nubers based on the reviewer assessent for the sall evidence coverage. It is assued that the reviewer is an expert with sufficient copetence to assess the arguent nodes and express his/her opinion (as required for Step in Algorith ), and to deterine the arguent type of each decoposition in the safety arguent. The expert defines the arguent type based on his/her understanding to the conclusion and its basis, and the supporting nodes and their basis. Where the node basis is defined by all context, justification, and assuption nodes attached to this node. Exaple 3. Figure 4 is an exaple to show how the node basis is iportant in identifying the arguent type. By checking the supporting nodes G and G2, it is clear that the arguent type is alternative as both G and G2 cover the whole G0 conclusion. However, by checking A the expert ay believe that testing reveals only 80% of the cases but there is 20% of the cases will not be covered by testing. That eans G covers only 80% of G0, but G2 covers the whole conclusion. So the arguent type is not alternative but containent where G is the sall support, its weight is 0.8. G0 Hardware has no systeatic flaw A G G2 Test will reveal all iswiring and isconfiguration A Test have not revealed any systeatic hardware flaws Established design iplies there will be no systeatic hardware flaws Fig. 4. Identify the arguent type In the general case, i.e., when ore than two nodes support the conclusion, the four arguent types are still valid. In addition, a general arguent type, called arbitrary, can be found. The arbitrary arguent type corresponds to the situation where there is no coon part to all supporting nodes, though soe supporting nodes ay cover a coon part. Figure 5 shows an exaple of such case. The arbitrary arguent type can be structured as a cobination of alternative and disjoint cases. Although Depster s rule of cobination and the ixing rule are associative and coutative, they do not have the sae precedence and so when both rules are applied the order atters. It is the sae as the case of the ultiplication and addition operators, both are associative and coutative but that does not ean that a + b + c = (a + b) * c = a + (b * c). The precedence of the aggregation rules ipacts significantly the calculations for the arbitrary arguent type. For this paper, we focus on the basic four arguent types (alternative, disjoint, overlap, and containent). Elaborating the ipact of the aggregation rule prece-

2 Anaheed Ayoub, Jian Chang, Oleg Sokolsky and Insup Lee dence on the degree of belief calculations for the arbitrary case is one of the directions for future work. Ev n4 n6 n5 n nk Fig. 5. Arbitrary arguent type 4.2 Missing support The first step in the aggregation process (Step 2 in Algorith ) is applying the corresponding aggregation rules (i.e., Definition 2 and/or Definition 4) based on the arguent type. Then independently fro the arguent type, there ay be part of the conclusion that is not covered by any of the supporting nodes. This uncovered part is represented by the shading in Figures 2, 3 and 5. For all the arguent types, the uncovered part of the conclusion can be presented as a issing supporting node; node n in Figure 6, where ns represents the part of n that is covered by the provided supporting nodes. As n is issing then we know nothing about it. Which eans, unless the reviewer has a different opinion, the degree of belief in the sufficiency and insufficiency of n are set to 0; ( S ) ( I ) 0. In this case, n is defined with the issing coverage weight w and the weight of the part of n that is covered by ns is w. In this case, the relation between n as s a conclusion and ns and n can be seen as the disjoint case. For n, the ass for hypothesis D { S, I } is recalculated using Definition 4 as: n n n ( D ) w s * ns ( D ) w w s w * n ( D ) w s * w s ns w ( D ) () n ns n Fig. 5. Representing the issing coverage

Assessing the Overall Sufficiency of Safety Arguents 3 If the issing coverage is significant, then this recalculation will significantly decrease the ass of the conclusion sufficiency and insufficiency. On the other hand, the uncertainty about the conclusion increases. Worth notice is that based on the discussion given in Section 4. regarding the different precedence for the aggregation rules, the order of applying the rules atters. And as ns can be calculated by applying any aggregation rule based on the arguent type, then to get consistent results the recalculation because of the issing support would be the last step to be done for any conclusion node (as shown in Algorith ). There are three possible sources of issing supports. We use Figure 7 as an exaple to show these sources. G All identified hazards eliinated/sufficiently itigated C Identified Hazards (H, H2 and H3) S Arguent over all identified hazards G2 G3 J Hazard H has been eliinated Probability of H2 occuring <*0-6 *0-6 liit for catastrophic hazards J Ev Froal verification results Ev2 Fault tree analysis Ev3 Testing results Fig. 6. A siple safety arguent exaple Case. The expert assesses the uncovered part of the conclusion by checking the conclusion, the supporting nodes, and their basis including the inherited basis (i.e., the context, justification, and assuption nodes attached to the conclusion, the supporting nodes, and any node higher in the arguent tree). For exaple, S inherits context C for G (Kelly 999). For S, C identifies three hazards, but only two hazards are covered by G2 and G3, so only 2/3 of S is covered. In this case, using Equation, 2 * ( D ) S ( D ). S 3

4 Anaheed Ayoub, Jian Chang, Oleg Sokolsky and Insup Lee Case 2. In case of explicit or iplicit strategy node, the expert assesses the uncovered part by evaluating the used inference. For exaple, for G, the inference rule given in the explicit strategy S states {arguent by hazards itigation}. This inference supports G by showing that each individual hazard is adequately itigated, but nothing is given to cover the situation of accuulated hazards. If the probability of getting accuulated hazards is 30%, then there is a issing support to G with a weight of 0.3. In this case, D ) 0.7 * ( ) ( D. G G Case 3. Another source of the issing support is a defective definition for the conclusion basis. For exaple, for G, the sufficiency of the identified hazards list should be taken into consideration. In other words, if the hazards are not sufficiently identified then a issing support is identified. For exaple, the expert would believe that only three hazards are identified in C, while there are three other hazards that were not entioned. In this case, G ( ) is recalculated as 3 * ( D ) G ( D ). G 6 As shown, ore than one source of issing supports can be found for the sae conclusion. E.g., Case 2 and Case 3 define issing supports to G in Figure 7. It is clear that the issing itigation for H3 is already ipacted the calculations for S. And so for G, Case does not define issing supports. It is also clear that it is not iportant which source of issing supports is assessed first as the ultiplication operator is associative and coutative. But the iportant thing is to check all sources (e.g., for the given exaple, the resultant calculations for G would be 0.7 * 3 * ( D ) G ( D ) ). G 6 Note that, we assue the expert is certain about his/her opinion about the node basis, so that the expert is certain about his/her opinion that C in Figure 7 is issing three hazards. This ay not always be the case. The expert ay be uncertain about his/her opinion in any different ways. For exaple, the expert ay have a belief that soe hazards are not defined but cannot certainly tell how any hazards are issing. This uncertainty should be considered in the calculations; this is one of the directions for the future work to extend the proposed echanis. D 5 Illustrated exaple We use the coplete siple exaple given in Figure 7, inspired by the exaple given in (Weaver et al. 2003), to illustrate how to apply the proposed procedure given in Algorith. Step. Evidence assessent

Assue the expert estiates as: ( S ) 0. 8 Ev ( I ) 0., ( S ) 0. 5 2 3 Step 2. Autoatic aggregation Starting fro the leaves For G2 Assessing the Overall Sufficiency of Safety Arguents 5 Ev, Ev ( I ) 0., E ( S ) 0. 7, Ev and ( I ) 0. 2 Ev. 3 2 o Only one evidence Ev supports G2, so ( S ) ( S ) 0. 8 and G 2 Ev o ( I ) ( I ) 0.. G 2 Ev Missing support o o o For G2 o o Case. Assue the expert opinion is that Ev covers the whole G2 conclusion. Case 2. Not applicable as there is no iplicit or explicit strategy between G2 and Ev. Case 3. The conclusion node G2 has no basis and so no diensioning is required. Assue the expert opinion is that both Ev2 and Ev3 cover the whole G3 conclusion so the rule given in Definition 2 is applied. G ( S ) 0.85 and G ( I ) 0.. 3 Missing support Repeat the process For S o o 3 o Case. Assue the expert opinion is that conclusion G3 is totally covered by Ev2 and Ev3. o Case 2. Not applicable as there is no iplicit or explicit strategy. o Case 3. Assue the expert opinion is that the justification J covers only 80% of the cases. By applying equation, G ( S ) 0.652 and G ( I ) 0. 089. 3 3 It is clear that the arguent type is disjoint. Assue all hazards have the sae iportance; the weights of all hazards are equal. Using Definition 4, S ( S ) 0. 726 and S ( I ) 0. 094. Missing support: this is given as exaple in Section 4.2. The recalculation result: S ( S ) 0. 484 and S ( I ) 0. 063. For G o Strategy S is the only support to G, so S ) ( S ) 0. 484 and I ) ( I ) 0. 063 (. G S ( G S

6 Anaheed Ayoub, Jian Chang, Oleg Sokolsky and Insup Lee o Missing support: this is the exaple discussed in Section 4.2. The result is that G ( S ) 0. 69 and G ( I ) 0. 022. The calculations are suarized in Figure 8. In this case, the ass of the overall sufficiency and insufficiency of the safety arguent given in Figure 7 equal 0.69 and 0.022 respectively, and the uncertainty equals 0.809. Using these nubers the expert can decide if this safety arguent should be rejected or not. In the given exaple, ost probably the expert would reject this safety arguent as the degree of uncertainty is very high relative to the degree of belief of the arguent sufficiency which is quite low. In addition, the expert can provide aclear feedback to the subitter guiding where enhanceents are required. For the given arguent, it is clear that the first effective weakness of this arguent is issing itigation for H3. The inappropriate identification for the hazards has a significant negative ipact as well.. 0.9 0.8 0.7 0.6 0.5 0.4 0.3 0.2 0. 0. Sufficient Uncertian Insufficient Fig. 7. The exaple nubers 6 Related work The proposed assessing echanis can be used in conjunction with the step-bystep review echanis proposed in (Kelly 2007) to answer the question given in the last step of this reviewing echanis, which is of the overall sufficiency of the safety arguent. At the sae tie, applying the step-by-step reviewing echanis guarantees the assuptions of the proposed echanis as given in

Assessing the Overall Sufficiency of Safety Arguents 7 Section 4. In other words, the step-by-step review echanis provides a skeleton for a systeatic review process; however the proposed assessent echanis provides a systeatic procedure to easure the sufficiency and insufficiency of the safety arguents. An appraisal echanis is proposed in (Cyra and Gorski 2008a) to assess the trust cases. Although this echanis targets trust cases and the proposed echanis targets safety cases, both echaniss use the Depster-Shaffer odel. Both echaniss propose different aggregation rules based on the arguent types. However, the arguent types are not identical. The proposed arguent types cover the case when the falsification of one of the preises decreases, but not nullifies, the support for the conclusion. This case is also covered for the trust cases appraisal echanis, however only two arguent types are defined; alternative and copleentary (i.e., disjoint). The additional arguent types we defined (i.e., overlap and containent) are treated as an alternative or a copleentary type based on the overlap significance. Another case defined for the appraisal echanis is when the falsification of a single preise leads to the rebuttal of the conclusion or to the rejection of the whole arguent because nothing can be inferred about the conclusion. Two arguent types are defined for this case; necessary and sufficient condition list (NSC-arguent) and sufficient condition list (SCarguent). These two arguent types are not considered in the proposed echanis because we believe that for safety cases, each preise should have a contribution in supporting the conclusion. So no single preise has such a huge ipact that it ay lead to the rejection of the whole arguent. And in case of a single preise that is sufficient to reject the whole arguent then it is a siple process to check that preise and decide about the arguent rejection without any aggregation. The linguistic scales given in (Cyra and Gorski 2008b) to express the expert opinions and the aggregation results are appealing. In their work, the linguistic values are apped into the interval [0, ] and then quantitative rules are used for the aggregation (Cyra and Gorski 2008a). Although linguistic scales are ore appropriate for huan decisions than nubers, the apping has a significant ipact on the coputed results and there is no evidence that the used apping is proper. 5 Conclusion In this paper, we propose an assessent ethod to assess the overall sufficiency and insufficiency of safety arguents. For the proposed echanis, there are various parts that require interaction with the reviewer. The reviewer has to assess the evidence hypotheses, the arguent types, the existence and the weight of issing supports, and the inference deficits. In other words, the proposed ethod does not replace the reviewer; instead it provides a fraework to lead the reviewer through the evaluation process and to cobine the reviewer estiates. One of the ain liitations of the proposed ethod is that the evidence nodes have to be independent as required by Depster-Shafer Theory. However in any

8 Anaheed Ayoub, Jian Chang, Oleg Sokolsky and Insup Lee safety arguents, evidence nodes are not independent. Extending the proposed echanis to cover this dependency is one of the directions for future work. Our preliinary experience of applying the proposed ethod has revealed that the assessing echanis yields the expected benefits in guiding the safety arguent reviewer and helping hi/her to reduce the effect of the confiration bias indset. Acknowledgents This work is supported in part by the NSF CPS grant CNS-03575 and the NSF/FDA Scholar-in-Residence grant CNS-042829. References Ayoub A, Ki B, Lee I, Sokolsky O (202) A systeatic approach to justifying sufficient confidence in software safety arguents. In: SAFECOMP Bloofield R, Littlewood B, Wright D (2007) Confidence: its role in dependability cases for risk assessent. In: DSN Cyra L, Gorski J (2008a) Supporting expert assessent of arguent structures in trust cases. In: PSAM Cyra L, Gorski J (2008b) Expert assessent of arguents: a ethod and its experiental evaluation. In: SAFECOMP Denney E, Pai G, Habli I (20) Towards easureent of confidence in safety cases. In: ESEM' FDA (200) Guidance for industry and FDA staff total product life cycle: infusion pup prearket notification [50(k)] subissions. US Food and Drug Adinistration Center for Devices and Radiological Health Haddon-Cave C (2009) The Nirod review: an independent review into the broader issues surrounding the loss of the RAF Nirod MR2 aircraft XV230 in Afghanistan in 2006. Technical report, The Stationery Office (TSO) Hawkins R, Kelly T, Knight J, Graydon P (20) A new approach to creating clear safety arguents. In: Dale C, Anderson T (eds) Advances in systes safety. Springer Kelly T (999) Arguing safety. A systeatic approach to anaging safety cases. PhD thesis, Departent of Coputer Science, University of York Kelly T (2007) Reviewing assurance arguents - a step-by-step approach. In Proceedings of Workshop on Assurance Cases for Security The Metrics Challenge, DSN '07. Kelly T, Weaver R (2004) The goal structuring notation a safety arguent notation. In: DSN 2004 Workshop on Assurance Cases Leveson N (20) The use of safety cases in certification and assurance. Working paper Menon C, Hawkins R, McDerid J (2009) Defense standard 00-56 issue 4: towards evidencebased safety standards. In: Dale C, Anderson T (eds) Safety-critical systes: probles, process and practice. Springer Sentz K, Ferson S (2002) Cobination of evidence in Depster-Shafer theory. Technical report, Sandia National Laboratories, SAND 2002-0835 Voorbraak F (202) Depster-Shafer theory. www.blutner.de/uncert/dsth.pdf. Accessed 30 Septeber 202 Weaver R, Fenn J, Kelly T (2003) A pragatic approach to reasoning about the assurance of safety arguents. In the Australian workshop on Safety critical systes and software Wikipedia (202a) Decision aking. http://en.wikipedia.org/wiki/decision_aking. Accessed 30 Septeber 202 Wikipedia (202b) Mindset. http://en.wikipedia.org/wiki/mindset. Accessed 30 Sept 202 Zadeh L (984) Book review: A atheatical theory of evidence. AI Magazine, 5(3):8-83

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback