2nd international workshop on argument for agreement and
play

2nd International Workshop on Argument for Agreement and Assurance - PowerPoint PPT Presentation

Jan 03, 2023 •470 likes •764 views

2nd International Workshop on Argument for Agreement and Assurance (AAA 2015), Kanagawa Japan, November 2015 On the Interpretation Of Assurance Case Arguments John Rushby Computer Science Laboratory SRI International Menlo Park, CA John

  1. 2nd International Workshop on Argument for Agreement and Assurance (AAA 2015), Kanagawa Japan, November 2015

  2. On the Interpretation Of Assurance Case Arguments John Rushby Computer Science Laboratory SRI International Menlo Park, CA John Rushby, SR I Interpretation of Assurance Case Arguments 1

  3. Introduction • I’m focused on the assurance and certification of software for commercial airplanes • Currently assured by DO-178C ◦ Enumerates 71 “objectives” that must be satisfied for the most critical software ◦ e.g., “Ensure that each High Level Requirement (HLR) is accurate, unambiguous, and sufficiently detailed, and that the requirements do not conflict with each other” [Section 6.3.1.b] • It seems to work: no incidents due to flaws in software implementation ◦ DO-178C is about correctness of implementation wrt HLR ◦ ARP 4754 and others are concerned with safety of HLR John Rushby, SR I Interpretation of Assurance Case Arguments 2

  4. Introduction (ctd.) • But the world is changing ◦ NextGen integrates once separate air and ground systems ◦ Unmanned vehicles in same airspace ◦ More autonomous systems ◦ New methods of software development and assurance • We don’t really know why DO-178C works ◦ So difficult to predict impact of changed environment ◦ And difficult to update (10 years to go from B to C) • So look at Assurance Cases as a possible way forward ◦ Retrospective reformulation of DO-178C as an assurance case (Michael Holloway) ◦ Then look for a scientific basis to assurance cases John Rushby, SR I Interpretation of Assurance Case Arguments 3

  5. Assurance Cases • The idea is that we “make the case” to justify deployment of some system by ◦ Stating the claim that it must satisfy ⋆ Generally safety- or correctness-related ◦ Developing evidence about its assumptions, design, implementation, performance etc. ◦ Constructing a structured argument that justifies the claim, based on the evidence • How should we interpret these arguments? • And what are the expectations on them? ◦ “compelling, comprehensible and valid” [00-56] ◦ Are these all the same? John Rushby, SR I Interpretation of Assurance Case Arguments 4

  6. Complications: Inductive and Deductive Arguments • The world is an uncertain place (random faults and events) • Our knowledge of the world is incomplete, may be flawed • Our reasoning may be flawed also • So an assurance case cannot expect to prove its claim • Hence, the overall argument is inductive ◦ Evidence & subclaims strongly suggest truth of top claim • Rather than deductive ◦ Evidence & subclaims imply or entail the top claim John Rushby, SR I Interpretation of Assurance Case Arguments 5

  7. Complications: Confidence Items • If the overall argument is inductive • Does that mean all its steps may be inductive too? • Traditionally, yes! ◦ Considered unrealistic to be completely certain ◦ cf. ceteris paribus hedges in science • Can add ancillary confidence items to bolster confidence in inductive steps ◦ Evidence or subclaims that do not directly contribute to the argument ◦ i.e., their falsity would not invalidate the argument ◦ But their truth increase our confidence in it • Eh? John Rushby, SR I Interpretation of Assurance Case Arguments 6

  8. Complications: Graduated Assurance • Assurance is expensive, so most standards and guidelines allow less assurance effort for elements that pose lesser risks • E.g. DO-178C ◦ 71 objectives for Level A, 33 with independence ◦ 69 objectives for Level B, 21 with independence ◦ 62 objectives for Level C, 8 with independence ◦ 26 objectives for Level D, 5 with independence • So if Level A is “compelling, comprehensible and valid” • The lower levels must be less so, or not so • We need some idea what is lost, and a measure of how much John Rushby, SR I Interpretation of Assurance Case Arguments 7

  9. Proposed Interpretation • Clearly need a semantics to account for all this • I’m going to propose a simple, even obvious, semantics for a sound assurance case • I further propose that only sound assurance cases should be accepted • However, sound assurance cases can have different strengths John Rushby, SR I Interpretation of Assurance Case Arguments 8

  10. Structured Argument In a generic notation (GSN shapes, CAE arrows) C C: Claim AS: Argument Step AS SC: Subclaim E: Evidence A hierarchical arrangement SC E of argument steps, each of which justifies a claim or subclaim on the basis of AS further subclaims or evidence E E John Rushby, SR I Interpretation of Assurance Case Arguments 9

  11. Argument Steps and Layered Arguments • We decompose top-level claim into conjunction of subclaims • And iterate • Until we get down to subclaims supported by evidence • Provide a narrative justification for each step • Easier to understand when just two kinds of argument steps ◦ Reasoning steps: subclaim supported by further subclaims ◦ Evidential steps: subclaim supported by evidence • Call this a simple form argument ◦ Can normalize to this form by adding subclaims ◦ In the paper I explain how to give a direct interpretation John Rushby, SR I Interpretation of Assurance Case Arguments 10

  12. Normalizing an Argument to Simple Form C C AS RS SC E SC SC AS ES ES E E E E E RS : reasoning step; ES : evidential step John Rushby, SR I Interpretation of Assurance Case Arguments 11

  13. Why Focus on Simple Form? • The two kinds of argument step are interpreted differently • Evidential steps ◦ These are about epistemology: knowledge of the world ◦ Bridge from the real world to the world of our concepts ◦ Have to be considered inductive ◦ Multiple items of evidence are “weighed” not conjoined • Reasoning Steps ◦ These are about logic/reasoning ◦ Conjunction of subclaims leads us to conclude the claim ⋆ Deductively: subclaims imply claim (my preference) ⋆ Inductively: subclaims suggest claim • Combine these to yield complete arguments ◦ Those evidential steps whose weight crosses some threshold of credibility are treated as premises in a classical deductive interpretation of the reasoning steps John Rushby, SR I Interpretation of Assurance Case Arguments 12

  14. Weighing Evidential Steps • We measure and observe what we can ◦ e.g., test results • To infer a subclaim that is not directly observable ◦ e.g., correctness • Different observations provide different views ◦ Some more significant than others ◦ And not all independent • “Confidence” items can be observations that vouch for others ◦ Or provide independent backup • Need to “weigh” all these in some way • Probabilities provide a convenient metric • And Bayesian methods and BBNs provide tools John Rushby, SR I Interpretation of Assurance Case Arguments 13

  15. The Weight of Evidence? • Plausible to suppose that we should accept claim C given evidence E when P ( C | E ) exceeds some threshold • These are subjective probabilities expressing human judgement • Experts find P ( C | E ) hard to assess • And it is influenced by prior P ( C ) , which can express ignorance. . . or prejudice • Instead, factor problem into alternative quantities that are easier to assess and of separate significance • So look instead at P ( E | C ) ◦ Related to P ( C | E ) by Bayes’ Rule ◦ But easier to assess likelihood of observations given claim about the world than vice versa John Rushby, SR I Interpretation of Assurance Case Arguments 14

  16. Confirmation Measures • We really are interested in the extent to which E supports C . . . rather than its negation ¬ C • So focus on the ratio or difference of P ( E | C ) and P ( E | ¬ C ) , . . . or logarithms of these • These are called confirmation measures • They weigh C and ¬ C “in the balance” provided by E • Suggested that these are what criminal juries should be instructed to assess (Gardner-Medwin) log P ( E | C ) • Good’s measure: P ( E | ¬ C ) • Kemeny and Oppenheim’s measure: P ( E | C ) − P ( E | ¬ C ) P ( E | C ) + P ( E | ¬ C ) • Much discussion on merits of these and other measures John Rushby, SR I Interpretation of Assurance Case Arguments 15

  17. Application of Confirmation Measures • I do not think the specific measures are important • Nor do I advocate applying these methods to the evaluation of individual arguments • Rather, use BBNs and confirmation measures for what-if investigations ◦ Can help in selection of evidence for evidential steps ◦ e.g., refine what objectives DO-178C should require • Example (next slides) use of “artifact quality” objectives as confidence items in DO-178C John Rushby, SR I Interpretation of Assurance Case Arguments 16

  18. Weighing Evidential Steps With BBNs Z Z: System Specification O A O: Test Oracle S: System’s true quality S T: Test results T V V: Verification outcome A: Specification “quality” C: Conclusion C Example joint probability table: successful test outcome Correct System Incorrect System Correct Oracle Bad Oracle Correct Oracle Bad Oracle 100% 50% 5% 30% John Rushby, SR I Interpretation of Assurance Case Arguments 17

  19. Example Represented in Hugin BBN Tool John Rushby, SR I Interpretation of Assurance Case Arguments 18

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

The 5 th Argument Mining Workshop The Argument Mining Community is Growing 90 80 82 70 60

The 5 th Argument Mining Workshop The Argument Mining Community is Growing 90 80 82 70 60

The 5 th Argument Mining Workshop The Argument Mining Community is Growing 90 80 82 70 60 59 50 51 40 30 35 20 10 0 2015 2016 2017 2018 "Argument(ation) Mining" Number of registered # of results in Google Scholar

315 views • 7 slides
Workshop Argument Strength Bochum, 2 December 2016 The importance of argument strength in

Workshop Argument Strength Bochum, 2 December 2016 The importance of argument strength in

Workshop Argument Strength Bochum, 2 December 2016 The importance of argument strength in policy-making: the case of European Union directives Corina Andone ( University of Amsterdam ) and Florin Coman-Kund ( Erasmus University Rotterdam )

407 views • 3 slides
Argument Strength and Probability Henry Prakken Workshop on Argument Strength Bochum

Argument Strength and Probability Henry Prakken Workshop on Argument Strength Bochum

Argument Strength and Probability Henry Prakken Workshop on Argument Strength Bochum 30-11-2016 Argumentation and Probability Theory Argumentation-as-inference is a form of nonmonotonic logic Qualitative approaches to reasoning with

574 views • 40 slides
Essay Writing Workshop ENG2D What is an essay? - Written argument - Analytical form of writing

Essay Writing Workshop ENG2D What is an essay? - Written argument - Analytical form of writing

Essay Writing Workshop ENG2D What is an essay? - Written argument - Analytical form of writing (uses logical reasoning) to provide evidence to convince the reader of your side of the argument - An introduction, body, and conclusion -

650 views • 27 slides
ARGUMENT NOTES M R S . P E R RY E N G L I S H I ARGUMENT TERMS Claim: a statement that asserts

ARGUMENT NOTES M R S . P E R RY E N G L I S H I ARGUMENT TERMS Claim: a statement that asserts

ARGUMENT NOTES M R S . P E R RY E N G L I S H I ARGUMENT TERMS Claim: a statement that asserts a main point of an argument (a side) Example: T eaching is a great career. 1. Write your own example of a claim. ARGUMENT TERMS Reason(s): the

344 views • 17 slides
Schools, Skills, and Synapses James J. Heckman University of Chicago The Argument Argument

Schools, Skills, and Synapses James J. Heckman University of Chicago The Argument Argument

Schools, Skills, and Synapses James J. Heckman University of Chicago The Argument Argument Polarization Skills Abilities and Outcomes Explanations Critical and Sensitive Periods Circuits Summary The Argument Argument Many major

1.08k views • 80 slides
The SPS Agreement & International Standards Codex standard setting procedures Current

The SPS Agreement & International Standards Codex standard setting procedures Current

The SPS Agreement & International Standards Codex standard setting procedures Current activities of International Standard setting at Inception Workshop: Principles & further activities for Codex implementation (17-19 September 2012,

952 views • 39 slides
The Kalam Cosmological Argument Cosmological Arguments A cosmological argument is one that

The Kalam Cosmological Argument Cosmological Arguments A cosmological argument is one that

The Kalam Cosmological Argument Cosmological Arguments A cosmological argument is one that argues that there must be a God to explain the existence of the universe. There are different forms of the argument depending on what is to be

486 views • 14 slides
1 The Problem of Truth Successful Argumentation: (Truth versus Persuasion) (cont d) The

1 The Problem of Truth Successful Argumentation: (Truth versus Persuasion) (cont d) The

Argument Not a fight or a debate The connotation that an argument is a heated disagreement does not apply here We are not concerned with formal pro-con debates where one position or another is argued. Argument An

162 views • 3 slides
The structure of the argument Evidence from Polish: Argument 1 Predication from within a PP and

The structure of the argument Evidence from Polish: Argument 1 Predication from within a PP and

The structure of the argument Evidence from Polish: Argument 1 Predication from within a PP and Case assignment with Numeral Phrases Certain raising verbs in Polish selects PPs whose predicate-phrasal Przepiorkowski (2000) daughters

413 views • 9 slides
SYMBOLIC LOGIC UNIT 1: INTRODUCTION TO LOGIC What is an argument? An argument is the public,

SYMBOLIC LOGIC UNIT 1: INTRODUCTION TO LOGIC What is an argument? An argument is the public,

SYMBOLIC LOGIC UNIT 1: INTRODUCTION TO LOGIC What is an argument? An argument is the public, linguistic expression of reasoning. An argument is (or could be rephrased as) a set of sentences consisting of one or more premises , which contain

670 views • 35 slides
The Bonn Agreement 1969 and BE-AWARE Project Alexander von Buxhoeveden Representing the Bonn

The Bonn Agreement 1969 and BE-AWARE Project Alexander von Buxhoeveden Representing the Bonn

The Bonn Agreement 1969 and BE-AWARE Project Alexander von Buxhoeveden Representing the Bonn Agreement HELCOM OpenRisk Workshop June 2017 History of the Bonn-Agreement The Bonn Agreement is the oldest regional agreement established by

617 views • 23 slides
End-to-End Argument Jeff Chase Duke University End-To-End Argument Application TCP Where to

End-to-End Argument Jeff Chase Duke University End-To-End Argument Application TCP Where to

End-to-End Argument Jeff Chase Duke University End-To-End Argument Application TCP Where to Place Functionality? IP Router End-to-End Argument Functionality should be implemented at a lower layer if and only if it can be

694 views • 12 slides
Teaching Argument Blanqui Valledor SURN April 20, 2018 Introducing Argument Amys Murder

Teaching Argument Blanqui Valledor SURN April 20, 2018 Introducing Argument Amys Murder

Teaching Argument Blanqui Valledor SURN April 20, 2018 Introducing Argument Amys Murder Discussion Who Dunnit? Persuasion versus Argument Subtle, but Significant differences between.. The Goals: Persuasive Argumentative To

557 views • 33 slides
Acquired by AVIC International TCM CONFIDENTIAL AND PROPRIETARY Transaction Highlights

Acquired by AVIC International TCM CONFIDENTIAL AND PROPRIETARY Transaction Highlights

December 14, 2010 Agreement to be Acquired by AVIC International TCM CONFIDENTIAL AND PROPRIETARY Transaction Highlights Teledyne Technologies Incorporated and AVIC International Holding Corporation announced an agreement for Technify

485 views • 14 slides
INTERNATIONAL YEAR GLOBAL UNDERSTANDING REGIONAL ACTION CENTER OF SPAIN Signatureof the agreement

INTERNATIONAL YEAR GLOBAL UNDERSTANDING REGIONAL ACTION CENTER OF SPAIN Signatureof the agreement

INTERNATIONAL YEAR GLOBAL UNDERSTANDING REGIONAL ACTION CENTER OF SPAIN Signatureof the agreement between the University of Santiago de Compostela and the International Year of Global Understanding Last March the agreement to operationalize

163 views • 5 slides
USING DOMAIN KNO WLEDGE IN MA CHINE LEARNING Inductiv e vs Analytical Learning

USING DOMAIN KNO WLEDGE IN MA CHINE LEARNING Inductiv e vs Analytical Learning

USING DOMAIN KNO WLEDGE IN MA CHINE LEARNING Inductiv e vs Analytical Learning Carolina Ruiz Motiv ation Inductiv e Learning induction Examples

534 views • 21 slides
Where are we? Knowledge Engineering Semester 2, 2004-05 Last time . . . Michael Rovatsos

Where are we? Knowledge Engineering Semester 2, 2004-05 Last time . . . Michael Rovatsos

Introduction Introduction An Example An Example Inductive Logic Programming Inductive Logic Programming Summary Summary Where are we? Knowledge Engineering Semester 2, 2004-05 Last time . . . Michael Rovatsos Knowledge Evolution

422 views • 5 slides
Logic-based inductive synthesis of efficient programs Andrew Cropper Imperial College London

Logic-based inductive synthesis of efficient programs Andrew Cropper Imperial College London

Logic-based inductive synthesis of efficient programs Andrew Cropper Imperial College London String transformations Outpu Input t Computer Aided Verification CAV Principles Of Programming Languages POPL International Conference on

334 views • 12 slides
Beyond Inductive Definitions Induction-Recursion, Induction-Induction, Coalgebras Anton

Beyond Inductive Definitions Induction-Recursion, Induction-Induction, Coalgebras Anton

Beyond Inductive Definitions Induction-Recursion, Induction-Induction, Coalgebras Anton Setzer Swansea University, Swansea UK 1 March 2012 1/ 26 A Proof Theoretic Programme Sets in Martin-L of Type Theory Induction-Recursion,

295 views • 26 slides
Recursion and Induction

Recursion and Induction

CoSc 450: Programming Paradigms 02 Recursion and Induction

529 views • 38 slides
Ultra-Strong Machine Learning Comprehensibility of Programs Learned with Inductive Logic

Ultra-Strong Machine Learning Comprehensibility of Programs Learned with Inductive Logic

Ultra-Strong Machine Learning Comprehensibility of Programs Learned with Inductive Logic Programming Stephen Muggleton, Ute Schmid, Christina Zeller, Alireza Tamaddoni-Nezhad, Tarek Besold Department of Computing Imperial College, London, UK

523 views • 13 slides
Homotopy Type Theory in Agda 17|7|7 1 Goal synthetic homotopy theory in Agda + other needed

Homotopy Type Theory in Agda 17|7|7 1 Goal synthetic homotopy theory in Agda + other needed

Homotopy Type Theory in Agda 17|7|7 1 Goal synthetic homotopy theory in Agda + other needed theories 2 Goal synthetic homotopy theory in Agda + other needed theories Agda and Coq were the only two immediately usable systems for HoTT 2

360 views • 14 slides
Induction & Recursion Weiss: ch 7.1 Recursion a programming strategy for solving

Induction & Recursion Weiss: ch 7.1 Recursion a programming strategy for solving

Induction & Recursion Weiss: ch 7.1 Recursion a programming strategy for solving large problems Think divide and conquer Solve large problem by splitting into smaller problems of same kind Induction A

662 views • 26 slides

More recommend