fda assurance cases 21 22 feb 2008 based on open group
play

FDA Assurance Cases, 21, 22 Feb 2008 Based on Open Group Paris 23 - PowerPoint PPT Presentation

Sep 12, 2023 •178 likes •472 views

FDA Assurance Cases, 21, 22 Feb 2008 Based on Open Group Paris 23 April 2007, slight revisions of Open Group San Diego 31 January 2007, major rewrite of HCSS Aviation Safety Workshop, Alexandria, Oct 5,6 2006 Based on University of Illinois ITI

  1. FDA Assurance Cases, 21, 22 Feb 2008 Based on Open Group Paris 23 April 2007, slight revisions of Open Group San Diego 31 January 2007, major rewrite of HCSS Aviation Safety Workshop, Alexandria, Oct 5,6 2006 Based on University of Illinois ITI Distinguished Lecture Wednesday 5 April 2006 based on ITCES invited talk, Tuesday 4 April 2006

  2. Assurance Cases and Ultra-High Confidence John Rushby Computer Science Laboratory SRI International Menlo Park CA USA John Rushby, SR I Assurance Cases and Ultra-High Confidence: 1

  3. Justifiable Confidence • Let’s look at an area where ultra-high confidence is justified • Software in modern civil aircraft • Enough flight experience to substantiate failure rates close to 10 − 9 per hour in critical software • Largely standards-based ◦ DO-178B (software) ◦ DO-254 (complex hardware) ◦ DO-297 (integrated modular avionics) • Can we learn from these? John Rushby, SR I Assurance Cases and Ultra-High Confidence: 2

  4. Maybe Not: They Are Fallible • Fuel emergency on Airbus A340-642, G-VATL, on 8 February 2005 (AAIB SPECIAL Bulletin S1/2005) • Toward the end of a flight from Hong Kong to London: two engines shut down, crew discovered they were critically low on fuel, declared an emergency, landed at Amsterdam • Two Fuel Control Monitoring Computers (FCMCs) on this type of airplane; they cross-compare and the “healthiest” one drives the outputs to the data bus • Both FCMCs had fault indications, and one of them was unable to drive the data bus • Unfortunately, this one was judged the healthiest and was given control of the bus even though it could not exercise it • Further backup systems were not invoked because the FCMCs indicated they were not both failed John Rushby, SR I Assurance Cases and Ultra-High Confidence: 3

  5. Safety Culture • See also incident report for Boeing 777, 9M-MRG (Malaysian Airlines, near Perth Australia) • We don’t know what in DO-178B makes it work ◦ Most of the time But sometimes fail • Maybe current development and certification practices may be insufficient in the absence of safety culture • Current business models are leading to a loss of safety culture ◦ Outsourcing, COTS • Safety culture is implicit knowledge • Surely, a certification regime should be effective on the basis of its explicit requirements John Rushby, SR I Assurance Cases and Ultra-High Confidence: 4

  6. Maybe Not: They Focus On Correctness More Than Safety safety goal system rqts system specs safety verification software rqts software specs correctness verification code The (premature?) focus on correctness is hugely expensive John Rushby, SR I Assurance Cases and Ultra-High Confidence: 5

  7. Maybe Not: We Don’t Know Why Some Things Are Required E.g., MC/DC testing • Structural test coverage criterion required for Level A software • Tests are generated from requirements • Coverage is measured on the code • Can only get high coverage if the requirements are highly detailed Is it evidence for good testing or good requirements? John Rushby, SR I Assurance Cases and Ultra-High Confidence: 6

  8. Maybe Not: We Don’t Know Why We Have To Do More • Level A software requires MC/DC test coverage • Level B does not • Static analysis finds significant anomalies in avionics code ◦ A worrying discovery on its own • No discernible difference in anomaly rates between Levels A and B • So what did the extra work buy us? • Actually, there is lots of work on the efficacy of testing • But does this remain valid when tests are auto-generated? ◦ Auto-generated tests are often minimal John Rushby, SR I Assurance Cases and Ultra-High Confidence: 7

  9. Maybe Not: Why Are Multiple Forms of Evidence Required? • More evidence is required at higher Levels/EALs/SILs • What’s the argument that these deliver increased assurance? • Generally an implicit appeal to diversity ◦ And belief that diverse methods fail independently ◦ Not true in n -version software, should be viewed with suspicion here too John Rushby, SR I Assurance Cases and Ultra-High Confidence: 8

  10. Critique of Standards-Based Approaches • Goals, evidence, argument are surely present ◦ What other basis for certification is there? But they are mostly implicit • Explicitly they define only the evidence to be produced • The goals and arguments are implicit • Hence, hard to tell whether given evidence meets the intent • On the other hand: can work well in fields that are stable or change slowly ◦ Can institutionalize lessons learned, best practice ⋆ e.g. evolution of DO-178 from A to B to C • What can we adopt for assurance cases for medical devices? ◦ Airplanes are much simpler than physiology John Rushby, SR I Assurance Cases and Ultra-High Confidence: 9

  11. Rational Safety Cases • Currently, we apply safety analysis methods (HA, FTA, FMEA etc.) to an informal system description ◦ Little automation, but in principle ◦ These are abstracted ways to examine all reachable states • Then, to be sure the implementation does not introduce new hazards, require it exactly matches the analyzed description ◦ Hence, DO-178B is about correctness, not safety • Instead, use a formal system description ◦ Then have automated forms of reachability analysis ◦ Closer to the implementation, smaller gap to bridge • Analyze the implementation for preservation of safety, not correctness ◦ Favor methods that deliver unconditional claims John Rushby, SR I Assurance Cases and Ultra-High Confidence: 10

  12. Formal Methods (aside) • Formal methods are not about priestly ways to complicate life • They are about automated analyses that consider all possible executions • To make them tractable, may need to approximate ◦ Crude: downscaling ◦ Principled: predicate abstraction, abstract interpretation, etc • Most of the action is in improved automation, and automated abstraction John Rushby, SR I Assurance Cases and Ultra-High Confidence: 11

  13. Formal Methods • The move to model based development presents a (once in a lifetime) opportunity to move analytic methods into the early lifecycle, mostly based on formal methods • Modern automated formal methods can deliver unconditional claims about small properties very economically ◦ Static analysis, model checking, infinite bounded model checking and k-induction using SMT solvers, hybrid abstraction (which uses theorem proving over reals) • Larger properties will require combined methods (cf. the Evidential Tool Bus) • The applications of formal methods extend beyond verification and refutation (bug finding): test generation, fault tree analysis, human factors,. . . • Tool diversity may be an alternative to tool qualification John Rushby, SR I Assurance Cases and Ultra-High Confidence: 12

  14. Traditional Vee Diagram (Much Simplified) time and money system requirements test unit/integration design/code test John Rushby, SR I Assurance Cases and Ultra-High Confidence: 13

  15. Vee Diagram Tightened with Formal Methods time and money system requirements test unit/integration design/code test Example: Rockwell-Collins John Rushby, SR I Assurance Cases and Ultra-High Confidence: 14

  16. Multi-Legged Arguments • Need to know the arguments supported by each item of evidence, and how they compose • Want to distinguish rational multi-legged cases from nervous demands for more and more and . . . John Rushby, SR I Assurance Cases and Ultra-High Confidence: 15

  17. Two Kinds of Uncertainty In Certification • One kind concerns failure of a claim, usually stated probabilistically (frequentist interpretation) ◦ E.g., 10 − 9 probability of failure per hour, or 10 − 3 probability of failure on demand • The other kind concerns failure of the assurance process ◦ Seldom made explicit ◦ But can be stated in terms of subjective probability ⋆ E.g., 95% confident this system achieves 10 − 3 probability of failure on demand ⋆ Note: this does not concern sampling theory and is not a confidence interval • Demands for multiple sources of evidence are generally aimed at the second of these John Rushby, SR I Assurance Cases and Ultra-High Confidence: 16

  18. Bayesian Belief Nets • Bayes Theorem is the principal tool for analyzing subjective probabilities • Allows a prior assessment of probability to be updated by new evidence to yield a rational posterior probability ◦ E.g., P(C) vs. P(C | E) • Math gets difficult when the models are complex ◦ i.e., when we have many conditional probabilities of the form p(A | B and C or D) • BBNs provide a graphical means to represent these, and tools to automate the calculations • Can allow principled construction of multi-legged arguments John Rushby, SR I Assurance Cases and Ultra-High Confidence: 17

  19. A BBN Example Z Z: System Specification O O: Test Oracle S: System’s true quality S T V T: Test results V: Verification outcome C: Conclusion C John Rushby, SR I Assurance Cases and Ultra-High Confidence: 18

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Runtime Verification Workshop, Budapest, March 2008 FDA Assurance Cases, 21, 22 Feb 2008 Based on

Runtime Verification Workshop, Budapest, March 2008 FDA Assurance Cases, 21, 22 Feb 2008 Based on

Runtime Verification Workshop, Budapest, March 2008 FDA Assurance Cases, 21, 22 Feb 2008 Based on Open Group Paris 23 April 2007, slight revisions of Open Group San Diego 31 January 2007, major rewrite of HCSS Aviation Safety Workshop,

690 views • 31 slides
Layered Assurance Workshop 13, 14 August 2008, BWI Hilton based on Open Group, 23 July 2008,

Layered Assurance Workshop 13, 14 August 2008, BWI Hilton based on Open Group, 23 July 2008,

Layered Assurance Workshop 13, 14 August 2008, BWI Hilton based on Open Group, 23 July 2008, Chicago MILS Policy Architecture And Layered Assurance John Rushby Computer Science Laboratory SRI International Menlo Park CA USA John Rushby, SR I

418 views • 21 slides
Open Group, Sydney, Australia, 17 April 2013 based on Dagstuhl Seminar 13051, January 2013

Open Group, Sydney, Australia, 17 April 2013 based on Dagstuhl Seminar 13051, January 2013

Open Group, Sydney, Australia, 17 April 2013 based on Dagstuhl Seminar 13051, January 2013 Software Certification: Methods and Tools Logic and Epistemology in Assurance Cases John Rushby Computer Science Laboratory SRI International Menlo

339 views • 30 slides
Toward combined index-based group and indemnity-based individual insurance for smallholder

Toward combined index-based group and indemnity-based individual insurance for smallholder

Toward combined index-based group and indemnity-based individual insurance for smallholder farmers: Review of some issues and questions Elisabeth Sadoulet Assurance climatique indicielle et assurance classique: vers une approche hybride 21-22

332 views • 18 slides
The Indefeasibility Criterion For Effective Assurance Cases John Rushby Computer Science

The Indefeasibility Criterion For Effective Assurance Cases John Rushby Computer Science

The Indefeasibility Criterion For Effective Assurance Cases John Rushby Computer Science Laboratory SRI International Menlo Park, California, USA John Rushby, SR I Indefeasible Assurance 1 Introduction A safety case is a structured

307 views • 15 slides
Development of Critical Systems AUTHORS: P. GRAYDON, J. KNIGHT, E. STRUNK PRESENTED BY: MIKE

Development of Critical Systems AUTHORS: P. GRAYDON, J. KNIGHT, E. STRUNK PRESENTED BY: MIKE

Assurance Based Development of Critical Systems AUTHORS: P. GRAYDON, J. KNIGHT, E. STRUNK PRESENTED BY: MIKE MAKSIMOV 1 Overview 1. Introduction to Assurance Cases 2. Overview of the Problem 3. Assurance Based Development (ABD)

599 views • 37 slides
Introducing Automated Unit T esting into Open Source Projects Christopher Oezbek Freie

Introducing Automated Unit T esting into Open Source Projects Christopher Oezbek Freie

Failing test cases Passing test cases 250 200 Tests 150 100 50 A M J J A S O N D J F M A M J J A S O N D J F M A M J J A 2007 2008 2009 Month Introducing Automated Unit T esting into Open Source Projects

220 views • 10 slides
Assignm ent of Assignm ent of Design Assurance Levels Design Assurance Levels SAE S1 8 &

Assignm ent of Assignm ent of Design Assurance Levels Design Assurance Levels SAE S1 8 &

Assignm ent of Assignm ent of Design Assurance Levels Design Assurance Levels SAE S1 8 & EUROCAE W G-6 3 Presented by Steve Beland Associate Technical Fellow Boeing Com m ercial Airplanes August 20, 2008 FAA Software & AEH

504 views • 34 slides
Todays Legal Landscape: An Update on Recent Interesting Cases, Financial Assurance and

Todays Legal Landscape: An Update on Recent Interesting Cases, Financial Assurance and

OCS ADVISORY BOARD WORKSHOP Todays Legal Landscape: An Update on Recent Interesting Cases, Financial Assurance and Predecessor Liability, and Other Regulatory and Policy Matters Impacting the OCS Paul J. Goodwine Looper Goodwine P.C.

987 views • 80 slides
Use Cases Agenda Introductions Learning Programs Use Cases Takeaways Whats

Use Cases Agenda Introductions Learning Programs Use Cases Takeaways Whats

Use Cases Agenda Introductions Learning Programs Use Cases Takeaways Whats Next? Audit & Assurance Practice Areas Tax Financial Advisors Supply Chain Financial Services Healthcare Industry Nonprofits

865 views • 57 slides
CO CASES OF COVID-19 BY AGE GROUP, HOSPITALIZATION AND OUTCOME SAFER AT HOME Vulnerable

CO CASES OF COVID-19 BY AGE GROUP, HOSPITALIZATION AND OUTCOME SAFER AT HOME Vulnerable

CO CASES OF COVID-19 BY AGE GROUP, HOSPITALIZATION AND OUTCOME SAFER AT HOME Vulnerable populations and older adults must stay at home except Retail businesses open for when absolutely necessary curbside delivery and phased-in public opening

844 views • 22 slides
Quality Assurance and Com m unity Based Day Support Community Based Day Services Provider

Quality Assurance and Com m unity Based Day Support Community Based Day Services Provider

Quality Assurance and Com m unity Based Day Support Community Based Day Services Provider Events 2017 Com m unity Based Day Support Specification and Quality Assurance Commissioners of services under the Care Act 2014 have a duty to

140 views • 9 slides
ACT ACTIONS IONS TRE REND: ND: 39 cases YTD 40 cases for the last 10 years 39

ACT ACTIONS IONS TRE REND: ND: 39 cases YTD 40 cases for the last 10 years 39

SHAREHOLDER AREHOLDER CL CLAS ASS S ACT ACTIONS IONS TRE REND: ND: 39 cases YTD 40 cases for the last 10 years 39 10 20 13 10 5 4 3 3 1 1 2001 2004 2005 2006 2007 2008 2009

252 views • 10 slides
Practically Formal Development and Assurance of Complex Software-Intensive Safety-Critical

Practically Formal Development and Assurance of Complex Software-Intensive Safety-Critical

Practically Formal Development and Assurance of Complex Software-Intensive Safety-Critical Systems Alan Wassyng work with Zinovy Diskin, Nicholas Annable, and Mark Lawford CyPhyAssure, 20 March 2019 GSN-like Assurance Cases Pros

720 views • 33 slides
ACC ANSI Work Group Open Meeting October 15, 2008 Arlington, VA Agenda Introductions Dave

ACC ANSI Work Group Open Meeting October 15, 2008 Arlington, VA Agenda Introductions Dave

ACC ANSI Work Group Open Meeting October 15, 2008 Arlington, VA Agenda Introductions Dave Peters The ANSI process Susan Blanco The standards Anne Stieffenhofer Why combine them Ed Bisinger Proposed structure Catherine Croke

523 views • 29 slides
The Open IoT Stack: Architecture and Use Cases James Kirkland Chief IoT Architect, Red Hat

The Open IoT Stack: Architecture and Use Cases James Kirkland Chief IoT Architect, Red Hat

The Open IoT Stack: Architecture and Use Cases James Kirkland Chief IoT Architect, Red Hat Marco Carrer CTO, Eurotech 1 TODAYS IoT CHALLENGES Lack of Open Standards Vendor Lock-in Fragmentation Avoid being locked in by a single

644 views • 28 slides
Ava Thomas Wright AV.wright@northeastern.edu Postdoctoral Research Fellow in AI and Data Ethics

Ava Thomas Wright AV.wright@northeastern.edu Postdoctoral Research Fellow in AI and Data Ethics

Ava Thomas Wright AV.wright@northeastern.edu Postdoctoral Research Fellow in AI and Data Ethics here at Northeastern University JD, MS (Artificial Intelligence), PhD (Philosophy) I am here today to talk about Value Sensitive

510 views • 26 slides
QI World Caf Sharing quality improvement experiences & creating connections March 21, 2019

QI World Caf Sharing quality improvement experiences & creating connections March 21, 2019

QI World Caf Sharing quality improvement experiences & creating connections March 21, 2019 Presented by the Center for Community Health and Evaluation World Caf Goals Share with and learn from peers about doing QI in both clinical and

289 views • 7 slides
1 2 3 4 Addressing three aspects of engineering education Students: Academic Pathways

1 2 3 4 Addressing three aspects of engineering education Students: Academic Pathways

CAEE/APS team Findings from the Academic Pathways Study of Leadership team: Robin Adams, Cynthia Atman, Engineering Undergraduates Sheri Sheppard, Lorraine Fleming, Larry Leifer, Ronald Miller, Barbara Olds, Karl Smith, Reed 2003 2008

117 views • 9 slides
Use of Protg-2000 to Encode Clinical Guidelines Ravi D. Shankar, MS, Samson W. Tu, MS, and

Use of Protg-2000 to Encode Clinical Guidelines Ravi D. Shankar, MS, Samson W. Tu, MS, and

Use of Protg-2000 to Encode Clinical Guidelines Ravi D. Shankar, MS, Samson W. Tu, MS, and Mark A. Musen, MD, PhD Stanford Medical Informatics, Stanford University School of Medicine, Stanford, California, USA base. Abstract Several

393 views • 6 slides
The homogeneity theorem for ten- and eleven-dimensional supergravities Jos e

The homogeneity theorem for ten- and eleven-dimensional supergravities Jos e

The homogeneity theorem for ten- and eleven-dimensional supergravities Jos e Figueroa-OFarrill 13 February 2013 Jos e Figueroa-OFarrill Homogeneous supergravity backgrounds 1 / 26 Supergravity result of ongoing effort to marry GR

1.6k views • 148 slides
The Andromeda Effect: Dark Matter Halos in a Local Group Configuration with James Bullock, Jose

The Andromeda Effect: Dark Matter Halos in a Local Group Configuration with James Bullock, Jose

The Andromeda Effect: Dark Matter Halos in a Local Group Configuration with James Bullock, Jose Oorbe, Shea Garrison-Kimmel UC Irvine Mike Boylan-Kolchin, and Kyle Lee Thursday, August 16, 12 The Local Volume Thursday, August 16, 12

467 views • 36 slides
Symmetries Marco Chiarandini Department of Mathematics & Computer Science University of

Symmetries Marco Chiarandini Department of Mathematics & Computer Science University of

DM826 Spring 2014 Modeling and Solving Constrained Optimization Problems Lecture 13 Symmetries Marco Chiarandini Department of Mathematics & Computer Science University of Southern Denmark [ Slides by Marco Kuhlmann, Guido Tack and

936 views • 57 slides
Faculty-Administrator Collaboration Team(FACT) FDP Meeting Jan 2019 Agenda for FACT Session

Faculty-Administrator Collaboration Team(FACT) FDP Meeting Jan 2019 Agenda for FACT Session

Faculty-Administrator Collaboration Team(FACT) FDP Meeting Jan 2019 Agenda for FACT Session Introductions 5 min Mission and Strategic Issues 5 min Review Year One Projects 15 min Introduce Year Two Projects 15

663 views • 25 slides

More recommend