what might a science of certification look like
play

What Might A Science of Certification Look Like? John Rushby - PowerPoint PPT Presentation

Apr 09, 2024 •286 likes •774 views

What Might A Science of Certification Look Like? John Rushby Computer Science Laboratory SRI International Menlo Park, California, USA John Rushby, SR I Scientific Certification: 1 Overview Some tutorial introduction Implicit vs.

  1. What Might A Science of Certification Look Like? John Rushby Computer Science Laboratory SRI International Menlo Park, California, USA John Rushby, SR I Scientific Certification: 1

  2. Overview • Some tutorial introduction • Implicit vs. explicit approaches to certification • Making (software) certification “more scientific” • Compositional certification John Rushby, SR I Scientific Certification: 2

  3. Certification • Judgment that a system is adequately safe/secure/whatever for a given application in a given environment • Based on a documented body of evidence that provides a convincing and valid argument that it is so • Some fields separate these two ◦ e.g., security: certification vs. evaluation ◦ Evaluation may be neutral wrt. application and environment (especially for subsystems) • Others bind them together ◦ e.g., passenger airplane certification builds in assumptions about the application and environment ⋆ Such as, no aerobatics—though Tex Johnston did a barrel roll (twice!) in a 707 at an airshow in 1955 John Rushby, SR I Scientific Certification: 3

  4. View From Inside Inverted 707 During Tex Johnston’s barrel roll John Rushby, SR I Scientific Certification: 4

  5. Certification vs. Evaluation • I’ll assume the gap between these is small • And the evaluation takes the application and environment into account • Otherwise the problem recurses ◦ The system is the whole shebang, and evaluation is just providing evidence about a subsystem • And I’ll use the terms interchangeably John Rushby, SR I Scientific Certification: 5

  6. “System is Safe for Given Application and Environment” • So it’s a system property ◦ e.g., the FAA certifies only airplanes and engines (and propellers) • Can substitute secure, or whatever, for safe ◦ Invariably these are about absence of harm • So, generically, certification is about controlling the downsides of system deployment • Which means that you know what the downsides are ◦ And how they could come about ◦ And you have controlled them in some way ◦ And you have credible evidence that you’ve done so John Rushby, SR I Scientific Certification: 6

  7. Knowing What the Downsides Are And How They Could Come About • The problem of “unbounded relevance” (Anthony Hall) • There are systematic ways for trying to bound and explore the space of relevant possibilities ◦ Hazard analysis ◦ Fault tree analysis ◦ Failure modes and effects (and criticality) analysis: FMEA (FMECA) ◦ HAZOP (use of guidewords) • These are described in industry-specific documents ◦ e.g., SAE ARP 4761, ARP 4754 for aerospace John Rushby, SR I Scientific Certification: 7

  8. Controlling The Downsides • Downsides are usually ranked by severity ◦ e.g. catastrophic failure conditions for aircraft are “those which would prevent continued safe flight and landing” • And an inverse relationship is required between severity and frequency ◦ Catastrophic failures must be “so unlikely that they are not anticipated to occur during the entire operational life of all airplanes of the type” John Rushby, SR I Scientific Certification: 8

  9. Subsystems • Hazards, their severities, and their required (im)probability of occurrence flow down through a design into its subsystems • The design process iterates to best manage these • And allocates hazard “budgets” to subsystems ◦ e.g., no hull loss in lifetime of fleet, 10 7 hours for fleet lifetime, 10 possible catastrophic failure conditions in each of 10 subsystems, yields allocated failure probability of 10 − 9 per hour for each • Another approach could require the new system to do no worse than the one it’s replacing ◦ e.g., in 1960, big jets averaged 2 fatal accidents per 10 6 hours; this improved to 0.5 by 1980 and was projected to reach 0.3 by 1990; so set the target at 0.1 ( 10 − 7 ), then subsystem calculation as above yields 10 − 9 per hour again John Rushby, SR I Scientific Certification: 9

  10. Design Iteration • Might choose to use self-checking pairs to mask both computer and actuator faults • Must tolerate one actuator fault and one computer fault simultaneously actuator 1 actuator 2 4 1 3 2 P M self−checking pair • Can take up to four frames to recover control John Rushby, SR I Scientific Certification: 10

  11. Consequences of Slow Recovery • Use large, slow moving ailerons rather than small, fast ones • As a result, wing is structurally inferior • Holds less fuel • And plane has inferior flying qualities • All from a choice about how to do fault tolerance John Rushby, SR I Scientific Certification: 11

  12. Design Iteration: Physical Averaging At The Actuators An alternative design uses averaging at the actuators • e.g., multiple coils on a single solenoid • Or multiple pistons in a single hydraulic pot John Rushby, SR I Scientific Certification: 12

  13. Design Margin and Redundancy • Can often calculate the stresses on physical components • May then sometimes be able to build in a safety margin ◦ e.g., airplane wing must take 1.5 times maximum expected load • In other cases, historical experience yields failure rates • Can tolerate these through redundancy ◦ e.g., multiple hydraulic systems on an aircraft • And can calculate probabilities ◦ Assuming no common mode failures ◦ i.e., no overlooked design flaws John Rushby, SR I Scientific Certification: 13

  14. Design Failure • Possibility of residual design faults is seldom considered for physical systems ◦ Relatively simple designs, much experience, accurate models, massive testing of the actual product • But it still can happen ◦ e.g., 737 rudder actuator Especially when redundancy adds complexity • But software is nothing but design • And it is often complex • So, can we tolerate software design faults, or must we eliminate them? John Rushby, SR I Scientific Certification: 14

  15. Diversity As Defense For Design Faults? • Use of redundancy to tolerate faults rests on the assumption of independent failures • Achievable when physical failures only are considered • To control common mode failures, may sometimes use diverse mechanisms ◦ e.g., ram air turbine for emergency hydraulic power • And some advocate software redundancy with design diversity to counter software flaws • Many arguments against this ◦ Need diversity all the way up the design hierarchy ◦ Diverse designs often have correlated failures ◦ Better to spend three times as much on one good design • So usually must show that software is free of design faults John Rushby, SR I Scientific Certification: 15

  16. Software Certification • Software is usually certified only in a systems context • Hazards flow down to establish properties that must be guaranteed, and their criticalities ◦ Unrequested function ◦ And malfunction ◦ Are generally more serious than loss of function • How to establish satisfaction of such requirements? • Generally try to show that software is free of design faults • Try harder for more software critical components ◦ i.e., for higher software integrity levels (SILs) John Rushby, SR I Scientific Certification: 16

  17. Approaches to System and Software Certification The implicit standards-based approach • e.g., airborne s/w (DO-178B), security (Common Criteria) • Follow a prescribed method • Deliver prescribed outputs ◦ e.g., documented requirements, designs, analyses, tests and outcomes, traceability among these • Internal (DERs) and/or external (NIAP) review Works well in fields that are stable or change slowly • Can institutionalize lessons learned, best practice ◦ e.g. evolution of DO-178 from A to B to C (in progress) But less suitable when novelty in problems, solutions, methods Implicit that the prescribed processes achieve the safety goals John Rushby, SR I Scientific Certification: 17

  18. Does The Implicit Approach Work? • Fuel emergency on Airbus A340-642, G-VATL, on 8 February 2005 (AAIB SPECIAL Bulletin S1/2005) • Two Fuel Control Monitoring Computers (FCMCs) on this type of airplane; they cross-compare and the “healthiest” one drives the outputs to the data bus • Both FCMCs had fault indications, and one of them was unable to drive the data bus • Unfortunately, this one was judged the healthiest and was given control of the bus even though it could not exercise it • Further backup systems were not invoked because the FCMCs indicated they were not both failed John Rushby, SR I Scientific Certification: 18

  19. Approaches to System and Software Certification (ctd.) The explicit goal based approach • e.g., aircraft, air traffic management (CAP670 SW01), ships Applicant develops an assurance case • Whose outline form may be specified by standards or regulation (e.g., MOD DefStan 00-56) • The case is evaluated by independent assessors An assurance case • Makes an explicit set of goals or claims • Provides supporting evidence for the claims • And arguments that link the evidence to the claims ◦ Make clear the underlying assumptions and judgments • Should allow different viewpoints and levels of detail John Rushby, SR I Scientific Certification: 19

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Citizen Science Certification San Juan Bay Estuary Program Citizen Science Citizen science

Citizen Science Certification San Juan Bay Estuary Program Citizen Science Citizen science

Citizen Science Certification San Juan Bay Estuary Program Citizen Science Citizen science is the involvement of the public in scientific research whether community-driven research or global investigations. Citizen science mobilizes the

346 views • 10 slides
1 2 3 KASS Certification Procedure Operation System Certification Certification Training

1 2 3 KASS Certification Procedure Operation System Certification Certification Training

1 2 3 KASS Certification Procedure Operation System Certification Certification Training Inspection/Audit Establish MoC Status of Operator/ Maintainer Manual, Function Identify CRB Record and Interfaces Result of Form Ground/

618 views • 24 slides
CAPLA CERTIFICATION PROGRAM EVERYTHING YOU NEED TO KNOW ABOUT THE CERTIFICATION EXAM HOW TO

CAPLA CERTIFICATION PROGRAM EVERYTHING YOU NEED TO KNOW ABOUT THE CERTIFICATION EXAM HOW TO

CAPLA CERTIFICATION PROGRAM EVERYTHING YOU NEED TO KNOW ABOUT THE CERTIFICATION EXAM HOW TO APPLY TO WRITE Once you have logged into the Then under Certification The Certification committee Application Forms may be CAPLA website using

687 views • 37 slides
Just-In-Time Certification John Rushby Computer Science Laboratory SRI International Menlo

Just-In-Time Certification John Rushby Computer Science Laboratory SRI International Menlo

Just-In-Time Certification John Rushby Computer Science Laboratory SRI International Menlo Park, California, USA John Rushby, SR I Just-In-Time Certification: 1 Certification Provides assurance that deploying a given system does not pose

234 views • 21 slides
1 CERTIFICATION Coming to you soon! 2 What is OPTA VIA Certification? OPTA VIA

1 CERTIFICATION Coming to you soon! 2 What is OPTA VIA Certification? OPTA VIA

1 CERTIFICATION Coming to you soon! 2 What is OPTA VIA Certification? OPTA VIA Certification is based on Dr. As Habits of Health Transformational System and is available to all Coaches who want to apply and reinforce their knowledge of

613 views • 19 slides
Certification Pathway to CCC-A Todd R. Philbrick, CAE Director, Certification Ex Officio to the

Certification Pathway to CCC-A Todd R. Philbrick, CAE Director, Certification Ex Officio to the

ASHA Certification Pathway to CCC-A Todd R. Philbrick, CAE Director, Certification Ex Officio to the CFCC Presentation Overview What is Certification? CCC-A Certification Standards CCC-A Application Process FAQs Keep your

209 views • 19 slides
New Challenges In Certification For Aircraft Software John Rushby Computer Science Laboratory

New Challenges In Certification For Aircraft Software John Rushby Computer Science Laboratory

New Challenges In Certification For Aircraft Software John Rushby Computer Science Laboratory SRI International Menlo Park CA USA John Rushby, SR I Aircraft Software Certification 1 Overview The basics of aircraft certification The

430 views • 32 slides
Timer Certification Clinic Timer Certification A prerequisite for training and certification in

Timer Certification Clinic Timer Certification A prerequisite for training and certification in

Timer Certification Clinic Timer Certification A prerequisite for training and certification in all other positions (Descriptions in some of the following slides are as indicated in the rules, although it is not unusual for the referee to

378 views • 10 slides
Certification Opportunities for IMA John Rushby Computer Science Laboratory SRI International

Certification Opportunities for IMA John Rushby Computer Science Laboratory SRI International

Certification Opportunities for IMA John Rushby Computer Science Laboratory SRI International Menlo Park CA USA John Rushby, SR I Certification Opportunities for IMA: 1 Imagine. . . Maybe 10 years from now New guidelines: DO-297B and

259 views • 14 slides
Compositional Certification John Rushby Computer Science Laboratory SRI International Menlo

Compositional Certification John Rushby Computer Science Laboratory SRI International Menlo

Compositional Certification John Rushby Computer Science Laboratory SRI International Menlo Park CA USA John Rushby, SR I Compositional Certification: 1 Systems, Components, and Properties Security, for example, is a system property

522 views • 17 slides
Scientific Certification John Rushby Computer Science Laboratory SRI International Menlo Park,

Scientific Certification John Rushby Computer Science Laboratory SRI International Menlo Park,

Scientific Certification John Rushby Computer Science Laboratory SRI International Menlo Park, California, USA John Rushby, SR I Scientific Certification: 1 Does The Current Approach Work? Fuel emergency on Airbus A340-642, G-VATL, on 8

998 views • 21 slides
Wastewater Laboratory Certification Overview 1 What is laboratory certification? Laboratory

Wastewater Laboratory Certification Overview 1 What is laboratory certification? Laboratory

Wastewater Laboratory Certification Overview 1 What is laboratory certification? Laboratory certification is a process that provides formal recognition to the managerial and technical competence of a laboratory performing specific analyses

853 views • 50 slides
AEROREADY CERTIFICATION Components to AEROready TM Certification In order to award an AEROready TM

AEROREADY CERTIFICATION Components to AEROready TM Certification In order to award an AEROready TM

AEROREADY CERTIFICATION Components to AEROready TM Certification In order to award an AEROready TM certification, our consulting team analyses hundreds of site selection criteria with emphasis on the following 10 items Assessment of airport

1.08k views • 75 slides
IIBA Certification Overview 1 Topics A. Benefits of Attaining an IIBA Certification B. IIBA

IIBA Certification Overview 1 Topics A. Benefits of Attaining an IIBA Certification B. IIBA

IIBA Certification Overview 1 Topics A. Benefits of Attaining an IIBA Certification B. IIBA Certification Options C. Applying for Certification D. Exam Activities Register and Prepare E. Benefits of BABOK studying 2/13/2018, p. 1

127 views • 10 slides
SOUTH DAKOTA DEPARTMENT OF EDUCATION OFFICE OF EDUCATOR CERTIFICATION Certification@state.sd.us

SOUTH DAKOTA DEPARTMENT OF EDUCATION OFFICE OF EDUCATOR CERTIFICATION Certification@state.sd.us

SOUTH DAKOTA DEPARTMENT OF EDUCATION OFFICE OF EDUCATOR CERTIFICATION Certification@state.sd.us OUTCOME OF PRESENTATION Understand the importance of educator certification Ability to create a user id and apply for certification

698 views • 53 slides
Voluntary EU certification for Voluntary EU certification for non-residential buildings

Voluntary EU certification for Voluntary EU certification for non-residential buildings

Voluntary EU certification for Voluntary EU certification for non-residential buildings Definition of an Energy Performance Scale Jana Bendalov BUILDING TESTING AND RESEARCH INSTITUTE / Slovakia 09 January 2012 1 Context

609 views • 19 slides
Lecture 04 (02.11.2015) Hazard Analysis Christoph Lth Jan Peleska Dieter Hutter

Lecture 04 (02.11.2015) Hazard Analysis Christoph Lth Jan Peleska Dieter Hutter

Systeme hoher Qualitt und Sicherheit Universitt Bremen WS 2015/2016 Lecture 04 (02.11.2015) Hazard Analysis Christoph Lth Jan Peleska Dieter Hutter SSQ, WS 15/16 Where are we? 01: Concepts of Quality 02: Legal Requirements:

634 views • 26 slides
Industrial Automation Automation Industrielle Industrielle Automation Safety analysis and

Industrial Automation Automation Industrielle Industrielle Automation Safety analysis and

Industrial Automation Automation Industrielle Industrielle Automation Safety analysis and standards 9.6 Analyse de scurit et normes Sicherheitsanalyse und Normen Prof Dr. Hubert Kirrmann & Dr. B. Eschermann ABB Research Center,

799 views • 31 slides
RISK AND PLANNING FOR RISK AND PLANNING FOR MISTAKES MISTAKES Christian Kaestner With slides

RISK AND PLANNING FOR RISK AND PLANNING FOR MISTAKES MISTAKES Christian Kaestner With slides

RISK AND PLANNING FOR RISK AND PLANNING FOR MISTAKES MISTAKES Christian Kaestner With slides adopted from Eunsuk Kang Required reading: Hulten, Geoff. "Building Intelligent Systems: A Guide to Machine Learning Engineering."

1.27k views • 84 slides
Using FMEA to Improve So4ware Reliability Kraig Strong -

Using FMEA to Improve So4ware Reliability Kraig Strong -

Using FMEA to Improve So4ware Reliability Kraig Strong - Tektronix What dont we like about (most) quality processes? They are Jme consuming

893 views • 35 slides
Holger Hermanns dependable systems and software Saarland University Saarbrcken, Germany

Holger Hermanns dependable systems and software Saarland University Saarbrcken, Germany

Holger Hermanns dependable systems and software Saarland University Saarbrcken, Germany Safety? Safety by design? Make sure hazardous situations are unreachable! Safety by design? Make sure hazardous situations are unreachable! Safety by

1.38k views • 62 slides
Plan for Quality to Improve Patient Safety at the POC SHARON S. EHRMEYER, PH.D., MT(ASCP)

Plan for Quality to Improve Patient Safety at the POC SHARON S. EHRMEYER, PH.D., MT(ASCP)

Plan for Quality to Improve Patient Safety at the POC SHARON S. EHRMEYER, PH.D., MT(ASCP) PROFESSOR, DEPARTMENT OF PATHOLOGY AND LABORATORY MEDICINE SCHOOL OF MEDICINE AND PUBLIC HEALTH MADISON, WI = Quality Meeting the requirements or needs

834 views • 55 slides
efficient dependability analysis Fumio Machida University of Tsukuba April 8, 2019 In the 2nd

efficient dependability analysis Fumio Machida University of Tsukuba April 8, 2019 In the 2nd

Practices in model component reuse for efficient dependability analysis Fumio Machida University of Tsukuba April 8, 2019 In the 2nd Workshop on Education and Practice of Performance Engineering Outline Dependability analysis in practice

515 views • 26 slides
Structuring and potentially formalising (Assurance) Case Arguments Tim Kelly

Structuring and potentially formalising (Assurance) Case Arguments Tim Kelly

Structuring and potentially formalising (Assurance) Case Arguments Tim Kelly tim.kelly@york.ac.uk Overview Safety Cases and Safety Arguments Structured (but Informal) Arguments Considerations in Formalisation Structured

586 views • 27 slides

More recommend