Odell Hegna

DOI: https://doi.org/10.48550/arXiv.1501.00820

2019-03-11

Abstract:Computers may control safety-critical operations in machines having embedded software. This memoir proposes a regimen to verify such algorithms at prescribed levels of statistical confidence. The United States Department of Defense standard for system safety engineering (MIL-STD-882E) defines development procedures for safety-critical systems. However, a problem exists: the Standard fails to distinguish quantitative product assurance technique from categorical process assurance method for software development. Resulting is conflict in the technical definition of the term risk. The primary goal here is to show that a quantitative risk-based product assurance method exists and is consistent with hardware practice. Discussion appears in two major parts: theory, which shows the relationship between automata and software; and application, which covers demonstration and indemnification. Demonstration is a technique for generating random tests; indemnification converts pass/fail test results to compound Poisson parameters (severity and intensity). Together, demonstration and indemnification yield statistical confidence that safety-critical code meets design intent. Statistical confidence is the keystone of quantitative product assurance. A secondary goal is resolving the conflict over the term risk. The first meaning is an accident model known in mathematics as the compound Poisson stochastic process, and so is called statistical risk. Various of its versions underlie the theories of safety and reliability. The second is called developmental risk. It considers software autonomy, which considers time until manual recovery of control. Once these meanings are separated, MIL-STD-882 can properly support either formal quantitative safety assurance or empirical process robustness, which differ in impact.

Logic in Computer Science

Stuart G. Reid

DOI: https://doi.org/10.1016/j.ymssp.2012.07.016

IF: 8.4

2013-05-01

Mechanical Systems and Signal Processing

Abstract:Reliability assessments are commonly carried out to provide a rational basis for risk-informed decisions concerning the design or maintenance of engineering systems and structures. However, calculated reliabilities and associated probabilities of failure often have significant uncertainties associated with the possible estimation errors relative to the ‘true’ failure probabilities. For uncertain probabilities of failure, a measure of ‘probabilistic confidence’ has been proposed to reflect the concern that uncertainty about the true probability of failure could result in a system or structure that is unsafe and could subsequently fail. The paper describes how the concept of probabilistic confidence can be applied to evaluate and appropriately limit the probabilities of failure attributable to particular uncertainties such as design errors that may critically affect the dependability of risk-acceptance decisions. This approach is illustrated with regard to the dependability of structural design processes based on prototype testing with uncertainties attributable to sampling variability.

engineering, mechanical

M. Lehman

DOI: https://doi.org/10.1002/SMR.4360010103

1989-09-01

Abstract:Computers are being applied more and more broadly to address applications in all areas of human activity, penetrating ever deeper into the very fabric of society. As a consequence, mankind is becoming, collectively and individually, ever more dependent on software and on the integrity of that software. In this context the term software includes both the systems software that constitutes a fundamental part of the operational configuration and the programs that implement each individual application. Integrity is a many faceted concept that has to do with the availability of programs whenever they are needed and their correctness in relation to the circumstances at the moment of execution or, more precisely, when the results of computation are applied. A program must produce a solution that is correct and relevant when used. It must continue to do so whenever required over the lifetime of an application and of the systems that realize and support it. All this is required despite continuing change in a dynamic world. This paper discusses some properties of software and of software technology and identifies fundamental issues that must be addressed if program integrity is to be achieved initially, and if a program is to be maintained as satisfactory in a continuously changing operational environment. The discussion leads to formulation of a ‘Principle of Uncertainty’ that applies, in general, to all computer applications in the real world. The principle follows from the fact that any program is a model, albeit many times removed by abstraction and reification from the real world it reflects and addresses. The consequences of this basic fact lead to a need for a disciplined technology associated with a controlled process for definition of each application, its operational domain, the envisaged system and software, and for its development, application and evolution (maintenance). This paper concludes with a brief mention of the implications of the analysis on relevant technological issues. Fundamental concepts and observations that underlie the development of a software engineering discipline and its supporting technology are introduced. Software engineering is seen as the discipline that permits one to limit uncertainty and its consequences through the introduction and control of appropriate development processes and the systematic and disciplined applications of methods and tools. The emergence of such tools, of computer assisted software engineering (CASE) and of programming and project support environments (IPSEs) is briefly discussed. Finally the paper addresses issues that arise in transferring this still developing technology to industry and introducing it into practice, outlining briefly how this may be approached.

Engineering,Computer Science

Kizito Salako,Xingyu Zhao

DOI: https://doi.org/10.1109/tse.2022.3233802

IF: 7.4

2023-04-21

IEEE Transactions on Software Engineering

Abstract:When assessing a software-based system, the results of Bayesian statistical inference on operational testing data can provide strong support for software reliability claims. For inference, this data (i.e., software successes and failures) is often assumed to arise in an independent, identically distributed (i.i.d.) manner. In this paper we show how conservative Bayesian approaches make this assumption unnecessary, by incorporating one's doubts about the assumption into the assessment. We derive conservative confidence bounds on a system's probability of failure on demand (pfd), when operational testing reveals no failures. The generality and utility of the confidence bounds are illustrated in the assessment of a nuclear power-plant safety-protection system, under varying levels of skepticism about the i.i.d. assumption. The analysis suggests that the i.i.d. assumption can make Bayesian reliability assessments extremely optimistic – such assessments do not explicitly account for how software can be very likely to exhibit no failures during extensive operational testing despite the software's pfd being undesirably large.

engineering, electrical & electronic,computer science, software engineering

Rob Ashmore

DOI: https://doi.org/10.48550/arXiv.1404.7528

2014-05-08

Abstract:We argue that quantifying software reliability is important in demonstrating that system-level risks are As Low As Reasonably Practicable (ALARP). Furthermore, we demonstrate that such quantification is possible in at least one meaningful case. It is, however, unlikely to be practical in every case. This means it is unlikely to be included as an explicit objective in standards. Hence, for those cases where software reliability can be quantified, merely following a standard may lead to risk-reduction opportunities being missed.

Software Engineering

M. M. LElHMAN

Abstract:SUMMARY Computers are being applied more and more broadly to address applications in all areas of human activity, penetrating ever deeper into the very fabric of society. As a consequence, mankind is becoming;, collectively and individually, ever more dependent on software and on the integrity of that software. In this context the term software includes both the systems software that constitutes a fundamental part of the operational configuration and the programs that implement each individual application. Integrity is a many faceted concept that has to do with the availability of programs whenever they are needed and their correctness in relation to the circumstances at the moment of execution or, more precisely, when the results of computation are applied. A program must produce a solution that is correct and relevant when used. It must continue to do so whenever required over the lifetime of an application and of the systems that realize and support it. All this is required despite continuing change in a dynamic world. This paper discusses some properties of software and of software technology and identifies fundamental issues that must be addressed if program integrity is to be achieved initially, and if a program is to be maintained as satisfactory in a continuously changing operational environment. The discussion leads to formulation of a ‘Principle of Uncertainty’ that applies, in general, to all computer applications in the real world. The principle follows from the fact that any program is a model, albeit many times removed by abstraction and reification from the real world it reflects and addresses. The consequences of this basic fact lead to a need for a disciplined technology associated with a controlled process for definition of each application, its operational domain, the envisaged system and software, and for its development, application and evolution (maintenance). This paper concludes with a brief mention of the implications of the analysis on relevant technological issues. Fundamental concepts and observations that underlie the development of a software engineering discipline and its supporting technology are introduced. Software engineering is seen as the discipline that permits one to limit uncertainty and its consequences through the introduction and control of appropriate development processes and the systematic and disciplined applications of methods and tools. The emergence of such tools, of computer assisted software engineering (CASE) and of programming and project support environments (IPSEs) is briefly discussed, Finally the paper addresses issues that arise in transferring this still developing technology to industry and introducing it into practice, outlining briefly how this may be approached

Computer Science

Stuart G. Reid

DOI: https://doi.org/10.1016/j.strusafe.2020.102043

IF: 5.712

2021-01-01

Structural Safety

Abstract:A limitation of current reliability-based design Standards is their dependence on imprecise estimates of the probability of failure. These imprecise estimates do not, by themselves, provide a dependable basis for explicit risk-based decision-making. Therefore reliability-based Standards depend on Code calibration to determine acceptable levels of the estimated nominal probabilities of failure, which hinders further rationalisation and innovation. The paper discusses uncertain failure probabilities and defines a related characteristic failure probability that provides a dependable basis for risk-based decision-making. Uncertain probability estimates arise from epistemic uncertainty and they can be described by their own probability distributions. The paper discusses probability distributions of uncertain probabilities of failure, with examples of uncertainty arising from the sampling variability for design based on prototype testing in accordance with provisions in Australian Standards and an AISI Standard, and also sampling variability in the estimation of a design wind load based on wind speed data. It is shown that the characteristic failure probability provides a dependable basis for assessing the acceptability of extremely uncertain probabilities of structural failure.

engineering, civil

Kizito Salako,Xingyu Zhao

DOI: https://doi.org/10.1002/qre.3460

2023-10-29

Quality and Reliability Engineering International

Abstract:This paper presents Bayesian techniques for conservative claims about software reliability, particularly when evidence suggests the software's executions are not statistically independent. We formalise informal notions of "doubting" that the executions are independent, and incorporate such doubts into reliability assessments. We develop techniques that reveal the extent to which independence assumptions can undermine conservatism in assessments, and identify conditions under which this impact is not significant. These techniques – novel extensions of conservative Bayesian inference (CBI) approaches – give conservative confidence bounds on the software's failure probability per execution. With illustrations in two application areas – nuclear power‐plant safety and autonomous vehicle (AV) safety – our analyses reveals: (1) the confidence an assessor should possess before subjecting a system to operational testing. Otherwise, such testing is futile – favourable operational testing evidence will eventually decrease one's confidence in the system being sufficiently reliable; (2) the independence assumption supports conservative claims sometimes; (3) in some scenarios, observing a system operate without failure gives less confidence in the system than if some failures had been observed; (4) building confidence in a system is very sensitive to failures – each additional failure means significantly more operational testing is required, in order to support a reliability claim.

engineering, industrial, multidisciplinary,operations research & management science

Robin Bloomfield,John Rushby

DOI: https://doi.org/10.1007/978-3-031-66676-6_1

2024-09-17

Abstract:An assurance case should provide justifiable confidence in the truth of a claim about some critical property of a system or procedure, such as safety or security. We consider how confidence can be assessed in the rigorous approach we call Assurance 2.0. Our goal is indefeasible confidence and we approach it from four different perspectives: logical soundness, probabilistic assessment, dialectical examination, and residual risks.

Software Engineering

Robin Bloomfield,John Rushby

2024-05-03

Abstract:An assurance case is intended to provide justifiable confidence in the truth of its top claim, which typically concerns safety or security. A natural question is then "how much" confidence does the case provide? We argue that confidence cannot be reduced to a single attribute or measurement. Instead, we suggest it should be based on attributes that draw on three different perspectives: positive, negative, and residual doubts. Positive Perspectives consider the extent to which the evidence and overall argument of the case combine to make a positive statement justifying belief in its claims. We set a high bar for justification, requiring it to be indefeasible. The primary positive measure for this is soundness, which interprets the argument as a logical proof. Confidence in evidence can be expressed probabilistically and we use confirmation measures to ensure that the "weight" of evidence crosses some threshold. In addition, probabilities can be aggregated from evidence through the steps of the argument using probability logics to yield what we call probabilistic valuations for the claims. Negative Perspectives record doubts and challenges to the case, typically expressed as defeaters, and their exploration and resolution. Assurance developers must guard against confirmation bias and should vigorously explore potential defeaters as they develop the case, and should record them and their resolution to avoid rework and to aid reviewers. Residual Doubts: the world is uncertain so not all potential defeaters can be resolved. We explore risks and may deem them acceptable or unavoidable. It is crucial however that these judgments are conscious ones and that they are recorded in the assurance case. This report examines the perspectives in detail and indicates how Clarissa, our prototype toolset for Assurance 2.0, assists in their evaluation.

Artificial Intelligence

Richard L. Warr,Jace Ritchie,Michael Hamada

DOI: https://doi.org/10.1080/00224065.2023.2287747

IF: 2.182

2024-01-26

Journal of Quality Technology

Abstract:To successfully determine if a system meets some reliability standard, typically assurance tests are conducted on the full system. This proven approach is extremely effective. However, it can be cost prohibitive when full system tests are expensive. Previous work has incorporated component and subsystem data to supplement the component prior distributions before a full system assurance test. Although this can be helpful, we propose an additional advance of allowing component and subsystem tests as part of the assurance test. We show that by augmenting full system tests with component and subsystem tests, in some cases, we can reduce the cost of the assurance test. For a system that can be decomposed into independent series and parallel parts, the theory works perfectly. In the case where we cannot accurately classify parts using the series or parallel structure, we add a generalization that works for systems that are "almost-series" or "almost-parallel."

engineering, industrial,operations research & management science,statistics & probability

Mario Fusani,Giuseppe Lami

DOI: https://doi.org/10.48550/arXiv.1404.6805

2014-04-28

Abstract:Difficulty of safety-related software standards to help producing software for safe systems is discussed. Some research activity and other actions are proposed to focus on and possibly resolve long-lasting related problems.

Software Engineering

Richard Cheng,Richard M. Murray,Joel W. Burdick

DOI: https://doi.org/10.48550/arXiv.2103.03388

2021-03-25

Abstract:When autonomous robots interact with humans, such as during autonomous driving, explicit safety guarantees are crucial in order to avoid potentially life-threatening accidents. Many data-driven methods have explored learning probabilistic bounds over human agents' trajectories (i.e. confidence tubes that contain trajectories with probability $\delta$), which can then be used to guarantee safety with probability $1-\delta$. However, almost all existing works consider $\delta \geq 0.001$. The purpose of this paper is to argue that (1) in safety-critical applications, it is necessary to provide safety guarantees with $\delta < 10^{-8}$, and (2) current learning-based methods are ill-equipped to compute accurate confidence bounds at such low $\delta$. Using human driving data (from the highD dataset), as well as synthetically generated data, we show that current uncertainty models use inaccurate distributional assumptions to describe human behavior and/or require infeasible amounts of data to accurately learn confidence bounds for $\delta \leq 10^{-8}$. These two issues result in unreliable confidence bounds, which can have dangerous implications if deployed on safety-critical systems.

Robotics,Multiagent Systems,Systems and Control

赵亮,王建民,孙家广

DOI: https://doi.org/10.3724/sp.j.1001.2008.01379

2008-01-01

Journal of Software

Abstract:This paper studies statistical test's assurance ability on different programs and brings forward to incorporating effectiveness information into software reliability assessment.This can improve the accuracy of reliability assessment.This paper empirically investigates the reasonableness of this method.The conclusion provides a new way for high reliable software assurance.

Liang ZHAO,Jian-Min WANG,Jia-Guang SUN

DOI: https://doi.org/10.3321/j.issn:0254-4164.2007.06.013

2007-01-01

Jisuanji Xuebao/Chinese Journal of Computers

Abstract:Software testability and reliability are two important quality features. Till now, the intuition about the relationship between testability and reliability still lacks support from solid theory proof and adequate empirical validation. This paper gives a new testability definition from the view of testing effectiveness, brings forward a quantification testability representation model, builds a formal relationship between testability and reliability, and empirically validates the impact of software testability on test effort for certain reliability assurance target. The conclusion suggests that classical black-box based reliability estimation model is blind to certain degree and testability-based model can give more accurate and specific result.

Uwe Becker

DOI: https://doi.org/10.1007/978-3-319-24249-1_35

2015-01-01

Abstract:Today’s situation in operating theaters is characterized by many different devices from various manufacturers. Missing standards for device intercommunication lead to the fact that inter-device communication in most cases is either difficult or even impossible. A system oriented approach with networked devices is envisioned to improve this heterogeneous situation. Every device in the operating theater shall be able to interchange data with every other device in the network. Even remote control of other devices shall be possible. Therefore, concepts for safe and secure dynamic networking of components in operation theaters and hospitals have to be provided. This paper will show methods to test such systems of systems and provide a way to increase the robustness of the interfaces. This will be part of the evidence described in multidimensional dependability arguments provided to certification authorities.

Neil Walkinshaw,Gordon Fraser

DOI: https://doi.org/10.48550/arXiv.1608.03181

2016-08-10

Abstract:We can never be certain that a software system is correct simply by testing it, but with every additional successful test we become less uncertain about its correctness. In absence of source code or elaborate specifications and models, tests are usually generated or chosen randomly. However, rather than randomly choosing tests, it would be preferable to choose those tests that decrease our uncertainty about correctness the most. In order to guide test generation, we apply what is referred to in Machine Learning as "Query Strategy Framework": We infer a behavioural model of the system under test and select those tests which the inferred model is "least certain" about. Running these tests on the system under test thus directly targets those parts about which tests so far have failed to inform the model. We provide an implementation that uses a genetic programming engine for model inference in order to enable an uncertainty sampling technique known as "query by committee", and evaluate it on eight subject systems from the Apache Commons Math framework and JodaTime. The results indicate that test generation using uncertainty sampling outperforms conventional and Adaptive Random Testing.

Software Engineering

Kevin Taylor-Sakyi

DOI: https://doi.org/10.48550/arXiv.1605.01097

2016-05-03

Software Engineering

Abstract:This paper presents the core principles of reliability in software engineering - outlining why reliability testing is critical and specifying the process of measuring reliability. The paper provides insight for both novice and experts in the software engineering field for assessing failure intensity as well as predicting failure of software systems. Measurements are conducted by utilizing information from an operational profile to further enhance a test plan and test cases, all of which this paper demonstrates how to implement.

S. S. Riaz Ahamed,S.S.Riaz Ahamed

DOI: https://doi.org/10.48550/arXiv.1001.4193

2010-01-23

Software Engineering

Abstract:Software testing is a critical element of software quality assurance and represents the ultimate review of specification, design and coding. Software testing is the process of testing the functionality and correctness of software by running it. Software testing is usually performed for one of two reasons: defect detection, and reliability estimation. The problem of applying software testing to defect detection is that software can only suggest the presence of flaws, not their absence (unless the testing is exhaustive). The problem of applying software testing to reliability estimation is that the input distribution used for selecting test cases may be flawed. The key to software testing is trying to find the modes of failure - something that requires exhaustively testing the code on all possible inputs. Software Testing, depending on the testing method employed, can be implemented at any time in the development process.

Feng Xu,Jing Pan,Wen Lu

DOI: https://doi.org/10.1007/s11390-009-9231-6

2009-01-01

Abstract:Emerging with open environments, the software paradigms, such as open resource coalition and Internetware, present several novel characteristics including user-centric, non-central control, and continual evolution. The goal of obtaining high confidence on such systems is more difficult to achieve. The general developer-oriented metrics and testing-based methods which are adopted in the traditional measurement for high confidence software seem to be infeasible in the new situation. Firstly, the software development is changed from the developer-centric to user-centric, while user's opinions are usually subjective, and cannot be generalized in one objective metric. Secondly, there is non-central control to guarantee the testing on components which formed the software system, and continual evolution makes it impossible to test on the whole software system. Therefore, this paper proposes a trust-based approach that consists of three sequential sub-stages: 1) describing metrics for confidence estimation from users; 2) estimating the confidence of the components based on the quantitative information from the trusted recommenders; 3) estimating the confidence of the whole software system based on the component confidences and their interactions, as well as attempts to make a step toward a reasonable and effective method for confidence estimation of the software system in open environments.