Robin Bloomfield,John Rushby

DOI: https://doi.org/10.48550/arXiv.2004.10474

2020-04-22

Software Engineering

Abstract:System assurance is confronted by significant challenges. Some of these are new, for example, autonomous systems with major functions driven by machine learning and AI, and ultra-rapid system development, while others are the familiar, persistent issues of the need for efficient, effective and timely assurance. Traditional assurance is seen as a brake on innovation and often costly and time consuming. We therefore propose a modernized framework, Assurance 2.0, as an enabler that supports innovation and continuous incremental assurance. Perhaps unexpectedly, it does so by making assurance more rigorous, with increased focus on the reasoning and evidence employed, and explicit identification of defeaters and counterevidence.

Robin Bloomfield,John Rushby

DOI: https://doi.org/10.1007/978-3-031-66676-6_1

2024-09-17

Abstract:An assurance case should provide justifiable confidence in the truth of a claim about some critical property of a system or procedure, such as safety or security. We consider how confidence can be assessed in the rigorous approach we call Assurance 2.0. Our goal is indefeasible confidence and we approach it from four different perspectives: logical soundness, probabilistic assessment, dialectical examination, and residual risks.

Software Engineering

Odell Hegna

DOI: https://doi.org/10.48550/arXiv.1501.00820

2019-03-11

Abstract:Computers may control safety-critical operations in machines having embedded software. This memoir proposes a regimen to verify such algorithms at prescribed levels of statistical confidence. The United States Department of Defense standard for system safety engineering (MIL-STD-882E) defines development procedures for safety-critical systems. However, a problem exists: the Standard fails to distinguish quantitative product assurance technique from categorical process assurance method for software development. Resulting is conflict in the technical definition of the term risk. The primary goal here is to show that a quantitative risk-based product assurance method exists and is consistent with hardware practice. Discussion appears in two major parts: theory, which shows the relationship between automata and software; and application, which covers demonstration and indemnification. Demonstration is a technique for generating random tests; indemnification converts pass/fail test results to compound Poisson parameters (severity and intensity). Together, demonstration and indemnification yield statistical confidence that safety-critical code meets design intent. Statistical confidence is the keystone of quantitative product assurance. A secondary goal is resolving the conflict over the term risk. The first meaning is an accident model known in mathematics as the compound Poisson stochastic process, and so is called statistical risk. Various of its versions underlie the theories of safety and reliability. The second is called developmental risk. It considers software autonomy, which considers time until manual recovery of control. Once these meanings are separated, MIL-STD-882 can properly support either formal quantitative safety assurance or empirical process robustness, which differ in impact.

Logic in Computer Science

Robin Bloomfield,John Rushby

2024-05-03

Abstract:An assurance case is intended to provide justifiable confidence in the truth of its top claim, which typically concerns safety or security. A natural question is then "how much" confidence does the case provide? We argue that confidence cannot be reduced to a single attribute or measurement. Instead, we suggest it should be based on attributes that draw on three different perspectives: positive, negative, and residual doubts. Positive Perspectives consider the extent to which the evidence and overall argument of the case combine to make a positive statement justifying belief in its claims. We set a high bar for justification, requiring it to be indefeasible. The primary positive measure for this is soundness, which interprets the argument as a logical proof. Confidence in evidence can be expressed probabilistically and we use confirmation measures to ensure that the "weight" of evidence crosses some threshold. In addition, probabilities can be aggregated from evidence through the steps of the argument using probability logics to yield what we call probabilistic valuations for the claims. Negative Perspectives record doubts and challenges to the case, typically expressed as defeaters, and their exploration and resolution. Assurance developers must guard against confirmation bias and should vigorously explore potential defeaters as they develop the case, and should record them and their resolution to avoid rework and to aid reviewers. Residual Doubts: the world is uncertain so not all potential defeaters can be resolved. We explore risks and may deem them acceptable or unavoidable. It is crucial however that these judgments are conscious ones and that they are recorded in the assurance case. This report examines the perspectives in detail and indicates how Clarissa, our prototype toolset for Assurance 2.0, assists in their evaluation.

Artificial Intelligence

Ankur Shukla,Basel Katt,Livinus Obiora Nweke,Prosper Kandabongee Yeng,Goitom Kahsay Weldehawaryat

DOI: https://doi.org/10.1016/j.cosrev.2022.100496

2022-07-29

Abstract:System security assurance provides the confidence that security features, practices, procedures, and architecture of software systems mediate and enforce the security policy and are resilient against security failure and attacks. Alongside the significant benefits of security assurance, the evolution of new information and communication technology (ICT) introduces new challenges regarding information protection. Security assurance methods based on the traditional tools, techniques, and procedures may fail to account new challenges due to poor requirement specifications, static nature, and poor development processes. The common criteria (CC) commonly used for security evaluation and certification process also comes with many limitations and challenges. In this paper, extensive efforts have been made to study the state-of-the-art, limitations and future research directions for security assurance of the ICT and cyber-physical systems (CPS) in a wide range of domains. We conducted a systematic review of requirements, processes, and activities involved in system security assurance including security requirements, security metrics, system and environments and assurance methods. We highlighted the challenges and gaps that have been identified by the existing literature related to system security assurance and corresponding solutions. Finally, we discussed the limitations of the present methods and future research directions.

Cryptography and Security,Software Engineering

Severin Kacianka,Alexander Pretschner

DOI: https://doi.org/10.1145/3442188.3445905

2021-01-20

Abstract:Accountability is an often called for property of technical systems. It is a requirement for algorithmic decision systems, autonomous cyber-physical systems, and for software systems in general. As a concept, accountability goes back to the early history of Liberalism and is suggested as a tool to limit the use of power. This long history has also given us many, often slightly differing, definitions of accountability. The problem that software developers now face is to understand what accountability means for their systems and how to reflect it in a system's design. To enable the rigorous study of accountability in a system, we need models that are suitable for capturing such a varied concept. In this paper, we present a method to express and compare different definitions of accountability using Structural Causal Models. We show how these models can be used to evaluate a system's design and present a small use case based on an autonomous car.

Software Engineering

Simon Diemert,Caleb Shortt,Jens H. Weber

2024-11-06

Abstract:CONTEXT: Assurance Cases (ACs) are prepared to argue that the system's desired quality attributes (e.g., safety or security) are satisfied. While there is strong adoption of ACs, practitioners are often left asking an important question: are we confident that the claims made by the case are true? While many confidence assessment methods (CAMs) exist, little is known about the use of these methods in practice OBJECTIVE: Develop an understanding of the current state of practice for AC confidence assessment: what methods are used in practice and what barriers exist for their use? METHOD: Structured interviews were performed with practitioners with experience contributing to real-world ACs. Open-coding was performed on transcripts. A description of the current state of AC practice and future considerations for researchers was synthesized from the results. RESULTS: A total of n = 19 practitioners were interviewed. The most common CAMs were (peer-)review of ACs, dialectic reasoning ("defeaters"), and comparing against checklists. Participants preferred qualitative methods and expressed concerns about quantitative CAMs. Barriers to using CAMs included additional work, inadequate guidance, subjectivity and interpretation of results, and trustworthiness of methods. CONCLUSION: While many CAMs are described in the literature there is a gap between the proposed methods and needs of practitioners. Researchers working in this area should consider the need to: connect CAMs to established practices, use CAMs to communicate with interest holders, crystallize the details of CAM application, curate accessible guidance, and confirm that methods are trustworthy.

Software Engineering

Simon Miller,Susan Appleby,Jonathan M. Garibaldi,Uwe Aickelin

DOI: https://doi.org/10.2139/ssrn.2823280

2013-01-01

International Journal of Secure Software Engineering

Abstract:The task of designing secure software systems is fraught with uncertainty, as data on uncommon attacks is limited, costs are difficult to estimate, and technology and tools are continually changing. Consequently, experts may interpret the security risks posed to a system in different ways, leading to variation in assessment. This paper presents research into measuring the variability in decision making between security professionals, with the ultimate goal of improving the quality of security advice given to software system designers. A set of thirty nine cyber-security experts took part in an exercise in which they independently assessed a realistic system scenario. This study quantifies agreement in the opinions of experts, examines methods of aggregating opinions, and produces an assessment of attacks from ratings of their components. We show that when aggregated, a coherent consensus view of security emerges which can be used to inform decisions made during systems design.

Danny Weyns,Nelly Bencomo,Radu Calinescu,Javier Cámara,Carlo Ghezzi,Vincenzo Grassi,Lars Grunske,Paola Inverardi,Jean-Marc Jézéquel,Sam Malek,Raffaela Mirandola,Marco Mori,Giordano Tamburrelli

DOI: https://doi.org/10.48550/arXiv.1903.04771

2019-03-12

Abstract:Providing assurances for self-adaptive systems is challenging. A primary underlying problem is uncertainty that may stem from a variety of different sources, ranging from incomplete knowledge to sensor noise and uncertain behavior of humans in the loop. Providing assurances that the self-adaptive system complies with its requirements calls for an enduring process spanning the whole lifetime of the system. In this process, humans and the system jointly derive and integrate new evidence and arguments, which we coined perpetual assurances for self-adaptive systems. In this paper, we provide a background framework and the foundation for perpetual assurances for self-adaptive systems. We elaborate on the concrete challenges of offering perpetual assurances, requirements for solutions, realization techniques and mechanisms to make solutions suitable. We also present benchmark criteria to compare solutions. We then present a concrete exemplar that researchers can use to assess and compare approaches for perpetual assurances for self-adaptation.

Software Engineering

Ilias Gerostathopoulos,Thomas Vogel,Danny Weyns,Patricia Lago

DOI: https://doi.org/10.48550/arXiv.2103.11481

2021-03-22

Abstract:With the increase of research in self-adaptive systems, there is a need to better understand the way research contributions are evaluated. Such insights will support researchers to better compare new findings when developing new knowledge for the community. However, so far there is no clear overview of how evaluations are performed in self-adaptive systems. To address this gap, we conduct a mapping study. The study focuses on experimental evaluations published in the last decade at the prime venue of research in software engineering for self-adaptive systems -- the International Symposium on Software Engineering for Adaptive and Self-Managing Systems (SEAMS). Results point out that specifics of self-adaptive systems require special attention in the experimental process, including the distinction of the managing system (i.e., the target of evaluation) and the managed system, the presence of uncertainties that affect the system behavior and hence need to be taken into account in data analysis, and the potential of managed systems to be reused across experiments, beyond replications. To conclude, we offer a set of suggestions derived from our study that can be used as input to enhance future experiments in self-adaptive systems.

Software Engineering

Richard Hawkins,Matt Osborne,Mike Parsons,Mark Nicholson,John McDermid,Ibrahim Habli

DOI: https://doi.org/10.48550/arXiv.2208.00853

2022-08-01

Software Engineering

Abstract:Autonomous systems (AS) are systems that have the capability to take decisions free from direct human control. AS are increasingly being considered for adoption for applications where their behaviour may cause harm, such as when used for autonomous driving, medical applications or in domestic environments. For such applications, being able to ensure and demonstrate (assure) the safety of the operation of the AS is crucial for their adoption. This can be particularly challenging where AS operate in complex and changing real-world environments. Establishing justified confidence in the safety of AS requires the creation of a compelling safety case. This document introduces a methodology for the Safety Assurance of Autonomous Systems in Complex Environments (SACE). SACE comprises a set of safety case patterns and a process for (1) systematically integrating safety assurance into the development of the AS and (2) for generating the evidence base for explicitly justifying the acceptable safety of the AS.

John A. McDermid

DOI: https://doi.org/10.48550/arXiv.1404.6801

2014-04-28

Abstract:Effective software safety standards will contribute to confidence, or assurance, in the safety of the systems in which the software is used. It is infeasible to demonstrate a correlation between standards and accidents, but there is an alternative view that makes standards "testable". Software projects are subject to uncertainty; good standards reduce uncertainty more than poor ones. Similarly assurance or integrity levels in standards should define an uncertainty gradient. The paper proposes an argument -based method of reasoning about uncertainty that can be used as a basis for conducting experiments (tests) to evaluate standards.

Software Engineering

Ran Wei,Simon Foster,Haitao Mei,Fang Yan,Ruizhe Yang,Ibrahim Habli,Colin O’Halloran,Nick Tudor,Tim Kelly

DOI: https://doi.org/10.1016/j.jss.2024.112034

IF: 3.5

2024-03-26

Journal of Systems and Software

Abstract:Assurance cases are used to communicate and assess confidence in critical system properties such as safety and security. Historically, assurance cases have been manually created documents, which are evaluated by system stakeholders through lengthy and complicated processes. In recent years, model-based system assurance approaches have gained popularity to improve the efficiency and quality of system assurance activities. This becomes increasingly important, as systems becomes more complex, it is a challenge to manage their development life-cycles, including coordination of development, verification and validation activities, and change impact analysis in inter-connected system assurance artifacts. Moreover, there is a need for assurance cases that support evolution during the operational life of the system, to enable continuous assurance in the face of an uncertain environment, as Robotics and Autonomous Systems (RAS) are adopted into society. In this paper, we contribute ACCESS - Assurance Case Centric Engineering of Safety-critical Systems, an engineering methodology, together with its tool support, for the development of safety critical systems around evolving model-based assurance cases. We show how model-based system assurance cases can trace to heterogeneous engineering artifacts (e.g. system architectural models, system safety analysis, system behaviour models, etc.), and how formal methods can be integrated during the development process. We demonstrate how assurance cases can be automatically evaluated both at development and runtime. We apply our approach to a case study based on an Autonomous Underwater Vehicle (AUV).

computer science, theory & methods, software engineering

Mithila Sivakumar,Alvine B. Belle,Kimya Khakzad Shahandashti,Oluwafemi Odu,Hadi Hemmati,Segla Kpodjedo,Song Wang,Opeyemi O. Adesina

2024-01-30

Abstract:The execution failure of cyber-physical systems (e.g., autonomous driving systems, unmanned aerial systems, and robotic systems) could result in the loss of life, severe injuries, large-scale environmental damage, property destruction, and major economic loss. Hence, such systems usually require a strong justification that they will effectively support critical requirements (e.g., safety, security, and reliability) for which they were designed. Thus, it is often mandatory to develop compelling assurance cases to support that justification and allow regulatory bodies to certify such systems. In such contexts, detecting assurance deficits, relying on patterns to improve the structure of assurance cases, improving existing assurance case notations, and (semi-)automating the generation of assurance cases are key to develop compelling assurance cases and foster consumer acceptance. We therefore explore challenges related to such assurance enablers and outline some potential directions that could be explored to tackle them.

Software Engineering,Artificial Intelligence

Jinghui Cheng,Micayla Goodrum,Ronald Metoyer,Jane Cleland-Huang

DOI: https://doi.org/10.1145/3195836.3195838

2018-05-27

Abstract:Safety-critical software systems are those whose failure or malfunction could result in casualty and/or serious financial loss. In such systems, safety assurance cases (SACs) are an emerging approach that adopts a proactive strategy to produce structuralized safety justifications and arguments. While SACs are recommended in many software-intensive safety-critical domains, the lack of knowledge regarding the practitioners' perspectives on using SACs hinders effective adoption of this approach. To gain such knowledge, we interviewed nine practitioners and safety experts who focused on safety-critical software systems. In general, our participants found the SAC approach beneficial for communication of safety arguments and management of safety issues in a multidisciplinary setting. The challenges they faced when using SACs were primarily associated with (1) a lack of tool support, (2) insufficient process integration, and (3) scarcity of experienced personnel. To overcome those challenges, our participants suggested tactics that focused on creating direct safety arguments. Process and organizational adjustments are also needed to streamline SAC analysis and creation. Finally, our participants emphasized the importance of knowledge sharing about SACs across software-intensive safety-critical domains.

Andreas Schwierz,Håkan Forsberg

DOI: https://doi.org/10.48550/arXiv.1803.09427

2018-03-26

Software Engineering

Abstract:Dealing with Commercial off-the-shelf (COTS) com- ponents is a daily business for avionic system manufacturers. They are necessary ingredients for hardware designs, but are not built in accordance with the avionics consensus standard DO- 254 for Airborne Electronic Hardware (AEH) design. Especially for complex COTS hardware components used in safety critical AEH, like Microcontroller Units (MCUs), additional assurance activities have to be performed. All of them together shall form a convincing confident, that the hardware is safe in its intended operation environment. The focus of DO-254 is one approach called Design Assurance (DA). Its aim is to reduce design errors by adherence of prescribed process objectives for the entire design life cycle. The effort for certain COTS assurance activities could be reduced if it is possible to demonstrate, that the COTS design process is based on similar effective design process guide- lines to minimize desgin errors. In the last years, semiconductor manufacturers released safety MCUs in compliance to the ISO 26262 standard, dedicated for the development of functional safe automotive systems. These products are COTS components in the sense of avionics, but they are also developed according to a process that focuses on reduction of design errors. In this paper an evaluation is performed to figure out if the ISO 26262 prescribes a similar DA approach as the DO-254, in order to reduce the COTS assurance effort for coming avionic systems.

Lester Lipsky

DOI: https://doi.org/10.1145/174215.1044951

1993-12-01

ACM SIGMETRICS Performance Evaluation Review

Abstract:The purpose of this book, in the author's own words is "... two-fold. First, it should be usable as a text for a one or two semester graduate course in the theory and practice of performance evaluation with strong emphasis on analytic modeling. Second, it should be useful as a reference to both researchers and practitioners in the performance evaluation field". The recommended prerequisite courses are "probability theory, operating systems, and computer architecture." If one throws in a course in linear algebra or matrix theory (how can Markov chains be studied without it?) then one has the typical undergraduate major (or a good minor) degree in Computer Science/Engineering.

Samuel Ackerman,Guy Barash,Eitan Farchi,Orna Raz,Onn Shehory

DOI: https://doi.org/10.48550/arXiv.2201.00355

IF: 5.414

2022-01-02

Machine Learning

Abstract:The crafting of machine learning (ML) based systems requires statistical control throughout its life cycle. Careful quantification of business requirements and identification of key factors that impact the business requirements reduces the risk of a project failure. The quantification of business requirements results in the definition of random variables representing the system key performance indicators that need to be analyzed through statistical experiments. In addition, available data for training and experiment results impact the design of the system. Once the system is developed, it is tested and continually monitored to ensure it meets its business requirements. This is done through the continued application of statistical experiments to analyze and control the key performance indicators. This book teaches the art of crafting and developing ML based systems. It advocates an "experiment first" approach stressing the need to define statistical experiments from the beginning of the project life cycle. It also discusses in detail how to apply statistical control on the ML based system throughout its lifecycle.

Brett W Israelsen

DOI: https://doi.org/10.48550/arXiv.1708.00495

2017-09-05

Abstract:As technology become more advanced, those who design, use and are otherwise affected by it want to know that it will perform correctly, and understand why it does what it does, and how to use it appropriately. In essence they want to be able to trust the systems that are being designed. In this survey we present assurances that are the method by which users can understand how to trust this technology. Trust between humans and autonomy is reviewed, and the implications for the design of assurances are highlighted. A survey of research that has been performed with respect to assurances is presented, and several key ideas are extracted in order to refine the definition of assurances. Several directions for future research are identified and discussed.

Computers and Society,Artificial Intelligence,Human-Computer Interaction,Machine Learning