2nd International Workshop on Argument for Agreement and Assurance (AAA 2015), Kanagawa Japan, November 2015

On the Interpretation of Assurance Case Arguments
John Rushby
Computer Science Laboratory, SRI International, Menlo Park, CA
John Rushby, SRI: Interpretation of Assurance Case Arguments, slide 1

Introduction (slide 2)
- I'm focused on the assurance and certification of software for commercial airplanes
- Currently assured by DO-178C
  - Enumerates 71 objectives that must be satisfied for the most critical software
  - e.g., "Ensure that each High Level Requirement (HLR) is accurate, unambiguous, and sufficiently detailed, and that the requirements do not conflict with each other" [Section 6.3.1.b]
- It seems to work: no incidents due to flaws in software implementation
- DO-178C is about correctness of implementation wrt HLR
- ARP 4754 and others are concerned with safety of HLR

Introduction (ctd.) (slide 3)
- But the world is changing
  - NextGen integrates once-separate air and ground systems
  - Unmanned vehicles in the same airspace
  - More autonomous systems
  - New methods of software development and assurance
- We don't really know why DO-178C works
  - So difficult to predict the impact of a changed environment
  - And difficult to update (10 years to go from B to C)
- So look at Assurance Cases as a possible way forward
  - Retrospective reformulation of DO-178C as an assurance case (Michael Holloway)
  - Then look for a scientific basis for assurance cases

Assurance Cases (slide 4)
- The idea is that we make the case to justify deployment of some system by
  - Stating the claim that it must satisfy
    - Generally safety- or correctness-related
  - Developing evidence about its assumptions, design, implementation, performance etc.
  - Constructing a structured argument that justifies the claim, based on the evidence
- How should we interpret these arguments?
- And what are the expectations on them?
  - "compelling, comprehensible and valid" [00-56]
  - Are these all the same?

Complications: Inductive and Deductive Arguments (slide 5)
- The world is an uncertain place (random faults and events)
- Our knowledge of the world is incomplete, and may be flawed
- Our reasoning may be flawed also
- So an assurance case cannot expect to prove its claim
- Hence, the overall argument is inductive
  - Evidence & subclaims strongly suggest the truth of the top claim
- Rather than deductive
  - Evidence & subclaims imply or entail the top claim

Complications: Confidence Items (slide 6)
- If the overall argument is inductive
  - Does that mean all its steps may be inductive too?
- Traditionally, yes!
  - Considered unrealistic to be completely certain
  - cf. ceteris paribus hedges in science
- Can add ancillary confidence items to bolster confidence in inductive steps
  - Evidence or subclaims that do not directly contribute to the argument
  - i.e., their falsity would not invalidate the argument
  - But their truth increases our confidence in it
  - Eh?

Complications: Graduated Assurance (slide 7)
- Assurance is expensive, so most standards and guidelines allow less assurance effort for elements that pose lesser risks
- e.g. DO-178C
  - 71 objectives for Level A, 33 with independence
  - 69 objectives for Level B, 21 with independence
  - 62 objectives for Level C, 8 with independence
  - 26 objectives for Level D, 5 with independence
- So if Level A is compelling, comprehensible and valid
  - The lower levels must be less so, or not so
- We need some idea of what is lost, and a measure of how much

Proposed Interpretation (slide 8)
- Clearly need a semantics to account for all this
- I'm going to propose a simple, even obvious, semantics for a sound assurance case
- I further propose that only sound assurance cases should be accepted
- However, sound assurance cases can have different strengths

Structured Argument (slide 9)
- In a generic notation (GSN shapes, CAE arrows)
  [Figure: a claim C supported by an argument step AS, which rests on subclaims SC and evidence E; each subclaim is in turn supported by a further argument step]
  - C: Claim
  - AS: Argument Step
  - SC: Subclaim
  - E: Evidence
- A hierarchical arrangement of argument steps, each of which justifies a claim or subclaim on the basis of further subclaims or evidence

Argument Steps and Layered Arguments (slide 10)
- We decompose the top-level claim into a conjunction of subclaims
  - And iterate
  - Until we get down to subclaims supported by evidence
- Provide a narrative justification for each step
- Easier to understand when there are just two kinds of argument steps
  - Reasoning steps: subclaim supported by further subclaims
  - Evidential steps: subclaim supported by evidence
- Call this a simple form argument
  - Can normalize to this form by adding subclaims
  - In the paper I explain how to give a direct interpretation

Normalizing an Argument to Simple Form (slide 11)
[Figure: a mixed argument step AS under claim C, supported by both subclaims SC and evidence E, is rewritten as a reasoning step RS over subclaims only; each item of evidence is placed under a new subclaim with its own evidential step ES]
- RS: reasoning step; ES: evidential step

Why Focus on Simple Form? (slide 12)
- The two kinds of argument step are interpreted differently
- Evidential steps
  - These are about epistemology: knowledge of the world
  - Bridge from the real world to the world of our concepts
  - Have to be considered inductive
  - Multiple items of evidence are weighed, not conjoined
- Reasoning steps
  - These are about logic/reasoning
  - Conjunction of subclaims leads us to conclude the claim
    - Deductively: subclaims imply claim (my preference)
    - Inductively: subclaims suggest claim
- Combine these to yield complete arguments
  - Those evidential steps whose weight crosses some threshold of credibility are treated as premises in a classical deductive interpretation of the reasoning steps

Weighing Evidential Steps (slide 13)
- We measure and observe what we can
  - e.g., test results
- To infer a subclaim that is not directly observable
  - e.g., correctness
- Different observations provide different views
  - Some more significant than others
  - And not all independent
- Confidence items can be observations that vouch for others
  - Or provide independent backup
- Need to weigh all these in some way
- Probabilities provide a convenient metric
  - And Bayesian methods and BBNs provide tools

The Weight of Evidence? (slide 14)
- Plausible to suppose that we should accept claim C given evidence E when P(C | E) exceeds some threshold
- These are subjective probabilities expressing human judgement
- Experts find P(C | E) hard to assess
  - And it is influenced by the prior P(C), which can express ignorance... or prejudice
- Instead, factor the problem into alternative quantities that are easier to assess and of separate significance
- So look instead at P(E | C)
  - Related to P(C | E) by Bayes' Rule: P(C | E) = P(E | C) P(C) / P(E)
  - But easier to assess the likelihood of observations given a claim about the world than vice versa

Confirmation Measures (slide 15)
- We really are interested in the extent to which E supports C... rather than its negation ¬C
- So focus on the ratio or difference of P(E | C) and P(E | ¬C), ... or logarithms of these
- These are called confirmation measures
  - They weigh C and ¬C in the balance provided by E
  - Suggested that these are what criminal juries should be instructed to assess (Gardner-Medwin)
- Good's measure: log( P(E | C) / P(E | ¬C) )
- Kemeny and Oppenheim's measure: ( P(E | C) - P(E | ¬C) ) / ( P(E | C) + P(E | ¬C) )
- Much discussion on the merits of these and other measures

Application of Confirmation Measures (slide 16)
- I do not think the specific measures are important
- Nor do I advocate applying these methods to the evaluation of individual arguments
- Rather, use BBNs and confirmation measures for what-if investigations
  - Can help in the selection of evidence for evidential steps
  - e.g., refine what objectives DO-178C should require
- Example (next slides): use of artifact quality objectives as confidence items in DO-178C

Weighing Evidential Steps With BBNs (slide 17)
[Figure: BBN over the nodes Z, O, A, S, T, V and C]
  - Z: System Specification
  - O: Test Oracle
  - S: System's true quality
  - T: Test results
  - V: Verification outcome
  - A: Specification quality
  - C: Conclusion
- Example probability table: P(successful test outcome | S, O)

                      Correct Oracle   Bad Oracle
  Correct System           100%            50%
  Incorrect System           5%            30%
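The computation behind slides 14, 15 and 17, as an added example (this is not code from the slides, from the Hugin model, or from the accompanying report). It takes the probability table above for P(successful test outcome | system quality, oracle quality), marginalises the oracle out, and computes the posterior P(C | E) by Bayes' rule alongside Good's and Kemeny-Oppenheim's confirmation measures. The slide gives no priors, so P(oracle correct) and P(system correct) are assumed values, as are the three oracle-quality scenarios used for the what-if runs.

```python
"""Weighing an evidential step with Bayes' rule and confirmation measures.

Added example, not from Rushby's slides or report. Uses the slide 17 table
P(T = success | S, O) and ASSUMES the priors the slide does not give:
P(oracle correct) and P(system correct).
"""
import math

# From slide 17: P(T = success | S = system_correct, O = oracle_correct)
P_SUCCESS = {
    (True, True): 1.00,    # correct system, correct oracle
    (True, False): 0.50,   # correct system, bad oracle
    (False, True): 0.05,   # incorrect system, correct oracle
    (False, False): 0.30,  # incorrect system, bad oracle
}


def likelihoods(p_oracle_correct):
    """Marginalise the oracle out of the table.

    Returns (P(E | C), P(E | not C)) where E is 'the test succeeded' and
    C is 'the system is correct'; p_oracle_correct is an assumed prior.
    """
    def p_success_given(system_correct):
        return (p_oracle_correct * P_SUCCESS[(system_correct, True)]
                + (1.0 - p_oracle_correct) * P_SUCCESS[(system_correct, False)])
    return p_success_given(True), p_success_given(False)


def posterior(prior_c, p_e_given_c, p_e_given_not_c):
    """Bayes' rule: P(C | E) = P(E | C) P(C) / P(E), with P(E) expanded over
    C and not C. This is the quantity slide 14 says experts find hard to
    assess directly, and it depends on the prior P(C)."""
    joint_c = prior_c * p_e_given_c
    joint_not_c = (1.0 - prior_c) * p_e_given_not_c
    return joint_c / (joint_c + joint_not_c)


def good_measure(p_e_given_c, p_e_given_not_c):
    """Good's weight of evidence: log( P(E | C) / P(E | not C) )."""
    return math.log(p_e_given_c / p_e_given_not_c)


def kemeny_oppenheim(p_e_given_c, p_e_given_not_c):
    """Kemeny and Oppenheim's measure: -1 (E refutes C) up to +1 (E proves C)."""
    return ((p_e_given_c - p_e_given_not_c)
            / (p_e_given_c + p_e_given_not_c))


def what_if(p_oracle_correct, prior_c=0.5):
    """One what-if run: how much does a successful test confirm correctness
    if the oracle is this trustworthy? prior_c = 0.5 expresses ignorance."""
    p_e_c, p_e_not_c = likelihoods(p_oracle_correct)
    return {
        "P(E|C)": p_e_c,
        "P(E|~C)": p_e_not_c,
        "posterior": posterior(prior_c, p_e_c, p_e_not_c),
        "good": good_measure(p_e_c, p_e_not_c),
        "kemeny_oppenheim": kemeny_oppenheim(p_e_c, p_e_not_c),
    }


if __name__ == "__main__":
    # Assumed oracle-quality scenarios: a confidence item such as an artifact
    # quality objective on the oracle is what would move P(O correct) upward.
    for p_oracle in (0.5, 0.9, 0.99):
        r = what_if(p_oracle)
        print(f"P(oracle correct)={p_oracle:.2f}  P(E|C)={r['P(E|C)']:.3f}  "
              f"P(E|~C)={r['P(E|~C)']:.3f}  posterior={r['posterior']:.3f}  "
              f"Good={r['good']:.2f}  K-O={r['kemeny_oppenheim']:.2f}")
    # Same evidence, prejudiced prior: the posterior moves, Good's measure does not.
    prejudiced = what_if(0.9, prior_c=0.1)
    print(f"prior 0.1: posterior={prejudiced['posterior']:.3f}  Good={prejudiced['good']:.2f}")
```

Two things to read off the runs: the posterior changes with the prior P(C) while both confirmation measures depend only on the two likelihoods, which is the separation slide 14 argues for; and raising P(oracle correct) raises the weight of a successful test, which is what a confidence item about oracle quality buys in this model.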

Example Represented in Hugin BBN Tool (slide 18)
[Figure: screenshot of the slide 17 example modelled in the Hugin BBN tool]

Evaluating Reasoning Steps (slide 19)
- When all evidential steps cross our threshold for credibility, we use them as premises in a classical interpretation of the reasoning steps
  - Deductive: p1 AND p2 AND ... AND pn IMPLIES c
  - Inductive: p1 AND p2 AND ... AND pn SUGGESTS c
- I advocate the deductive interpretation, for three reasons
  - There is no classical interpretation for inductive reasoning
    - Many proposals: Dempster-Shafer, fuzzy logic, probability logic
    - But none universally accepted
    - And they flatten the argument (forthcoming slide)
  - Inductive reasoning is not modular: must believe either that the gap is insignificant (so deductive), or that it is taken care of elsewhere (so not modular)
  - There is no way to evaluate the size of the gap in inductive steps (next slide)

The Inductive Gap (slide 20)
- Must surely believe an inductive step is nearly deductive and would become so if some missing subclaim or assumption a were added
  - p1 AND p2 AND ... AND pn SUGGESTS c
  - a AND p1 AND p2 AND ... AND pn IMPLIES c
- If we knew anything at all about a it would be irresponsible not to add it to the argument
- Since we did not do so, we must be ignorant of a
- It follows that we cannot estimate the doubt in inductive argument steps

Probabilistic, Fuzzy and D-S Interpretations (slide 21)
- Insensitive to the logical content of reasoning steps
- Effectively replace each subclaim by its supporting evidence
- Thereby flattening the argument
  [Figure: the layered argument (claim C, argument step AS, subclaim SC with its own step and evidence E) collapses to claim C directly over evidential step ES, with the subclaims gone]

Flattened Arguments (slide 22)
- There's a reason we don't do this
- An assurance case is not just a pile of evidence
  - That's DO-178C, for example
- It is an argument
  - With a structure based on our reasoning about the system
- So the reasoning steps should be interpreted in logic

Graduated Assurance (slide 23)
- I'll say an assurance case is valid if its reasoning steps are judged to be deductively valid
  - Expect to see justification in some form
- A valid case is sound if in addition its evidential steps cross the threshold for credibility
  - All inductive doubts are located here
- For graduated assurance, we need some additional notion of argument strength
- One approach to weakening an argument for lower levels is to reduce the threshold on evidential steps
- But others actually change the argument
  - e.g., Level D of DO-178C removes the Low Level Requirements (LLR) and all attendant steps

Evaluating Argument Strength Under Reduced Thresholds (slide 24)
- Although I don't advocate flattening, then BBNs, as a way to evaluate the soundness of an argument
  - It could be a way to quantify the strength of a sound argument
- More simply
  - Just sum the uncertainties (Adams' Uncertainty Accumulation: the uncertainty of the conclusion is at most the sum of the uncertainties, 1 - p, of the premises)
  - Or multiply the probabilities (independence assumption)
  - Using the probabilities calculated (by BBNs) for the evidential steps
- Beware of gaming: combining subclaims to maximize the strength measure
- Could do this on an ordinal scale (low, medium, high, etc.)
- Note that it's a weakest-link calculation
- Graduated assurance retains soundness, reduces strength
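The interpretation of slides 12, 23 and 24 carried through on a small case, as an added example (not code from the slides or the report). It assumes an argument already in simple form: reasoning steps carry the reviewers' judgement of deductive validity, evidential steps carry a judged credibility P(subclaim | evidence) such as a BBN would produce, a case is sound when every reasoning step is valid and every evidential step clears the threshold, and strength is computed from the evidential credibilities alone by weakest link, by Adams' accumulation, or by multiplication under independence. The HLR/LLR/Executable Object Code structure, the credibilities and the per-level thresholds are assumed for illustration and are not taken from DO-178C.

```python
"""Sound assurance cases and their strength under graduated assurance.

Added example, not from Rushby's slides or report. The case structure,
credibilities and per-level thresholds are ASSUMED for illustration.
"""
from dataclasses import dataclass
from typing import List, Union


@dataclass
class EvidentialStep:
    """Subclaim supported directly by evidence. credibility is the weighed
    P(subclaim | evidence), e.g. the output of a BBN or expert judgement."""
    claim: str
    evidence: List[str]
    credibility: float


@dataclass
class ReasoningStep:
    """Claim supported by a conjunction of subclaims. valid records the
    reviewers' judgement that the subclaims deductively entail the claim."""
    claim: str
    subclaims: List["Step"]
    valid: bool = True


Step = Union[EvidentialStep, ReasoningStep]


def evidential_steps(step: Step) -> List[EvidentialStep]:
    if isinstance(step, EvidentialStep):
        return [step]
    return [e for s in step.subclaims for e in evidential_steps(s)]


def reasoning_steps(step: Step) -> List[ReasoningStep]:
    if isinstance(step, EvidentialStep):
        return []
    return [step] + [r for s in step.subclaims for r in reasoning_steps(s)]


def is_valid(case: Step) -> bool:
    """Valid: every reasoning step is judged deductively valid (slide 23)."""
    return all(r.valid for r in reasoning_steps(case))


def is_sound(case: Step, threshold: float) -> bool:
    """Sound: valid, and every evidential step clears the credibility
    threshold. All inductive doubt lives in the evidential steps."""
    return is_valid(case) and all(e.credibility >= threshold
                                  for e in evidential_steps(case))


def strength(case: Step, method: str = "weakest_link") -> float:
    """Strength of a sound case from its evidential credibilities (slide 24)."""
    ps = [e.credibility for e in evidential_steps(case)]
    if method == "weakest_link":
        return min(ps)
    if method == "adams":
        # Adams' uncertainty accumulation: the uncertainty (1 - p) of the
        # conclusion is at most the sum of the premises' uncertainties.
        return max(0.0, 1.0 - sum(1.0 - p for p in ps))
    if method == "independent":
        prod = 1.0
        for p in ps:
            prod *= p
        return prod
    raise ValueError(f"unknown strength method: {method}")


# Assumed credibility thresholds per software level, for illustration only.
LEVEL_THRESHOLD = {"A": 0.95, "B": 0.90, "C": 0.85, "D": 0.80}


def via_llr_case() -> ReasoningStep:
    """Assumed Level A-C style argument: EOC satisfies HLR by way of the LLR."""
    return ReasoningStep("Executable Object Code satisfies HLR", [
        ReasoningStep("Executable Object Code satisfies LLR", [
            EvidentialStep("Source Code satisfies LLR",
                           ["code reviews", "LLR-based unit tests"], 0.85),
            EvidentialStep("Executable Object Code is faithful to Source Code",
                           ["compiler qualification", "structural coverage"], 0.95),
        ]),
        EvidentialStep("LLR are correct and complete with respect to HLR",
                       ["LLR review records", "HLR-to-LLR traceability"], 0.90),
    ])


def single_leap_case() -> EvidentialStep:
    """Assumed Level D style argument: the LLR and their steps are removed,
    so the top claim is one evidential step, a single leap from HLR to EOC."""
    return EvidentialStep("Executable Object Code satisfies HLR",
                          ["HLR-based tests on target"], 0.80)


if __name__ == "__main__":
    for name, case in (("via LLR", via_llr_case()), ("single leap", single_leap_case())):
        for level, t in LEVEL_THRESHOLD.items():
            print(f"{name:12s} level {level}: sound={is_sound(case, t)}")
        print(f"{name:12s} strength: weakest link={strength(case):.3f}  "
              f"adams={strength(case, 'adams'):.3f}  "
              f"independent={strength(case, 'independent'):.3f}")
```

Lowering the threshold is the slide's first kind of graduated assurance: the same via-LLR case is unsound at the assumed Level A and B thresholds and sound from Level C down, with its strength unchanged because strength is fixed by the evidential steps. The gaming warning on the slide shows up in the sum and product measures: merging two evidential steps into one step with a single judged credibility changes those scores without changing the evidence, so the ordinal scale or the weakest-link measure is the safer basis for comparison.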

Evaluating Argument Strength Under Changes (slide 25)
- Recall that Level D of DO-178C changes the argument
  - Removes everything to do with LLR
- The reason for LLR is not just more evidence, but the credibility of the overall argument strategy
  - More credible to go from HLR to EOC (Executable Object Code) via LLR (Levels A, B, C)
  - Than in a single leap (Level D)
- So there's more to it than just evidential strength
- Topic for future work: related to the ability to withstand defeaters

Conclusion (slide 26)
- Interpretation is a combination of probability and logic
  - (Possibly informal) probabilities for evidential steps
  - Logic for reasoning steps
- A case is sound if evidential steps cross some threshold and reasoning steps are deductively valid
  - All inductive doubt is located in the evidential steps
  - Inductive reasoning steps are too low a bar
- Graduated Assurance may weaken evidential support
  - Overall strength of a sound case is then determined by the weakest evidential step
- Can formalize this in probability logic, but I think the real appeal has to be to intuition and consensus...
- A deeper notion of strength is needed for other forms of graduated assurance: defeaters and argumentation frameworks may be the way to go here

Links (slide 27)
- Lengthy report: http://www.csl.sri.com/~rushby/abstracts/assurance-cases15
- What do you think?