© 2013 Carnegie Mellon University Measuring Assurance Case Confidence using Baconian Probabilities Charles B. Weinstock John B. Goodenough Ari Z. Klein.

Slides:



Advertisements
Similar presentations
Reason and Argument Induction (Part of Ch. 9 and part of Ch. 10)
Advertisements

Introductory Mathematics & Statistics for Business
By Anthony Campanaro & Dennis Hernandez
Carnegie Mellon University Software Engineering Institute CERT® Knowledgebase Copyright © 1997 Carnegie Mellon University VU#14202 UNIX rlogin with stack.
Why We Do Research Chapter 1. Ordinary Versus Systematic Biased Question: A question that leads to a specific response or excludes a certain group Nonscientific.
© 2013 Carnegie Mellon University UFO: From Underapproximations to Overapproximations and Back! Arie Gurfinkel (SEI/CMU) with Aws Albarghouthi and Marsha.
© 2011 Carnegie Mellon University System of Systems V&V John B. Goodenough October 19, 2011.
Chapter 10.  Real life problems are usually different than just estimation of population statistics.  We try on the basis of experimental evidence Whether.
© 2010 Carnegie Mellon University B OXES : A Symbolic Abstract Domain of Boxes Arie Gurfinkel and Sagar Chaki Software Engineering Institute Carnegie Mellon.
NOTE: CORRECTION TO SYLLABUS FOR ‘HUME ON CAUSATION’ WEEK 6 Mon May 2: Hume on inductive reasoning --Hume, Enquiry Concerning Human Understanding, section.
© 2013 Carnegie Mellon University Academy for Software Engineering Education and Training, 2013 Session Architect: Tony Cowling Session Chair: Nancy Mead.
© Carnegie Mellon University The CERT Insider Threat Center.
Classifying Arguments Deductive (valid/invalid) Inductive (strong/weak) Arguments may be divided into two types: in which the intention is certainty of.
Critical Thinking: Chapter 10
© 2015 Carnegie Mellon University Property Directed Polyhedral Abstraction Nikolaj Bjørner and Arie Gurfinkel VMCAI 2015.
1 Procedural Analysis or structured approach. 2 Sometimes known as Analytic Induction Used more commonly in evaluation and policy studies. Uses a set.
1 A Bayesian Non-Inferiority Approach to Evaluation of Bridging Studies Chin-Fu Hsiao, Jen-Pei Liu Division of Biostatistics and Bioinformatics National.
Me Talk Good One Day When Language and Logic Fail to Coincide.
© 2011 Carnegie Mellon University Should-Cost: A Use for Parametric Estimates Additional uses for estimation tools Presenters:Bob Ferguson (SEMA) Date:November.
© 2011 Carnegie Mellon University QUELCE: Quantifying Uncertainty in Early Lifecycle Cost Estimation Presenters:Dave Zubrow PhD Bob Ferguson (SEMA) Date:November.
Scientific method - 1 Scientific method is a body of techniques for investigating phenomena and acquiring new knowledge, as well as for correcting and.
Purpose of the Standards
Ipek Ozkaya, COCOMO Forum © 2012 Carnegie Mellon University Affordability and the Value of Architecting Ipek Ozkaya Research, Technology.
Causality, Reasoning in Research, and Why Science is Hard
CHAPTERCHAPTER McGraw-Hill/Irwin©2008 The McGraw-Hill Companies, All Rights Reserved Rules of Construction NINENINE.
© 2010 Carnegie Mellon University Team Software Process.
Copyright © 2008 Pearson Prentice Hall. All rights reserved. 1 1 Professor Donald P. Linden LEAD 1200 CRN Workforce Development and Critical Thinking.
S7: Audit Planning. Session Objectives To explain the need for planning To explain the need for planning To outline the essential elements of planning.
Basics of Probability. A Bit Math A Probability Space is a triple, where  is the sample space: a non-empty set of possible outcomes; F is an algebra.
Audit Planning. Session Objectives To explain the need for planning To outline the essential elements of planning process To finalise the audit approach.
Inductive Generalizations Induction is the basis for our commonsense beliefs about the world. In the most general sense, inductive reasoning, is that in.
West Virginia University Towards Practical Software Reliability Assessment for IV&V Projects B. Cukic, E. Gunel, H. Singh, V. Cortellessa Department of.
1 The Scientist Game Chris Slaughter, DrPH (courtesy of Scott Emerson) Dept of Biostatistics Vanderbilt University © 2002, 2003, 2006, 2008 Scott S. Emerson,
Copyright © 2008 by West Legal Studies in Business A Division of Thomson Learning Chapter 25 Product Liability: Warranties and Torts Twomey Jennings Anderson’s.
CHAPTER 17: Tests of Significance: The Basics
SINTEF Telecom and Informatics EuroSPI’99 Workshop on Data Analysis Popular Pitfalls of Data Analysis Tore Dybå, M.Sc. Research Scientist, SINTEF.
Lecture 16 Section 8.1 Objectives: Testing Statistical Hypotheses − Stating hypotheses statements − Type I and II errors − Conducting a hypothesis test.
Uncertainty Management in Rule-based Expert Systems
INDUCTIVE LOGIC DEDUCTION= DRAWING OUT IMPLICIT “KNOWLEDGE” OR CLAIMS FROM PREMISES. INDUCTION= EXPANDING “KNOWLEDGE” BY TESTING TRUTH OF THE PREMISES.
RECOGNIZING, ANALYZING, AND CONSTRUCTING ARGUMENTS
5 th May 2009 Assurance, Confidence and Software Safety Dr. Richard Hawkins.
 An article review is written for an audience who is knowledgeable in the subject matter instead of a general audience  When writing an article review,
Author Software Engineering Institute
Finishing up: Statistics & Developmental designs Psych 231: Research Methods in Psychology.
Philosophy 148 Inductive Reasoning. Inductive reasoning – common misconceptions: - “The process of deriving general principles from particular facts or.
© 2015 Carnegie Mellon University COCOMO 2015 November 17, 2015 Distribution Statement A: Approved for Public Release; Distribution is Unlimited Causal.
Transient Unterdetermination and the Miracle Argument Paul Hoyningen-Huene Leibniz Universität Hannover Center for Philosophy and Ethics of Science (ZEWW)
Philosophy 104 Chapter 8 Notes (Part 1). Induction vs Deduction Fogelin and Sinnott-Armstrong describe the difference between induction and deduction.
Introduction  Based on something other than the consequences of a person’s actions  Unlike Egoism  People should act in their own self-interest  Unlike.
CAS Managebac update CAS opportunity for someone with a scanner. Cambodia?
Development, Validation, Implementation and Enhancement for a Voluntary Protection Programs Center of Excellence (VPP CX) Capability for the Department.
Department of Defense Voluntary Protection Programs Center of Excellence Development, Validation, Implementation and Enhancement for a Voluntary Protection.
Critiquing Quantitative Research.  A critical appraisal is careful evaluation of all aspects of a research study in order to assess the merits, limitations,
Department of Defense Voluntary Protection Programs Center of Excellence Development, Validation, Implementation and Enhancement for a Voluntary Protection.
1 CERT BFF: From Start To PoC June 09, 2016 © 2016 Carnegie Mellon University This material has been approved for public release and unlimited distribution.
Chapter 26: Generalizations and Surveys. Inductive Generalizations (pp ) Arguments to a general conclusion are fairly common. Some people claim.
Secure Software Workforce Development Panel Session
IE 102 Lecture 6 Critical Thinking.
Michael Spiegel, Esq Timothy Shimeall, Ph.D.
Unit 5: Hypothesis Testing
Inductive / Deductive reasoning
(Additional materials)
LATIHAN MID SEMINAR AUDIT hiday.
Metrics-Focused Analysis of Network Flow Data
Week 3 Class Discussion.
QUELCE: Quantifying Uncertainty in Early Lifecycle Cost Estimation
Significance Tests: The Basics
Significance Tests: The Basics
OMGT LECTURE 10: Elements of Hypothesis Testing
Developing Useful Metrics
Presentation transcript:

© 2013 Carnegie Mellon University Measuring Assurance Case Confidence using Baconian Probabilities Charles B. Weinstock John B. Goodenough Ari Z. Klein May 19, 2013

2 Measuring Assurance Case Confidence Weinstock/Goodenough/Klein, May 2013 © 2013 Carnegie Mellon University Copyright 2013 Carnegie Mellon University and IEEE This material is based upon work funded and supported by the Department of Defense under Contract No. FA C-0003 with Carnegie Mellon University for the operation of the Software Engineering Institute, a federally funded research and development center. NO WARRANTY. THIS CARNEGIE MELLON UNIVERSITY AND SOFTWARE ENGINEERING INSTITUTE MATERIAL IS FURNISHED ON AN “AS-IS” BASIS. CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY KIND, EITHER EXPRESSED OR IMPLIED, AS TO ANY MATTER INCLUDING, BUT NOT LIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR MERCHANTABILITY, EXCLUSIVITY, OR RESULTS OBTAINED FROM USE OF THE MATERIAL. CARNEGIE MELLON UNIVERSITY DOES NOT MAKE ANY WARRANTY OF ANY KIND WITH RESPECT TO FREEDOM FROM PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT. This material has been approved for public release and unlimited distribution. This material may be reproduced in its entirety, without modification, and freely distributed in written or electronic form without requesting formal permission. Permission is required for any other use. Requests for permission should be directed to the Software Engineering Institute at DM

3 Measuring Assurance Case Confidence Weinstock/Goodenough/Klein, May 2013 © 2013 Carnegie Mellon University The Problem How confident in C1? Why? What does it mean to have confidence? What could be done to improve confidence? Why?

4 Measuring Assurance Case Confidence Weinstock/Goodenough/Klein, May 2013 © 2013 Carnegie Mellon University How is Confidence in a Hypothesis Increased? A classic philosophical problem: Determining the basis for belief in a hypothesis when it is impossible to examine every possible circumstance covered by the hypothesis Use Induction Enumerative: number of confirming instances (Pascalian) Eliminative: variety of reasons for doubt (Baconian) Measuring support for a hypothesis/claim – Enumerative: support increases with number of confirmations – Eliminative: support increases with the number of excluded alternative explanations, i.e., by eliminating reasons for doubting the claim Defeaters: reasons for doubting a claim

5 Measuring Assurance Case Confidence Weinstock/Goodenough/Klein, May 2013 © 2013 Carnegie Mellon University A Baconian Theory of AC Confidence Confidence is the degree of belief We grade “degree of belief” in terms of the number of eliminated defeaters (reasons for doubt) i out of n reasons for doubt (i/n) 0/n – no confidence n/n – no remaining reasons for doubt 8/10 – residual doubt Fundamental principle: Build confidence by eliminating reasons to doubt the validity of: Claims (look for counter-examples and why they can’t occur) Evidence (look for reasons the evidence might be invalid and show those conditions do not hold) Inference rules (look for conditions under which the rule is not valid and why those conditions do not hold) As reasons for doubt are eliminated, confidence grows (eliminative induction)

6 Measuring Assurance Case Confidence Weinstock/Goodenough/Klein, May 2013 © 2013 Carnegie Mellon University

7 Measuring Assurance Case Confidence Weinstock/Goodenough/Klein, May 2013 © 2013 Carnegie Mellon University Citigroup Tower – New York The design passed all reviews The wind tunnel (and other) tests were successful All parties involved were convinced the building was safe But… The design accounted for straight on wind, not quartering wind Still had adequate safety margins The design accounted for straight on wind, not quartering wind Still had adequate safety margins But construction replaced welded joints with bolted joints The margin of safety was lost

8 Measuring Assurance Case Confidence Weinstock/Goodenough/Klein, May 2013 © 2013 Carnegie Mellon University Concerns with the Baconian Approach What if a relevant defeater has not been identified? What if a defeater cannot be completely eliminated? Surely not all defeaters are of equal importance. How is this handled? Baconian probability seems rather weak in contrast to Bayesian or Pascalian probability. What is being gained or lost? The potential number of defeaters seems incredibly large for a real system. Is this approach practical?

9 Measuring Assurance Case Confidence Weinstock/Goodenough/Klein, May 2013 © 2013 Carnegie Mellon University Unidentified Defeaters Issue: Does the failure to identify a relevant defeater lead to an inflated sense of confidence? The inability to identify some defeaters is itself a reason for doubt that needs to be recognized in a case. An assessment process for reviewing a case will need to take the possibility of missing defeaters into account. A similar problem exists with the use of assurance cases. How can you be sure that your hazard analysis has covered all potential hazards? We always admit the possibility that additional defeaters will be identified in the future (this is what defeasible reasoning is all about). – When we say that we have “complete” confidence in a claim (i.e., that the claim has Baconian probability n|n) we understand that this only reflects what we knew at a particular point in time. The concepts of eliminative induction and defeasible reasoning help in developing sound and complete arguments.

10 Measuring Assurance Case Confidence Weinstock/Goodenough/Klein, May 2013 © 2013 Carnegie Mellon University Partially Eliminated Defeaters Issue: How are defeaters that cannot be completely eliminated dealt with? An argument should state a claim that, if true, serves to completely eliminate an associated defeater. There may be residual doubts about the truth of such a claim, in which case, the same doubts apply to the defeater’s elimination – as an argument is refined, one eventually develops defeaters that are “obviously” eliminated by associated evidence If it is impossible to eliminate some lowest level defeaters, then the associated doubt leads to incomplete elimination of a higher level defeater (and the claim that it defeats.) A goal in developing a convincing argument is to formulate low level defeaters that can be eliminated by appropriate evidence.

11 Measuring Assurance Case Confidence Weinstock/Goodenough/Klein, May 2013 © 2013 Carnegie Mellon University Defeaters of Different (Relative) Importance Issue: It seems reasonable that eliminating some defeaters would lead to higher levels of confidence than eliminating others (of lesser importance). Independent of relative defeater importance, 1|2 (some doubts eliminated) always represents more confidence than 0|2 (no doubts eliminated), and 2|2 (all doubts eliminated) always represents complete confidence Even though the hazards that are represented in a safety case have different likelihoods and impacts relative to one another, they all must be demonstrably mitigated in order to establish sufficient confidence that the system is safe. – Assessing the relative importance of hazards is not practically profitable. A system developer would not use the elimination of low impact defeaters to justify an increase in confidence any more than he would represent minimally unlikely and impactful safety hazards in a safety case.

12 Measuring Assurance Case Confidence Weinstock/Goodenough/Klein, May 2013 © 2013 Carnegie Mellon University Why Baconian Probability? Issue: What is being gained and lost (over Pascalian or Bayesian probability) with this approach? With eliminative induction we learn something concrete about why a system works, and with enumerative induction, we may learn something statistical about the system. The Baconian approach allows us to articulate both the reasons why a system can fail and the reasons why the argument can be defective – Uneliminated defeaters serve to focus additional assurance efforts. the Baconian approach allows evaluation of a system prior to its operational use The Baconian approach avoids confirmation bias The Baconian, Pascalian, and Bayesian approaches inform each other. Make Pascalian claims about system reliability and then elucidate the possibilities that would make you doubt the validity of the claim. Take repeated samples to understand the operational reliability of the system.

13 Measuring Assurance Case Confidence Weinstock/Goodenough/Klein, May 2013 © 2013 Carnegie Mellon University Scalability and Practicality of the Approach Issue: is this approach practical? The number of defeaters relevant to an argument is quite large for a real system. – But the amount of relevant argument and evidence for a real system is inherently quite large. We believe that the Baconian approach allows one to develop a more thorough and cost-effective basis for developing confidence in system behavior than current methods. We hope that this approach will lead to more effective and focused assurance efforts. This all remains to be seen. Our initial interactions with systems developers have been promising.

14 Measuring Assurance Case Confidence Weinstock/Goodenough/Klein, May 2013 © 2013 Carnegie Mellon University Summary The identification of defeaters and how they are eliminated provides framework for assessing confidence The framework provides useful ways of thinking about assurance case deficiencies Identification of deficiencies is the first step towards their mitigation The end result is a stronger assurance case The approach is still under development. We welcome your ideas

15 Measuring Assurance Case Confidence Weinstock/Goodenough/Klein, May 2013 © 2013 Carnegie Mellon University Contact Information Charles B. Weinstock Senior Member of the Technical Staff Software Solutions Division Telephone: U.S. Mail Software Engineering Institute 4500 Fifth Avenue Pittsburgh, PA USA John B. Goodenough SEI Fellow (retired) Software Solutions Division Telephone: Ari Z. Klein Ph.D. Candidate – Rhetoric Software Solutions Division Telephone:

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.