What is a case? - SRI Internationalfm.csl.sri.com/VeriSure2015/talks/Bloomfield_CAE... ·...
Transcript of What is a case? - SRI Internationalfm.csl.sri.com/VeriSure2015/talks/Bloomfield_CAE... ·...
![Page 1: What is a case? - SRI Internationalfm.csl.sri.com/VeriSure2015/talks/Bloomfield_CAE... · 2020-03-17 · July 2015 PT/2ab/3017/11 ... and tests demonstrate compliance with goals with](https://reader033.fdocuments.us/reader033/viewer/2022042420/5f36c35b9a303b31534bf5a0/html5/thumbnails/1.jpg)
Exmouth House 3–11 Pine Street London EC1R 0JH T +44 20 7832 5850 F +44 20 7832 5853 E [email protected] W www.adelard.com
What is a case? From “What is..” to “What should it be …” Assurance cases as modern art
Robin E Bloomfield Kate Netkachova, Xingyu Zhao and Bev Littlewood [email protected] VerisureWorkshop July 2015 PT/2ab/3017/11
![Page 2: What is a case? - SRI Internationalfm.csl.sri.com/VeriSure2015/talks/Bloomfield_CAE... · 2020-03-17 · July 2015 PT/2ab/3017/11 ... and tests demonstrate compliance with goals with](https://reader033.fdocuments.us/reader033/viewer/2022042420/5f36c35b9a303b31534bf5a0/html5/thumbnails/2.jpg)
© ADELARD
Overview
• Pseudo ethnographic approach • What is a case • What do users do
• Factoring inductive and deductive • Interpretation of CAE Blocks
• An example • pnp and confidence
• Discussion and conclusions • From “What is..” to “What should it be …”
Slide 2
![Page 3: What is a case? - SRI Internationalfm.csl.sri.com/VeriSure2015/talks/Bloomfield_CAE... · 2020-03-17 · July 2015 PT/2ab/3017/11 ... and tests demonstrate compliance with goals with](https://reader033.fdocuments.us/reader033/viewer/2022042420/5f36c35b9a303b31534bf5a0/html5/thumbnails/3.jpg)
© ADELARD
Definitions
• Standards • terminological, referential,
denotational
• Operational • How is it constructed
• Empirical • Investigate artifacts that are
defined as cases by users
• Sociological • What it is used for
– Decision making, getting
past regulator, commodity, recoding personal understanding
• Emotions • Belief
• Analogical and metaphorical • What is it like, how do
people describe them?
• Normative • What should it be
Slide 3
![Page 4: What is a case? - SRI Internationalfm.csl.sri.com/VeriSure2015/talks/Bloomfield_CAE... · 2020-03-17 · July 2015 PT/2ab/3017/11 ... and tests demonstrate compliance with goals with](https://reader033.fdocuments.us/reader033/viewer/2022042420/5f36c35b9a303b31534bf5a0/html5/thumbnails/4.jpg)
© ADELARD
Ethnographic and empirical approach
• Supports decision making • Important ones • Persuasive - documenting reasoning • Assist in understanding or in compliance
• Public and private • Many stakeholders
• Content • Word and pictures • Many variants • Tool large cases… HC
• Process • Engineering process – journey matters • Decision making process
Slide 4
![Page 5: What is a case? - SRI Internationalfm.csl.sri.com/VeriSure2015/talks/Bloomfield_CAE... · 2020-03-17 · July 2015 PT/2ab/3017/11 ... and tests demonstrate compliance with goals with](https://reader033.fdocuments.us/reader033/viewer/2022042420/5f36c35b9a303b31534bf5a0/html5/thumbnails/5.jpg)
© ADELARD
FDA example
Slide 5
•Intended Use •Device Description •Environments of Use •Users •Patient Population
Context
Hazards List / Safety Requirements
Traceability
We have confidence that Device X is
reasonably safe and effective for its
intended use within its environment of use when being used by
intended users
Device Remains safe in use
The manufactured device is safe
The device design is safe
Hazards are identified, safety requirements are developed, and
evidence verifies implementation into final design
Hazards Identification Argument
A risk management process is in place that is capable of reasonably identifying all hazards for the device.
Hazards Identification
•ISO 14971 – Risk Management •Preliminary Hazards List •Failure Modes & Effects Analysis •Fault Tree Analysis •Hazops •System Hazards Analysis •Health Hazards Analysis •Medical Device Reports •Predicate Device Performance •Recalls •Standards
Safety Requirements mitigate hazards,
traceability assures that all hazards are
covered, and residual risks are acceptably
low
Design Process reduces the risk of
introducing hazards through design errors
Residual Risk
Argument
Residual Risk
Evidence
Safety Requirements Implementation Evidence
Design Process
Risk Argument
Design Process
Evidence
Functional performance
Evidence
Clinical Evidence
/ Justification
Reliability goals are clinically
acceptable
Reliability for
safety goals
System reliability goals are established for
safety and evidence demonstrates final
design meets the goals
Reliability
Evidence
Reliability Analysis and tests
demonstrate compliance with
goals with consideration of environments of use, duration of
use, and intended users
Evidence
The manufacturing
process produces the
designed device
The user receives the
designed device
Evidence
Effective processes are
in place to assure that
field problems are fixed
correctly and efficiently
Evidence
Field experience is
used to inform and improve
hazards identification and reliability
processes
Evidence
Performance over time Performance
Risk Management
Quality Systems as it relates to safety
Real life experience and feedback into design for safety
Device is designed for
manufacturability
Evidence
21 CFR 860.7(b)(1) 21 CFR 860.7(b)(2)
21 CFR 860.7(b)(4)
21 CFR 860.7(d)(1)
Functional performance is verified and valid for its indications for use
21 CFR 860.7(b)(3) 21 CFR 820.30(f) 21 CFR 820.30(g) 21 CFR 860.7(b)(3)
21 CFR 860.7(b)(4) 21 CFR 820.30(h)
21 CFR 820
21 CFR 820 21 CFR 803 21 CFR 806
The device design is effective
21 CFR 860.7(e)(1)
Safety Requirements
are clinically valid
Evidence
21 CFR 860.7
![Page 6: What is a case? - SRI Internationalfm.csl.sri.com/VeriSure2015/talks/Bloomfield_CAE... · 2020-03-17 · July 2015 PT/2ab/3017/11 ... and tests demonstrate compliance with goals with](https://reader033.fdocuments.us/reader033/viewer/2022042420/5f36c35b9a303b31534bf5a0/html5/thumbnails/6.jpg)
© ADELARD
Reasoning, communication, confidence
Slide 6
Meta-case Case about the case
Case development and challenge
![Page 7: What is a case? - SRI Internationalfm.csl.sri.com/VeriSure2015/talks/Bloomfield_CAE... · 2020-03-17 · July 2015 PT/2ab/3017/11 ... and tests demonstrate compliance with goals with](https://reader033.fdocuments.us/reader033/viewer/2022042420/5f36c35b9a303b31534bf5a0/html5/thumbnails/7.jpg)
© ADELARD
Development of assurance
��� ��� ����������������
������ ����������� ����#�������������� ��
�������
����� ��� � �� ���������! �����������
� ������������� �������������������������
�������������������!������ ����
� ����������� ��������
� ������� ����� ������������ ����
����� ��#������������������������
����� ����� #��������������
���� ����������"��#
���� ������������ ��#
���� ���#���������� ����
---
���� ���������������
������������ ���#�
����������
Increased work load
�������#---
more difficult access
-----
-----
++
Claim C
Argument A
sub Claim C11
sub Claim C12
W: C11 /\ C12 => C1
Argument A
sub Claim C11
sub Claim C12
W: C11 /\ C12 => C1
Argument A
sub Claim C11
sub Claim C12
W: C11 /\ C12 => C1
Argument A
sub Claim C11
sub Claim C12
W: C11 /\ C12 => C1
Influence diagram CAE structure
Engineeering modelsMental models
![Page 8: What is a case? - SRI Internationalfm.csl.sri.com/VeriSure2015/talks/Bloomfield_CAE... · 2020-03-17 · July 2015 PT/2ab/3017/11 ... and tests demonstrate compliance with goals with](https://reader033.fdocuments.us/reader033/viewer/2022042420/5f36c35b9a303b31534bf5a0/html5/thumbnails/8.jpg)
© ADELARD
Different types of case
• Extreme behaviourist • Vs standards compliance person
• Modified with other principles • Good design • Defence in depth • Quality components
Property-based
Vulnerability assessment
Standards compliance
Safetyjustification
![Page 9: What is a case? - SRI Internationalfm.csl.sri.com/VeriSure2015/talks/Bloomfield_CAE... · 2020-03-17 · July 2015 PT/2ab/3017/11 ... and tests demonstrate compliance with goals with](https://reader033.fdocuments.us/reader033/viewer/2022042420/5f36c35b9a303b31534bf5a0/html5/thumbnails/9.jpg)
© ADELARD
Structured Safety or Assurance Case
• “a documented body of evidence that provides a convincing and valid argument that a system is adequately safe for a given application in a given environment”
Claim
Sub-Claim
Argument
Evidence
![Page 10: What is a case? - SRI Internationalfm.csl.sri.com/VeriSure2015/talks/Bloomfield_CAE... · 2020-03-17 · July 2015 PT/2ab/3017/11 ... and tests demonstrate compliance with goals with](https://reader033.fdocuments.us/reader033/viewer/2022042420/5f36c35b9a303b31534bf5a0/html5/thumbnails/10.jpg)
© ADELARD
In practice … the engineering
Slide 10
![Page 11: What is a case? - SRI Internationalfm.csl.sri.com/VeriSure2015/talks/Bloomfield_CAE... · 2020-03-17 · July 2015 PT/2ab/3017/11 ... and tests demonstrate compliance with goals with](https://reader033.fdocuments.us/reader033/viewer/2022042420/5f36c35b9a303b31534bf5a0/html5/thumbnails/11.jpg)
© ADELARD
In practice …
Main notations GSN and CAE
![Page 12: What is a case? - SRI Internationalfm.csl.sri.com/VeriSure2015/talks/Bloomfield_CAE... · 2020-03-17 · July 2015 PT/2ab/3017/11 ... and tests demonstrate compliance with goals with](https://reader033.fdocuments.us/reader033/viewer/2022042420/5f36c35b9a303b31534bf5a0/html5/thumbnails/12.jpg)
© ADELARD
FDA example
Slide 12
•Intended Use •Device Description •Environments of Use •Users •Patient Population
Context
Hazards List / Safety Requirements
Traceability
We have confidence that Device X is
reasonably safe and effective for its
intended use within its environment of use when being used by
intended users
Device Remains safe in use
The manufactured device is safe
The device design is safe
Hazards are identified, safety requirements are developed, and
evidence verifies implementation into final design
Hazards Identification Argument
A risk management process is in place that is capable of reasonably identifying all hazards for the device.
Hazards Identification
•ISO 14971 – Risk Management •Preliminary Hazards List •Failure Modes & Effects Analysis •Fault Tree Analysis •Hazops •System Hazards Analysis •Health Hazards Analysis •Medical Device Reports •Predicate Device Performance •Recalls •Standards
Safety Requirements mitigate hazards,
traceability assures that all hazards are
covered, and residual risks are acceptably
low
Design Process reduces the risk of
introducing hazards through design errors
Residual Risk
Argument
Residual Risk
Evidence
Safety Requirements Implementation Evidence
Design Process
Risk Argument
Design Process
Evidence
Functional performance
Evidence
Clinical Evidence
/ Justification
Reliability goals are clinically
acceptable
Reliability for
safety goals
System reliability goals are established for
safety and evidence demonstrates final
design meets the goals
Reliability
Evidence
Reliability Analysis and tests
demonstrate compliance with
goals with consideration of environments of use, duration of
use, and intended users
Evidence
The manufacturing
process produces the
designed device
The user receives the
designed device
Evidence
Effective processes are
in place to assure that
field problems are fixed
correctly and efficiently
Evidence
Field experience is
used to inform and improve
hazards identification and reliability
processes
Evidence
Performance over time Performance
Risk Management
Quality Systems as it relates to safety
Real life experience and feedback into design for safety
Device is designed for
manufacturability
Evidence
21 CFR 860.7(b)(1) 21 CFR 860.7(b)(2)
21 CFR 860.7(b)(4)
21 CFR 860.7(d)(1)
Functional performance is verified and valid for its indications for use
21 CFR 860.7(b)(3) 21 CFR 820.30(f) 21 CFR 820.30(g) 21 CFR 860.7(b)(3)
21 CFR 860.7(b)(4) 21 CFR 820.30(h)
21 CFR 820
21 CFR 820 21 CFR 803 21 CFR 806
The device design is effective
21 CFR 860.7(e)(1)
Safety Requirements
are clinically valid
Evidence
21 CFR 860.7
![Page 13: What is a case? - SRI Internationalfm.csl.sri.com/VeriSure2015/talks/Bloomfield_CAE... · 2020-03-17 · July 2015 PT/2ab/3017/11 ... and tests demonstrate compliance with goals with](https://reader033.fdocuments.us/reader033/viewer/2022042420/5f36c35b9a303b31534bf5a0/html5/thumbnails/13.jpg)
© ADELARD
CAE Blocks – generic fragments
• Design goal • Empirically based – sufficiently expressive • Technically sound and able to link to more formal approaches
• Support structuring • Useful as restrict choice • In practice cases might combine blocks, use understood and
problem specific approaches – Many different styles
• Maturity • Ideas around ~5 yrs • Used in nuclear industry case studies and R&D and part of our
thinking • Technical paper available and draft guidance
Slide 13
![Page 14: What is a case? - SRI Internationalfm.csl.sri.com/VeriSure2015/talks/Bloomfield_CAE... · 2020-03-17 · July 2015 PT/2ab/3017/11 ... and tests demonstrate compliance with goals with](https://reader033.fdocuments.us/reader033/viewer/2022042420/5f36c35b9a303b31534bf5a0/html5/thumbnails/14.jpg)
© ADELARD
5 Building Blocks
Concretion
Decomposition
Substitution Calculation
Evidence
incorporation
• Decomposition Partition some aspect of the claim
• Substitution Refine a claim about an object into claim about an equivalent object
• Evidence incorporation Evidence supports the claim
• Concretion Some aspect of the claim is given a more precise definition
• Calculation or proof Some value of the claim can be computed or proved
• Also composite blocks
![Page 15: What is a case? - SRI Internationalfm.csl.sri.com/VeriSure2015/talks/Bloomfield_CAE... · 2020-03-17 · July 2015 PT/2ab/3017/11 ... and tests demonstrate compliance with goals with](https://reader033.fdocuments.us/reader033/viewer/2022042420/5f36c35b9a303b31534bf5a0/html5/thumbnails/15.jpg)
© ADELARD
A helping hand with CAE
Slide 15
!
![Page 16: What is a case? - SRI Internationalfm.csl.sri.com/VeriSure2015/talks/Bloomfield_CAE... · 2020-03-17 · July 2015 PT/2ab/3017/11 ... and tests demonstrate compliance with goals with](https://reader033.fdocuments.us/reader033/viewer/2022042420/5f36c35b9a303b31534bf5a0/html5/thumbnails/16.jpg)
© ADELARD
CAE stack
Generic guidance
Application specific
Slide 16
![Page 17: What is a case? - SRI Internationalfm.csl.sri.com/VeriSure2015/talks/Bloomfield_CAE... · 2020-03-17 · July 2015 PT/2ab/3017/11 ... and tests demonstrate compliance with goals with](https://reader033.fdocuments.us/reader033/viewer/2022042420/5f36c35b9a303b31534bf5a0/html5/thumbnails/17.jpg)
© ADELARD
General structure of a block
General block structure
Claim
Subclaim nSubclaim 2
Argument
Subclaim 1 - - -
Sidewarrant
Systeminformation
Externalbacking
CAE blocks are a series of archetypal argument fragments. They are based on the CAE normal form with further simplification and enhancements.
Slide 17
![Page 18: What is a case? - SRI Internationalfm.csl.sri.com/VeriSure2015/talks/Bloomfield_CAE... · 2020-03-17 · July 2015 PT/2ab/3017/11 ... and tests demonstrate compliance with goals with](https://reader033.fdocuments.us/reader033/viewer/2022042420/5f36c35b9a303b31534bf5a0/html5/thumbnails/18.jpg)
© ADELARD
Side warrants
• The argument node can be descriptive
• The side warrant helps make the argument and can be supported with backing
• It address the “because ..?” questions in more detail • Simple semantics is • C11 /\ C12 /\ W => C1
• When we use a block we need to show: • Verification of the block • Validity with respect to the real world e.g. whether“1+1 = 2”
Slide 18
![Page 19: What is a case? - SRI Internationalfm.csl.sri.com/VeriSure2015/talks/Bloomfield_CAE... · 2020-03-17 · July 2015 PT/2ab/3017/11 ... and tests demonstrate compliance with goals with](https://reader033.fdocuments.us/reader033/viewer/2022042420/5f36c35b9a303b31534bf5a0/html5/thumbnails/19.jpg)
© ADELARD
Decomposition block
• A claim that an object X has property P is justified from claims about other objects and properties
Slide 19
P(X)
- - -
Decomposition
P1(X1) P2(X2) Pn(Xn)
Side-warrants depend onparticular application. See
discussion.
![Page 20: What is a case? - SRI Internationalfm.csl.sri.com/VeriSure2015/talks/Bloomfield_CAE... · 2020-03-17 · July 2015 PT/2ab/3017/11 ... and tests demonstrate compliance with goals with](https://reader033.fdocuments.us/reader033/viewer/2022042420/5f36c35b9a303b31534bf5a0/html5/thumbnails/20.jpg)
© ADELARD
Decomposition block – single property
Example of a single object decomposition
Slide 20
![Page 21: What is a case? - SRI Internationalfm.csl.sri.com/VeriSure2015/talks/Bloomfield_CAE... · 2020-03-17 · July 2015 PT/2ab/3017/11 ... and tests demonstrate compliance with goals with](https://reader033.fdocuments.us/reader033/viewer/2022042420/5f36c35b9a303b31534bf5a0/html5/thumbnails/21.jpg)
© ADELARD
Slide 21
= +
![Page 22: What is a case? - SRI Internationalfm.csl.sri.com/VeriSure2015/talks/Bloomfield_CAE... · 2020-03-17 · July 2015 PT/2ab/3017/11 ... and tests demonstrate compliance with goals with](https://reader033.fdocuments.us/reader033/viewer/2022042420/5f36c35b9a303b31534bf5a0/html5/thumbnails/22.jpg)
© ADELARD
Oranges – 1+ 1 =2
• Pressure, temperature
• Timescales • Rotting
• Hidden • Extra
• Fake • Explosive (looks like an orange …)
• Dropped, squashed • Process of combining
• What does “two” oranges mean • Juice, contents, dimensions as a whole fruit
• Claim(X, property, environment) + Block
Slide 22
![Page 23: What is a case? - SRI Internationalfm.csl.sri.com/VeriSure2015/talks/Bloomfield_CAE... · 2020-03-17 · July 2015 PT/2ab/3017/11 ... and tests demonstrate compliance with goals with](https://reader033.fdocuments.us/reader033/viewer/2022042420/5f36c35b9a303b31534bf5a0/html5/thumbnails/23.jpg)
© ADELARD
Inductive/deductive – Verify/validate
Slide 23
M(I) has propM(P, C)
substitutionby model
concretion byprecise
definition
I has prop P0under cond C
I has prop Punder cond C
Model is adequate. 'Ihas prop P under cond
C' is implied by 'M(I)has prop M(P, C)'
decompositionby components
M(I), M(P),M(C) areadequate
Model iscomposed of
M(I), M(P), M(C)and Tool
Tool andtheory areadequate
P0 isinterpreted
as P
Deductive
Inductive
![Page 24: What is a case? - SRI Internationalfm.csl.sri.com/VeriSure2015/talks/Bloomfield_CAE... · 2020-03-17 · July 2015 PT/2ab/3017/11 ... and tests demonstrate compliance with goals with](https://reader033.fdocuments.us/reader033/viewer/2022042420/5f36c35b9a303b31534bf5a0/html5/thumbnails/24.jpg)
© ADELARD
Application
Slide 24
![Page 25: What is a case? - SRI Internationalfm.csl.sri.com/VeriSure2015/talks/Bloomfield_CAE... · 2020-03-17 · July 2015 PT/2ab/3017/11 ... and tests demonstrate compliance with goals with](https://reader033.fdocuments.us/reader033/viewer/2022042420/5f36c35b9a303b31534bf5a0/html5/thumbnails/25.jpg)
© ADELARD
Simple example – smart device
• Seek perfection, achieve high reliability – engineering
• Population of devices à very high reliability claims for 95% confidence no death from product line
• Equivalent claim – pnp < 5%
• Also John, Bev, Andrey Povyakalo’s work on architectures
Slide 25
![Page 26: What is a case? - SRI Internationalfm.csl.sri.com/VeriSure2015/talks/Bloomfield_CAE... · 2020-03-17 · July 2015 PT/2ab/3017/11 ... and tests demonstrate compliance with goals with](https://reader033.fdocuments.us/reader033/viewer/2022042420/5f36c35b9a303b31534bf5a0/html5/thumbnails/26.jpg)
© ADELARD
Slide 26
![Page 27: What is a case? - SRI Internationalfm.csl.sri.com/VeriSure2015/talks/Bloomfield_CAE... · 2020-03-17 · July 2015 PT/2ab/3017/11 ... and tests demonstrate compliance with goals with](https://reader033.fdocuments.us/reader033/viewer/2022042420/5f36c35b9a303b31534bf5a0/html5/thumbnails/27.jpg)
Slide 27
Proverresults"True"
M(I) has propM(P, C)
I has prop P0under cond C
I has prop Punder cond C
P0 isinterpreted
as P
concretion byprecise
definition
evidenceincorporation
substitutionby model
Model is adequate. 'Ihas prop P under cond
C' is implied by 'M(I)has prop M(P, C)'
substitutionby model
concretion byprecise
definition
P0 isinterpreted
as P
substitution byequivalentproperty
Satisfies Reqsis equivalent to
P
I has prop Punder cond C
I has prop P0under cond C
Model is adequate. 'Ihas prop SR under
cond C' is implied by'M(I) has prop M(P, C)'
M(I) has propM(SR, C)
Proverresults"True"
evidenceincorporation
I has propSatisfies Reqs
(SR) undercond C
![Page 28: What is a case? - SRI Internationalfm.csl.sri.com/VeriSure2015/talks/Bloomfield_CAE... · 2020-03-17 · July 2015 PT/2ab/3017/11 ... and tests demonstrate compliance with goals with](https://reader033.fdocuments.us/reader033/viewer/2022042420/5f36c35b9a303b31534bf5a0/html5/thumbnails/28.jpg)
Experimental environment
Slide 28
Analysis report of exceptions
Auto proof failedbut still true
Showconditions met
by alternateanalysis
Only types ofexception are prooffailed or not shown
decompositionby types ofexception
Argue that eitherfalse positive, are
really true and doesot matter
Auto proof notable to decide
but still true
decomposition byexception condition
MX does not haveMP - with exception
conditions CX
MX has MP -without exception
conditions CX
Evidenceincorporation
Report of applicationof tool and results
M(I) has propM(P, C)
Fail unrevealednot credible
givenassumptionsabout model
MX has MP is composedof true cases without
exceptions CX and withexception conditions CX
Could define an "adequate tool" block. Adress no unrevealed
failures of analysis, toolreliability based on theory
validity and correctimplementation of it
[^]
![Page 29: What is a case? - SRI Internationalfm.csl.sri.com/VeriSure2015/talks/Bloomfield_CAE... · 2020-03-17 · July 2015 PT/2ab/3017/11 ... and tests demonstrate compliance with goals with](https://reader033.fdocuments.us/reader033/viewer/2022042420/5f36c35b9a303b31534bf5a0/html5/thumbnails/29.jpg)
© ADELARD
Evidence incorporation – explicit trust
Evidencedemonstrates X
decompositionby subproperty
Demonstration requiresdirect trustworthy evidence
Evidence istrustworthy
evidenceincorporation
Report showing X
Evidence purports todemonstrate X
"Trustworthy" could beexpanded into attributes such
as relevant, traceable.However, evidence about
evidence could get horriblyrecursive.
Slide 29
![Page 30: What is a case? - SRI Internationalfm.csl.sri.com/VeriSure2015/talks/Bloomfield_CAE... · 2020-03-17 · July 2015 PT/2ab/3017/11 ... and tests demonstrate compliance with goals with](https://reader033.fdocuments.us/reader033/viewer/2022042420/5f36c35b9a303b31534bf5a0/html5/thumbnails/30.jpg)
Model fidelity
Slide 30
Evidenceincorporation
MX has MP is composedof true cases without
exceptions CX and withexception conditions CX
MX does not haveMP - with exception
conditions CX
Analysis report of exceptions
MX has MP -without exception
conditions CX
Auto proof failedbut still true
decomposition byexception condition
Showconditions met
by alternateanalysis
Only types ofexception are prooffailed or not shown
decompositionby types ofexception
Argue that eitherfalse positive, are
really true and doesot matter
Report of applicationof tool and results
M(I) has propM(P, C)
Auto proof notable to decide
but still true
substitutionby model
I has prop Punder cond C
I has prop P0under cond C
concretion byprecise
definition
P0 isinterpreted
as P
Model is adequate. 'Ihas prop P under cond
C' is implied by 'M(I)has prop M(P, C)'
decompositionby components
Model iscomposed of
M(I), M(P), M(C)and Tool
Fail unrevealed notcredible given
assumptions aboutmodel fidelity and
tool reliability
Could define an "adequate tool" block. Adress no unrevealed
failures of analysis, toolreliability based on theory
validity and correctimplementation of it
M(I), M(P),M(C) areadequate
Tool andtheory areadequate
Validation reportshowing validity of
model
Model is adequate. 'Ihas prop P under cond
C' is implied by 'M(I)has prop M(P, C)'
decompositionby components
Model iscomposed of
M(I), M(P), M(C)and Tool
Could define an "adequate tool" block. Adress no unrevealed
failures of analysis, toolreliability based on theory
validity and correctimplementation of it
M(I), M(P),M(C) areadequate
Tool andtheory areadequate
Validation reportshowing validity of
model
![Page 31: What is a case? - SRI Internationalfm.csl.sri.com/VeriSure2015/talks/Bloomfield_CAE... · 2020-03-17 · July 2015 PT/2ab/3017/11 ... and tests demonstrate compliance with goals with](https://reader033.fdocuments.us/reader033/viewer/2022042420/5f36c35b9a303b31534bf5a0/html5/thumbnails/31.jpg)
Slide 31
Experimental sentencing
Model validity
Trustworthiness of evidence
Requirements derivation and validity
Evidenceincorporation
MX has MP is composedof true cases without
exceptions CX and withexception conditions CX
MX does not haveMP - with exception
conditions CX
Analysis report of exceptions
MX has MP -without exception
conditions CX
Auto proof failedbut still true
decomposition byexception condition
Showconditions met
by alternateanalysis
Only types ofexception are prooffailed or not shown
decompositionby types ofexception
Argue that eitherfalse positive, are
really true and doesot matter
Report of applicationof tool and results
M(I) has propM(P, C)
Auto proof notable to decide
but still true
substitutionby model
I has prop Punder cond C
I has prop P0under cond C
concretion byprecise
definition
P0 isinterpreted
as P
Model is adequate. 'Ihas prop P under cond
C' is implied by 'M(I)has prop M(P, C)'
decompositionby components
Model iscomposed of
M(I), M(P), M(C)and Tool
Fail unrevealed notcredible given
assumptions aboutmodel fidelity and
tool reliability
Could define an "adequate tool" block. Adress no unrevealed
failures of analysis, toolreliability based on theory
validity and correctimplementation of it
M(I), M(P),M(C) areadequate
Tool andtheory areadequate
Validation reportshowing validity of
model
Tool reliability and validity
Evidencedemonstrates X
decompositionby subproperty
Demonstration requiresdirect trustworthy evidence
Evidence istrustworthy
evidenceincorporation
Report showing X
Evidence purports todemonstrate X
"Trustworthy" could beexpanded into attributes such
as relevant, traceable.However, evidence about
evidence could get horriblyrecursive.
![Page 32: What is a case? - SRI Internationalfm.csl.sri.com/VeriSure2015/talks/Bloomfield_CAE... · 2020-03-17 · July 2015 PT/2ab/3017/11 ... and tests demonstrate compliance with goals with](https://reader033.fdocuments.us/reader033/viewer/2022042420/5f36c35b9a303b31534bf5a0/html5/thumbnails/32.jpg)
© ADELARD
Doubts – epistemic uncertainties
• Drivers – real world risks and probabilistic requirements • Implicit or explicit
• What are these and how to combine • Irony of diversity
• Research on conservative approaches • Sum of doubts • Inclusion/exclusion principle • Sum of doubts not conservative
– BBN – Littlewood Wright • Argument is not precise enough
– So in CAE terms its nodes + argument – Lack of analysis and confusing abstract evidence for test
reports
• Whatever approach need data or judgments on doubts
Slide 32
![Page 33: What is a case? - SRI Internationalfm.csl.sri.com/VeriSure2015/talks/Bloomfield_CAE... · 2020-03-17 · July 2015 PT/2ab/3017/11 ... and tests demonstrate compliance with goals with](https://reader033.fdocuments.us/reader033/viewer/2022042420/5f36c35b9a303b31534bf5a0/html5/thumbnails/33.jpg)
© ADELARD
Applying safety analysis to cases
• Analysis of decision making
• Hazops
• Preliminary hazard list • Experience • Common vulnerabilities • Common fallacies
• Develop analysis approach
Slide 33
![Page 34: What is a case? - SRI Internationalfm.csl.sri.com/VeriSure2015/talks/Bloomfield_CAE... · 2020-03-17 · July 2015 PT/2ab/3017/11 ... and tests demonstrate compliance with goals with](https://reader033.fdocuments.us/reader033/viewer/2022042420/5f36c35b9a303b31534bf5a0/html5/thumbnails/34.jpg)
© ADELARD
Avoiding the McNamara fallacy
“The first step is to measure whatever can be easily measured. This is OK as far as it goes. The second step is to disregard that which can't be easily measured or to give it an arbitrary quantitative value. This is artificial and misleading. The third step is to presume that what can't be measured easily really isn't important. This is blindness. The fourth step is to say that what can't be easily measured really doesn't exist. This is suicide.”
• —Daniel Yankelovich "Corporate Priorities: A continuing study of the new demands on business." (1972)
• http://en.wikipedia.org/wiki/McNamara_fallacy
Slide 34
![Page 35: What is a case? - SRI Internationalfm.csl.sri.com/VeriSure2015/talks/Bloomfield_CAE... · 2020-03-17 · July 2015 PT/2ab/3017/11 ... and tests demonstrate compliance with goals with](https://reader033.fdocuments.us/reader033/viewer/2022042420/5f36c35b9a303b31534bf5a0/html5/thumbnails/35.jpg)
© ADELARD
Types of doubt
Slide 35
![Page 36: What is a case? - SRI Internationalfm.csl.sri.com/VeriSure2015/talks/Bloomfield_CAE... · 2020-03-17 · July 2015 PT/2ab/3017/11 ... and tests demonstrate compliance with goals with](https://reader033.fdocuments.us/reader033/viewer/2022042420/5f36c35b9a303b31534bf5a0/html5/thumbnails/36.jpg)
© ADELARD
Example
• If case uses accepted blocks with high level of trust
Slide 36
![Page 37: What is a case? - SRI Internationalfm.csl.sri.com/VeriSure2015/talks/Bloomfield_CAE... · 2020-03-17 · July 2015 PT/2ab/3017/11 ... and tests demonstrate compliance with goals with](https://reader033.fdocuments.us/reader033/viewer/2022042420/5f36c35b9a303b31534bf5a0/html5/thumbnails/37.jpg)
© ADELARD
Calculus of doubt/confidence
• Speculation …
Slide 37
![Page 38: What is a case? - SRI Internationalfm.csl.sri.com/VeriSure2015/talks/Bloomfield_CAE... · 2020-03-17 · July 2015 PT/2ab/3017/11 ... and tests demonstrate compliance with goals with](https://reader033.fdocuments.us/reader033/viewer/2022042420/5f36c35b9a303b31534bf5a0/html5/thumbnails/38.jpg)
© ADELARD
Discussion and conclusions
• From “What is..” to “What should it be …” • Examined actual use of cases
• Develop structuring approach • Useful to see in deductive/inductive split
• Experimenting with conservative approach to doubts • Calculus options and when valid • Types of doubt • Evaluation – how?
• Next steps – more normative view • Modularity, templates • Beta application via courses, industry workshops • Tool support • Assess transition challenge and maturity
Slide 38
![Page 39: What is a case? - SRI Internationalfm.csl.sri.com/VeriSure2015/talks/Bloomfield_CAE... · 2020-03-17 · July 2015 PT/2ab/3017/11 ... and tests demonstrate compliance with goals with](https://reader033.fdocuments.us/reader033/viewer/2022042420/5f36c35b9a303b31534bf5a0/html5/thumbnails/39.jpg)
© ADELARD
WOSD 2015
• Workshop at ISSRE 2015
• Fifth Workshop on Open Systems Dependability (WOSD 2015)
Slide 39