This paper presents Bayesian methods that support conservative dependability claims for a software-based safety-critical system, particularly when evidence suggests the software's executions are not statistically independent. We formalise informal notions of "doubting" that the software's executions are independent, and incorporate such doubts into dependability assessments. We study the extent to which an assumption of independent executions can undermine conservatism in assessments, and identify conditions under which this impact is, or is not, significant. These techniques, novel extensions of conservative Bayesian inference (CBI) methods, are illustrated in two applications: the assessment of a nuclear power-plant safety protection system and the assessment of autonomous vehicle (AV) safety. Our analyses reveal: 1) the amount of confidence an assessor must already possess before subjecting a system to operational testing; below this level such testing is futile, since no amount of favourable operational testing evidence will increase one's confidence that the system is sufficiently dependable; 2) the independence assumption supports optimistic claims in some situations and conservative claims in others; 3) in some scenarios, an assessor's confidence that the system is sufficiently dependable, after observing it operate without failure, is lower than it would be had the system exhibited some failures; 4) posterior confidence that a system is sufficiently dependable is very sensitive to failures: each additional failure means significantly more operational testing evidence is required to support a dependability claim.
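To make finding 4 concrete, the following is an added worked example, not the paper's CBI method and not code from its authors. It uses the textbook Beta-Binomial model, which assumes a Beta prior over the probability of failure on demand (pfd) and statistically independent demands, exactly the independence assumption the paper questions. It computes how many demands must be observed before an assessor can claim P(pfd <= target) >= confidence, and how that number grows with each observed failure. The uniform Beta(1, 1) prior, the target pfd of 0.01 and the 0.99 confidence level are assumptions chosen for illustration.

```python
"""Toy Beta-Binomial assessment of a probability of failure on demand (pfd).

Added illustration, not the paper's CBI method: it assumes a Beta prior and
statistically independent demands (the assumption the paper questions), and
shows how much operational testing is needed to support P(pfd <= target) >=
confidence, and how each observed failure raises that bar.
"""
from math import comb


def beta_cdf(p, a, b):
    """P(X <= p) for X ~ Beta(a, b) with positive integer a, b.

    Uses the identity I_p(a, b) = P(Bin(a + b - 1, p) >= a), so no special
    functions are needed; the lower binomial tail is summed and complemented.
    """
    if not 0.0 <= p <= 1.0:
        raise ValueError("p must lie in [0, 1]")
    if a < 1 or b < 1:
        raise ValueError("a and b must be positive integers")
    n = a + b - 1
    lower = sum(comb(n, k) * p**k * (1.0 - p) ** (n - k) for k in range(a))
    return 1.0 - lower


def posterior_confidence(a, b, n, r, target):
    """P(pfd <= target | r failures in n independent demands), Beta(a, b) prior.

    With a Bernoulli likelihood the posterior is Beta(a + r, b + n - r).
    """
    if r > n:
        raise ValueError("cannot observe more failures than demands")
    return beta_cdf(target, a + r, b + n - r)


def demands_needed(a, b, r, target, confidence, max_n=100_000):
    """Smallest n such that r failures in n demands still support the claim.

    Returns None if max_n demands are not enough (search bound is assumed).
    """
    for n in range(r, max_n + 1):
        if posterior_confidence(a, b, n, r, target) >= confidence:
            return n
    return None


if __name__ == "__main__":
    A, B = 1, 1      # uniform prior on pfd: an assumption for illustration
    TARGET = 1e-2    # dependability claim under assessment: pfd <= 0.01
    CONF = 0.99      # required posterior confidence in that claim
    for r in range(4):
        n = demands_needed(A, B, r, TARGET, CONF)
        print(f"{r} failure(s): {n} demands needed for "
              f"P(pfd <= {TARGET}) >= {CONF}")
```

With a uniform prior and no failures, the claim needs 458 failure-free demands (the closed form is 1 - (1 - target)^(n + 1) >= confidence); a single failure pushes the requirement past 650 demands, and each further failure adds more again. Under dependence between demands, which this model ignores, the paper argues the picture can be different still.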