This paper presents Bayesian methods that support conservative dependability claims for a software-based safety-critical system, particularly when evidence suggests the software's executions are not statistically independent. We formalise informal notions of "doubting" that the software's executions are independent, and incorporate such doubts into dependability assessments. We study the extent to which an assumption of independent executions can undermine conservatism in assessments, and identify conditions under which this impact is, or is not, significant. These techniques -- novel extensions of conservative Bayesian inference (CBI) methods -- are illustrated in two applications: the assessment of a nuclear power-plant safety protection system and the assessment of autonomous vehicle (AV) safety. Our analyses reveal: 1) the amount of confidence an assessor must already possess before subjecting a system to operational testing; otherwise, such testing is shown to be futile -- no amount of favourable operational testing evidence will increase one's confidence in the system being sufficiently dependable; 2) the independence assumption supports optimistic claims in certain situations, and conservative claims in other situations; 3) in some scenarios, upon observing a system operate without failure, an assessor's confidence in the system being sufficiently dependable is less than it would be had the system exhibited some failures; 4) posterior confidence in a system being sufficiently dependable is very sensitive to failures -- each additional failure means significantly more operational testing evidence is required in order to support a dependability claim.
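To make findings 2 and 4 concrete, the following is an added illustrative model, not the paper's CBI method and not code from its authors. It assumes a deliberately simple two-point prior (mass theta on an acceptable probability of failure on demand p_ok, the rest on a worse value p_bad) and models dependence between successive demands as a two-state Markov chain with stationary failure probability pfd and lag-1 correlation rho (rho = 0 is the usual independent-demands likelihood). All names, parameter values and the scenario are constructed here; the paper's findings 1 and 3 depend on its own conservative priors and are not reproduced by this toy.

```python
import math
from typing import Optional, Sequence


def _log_step(prev: Optional[int], cur: int, pfd: float, rho: float) -> float:
    """Log-probability of demand outcome `cur` (1 = failure, 0 = success) given the
    previous outcome, under a two-state Markov chain whose stationary failure
    probability is `pfd` and whose lag-1 outcome correlation is `rho`.
    rho = 0 reduces to independent Bernoulli demands; the chain starts stationary.
    (Constructed dependence model for illustration, not the paper's.)"""
    if prev is None:
        p_fail = pfd                          # first demand: stationary probability
    elif prev == 1:
        p_fail = pfd + rho * (1.0 - pfd)      # failures tend to persist when rho > 0
    else:
        p_fail = pfd * (1.0 - rho)            # successes tend to persist when rho > 0
    return math.log(p_fail if cur == 1 else 1.0 - p_fail)


def sequence_log_likelihood(outcomes: Sequence[int], pfd: float, rho: float) -> float:
    """Log-likelihood of a whole observed demand sequence under the chain above."""
    total, prev = 0.0, None
    for cur in outcomes:
        total += _log_step(prev, cur, pfd, rho)
        prev = cur
    return total


def posterior_confidence(outcomes: Sequence[int], theta: float, p_ok: float,
                         p_bad: float, rho: float) -> float:
    """Posterior probability that the true pfd is the acceptable value p_ok, for a
    two-point prior placing mass theta on p_ok and 1 - theta on p_bad."""
    log_ratio = (sequence_log_likelihood(outcomes, p_bad, rho)
                 - sequence_log_likelihood(outcomes, p_ok, rho))
    return theta / (theta + (1.0 - theta) * math.exp(log_ratio))


def demands_needed(target: float, theta: float, p_ok: float, p_bad: float, rho: float,
                   failures: int = 0, max_n: int = 10_000_000) -> Optional[int]:
    """Smallest number of demands n at which posterior confidence reaches `target`,
    when the first `failures` demands fail and every later demand succeeds.
    The posterior is updated incrementally; returns None if `max_n` is not enough."""
    log_ok = log_bad = 0.0
    prev = None
    for n in range(1, max_n + 1):
        cur = 1 if n <= failures else 0
        log_ok += _log_step(prev, cur, p_ok, rho)
        log_bad += _log_step(prev, cur, p_bad, rho)
        prev = cur
        if n > failures:
            conf = theta / (theta + (1.0 - theta) * math.exp(log_bad - log_ok))
            if conf >= target:
                return n
    return None


if __name__ == "__main__":
    # Constructed scenario: claim pfd <= 1e-4 with 99% confidence, with a 50/50 prior
    # between the acceptable pfd and a ten-times-worse alternative.
    theta, p_ok, p_bad, target = 0.5, 1e-4, 1e-3, 0.99
    for rho in (-0.0005, 0.0, 0.5):
        n = demands_needed(target, theta, p_ok, p_bad, rho)
        print(f"rho={rho:+.4f}: failure-free demands needed = {n}")
    for f in (0, 1, 2):
        n = demands_needed(target, theta, p_ok, p_bad, 0.0, failures=f)
        print(f"independent demands, {f} failure(s) observed: demands needed = {n}")
```

Running the scenario shows the two directions of finding 2: with positively correlated demands (rho = 0.5) a failure-free run is less informative, so assuming independence would overstate confidence, while with slightly negatively correlated demands the independence assumption is conservative. The second loop shows finding 4 in this toy setting: each additional observed failure adds roughly a further 2,500 failure-free demands to what is needed to reach the same confidence.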