Conservative Bayesian Assessment of Software-based Systems Exhibiting Correlated Executions

This paper presents Bayesian methods that support conservative dependability claims for a software-based safety-critical system, particularly when evidence suggests the software's executions are not statistically independent. We formalise informal notions of "doubting" that the software's executions are independent, and incorporate such doubts into dependability assessments. We study the extent to which an assumption of independent executions can undermine conservatism in assessments, and identify conditions under which this impact is, or is not, significant. These techniques -- novel extensions of conservative Bayesian inference (CBI) methods -- are illustrated in two applications: the assessment of a nuclear power-plant safety protection system and the assessment of autonomous vehicle (AV) safety. Our analyses reveals: 1) the required amount of confidence an assessor should possess before subjecting a system to operational testing. Otherwise, such testing is shown to be futile -- no amount of favourable operational testing evidence will increase one's confidence in the system being sufficiently dependable; 2) the independence assumption supports optimistic claims in certain situations, and conservative claims in other situations; 3) in some scenarios, upon observing a system operate without failure, an assessor's confidence in the system being sufficiently dependable is less than it would be had the system exhibited some failures; 4) posterior confidence in a system being sufficiently dependable is very sensitive to failures -- each additional failure means significantly more operational testing evidence is required, in order to support a dependability claim.