Assessing Asymmetric Fault-Tolerant Software

Popov, Peter; Strigini, Lorenzo

doi:10.1109/issre.2010.10

Cited by 8 publications

(13 citation statements)

References 19 publications

(34 reference statements)

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Indeed, it is likely to affect their situation awareness (and thus their ability to detect potentially dangerous situations) and/or their trust in the AV (and thus their readiness to believe that their intervention is needed to resolve that situation). Also, the probability of a safety subsystem (like a human driver) taking successful action depends on the probability distribution of the demands on it created by the ML-based functions' failures [36,46,47], which will vary as the ML-based system evolves.…”

Section: Potential Fallacies In Using Disengagement Data And/or Extramentioning

confidence: 99%

Assessing safety-critical systems from operational testing: A study on autonomous vehicles

Zhao

Salako

Strigini

et al. 2020

Information and Software Technology

Self Cite

View full text Add to dashboard Cite

Context: Demonstrating high reliability and safety for safety-critical systems (SCSs) remains a hard problem. Diverse evidence needs to be combined in a rigorous way: in particular, results of operational testing with other evidence from design and verification. Growing use of machine learning in SCSs, by precluding most established methods for gaining assurance, makes evidence from operational testing even more important for supporting safety and reliability claims. Objective: We revisit the problem of using operational testing to demonstrate high reliability. We use Autonomous Vehicles (AVs) as a current example. AVs are making their debut on public roads: methods for assessing whether an AV is safe enough are urgently needed. We demonstrate how to answer 5 questions that would arise in assessing an AV type, starting with those proposed by a highly-cited study. Method: We apply new theorems extending our Conservative Bayesian Inference (CBI) approach, which exploit the rigour of Bayesian methods while reducing the risk of involuntary misuse associated (we argue) with now-common applications of Bayesian inference; we define additional conditions needed for applying these methods to AVs. Results: Prior knowledge can bring substantial advantages if the AV design allows strong expectations of safety before road testing. We also show how naive attempts at conservative assessment may lead to over-optimism instead; why extrapolating the trend of disengagements (take-overs by human drivers) is not suitable for safety claims; use of knowledge that an AV has moved to a "less stressful" environment. Conclusion: While some reliability targets will remain too high to be practically verifiable, our CBI approach removes a major source of doubt: it allows use of prior knowledge without inducing dangerously optimistic biases. For certain ranges of required reliability and prior beliefs, CBI thus supports feasible, sound arguments. Useful conservative claims can be derived from limited prior knowledge.

show abstract

Section: Potential Fallacies In Using Disengagement Data And/or Extramentioning

confidence: 99%

Assessing safety-critical systems from operational testing: A study on autonomous vehicles

Zhao

Salako

Strigini

et al. 2020

Information and Software Technology

Self Cite

View full text Add to dashboard Cite

show abstract

“…), and use "failure rate" both in its technical meaning as the parameter (dpm) of, say, a Poisson process, and for the probability of failure per mile in a Bernoulli model (pfm, pcm). 5 "A first approximation" because the evolution of the ML-based core changes the set of failures to be tolerated by the safety subsystem (cf [22]).…”

Section: Operational Testing and Failure Processesmentioning

confidence: 99%

Assessing the Safety and Reliability of Autonomous Vehicles from Road Testing

Zhao

Robu

Flynn

et al. 2019

2019 IEEE 30th International Symposium on Software Reliability Engineering (ISSRE)

Self Cite

View full text Add to dashboard Cite

There is an urgent societal need to assess whether autonomous vehicles (AVs) are safe enough. From published quantitative safety and reliability assessments of AVs, we know that, given the goal of predicting very low rates of accidents, road testing alone requires infeasible numbers of miles to be driven. However, previous analyses do not consider any knowledge prior to road testing -knowledge which could bring substantial advantages if the AV design allows strong expectations of safety before road testing. We present the advantages of a new variant of Conservative Bayesian Inference (CBI), which uses prior knowledge while avoiding optimistic biases. We then study the trend of disengagements (take-overs by human drivers) by applying Software Reliability Growth Models (SRGMs) to data from Waymo's public road testing over 51 months, in view of the practice of software updates during this testing. Our approach is to not trust any specific SRGM, but to assess forecast accuracy and then improve forecasts. We show that, coupled with accuracy assessment and recalibration techniques, SRGMs could be a valuable test planning aid.

show abstract

“…If a system copes well in the presence of one type of disturbances but less well with another type, changing the relative weights of these two types of disturbances will change the degree of dependability that will be observed. There will not even be a single indicator of "stressfulness" of an environment, so that we can say that if a system exhibited -say -99% availability under the benchmark stress, it will exhibit at least 99% availability in any 'less stressful" environment [30]. Likewise, we won't be able to trust that if system A is more dependable (from the viewpoint of interest: e.g., more reliable) than system B in the benchmark environment, it will still be more dependable in another environment.…”

Section: The Difficulty Of Extrapolationmentioning

confidence: 99%

“…So, all "coverage" measures have to be defined with respect to some stated type, or mix, of faults or disturbances; and the difficulties of extrapolation that characterised measures of dependability under stress also affect, in principle, measures of coverage. In particular, the desirability but also the limits of "benchmark" scenarios apply when estimating coverage factors just as when measuring a dependability measure [30].…”

Section: Measures Of "Coverage Factors"mentioning

confidence: 99%

Fault Tolerance and Resilience: Meanings, Measures and Assessment

Strigini

2012

Resilience Assessment and Evaluation of Computing Systems

Self Cite

View full text Add to dashboard Cite

To assess in quantitative terms the "resilience" of systems, it is necessary to ask first what is meant by "resilience", whether it is a single attribute or several, which measure or measures appropriately characterise it. This chapter covers: the technical meanings that the word "resilience" has assumed, and its role in the debates about how best to achieve reliability, safety, etc.; the different possible measures for the attributes that the word designates, with their different pros and cons in terms of ease of empirical assessment and suitability for supporting prediction and decision making; the similarity between these concepts, measures and attached problems in various fields of engineering, and how lessons can be propagated between them.This a chapter of the book "Resilience Assessment and Evaluation of Computing Systems" (Wolter, K.; Avritzer, A.; Vieira, M.; van Moorsel, A. (Eds.). Springer, 2012, ISBN 978-3-642-29031-2

show abstract

Assessing Asymmetric Fault-Tolerant Software

Cited by 8 publications

References 19 publications

Assessing safety-critical systems from operational testing: A study on autonomous vehicles

Assessing safety-critical systems from operational testing: A study on autonomous vehicles

Assessing the Safety and Reliability of Autonomous Vehicles from Road Testing

Fault Tolerance and Resilience: Meanings, Measures and Assessment

Contact Info

Product

Resources

About