1 Introduction
Safety cases are used in several critical industrial sectors to justify safety of installations and operations. As defined in the standard [UKDef3]: "a Safety Case is a structured argument, supported by a body of evidence, that provides a compelling, comprehensible and valid case that a system is safe for a given application in a given environment". An important research work has also been initiated to deliver guidelines to document safety cases. An initial work developed at York University [KEL98], based on an adaptation of Toulmin argumentation model [TOU58], led to the proposal of the Goal Structuring Notation (GSN). Other proposals such as CAE for ClaimsArgumentEvidence [CAE] and KAOS (Knowledge Acquisition and autOmated Specification) [DAR93], but they did not reach the maturity of GSN [GSN11]. The Object Management Group (OMG) has also delivered a metamodel for the argumentation approach [OMGARM]. The goal of these approaches is to make more explicit the supporting arguments for a toplevel claim.
Given a claim and a supporting argument, an important and growing issue is to understand how much confidence one could have in the claim and how the different arguments contribute to such confidence. For instance, let us consider the classical example of the claim "{System X} is safe", supported by the evidence that all specific hazards have been eliminated as presented in Figure 1. Main concepts of GSN are presented here: goals present claims forming part of the argument; Strategies describe the nature of inferences that exist between a goal and its supporting subgoal(s); Solutions present a reference to an evidence item (results of a fault tree analysis for instance); Contexts present contextual artifacts (they could be a reference to contextual information, or statements). Other elements are used in GSN but not presented here as our proposal focuses on these main components of GSN. Each element of such an argument may be subject of uncertainties, such as "do all the hazards have been identified?" or "is the treatment of hazard effective?". Moreover, considering that argument structures tend to grow excessively, it may become too complex for third parties to analyse the argument. Therefore, appropriate methods to assess confidence in the argument structures and supporting evidence are required. Three main challenges are of particular interest: how confidence could be formally defined, how confidence could be quantitatively estimated, and how confidence in argument leaves could be propagated to assess the impact on the main claim confidence.
In this paper we mainly address the first and third issues by introducing a new method for defining and propagating a quantitative estimation of confidence of a safety case. After presenting related work in Section 2, we introduce our definition of confidence based on belief theory in Section 4. This definition is used in Section 5 where details about confidence propagation are given. Finally, in the conclusion we will discuss about first results and open issues in this area.
2 Related Work
The issue of confidence in argument structures has already been addressed by several works, with slightly different objectives and scopes. Table 1 presents a common framework to analyze some relevant related work considering the following dimensions:

Argument modelling: construction of the "case" which may be based on GSN or other notations

Argument uncertainties identification: uncertainties in inferences and arguments elements are identified

Confidence modelling: construction of a confidence case, with explicit representation of dependencies between the uncertainties

Confidence estimation: theoretical framework for quantitative estimation of the confidence

Decision support: provide support based on the quantitative estimation in order to make a decision for the acceptability of the argument, or its improvement.
Argument modelling  Argument uncertainties identification  Confidence modelling  Confidence estimation  Decision support  
[LIT07]  Bayesian network  Probability law  
[Zhao12]  Argumentation Metamodel (ARM) based case  Based on Toulmin model  Bayesian network (with Hitchcock criteria)  Probability law (with basic logical gates)  
[DEN11]  GSN  Bayesian network  Probability law and tool support with AgenaRisk  
[CYR11]  Trust case based on Toulmin model  DempsterShafer Theory  Decision level associated to confidence level  
[ANA13]  GSN  DempsterShafer Theory  Decision based on the confidence value  
[ANA12]  GSN  Common Characteristic Map (CCM)  Confidence case based on GSN  
[GOO12]  GSN  Based on Assurance Claim Points (ACP)  Confidence case in GSN  Baconian probability  
[HAW11]  GSN  Based on Assurance Claim Points (ACP)  Assurance case in GSN  

Qualitative Approaches
In [HAW11], the inventors of GSN address the confidence issue, by proposing to split a traditional safety case in two pieces. The first is the safety argument, showing all evidences, and the second is a confidence argument that addresses confidence in evidences, contexts, and individual inferences. This confidence argument is also represented with GSN. It starts by adding to the safety case some possible uncertainty sources, which are called Assurance Claim Points (ACP), that are attached to inferences (the arrows connecting claims), contexts (explanatory information), or solutions. Then, for each ACP, an argumentation mainly focuses on demonstrating that the ACP is trustworthy and appropriate, which is built using GSN. Another proposal [ANA12], is based on the ACP but only focuses on Context and Solution elements. The authors propose to use a map (Common Characteristic Map) as a check list to identify sources of uncertainties, with recursive dependencies. For instance, if a safety case includes a solution which is a "Process result", they propose the generic uncertainties related to "the use of a language", "the use of a tool", "the use of a mechanism", "the involved artifacts", etc. All those characteristics are then refined, with possible recursive dependencies.
The proposed approach in [GOO13] is quite similar, adapting the defeater concept from Defeasible Reasoning theory introduced by [POL08]. These defeaters that could be compared to previous ACP, or weaknesses in the argumentation, are then analyzed to be reduced one by one.
Both previous proposals focus on the identification of the weaknesses in an argumentation, and present methods for a well structured approach. Nevertheless, such approaches may lead to complex confidence cases. Although controversial, we believe that quantitative estimation approaches may help to analyze the safety case confidence. For instance, it can support sensitivity analyses to identify the weak elements of an argumentation.
Quantitative Approaches
This group of approaches tries to apply mathematical formalism to capture lack of confidence in argument elements. Apart from some proposals based on simple mathematical models as in [GOO12] where the number of uncertainties is estimated, two main ways of approaching the problem can be identified:

Bayesian Belief Networks (BBNs): in this case the uncertainty is interpreted as a probability. BBNs are then applied to deduce the confidence in a goal from credibility of its backing arguments. Some authors directly use BBNs for modeling arguments and confidence. For instance, in [HOB12], they only use BBNs and commercial tools to calculate "trustworthy", which is actually a conditional probability. With a similar approach, authors of [LIT07]
particularly focus on the diversification in argumentation, calculating how a "multilegged" argument (a claim is supported by two evidences) impacts the probability (interpreted as a confidence level) of achieving the main claim. However, they directly use BBNs, without any safety case. On the contrary,
[Zhao12] propose to apply to each claim of a Toulmin model argument, a Bayesien network pattern showing relationships between uncertainties in the argumentation based on Hitchock criteria [HIT05]. However, confidence propagation is not clearly analyzed and justified. In [DEN11], the authors present an interesting approach to build a BBN from the safety case, and use the work of [FEN12], to define a distribution of confidence for each argument element, but they do not propose transformation rules between safety case in GSN and the confidence BBN. The confidence propagation formulas are also not justified. 
Dempster–Shafer (DS) theory of evidence. These approaches are based on the belief theory developed by P. Dempster in 1967, and extended by G. Shafer in 1976. A common justification for its use, is that probability theory does not make difference between epistemic and aleatory uncertainties
[AGU13]. In the DS approach, belief, disbelief and epistemic uncertainty are explicitly quantified. An important work by [CYR11] is based on this theory. The authors, propose to build "Trust cases" based on Toulmin concepts, and to directly associate levels for belief and uncertainties, linked with a decision to accept or not an argument element. In this case, they do not build a confidence case, but directly propose a method and a tool for decision support. As presented later, they do not explicitly take into account confidence in the inferences of the argument. Authors of [ANA13], directly reuse the previous work, with a limited version, only considering that for each argument element it exists a level for "sufficiency".
In summary, defining and measuring confidence in assurance claims is an important and open issue. A framework for determining confidence is needed, and this paper presents some initial steps to fulfill this objective.
3 Proposed Approach Overview
Our objective is to propose a method to identify weaknesses in safety case, in order to improve it. Referring to Table 1, our contribution focuses on the following steps presented Figure 2:

Argument modelling: the safety case is built using GSN

Confidence modelling: we propose to annotate the GSN models and transform them into a confidence network

Confidence estimation: confidence in the network leaves are estimated and propagation formulas are used

Sensitivity analysis: impact of confidence variations is analyzed to identify weaknesses of the safety case.
4 Measuring Confidence
Confidence may be used as a common concept for different theories, including probability, and DS. As in [CYR11, ANA12], we define confidence using the DS approach. In this theory, a belief function is defined from the powerset of possible events into . For instance, let be the state of an indicator light that can have two values and , then and . In this example the belief function , is defined as the mass of belief such as represents the credibility of the light to be . As an example, a possible estimation would be , et . When events are Boolean, like in this example, we can sumup the DS concepts with the Figure 3 (Plausibility is another DS concept which will not be included in this paper).
We will consider in a safety case that all elements leaves are observed, and that they cannot be false. Hence, for an element , . This led us to define confidence and uncertainty as the belief functions:
(1) 
In the context of safety case, we consider two types of uncertainty sources, which are similar to those presented in [HAW11] named "appropriateness" and "trustworthiness". For instance, in the very simple safety case presented in Figure 4, two sources of uncertainties may be identified:

uncertainty in the fact that B is appropriate for the inference "A is Supported by B"

uncertainty in the solution B itself : are the tests trustworthy?
5 Propagating Confidence
5.1 Argument Types
The very basic inference is the simplest one, "A is Supported by B". Nevertheless, most of arguments are more complex than direct onetoone inference. For instance, let us consider the example presented with the main claim "A: System is fit for use", supported by both "B: Tests are conclusive" and "C: Formal verification has been performed". In that case, we can expect that both evidences independently increase the level of confidence in A. This concept is presented as "alternative argument" in [CYR11]: even if there is no confidence in B, the fact that C also independently supports A will preserve some level of confidence.
An another form of inference, is presented in the GSN «Hazard Avoidance Pattern» proposed in [KEL97], presented Figure 1. In that case, the main Goal "System is Safe", depends on all the sub goals together (we do not consider "Strategy" as a node, because it is only a descriptive element). Each of the premises covers a part of the goal. [CYR11] propose to name such an argument a "complementary argument".
Figure 5 present those two types of arguments, with the inference "A supported by B and C". We also illustrate the fact that in both types of argument, the sub nodes may have a different weight in the overall confidence in the claim A. Other types of arguments may be included, as introduced in [CYR11, ANA13], but they are not included in this paper.
5.2 Simple Argument
The basic inference, "A is supported by B" can apply to the cases (a) a goal is refined into a subgoal and (b) a goal is supported by an evidence, as presented in Figure 6.
In this case, the confidence network is represented like a BBN, using two nodes and one edge. We propose to use the following table to describe the confidence propagation:
g(B)  0  1 

g(A)  0  p 
In this table, the confidence in A is estimated when there is no confidence in B (i.e. when ), then , and when there is a maximum confidence in . In this case, the confidence in A depends on a factor , which represents the confidence in the inference "A is supported by B". The final confidence is obtained using this table as a probability table: . The result is a linear dependency , illustrated in Figure 6 considering different values for p and g(B).
5.3 Alternative Arguments
As presented Figure 5, several arguments may support a claim with an independent influence. It is important to note that in this Figure, we do not represent the confidence, but the way each argument supports the main claim. In this case, the confidence in A, may be increased by the confidence in both B and C. Such approach could be applied to Solutions or subgoals as presented Figure 7.
The Strategy node is not part of the confidence network, as it only gives explanations on the choices made for argumentation.
We chose for this argument type to use a leaky noisyor as defined in probability theory [DIE07]. It was originally introduced in [PEA88], and it is based on a logical OR between parent nodes () and a child node(), but it includes the fact that the relationship between parents and the child node are not necessary deterministic. The effect corresponds to the fact that even when both parents (B and C) have 0value probability, there is still a "leaky" probability for the child node. For probabilities, the mathematical function is, with the set of in state :
(2) 
with . In its application to confidence, we do not consider the leaky effect, it is indeed obvious that if there is no confidence in B and C (), then the confidence in A is zero, i.e. . Consequently, we obtain the following equation:
(3) 
According to 3, the resulting table for two parents is:
g(B)  0  1  

g(C)  0  1  0  1 
g(A)  0  q  p  1(1p)(1q) 
This leads to the confidence formula . and respectively represent the confidence in A in case one only has confidence in B or C. Figure 8 illustrates the evolution of confidence g(A) for different situations:

Figure (a) where illustrates that increasing the confidence in alone or alone, automatically increases . For instance, for and , the resulting confidence is 0.875. Confidence of 1 for A, occurs only if or reaches 1.

Figure (b) shows influence of p on . For a low confidence in the inference "A is supported by B", the confidence in A only depends on confidence in C ( is constant for ).

Figure (c) shows that for a low value of (0.1), the variation of , which is the confidence in the inference "A supported by C", has no effect on .
(a)  (b)  (c) 
5.4 Complementary Arguments
Complementary arguments are used when a set of solutions or subgoals are required simultaneously for supporting the main goal. However, a weight for each element is assigned to rate its relative importance. For instance, in the "Hazard Avoidance Pattern", some hazards may have a less impact on the overall safety, and the lack of confidence in their treatment, may induce less reduction in the main confidence, than for other more severe hazards. Several models are used in the literature for such arguments, such as simple Andgate [Zhao12], weighted mean [DEN11], or NoisyAnd [HOB12]. In our case, after several simulations, we decided to define our own NoisyAnd, to obtain the trends that are relevant for complementary argumentation. In this case, we based our calculation on the uncertainty as defined in equation 1 and using the leaky noisyor defined in equation 2, but taking for the leak . We then obtain the following confidence table:
0  1  

0  1  0  1  
To calculate the confidence table, we apply the relation , and we also decided to fix when (which should be obtain for whatever weight of B and C). We thus obtain the following table:
1  0  

1  0  1  0  
One main difference with other research works, lies in the interpretation of the parameters. In our case, and represent the weight of B and C to decrease confidence (increase uncertainty). In the context of confidence calculation, we also propose to introduce a relation between leak value , ,and such as: . Indeed, when p and q are lower than 1, it means that the confidence in the inference is less than one. The generalization of this constraint to a complementary argument with parents is:
(4) 
The values in the confidence table are:
where represent the weight of in the argument.
(a)  (b)  (c) 
We consider in the following discussion that having a value of 0, for any confidence is not considered, has such an element (no confidence at all), will be removed from a safety argument. Figure 9 presents the result for 2 parents, B, and C, and one child, A. In (a) and (b) we illustrate that when q decreases (q=1, q=0.5) then the influence of decreases. On the figure, the lines for different values of are close depending only on (with a value of 0.5, not presented here due to limitation space). We also illustrate in (b), that when p and q are less than 1, we obtain a residual confidence when and . This is actually an expected result, because, when the weights are less than one, this means that the argument is not a perfect AND gate. In (c), p is low (0.1), which is interpreted as a low influence of , and characterized by the fact that all lines are nearly horizontals (i.e. with no influence of ). A complete analysis of limits, which is not presented here, has demonstrated that the variations of are compliant with a complementary argument [DOH15].
5.5 Mixed Arguments
The previous arguments could be used also to integrate the confidence in the GSN "Context" element. Indeed, a context is actually a complementary element for the considered argument. Figure 10 presents a complementary argument, where a context has also been defined. In this case, the resulting network, is a node A, with three parents (B, C, D), and a noisyand table for node A. When an alternative argument is used between B and C, then, an intermediate node I_BC is included, with an alternative table for B and C. The confidence table in A is a noisyand between D and I_BC.
5.6 Sensitivity Analysis
We propose to perform a sensitivity analysis using a tornado graph. It is a simple statistical tool, which shows the positive or negative influence of basic elements on main function. Basically, considering a function , where values of the variables have been estimated, the tornado analysis consists in the estimation for each , of the values and , where and the maximum and minimum admissible values of variables . Hence for each , we get an interval of possible variations of function . The tornado graph is a visual presentation with ordered intervals. In our case, we estimate the intervals of with and .
If we take the example of alternative argument, with arbitrary values and , we get the following table:
g(B)  0  1  

g(C)  0  1  0  1 
g(A)  0  0.7  0.9  0.97 
If we choose the values of and , the confidence table leads to the value , also computed with the tool AgenaRisk^{1}^{1}1http://www.agenarisk.com, presented Figure 11.
In this example, to determine the sensitivity to , we keep all the values for p, q, and , and only calculate the values for and (we obtain the values 0.49 and 0.949).
The same approach is used for other variables p, q, and . The result is presented Figure 11 (b). In this tornado graph, g(B) appears to be the most influent parameter to decrease or increase the confidence in A. The left part is between 0.49 and 0.872, which means that if g(B) is equal to its lower limit, then the confidence in A could be reduced to 0.49. On the opposite, with a maximum value of g(B), then confidence in A could reach 0.949.
Such an analysis leads to identify some sensitive points in a confidence network. This could be used to increase the confidence focusing first on the most positive sensitive points, or to focus on the elements where confidence should never be decreased (to consolidate the safety case confidence). Nevertheless, two main limits appear: it is not possible to identify combination of confidence variations, and such a diagram does not identify which variables are the easiest to increase. For instance, even if appears to be less influent, it may be easier to increase its confidence than the one in . Our approach does not focus on those aspects, but they are important points to study.
6 Conclusion
This paper proposed a new approach for the definition and estimation of confidence in a safety case. We argue that it is important to have a separation between the safety case and the confidence case. Our aim is to analyze uncertainties that may be present in a safety case, using a sensitivity analysis. Our approach is based on the DempsterShafer theory for the definitions of confidence and uncertainty. But the constraint , brings the main benefit of letting use mathematical tools, such as BBN. Hence, we proposed for most common safety case models in GSN, some transformation rules into a confidence network. We particularly introduce the use of noisyor for alternative arguments, and an adapted version of noisyand for complementary arguments. An experiment on a real case study of a rehabilitation robot [GUI13] has been carried out [DOH15]. A confidence graph of 65 nodes has been identified with only two alternative arguments (all the others were complementary). The complete analysis is still under development but, we were able to compute the complete graph and get a tornado graph in few minutes with the AgenaRisk tool with consistent results. In this paper, we only focus on the feasibility of a quantitative estimation of confidence, and its propagation in a confidence network. But this is obviously completely dependent on the determination of the confidence values themselves. As already mentioned, this important issue is not addressed in this paper, but is part of our future work.
Comments
There are no comments yet.