SlideShare a Scribd company logo

Confidence Monitoring and Composition for Dynamic Assurance of Learning-Enabled Autonomous Systems

Ivan Ruchkin, profile picture
Ivan Ruchkin

The document discusses the integration of confidence monitoring and composition in autonomous systems to ensure safety in dynamic environments. It outlines the challenges in bridging design-time guarantees with run-time monitors and presents a structured approach involving formal verification, assumption effect analysis, monitoring, and composition of confidence measures. Future research directions are identified, focusing on dependencies between assumptions and automated functions for confidence composition.

Technology
Related topics:
Cyber-Physical Systems
1 of 32
Download to read offline
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
Confidence Monitoring and Composition for Dynamic Assurance of Learning-Enabled Autonomous Systems Ivan Ruchkin, Matthew Cleaveland, Oleg Sokolsky, Insup Lee University of Pennsylvania Klaus Havelund Festschrift October 24, 2021
Confidence in assurance Req: no obstacle collisions Req: no pipeline loss Safety verification Detection confidence Detection confidence Dynamics confidence How to combine confidences?
● Goal: − Compute confidence in the guarantees of safety reqs − Given confidences from run-time monitors ● Challenge: − Design-time guarantees ←?→ run-time monitors Confidence in assurance
design-time phase run-time phase requirements no collisions no pipe loss environment system model dynamics control perception planning sensing
design-time phase run-time phase requirements no collisions no pipe loss verification environment system model dynamics control perception planning sensing
design-time phase run-time phase requirements no collisions no pipe loss verification system model dynamics control perception planning sensing ? environment
design-time phase run-time phase requirements no collisions no pipe loss verification “The obstacle is >10m away” “Vehicle follows the given dynamics equations” “No false-negative obstacle detections” “Reported distance is within 1m of true distance “ system model dynamics control perception planning sensing A1 A2 A3 A4 environment
design-time phase run-time phase requirements no collisions no pipe loss “The obstacle is >10m away” “Vehicle follows the given dynamics equations” “No false-negative obstacle detections” “Reported distance is within 1m of true distance “ system model dynamics control perception planning sensing A1 A2 A3 A4 environment
design-time phase run-time phase requirements no collisions no pipe loss “The obstacle is >10m away” “Vehicle follows the given dynamics equations” “No false-negative obstacle detections” “Reported distance is within 1m of true distance “ system model dynamics control perception planning sensing A1 A2 A3 A4 assumption effect analysis (A1 V A2) ∧ A3 ∧ A4 composition logic environment
probabilistic modeling system model design-time phase run-time phase dynamics control perception planning sensing A1 A2 assumption effect analysis A3 A4 obstacle assumption model M1 AM2 AM1 (A1 V A2) ∧ A3 ∧ A4 dynamics assumption model M2 AM4 AM3 requirements assumption models/monitors composition logic no collisions no pipe loss environment
probabilistic modeling system model design-time phase run-time phase dynamics control perception planning sensing A1 A2 assumption effect analysis A3 A4 (A1 V A2) ∧ A3 ∧ A4 requirements composition logic no collisions no pipe loss M1 AM2 AM1 M2 AM4 AM3 obstacle assumption model M1 AM2 AM1 dynamics assumption model M2 AM4 AM3 assumption models/monitors environment
probabilistic modeling system model design-time phase (vguar , cguar ) run-time phase dynamics control perception planning sensing A1 A2 assumption effect analysis A3 A4 (A1 V A2) ∧ A3 ∧ A4 requirements composition logic (AM1 V AM2) ∧ AM3 ∧ AM4 assurance confidence monitor M1 AM2 AM1 M2 AM4 AM3 (v1 , c1 ) (v2 , c2 ) (v3 , c3 ) (v4 , c4 ) no collisions no pipe loss obstacle assumption model M1 AM2 AM1 dynamics assumption model M2 AM4 AM3 assumption models/monitors environment
probabilistic modeling system model design-time phase run-time phase dynamics control perception planning sensing A1 A2 assumption effect analysis A3 A4 (A1 V A2) ∧ A3 ∧ A4 requirements composition logic (AM1 V AM2) ∧ AM3 ∧ AM4 assurance confidence monitor M1 AM2 AM1 M2 AM4 AM3 (v1 , c1 ) (v2 , c2 ) (v3 , c3 ) (v4 , c4 ) no collisions no pipe loss obstacle assumption model M1 AM2 AM1 dynamics assumption model M2 AM4 AM3 assumption models/monitors environment (vguar , cguar )
probabilistic modeling system model design-time phase run-time phase dynamics control perception planning sensing A1 A2 assumption effect analysis A3 A4 (A1 V A2) ∧ A3 ∧ A4 requirements composition logic (AM1 V AM2) ∧ AM3 ∧ AM4 assurance confidence monitor M1 AM2 AM1 M2 AM4 AM3 (v1 , c1 ) (v2 , c2 ) (v3 , c3 ) (v4 , c4 ) no collisions no pipe loss obstacle assumption model M1 AM2 AM1 dynamics assumption model M2 AM4 AM3 assumption models/monitors environment (vguar , cguar )
Assumption effect analysis
Assumption effect analysis Is this assumption required for R1: no collisions? Mode1: obstacle detected Mode2: obstacle not detected A1: “Reported distance is within 1m of true distance” A2: “No false-negative obstacle detections” A3: “The obstacle is >10m away” A4: “Vehicle follows the given dynamics equations”
Assumption effect analysis Is this assumption required for R1: no collisions? Mode1: obstacle detected Mode2: obstacle not detected A1: “Reported distance is within 1m of true distance” Yes No A2: “No false-negative obstacle detections” A3: “The obstacle is >10m away” A4: “Vehicle follows the given dynamics equations”
Assumption effect analysis Is this assumption required for R1: no collisions? Mode1: obstacle detected Mode2: obstacle not detected A1: “Reported distance is within 1m of true distance” Yes No A2: “No false-negative obstacle detections” No Yes A3: “The obstacle is >10m away” A4: “Vehicle follows the given dynamics equations”
Assumption effect analysis Is this assumption required for R1: no collisions? Mode1: obstacle detected Mode2: obstacle not detected A1: “Reported distance is within 1m of true distance” Yes No A2: “No false-negative obstacle detections” No Yes A3: “The obstacle is >10m away” Yes Yes A4: “Vehicle follows the given dynamics equations”
Assumption effect analysis Is this assumption required for R1: no collisions? Mode1: obstacle detected Mode2: obstacle not detected A1: “Reported distance is within 1m of true distance” Yes No A2: “No false-negative obstacle detections” No Yes A3: “The obstacle is >10m away” Yes Yes A4: “Vehicle follows the given dynamics equations” Yes Yes
Assumption effect analysis Is this assumption required for R1: no collisions? Mode1: obstacle detected Mode2: obstacle not detected A1: “Reported distance is within 1m of true distance” Yes No A2: “No false-negative obstacle detections” No Yes A3: “The obstacle is >10m away” Yes Yes A4: “Vehicle follows the given dynamics equations” Yes Yes Composition logic: (Mode1 → A1 ∧ A3 ∧ A4) ∧ (Mode2 → A2 ∧ A3 ∧ A4)
probabilistic modeling system model design-time phase run-time phase dynamics control perception planning sensing A1 A2 assumption effect analysis A3 A4 (A1 V A2) ∧ A3 ∧ A4 requirements composition logic (AM1 V AM2) ∧ AM3 ∧ AM4 assurance confidence monitor M1 AM2 AM1 M2 AM4 AM3 (v1 , c1 ) (v2 , c2 ) (v3 , c3 ) (v4 , c4 ) no collisions no pipe loss obstacle assumption model M1 AM2 AM1 dynamics assumption model M2 AM4 AM3 assumption models/monitors environment (vguar , cguar )
● Random variables: − Reported distance (RD) − True distance (TD) ● An assumption is an assertion over variables: − A1: | RD – TD | ≤ 1m (bounded error) − A2: RD = ∞ → TD = ∞ (no false negatives) ● Goal: compute queries over assns given observations − P( f(A1, A2) | RD ), where f is a given Boolean function Probabilistic modeling of assumptions
Assumption monitoring
Assumption monitoring
Assumption monitoring P(A1) = 0.78 P(A2) = 0.97 P(A1 V A2) = 0.98
probabilistic modeling system model design-time phase run-time phase dynamics control perception planning sensing A1 A2 assumption effect analysis A3 A4 (A1 V A2) ∧ A3 ∧ A4 requirements composition logic (AM1 V AM2) ∧ AM3 ∧ AM4 assurance confidence monitor M1 AM2 AM1 M2 AM4 AM3 (v1 , c1 ) (v2 , c2 ) (v3 , c3 ) (v4 , c4 ) no collisions no pipe loss obstacle assumption model M1 AM2 AM1 dynamics assumption model M2 AM4 AM3 assumption models/monitors environment (vguar , cguar )
Fundamental Research - Contract No. FA8750-18-C-0090 A1 A2 A1 ∧ A2 C(AM1, AM2) AM1 AM2 Safety Safe when satisfied, otherwise likely unsafe Calibrated, conservative confidence Conditional independence Calibrated, conservative confidence Options: - AM1*AM2 - w1*AM1 + w2*AM2 - AM1 + AM2 - 1 - LogReg(AM1, AM2) - Bayes(AM1, AM2) Confidence composition theory Calibrated, conservative confidence
Demo 1: guarantees hold, confidence high
Demo 2: guarantees fail, confidence drops
Future research directions ● Dependencies between assumptions and monitors ● Automated selection of composition functions ● Non-exhaustive design-time assurance: testing, simulation ● Recovery and adaptation based on composed confidence ● Second-order assumptions (of our assumption monitors)
Summary ● Monitoring confidence in assurance requires closing a gap: − Design-time guarantees ←?→ run-time monitors ● We address this problem in four steps: − Formal verification − Assumption effect analysis − Assumption monitoring − Composition of monitors

More Related Content

PDF
Confidence Composition (CoCo) for Dynamic Assurance of Learning-Enabled Auton...
Ivan Ruchkin
 
PDF
Confidence Monitoring and Composition for Dynamic Assurance of Learning-Enabl...
Ivan Ruchkin
 
PDF
JacobSiegler_Research_2015
Jacob Siegler
 
PDF
SERENE 2014 Workshop: Paper "Verification and Validation of a Pressure Contro...
SERENEWorkshop
 
PDF
Confidence Composition for Monitors of Verification Assumptions
Ivan Ruchkin
 
PDF
Conen 442 module1b: Traffic Studies
Wael ElDessouki
 
PDF
Improving time to-collision estimation by IMM based Kalman filter
Yixin Chen
 
PDF
Verify-then-Monitor: Calibration Guarantees for Safety Confidence
Ivan Ruchkin
 
Confidence Composition (CoCo) for Dynamic Assurance of Learning-Enabled Auton...
Ivan Ruchkin
 
Confidence Monitoring and Composition for Dynamic Assurance of Learning-Enabl...
Ivan Ruchkin
 
JacobSiegler_Research_2015
Jacob Siegler
 
SERENE 2014 Workshop: Paper "Verification and Validation of a Pressure Contro...
SERENEWorkshop
 
Confidence Composition for Monitors of Verification Assumptions
Ivan Ruchkin
 
Conen 442 module1b: Traffic Studies
Wael ElDessouki
 
Improving time to-collision estimation by IMM based Kalman filter
Yixin Chen
 
Verify-then-Monitor: Calibration Guarantees for Safety Confidence
Ivan Ruchkin
 

Similar to Confidence Monitoring and Composition for Dynamic Assurance of Learning-Enabled Autonomous Systems (20)

PPT
FMECA is a condition monitoring technique
PareshMishra11
 
PPT
criticality-analysis-milstd1629-approach.ppt
ssuser88bcad1
 
PPT
tracking.ppt
BangalirecipeLaboni
 
PDF
A Multifunctional Aerospace Smart Skin Emerges from Computational Models and ...
Altair
 
PPTX
Navigation System for Emergency Vehicles
rm6968
 
PDF
Overcoming Heterogeneity in Autonomous Cyber-Physical Systems
Ivan Ruchkin
 
PPT
Breinstorm@HUMIQ - Automotive functionalsafety
ipebesma
 
PDF
Development of Over-Line Survey Systems for Monitoring Pipelines v1.0 - uploa...
David Simmonds
 
PDF
Time-Predictable Communication in Service-Oriented Architecture - What are th...
RealTime-at-Work (RTaW)
 
PDF
Collaborative Sensing and Heterogeneous Networking Leveraging Vehicular Fleets
Center for Transportation Research - UT Austin
 
PDF
Smart Systems for Urban Water Demand Management
Pantelis Sopasakis
 
PPTX
Automated Fault Analysis - IVPower for Transmission System Operators and Dist...
AFAS - Automated Fault Analysis NetCeler
 
PDF
ST-AUT_Guidelines_VI3e.pdf
Pourchet Jean Claude
 
PPS
Check interval escalation
Mohammed Awad
 
PDF
Short-Term Conflict Resolution for Unmanned Aircraft Traffic Management
Lyft
 
PPT
FAULT DETECTION ON OVERHEAD TRANSMISSION LINE USING ARTIFICIAL NEURAL NET...
Politeknik Negeri Ujung Pandang
 
PDF
Bridge Assessment & Monitoring
RekaNext Capital
 
DOCX
Time series analysis use E-views programer
Al-Qadisiya University
 
PPT
Wg Wf Ms Presentation Td
Jalal Uddin Ahammad
 
PDF
Tracy–Widom distribution based fault detection approach: Application to aircr...
ISA Interchange
 
FMECA is a condition monitoring technique
PareshMishra11
 
criticality-analysis-milstd1629-approach.ppt
ssuser88bcad1
 
tracking.ppt
BangalirecipeLaboni
 
A Multifunctional Aerospace Smart Skin Emerges from Computational Models and ...
Altair
 
Navigation System for Emergency Vehicles
rm6968
 
Overcoming Heterogeneity in Autonomous Cyber-Physical Systems
Ivan Ruchkin
 
Breinstorm@HUMIQ - Automotive functionalsafety
ipebesma
 
Development of Over-Line Survey Systems for Monitoring Pipelines v1.0 - uploa...
David Simmonds
 
Time-Predictable Communication in Service-Oriented Architecture - What are th...
RealTime-at-Work (RTaW)
 
Collaborative Sensing and Heterogeneous Networking Leveraging Vehicular Fleets
Center for Transportation Research - UT Austin
 
Smart Systems for Urban Water Demand Management
Pantelis Sopasakis
 
Automated Fault Analysis - IVPower for Transmission System Operators and Dist...
AFAS - Automated Fault Analysis NetCeler
 
ST-AUT_Guidelines_VI3e.pdf
Pourchet Jean Claude
 
Check interval escalation
Mohammed Awad
 
Short-Term Conflict Resolution for Unmanned Aircraft Traffic Management
Lyft
 
FAULT DETECTION ON OVERHEAD TRANSMISSION LINE USING ARTIFICIAL NEURAL NET...
Politeknik Negeri Ujung Pandang
 
Bridge Assessment & Monitoring
RekaNext Capital
 
Time series analysis use E-views programer
Al-Qadisiya University
 
Wg Wf Ms Presentation Td
Jalal Uddin Ahammad
 
Tracy–Widom distribution based fault detection approach: Application to aircr...
ISA Interchange
 
Ad

More from Ivan Ruchkin (20)

PDF
Neural Approximation of Vision-Controlled Systems for Reachability Analysis
Ivan Ruchkin
 
PDF
State-Dependent Conformal Perception Bounds for Neuro-Symbolic Verification
Ivan Ruchkin
 
PPTX
NeuroStrata: Harnessing Neuro-Symbolic Paradigms for Improved Testability and...
Ivan Ruchkin
 
PDF
State-Dependent Conformal Perception Bounds for Neuro-Symbolic Verification o...
Ivan Ruchkin
 
PDF
Four Principles for Physically Interpretable World Models
Ivan Ruchkin
 
PDF
State-Dependent Conformal Perception Bounds for Neuro-Symbolic Verification o...
Ivan Ruchkin
 
PDF
Four Principles for Physically Interpretable World Models (poster)
Ivan Ruchkin
 
PDF
Accelerating Neural Policy Repair with Preservation via Stability-Plasticity ...
Ivan Ruchkin
 
PDF
Distributionally Robust Statistical Verification with Imprecise Neural Networks
Ivan Ruchkin
 
PDF
Autonomous Drift Detection and Online Road Friction Estimation
Ivan Ruchkin
 
PDF
Neuro-Symbolic Bridge: From Perception to Estimation & Control
Ivan Ruchkin
 
PDF
Towards Physically Interpretable World Models: Meaningful Weakly Supervised R...
Ivan Ruchkin
 
PDF
How Safe Will I Be Given What I See? Calibrated Visual Safety Chance Predict...
Ivan Ruchkin
 
PDF
Bridging Dimensions: Confident Reachability for High-Dimensional Controllers...
Ivan Ruchkin
 
PDF
Poster: Bridging Dimensions: Confident Reachability for High-Dimensional Cont...
Ivan Ruchkin
 
PDF
Bridging Dimensions: Confident Reachability for High-Dimensional Controllers
Ivan Ruchkin
 
PDF
Poster: How Safe Am I Given What I See? Calibrated Prediction of Safety Chanc...
Ivan Ruchkin
 
PDF
Language-Enhanced Latent Representations for Out-of-Distribution Detection in...
Ivan Ruchkin
 
PDF
​Poster: Zero-shot Safety Prediction for Autonomous Robots with Foundation Wo...
Ivan Ruchkin
 
PDF
Curating Naturally Adversarial Datasets for Learning-Enabled Medical Cyber-Ph...
Ivan Ruchkin
 
Neural Approximation of Vision-Controlled Systems for Reachability Analysis
Ivan Ruchkin
 
State-Dependent Conformal Perception Bounds for Neuro-Symbolic Verification
Ivan Ruchkin
 
NeuroStrata: Harnessing Neuro-Symbolic Paradigms for Improved Testability and...
Ivan Ruchkin
 
State-Dependent Conformal Perception Bounds for Neuro-Symbolic Verification o...
Ivan Ruchkin
 
Four Principles for Physically Interpretable World Models
Ivan Ruchkin
 
State-Dependent Conformal Perception Bounds for Neuro-Symbolic Verification o...
Ivan Ruchkin
 
Four Principles for Physically Interpretable World Models (poster)
Ivan Ruchkin
 
Accelerating Neural Policy Repair with Preservation via Stability-Plasticity ...
Ivan Ruchkin
 
Distributionally Robust Statistical Verification with Imprecise Neural Networks
Ivan Ruchkin
 
Autonomous Drift Detection and Online Road Friction Estimation
Ivan Ruchkin
 
Neuro-Symbolic Bridge: From Perception to Estimation & Control
Ivan Ruchkin
 
Towards Physically Interpretable World Models: Meaningful Weakly Supervised R...
Ivan Ruchkin
 
How Safe Will I Be Given What I See? Calibrated Visual Safety Chance Predict...
Ivan Ruchkin
 
Bridging Dimensions: Confident Reachability for High-Dimensional Controllers...
Ivan Ruchkin
 
Poster: Bridging Dimensions: Confident Reachability for High-Dimensional Cont...
Ivan Ruchkin
 
Bridging Dimensions: Confident Reachability for High-Dimensional Controllers
Ivan Ruchkin
 
Poster: How Safe Am I Given What I See? Calibrated Prediction of Safety Chanc...
Ivan Ruchkin
 
Language-Enhanced Latent Representations for Out-of-Distribution Detection in...
Ivan Ruchkin
 
​Poster: Zero-shot Safety Prediction for Autonomous Robots with Foundation Wo...
Ivan Ruchkin
 
Curating Naturally Adversarial Datasets for Learning-Enabled Medical Cyber-Ph...
Ivan Ruchkin
 
Ad

Recently uploaded (20)

PDF
Mobile App Security Testing_ A Comprehensive Guide.pdf
flufftailshop
 
PPT
Teaching material agriculture food technology
LiaRayya
 
PDF
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
Peter Tan
 
PDF
Approach and Philosophy of On baking technology
30anthuong17
 
PPTX
A Presentation on Artificial Intelligence
memembruh336
 
PDF
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Jian-Hong Pan
 
PDF
Assigned Numbers - 2025 - Bluetooth® Document
Bloombase
 
DOCX
The AUB Centre for AI in Media Proposal.docx
GAONE9
 
PPTX
Spectroscopy.pptx food analysis technology
nawahassan45
 
PPTX
Cloud computing and distributed systems.
kkkkkhan
 
PDF
cuic standard and advanced reporting.pdf
SimoneTitaniumTomase
 
PPT
“AI and Expert System Decision Support & Business Intelligence Systems”
ZubinRadhakrishnan
 
PPTX
sap open course for s4hana steps from ECC to s4
sreeni2106invites
 
PDF
MIND Revenue Release Quarter 2 2025 Press Release
MIND CTI
 
PDF
Chapter 3 Spatial Domain Image Processing.pdf
Getnet Tigabie Askale -(GM)
 
PPTX
VMware vSphere Foundation How to Sell Presentation-Ver1.4-2-14-2024.pptx
blackmambaettijean
 
PPTX
Big Data Technologies - Introduction.pptx
kuthubussaman1
 
PDF
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
Akar16
 
PDF
Encapsulation_ Review paper, used for researhc scholars
gurumoop
 
PDF
Electronic commerce courselecture one. Pdf
OmerMohamed64
 
Mobile App Security Testing_ A Comprehensive Guide.pdf
flufftailshop
 
Teaching material agriculture food technology
LiaRayya
 
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
Peter Tan
 
Approach and Philosophy of On baking technology
30anthuong17
 
A Presentation on Artificial Intelligence
memembruh336
 
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Jian-Hong Pan
 
Assigned Numbers - 2025 - Bluetooth® Document
Bloombase
 
The AUB Centre for AI in Media Proposal.docx
GAONE9
 
Spectroscopy.pptx food analysis technology
nawahassan45
 
Cloud computing and distributed systems.
kkkkkhan
 
cuic standard and advanced reporting.pdf
SimoneTitaniumTomase
 
“AI and Expert System Decision Support & Business Intelligence Systems”
ZubinRadhakrishnan
 
sap open course for s4hana steps from ECC to s4
sreeni2106invites
 
MIND Revenue Release Quarter 2 2025 Press Release
MIND CTI
 
Chapter 3 Spatial Domain Image Processing.pdf
Getnet Tigabie Askale -(GM)
 
VMware vSphere Foundation How to Sell Presentation-Ver1.4-2-14-2024.pptx
blackmambaettijean
 
Big Data Technologies - Introduction.pptx
kuthubussaman1
 
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
Akar16
 
Encapsulation_ Review paper, used for researhc scholars
gurumoop
 
Electronic commerce courselecture one. Pdf
OmerMohamed64
 

Confidence Monitoring and Composition for Dynamic Assurance of Learning-Enabled Autonomous Systems

  • 1. Confidence Monitoring and Composition for Dynamic Assurance of Learning-Enabled Autonomous Systems Ivan Ruchkin, Matthew Cleaveland, Oleg Sokolsky, Insup Lee University of Pennsylvania Klaus Havelund Festschrift October 24, 2021
  • 2. Confidence in assurance Req: no obstacle collisions Req: no pipeline loss Safety verification Detection confidence Detection confidence Dynamics confidence How to combine confidences?
  • 3. ● Goal: − Compute confidence in the guarantees of safety reqs − Given confidences from run-time monitors ● Challenge: − Design-time guarantees ←?→ run-time monitors Confidence in assurance
  • 4. design-time phase run-time phase requirements no collisions no pipe loss environment system model dynamics control perception planning sensing
  • 5. design-time phase run-time phase requirements no collisions no pipe loss verification environment system model dynamics control perception planning sensing
  • 6. design-time phase run-time phase requirements no collisions no pipe loss verification system model dynamics control perception planning sensing ? environment
  • 7. design-time phase run-time phase requirements no collisions no pipe loss verification “The obstacle is >10m away” “Vehicle follows the given dynamics equations” “No false-negative obstacle detections” “Reported distance is within 1m of true distance “ system model dynamics control perception planning sensing A1 A2 A3 A4 environment
  • 8. design-time phase run-time phase requirements no collisions no pipe loss “The obstacle is >10m away” “Vehicle follows the given dynamics equations” “No false-negative obstacle detections” “Reported distance is within 1m of true distance “ system model dynamics control perception planning sensing A1 A2 A3 A4 environment
  • 9. design-time phase run-time phase requirements no collisions no pipe loss “The obstacle is >10m away” “Vehicle follows the given dynamics equations” “No false-negative obstacle detections” “Reported distance is within 1m of true distance “ system model dynamics control perception planning sensing A1 A2 A3 A4 assumption effect analysis (A1 V A2) ∧ A3 ∧ A4 composition logic environment
  • 10. probabilistic modeling system model design-time phase run-time phase dynamics control perception planning sensing A1 A2 assumption effect analysis A3 A4 obstacle assumption model M1 AM2 AM1 (A1 V A2) ∧ A3 ∧ A4 dynamics assumption model M2 AM4 AM3 requirements assumption models/monitors composition logic no collisions no pipe loss environment
  • 11. probabilistic modeling system model design-time phase run-time phase dynamics control perception planning sensing A1 A2 assumption effect analysis A3 A4 (A1 V A2) ∧ A3 ∧ A4 requirements composition logic no collisions no pipe loss M1 AM2 AM1 M2 AM4 AM3 obstacle assumption model M1 AM2 AM1 dynamics assumption model M2 AM4 AM3 assumption models/monitors environment
  • 12. probabilistic modeling system model design-time phase (vguar , cguar ) run-time phase dynamics control perception planning sensing A1 A2 assumption effect analysis A3 A4 (A1 V A2) ∧ A3 ∧ A4 requirements composition logic (AM1 V AM2) ∧ AM3 ∧ AM4 assurance confidence monitor M1 AM2 AM1 M2 AM4 AM3 (v1 , c1 ) (v2 , c2 ) (v3 , c3 ) (v4 , c4 ) no collisions no pipe loss obstacle assumption model M1 AM2 AM1 dynamics assumption model M2 AM4 AM3 assumption models/monitors environment
  • 13. probabilistic modeling system model design-time phase run-time phase dynamics control perception planning sensing A1 A2 assumption effect analysis A3 A4 (A1 V A2) ∧ A3 ∧ A4 requirements composition logic (AM1 V AM2) ∧ AM3 ∧ AM4 assurance confidence monitor M1 AM2 AM1 M2 AM4 AM3 (v1 , c1 ) (v2 , c2 ) (v3 , c3 ) (v4 , c4 ) no collisions no pipe loss obstacle assumption model M1 AM2 AM1 dynamics assumption model M2 AM4 AM3 assumption models/monitors environment (vguar , cguar )
  • 14. probabilistic modeling system model design-time phase run-time phase dynamics control perception planning sensing A1 A2 assumption effect analysis A3 A4 (A1 V A2) ∧ A3 ∧ A4 requirements composition logic (AM1 V AM2) ∧ AM3 ∧ AM4 assurance confidence monitor M1 AM2 AM1 M2 AM4 AM3 (v1 , c1 ) (v2 , c2 ) (v3 , c3 ) (v4 , c4 ) no collisions no pipe loss obstacle assumption model M1 AM2 AM1 dynamics assumption model M2 AM4 AM3 assumption models/monitors environment (vguar , cguar )
  • 16. Assumption effect analysis Is this assumption required for R1: no collisions? Mode1: obstacle detected Mode2: obstacle not detected A1: “Reported distance is within 1m of true distance” A2: “No false-negative obstacle detections” A3: “The obstacle is >10m away” A4: “Vehicle follows the given dynamics equations”
  • 17. Assumption effect analysis Is this assumption required for R1: no collisions? Mode1: obstacle detected Mode2: obstacle not detected A1: “Reported distance is within 1m of true distance” Yes No A2: “No false-negative obstacle detections” A3: “The obstacle is >10m away” A4: “Vehicle follows the given dynamics equations”
  • 18. Assumption effect analysis Is this assumption required for R1: no collisions? Mode1: obstacle detected Mode2: obstacle not detected A1: “Reported distance is within 1m of true distance” Yes No A2: “No false-negative obstacle detections” No Yes A3: “The obstacle is >10m away” A4: “Vehicle follows the given dynamics equations”
  • 19. Assumption effect analysis Is this assumption required for R1: no collisions? Mode1: obstacle detected Mode2: obstacle not detected A1: “Reported distance is within 1m of true distance” Yes No A2: “No false-negative obstacle detections” No Yes A3: “The obstacle is >10m away” Yes Yes A4: “Vehicle follows the given dynamics equations”
  • 20. Assumption effect analysis Is this assumption required for R1: no collisions? Mode1: obstacle detected Mode2: obstacle not detected A1: “Reported distance is within 1m of true distance” Yes No A2: “No false-negative obstacle detections” No Yes A3: “The obstacle is >10m away” Yes Yes A4: “Vehicle follows the given dynamics equations” Yes Yes
  • 21. Assumption effect analysis Is this assumption required for R1: no collisions? Mode1: obstacle detected Mode2: obstacle not detected A1: “Reported distance is within 1m of true distance” Yes No A2: “No false-negative obstacle detections” No Yes A3: “The obstacle is >10m away” Yes Yes A4: “Vehicle follows the given dynamics equations” Yes Yes Composition logic: (Mode1 → A1 ∧ A3 ∧ A4) ∧ (Mode2 → A2 ∧ A3 ∧ A4)
  • 22. probabilistic modeling system model design-time phase run-time phase dynamics control perception planning sensing A1 A2 assumption effect analysis A3 A4 (A1 V A2) ∧ A3 ∧ A4 requirements composition logic (AM1 V AM2) ∧ AM3 ∧ AM4 assurance confidence monitor M1 AM2 AM1 M2 AM4 AM3 (v1 , c1 ) (v2 , c2 ) (v3 , c3 ) (v4 , c4 ) no collisions no pipe loss obstacle assumption model M1 AM2 AM1 dynamics assumption model M2 AM4 AM3 assumption models/monitors environment (vguar , cguar )
  • 23. ● Random variables: − Reported distance (RD) − True distance (TD) ● An assumption is an assertion over variables: − A1: | RD – TD | ≤ 1m (bounded error) − A2: RD = ∞ → TD = ∞ (no false negatives) ● Goal: compute queries over assns given observations − P( f(A1, A2) | RD ), where f is a given Boolean function Probabilistic modeling of assumptions
  • 26. Assumption monitoring P(A1) = 0.78 P(A2) = 0.97 P(A1 V A2) = 0.98
  • 27. probabilistic modeling system model design-time phase run-time phase dynamics control perception planning sensing A1 A2 assumption effect analysis A3 A4 (A1 V A2) ∧ A3 ∧ A4 requirements composition logic (AM1 V AM2) ∧ AM3 ∧ AM4 assurance confidence monitor M1 AM2 AM1 M2 AM4 AM3 (v1 , c1 ) (v2 , c2 ) (v3 , c3 ) (v4 , c4 ) no collisions no pipe loss obstacle assumption model M1 AM2 AM1 dynamics assumption model M2 AM4 AM3 assumption models/monitors environment (vguar , cguar )
  • 28. Fundamental Research - Contract No. FA8750-18-C-0090 A1 A2 A1 ∧ A2 C(AM1, AM2) AM1 AM2 Safety Safe when satisfied, otherwise likely unsafe Calibrated, conservative confidence Conditional independence Calibrated, conservative confidence Options: - AM1*AM2 - w1*AM1 + w2*AM2 - AM1 + AM2 - 1 - LogReg(AM1, AM2) - Bayes(AM1, AM2) Confidence composition theory Calibrated, conservative confidence
  • 29. Demo 1: guarantees hold, confidence high
  • 30. Demo 2: guarantees fail, confidence drops
  • 31. Future research directions ● Dependencies between assumptions and monitors ● Automated selection of composition functions ● Non-exhaustive design-time assurance: testing, simulation ● Recovery and adaptation based on composed confidence ● Second-order assumptions (of our assumption monitors)
  • 32. Summary ● Monitoring confidence in assurance requires closing a gap: − Design-time guarantees ←?→ run-time monitors ● We address this problem in four steps: − Formal verification − Assumption effect analysis − Assumption monitoring − Composition of monitors