Using confidence arguments in assurance cases

  Figure 1: safety and confidence argument
  Figure 2: assurance case argument map with confidence argument branch

Confidence arguments help to justify that main arguments in assurance cases are sound and trustworthy. While the main argument directly addresses system safety or security, the purpose of the confidence argument is to answer the question why we should trust that the main argument is right. Some standards and guidelines, and also some certifiers require an explicit demonstration of the confidence argument, that is a consistent and complete justification that the main argument is trustworthy.

The starting point is demonstrating confidence in a single argumentation step. There are a few ways to do this. Here we present the use of the Justification type of argument element. GSN Community Standard version 3, section 1:2.2.18, says: “A justification can also be connected to a strategy, to provide backing for the argument described by the strategy.” That is the point: we need explicit backing for the argumentation reasoning step described by a strategy. The backing should say why we should trust that the reasoning is sound: that it covers the full context of the claim, that all required premises are available, and that all known problems or weaknesses are resolved. To create such backing we have extended the Justification element so that it can be supported by an argument. We also allow justifications to be linked to confidence claims. This approach keeps the main argument and the confidence argument separate.

PREMIS extends the GSN argument structure to allow justifications to be supported by arguments. The diagram below shows on the left a simple safety argument with justification J1, which is a link (a citation) to confidence claim CC1. The argument structure of CC1 is presented on the right. This example illustrates how the confidence argument can be implemented and how it is related to the main safety argument.

This approach can be used for individual argumentation steps and for complete assurance cases.

  • The main argument asserts that an acceptable level of system safety has been achieved. Each claim in this argument contributes to achieving system safety.
  • The confidence argument should justify that each argumentation step of the main argument is valid. This does not contribute directly to system safety, but it is required in order to trust the main safety argument. If we cannot provide a convincing confidence argument for a given step of the main argument, we cannot trust the validity of that step.

Example of safety and process reliability argument branches

The argument map diagram below presents this approach applied to a simple assurance case. The argument map shows the pages of the argument diagrams. The top claim name for each page is displayed. The left part of the diagram contains the main safety argument and the confidence argument is shown on the right. You can also browse this assurance case online in PREMIS using this link.

The confidence argument presented here includes just five claims, which is sufficient to demonstrate its structure. It should be based directly on the system development process or its life cycle. The confidence argument should follow the development process and at the same time be consistent with the structure of the main safety argument. An adequate confidence claim should be provided for each step of the main argument. In practice, there will be hundreds of confidence claims and links to the safety argument. While the use of quality gates and other checkpoints implemented in the safety assurance process can simplify the linking of the two arguments, the confidence argumentation must still cover all the requirements of the relevant standards for the development process.
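The following is an added example, not code from the page, from PREMIS or from the GSN standard. It models the mechanism described above (a Justification attached to a Strategy that cites a confidence claim, with the confidence claim developed in its own branch) and implements the check a reviewer would want once there are hundreds of such links: every argumentation step of the main argument must carry a justification that cites a confidence claim, and that confidence claim must itself be developed down to evidence. The element kinds, ids and texts of the sample case are constructed for illustration and are assumptions.

```python
"""Added example, not from the page, PREMIS or the GSN standard: a small
GSN-style argument model in which a Justification attached to a Strategy
cites a confidence claim, plus a check that every argumentation step of the
main argument carries such backing and that the cited confidence claim is
itself developed down to evidence. All element ids and texts are constructed."""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass
class Element:
    id: str
    kind: str                          # Goal | Strategy | Solution | Justification | ConfidenceClaim
    text: str
    supported_by: List[str] = field(default_factory=list)  # GSN SupportedBy edges
    justified_by: List[str] = field(default_factory=list)  # Justification ids attached to a Strategy
    cites: Optional[str] = None        # Justification only: the confidence claim it links to


class ArgumentModel:
    def __init__(self, elements: List[Element]):
        self.elements: Dict[str, Element] = {e.id: e for e in elements}

    def is_developed(self, claim_id: str, path: FrozenSet[str] = frozenset()) -> bool:
        """True if every branch below claim_id ends in a Solution (evidence)."""
        if claim_id in path:           # cycle: not a valid development
            return False
        e = self.elements.get(claim_id)
        if e is None:
            return False
        if e.kind == "Solution":
            return True
        if not e.supported_by:
            return False               # undeveloped claim or strategy
        return all(self.is_developed(c, path | {claim_id}) for c in e.supported_by)

    def check_confidence_backing(self) -> List[str]:
        """One finding per argumentation step (Strategy) that lacks a Justification
        citing a ConfidenceClaim that is developed to evidence."""
        findings: List[str] = []
        for s in self.elements.values():
            if s.kind != "Strategy":
                continue
            if not s.justified_by:
                findings.append(f"{s.id}: no justification attached")
                continue
            for jid in s.justified_by:
                j = self.elements.get(jid)
                if j is None or j.kind != "Justification":
                    findings.append(f"{s.id}: {jid} is not a Justification")
                    continue
                cc = self.elements.get(j.cites) if j.cites else None
                if cc is None or cc.kind != "ConfidenceClaim":
                    findings.append(f"{s.id}: {jid} does not cite a confidence claim")
                elif not self.is_developed(cc.id):
                    findings.append(f"{s.id}: confidence claim {cc.id} is not developed to evidence")
        return findings

    def confidence_coverage(self) -> Tuple[int, int]:
        """(backed strategies, total strategies): the ratio to track as the case grows."""
        strategies = {e.id for e in self.elements.values() if e.kind == "Strategy"}
        flagged = {f.split(":")[0] for f in self.check_confidence_backing()}
        return len(strategies) - len(flagged & strategies), len(strategies)


# Constructed sample case: main safety argument on the left, confidence branch on the right.
SAMPLE_CASE = ArgumentModel([
    Element("G1", "Goal", "System is acceptably safe", supported_by=["S1"]),
    Element("S1", "Strategy", "Argument over each identified hazard",
            supported_by=["G2", "G3"], justified_by=["J1"]),
    Element("J1", "Justification", "Hazard list is complete (see CC1)", cites="CC1"),
    Element("G2", "Goal", "Hazard H1 is mitigated", supported_by=["S2"]),
    Element("S2", "Strategy", "Argument over design and verification of the mitigation",
            supported_by=["Sn1"]),     # no justification attached: a gap the check reports
    Element("Sn1", "Solution", "Test report TR-1 (constructed)"),
    Element("G3", "Goal", "Hazard H2 is mitigated", supported_by=["Sn2"]),
    Element("Sn2", "Solution", "Analysis report AR-2 (constructed)"),
    Element("CC1", "ConfidenceClaim", "Hazard identification is complete", supported_by=["CC2"]),
    Element("CC2", "ConfidenceClaim", "HAZOP performed per the process by a qualified team",
            supported_by=["Sn3"]),
    Element("Sn3", "Solution", "HAZOP report and attendance record (constructed)"),
])

if __name__ == "__main__":
    for finding in SAMPLE_CASE.check_confidence_backing():
        print("FINDING", finding)
    print("confidence coverage: %d/%d strategies" % SAMPLE_CASE.confidence_coverage())
```

Keeping the confidence branch as separate ConfidenceClaim elements reached only through a Justification's citation is what keeps the two arguments apart: the main argument's `is_developed` walk never enters the confidence branch, so the safety claims are judged on their own evidence, while the coverage figure tells a reviewer how many steps still lack backing.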

This approach can be extended with additional layers of the argument. For example, the MISRA Guidelines for Automotive Safety Arguments propose a further argument layer, named Organizational environment, which should contain an argument demonstrating that all system life cycle activities are performed by an organization with an appropriate environment, including, among other things, a Quality Management System (QMS), a continuous improvement process and adequate team qualifications.

Separating the argument layers into different argument branches or separate argument modules can make managing large assurance cases easier for development, reviews and maintenance. The relations between the main argument and the layers of the confidence argument are easy to maintain in PREMIS when the structure of the main argument is consistent with the system development process.