We begin with the case where either channel can bring the system to a safe state. The reasoning is divided into two steps. The first concerns aleatory uncertainty about (i) whether channel A will fail on a randomly selected demand and (ii) whether channel B is imperfect. It is shown that, conditional upon knowing p_A (the probability that A fails on a randomly selected demand) and p_B (the probability that channel B is imperfect), a conservative bound on the probability that the system fails on a randomly selected demand is simply p_A × p_B. That is, there is conditional independence between the events "A fails" and "B is imperfect". The second step of the reasoning involves epistemic uncertainty, represented by an assessor's beliefs about the distribution of (p_A, p_B). We show that, under quite plausible assumptions, a conservative bound on the epistemic uncertainty can be constructed from point estimates for just three parameters. We discuss the feasibility of establishing credible estimates for these parameters.
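As an added illustration, not part of the original abstract, the two steps can be written out with the abstract's own symbols. The event names F_A ("A fails on the demand"), F_B ("B fails on the demand") and I_B ("B is imperfect"), and the assessor's joint distribution F over (p_A, p_B), are notation introduced here for the illustration. The first step uses only two facts: a perfect channel never fails, so F_B \subseteq I_B; and because either channel alone suffices to reach a safe state, the system fails only when both channels fail.

\[
P(\text{system fails} \mid p_A, p_B)
 = P(F_A \wedge F_B \mid p_A, p_B)
 \le P(F_A \wedge I_B \mid p_A, p_B)
 = P(F_A \mid p_A, p_B)\, P(I_B \mid p_A, p_B)
 = p_A \, p_B ,
\]

where the inequality is the inclusion F_B \subseteq I_B and the following equality is the conditional independence of F_A and I_B given (p_A, p_B). The second step removes the conditioning by averaging the aleatory bound over the assessor's epistemic beliefs:

\[
P(\text{system fails})
 \le \int\!\!\int p_A \, p_B \; dF(p_A, p_B)
 = \mathbb{E}_F[\, p_A \, p_B \,] .
\]

The abstract's claim is that, under its stated assumptions, this expectation can be bounded from above using point estimates of three parameters; the bound remains conservative because every step above is either an equality or an upper bound.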
We extend our analysis from faults of omission to those of commission, and then combine these to yield an analysis for monitored architectures of a kind proposed for aircraft.