arxiv: 2605.22213 · v1 · pith:L2DXTM73new · submitted 2026-05-21 · 💻 cs.AI

Towards a compositional semantics for quantitative confidence assessment in assurance arguments

Pith reviewed 2026-05-22 05:42 UTC · model grok-4.3

classification 💻 cs.AI
keywords assurance arguments · subjective logic · confidence assessment · goal structuring notation · GSN · compositional semantics · safety cases

The pith

Assurance arguments gain quantitative confidence by mapping their elements to subjective logic opinions and their relations to combining operators.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper develops a uniform way to calculate overall confidence in a structured assurance argument from the confidence attached to its individual parts. It represents each claim, strategy, or solution as an opinion in subjective logic that carries degrees of belief, disbelief, and uncertainty. Relations between these elements, such as how one claim supports another, are then interpreted as operators that combine the opinions according to how confidence should flow through the structure. This conversion produces an analyzable network whose top-level value reflects the net confidence in the main claim even when evidence is incomplete or subjective. A reader would care because it supplies an operational method for deriving a single, principled confidence measure instead of relying solely on structural checks or qualitative judgment.
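An added example, not taken from the paper or from Pith: a binomial opinion (belief, disbelief, uncertainty, base rate) and cumulative belief fusion as defined in Jøsang's Subjective Logic, shown as one illustrative combining operator. The page does not state which operator the paper assigns to which GSN relation, and the evidence opinions below are constructed.

```python
from dataclasses import dataclass
from functools import reduce


@dataclass(frozen=True)
class Opinion:
    """Binomial subjective-logic opinion about one claim."""
    b: float        # belief
    d: float        # disbelief
    u: float        # uncertainty (uncommitted mass)
    a: float = 0.5  # base rate (prior used to split the uncertainty)

    def __post_init__(self):
        if min(self.b, self.d, self.u) < 0 or abs(self.b + self.d + self.u - 1) > 1e-9:
            raise ValueError("b, d, u must be non-negative and sum to 1")

    def projected(self) -> float:
        """Projected probability P = b + a*u."""
        return self.b + self.a * self.u


def cumulative_fusion(x: Opinion, y: Opinion) -> Opinion:
    """Cumulative belief fusion of opinions from two independent sources."""
    if x.u == 0 and y.u == 0:
        # Both sources are dogmatic: limit case with equal weights.
        return Opinion((x.b + y.b) / 2, (x.d + y.d) / 2, 0.0, (x.a + y.a) / 2)
    k = x.u + y.u - x.u * y.u
    if x.u == 1 and y.u == 1:
        a = (x.a + y.a) / 2
    else:
        a = ((x.a * y.u + y.a * x.u - (x.a + y.a) * x.u * y.u)
             / (x.u + y.u - 2 * x.u * y.u))
    return Opinion((x.b * y.u + y.b * x.u) / k,
                   (x.d * y.u + y.d * x.u) / k,
                   x.u * y.u / k, a)


def fuse_all(opinions):
    """Fold a list of evidence opinions into one opinion on the parent claim."""
    return reduce(cumulative_fusion, opinions)


# Constructed sample opinions for three evidence items under one claim.
TEST_REPORT = Opinion(0.6, 0.1, 0.3)
DESIGN_REVIEW = Opinion(0.5, 0.0, 0.5)
FIELD_DATA = Opinion(0.2, 0.4, 0.4)   # partly conflicts with the other two
VACUOUS = Opinion(0.0, 0.0, 1.0)      # "no evidence at all"

if __name__ == "__main__":
    top = fuse_all([TEST_REPORT, DESIGN_REVIEW, FIELD_DATA])
    print(f"b={top.b:.3f} d={top.d:.3f} u={top.u:.3f} P={top.projected():.3f}")
```

Fusing the three items leaves an uncertainty of about 0.17, lower than any single item, while the conflicting field data shows up as a disbelief of about 0.23 rather than being averaged away.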

Core claim

We propose a confidence semantics that represents argument elements as SL opinions and maps relations between elements to SL operators modelling how confidence flows, effectively turning the argument into an analyzable confidence network. The approach provides explicit warrants, principled handling of context, preserved provenance, and compatibility with GSN, along with practical guidance using an exemplary assurance confidence assessment.

What carries the argument

A mapping from Goal Structuring Notation elements and relations to Subjective Logic opinions and operators that composes local confidence values into a global assessment for the top claim.

Load-bearing premise

The chosen subjective logic operators for each type of argument relation correctly capture the intended flow of confidence without introducing artifacts from the way uncertainty is represented.

What would settle it

A concrete case study in which the top-level confidence value produced by the semantics on a real GSN argument differs markedly from the overall confidence assigned by independent experts who reviewed the same argument.

Figures

Figures reproduced from arXiv: 2605.22213 by Benjamin Herd, Jan Sabsch, Jessica Kelly, Lydia Gauerhof.

Figure 1: Simple GSN argument representing a composition of

Figure 2: Support relation modelled as conditional deduction.

Figure 3: Context relation: conditional interpretation

Figure 4: Context relation: unconditional interpretation

Figure 5: Input opinion configurations for the evidence nodes

Figure 6: Top-level opinion distributions (ωG1) under three assumption opinions (ωA1): full uncertainty, partial belief, and full belief. Each curve shows the probability P(G1) after considering ωA1 under the High Belief conditional scenario with Partial Confidence input opinions. The dotted vertical lines mark the expected probability for each case.
Original abstract

Assurance arguments provide a clear and structured way to explain why stakeholders should trust that a system satisfies certain properties, yet widely used notations, e.g. Goal Structuring Notation (GSN), typically lack an operational semantics for deriving assurance confidence. Existing approaches address structure and soundness but largely reason over truth values, not over confidence in the justification of claims. Subjective Logic (SL) offers a calculus of belief, disbelief, and uncertainty with operators for combining opinions, enabling confidence propagation under incomplete, conflicting, or subjective evidence. However, existing SL-based approaches do not provide a uniform, compositional semantics that covers all argument elements and relations to enable overall confidence assessment. We propose a confidence semantics that represents argument elements as SL opinions and maps relations between elements to SL operators modelling how confidence flows, effectively turning the argument into an analyzable confidence network. The approach provides explicit warrants, principled handling of context, preserved provenance, and compatibility with GSN, along with practical guidance using an exemplary assurance confidence assessment.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

1 major / 2 minor

Summary. The paper proposes a compositional semantics for quantitative confidence assessment in assurance arguments based on Goal Structuring Notation (GSN). Argument elements are represented as Subjective Logic (SL) opinions, and relations between elements are mapped to SL operators that model confidence flow, turning the argument structure into an analyzable confidence network. The approach claims explicit warrants, principled context handling, provenance preservation, and GSN compatibility, illustrated by an exemplary assessment.

Significance. If the operator mappings prove faithful and compositional across GSN constructs, the work would address a recognized gap by enabling quantitative propagation of confidence under uncertainty, conflict, and incomplete evidence. The absence of free parameters, direct use of existing SL operators, and explicit provenance claims are strengths that could support practical adoption in assurance cases.

major comments (1)
  1. [Abstract and exemplary assessment section] The central claim that the chosen SL operators provide a uniform, compositional semantics for all GSN relations (including decomposition, context, and multi-claim cases) without introducing artifacts in uncertainty or conflict handling rests on an unproven assumption. The exemplary assessment offers only limited illustration; no general proof of faithfulness, no counter-example analysis, and no comparison with alternative operator choices are provided to confirm that confidence values match stakeholder intent for arbitrary argument structures.
minor comments (2)
  1. Clarify the exact SL opinion notation and operator definitions in the main text with a small self-contained example before the full exemplary assessment.
  2. Add a brief discussion of how the semantics handles cycles or shared sub-claims if such structures are permitted in the target GSN usage.

Simulated Author's Rebuttal

1 responses · 0 unresolved

We thank the referee for the constructive feedback and for recognizing the potential of the proposed semantics. We address the major comment below with clarifications on our approach and indicate specific revisions to strengthen the manuscript.

Point-by-point responses
  1. Referee: [Abstract and exemplary assessment section] The central claim that the chosen SL operators provide a uniform, compositional semantics for all GSN relations (including decomposition, context, and multi-claim cases) without introducing artifacts in uncertainty or conflict handling rests on an unproven assumption. The exemplary assessment offers only limited illustration; no general proof of faithfulness, no counter-example analysis, and no comparison with alternative operator choices are provided to confirm that confidence values match stakeholder intent for arbitrary argument structures.

    Authors: The semantics is compositional by construction: each GSN relation is mapped to an SL operator whose algebraic properties (e.g., associativity and commutativity of consensus for independent decomposition) directly mirror the intended confidence flow, without free parameters. The exemplary assessment illustrates this for a representative structure rather than serving as exhaustive validation. We agree that additional analysis would strengthen the presentation. We will revise the exemplary assessment section to include (i) a counter-example with a multi-claim decomposition under conflicting evidence, explicitly tracing uncertainty and conflict propagation to show absence of artifacts, and (ii) a brief comparison of the chosen operators against alternatives such as simple averaging or discounting, justifying the selections on grounds of provenance preservation and fidelity to GSN intent. These additions will better substantiate the claim for the illustrated cases and provide guidance for generalization. revision: yes

Circularity Check

0 steps flagged

No significant circularity: proposal defines new mapping without reducing to inputs or self-referential premises

full rationale

The paper introduces a compositional confidence semantics by representing GSN elements as SL opinions and mapping relations to SL operators. This is a definitional construction that extends existing Subjective Logic and GSN structures rather than deriving results from fitted parameters or self-citations that collapse the central claim. No equations or steps in the provided abstract and description reduce by construction to the inputs; the approach claims explicit warrants, provenance preservation, and compatibility without invoking uniqueness theorems or ansatzes from the authors' prior work as load-bearing. The exemplary assessment serves as illustration only, leaving the mapping as an independent proposal open to verification against stakeholder intent.

Axiom & Free-Parameter Ledger

0 free parameters · 1 axioms · 0 invented entities

The central claim rests on the domain assumption that Subjective Logic provides a suitable calculus for confidence propagation in assurance arguments and that the proposed mappings preserve intended meaning without distortion.

axioms (1)
  • domain assumption Subjective Logic operators correctly model how confidence combines across argument relations such as support, context, and strategy links.
    This mapping is the load-bearing step that turns the argument into a calculable network; it is introduced as the core of the proposed semantics.


Lean theorems connected to this paper

Citations machine-checked in the Pith Canon. Every link opens the source theorem in the public Lean library.

  • IndisputableMonolith/Cost/FunctionalEquation.lean washburn_uniqueness_aczel (tag: unclear)

    Relation between the paper passage and the cited Recognition theorem.

    We propose a confidence semantics that represents argument elements as SL opinions and maps relations between elements to SL operators modelling how confidence flows, effectively turning the argument into an analyzable confidence network.

What do these tags mean?

  • matches: The paper's claim is directly supported by a theorem in the formal canon.
  • supports: The theorem supports part of the paper's argument, but the paper may add assumptions or extra steps.
  • extends: The paper goes beyond the formal theorem; the theorem is a base layer rather than the whole result.
  • uses: The paper appears to rely on the theorem as machinery.
  • contradicts: The paper's claim conflicts with a theorem or certificate in the canon.
  • unclear: Pith found a possible connection, but the passage is too broad, indirect, or ambiguous to say the theorem truly supports the claim.
