B.3.3 — Assurance Subtypes & Levels
Preface node
heading:b-3-3-assurance-subtypes-levels:34882
What this page is
This is generated FPF reference text from the specification preface or supporting sections. It helps interpret FPF; it is not FPF Reference product documentation.
Methodology
Use it to understand how the specification wants to be read, then return to a route, pattern, or work packet for active work. Cite generated IDs only when the wording changes the task decision.
Content
Problem Frame
A complex project may generate hundreds of assurance targets and evidence carriers: design specifications, simulation models, test suites, and operational logs. While the Trust & Assurance Calculus provides a framework for evaluating these assurance targets and their evidence, teams often face a critical challenge: how to aggregate this diverse evidence into a single, meaningful signal of an assurance target's maturity. Simply counting the number of tests or documents can lead to "paper compliance," where an assurance target appears well-supported but has critical, unexamined weaknesses in its formal structure or conceptual alignment.
Problem
How do we create an objective, auditable, and balanced Standard for what constitutes "trustworthiness" at each stage of an assurance target's development state cycle? FPF requires a mechanism that moves beyond simple evidence counting to a qualitative assessment of assurance. This mechanism must prevent common failure modes, such as over-investing in run-time validation (LA) at the expense of design-time verification (VA), or neglecting the critical work of ensuring concepts are correctly mapped and typed (TA).
Solution
FPF establishes a formal Standard that links three distinct Assurance Subtypes to three computable Assurance Levels. An assurance target's level is not assigned manually by an author; it is derived automatically by its anchored evidence. This creates a transparent and falsifiable system for tracking an assurance target's progression from a speculative idea to a robust, reliable holon.
Assurance Subtypes: The Three Pillars of Trust
These three subtypes categorize the kind of question an assurance activity answers, ensuring a balanced approach to building confidence.
Computed Assurance Levels: Evidence-support progression
An assurance target's level is computed based on the evidence it has accumulated. This creates a declared progression for increasing trust without treating assurance as a generic ladder.
Didactic Note for Managers: What 'Level 1' Really Means
Think of moving from Level 0 to Level 1 as the first step toward professional seriousness.
- Level 0 is an idea on a whiteboard. It has potential, but no receipts.
- Level 1 means you have at least one receipt. You have anchored the idea to something concrete: a passing test, a formal sketch, a simulation result. It's no longer just an opinion.
Crucially, Level 1 also demands Concept-Bridge Assurance. This sounds technical, but its business impact is simple: it means the project has named its terms in a way that survives movement across documents, diagrams, and specialist vocabularies. You've used the Domain-Concept Bridge (Pattern B.5.3) to check whether "Sensor" in requirements and "Sensor" in an architecture view name the same entity, characteristic, role assignment, interface, or publication claim. This basic alignment work is what prevents costly integration failures and endless meetings where teams talk past each other.
Conformance Checklist
To ensure the integrity of the assurance calculus, the following rules are normative. A Target of Assurance (ToA) is any working-model element designated as a root claim (e.g., a root system requirement, safety goal, or core hypothesis).
- CC-B3.3.1 (L1 Anchor Mandate): A ToA SHALL NOT be considered to have reached
AssuranceLevel:L1unless it is linked to at least one evidence carrier viaverifiedByorvalidatedBy. - CC-B3.3.2 (Concept-Bridge Mandate): A ToA at
AssuranceLevel:L1or higher MUST be supported by Concept-Bridge Assurance. This includes, at a minimum, that its core terms are mapped through the Domain-Concept Bridge (Pattern B.5.3) and conform to their declared schemas, slot relations, or bridge records. - CC-B3.3.3 (L2 V&V Mandate): A ToA at
AssuranceLevel:L2MUST satisfy all L1 criteria. In addition, it MUST be supported by Verification Assurance (VA) withFV ≥ threshold_FV. For holons designated as safety-critical (e.g.,criticality ≥ SIL-2), the ToA MUST also be supported by Validation Assurance (LA) withEV > 0. For non-critical holons, LA SHOULD be present.- Exemption Note: Purely formal epistemes (e.g., mathematical axioms) may justify an exemption from the LA requirement, provided this is documented in the formal episteme's rationale.
- CC-B3.3.4 (Concept-Bridge Completeness): For any mechanism used in a model at
AssuranceLevel:L1or higher, its load-bearing local terms, slots, and governed values MUST be mapped to their declared FPF kinds, relations, characteristics, method values, work values, publication-use relations, or evidence-use relations via the Domain-Concept Bridge (Pattern B.5.3). - CC-B3.3.5 (Scope Separation): Assurance claims MUST maintain a strict separation between
design-timeandrun-timescopes (Pattern A.4). An assurance tuple for aMethodDescription(design-time) SHALL NOT be conflated with one for its correspondingWork/Trace(run-time). The Evidence Graph Ref (verifiedBy,validatedBy) must point to evidence carriers or records with the appropriate scope. - CC-B3.3.6 (CT2R‑LOG Handshake): If a ToA depends on structural claims, those claims SHALL be published as Working‑Model relations and, when used to justify
L2, SHALL declarevalidationMode=axiomaticand provide Constructive grounding withtv:groundedBy → Γₘ.(sum|set|slice)(see B.3.5 and C.13). - CC-B3.3.7 (Downward‑Only Dependence): Assurance publications or records (Mapping, Logical, Constructive, and Evidence) SHALL NOT impose vocabulary or layout back onto the Working‑Model surface (E.14).
Common Anti-Patterns and How to Avoid Them
Consequences
Rationale
This pattern transforms the assurance framework from a descriptive taxonomy into a prescriptive, actionable Standard. By binding the computed AssuranceLevel to mandatory, well-defined evidence coverage, it makes the notion of "trustworthiness" in FPF an objective and auditable property. The rules ensure that as an assurance target's formality and claimed reliability increase, the rigor and balance of its supporting evidence increase in lockstep, operationalizing the principle of "no blind trust." The separation of design-time and run-time evidence, mandated by CC-B3.3.5, further ensures that claims made about a blueprint are not confused with claims made about a running system, preserving the integrity of the whole design-time and run-time evidence history.
Relations
- Builds on:
B.3 Trust & Assurance Calculus,C.2.1 U.Episteme,C.16/A.19characterization discipline,A.10 Evidence Graph Referring,A.4 Temporal Duality. - Constrains: The computation and interpretation of
AssuranceLevelfor all holons. - Enables: Objective quality gates in the Canonical Evolution Loop (B.4) and reliable inputs for D.4 Ethical Mediation and Decision Use.
B.3.3:End
Last Updated: 2026-07-03 — upstream FPF commit f7c7e93f (github.com/ailev/FPF)