Worked Example: Incorrect Inference and Correction

Purpose

This example demonstrates how M45 handles incorrect or overly narrow intent inference, and how human judgment establishes final authority. For the normal inference process, see the worked example of inference and alignment.


Source artifact

Consider the following requirement.

R4

In protected mode, the system shall limit reliance on GNSS signals and prioritize inertial and available radio navigation sources to maintain situational awareness.

This requirement is intentionally broad.


Initial inferred intent

From R4, M45 infers:

Components

  • GNSS receiver
  • Inertial navigation source
  • Radio navigation source

Functions

  • Limit reliance on GNSS
  • Prioritize inertial and radio navigation sources

Modes

  • Protected mode

Safety themes

  • Graceful degradation
  • Fault tolerance

At this point, the inferred intent is plausible.


Incorrect inferred scenario

Based on common patterns, M45 also infers the scenario:

  • GNSS signal loss or degradation

This inference is not justified by the requirement.

The requirement does not state:

  • That GNSS loss has occurred
  • That protected mode is triggered by GNSS degradation
  • That degradation is external rather than internal

The inference reflects a plausible assumption, not explicit evidence.


Human review

An engineer reviews the inferred intent and identifies the issue.

Observation:

Protected mode is entered under multiple conditions. The scenario "GNSS signal loss" is too narrow and misleading.


Correction and decision

The engineer:

  • Rejects the inferred scenario
  • Replaces it with a broader one

Corrected scenario

  • Navigation source integrity concern

This avoids introducing unstated assumptions and better reflects system intent: the corrected scenario names the concern the requirement actually addresses, while leaving its cause (external degradation, internal fault, or something else) to be established by evidence rather than presumed.


Decision record

M45 records this in a decision record:

  • The original inferred scenario
  • The rejection decision
  • The corrected scenario
  • The engineer's rationale
  • Timestamp and artifact context

The rejected inference remains inspectable, so a later reader can see what was assumed and why it was rejected, not only the corrected result. See the Decision Record Schema for the formal structure.


Updated intent snapshot

The revised intent snapshot includes:

  • Components: GNSS, inertial, radio navigation sources
  • Functions: GNSS limitation, source prioritization
  • Modes: protected mode
  • Scenarios: navigation source integrity concern
  • Safety themes: graceful degradation, fault tolerance

This new snapshot supersedes the previous one (referenced via supersedesSnapshotId) without erasing it. Intent snapshots are immutable and accumulate over time. See the Intent Snapshot Schema for the complete structure and how versioning works.
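The following is an added example, not M45's own code and not its schema. It models the behaviour described above for R4: snapshots and decision records are append-only and content-addressed, the corrected snapshot supersedes the earlier one through supersedesSnapshotId without erasing it, and the rejected scenario stays inspectable in both the superseded snapshot and the decision record. Every field name other than supersedesSnapshotId, the id format, the engineer label and the timestamp are assumptions made for this example.

```python
# Added example, not M45's own code or schema. Field names other than
# supersedesSnapshotId, the id format, and the sample values are assumptions.
import hashlib
import json
from datetime import datetime, timezone


def canonical(payload):
    """Canonical JSON so identical content always hashes to the same id."""
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


class IntentStore:
    """Append-only store. Records are kept as the exact bytes that were hashed,
    so a stored record cannot drift away from its id without being noticed."""

    def __init__(self):
        self._blobs = {}  # record id -> canonical JSON bytes

    def _put(self, prefix, payload):
        blob = canonical(payload)
        rid = f"{prefix}-{hashlib.sha256(blob).hexdigest()[:16]}"
        self._blobs.setdefault(rid, blob)  # never overwrite an existing id
        return rid

    def get(self, rid):
        """Return a fresh dict; callers cannot mutate what is stored."""
        return json.loads(self._blobs[rid])

    def verify(self, rid):
        """True iff the stored bytes still hash to the id they are filed under."""
        return rid.endswith(hashlib.sha256(self._blobs[rid]).hexdigest()[:16])

    def add_snapshot(self, artifact_id, intent, supersedes=None):
        if supersedes is not None and supersedes not in self._blobs:
            raise KeyError(f"cannot supersede unknown snapshot {supersedes}")
        return self._put("snap", {
            "artifactId": artifact_id,
            "intent": intent,
            "supersedesSnapshotId": supersedes,
        })

    def add_decision(self, artifact_id, before, after, rejected, corrected,
                     rationale, engineer, timestamp=None):
        for sid in (before, after):
            if sid not in self._blobs:
                raise KeyError(f"decision refers to unknown snapshot {sid}")
        return self._put("dec", {
            "artifactId": artifact_id,
            "beforeSnapshotId": before,
            "afterSnapshotId": after,
            "rejectedInference": rejected,
            "correctedInference": corrected,
            "rationale": rationale,
            "engineer": engineer,
            "timestamp": timestamp or datetime.now(timezone.utc).isoformat(),
        })

    def lineage(self, sid):
        """Walk supersedesSnapshotId links from newest to oldest."""
        chain, seen = [], set()
        while sid is not None:
            if sid in seen:
                raise ValueError("cycle in supersedes chain")
            seen.add(sid)
            chain.append(sid)
            sid = self.get(sid)["supersedesSnapshotId"]
        return chain


def r4_example():
    """Replay the R4 correction from the text; returns (store, ids)."""
    store = IntentStore()
    base = {
        "components": ["GNSS receiver", "inertial navigation source",
                       "radio navigation source"],
        "functions": ["limit reliance on GNSS",
                      "prioritize inertial and radio navigation sources"],
        "modes": ["protected mode"],
        "safetyThemes": ["graceful degradation", "fault tolerance"],
    }
    # Initial inference, including the unjustified scenario.
    v1 = store.add_snapshot("R4", {**base, "scenarios": ["GNSS signal loss or degradation"]})
    # The engineer's correction: a new snapshot that supersedes v1 but leaves it in place.
    v2 = store.add_snapshot("R4", {**base, "scenarios": ["navigation source integrity concern"]},
                            supersedes=v1)
    dec = store.add_decision(
        "R4", before=v1, after=v2,
        rejected={"scenario": "GNSS signal loss or degradation"},
        corrected={"scenario": "navigation source integrity concern"},
        rationale="Protected mode is entered under multiple conditions; "
                  "the requirement does not state that GNSS loss has occurred.",
        engineer="reviewer-1",                      # assumed label
        timestamp="2024-01-01T00:00:00+00:00",      # fixed so ids are reproducible
    )
    return store, {"v1": v1, "v2": v2, "decision": dec}
```

Content-addressed ids are the design choice worth noting: a snapshot's id is a function of its bytes, so "superseding" can only ever mean adding a new record that points back, and any after-the-fact edit to a stored record is caught by verify(). That is what keeps the rejected inference inspectable rather than silently overwritten.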


What this demonstrates

This example shows that:

  • Inference can be wrong
  • Incorrect inference is visible
  • Authority remains with engineers
  • Corrections are explicit and traceable

M45 treats inferred intent as a hypothesis, not a fact.


Why this matters

In safety-critical systems, the risk is not incorrect inference.

The risk is unexamined inference.

M45 makes assumptions visible so they can be challenged before they propagate.