<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<!-- Documentation on Modeling GSN-based Assurance Cases. -->
<head>
<link rel="stylesheet" type="text/css" href="../layout/stylesheet.css">
<title>Modeling GSN-based Assurance Cases</title>
</head>
<body>
<div class="header">
<div class="box">
<div class="navbar">
<!--a href="https://www.fortiss.org/" align="left">
<img src="fortiss-logo.png" width="90px" height="20px" align="left">
</a-->
<div class="dropdown">
<button class="btn" id="hamburger">
<label for="hamburger" class="hamburger">
<span class="hamburgerLine"></span>
<span class="hamburgerLine"></span>
<span class="hamburgerLine"></span>
</label>
</button>
<div class="dropdown-content">
<a href="../getting_started.html"> Main Page</a>
<a href="../ModandSim/model_element_attributes.html">Modeling and Simulation</a>
<a href="../ta/technical_viewpoint.html">Deployment and Code Generation</a>
<a href="../dse/dse_perspective.html">Design Space Exploration (DSE)</a>
<a href="../assuranceCases/creation.html">Assurance Case Modeling</a>
<a href=".././af3_further_resources.html">Further Resources</a>
</div>
</div>
<div class="dropdown">
<button class="dropbtn">Assurance Case Modeling <i class="triangle"></i></button>
<div class="dropdown-content">
<a href="assessment.html">Quantitative Assessment of Assurance Cases</a>
<a href="maintenance.html">Change Impact Analysis</a>
</div>
</div>
<div class="topnav-right">
<a href="mailto:af_user@lists.fortiss.org?subject=Reporting 'creation.html' Documentation Problem!&body= Dear Af3 team, I am reporting an issue related to Glossary Creation Page.
{Please specify the problem precisely here.}.">Report a Problem?</a>
</div>
</div>
</head>
</div>
</div>
<div class="box">
<h2> ExplicitCase - An Assurance Case Editor in AF3</h2>
<p>AutoFOCUS3 contains an editor, named ExplicitCase, which supports the
construction of modular assurance cases, in compliance with the <a href="https://www.goalstructuringnotation.info/">Goal
Structuring Notation (GSN) standard</a>.</p>
<h3>Support for Assurance Case Creation</h3>
<p> Assurance cases are a proven technique for systematically
demonstrating the safety, security or reliability of a system, using
existing information about the system, its environment and its development
context, and thereby helping to bridge the gap between engineering
artifacts and regulatory requirements. An assurance case has three parts.
First, the <span class="bold">goal</span> (claim) that has to be achieved.
Second, the <span class="bold">evidence</span> that the goal is achieved.
Third, the structured argument, i.e., the <span class="bold">systematic
relationship between the goal and the evidence</span>. Assurance cases
can be designed in a modular way, by subdividing a complex assurance case
into interconnected modules of assurance arguments and evidence.</p>
<h3>What is the Goal Structuring Notation (GSN)?</h3>
<p> The Goal Structuring Notation (GSN) is a well-known description
technique for developing the engineering arguments from which assurance
cases are constructed. GSN uses a graphical argument notation to explicitly
document the elements and structure of an argument and the relationships
between the argument and its evidence. A GSN argument may consist of
several kinds of elements: <span class="italic">Goals</span> are the claims of an
argument, whereas items of evidence are captured as <span class="italic">Solutions</span>.
To document how a claim is said to be supported by sub-claims, the <span
class="italic">Strategy</span> element is used; it is linked to the <span
class="italic">Goals</span> it decomposes and to the resulting sub-goals. A <span class="italic">Context</span>
element captures, and enables citation of, information that is relevant to
the argument. The rationale for a strategy can be described by a <span class="italic">Justification</span>
element. GSN provides two types of linkage between elements: <span class="italic">SupportedBy</span>
and <span class="italic">InContextOf</span>. <span class="italic">SupportedBy</span>
relationships indicate inferential or evidential relationships between
elements. <span class="italic">InContextOf</span> relationships declare
contextual relationships. The benefit of a structured graphical
notation for assurance cases is that it allows an assurance case to be
presented to non-experts (e.g., readers who are not safety engineers) in a
comprehensible manner.</p>
<h4> GSN-based assurance cases in AF3</h4>
<p> ExplicitCase is based on a metamodel derived from the
<a href="https://www.goalstructuringnotation.info/">GSN standard</a> and
offers a graphical editor facilitating the model-based development of
assurance cases. An overview of the editor is shown in Fig. 1. The editor
allows the user to build assurance cases with GSN, supporting:</p>
<ul>
<li> GSN defined node elements (i.e., Goal, Strategy, Solution,
Assumption, Context, Justification);</li>
<li> GSN defined relationships between node elements (i.e., SupportedBy
and InContextOf);</li>
</ul>
<h3>Steps to create an assurance case for your project</h3>
<ol>
<li> In the Model Navigator View, go to an AF3 project and right-click on it;</li>
<li> Select the Assurance Package item from the <span class="italic">Context Menu</span>;</li>
<p> <img src="./pictures/create-assurance-package.png"></p>
<li> Go to the newly created assurance package in the
Model Navigator View, and right-click on it;</li>
<li> Select the Assurance Case item from the <span class="italic">Context Menu</span>;</li>
<p> <img src="./pictures/create-assurance-case.png"></p>
<li> Go to the newly created assurance case in the Model
Navigator View and double-click on it, so that the
editor (a Modeling Diagram) in which you can model the assurance case opens.</li>
</ol>
<h3>Tool-based Support for Handling Large Arguments: Modular Assurance Cases</h3>
<h3> What are modular assurance cases? Why should assurance cases be modular?</h3>
<p> One way of designing assurance cases is to follow a modular
approach. In GSN, an assurance case module contains the objectives,
evidence, argument and context associated with one aspect of the assurance
case. In addition to the GSN argument elements presented in the previous
paragraph, a module may contain away entities, namely <span class="italic">away
goals</span>, <span class="italic">away solutions</span> and <span class="italic">away
context</span> elements. Away entities are references to goals,
solutions or context elements in another module. Away goals cannot be
(hierarchically) decomposed and further supported by sub-entities within
the current module; rather, decomposition has to occur within the
referenced module. Inter-module relationships are of two types, <span
class="italic">supported by</span> and <span class="italic">in context
of</span>. A supported by relationship denotes that
support for the claim presented by the away goal or away solution in one
module is intended to be provided by an argument in another module. When
a module contains an away context element, that module is connected to
another module by an in context of relationship, which
indicates that the context of a certain claim is presented in detail
in the other module.</p>
<p>Modularity of assurance cases has various advantages, namely:</p>
<ul>
<li> Separation of concerns, as modules usually correspond to sub-systems;</li>
<li> Improved comprehensibility;</li>
<li> Minimization of the impact of required changes to an assurance case;</li>
</ul>
<h3> Modular assurance cases in ExplicitCase</h3>
<p> ExplicitCase enables the user to model an assurance case consisting of
several modules which are connected to each other through inter-module
connections. Each such module contains an assurance
argumentation structure, built up from GSN-defined elements (including those
specific to modularity, i.e., Away Goals, Away
Solutions, Away Contexts and Contracts) connected to each other by
GSN-defined relationships. Each argumentation node within a module has a
public indicator, which determines whether the element may be referenced
from another module or not.</p>
<figure> <img src="./pictures/argumentation-modules.png"> <figcaption>
Assurance case modules.</figcaption> </figure>
<h3> Steps to create an assurance case module</h3>
<p> </p>
<ol>
<li> After creating your assurance case, you can specify the
assurance case modules it contains. To add an assurance case module, drag and drop an
Argument Module from the <span class="italic">Model Elements View</span> on the right side onto your diagram;</li>
<li> To specify the properties of the module, go to the <span class="italic">Properties View</span>.
There you can assign the
assurance case module an ID (in the Element Identifier text box), a comment and a name.
The other text boxes need not be filled in;</li>
<p> <img src="./pictures/module-creation.png"></p>
<li> To generate the inter-module connections implied by the away entities, go
to your assurance case in the <span class="italic">Model Elements View</span>, right-click on it and select the
"Generate Module Connections" item from the <span class="italic">Context Menu</span>. Note that if your
assurance case modules contain no away entities, no
relationships between your modules will be generated.</li>
<p> <img src="./pictures/generate-module-connections.png"></p>
</ol>
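<p> As an added illustration of the steps above and of the rules for away entities
described earlier (example code written for this page, not code from ExplicitCase or AF3),
the following Python sketch models modules, public/private nodes and away references,
mirrors the visibility check of the "Connect to Goal/Solution/Context" wizard, and derives
the inter-module relationships that the "Generate Module Connections" step produces.
All class and function names, module and node IDs, and the sample modules are assumptions
constructed for the example.</p>

```python
"""Added example (not ExplicitCase code): a toy model of assurance case
modules, away entities and the 'Generate Module Connections' step.
Class/function names, module ids and node ids are assumptions."""
from typing import Dict, List, Optional, Tuple


class Node:
    def __init__(self, nid: str, kind: str, public: bool = False) -> None:
        self.id, self.kind, self.public = nid, kind, public
        self.ref: Optional[Tuple[str, str]] = None  # (module id, node id) for away entities


class Module:
    def __init__(self, mid: str) -> None:
        self.id = mid
        self.nodes: Dict[str, Node] = {}

    def add(self, nid: str, kind: str, public: bool = False) -> Node:
        self.nodes[nid] = Node(nid, kind, public)
        return self.nodes[nid]


# Which kind an away entity may reference, and which inter-module relationship
# it induces (away goals/solutions: SupportedBy; away context: InContextOf).
AWAY_TARGET = {"AwayGoal": "Goal", "AwaySolution": "Solution", "AwayContext": "Context"}
AWAY_RELATION = {"AwayGoal": "SupportedBy", "AwaySolution": "SupportedBy",
                 "AwayContext": "InContextOf"}


class AwayReferenceError(ValueError):
    pass


def connect_away(modules: Dict[str, Module], mid: str, away_id: str,
                 target_mid: str, target_id: str, make_public: bool = False) -> Tuple[str, str]:
    """Point an away entity at a node in another module, like the wizard:
    the target must be public; make_public=True accepts the wizard's offer
    to flip the target's visibility instead of refusing the reference."""
    away = modules[mid].nodes[away_id]
    if away.kind not in AWAY_TARGET:
        raise AwayReferenceError(f"{away_id} is not an away entity")
    if target_mid == mid:
        raise AwayReferenceError("an away entity must reference another module")
    target = modules[target_mid].nodes[target_id]
    if target.kind != AWAY_TARGET[away.kind]:
        raise AwayReferenceError(f"{away.kind} cannot reference a {target.kind}")
    if not target.public:
        if not make_public:
            raise AwayReferenceError(f"{target_id} is private; reference not made")
        target.public = True
    away.ref = (target_mid, target_id)
    return away.ref


def try_connect(*args, **kwargs) -> Optional[str]:
    """Return the refusal reason, or None if the reference was made."""
    try:
        connect_away(*args, **kwargs)
        return None
    except AwayReferenceError as err:
        return str(err)


def generate_module_connections(modules: Dict[str, Module]) -> List[Tuple[str, str, str]]:
    """'Generate Module Connections': derive (from, relation, to) triples from
    the connected away entities. Modules without away entities get nothing."""
    conns = set()
    for m in modules.values():
        for n in m.nodes.values():
            if n.kind in AWAY_RELATION and n.ref is not None:
                conns.add((m.id, AWAY_RELATION[n.kind], n.ref[0]))
    return sorted(conns)


def build_example() -> Dict[str, Module]:
    """Constructed sample: a system module whose top goal relies on a claim
    and a context that live in a separate crypto module (hypothetical ids)."""
    system, crypto = Module("M_System"), Module("M_Crypto")
    system.add("G1", "Goal", public=True)
    system.add("AG1", "AwayGoal")
    system.add("AC1", "AwayContext")
    crypto.add("G_keys", "Goal", public=True)
    crypto.add("C_algo", "Context")  # private until the wizard flips it
    modules = {system.id: system, crypto.id: crypto}
    connect_away(modules, "M_System", "AG1", "M_Crypto", "G_keys")
    connect_away(modules, "M_System", "AC1", "M_Crypto", "C_algo", make_public=True)
    return modules


if __name__ == "__main__":
    for conn in generate_module_connections(build_example()):
        print(conn)
```

<p> Running the script prints one SupportedBy and one InContextOf connection from
M_System to M_Crypto; a reference to a private node is refused unless the visibility
change is accepted, which is the behaviour the wizard description above calls for.</p>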
<h3>Steps to add argument elements in modules</h3>
<p> Once you are done with specifying the modules of your assurance case,
you can describe the assurance argument structure contained by these
modules by adding argumentation elements.</p>
<ol>
<li> Go to one of your assurance case modules in the <span class="italic">Model Elements View</span> and double-click on
it, so that the editor (a Modeling Diagram) in which you can model the module's argument opens;</li>
<li> To add an argument element,
drag and drop a goal/away goal/strategy/solution/away solution/justification/assumption/context/away context
from the <span class="italic">Model Elements View</span> on the right side onto your diagram;</li>
<p> <img src="./pictures/add-argument-elements.png"></p>
<li> To create relationships between your argument elements,
namely SupportedBy and InContextOf relationships as specified in the
<a href="https://www.goalstructuringnotation.info/">GSN standard</a>,
add exit and entry points to the respective elements and then connect the points with each other.
The tool constrains the user to creating only valid relationships (as described in the standard). </li>
<p> <img src="./pictures/add-relationships.png"></p>
</ol>
<h3> Setting properties of assurance argumentation elements</h3>
<p> Properties of assurance argumentation elements can be set in the
<span class="italic">Properties View</span>. There are two types of
properties: general properties, which can be set for all types of
GSN elements, and specific properties, which can be set only for particular
types of GSN elements. The following properties can be set for any type of GSN node:</p>
<ul>
<li> Name of the GSN element in the <span class="bold">Name</span> text box;</li>
<li> Comment regarding the GSN element in the <span class="bold">Comment</span> text box;</li>
<li> Element identifier of the argumentation element in the <span class="bold">ID</span> text box;</li>
<li> Claim of the GSN element in the <span class="bold">Claim</span>
text box. This text may and should be filled in for all types of GSN
elements, except away entities: you cannot set a claim on an away entity, as it has the
same claim as the assurance argument element it points to;</li>
<li> Add a reference to a document to the GSN element by pressing the <span class="bold">Add document</span> button. A
file browser will open and you can select any file of type
pdf/Word/Excel;</li>
<li> To delete a reference, press the <span class="bold">Remove
document</span> button;</li>
<li> To give some further explanation of the reference to a certain
document, use the <span class="bold">Reference
Explanation</span> text box;</li>
</ul>
<p><img src="./pictures/argument-element-properties.png"></p>
<h3> Setting particular properties of <span class="italic">Away Entities</span></h3>
<p> Away entities act as the interface of argument modules. An away entity references an argument element
in another module. Right-click on the away entity in the Model Navigator View; a <span class="italic">Context Menu</span> will appear.
Click on the
<span class="bold">Connect to Goal/Solution/Context</span>
menu item and a wizard will appear. From the assurance argument elements
listed in the wizard, select the one your away entity should point
to. If the selected node is private, you will be asked whether you want
to change the visibility of the node. If you decline, the reference will not be
made, since only public elements may be referenced by away entities.
In the <span class="italic">Properties View</span>, the
<span class="bold">Referenced module ID</span> text box is automatically filled in with
the ID of the module containing the node referenced by the away entity.
After setting a reference, you can go back to the <span class="italic">Model Navigator View</span>,
right-click on the away entity and select the "Go To Referenced ..." item from
the <span class="italic">Context Menu</span>.</p>
<h3>Setting states of GSN elements</h3>
<p>According to the <a href="https://www.goalstructuringnotation.info/">GSN standard</a>,
an argument element may take different states in the
course of the assurance case development. Right-click on a GSN
element in the <span class="italic">Model Navigator View</span>
to set the following states: <span class="italic">private/public</span>,
<span class="italic">instantiated/uninstantiated</span>,
<span class="italic">developed/undeveloped</span> and <span class="italic">supported by
contract</span>. </p>
<p><img src="./pictures/argument-element-states.png"></p>
<h3>Visual aids</h3>
<p> Different coloring of GSN elements raises the assurance case developer's
awareness of the existence of undeveloped or uninstantiated entities
(see Fig. 5). In addition, contract modules have a distinct coloring in
order to distinguish them from regular argumentation modules. Users are not
allowed to color elements themselves, so that each coloring keeps a fixed
meaning and anyone can easily "read" it.
This is motivated by the fact that the
<a href="https://www.goalstructuringnotation.info/">GSN standard</a>
says that, <span class="italic">In
cases where the elements defined in these sections are used in the
development of instantiations of the patterns to produce individual
assurance arguments, it is important to ensure that they are all
removed, or instantiated, in the final, delivered, version of the
argument</span>. </p>
<figure> <img src="./pictures/argument-element-coloring.png"> <figcaption>
Different coloring for different node properties.</figcaption> </figure>
<h3>Built-in Assurance Case Model Constraints</h3>
<p> Model constraints define semantic conditions that cannot be expressed in
the syntactic structure of a metamodel. Since different stakeholders may
interpret a decomposition differently and the underlying assumptions may be
overlooked, ExplicitCase requires goal decompositions to be documented via
strategies. Therefore, a constraint on the assurance case model enforces
the existence of a strategy node whenever the user wants to connect two
goals. ExplicitCase checks many more constraints to ensure the integrity
of assurance cases (e.g., to prevent the creation of invalid
relationships). For example, another constraint ensuring the integrity of
assurance cases is that only connections permitted by the
<a href="https://www.goalstructuringnotation.info/">GSN standard</a>
can be modeled (e.g., a context node cannot be connected to a
justification node). Avoidance of circular argumentation is another
built-in constraint on the semantic level. </p>
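<p> The following added Python example, written for this page and not taken from
ExplicitCase, shows what such constraint checking amounts to for the GSN elements and
relationships introduced at the top of this page: a permitted-connection table for
SupportedBy and InContextOf (my reading of the GSN standard, so treat it as an
assumption), the ExplicitCase rule that two goals must be connected via a strategy,
detection of circular argumentation, and, tying in with the "Visual aids" section
above, a check that no undeveloped or uninstantiated elements remain in a delivered
argument. Class and function names, node IDs and the sample argument are constructed
for illustration.</p>

```python
"""Added example (not ExplicitCase code): a checker for the model
constraints described on this page. Node kinds, function names and the
sample argument are assumptions made for illustration."""
from typing import Dict, List, Set, Tuple

# Permitted (source kind, target kind) pairs per relationship, as I read the
# GSN standard (assumption). Goal->Goal is permitted by GSN itself;
# ExplicitCase additionally demands a Strategy in between (checked below).
SUPPORTED_BY = {("Goal", "Goal"), ("Goal", "Strategy"),
                ("Goal", "Solution"), ("Strategy", "Goal")}
IN_CONTEXT_OF = {(s, t) for s in ("Goal", "Strategy")
                 for t in ("Context", "Assumption", "Justification")}
PLACEHOLDER_STATES = {"undeveloped", "uninstantiated"}


class Argument:
    """Nodes with a GSN kind and optional states; typed, directed edges."""

    def __init__(self) -> None:
        self.kind: Dict[str, str] = {}
        self.states: Dict[str, Set[str]] = {}
        self.edges: List[Tuple[str, str, str]] = []  # (src, relation, dst)

    def node(self, nid: str, kind: str, *states: str) -> "Argument":
        self.kind[nid] = kind
        self.states[nid] = set(states)
        return self

    def link(self, src: str, relation: str, dst: str) -> "Argument":
        self.edges.append((src, relation, dst))
        return self


def _has_cycle(edges: List[Tuple[str, str]]) -> bool:
    """Three-colour depth-first search over the given directed edges."""
    adj: Dict[str, List[str]] = {}
    for s, d in edges:
        adj.setdefault(s, []).append(d)
    colour: Dict[str, int] = {}  # 1 = on the current path, 2 = finished

    def visit(n: str) -> bool:
        colour[n] = 1
        for m in adj.get(n, []):
            c = colour.get(m, 0)
            if c == 1 or (c == 0 and visit(m)):
                return True
        colour[n] = 2
        return False

    return any(colour.get(n, 0) == 0 and visit(n) for n in list(adj))


def check(arg: Argument, delivered: bool = False) -> List[str]:
    """Return the list of violations (empty means the model passes).
    delivered=True also rejects leftover placeholder states, following the
    GSN guidance quoted in the 'Visual aids' section."""
    problems: List[str] = []
    for src, rel, dst in arg.edges:
        if src not in arg.kind or dst not in arg.kind:
            problems.append(f"{src}->{dst} references an undeclared node")
            continue
        if rel not in ("SupportedBy", "InContextOf"):
            problems.append(f"unknown relationship {rel} on {src}->{dst}")
            continue
        pair = (arg.kind[src], arg.kind[dst])
        allowed = SUPPORTED_BY if rel == "SupportedBy" else IN_CONTEXT_OF
        if pair not in allowed:
            problems.append(f"invalid {rel} {src}->{dst}: {pair[0]} to {pair[1]}")
        elif pair == ("Goal", "Goal"):
            problems.append(f"{src}->{dst}: goal decomposition must go through a Strategy")
    if _has_cycle([(s, d) for s, r, d in arg.edges if r == "SupportedBy"]):
        problems.append("circular argumentation over SupportedBy relationships")
    if delivered:
        for nid, states in arg.states.items():
            for s in sorted(states & PLACEHOLDER_STATES):
                problems.append(f"{nid} is still {s}")
    return problems


def sample_argument() -> Argument:
    """Constructed sample: a well-formed top-level argument (hypothetical ids)."""
    return (Argument()
            .node("G1", "Goal").node("S1", "Strategy").node("G2", "Goal")
            .node("G3", "Goal", "undeveloped").node("Sn1", "Solution")
            .node("C1", "Context").node("J1", "Justification")
            .link("G1", "SupportedBy", "S1").link("S1", "SupportedBy", "G2")
            .link("S1", "SupportedBy", "G3").link("G2", "SupportedBy", "Sn1")
            .link("G1", "InContextOf", "C1").link("S1", "InContextOf", "J1"))


def flawed_argument() -> Argument:
    """The same argument with three violations: a context linked to a
    justification, a goal linked directly to a goal, and a cycle to G1."""
    arg = sample_argument().node("S2", "Strategy")
    arg.link("C1", "InContextOf", "J1")   # not a permitted GSN connection
    arg.link("G2", "SupportedBy", "G3")   # goal to goal without a strategy
    arg.link("G3", "SupportedBy", "S2").link("S2", "SupportedBy", "G1")  # cycle
    return arg


if __name__ == "__main__":
    print(check(sample_argument()), check(sample_argument(), delivered=True))
    print(*check(flawed_argument()), sep="\n")
```

<p> The well-formed sample passes with no violations while it is being developed,
but the same model fails the delivered-argument check because G3 is still
undeveloped; the flawed variant reports the context-to-justification link, the
missing strategy between G2 and G3, and the cycle back to G1.</p>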
<button onclick="topFunction()" id="upBtn" title="Go to top">Top</button>
</div>
<script src="../layout/jsscript/topBtn.js">
</script>
</body>