Newer
Older
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=iso-8859-1">
<title></title>
<style type="text/css">
h1 {
text-decoration: underline;
}
h1, h2, h3, h4 {
color: #336699;
}
span.bold {
font-weight: bold;
}
span.italic {
font-style: italic;
}</style>
</head>
<body>
<h1> ExplicitCase - An Assurance Case Editor in AF3</h1>
<p>AutoFOCUS3 contains an editor, named ExplicitCase, which supports the
construction of modular assurance cases, in compliance with the Goal
Structuring Notation (GSN) standard.</p>
<h2>Support for Assurance Case Creation</h2>
<p> Assurance cases constitute a proven technique to systematically
demonstrate the safety/security/reliability of such systems using existing
information about the system, its environment and development context,
facilitating the bridging of the regulatory gap. Three parts can be
identified as part of an assurance case. First, the <span class="bold">goal</span>
that has to be achieved. Second, the <span class="bold">evidence</span>
for achieving this goal and third, the structured argument constituting
the <span class="bold"> systematic relationship between the goal the
evidence</span>. Assurance cases can be designed in a modular approach,
by subdividing complex assurance cases into interconnected modules of
assurance arguments and evidence.</p>
<h3>What is the Goal Structuring Notation (GSN)? Why shall assurance cases
be satisfied via this notation?</h3>
<p> The Goal Structuring Notation (GSN) is a well-known description
technique for the development of engineering arguments to construct
assurance cases. GSN uses a graphical argument notation to explicitly
document the elements and structure of an argument and the argument's
relationship of this evidence. An argument, based on GSN, may consists of
several elements: <span class="italic">Goals</span> are the claims of an
argument, whereas items of evidences are captured under <span class="italic">Solutions</span>.
When documenting how claims are said to be supported by sub-claims, the <span
class="italic">Strategy</span>-element is used and can be linked to <span
class="italic">Goals</span>. A <span class="italic">Context</span>
element captures and enables citation of information that is relevant to
the argument. Rationale for a strategy can be described by a <span class="italic">Justification</span>
element. GSN provides two types of linkage between elements: <span class="italic">SupportedBy</span>
and <span class="italic">InContextOf</span>. <span class="italic">SupportedBy</span>
relationships indicate inferential or evidential relationships between
elements. <span class="italic">InContextOf</span> relationships declare
contextual relationships. The benefit of having a structured graphical
notation for assurance cases is that it supports the presentation of
assurance cases to non-safety experts in a comprehensive manner.</p>
<h4> GSN-based assurance cases in AF3</h4>
<p> ExplictCase is based on a metamodel derived from the GSN standard and
offers a graphical editor facilitating the model-based development of
assurance cases. An overview of the editor is shown in Fig. 1. The editor
provides complies with the GSN standard, by allowing the user to build
assurance cases via:</p>
<ul>
<li> GSN defined node elements (i.e., Goal, Strategy, Solution,
Assumption, Context, Justification);</li>
<li> GSN defined relationships between node elements (i.e., SupportedBy
and InContextOf);</li>
</ul>
<h3>Steps to create an assurance case for your project</h3>
<ol>
<li> Go to an AF3 project, in the <span class="italic"><span class="bold">Model
Navigator</span></span> view and right-click on it;</li>
<li> Select the <span class="italic"><span class="bold">Assurance
Argumentation Package</span></span> item from the context menu;</li>
<p> <img src="./pictures/SC.2.png"></p>
<li> Go to the newly created <span class="italic"><span class="bold">Assurance
Argumentation Package</span></span>, in the <span class="italic"><span
class="bold">Model Navigator</span></span> view, and right-click on
it;</li>
<li> Select the <span class="italic"><span class="bold">Assurance Case</span></span>
item from the context menu;</li>
<p> <img src="./pictures/SC.3.png"></p>
<li> Go to the newly created <span class="italic"><span class="bold">Assurance
Case</span></span>, in the <span class="italic"><span class="bold">Model
Navigator</span></span> view, and double-click on it, so that the
editor (a <span class="italic"><span class="bold">Modeling Diagram</span></span>)
in which you can model the assurance case appears.</li>
<p> <img src="./pictures/SC.4.png"></p>
</ol>
<h3>Steps to add argumentation nodes</h3>
<ol>
<li> Go to one of your assurance case modules from the <span class="italic"><span
class="bold">Model Elements</span></span> view and double-click on
it, so that the editor (a <span class="italic"><span class="bold">Modeling
Diagram</span></span>) in which you can model the assurance case
module appears;</li>
<li> To add an <span class="italic"><span class="bold">Argumentation Node</span></span>,
drag and drop a <span class="italic"><span class="bold">Goal/Away Goal</span></span>
<span class="italic"><span class="bold">/Strategy/Solution/Away
Solution/Optional Entity/Strategy</span></span> <span class="italic">
<span class="bold">/Justification/Assumption/Context/Away Context</span></span>
from the <span class="italic"><span class="bold">Model Elements</span></span>
view on the right side to your diagram; <span class="bold">Note</span>:
To move an argumentation node, just pick the module somewhere in the
middle and move. To resize it, pick it in the lower right corner and
move the mouse to resize.</li>
<p> <img src="./pictures/SC.7x.png"></p>
<li> In order to create relationships between your argumentation nodes,
namely <span class="italic"><span class="bold">SupportedBy</span></span>
and <span class="italic"> <span class="bold">InContextOf</span></span>
relationships, as specified in the <span class="bold">GSN</span>
standard, press the <span class="bold">alt-Key</span> (<span class="bold">ctrl-Key</span>
under Linux) on your keyboard and drag the relationship from one
argument element to another. Invalid relationships (e.g., between a
solution and a context) are avoided by disabling the dragging.</li>
<p> <img src="./pictures/SC.8.png"></p>
</ol>
<h3> Setting properties of assurance argumentation nodes</h3>
<p> Properties of assurance argumentation nodes can be set in the <span class="italic"><span
class="bold">Properties</span></span> view. There are two types of
properties, namely general properties, which may be set to all types of
GSN nodes and specific properties, which may be set only to particular
types of GSN nodes. The following properties are properties to be set to
any type of GSN node:</p>
<ol>
<li> Name of the GSN node in the <span class="italic"><span class="bold">Name</span></span>
text box;</li>
<li> Comment regarding the GSN node in the <span class="italic"><span class="bold">Comment</span></span>
text box;</li>
<li> ID of the argumentation node in the <span class="italic"><span class="bold">Element
identifier</span></span> text box;</li>
<li> Claim of the GSN node in the <span class="italic"><span class="bold">Comment</span></span>
text box. This text may and should be filled in for all types of GSN
nodes, except for <span class="italic">solution</span> nodes.
Furthermore, you cannot set claims to away entities, as they have the
same claim as the assurance argument element the point to.;</li>
<li> Add a reference to a document to the GSN node by pressing the <span
class="italic"><span class="bold">Add document</span></span> button. A
file browser will open and you can select any file of type
pdf/Word/Excel;</li>
<li> To delete a reference, press the <span class="italic"><span class="bold">Remove
document</span></span> button;</li>
<li> To give some further explanation of the reference to a certain
document, use the <span class="italic"><span class="bold">Reference
Explanation</span></span> text box;</li>
</ol>
<p><img src="./pictures/sc_document_ref.png"></p>
<h4> Setting properties of <span class="italic">SupportedBy</span> and <span
class="italic">InContextOf</span> relationships</h4>
<ol>
<li> As you create an assurance case pattern, you can assign a
multiplicity to a relationship, by writing any number higher than 0 in
the <span class="italic">Multiplicity</span> text box. You can give a
short explanation of the multiplicity in the corresponding text box;</li>
<li> Mark the relationship as <span class="italic">Optional</span>, by
checking the corresponding check button.</li>
<li> For SupportedBy relationships, set the relevance, support and
strength levels of your relationships by selecting from the drop-down
lists.</li>
<p> <img src="./pictures/sc_connection_prop.png"></p>
</ol>
<h4> Setting properties of <span class="italic">Option Entities</span></h4>
<ol>
<li>You can select the assurance argument elements you want to keep for
your assurance argumentation structure, by right-clicking on the option
entity node, and selecting the <span class="italic"><span class="bold">Make
a choice</span></span> context menu element. A wizard will appear in
order to select from the optional elements. </li>
<p> <img src="./pictures/sc_option_entity.png"></p>
<li>You can write down in the <span class="italic"><span class="bold">The
minimum required</span></span> text box from the <span class="italic"><span
class="bold">Properties</span></span> view, the minimum number of
assurance argument elements that should be selected to be kept in your
assurance argumentation structure.</li>
<p> <img src="./pictures/sc_option_prop.png" width="454" height="574"></p>
</ol>
<h4> Setting particular properties of <span class="italic">Goals</span></h4>
<ol>
<li> Scope a goal to a particular AF3 logical component by pressing the <span
class="italic">Add scope</span> button;</li>
<li> Remove the scope of a goal to a particular AF3 logical component by
pressing the <span class="italic">Delete scope</span> button;</li>
</ol>
<img src="./pictures/sc_goal_scope.png" width="400" height="500">
<p></p>
<h4> Setting particular properties of <span class="italic">Away Entities</span></h4>
<p> Right-click on the away entity. A context menu will appear. Click on the
<span class="italic"><span class="bold">Connect 2 Goal/Solution/Context</span></span>
menu item A wizard will appear. Select from the assurance argument nodes
that appear in the wizard, one to which you want your away entity to point
to. If the selected node was set as private, you will be asked if you want
to change the visibility of the node. If not, the reference will not be
done. Only public nodes may be referenced by away entities. In the <span
class="italic"><span class="bold">Properties</span></span> view, in the
<span class="italic"><span class="bold">Referenced module ID</span></span>
the ID of the module containing the node referenced by the away entity
node is automatically filled in.</p>
<p> </p>
<p> <img src="./pictures/sc_away.png" width="300" height="500"></p>
<h4>Setting states to GSN nodes</h4>
<p>According to the GSN standard, a node may take different states in the
course of the assurance case development. One may right-click on a GSN
node and select the following states: private/public,
instantiated/uninstantiated, developed/undeveloped and supported by
contact. </p>
<p><img src="./pictures/sc_gsn_node_states.png"></p>
<h2>Tool-based Support for Handling Large Arguments</h2>
<h3> What are modular assurance cases? Why shall assurance cases be modular?</h3>
<p> One way of designing assurance cases is by following the modular
approach. In GSN, an assurance case module contains the objectives,
evidence, argument and context associated with one aspect of the assurance
case. In addition to the GSN argument elements presented in the previous
paragraph, a module may contain away entities such as <span class="italic">away
goals</span>, <span class="italic">away solutions</span> and <span class="italic">away
context</span> elements. Away entities are references to the goal,
solution or context in another module. Away goals cannot be
(hierarchically) decomposed and further supported by sub-entities within
the current module; rather, decomposition needs to occur within the
referenced module. Inter-modular relationships are of two types: namely <span
class="italic"> supported by</span> and <span class="italic">in context
of</span> relationships. A supported by relationship denotes that
support for the claim presented by the away goal or away solution in one
module is intended to be provided from an argument in another module. When
there is an away context element in a module, that module is connected to
another module by an in context of relationship; relationship that
indicates that the context of a certain claim will be presented in details
in another module.</p>
<p>Modularity of assurance cases has various advantages, namely:</p>
<ul>
<li> Separation of concerns, as modules usually correspond to sub-systems;</li>
<li> Improved comprehensibility;</li>
<li> Minimization of the impact of required changes to an assurance case;</li>
</ul>
<h3>Modular assurance cases in AutoFOCUS3</h3>
<p> ExplicitCase enables the user to model an assurance case containing
several modules which are connected to each other through intra-module
connections (see Fig. 4). Each such module contains an assurance
argumentation structure, build up by GSN-defined elements specific to
modularity in assurance cases (i.e., Away Goals, Optional Entities, Away
Solutions, Away Contexts, Contracts) connected to each other by
GSN-defined relationships. Each argumentation node within a module has a
public indicator, which determines whether the element may be referenced
in another module, or not.</p>
<figure> <img src="./pictures/sc_modules.png"> <figcaption>Fig. 4 -
Assurance case modules.</figcaption> </figure>
<h3> Steps to create an assurance case module</h3>
<p> </p>
<ol>
<li> After creating your assurance case, you can now specify the contained
assurance case modules. To add an assurance case module (called <span class="italic"><span
class="bold">Argument Module</span></span> in AF3), drag and drop an
<span class="bold"><span class="italic">Argument Module</span></span>
from the <span class="italic"><span class="bold">Model Elements</span></span>
view on the right side to your diagram; <span class="bold">Note</span>:
To move a module, just pick the module somewhere in the middle and move.
To re-size it, pick it in the lower right corner and move the mouse to
re-size.</li>
<li> To specify properties of the module, go to the <span class="italic"><span
class="bold">Properties</span></span> view. There you can assign the
assurance case module an id (in the <span class="italic"><span class="bold">Element
Identifier</span></span> text box). All other text box may not be
filled in;</li>
<p> <img src="./pictures/sc_module_creation.png" width="600" height="500"></p>
<li> To generate intra-module connections, based on the away entities, go
to your assurance case, in the <span class="italic"><span class="bold">Model
Elements</span></span> view and right-click on it. Select the <span
class="italic"><span class="bold">Generate Module Connections</span></span>
item from the context menu. Do consider that, if you do not have any
away entities in your assurance case modules, you will not have any
relationship between your modules.</li>
<p> <img src="./pictures/SC.6.png"></p>
</ol>
<p> </p>
<h3> Steps to specify the contained elements of an assurance case module</h3>
<p> Once you are done with specifying the modules of your assurance case,
you can describe the assurance argument structure contained by these
modules by adding argumentation nodes.</p>
<p> Here is an example of the assurance argumentation structure an assurance
case module modeled in AF3:</p>
<p> <img src="./pictures/SC.24.png"></p>
<h2>Visual aids</h2>
<p> Different coloring of GSN elements raises the assurance case developer's
awareness about the existence of undeveloped or uninstantiated entities
(see Fig. 5). In addition, contract modules have a distinct coloring in
order to distinguish them from regular argumentation modules. We do not
allow users to color nodes by themselves, in order to keep a certain
meaning of each coloring so that anyone can easily "read" the coloring.
This is motivated, by the fact that the GSN Standard says that, <span class="italic">In
cases where the elements defined in these sections are used in the
development of instantiations of the patterns to produce individual
assurance arguments, it is important to ensure that they are all
removed, or instantiated, in the final, delivered, version of the
argument</span>. </p>
<figure> <img src="./pictures/sc_coloring.png"> <figcaption>Fig. 5 -
Different coloring for different node properties.</figcaption> </figure>
</body>
</html>