Commit 84628d19 authored by Alexander Diewald

Fix reference to export images

parent 086425ea
1 merge request: !5 The documentation of the exporter added
......@@ -43,7 +43,7 @@ refactoring.html cdfd1f78f6cb543ad3643eecf8f7c5f5130fe9b6 RED
refinement.html da2696e355081a2c1f4baac4629b9e2dd621a9d4 RED
refinement_testing.html 3c1ba760015bf4d12bad1567d65d913255416437 RED
safety.html 5f7d5b677b31bc916ec2c62d82b44502c0705a2d RED
safety_cases.html b46e5b538193672f94633e629cbcbee4dcf858fb YELLOW
safety_cases.html 50f3f6f97c8fa23f1790924333897ce1d0073e96 YELLOW
scheduling.html 94646464662c1745795ab1954dfcc5f469fdaee7 RED
simulation_with_af3.html 36223384af0af325642fe1dce007aecafa62843f RED
state_automaton.html 5850977b2e0f2b760e15340ee8eca319ec16c71f RED
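Review bot: The `safety_cases.html` entry gets a new content hash while its rating stays YELLOW, and nothing here shows whether the rating was re-assessed or only the hash refreshed. The large HTML hunk in this commit (`@@ -15,581 +17,604 @@`) covers almost the whole document, which is much wider than the "Fix reference to export images" title suggests. If the rating is meant to reflect a review of the current content, note in the commit message that the file was re-reviewed at YELLOW, or split the hash update from the content change so the two can be checked separately.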
......
<meta content="text/html; charset=iso-8859-1" http-equiv="Content-Type" />
<title></title>
<style type="text/css">
<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=iso-8859-1">
<title></title>
<style type="text/css">
h1 {
text-decoration: underline;
}
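Review bot: `<title></title>` is left empty in the header variant that opens `<html>` and `<head>`, so the page has no title in browser tabs or help indexes; give it one matching the `<h1>` text ("ExplicitCase - An Assurance Case Editor in AF3"). The `<head>` opened here is also never closed in the visible lines: in the next hunk `}</style>` is followed directly by `<h1>`, so add `</head>` and `<body>` after the style block, with matching closing tags at the end of the file. The header declares `charset=iso-8859-1`; confirm this matches the encoding the file is actually saved in.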
......@@ -15,581 +17,604 @@ font-weight: bold;
span.italic {
font-style: italic;
}</style>
<h1>
ExplicitCase - An Assurance Case Editor in AF3</h1>
<p>AutoFOCUS3 contains an editor, named ExplicitCase, which supports the construction of modular assurance cases,
in compliance with the Goal Structuring Notation (GSN) standard.</p>
<h2>
Feature 1: Assurance Case Editing.</h2>
<p>
Assurance cases constitute a proven technique to systematically demonstrate the safety/security/reliability of such systems using existing information about
the system, its environment and development context, facilitating the bridging of the regulatory gap. Three parts can be identified as
part of an assurance case. First, the <span class="bold">goal</span> that has to be achieved. Second, the
<span class="bold">evidence</span> for achieving this goal and third, the structured argument constituting the <span class="bold">
systematic relationship between the goal the evidence</span>. Assurance cases can be designed in a modular approach, by subdividing complex
assurance cases into interconnected modules of assurance arguments and evidence.</p>
<h3>What is the Goal Structuring Notation (GSN)? Why shall assurance cases be satisfied via this notation?</h3>
<p>
The Goal Structuring Notation (GSN) is a well-known description technique for the development of engineering arguments to construct
assurance cases. GSN uses a graphical argument notation to explicitly document the elements and structure of an argument and the
argument's relationship of this evidence. An argument, based on GSN, may consists of several elements:
<span class="italic">Goals</span> are the claims of an argument, whereas items of evidences are captured under
<span class="italic">Solutions</span>. When documenting how claims are said to be supported by sub-claims,
the <span class="italic">Strategy</span>-element is used and can be linked to <span class="italic">Goals</span>.
A <span class="italic">Context</span> element captures and enables citation of information that is relevant to the argument.
Rationale for a strategy can be described by a <span class="italic">Justification</span> element. GSN provides two types of linkage between
elements: <span class="italic">SupportedBy</span> and <span class="italic">InContextOf</span>. <span class="italic">SupportedBy</span>
relationships indicate inferential or evidential relationships between elements. <span class="italic">InContextOf</span> relationships
declare contextual relationships. The benefit of having a structured graphical notation for assurance cases is that it supports the presentation
of assurance cases to non-safety experts in a comprehensive manner.</p>
<h4> GSN-based assurance cases in AF3</h4>
<p> ExplictCase is based on a metamodel derived from the GSN standard and offers a graphical editor facilitating the model-based development of
assurance cases. An overview of the editor is shown in Fig. 1. The editor provides complies with the GSN standard, by allowing the user to build assurance cases via:</p>
<ul>
<li> GSN defined node elements (i.e., Goal, Strategy, Solution, Assumption, Context, Justification);</li>
<li> GSN defined relationships between node elements (i.e., SupportedBy and InContextOf);</li>
</ul>
<figure>
<img src="./pictures/sc_gsn_basic.png">
<figcaption>Fig. 1 - GSN compliance.</figcaption>
</figure>
<h2>Feature 2: Hyperlinking</h2>
<p> There are several types of hyperlinking offered by ExplicitCase. First, we distinguish between hyperlinking words in claims and linking an entire GSN node
to another artifact. Second, hyperlinks can link the assurance case with external documents containing assurance reports, analysis or verification results or even
system models (see Fig. 2). AF3 provides the "native" internal system models that may be linked to elements of assurance cases
modeled in ExplicitCase. The novelty of our hyperlinking system lays in the fact that words in claims or GSN nodes are deeply integrated with the system artifacts created
by the user in the AF3 model-based development tool. The user may link words in claims, or entire GSN nodes to AF3 artifacts from different phases of the (safety) assurance process
(e.g., <span class="italic">requirement and <span class="italic">deployment models), as well as implementation (e.g., <span class="italic">generated code), and verification artifacts
(e.g., <span class="italic">simulation, <span class="italic">formal verification or <span class="italic">testing results). </span></span></span></span></span></span></p>
<figure>
<img src="./pictures/sc_hyperlinks.png">
<figcaption>Fig. 2 - Linking GSN nodes with AF3 and external artifacts.</figcaption>
</figure>
<h2>Feature 3: Reference to external documents</h2>
<p> Since the most common approach for describing safety assurance cases in the industry is free text, the user can add to any modeled GSN node a reference to
the document in which further explanation of the claim in the node may be found. Furthermore, the user can add a string, which depicts a reference
to the paragraph from the referenced document in which the node is explained in detail (see Fig. 3). This feature is motivated by the fact that
pure graphical notation can demonstrate links between argument sections and differentiate between different types of argument components,
but without narrative there is no "meat" against which the soundness of the argument may be judged. </p>
<figure>
<img src="./pictures/sc_document_ref.png">
<figcaption>Fig. 3 - Reference to an external document.</figcaption>
</figure>
<h2>Feature 4: Tool-based Support for Handling Large Arguments</h2>
<h3>
What are modular assurance cases? Why shall assurance cases be modular?</h3>
<p>
One way of designing assurance cases is by following the modular approach. In GSN, an assurance case module contains the objectives,
evidence, argument and context associated with one aspect of the assurance case. In addition to the GSN argument elements presented in
the previous paragraph, a module may contain away entities such as <span class="italic">away goals</span>, <span class="italic">away
solutions</span> and <span class="italic">away context</span> elements. Away entities are references to the goal, solution or context
in another module. Away goals cannot be (hierarchically) decomposed and further supported by sub-entities within the current module;
rather, decomposition needs to occur within the referenced module. Inter-modular relationships are of two types: namely <span class="italic">
supported by</span> and <span class="italic">in context of</span> relationships. A supported by relationship denotes that support for the
claim presented by the away goal or away solution in one module is intended to be provided from an argument in another module. When there
is an away context element in a module, that module is connected to another module by an in context of relationship; relationship that
indicates that the context of a certain claim will be presented in details in another module.</p>
<p>Modularity of assurance cases has various advantages, namely:</p>
<ul>
<li> Separation of concerns, as modules usually correspond to sub-systems;</li>
<li> Improved comprehensibility;</li>
<li> Minimization of the impact of required changes to an assurance case;</li>
</ul>
<h3>Modular assurance cases in AutoFOCUS3</h3>
<p>
ExplicitCase enables the user to model an assurance case containing several modules which are connected to each
other through intra-module connections (see Fig. 4). Each such module contains an assurance argumentation structure, build up by GSN-defined elements
specific to modularity in assurance cases (i.e., Away Goals, Optional Entities, Away Solutions, Away Contexts, Contracts) connected to each
other by GSN-defined relationships. Each argumentation node within a module has a public indicator, which determines whether the element
may be referenced in another module, or not.</p>
<figure>
<img src="./pictures/sc_modules.png">
<figcaption>Fig. 4 - Assurance case modules.</figcaption>
</figure>
<h2>Feature 5: Visual aids</h2>
<p> Different coloring of GSN elements raises the assurance case developer's awareness about the existence of undeveloped or
uninstantiated entities (see Fig. 5). In addition, contract modules have a distinct coloring in order to distinguish them
from regular argumentation modules. We do not allow users to color nodes by themselves, in order to
keep a certain meaning of each coloring so that anyone can easily "read" the coloring. This is motivated, by the fact that the GSN Standard says that,
<span class="italic">In cases where the elements defined in these sections are used in the development of instantiations of the patterns to produce individual assurance arguments,
it is important to ensure that they are all removed, or instantiated, in the final, delivered, version of the argument</span>. </p>
<figure>
<img src="./pictures/sc_coloring.png">
<figcaption>Fig. 5 - Different coloring for different node properties.</figcaption>
</figure>
<h2>Feature 6: Built-in Assurance Case Model Constraints.</h2>
<p> Model constraints define semantic conditions that cannot be defined in the syntactic structure of a metamodel. Since different stakeholders
may have different interpretations and the underlying assumptions may be overlooked, ExplicitCase requires to document goal decompositions via
strategies. Therefore, a constraint on the assurance case model enforces the existence of a strategy node whenever the user wants to connect two goals.
ExplicitCase checks many more constraints to ensure the integrity of assurance cases (e.g., to prevent the creation of invalid relationships).
For example, another constraint to ensure the integrity of assurance cases is that only GSN connections permitted by the GSN standard can be modeled
(e.g., a context node cannot be connected to a justification node). Avoidance of circular argumentation is another built-in constraint on the semantic level. </p>
<h2>Feature 7: Status Notifications</h2>
<p> ExplicitCase offers on-the-fly checks of arbitrary complexity. We define two types of notifications: warnings and errors. Errors
signal missing or erroneous information, whereas warnings indicate assurance case nodes that need to be given further consideration.
The type of notifications to be get may be manually selected by the user. For example, an error is signaled when a goal is changed and
the supporting solution should be reconsider (see Fig. 6). Warnings are, for instance, raised for option entities that cannot be
left in the final version of the assurance case, but must be appropriately resolved (see Fig. 7).</p>
<figure>
<img src="./pictures/sc_error.png">
<figcaption>Fig. 6 - Error reports in ExplicitCase.</figcaption>
</figure>
<figure>
<img src="./pictures/sc_warning.png">
<figcaption>Fig. 7 - Warning reports in ExplicitCase.</figcaption>
</figure>
<h2>
Feature 8: Maintenance</h2>
<p> Throughout the operational life of any system, changing regulatory requirements, additional assurance evidence and a changing design can
challenge the corresponding assurance case. In order to maintain an accurate account of the assurance of the system, all such challenges must
be assessed for their impact on the original assurance argument.</p>
<h3>Why do we need maintenance? </h3>
<p>An assurance case consists of many inter-dependent parts: requirements, argument, evidence, design and process information. As a result,
a single change to an assurance case may necessitate many other consequential changes - creating a 'ripple effect'. It is significant to recognize
the importance of every challenge to an assurance case. Furthermore, the indirect impact is crucial and one of the biggest challenges.
Any of these challenges imply re-certification and by extension re-generation of the assurance case of a system. The construction
and maintenance of assurance case arguments is expensive and tedious, as it is mainly a manual process that requires a considerable amount of time.
Therefore, offering safety engineers tool-supported re-evaluation is a big step forward.</p>
<h3>What is the algorithm for maintenance? </h3>
<p>The maintenance algorithm includes the handling of challenges regarding the following different argument elements.</p>
<ul>
<li>
<p>If the challenged item is a Goal, it challenges its relationship to both the parent Goal and to the supporting evidence provided. It also challenges the solutions that support the Goal.</p>
</li>
<li>
<p>If the challenged item is a Solution, it challenges its role as a solution to all goals relying upon it through the SupportedBy relationship.</p>
</li>
<li>
<p>If the challenged item is a Context, it challenges the relationship with all goals previously expressed in the context of that item using the
InContextOf relationship. More specifically, changing a Context challenges all goals, strategies and solutions that introduce this Context. In addition, it challenges all goals, strategies and solutions which inherit this Context.</p>
</li>
</ul>
<h3>Potential vs. actual change effect</h3>
<p>The rules described above constitute the potential change effect and not necessarily the actual change. There is a significant difference between actual and potential change. The nodes to which the impact of the challenge in a connected GSN
node propagates are called impacted nodes. The potential change includes further analysis of the possible effects on the
rest of GSN nodes after one element is challenged. A safety engineer has to review all the potential challenges and decide upon them. ExplicitCase implements as a starting point, the potential change effect.</p>
<h3>Assurance Case maintenance in ExplicitCase</h3>
<p> The assurance case maintenance in ExplicitCase requires the participation of different entities and stakeholders (see Fig. 8). The system modeling is done by the system engineer and the GSN modeling of the assurance cases by the safety engineer. The safety engineer
has also responsibilities such as hyperlinking GSN with System Models and annotating GSN assurance cases with maintainability information. ExplicitCase recognizes challenges to validity of GSN assurance cases and identifies the impact of a GSN node challenge.
Finally, the safety engineer gives input to the system engineer regarding the reasons why, after a change in one system model element, other system model elements, should be reviewed.</p>
<figure>
<img src="./pictures/MaintenanceExplicitCase.PNG" />
<figcaption>Fig. 8 - Stakeholders in ExplicitCase.</figcaption>
</figure>
<h3>Steps to maintenance in ExplicitCase</h3>
<ol>
<li>
Follow the steps in the section <span class="italic"><span class="bold">"Steps to specify the contained elements of a assurance case module"</span></span> and build an assurance case module;
</li>
<p> <img src="./pictures/Maintenance1.PNG" /></p>
<li>
Select the Solution Argument Element and right-click on it. Click 'Is Challenged';
</li>
<p> <img src="./pictures/Maintenance2.PNG" /></p>
<li>
The challenged solution has changed its color to red;
</li>
<p> <img src="./pictures/Maintenance3.PNG" /></p>
<li>
Right-click again on the challenged solution. Click 'Show potential change impact';
</li>
<p> <img src="./pictures/Maintenance4.PNG" /></p>
<li>
The potentially impacted argument elements, by the challenged solution, have turned their color to yellow;
</li>
<p> <img src="./pictures/Maintenance5.PNG" /></p>
</ol>
<h2>
Feature 9: Exporter</h2>
<p>
GSN diagrams do not model the entire assurance case and,
as such, they do not replace all the documents within an
assurance case. Instead, they represent an abstract overview
of the argumentation and are included in other documents.
Therefore, there is a need to export the GSN diagrams created
in ExplicitCase into a format so that they can be easily
integrated in text-based documents as figures.
</p>
<h3>Steps to export assurance cases in ExplicitCase</h3>
<p>
ExplicitCase offers the option to export a GSN-based diagram in three different formats: SVG, PNG, PDF. To do that, the user shall follow the following steps:
</p>
<ol>
<li>
Go to any assurance case module and open the editor;
</li>
<li>
Right-click anywhere in the editor. Click 'Export Module Diagram ...';
</li>
<p> <img src="./pictures/Export1.PNG" /></p>
<li>
In the first dialogue, choose the preferred format;
</li>
<p> <img src="./pictures/Export2.PNG" /></p>
<li>
In the second dialogue, confirm the preferred format and choose the destination of the exported file;
</li>
<p> <img src="./pictures/Export3.PNG" /></p>
</ol>
</p>
<h3>Explanation of the colors</h3>
<p>
<p>
The following legend explains the different colors used in the exported document.
</p>
<p> <img src="./pictures/Export4.PNG" /></p>
<h2>Assurance Case Patterns</h2>
<p> Apart from the aforementioned features, ExplicitCase enables its users to create assurance case patterns store them in an AF3 library. However, this feature is
currently under construction.</p>
<h1>
Steps to create an assurance case for your project</h1>
<ol>
<li>
Go to an AF3 project, in the <span class="italic"><span class="bold">Model Navigator</span></span> view and right-click on it;</li>
<li>
Select the <span class="italic"><span class="bold">Assurance Argumentation Package</span></span> item from the context menu;</li>
<p>
<img src="./pictures/SC.2.png" /></p>
<li>
Go to the newly created <span class="italic"><span class="bold">Assurance Argumentation Package</span></span>, in the <span class="italic"><span class="bold">Model Navigator</span></span> view, and right-click on it;</li>
<li>
Select the <span class="italic"><span class="bold">Assurance Case</span></span> item from the context menu;</li>
<p>
<img src="./pictures/SC.3.png" /></p>
<li>
Go to the newly created <span class="italic"><span class="bold">Assurance Case</span></span>, in the <span class="italic"><span class="bold">Model Navigator</span></span> view, and double-click on it, so that the editor (a <span class="italic"><span class="bold">Modeling Diagram</span></span>) in which you can model the assurance case appears.</li>
<p> <img src="./pictures/SC.4.png" /></p>
</ol>
<h2>
Steps to create an assurance case module</h2>
<p>
<ol>
<li>
After creating your assurance case, you can now specify the contained assurance case modules. To add an assurance case module
(called <span class="italic"><span class="bold">Argument Module</span></span> in AF3), drag and drop an
<span class="bold"><span class="italic">Argument Module</span></span> from the
<span class="italic"><span class="bold">Model Elements</span></span> view on the right side to your diagram;
<span class="bold">Note</span>: To move a module, just pick the module somewhere in the middle and move.
To re-size it, pick it in the lower right corner and move the mouse to re-size.</li>
<li>
To specify properties of the module, go to the <span class="italic"><span class="bold">Properties</span></span> view.
There you can assign the assurance case module an id (in the <span class="italic"><span class="bold">Element Identifier</span></span>
text box). All other text box may not be filled in;</li>
<p>
<img src="./pictures/sc_module_creation.png" width="600" height="500"/></p>
<li>
To generate intra-module connections, based on the away entities, go to your assurance case,
in the <span class="italic"><span class="bold">Model Elements</span></span> view and right-click on it.
Select the <span class="italic"><span class="bold">Generate Module Connections</span></span> item from the context menu.
Do consider that, if you do not have any away entities in your assurance case modules, you will not have any relationship
between your modules.</li>
<p>
<img src="./pictures/SC.6.png" /></p>
</ol>
<p>
&nbsp;</p>
<h2>
Steps to specify the contained elements of an assurance case module</h2>
<p>
Once you are done with specifying the modules of your assurance case, you can describe the assurance argument structure contained by these modules as such:</p>
<ol>
<li>
Go to one of your assurance case modules from the <span class="italic"><span class="bold">Model Elements</span></span> view and double-click on it, so that the editor (a <span class="italic"><span class="bold">Modeling Diagram</span></span>) in which you can model the assurance case module appears;</li>
<li>
To add an <span class="italic"><span class="bold">Argumentation Node</span></span>, drag and drop a <span class="italic"><span class="bold">Goal/Away Goal</span></span>
<span class="italic"><span class="bold">/Strategy/Solution/Away Solution/Optional Entity/Strategy</span></span> <span class="italic">
<span class="bold">/Justification/Assumption/Context/Away Context</span></span> from the <span class="italic"><span class="bold">Model Elements</span></span> view on the right
side to your diagram; <span class="bold">Note</span>: To move an argumentation node, just pick the module somewhere in the middle and move. To resize it, pick it in the lower
right corner and move the mouse to resize.</li>
<p>
<img src="./pictures/SC.7x.png" /></p>
<li>
In order to create relationships between your argumentation nodes, namely <span class="italic"><span class="bold">SupportedBy</span></span> and <span class="italic">
<span class="bold">InContextOf</span></span> relationships, as specified in the <span class="bold">GSN</span> standard, press the <span class="bold">alt-Key</span>
(<span class="bold">ctrl-Key</span> under Linux) on your keyboard and drag the relationship from one argument element to another. Invalid relationships (e.g., between a
solution and a context) are avoided by disabling the dragging.</li>
<p>
<img src="./pictures/SC.8.png" /></p>
</ol>
<p>
Here is an example of the assurance argumentation structure an assurance case module modeled in AF3:</p>
<p>
<img src="./pictures/SC.24.png" /></p>
<h3>
Setting properties of assurance argumentation nodes</h3>
<p>
Properties of assurance argumentation nodes can be set in the <span class="italic"><span class="bold">Properties</span></span> view. There are two types of properties, namely general
properties, which may be set to all types of GSN nodes and specific properties, which may be set only to particular types of GSN nodes. The following properties are properties
to be set to any type of GSN node:</p>
<ol>
<li>
Name of the GSN node in the <span class="italic"><span class="bold">Name</span></span> text box;</li>
<li>
Comment regarding the GSN node in the <span class="italic"><span class="bold">Comment</span></span> text box;</li>
<li>
ID of the argumentation node in the <span class="italic"><span class="bold">Element identifier</span></span> text box;</li>
<li>
Claim of the GSN node in the <span class="italic"><span class="bold">Comment</span></span> text box. This text may and should be filled in for all types of GSN nodes, except for
<span class="italic">solution</span> nodes. Furthermore, you cannot set claims to away entities, as they have the same claim as the assurance argument element the point to.;</li>
<li>
Add a reference to a document to the GSN node by pressing the <span class="italic"><span class="bold">Add document</span></span> button.
A file browser will open and you can select any file of type pdf/Word/Excel;</li>
<li>
To delete a reference, press the <span class="italic"><span class="bold">Remove document</span></span> button;</li>
<li>
To give some further explanation of the reference to a certain document, use the <span class="italic"><span class="bold">Reference Explanation</span></span> text box;</li>
</ol>
<p><img src="./pictures/sc_document_ref.png" /></p>
<h4>
Setting properties of <span class="italic">SupportedBy</span> and <span class="italic">InContextOf</span> relationships</h4>
<ol>
<li>
As you create an assurance case pattern, you can assign a multiplicity to a relationship, by writing any number higher than 0 in the <span class="italic">Multiplicity</span> text box.
You can give a short explanation of the multiplicity in the corresponding text box;</li>
<li>
Mark the relationship as <span class="italic">Optional</span>, by checking the corresponding check button.</li>
<li>
For SupportedBy relationships, set the relevance, support and strength levels of your relationships by selecting from the drop-down lists.</li>
<p>
<img src="./pictures/sc_connection_prop.png" /></p>
</ol>
<h4>
Setting properties of <span class="italic">Option Entities</span></h4>
<ol>
<li>You can select the assurance argument elements you want to keep for your assurance argumentation structure,
by right-clicking on the option entity node, and selecting the
<span class="italic"><span class="bold">Make a choice</span></span> context menu element.
A wizard will appear in order to select from the optional elements.
</li>
<p> <img src="./pictures/sc_option_entity.png" /></p>
<li>You can write down in the <span class="italic"><span class="bold">The minimum required</span></span> text box from the
<span class="italic"><span class="bold">Properties</span></span> view, the minimum number of assurance argument
elements that should be selected to be kept in your assurance argumentation structure.</li>
<p>
<img src="./pictures/sc_option_prop.png" width="454" height="574"/></p>
</ol>
<h4>
Setting particular properties of <span class="italic">Goals</span></h4>
<ol>
<li>
Scope a goal to a particular AF3 logical component by pressing the <span class="italic">Add scope</span> button;</li>
<li>
Remove the scope of a goal to a particular AF3 logical component by pressing the <span class="italic">Delete scope</span> button;</li>
</ol>
<img src="./pictures/sc_goal_scope.png" width="400" height="500"/></p>
<h4>
Setting particular properties of <span class="italic">Away Entities</span></h4>
<p> Right-click on the away entity. A context menu will appear. Click on the <span class="italic"><span class="bold">Connect 2 Goal/Solution/Context</span></span>
menu item A wizard will appear. Select from the assurance argument nodes that appear in the wizard, one to which you want your away entity to point to.
If the selected node was set as private, you will be asked if you want to change the visibility of the node. If not, the reference will not be done.
Only public nodes may be referenced by away entities. In the <span class="italic"><span class="bold">Properties</span></span> view, in the
<span class="italic"><span class="bold">Referenced module ID</span></span> the ID of the module
containing the node referenced by the away entity node is automatically filled in.<p>
<p>
<img src="./pictures/sc_away.png" width="300" height="500"/></p>
<h2>Setting states to GSN nodes</h2>
<p>According to the GSN standard, a node may take different states in the course of the assurance case development. One may right-click on a GSN node and select the
following states: private/public, instantiated/uninstantiated,
developed/undeveloped and supported by contact. </p>
<p><img src="./pictures/sc_gsn_node_states.png" /></p>
<h2>
Hyperlinking <span class="italic">Goal</span> nodes</h2>
<p> Connect a goal to a modeled assurance requirement from the <span class="italic"><span class="bold">Requirements Analysis</span></span> of the project,
by right-click on the goal node, and pressing the <span class="italic"><span class="bold">Connect 2 Requirement</span></span> element from the context menu
that will appear after right-clicking. When connecting a goal to a requirement, the name and the claim of
the goal will be the same as the name and the description of the requirement. To go directly to the requirement referenced by the goal, go to your goal in the
<span class="italic"><span class="bold">Model Elements</span></span> view, right-click on it and select the <span class="italic"><span class="bold">Go To
Referenced AF3 Element</span></span> menu item. If you want to delete the reference, just right-click on the node, and select the
<span class="italic"><span class="bold">Eliminate Reference</span></span> context menu element.</p>
<p><img src="./pictures/sc_goal_context_menu.png" /></p>
<h2>
Hyperlinking <span class="italic">Solution</span> nodes</h2>
<p> Connect a solution to an already modeled AF3 element, by right-click on the solution node, and pressing either the
<span class="italic"><span class="bold">Connect 2 Platform</span></span> (for referencing to an AF3 element of type <span class="italic">platform</span>),
the <span class="italic"><span class="bold">Reference Test Coverage</span></span> (for referencing to an AF3 element of type <span class="italic">result constraint</span>),
the <span class="italic"><span class="bold">Reference Test Results</span></span> (for referencing to an AF3 element of type <span class="italic">coverage constraint</span>), or
the <span class="italic"><span class="bold">Connect 2 Generated Code</span></span> (for referencing to files containg AF3 generated code) elements from the context menu
that will appear after right-clicking. When selecting the test results or test coverage as evidence for the solution, the results, or, respectively, the coverage, of the
test suite, referenced by the context of the goal supported by the solution are regarder. If no test suite is refered by the context of the goal node, a notification is
raised. When connecting a solution to an AF3 element, the name of the solution will be the same as the name AF3 element. To go directly to the element referenced
by the solution, go to your solution in the <span class="italic"><span class="bold">Model Elements</span></span> view, right-click on it
and select the <span class="italic"><span class="bold">Go To Referenced AF3 Element</span></span> menu item. If you want to delete the reference,
just right-click on the node, and select the <span class="italic"><span class="bold">Eliminate Reference</span></span> context menu element.</p>
<p><img src="./pictures/sc_sol_references.png" width="301" height="304"/></p>
<h2>
Hyperlinking <span class="italic">Context</span> nodes</h2>
<p> Connect a context node to <span class="italic"><span class="bold">Test Suite</span></span> of a certain logical component in the project,
by right-click on the context node, and pressing the <span class="italic"><span class="bold">Connect 2 Test Suite</span></span> element from the context menu
that will appear after right-clicking. Only test suites of the component that is scoped by goal node to which the context node is associated the my be selected.
To go directly to the test suite referenced by the context, go to your goal in the
<span class="italic"><span class="bold">Model Elements</span></span> view, right-click on it and select the <span class="italic"><span class="bold">Go To
Referenced AF3 Element</span></span> menu item. If you want to delete the connection, just right-click on the node, and select the
<span class="italic"><span class="bold">Eliminate Reference</span></span> context menu element.</p>
<p><img src="./pictures/sc_context_references.png" width="465" height="378"/></p>
<h2>
Hyperlinking <span class="italic">Assumption</span> nodes</h2>
<p> Connect an assumption node to a <span class="italic"><span class="bold">State</span></span> or <span class="italic"><span class="bold">Mode</span></span>
of the component scoped by the goal node for which the assumption node was created,
by right-click on the assumption node, and pressing the <span class="italic"><span class="bold">Connect 2 State</span></span> or
<span class="italic"><span class="bold">Connect 2 Mode</span></span> element from the context menu
that will appear after right-clicking. To go directly to the requirement referenced by the assumption node, go to your goal in the
<span class="italic"><span class="bold">Model Elements</span></span> view, right-click on it and select the <span class="italic"><span class="bold">Go To
Referenced AF3 Element</span></span> menu item. If you want to delete the connection, just right-click on the node, and select the
<span class="italic"><span class="bold">Eliminate Reference</span></span> context menu element.</p>
<p><img src="./pictures/sc_assumption_references.png" width="365" height="344"/></p>
<h2>
Assurance Case Patterns in AF3</h2>
<h3>
Steps to create an assurance case pattern in AF3</h3>
<ol>
<li>
Create a new assurance case module;</li>
<li>
Specify the assurance argumentation structure of this module;</li>
<li>
Make sure that all the assurance argument elements contained by your module are marked as uninstantiated entities.</li>
</ol>
<p>
When you are done with modeling your pattern, do the following steps:</p>
<ol>
<li>
Go to the <span class="italic"><span class="bold">File</span></span> on the menu bar and click on it;</li>
<li>
Select <span class="italic"><span class="bold">New AF3 Library</span></span> from the drop-down menu;</li>
<p>
<img src="./pictures/SC.17.png" /></p>
<li>
Go to the <span class="italic"><span class="bold">Model Navigator</span></span> view and select the <span class="italic"><span class="bold">Toggle library view</span></span> button;</li>
<p>
<img src="./pictures/SC.18.png" /></p>
<li>
Select the newly created <span class="italic"><span class="bold">AF3 Library</span></span> from the <span class="italic"><span class="bold"><span class="italic"><span class="bold">Model Navigator</span></span></span></span> view and right-click on it;</li>
<li>
Select <span class="italic"><span class="bold">New Package (for assurance argument patterns)</span></span> from the drop-down menu;</li>
<p>
<img src="./pictures/SC.19.png" /></p>
<li>
Go to the <span class="italic"><span class="bold">Model Navigator</span></span> view and deselect the Toggle library view button;</li>
<li>
When you are done with the modeling of the assurance argumentation pattern, go to the newly created Argument Module from the <span class="italic"><span class="bold">Model Navigator</span></span> view and right-click on it;</li>
<li>
Then select <span class="italic"><span class="bold">Add to Library</span></span> from the drop-down menu;</li>
<p>
<img src="./pictures/SC.20.png" /></p>
<li>
From the opened dialog, select the newly created assurance argument patterns package.</li>
<p>
<img src="./pictures/SC.21.png" /></p>
</ol>
<h3>
Steps to apply a pattern into your assurance case</h3>
<ol>
<li>
Go to your assurance case in the <span class="italic"><span class="bold">Model Navigator</span></span> view and double-click on it. This will open your assurance case in the <span class="italic"><span class="bold">Modeling Diagram</span></span> view;</li>
<li>
Apply the pattern you created to your assurance case by drag-and-drop from the <span class="italic"><span class="bold">Model Elements</span></span> view.</li>
<p>
<img src="./pictures/SC.22x.png" /></p>
</ol>
<p>
<span class="bold">Note:</span> All the available assurance case patterns in your workspace are to be found under Library -&gt; assurance argument patterns in the <span class="italic"><span class="bold">Model Elements</span></span> view.</p>
<h3>
Instantiate an assurance case pattern</h3>
<ol>
<li>
Go to the newly imported Argument Module from the <span class="italic"><span class="bold"><span class="italic"><span class="bold">Model Navigator</span></span></span></span> view and right-click on it;</li>
<li>
Select <span class="italic"><span class="bold">Disconnect from library</span></span> item from the context menu;</li>
<li>
Go to the Safety Argument Properties view for each of the elements of the module and do the following steps:
<ol>
<li>
Fill in the <span class="italic"><span class="bold">Element Identifier</span></span> text box;</li>
<li>
Replace the words in curly brackets from the claim of the safety argument element, by editing the claim or by pressing the <span class="italic"><span class="bold">Instantiate the words in curly brackets from the claim button</span></span>;</li>
<li>
Deselect the <span class="italic"><span class="bold">Uninstatiated</span></span> entity button.</li>
</ol>
</li>
</ol>
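Review bot: the added block that begins right after this point is the removed page re-wrapped by an HTML editor (a closing head tag and a new body wrapper, self-closing img tags rewritten, every paragraph reflowed), so the actual content change cannot be picked out of the diff; please move the reformatting into a separate commit and keep this one to the lines that really change. Two things in the added lines also need attention. In the "Feature 2: Hyperlinking" paragraph, six italic spans are opened (before "requirement", "deployment", "generated", "simulation", "formal verification" and "testing") and only closed together just before the end of the paragraph, so everything from "requirement" onwards renders italic; close each span directly after its term. In the "Hyperlinking Solution nodes" paragraph, "Reference Test Coverage" is described as referencing an element of type "result constraint" and "Reference Test Results" as referencing one of type "coverage constraint", which looks swapped; please confirm against the tool and correct the text if so.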
</head>
<body>
<h1> ExplicitCase - An Assurance Case Editor in AF3</h1>
<p>AutoFOCUS3 contains an editor, named ExplicitCase, which supports the
construction of modular assurance cases, in compliance with the Goal
Structuring Notation (GSN) standard.</p>
<h2> Feature 1: Assurance Case Editing.</h2>
<p> Assurance cases constitute a proven technique to systematically
demonstrate the safety/security/reliability of such systems using existing
information about the system, its environment and development context,
facilitating the bridging of the regulatory gap. Three parts can be
identified as part of an assurance case. First, the <span class="bold">goal</span>
that has to be achieved. Second, the <span class="bold">evidence</span>
for achieving this goal and third, the structured argument constituting
the <span class="bold"> systematic relationship between the goal the
evidence</span>. Assurance cases can be designed in a modular approach,
by subdividing complex assurance cases into interconnected modules of
assurance arguments and evidence.</p>
<h3>What is the Goal Structuring Notation (GSN)? Why shall assurance cases
be satisfied via this notation?</h3>
<p> The Goal Structuring Notation (GSN) is a well-known description
technique for the development of engineering arguments to construct
assurance cases. GSN uses a graphical argument notation to explicitly
document the elements and structure of an argument and the argument's
relationship of this evidence. An argument, based on GSN, may consists of
several elements: <span class="italic">Goals</span> are the claims of an
argument, whereas items of evidences are captured under <span class="italic">Solutions</span>.
When documenting how claims are said to be supported by sub-claims, the <span
class="italic">Strategy</span>-element is used and can be linked to <span
class="italic">Goals</span>. A <span class="italic">Context</span>
element captures and enables citation of information that is relevant to
the argument. Rationale for a strategy can be described by a <span class="italic">Justification</span>
element. GSN provides two types of linkage between elements: <span class="italic">SupportedBy</span>
and <span class="italic">InContextOf</span>. <span class="italic">SupportedBy</span>
relationships indicate inferential or evidential relationships between
elements. <span class="italic">InContextOf</span> relationships declare
contextual relationships. The benefit of having a structured graphical
notation for assurance cases is that it supports the presentation of
assurance cases to non-safety experts in a comprehensive manner.</p>
<h4> GSN-based assurance cases in AF3</h4>
<p> ExplictCase is based on a metamodel derived from the GSN standard and
offers a graphical editor facilitating the model-based development of
assurance cases. An overview of the editor is shown in Fig. 1. The editor
provides complies with the GSN standard, by allowing the user to build
assurance cases via:</p>
<ul>
<li> GSN defined node elements (i.e., Goal, Strategy, Solution,
Assumption, Context, Justification);</li>
<li> GSN defined relationships between node elements (i.e., SupportedBy
and InContextOf);</li>
</ul>
<figure> <img src="./pictures/sc_gsn_basic.png"> <figcaption>Fig. 1 - GSN
compliance.</figcaption> </figure>
<h2>Feature 2: Hyperlinking</h2>
<p> There are several types of hyperlinking offered by ExplicitCase. First,
we distinguish between hyperlinking words in claims and linking an entire
GSN node to another artifact. Second, hyperlinks can link the assurance
case with external documents containing assurance reports, analysis or
verification results or even system models (see Fig. 2). AF3 provides the
"native" internal system models that may be linked to elements of
assurance cases modeled in ExplicitCase. The novelty of our hyperlinking
system lays in the fact that words in claims or GSN nodes are deeply
integrated with the system artifacts created by the user in the AF3
model-based development tool. The user may link words in claims, or entire
GSN nodes to AF3 artifacts from different phases of the (safety) assurance
process (e.g., <span class="italic">requirement and <span class="italic">deployment
models), as well as implementation (e.g., <span class="italic">generated
code), and verification artifacts (e.g., <span class="italic">simulation,
<span class="italic">formal verification or <span class="italic">testing
results). </span></span></span></span></span></span></p>
<figure> <img src="./pictures/sc_hyperlinks.png"> <figcaption>Fig. 2 -
Linking GSN nodes with AF3 and external artifacts.</figcaption> </figure>
<h2>Feature 3: Reference to external documents</h2>
<p> Since the most common approach for describing safety assurance cases in
the industry is free text, the user can add to any modeled GSN node a
reference to the document in which further explanation of the claim in the
node may be found. Furthermore, the user can add a string, which depicts a
reference to the paragraph from the referenced document in which the node
is explained in detail (see Fig. 3). This feature is motivated by the fact
that pure graphical notation can demonstrate links between argument
sections and differentiate between different types of argument components,
but without narrative there is no "meat" against which the soundness of
the argument may be judged. </p>
<figure> <img src="./pictures/sc_document_ref.png"> <figcaption>Fig. 3 -
Reference to an external document.</figcaption> </figure>
<h2>Feature 4: Tool-based Support for Handling Large Arguments</h2>
<h3> What are modular assurance cases? Why shall assurance cases be modular?</h3>
<p> One way of designing assurance cases is by following the modular
approach. In GSN, an assurance case module contains the objectives,
evidence, argument and context associated with one aspect of the assurance
case. In addition to the GSN argument elements presented in the previous
paragraph, a module may contain away entities such as <span class="italic">away
goals</span>, <span class="italic">away solutions</span> and <span class="italic">away
context</span> elements. Away entities are references to the goal,
solution or context in another module. Away goals cannot be
(hierarchically) decomposed and further supported by sub-entities within
the current module; rather, decomposition needs to occur within the
referenced module. Inter-modular relationships are of two types: namely <span
class="italic"> supported by</span> and <span class="italic">in context
of</span> relationships. A supported by relationship denotes that
support for the claim presented by the away goal or away solution in one
module is intended to be provided from an argument in another module. When
there is an away context element in a module, that module is connected to
another module by an in context of relationship; relationship that
indicates that the context of a certain claim will be presented in details
in another module.</p>
<p>Modularity of assurance cases has various advantages, namely:</p>
<ul>
<li> Separation of concerns, as modules usually correspond to sub-systems;</li>
<li> Improved comprehensibility;</li>
<li> Minimization of the impact of required changes to an assurance case;</li>
</ul>
<h3>Modular assurance cases in AutoFOCUS3</h3>
<p> ExplicitCase enables the user to model an assurance case containing
several modules which are connected to each other through intra-module
connections (see Fig. 4). Each such module contains an assurance
argumentation structure, build up by GSN-defined elements specific to
modularity in assurance cases (i.e., Away Goals, Optional Entities, Away
Solutions, Away Contexts, Contracts) connected to each other by
GSN-defined relationships. Each argumentation node within a module has a
public indicator, which determines whether the element may be referenced
in another module, or not.</p>
<figure> <img src="./pictures/sc_modules.png"> <figcaption>Fig. 4 -
Assurance case modules.</figcaption> </figure>
<h2>Feature 5: Visual aids</h2>
<p> Different coloring of GSN elements raises the assurance case developer's
awareness about the existence of undeveloped or uninstantiated entities
(see Fig. 5). In addition, contract modules have a distinct coloring in
order to distinguish them from regular argumentation modules. We do not
allow users to color nodes by themselves, in order to keep a certain
meaning of each coloring so that anyone can easily "read" the coloring.
This is motivated, by the fact that the GSN Standard says that, <span class="italic">In
cases where the elements defined in these sections are used in the
development of instantiations of the patterns to produce individual
assurance arguments, it is important to ensure that they are all
removed, or instantiated, in the final, delivered, version of the
argument</span>. </p>
<figure> <img src="./pictures/sc_coloring.png"> <figcaption>Fig. 5 -
Different coloring for different node properties.</figcaption> </figure>
<h2>Feature 6: Built-in Assurance Case Model Constraints.</h2>
<p> Model constraints define semantic conditions that cannot be defined in
the syntactic structure of a metamodel. Since different stakeholders may
have different interpretations and the underlying assumptions may be
overlooked, ExplicitCase requires to document goal decompositions via
strategies. Therefore, a constraint on the assurance case model enforces
the existence of a strategy node whenever the user wants to connect two
goals. ExplicitCase checks many more constraints to ensure the integrity
of assurance cases (e.g., to prevent the creation of invalid
relationships). For example, another constraint to ensure the integrity of
assurance cases is that only GSN connections permitted by the GSN standard
can be modeled (e.g., a context node cannot be connected to a
justification node). Avoidance of circular argumentation is another
built-in constraint on the semantic level. </p>
<h2>Feature 7: Status Notifications</h2>
<p> ExplicitCase offers on-the-fly checks of arbitrary complexity. We define
two types of notifications: warnings and errors. Errors signal missing or
erroneous information, whereas warnings indicate assurance case nodes that
need to be given further consideration. The type of notifications to be
get may be manually selected by the user. For example, an error is
signaled when a goal is changed and the supporting solution should be
reconsider (see Fig. 6). Warnings are, for instance, raised for option
entities that cannot be left in the final version of the assurance case,
but must be appropriately resolved (see Fig. 7).</p>
<figure> <img src="./pictures/sc_error.png"> <figcaption>Fig. 6 - Error
reports in ExplicitCase.</figcaption> </figure>
<figure> <img src="./pictures/sc_warning.png"> <figcaption>Fig. 7 -
Warning reports in ExplicitCase.</figcaption> </figure>
<h2> Feature 8: Maintenance</h2>
<p> Throughout the operational life of any system, changing regulatory
requirements, additional assurance evidence and a changing design can
challenge the corresponding assurance case. In order to maintain an
accurate account of the assurance of the system, all such challenges must
be assessed for their impact on the original assurance argument.</p>
<h3>Why do we need maintenance? </h3>
<p>An assurance case consists of many inter-dependent parts: requirements,
argument, evidence, design and process information. As a result, a single
change to an assurance case may necessitate many other consequential
changes - creating a 'ripple effect'. It is significant to recognize the
importance of every challenge to an assurance case. Furthermore, the
indirect impact is crucial and one of the biggest challenges. Any of these
challenges imply re-certification and by extension re-generation of the
assurance case of a system. The construction and maintenance of assurance
case arguments is expensive and tedious, as it is mainly a manual process
that requires a considerable amount of time. Therefore, offering safety
engineers tool-supported re-evaluation is a big step forward.</p>
<h3>What is the algorithm for maintenance? </h3>
<p>The maintenance algorithm includes the handling of challenges regarding
the following different argument elements.</p>
<ul>
<li>
<p>If the challenged item is a Goal, it challenges its relationship to
both the parent Goal and to the supporting evidence provided. It also
challenges the solutions that support the Goal.</p>
</li>
<li>
<p>If the challenged item is a Solution, it challenges its role as a
solution to all goals relying upon it through the SupportedBy
relationship.</p>
</li>
<li>
<p>If the challenged item is a Context, it challenges the relationship
with all goals previously expressed in the context of that item using
the InContextOf relationship. More specifically, changing a Context
challenges all goals, strategies and solutions that introduce this
Context. In addition, it challenges all goals, strategies and
solutions which inherit this Context.</p>
</li>
</ul>
<h3>Potential vs. actual change effect</h3>
<p>The rules described above constitute the potential change effect and not
necessarily the actual change. There is a significant difference between
actual and potential change. The nodes to which the impact of the
challenge in a connected GSN node propagates are called impacted nodes.
The potential change includes further analysis of the possible effects on
the rest of GSN nodes after one element is challenged. A safety engineer
has to review all the potential challenges and decide upon them.
ExplicitCase implements as a starting point, the potential change effect.</p>
<h3>Assurance Case maintenance in ExplicitCase</h3>
<p> The assurance case maintenance in ExplicitCase requires the
participation of different entities and stakeholders (see Fig. 8). The
system modeling is done by the system engineer and the GSN modeling of the
assurance cases by the safety engineer. The safety engineer has also
responsibilities such as hyperlinking GSN with System Models and
annotating GSN assurance cases with maintainability information.
ExplicitCase recognizes challenges to validity of GSN assurance cases and
identifies the impact of a GSN node challenge. Finally, the safety
engineer gives input to the system engineer regarding the reasons why,
after a change in one system model element, other system model elements,
should be reviewed.</p>
<figure> <img src="./pictures/MaintenanceExplicitCase.PNG"> <figcaption>Fig.
8 - Stakeholders in ExplicitCase.</figcaption> </figure>
<h3>Steps to maintenance in ExplicitCase</h3>
<ol>
<li> Follow the steps in the section <span class="italic"><span class="bold">"Steps
to specify the contained elements of a assurance case module"</span></span>
and build an assurance case module; </li>
<p> <img src="./pictures/Maintenance1.PNG"></p>
<li> Select the Solution Argument Element and right-click on it. Click 'Is
Challenged'; </li>
<p> <img src="./pictures/Maintenance2.PNG"></p>
<li> The challenged solution has changed its color to red; </li>
<p> <img src="./pictures/Maintenance3.PNG"></p>
<li> Right-click again on the challenged solution. Click 'Show potential
change impact'; </li>
<p> <img src="./pictures/Maintenance4.PNG"></p>
<li> The potentially impacted argument elements, by the challenged
solution, have turned their color to yellow; </li>
<p> <img src="./pictures/Maintenance5.PNG"></p>
</ol>
<h2> Feature 9: Exporter</h2>
<p> GSN diagrams do not model the entire assurance case and, as such, they
do not replace all the documents within an assurance case. Instead, they
represent an abstract overview of the argumentation and are included in
other documents. Therefore, there is a need to export the GSN diagrams
created in ExplicitCase into a format so that they can be easily
integrated in text-based documents as figures. </p>
<h3>Steps to export assurance cases in ExplicitCase</h3>
<p> ExplicitCase offers the option to export a GSN-based diagram in three
different formats: SVG, PNG, PDF. To do that, the user shall follow the
following steps: </p>
<ol>
<li> Go to any assurance case module and open the editor; </li>
<li> Right-click anywhere in the editor. Click 'Export Module Diagram
...'; </li>
<p> <img src="./pictures/Export1.png"></p>
<li> In the first dialogue, choose the preferred format; </li>
<p> <img src="./pictures/Export2.png"></p>
<li> In the second dialogue, confirm the preferred format and choose the
destination of the exported file; </li>
<p> <img src="./pictures/Export3.png"></p>
</ol>
<p></p>
<h3>Explanation of the colors</h3>
<p> </p>
<p> The following legend explains the different colors used in the exported
document. </p>
<p> <img src="./pictures/Export4.PNG"></p>
<h2>Assurance Case Patterns</h2>
<p> Apart from the aforementioned features, ExplicitCase enables its users
to create assurance case patterns store them in an AF3 library. However,
this feature is currently under construction.</p>
<h1> Steps to create an assurance case for your project</h1>
<ol>
<li> Go to an AF3 project, in the <span class="italic"><span class="bold">Model
Navigator</span></span> view and right-click on it;</li>
<li> Select the <span class="italic"><span class="bold">Assurance
Argumentation Package</span></span> item from the context menu;</li>
<p> <img src="./pictures/SC.2.png"></p>
<li> Go to the newly created <span class="italic"><span class="bold">Assurance
Argumentation Package</span></span>, in the <span class="italic"><span
class="bold">Model Navigator</span></span> view, and right-click on
it;</li>
<li> Select the <span class="italic"><span class="bold">Assurance Case</span></span>
item from the context menu;</li>
<p> <img src="./pictures/SC.3.png"></p>
<li> Go to the newly created <span class="italic"><span class="bold">Assurance
Case</span></span>, in the <span class="italic"><span class="bold">Model
Navigator</span></span> view, and double-click on it, so that the
editor (a <span class="italic"><span class="bold">Modeling Diagram</span></span>)
in which you can model the assurance case appears.</li>
<p> <img src="./pictures/SC.4.png"></p>
</ol>
<h2> Steps to create an assurance case module</h2>
<p> </p>
<ol>
<li> After creating your assurance case, you can now specify the contained
assurance case modules. To add an assurance case module (called <span class="italic"><span
class="bold">Argument Module</span></span> in AF3), drag and drop an
<span class="bold"><span class="italic">Argument Module</span></span>
from the <span class="italic"><span class="bold">Model Elements</span></span>
view on the right side to your diagram; <span class="bold">Note</span>:
To move a module, just pick the module somewhere in the middle and move.
To re-size it, pick it in the lower right corner and move the mouse to
re-size.</li>
<li> To specify properties of the module, go to the <span class="italic"><span
class="bold">Properties</span></span> view. There you can assign the
assurance case module an id (in the <span class="italic"><span class="bold">Element
Identifier</span></span> text box). All other text box may not be
filled in;</li>
<p> <img src="./pictures/sc_module_creation.png" width="600" height="500"></p>
<li> To generate intra-module connections, based on the away entities, go
to your assurance case, in the <span class="italic"><span class="bold">Model
Elements</span></span> view and right-click on it. Select the <span
class="italic"><span class="bold">Generate Module Connections</span></span>
item from the context menu. Do consider that, if you do not have any
away entities in your assurance case modules, you will not have any
relationship between your modules.</li>
<p> <img src="./pictures/SC.6.png"></p>
</ol>
<p> &nbsp;</p>
<h2> Steps to specify the contained elements of an assurance case module</h2>
<p> Once you are done with specifying the modules of your assurance case,
you can describe the assurance argument structure contained by these
modules as such:</p>
<ol>
<li> Go to one of your assurance case modules from the <span class="italic"><span
class="bold">Model Elements</span></span> view and double-click on
it, so that the editor (a <span class="italic"><span class="bold">Modeling
Diagram</span></span>) in which you can model the assurance case
module appears;</li>
<li> To add an <span class="italic"><span class="bold">Argumentation Node</span></span>,
drag and drop a <span class="italic"><span class="bold">Goal/Away Goal</span></span>
<span class="italic"><span class="bold">/Strategy/Solution/Away
Solution/Optional Entity/Strategy</span></span> <span class="italic">
<span class="bold">/Justification/Assumption/Context/Away Context</span></span>
from the <span class="italic"><span class="bold">Model Elements</span></span>
view on the right side to your diagram; <span class="bold">Note</span>:
To move an argumentation node, just pick the module somewhere in the
middle and move. To resize it, pick it in the lower right corner and
move the mouse to resize.</li>
<p> <img src="./pictures/SC.7x.png"></p>
<li> In order to create relationships between your argumentation nodes,
namely <span class="italic"><span class="bold">SupportedBy</span></span>
and <span class="italic"> <span class="bold">InContextOf</span></span>
relationships, as specified in the <span class="bold">GSN</span>
standard, press the <span class="bold">alt-Key</span> (<span class="bold">ctrl-Key</span>
under Linux) on your keyboard and drag the relationship from one
argument element to another. Invalid relationships (e.g., between a
solution and a context) are avoided by disabling the dragging.</li>
<p> <img src="./pictures/SC.8.png"></p>
</ol>
<p> Here is an example of the assurance argumentation structure an assurance
case module modeled in AF3:</p>
<p> <img src="./pictures/SC.24.png"></p>
<h3> Setting properties of assurance argumentation nodes</h3>
<p> Properties of assurance argumentation nodes can be set in the <span class="italic"><span
class="bold">Properties</span></span> view. There are two types of
properties, namely general properties, which may be set to all types of
GSN nodes and specific properties, which may be set only to particular
types of GSN nodes. The following properties are properties to be set to
any type of GSN node:</p>
<ol>
<li> Name of the GSN node in the <span class="italic"><span class="bold">Name</span></span>
text box;</li>
<li> Comment regarding the GSN node in the <span class="italic"><span class="bold">Comment</span></span>
text box;</li>
<li> ID of the argumentation node in the <span class="italic"><span class="bold">Element
identifier</span></span> text box;</li>
<li> Claim of the GSN node in the <span class="italic"><span class="bold">Comment</span></span>
text box. This text may and should be filled in for all types of GSN
nodes, except for <span class="italic">solution</span> nodes.
Furthermore, you cannot set claims to away entities, as they have the
same claim as the assurance argument element the point to.;</li>
<li> Add a reference to a document to the GSN node by pressing the <span
class="italic"><span class="bold">Add document</span></span> button. A
file browser will open and you can select any file of type
pdf/Word/Excel;</li>
<li> To delete a reference, press the <span class="italic"><span class="bold">Remove
document</span></span> button;</li>
<li> To give some further explanation of the reference to a certain
document, use the <span class="italic"><span class="bold">Reference
Explanation</span></span> text box;</li>
</ol>
<p><img src="./pictures/sc_document_ref.png"></p>
<h4> Setting properties of <span class="italic">SupportedBy</span> and <span
class="italic">InContextOf</span> relationships</h4>
<ol>
<li> As you create an assurance case pattern, you can assign a
multiplicity to a relationship, by writing any number higher than 0 in
the <span class="italic">Multiplicity</span> text box. You can give a
short explanation of the multiplicity in the corresponding text box;</li>
<li> Mark the relationship as <span class="italic">Optional</span>, by
checking the corresponding check button.</li>
<li> For SupportedBy relationships, set the relevance, support and
strength levels of your relationships by selecting from the drop-down
lists.</li>
<p> <img src="./pictures/sc_connection_prop.png"></p>
</ol>
<h4> Setting properties of <span class="italic">Option Entities</span></h4>
<ol>
<li>You can select the assurance argument elements you want to keep for
your assurance argumentation structure, by right-clicking on the option
entity node, and selecting the <span class="italic"><span class="bold">Make
a choice</span></span> context menu element. A wizard will appear in
order to select from the optional elements. </li>
<p> <img src="./pictures/sc_option_entity.png"></p>
<li>You can write down in the <span class="italic"><span class="bold">The
minimum required</span></span> text box from the <span class="italic"><span
class="bold">Properties</span></span> view, the minimum number of
assurance argument elements that should be selected to be kept in your
assurance argumentation structure.</li>
<p> <img src="./pictures/sc_option_prop.png" width="454" height="574"></p>
</ol>
<h4> Setting particular properties of <span class="italic">Goals</span></h4>
<ol>
<li> Scope a goal to a particular AF3 logical component by pressing the <span
class="italic">Add scope</span> button;</li>
<li> Remove the scope of a goal to a particular AF3 logical component by
pressing the <span class="italic">Delete scope</span> button;</li>
</ol>
<img src="./pictures/sc_goal_scope.png" width="400" height="500">
<p></p>
<h4> Setting particular properties of <span class="italic">Away Entities</span></h4>
<p> Right-click on the away entity. A context menu will appear. Click on the
<span class="italic"><span class="bold">Connect 2 Goal/Solution/Context</span></span>
menu item A wizard will appear. Select from the assurance argument nodes
that appear in the wizard, one to which you want your away entity to point
to. If the selected node was set as private, you will be asked if you want
to change the visibility of the node. If not, the reference will not be
done. Only public nodes may be referenced by away entities. In the <span
class="italic"><span class="bold">Properties</span></span> view, in the
<span class="italic"><span class="bold">Referenced module ID</span></span>
the ID of the module containing the node referenced by the away entity
node is automatically filled in.</p>
<p> </p>
<p> <img src="./pictures/sc_away.png" width="300" height="500"></p>
<h2>Setting states to GSN nodes</h2>
<p>According to the GSN standard, a node may take different states in the
course of the assurance case development. One may right-click on a GSN
node and select the following states: private/public,
instantiated/uninstantiated, developed/undeveloped and supported by
contact. </p>
<p><img src="./pictures/sc_gsn_node_states.png"></p>
<h2> Hyperlinking <span class="italic">Goal</span> nodes</h2>
<p> Connect a goal to a modeled assurance requirement from the <span class="italic"><span
class="bold">Requirements Analysis</span></span> of the project, by
right-click on the goal node, and pressing the <span class="italic"><span
class="bold">Connect 2 Requirement</span></span> element from the
context menu that will appear after right-clicking. When connecting a goal
to a requirement, the name and the claim of the goal will be the same as
the name and the description of the requirement. To go directly to the
requirement referenced by the goal, go to your goal in the <span class="italic"><span
class="bold">Model Elements</span></span> view, right-click on it and
select the <span class="italic"><span class="bold">Go To Referenced AF3
Element</span></span> menu item. If you want to delete the reference,
just right-click on the node, and select the <span class="italic"><span class="bold">Eliminate
Reference</span></span> context menu element.</p>
<p><img src="./pictures/sc_goal_context_menu.png"></p>
<h2> Hyperlinking <span class="italic">Solution</span> nodes</h2>
<p> Connect a solution to an already modeled AF3 element, by right-click on
the solution node, and pressing either the <span class="italic"><span class="bold">Connect
2 Platform</span></span> (for referencing to an AF3 element of type <span
class="italic">platform</span>), the <span class="italic"><span class="bold">Reference
Test Coverage</span></span> (for referencing to an AF3 element of type
<span class="italic">result constraint</span>), the <span class="italic"><span
class="bold">Reference Test Results</span></span> (for referencing to
an AF3 element of type <span class="italic">coverage constraint</span>),
or the <span class="italic"><span class="bold">Connect 2 Generated Code</span></span>
(for referencing to files containg AF3 generated code) elements from the
context menu that will appear after right-clicking. When selecting the
test results or test coverage as evidence for the solution, the results,
or, respectively, the coverage, of the test suite, referenced by the
context of the goal supported by the solution are regarder. If no test
suite is refered by the context of the goal node, a notification is
raised. When connecting a solution to an AF3 element, the name of the
solution will be the same as the name AF3 element. To go directly to the
element referenced by the solution, go to your solution in the <span class="italic"><span
class="bold">Model Elements</span></span> view, right-click on it and
select the <span class="italic"><span class="bold">Go To Referenced AF3
Element</span></span> menu item. If you want to delete the reference,
just right-click on the node, and select the <span class="italic"><span class="bold">Eliminate
Reference</span></span> context menu element.</p>
<p><img src="./pictures/sc_sol_references.png" width="301" height="304"></p>
<h2> Hyperlinking <span class="italic">Context</span> nodes</h2>
<p> Connect a context node to <span class="italic"><span class="bold">Test
Suite</span></span> of a certain logical component in the project, by
right-click on the context node, and pressing the <span class="italic"><span
class="bold">Connect 2 Test Suite</span></span> element from the
context menu that will appear after right-clicking. Only test suites of
the component that is scoped by goal node to which the context node is
associated the my be selected. To go directly to the test suite referenced
by the context, go to your goal in the <span class="italic"><span class="bold">Model
Elements</span></span> view, right-click on it and select the <span class="italic"><span
class="bold">Go To Referenced AF3 Element</span></span> menu item. If
you want to delete the connection, just right-click on the node, and
select the <span class="italic"><span class="bold">Eliminate Reference</span></span>
context menu element.</p>
<p><img src="./pictures/sc_context_references.png" width="465" height="378"></p>
<h2> Hyperlinking <span class="italic">Assumption</span> nodes</h2>
<p> Connect an assumption node to a <span class="italic"><span class="bold">State</span></span>
or <span class="italic"><span class="bold">Mode</span></span> of the
component scoped by the goal node for which the assumption node was
created, by right-click on the assumption node, and pressing the <span class="italic"><span
class="bold">Connect 2 State</span></span> or <span class="italic"><span
class="bold">Connect 2 Mode</span></span> element from the context
menu that will appear after right-clicking. To go directly to the
requirement referenced by the assumption node, go to your goal in the <span
class="italic"><span class="bold">Model Elements</span></span> view,
right-click on it and select the <span class="italic"><span class="bold">Go
To Referenced AF3 Element</span></span> menu item. If you want to
delete the connection, just right-click on the node, and select the <span
class="italic"><span class="bold">Eliminate Reference</span></span>
context menu element.</p>
<p><img src="./pictures/sc_assumption_references.png" width="365" height="344"></p>
<h2> Assurance Case Patterns in AF3</h2>
<h3> Steps to create an assurance case pattern in AF3</h3>
<ol>
<li> Create a new assurance case module;</li>
<li> Specify the assurance argumentation structure of this module;</li>
<li> Make sure that all the assurance argument elements contained by your
module are marked as uninstantiated entities.</li>
</ol>
<p> When you are done with modeling your pattern, do the following steps:</p>
<ol>
<li> Go to the <span class="italic"><span class="bold">File</span></span>
on the menu bar and click on it;</li>
<li> Select <span class="italic"><span class="bold">New AF3 Library</span></span>
from the drop-down menu;</li>
<p> <img src="./pictures/SC.17.png"></p>
<li> Go to the <span class="italic"><span class="bold">Model Navigator</span></span>
view and select the <span class="italic"><span class="bold">Toggle
library view</span></span> button;</li>
<p> <img src="./pictures/SC.18.png"></p>
<li> Select the newly created <span class="italic"><span class="bold">AF3
Library</span></span> from the <span class="italic"><span class="bold"><span
class="italic"><span class="bold">Model Navigator</span></span></span></span>
view and right-click on it;</li>
<li> Select <span class="italic"><span class="bold">New Package (for
assurance argument patterns)</span></span> from the drop-down menu;</li>
<p> <img src="./pictures/SC.19.png"></p>
<li> Go to the <span class="italic"><span class="bold">Model Navigator</span></span>
view and deselect the Toggle library view button;</li>
<li> When you are done with the modeling of the assurance argumentation
pattern, go to the newly created Argument Module from the <span class="italic"><span
class="bold">Model Navigator</span></span> view and right-click on
it;</li>
<li> Then select <span class="italic"><span class="bold">Add to Library</span></span>
from the drop-down menu;</li>
<p> <img src="./pictures/SC.20.png"></p>
<li> From the opened dialog, select the newly created assurance argument
patterns package.</li>
<p> <img src="./pictures/SC.21.png"></p>
</ol>
<h3> Steps to apply a pattern into your assurance case</h3>
<ol>
<li> Go to your assurance case in the <span class="italic"><span class="bold">Model
Navigator</span></span> view and double-click on it. This will open
your assurance case in the <span class="italic"><span class="bold">Modeling
Diagram</span></span> view;</li>
<li> Apply the pattern you created to your assurance case by drag-and-drop
from the <span class="italic"><span class="bold">Model Elements</span></span>
view.</li>
<p> <img src="./pictures/SC.22x.png"></p>
</ol>
<p> <span class="bold">Note:</span> All the available assurance case
patterns in your workspace are to be found under Library -&gt; assurance
argument patterns in the <span class="italic"><span class="bold">Model
Elements</span></span> view.</p>
<h3> Instantiate an assurance case pattern</h3>
<ol>
<li> Go to the newly imported Argument Module from the <span class="italic"><span
class="bold"><span class="italic"><span class="bold">Model Navigator</span></span></span></span>
view and right-click on it;</li>
<li> Select <span class="italic"><span class="bold">Disconnect from
library</span></span> item from the context menu;</li>
<li> Go to the Safety Argument Properties view for each of the elements of
the module and do the following steps:
<ol>
<li> Fill in the <span class="italic"><span class="bold">Element
Identifier</span></span> text box;</li>
<li> Replace the words in curly brackets from the claim of the safety
argument element, by editing the claim or by pressing the <span class="italic"><span
class="bold">Instantiate the words in curly brackets from the
claim button</span></span>;</li>
<li> Deselect the <span class="italic"><span class="bold">Uninstatiated</span></span>
entity button.</li>
</ol>
</li>
</ol>
</body>
</html>
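Review bot: In the "Hyperlinking Solution nodes" paragraph the element types look swapped: "Reference Test Coverage" is described as referencing an AF3 element of type "result constraint" and "Reference Test Results" as referencing one of type "coverage constraint". Please confirm which mapping is intended and swap the two if this is a slip. The same paragraph has typos ("containg", "regarder", "refered") and "the same as the name AF3 element" is missing "of the". The Context section has "the my be selected", the states section lists "supported by contact" (is "contract" meant?), and the last list spells the button "Uninstatiated"; keep that spelling only if it matches the actual UI label. The Context and Assumption sections tell the reader to "go to your goal" and the Assumption section speaks of "the requirement referenced by the assumption node", which reads as text carried over from the Goal section. Several image paragraphs (p elements) also sit directly inside the ol lists between li items, for example after the "New AF3 Library" step, which is not valid HTML; move each image into the preceding li.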