May 27, 2016 - Dictionary vagueness around the definition of Strategy: it can mean either a ‘plan of action’ or ‘the art of planning’. GSN adopts ‘plan of action’ ...
URN in place of GSN
Design Rationale versus Assurance Argument
27-May-16
© 2016 Ray Feodoroff
Target Audience
Principally:
– Requirement Engineers
– System Engineers
– System Architects
– Engineering Managers
Secondarily:
– Argumentation Authors
– Safety Analysts
URN versus GSN on a page
User Requirements Notation (URN) comprises 2 modelling notations:
1. Goal-oriented Requirement Language (GRL), an Actor/Agent Oriented notation which supports Goal Satisfaction based argument, including the allocation of Goals to Agents
2. Use Case Maps (UCM), a causal thread notation akin to the notion of System Threads
Goal Structuring Notation (GSN) comprises:
1. A Goal Satisfaction notation similar to NFR
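The Goal Satisfaction propagation that GRL supports, and that GSN has no Actor or Obstacle element for, is easier to see on a small model than on a slide. The block below is an added example written for this page; it is not code from the original deck, from URN or from the jUCMNav tool. What it assumes is labelled: a simplified version of the quantitative GRL evaluation idea (satisfaction in [-100, 100]; AND-decomposition takes the minimum of its parts, OR the maximum; contributions are summed as weight × source / 100 and clipped; an actor's value is the importance-weighted average of its elements), an obstacle modelled as a strong negative contributor, and a constructed plant/operator model whose numbers are illustrative only.

```python
# Added example (not the page's, URN's or jUCMNav's code): simplified GRL-style
# goal-satisfaction propagation over an actor-allocated goal graph.
# Assumptions, labelled: satisfaction in [-100, 100]; AND = min of parts,
# OR = max of parts; contributions summed as weight * source / 100 and clipped;
# actor value = importance-weighted average of its elements. The model below
# is constructed for illustration, not taken from any real system.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Element:
    """One GRL intentional element; an obstacle is just a negative contributor here."""
    name: str
    actor: Optional[str] = None                 # allocation of the element to an actor/agent
    decomposition: Optional[str] = None         # "AND", "OR" or None
    parts: List[str] = field(default_factory=list)
    contributions: List[Tuple[str, int]] = field(default_factory=list)  # (source, weight in [-100, 100])
    initial: Optional[int] = None               # analyst-supplied leaf evaluation
    importance: int = 0                         # weight inside the owning actor (0 = not counted)


def clip(value: float) -> int:
    return int(max(-100, min(100, round(value))))


def evaluate(model: Dict[str, Element], name: str,
             overrides: Optional[Dict[str, int]] = None,
             memo: Optional[Dict[str, int]] = None) -> int:
    """Bottom-up satisfaction of one element; `overrides` supports what-if strategies."""
    overrides = overrides or {}
    memo = {} if memo is None else memo
    if name in memo:
        return memo[name]
    e = model[name]
    if name in overrides:
        value = clip(overrides[name])
    elif e.initial is not None:
        value = clip(e.initial)
    else:
        value = 0
        if e.decomposition == "AND":   # the weakest part limits the goal
            value = min(evaluate(model, p, overrides, memo) for p in e.parts)
        elif e.decomposition == "OR":  # the strongest alternative carries the goal
            value = max(evaluate(model, p, overrides, memo) for p in e.parts)
        if e.contributions:            # weighted contributions adjust the result
            weighted = sum(evaluate(model, s, overrides, memo) * w for s, w in e.contributions)
            value = clip(value + weighted / 100)
    memo[name] = value
    return value


def actor_satisfaction(model: Dict[str, Element], actor: str,
                       overrides: Optional[Dict[str, int]] = None) -> int:
    """Importance-weighted average of the elements allocated to an actor."""
    memo: Dict[str, int] = {}
    weighted = total = 0
    for e in model.values():
        if e.actor == actor and e.importance > 0:
            weighted += evaluate(model, e.name, overrides, memo) * e.importance
            total += e.importance
    return clip(weighted / total) if total else 0


# Constructed model: a plant raises an alarm, an operator must respond in time,
# and "Alarm fatigue" plays the obstacle through a strong negative contribution.
MODEL = {e.name: e for e in [
    Element("Hazard detected", actor="Plant", initial=100),
    Element("Alarm channel available", actor="Plant", initial=50),
    Element("Alarm raised", actor="Plant", decomposition="AND",
            parts=["Hazard detected", "Alarm channel available"], importance=100),
    Element("Operator trained", actor="Operator", initial=80, importance=50),
    Element("Alarm fatigue", actor="Operator", initial=100),        # obstacle
    Element("Timely response", actor="Operator", importance=100,
            contributions=[("Alarm raised", 60), ("Operator trained", 50), ("Alarm fatigue", -75)]),
]}

if __name__ == "__main__":
    print("Alarm raised:", evaluate(MODEL, "Alarm raised"))                                # 50
    print("Timely response:", evaluate(MODEL, "Timely response"))                          # -5
    print("Timely response, no fatigue:", evaluate(MODEL, "Timely response", {"Alarm fatigue": 0}))  # 70
    print("Operator:", actor_satisfaction(MODEL, "Operator"))                             # 23
```

The what-if override is the part worth noting: removing the obstacle moves the operator's "Timely response" from -5 to 70 with no change to the goal tree, which is the kind of rationale (why this design decision, against which obstacle, for which agent) that a pure Goal Satisfaction tree cannot carry.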
meme /mēm/ noun: An element of a culture or system of behaviour that may be considered to be passed from one individual to another by non-genetic means, especially imitation. An idea, behaviour, or style that spreads from person to person within a culture.
– rather simply relates to how well read one is … says smugly
Leveson stirs the pot … RATIONALE ≡ Means-Ends (aka Goal Oriented)
Leveson argues Safety Cases are not the way to go
http://sunnyday.mit.edu/SafetyCases.pdf
Leveson demands that ‘argument’ should be part of the Design Rationale behind System Engineering Design Decisions
Intent Specifications, based upon an MIT interpretation of Cognitive Science (Jens Rasmussen, and therefore thinking from the European/CDN meme channel)
http://sunnyday.mit.edu/papers/intent-tse.pdf
Leveson has stirred the UK/US and European/CDN academic meme channels together – at the edges at least
Aim RATIONALE ≡ Ends-Means ≡ Argument
http://orbit.dtu.dk/ws/files/88456750/ris_m_2871.pdf
Harmonize ideas from Cognitive Engineering and System Assurance by looking at:
– Jens Rasmussen et al, and:
– Goal Intention/Refinement (Ends-Means)
– Goal* Oriented Requirements Engineering (GORE), which is based on Jens Rasmussen
* Also masquerades as Agent Oriented
Inject Rationale into Design Artefacts that acts as Argument!
Temporal Slices of Argument
http://www.hse.gov.uk/research/crr_pdf/2001/crr01336.pdf
In 2001 the UK Health and Safety Executive (HSE) suggested 5 phased Assurance Arguments, namely:
1) Preliminary Safety Justification
2) Architectural Safety Justification
3) Implementation Safety Justification
4) Installation Safety Justification
5) Operational Safety Justification
Makes the distinction between Rationale and Argument “fuzzy”
Makes sense for:
– Systems, as development time is long
– Certification, so no surprises at the end as Assurance is driven into design
The term “Justification” makes sense as it is a use of Argument (opens up other questions, especially about semantics)
Interesting because …
https://www-users.cs.york.ac.uk/tpk/tpkthesis.pdf
Kelly’s 1998 starting position was:
Rationale_r ≠ Argument ∵ r ∉ {strategy, solution, assumption, justification}
Also says Rationale = Aspiration or ‘early’, so must have meant that Argument is ‘late’ (?)
Kelly 2008 later advocates phased safety cases … including ‘early’ Argument, but refrains from calling that Rationale
https://www.umsec.umn.edu/sites/www.umsec.umn.edu/files/TimKelly.pdf
anachronism /əˈnakrəˌnizəm/ noun 1. an act of attributing a custom, event, or object to a period to which it does not belong.
Interesting because …
Kelly uses Justification in the formal sense only when discussing:
– formal argument;
– DEF-STAN 00-55;
– “safety justification process”;
– “safety justification domain”;
– “constructing a safety justification” – that is, the entire goal tree
Therefore one needs to observe that the entire goal tree is the Justification in the formal Argument sense
Interesting because …
https://online.missouri.edu/exec/data/courses/2341/public/lesson01/lesson01.aspx
Explanation is another use of Argument
Explanation is a synonym of Rationale!?
Begs the question:
Are Goal Intention/Refinement and Justification/Explanation just “tenses” of Argument?
That is … Leveson (early) vs. Kelly (late)
[Figure: UK/US Meme versus European/CDN Meme, Early versus Late: Intention (Ends) and Refinement (Means); (Solved) Justification and (By) Explanation; Rationale captured]
Justification is to Explanation what Intention is to Refinement … so Early versus Late?
rationale /ˌraSHəˈnal/ noun 1. a set of reasons or a logical basis for a course of action or a particular belief.
Or … Leveson (inside) vs. Kelly (outside)
Might be the difference between Cogitation and Design, or just the act of writing it down … we did say Cognitive Science
[Figure: Justification / Explanation; Intention / Refinement (images: Wikimedia Commons, openclipart.org)]
Might be the same thing …
Leveson says Rasmussen says … RATIONALE ≡ Means-Ends (aka Goal Oriented)
Leveson suggests the way to capture the “argument” is via design rationale based upon the Abstraction Hierarchy (AH), aka Ends-Means, aka Goal Oriented
Rasmussen et al. warn, however, that the Abstraction Hierarchy (AH) describes the Problem Space rather than the Solution Space
Cognitive Systems Engineering, 1st Edition, 1994, by Jens Rasmussen, Annelise Mark Pejtersen, L. P. Goodstein
How do we transform into the Solution Space?
URN and the Argumentation Terrain RATIONALE ≡ Means-Ends (aka Goal Oriented)
© Ray Feodoroff, 2015. Titled: URN and the Argumentation Terrain. DOI: 10.13140/RG.2.1.1295.1766
Various authors have contributed to an Argumentation Terrain for Architecture: Problems ↦ Solution_s, s ∈ {Requirements, Features, Aspects, Tactics}
User Requirements Notation (URN) is Agent Oriented (with a touch of Goal Oriented) and provides Rationale capture for decisions related to: Problems ↦ Solution_s, s ∈ {Requirements, Features, Aspects, Tactics}
Kelly (page 65) was actually not arguing about arguing, but was arguing notation v notation using:
https://www-users.cs.york.ac.uk/tpk/tpkthesis.pdf
GSN > X ∵ X ≠ GSN
Circular reasoning (Latin: circulus in probando, "circle in proving"; also known as circular logic) is a logical fallacy in which the reasoner begins with what they are trying to end with.
http://www.cs.virginia.edu/~jck/publications/issc.06.final.pdf
Prima Facie case for GRL over GSN
Muddying of the Waters
Prima Facie case for URN over GSN
URN and the Concretisation of Goals
Basic claims: Argument by Appeal to Authority
Coming principally from looking at arguments made for GSN in Design Rationale space, where:
NFR = Goal
GSN + BW = Goal + (Object + Operation)*
versus URN = Agent + Goal + Object + Operation + Obstacle
As introduced into the debate by York University: by Hall-May and Kelly, and by BW = Bate and Wu
* In terms of modelling idioms used in KAOS, BUT not as carried out in KAOS
The short history being …
Kelly’s 1998 starting position was:
Rationale_r ≠ Argument ∵ r ∉ {strategy, solution, assumption, justification}
2007+ we appear to be arguing:
Rationale = Argument + X ∵ GSN + X > Y
Although in 2005 we were arguing: GSN ≈ KAOS
– The formal goal oriented notation …
– Not the evil empire … … or is it an evil empire as:
“ve dernt goal-orient here!”
http://villains.wikia.com/wiki/Siegfried_(Get_Smart)
GSN ≈ NFR
(GSN ≡ Goal Satisfaction) ≈ NFR ⊊ KAOS_k
ARGUMENT ≡ RATIONALE ≡ ENDS-MEMES ((«Agents» + Actors)* ⊨ Socio-Technical) ⊨ Accidents in the Cognitive Science sense
Bate and Wu (2007/8) propose that: ARGUMENT ≡ RATIONALE, but only when: Goals + {Object, Operation}
Leveson argues: RATIONALE ≡ Ends-Means
Leveson argues: RATIONALE ≡ NFR?
– Object + Operation = Actor
– Actor = Technical
– «Agents» = Social
Where are the Agents? ∵ GSN ≈ KAOS
Is the Solution Space* Goal or Agent Oriented?
* Two senses here: 1) the Rasmussen sense and 2) the Orientedness of the software solution context. Both the system design context and the ensuing assurance argument should be in the Rasmussen Socio(Agent)-Technical(Actor) sense for the purposes of the debate. In the Orientedness of software solution sense, evidence from AI is that Agency is based upon the Rasmussen sense.
RATIONALE ≡ AGENT ORIENTED
GSN pulls up short and does not model Actor/Agent, Object, Operation, nor Obstacle
Intent Specifications are potentially a Vulnerability style Safety Case, so act as the First Temporal Slice of Argument
STPA is designed based upon Rasmussen's views on Accidents within Socio-Technical systems. Any Agents there?
STPA ⊨ Agency + Actor
High level Intentional (aka Agent/Actor Oriented) Meta-Model interpretation of Rasmussen’s Control-Theoretic model, as used in STPA. The model incorporates the notion of the Hierarchy of Controls, and some ideas from Resilience Engineering.
[Figure: meta-model elements Variability, Procedure, Isolation, Harm (UCM), Engineering Control, Modeling of Tractable Processes (UCM)]
© Ray Feodoroff, Resilient URN - STAMP: In support of the next wave of System Safety Analysis methods, Working Paper, May 2016, DOI: 10.13140/RG.2.1.2566.7443
UCM ⊨ Object + Operation + Obstacle
URN ≈ KAOS

Modeling Idiom    KAOS   GSN   URN
Actor/«Agent»     X      -     URN
Goal              X      X     GRL
Object            X      -     UCM
Operation         X      -     UCM
Obstacle*         X      -     URN

* UCM causal threads can play “good” cop or “bad” cop. Contributions in GRL can act as Goal Obstacles.
URN covers all the modelling idioms that KAOS does
QED: URN ≫ GSN
GSN ≈ NFR ⊊ URN ≈ KAOS − BW_bw
URN_u, u ∈ {«Agent»/Actor, Goal, Object, Operation, Obstacle}
KAOS_k, k ∈ {Agent, Goal, Object, Operation, Obstacle} ****
**** in KAOS an Agent can be either Technical or Social, think Actor/«Agent»
URN_u ≈*** KAOS_k
*** only in terms of count of modelling idioms
BW_bw*, bw ∈ {Object, Operation}
∴ KAOS_k ⊋ GSN** + BW_bw
** GSN only brings “Goal Satisfaction”
* describes the intent of Bate and Wu using KAOS idioms. Note Wu used the UCM component of URN, but not as an Object/Operation notation. Whether Obstacle is in or out of BW is moot, as the size of BW is only an indication of which modelling idioms GSN does not support as part of its use in Design Rationale capture claims. The overhead of integrating approaches then counts against GSN if the approaches fall into the same classes of idioms.
URN_u ≈ KAOS_k ⊨ URN ≫ GSN ∵ KAOS_k ⊋ GSN + BW_bw
Or simply …
A = B ∴ B = A
If there is an argument for a graphical Goal Satisfaction based Argumentation notation to move into the graphical Goal Satisfaction based Design Rationale notation space … then the converse is true: a graphical Goal Satisfaction based Design Rationale notation can move into the graphical Goal Satisfaction based Argumentation notation space.
Indeed, URN is ready to move into the graphical Argumentation space, but GSN is not ready to provide Argument for the Act of Design
Qualification of GSN …
¬(GSN + BW_bw ↦ Z.150)
https://www.itu.int/rec/T-REC-Z.150/en
https://www.itu.int/rec/T-REC-Z.151/en
No claims that attempts to morph GSN into Design Rationale space have met the prescriptive norms set by a community of practice through academic, industry and standards groups – albeit European/CDN and not UK/US meme based
URN is the subject of International Telecommunication Union standards (since 2003):
– ITU-T Z.150 User Requirements Notation (URN) - Language requirements and framework; and
– ITU-T Z.151 User Requirements Notation (URN) - Language definition
Interesting because … Argument ≠ Rationale
Prescriptive norms by York used to establish Argumentation Patterns where previously there were none
http://www.goalstructuringnotation.info/archives/category/resources/patterns
Would likely be required if GSN derived Design Rationale approaches were to be used in High Assurance, since ratification of the argument pattern is necessary to support claims
Rather, also relates to qualification of tools, since certification will be based upon the Design Rationale provided, and cannot hinge on the GSN modelling idiom alone
Prima Facie case for GRL over GSN
Muddying of the Waters
Prima Facie case for URN over GSN
URN and Concretisation of Goals
URN and Concretisation of Goals
– Goal Intention
– Causal Logic/Calculus
– Temporal Logic/Calculus
– Dependability and Security
– Design Decisions
Goal Intention
GSN_z, z ∈ {Attainment}, z ∉ {Maintenance, Cessation, Avoidance}
Goal Oriented: Attainment, Maintenance, Cessation, Avoidance
Has roots in philosophy (Aristotle), AI (Simon), Cognitive Science (Rasmussen and others), Psychology (various)
Vouched for by MIT
Supported by the Goal-oriented Requirement Language (GRL) component of URN
Causal Logic/Calculus GSN ∅

Goal Oriented   Causal Logic/Calculus
Attainment      Causes
Maintenance     Sustains
Cessation       Terminates
Avoidance       Prevents

Semi-formal specification, either for mid to lower levels of assurance, or for preliminary specifications ahead of concretization of design for higher levels of assurance
Supported by the Use Case Map (UCM) component of URN
Various authors use Causal Logic as the basis for Requirement Patterns
Temporal Logic/Calculus GSN ∅ Formality

Goal Oriented   Causal Logic/Calculus   Temporal Logic/Calculus
Attainment      Causes                  C⇒◊T
Maintenance     Sustains                □(C⇒T)
Cessation       Terminates              C⇒◊¬T
Avoidance       Prevents                □(C⇒¬T)

Transition to formal specification
Refinement towards formality in parallel with Assurance needs
Supported by alignment of the semi-formal semantics of UCM
Dependability and Security GSN ∅
© Ray Feodoroff 2015, URN and the Argumentation Terrain - Agility through Design Rationale fit for use as Temporal Assurance Justifications, Research, October 2015, DOI: 10.13140/RG.2.1.1295.1766
Connotes various methods from CMU SEI including QUASAR, ATAM, QAW
Insert URN based Argumentation Terrain here:
Avizienis, Laprie, Randell, Landwehr, "Basic concepts and taxonomy of dependable and secure computing" (c) 2004
– Threats ≡ Problems
– Means can be articulated using: Requirements, Features, Aspects, Tactics
Design Decisions GSN ∅

Goal Oriented   Causal Logic/Calculus   Temporal Logic/Calculus   Design Decisions (aka Means)
Attainment      Causes                  C⇒◊T                      Fault Forecasting
Maintenance     Sustains                □(C⇒T)                    Fault Tolerance
Cessation       Terminates              C⇒◊¬T                     Fault Removal
Avoidance       Prevents                □(C⇒¬T)                   Fault Prevention

Means driven by the Threats
Supported by an accompanying toolset with GRL based risk modelling, decision support, feature modelling, MSC generation
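The Temporal Logic/Calculus and Design Decisions tables above give each goal type a formula and a dependability means, but they do not show what "refinement towards formality" buys the assurance argument. The block below is an added example written for this page, not code from the original deck or from URN: it checks the four patterns against a finite execution trace and reports, for each failed goal, which means the page pairs with that goal type. Assumptions, labelled: the response-style formulas C⇒◊T and C⇒◊¬T are read as holding at every state (□(C⇒◊T), □(C⇒◊¬T)), ◊ is evaluated with finite-trace semantics (a witness must appear before the trace ends, so a missing witness is reported as "unwitnessed" rather than a definite violation), and the trace, propositions and goal names are constructed for illustration.

```python
# Added example (not the page's or URN's own code): checking the four
# goal-oriented patterns from the tables above on a finite execution trace
# and mapping each failed goal to the dependability means the page pairs it with.
# Assumptions, labelled: C⇒◊T and C⇒◊¬T are read as □(C⇒◊T) and □(C⇒◊¬T);
# ◊ uses finite-trace semantics; the trace and goal names are constructed.
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

State = Dict[str, bool]
Trace = List[State]
Prop = Callable[[State], bool]


@dataclass(frozen=True)
class GoalPattern:
    causal: str           # Causal Logic reading
    temporal: str         # Temporal Logic reading (as on the page)
    means: str            # dependability means paired with it on the page
    witness_needed: bool  # ◊ patterns: a failure on a finite trace may just be unwitnessed


PATTERNS = {
    "Attainment":  GoalPattern("Causes",     "□(C ⇒ ◊T)",  "Fault Forecasting", True),
    "Maintenance": GoalPattern("Sustains",   "□(C ⇒ T)",   "Fault Tolerance",   False),
    "Cessation":   GoalPattern("Terminates", "□(C ⇒ ◊¬T)", "Fault Removal",     True),
    "Avoidance":   GoalPattern("Prevents",   "□(C ⇒ ¬T)",  "Fault Prevention",  False),
}


def eventually(trace: Trace, i: int, prop: Prop) -> bool:
    """◊prop evaluated from position i on a finite trace."""
    return any(prop(s) for s in trace[i:])


def first_violation(kind: str, trace: Trace, c: Prop, t: Prop) -> Optional[int]:
    """Index of the first state at which the pattern fails, or None if it holds."""
    for i, s in enumerate(trace):
        if not c(s):
            continue                      # C ⇒ … holds vacuously when C is false
        if kind == "Attainment" and not eventually(trace, i, t):
            return i
        if kind == "Maintenance" and not t(s):
            return i
        if kind == "Cessation" and not eventually(trace, i, lambda x: not t(x)):
            return i
        if kind == "Avoidance" and t(s):
            return i
    return None


def assess(trace: Trace, goals: List[Tuple[str, str, Prop, Prop]]) -> Dict[str, dict]:
    """Per-goal verdict: 'holds', 'violated' (definite) or 'unwitnessed' (◊ obligation open at trace end)."""
    report = {}
    for name, kind, c, t in goals:
        p = PATTERNS[kind]
        i = first_violation(kind, trace, c, t)
        verdict = "holds" if i is None else ("unwitnessed" if p.witness_needed else "violated")
        report[name] = {"kind": kind, "temporal": p.temporal, "verdict": verdict,
                        "at": i, "means": p.means}
    return report


# Constructed trace: a pressure fault, an alarm that arrives one step late,
# then a relief valve opens and clears the overpressure.
TRACE: Trace = [
    {"fault": False, "alarm": False, "relief": False, "overpressure": False},
    {"fault": True,  "alarm": False, "relief": False, "overpressure": True},
    {"fault": True,  "alarm": True,  "relief": False, "overpressure": True},
    {"fault": True,  "alarm": True,  "relief": True,  "overpressure": False},
    {"fault": False, "alarm": False, "relief": True,  "overpressure": False},
]

fault = lambda s: s["fault"]
alarm = lambda s: s["alarm"]
relief = lambda s: s["relief"]
overpressure = lambda s: s["overpressure"]

GOALS = [
    ("fault causes alarm",             "Attainment",  fault,  alarm),
    ("fault sustains alarm",           "Maintenance", fault,  alarm),
    ("relief terminates overpressure", "Cessation",   relief, overpressure),
    ("alarm prevents overpressure",    "Avoidance",   alarm,  overpressure),
]

if __name__ == "__main__":
    for name, r in assess(TRACE, GOALS).items():
        print(f"{name:32} {r['temporal']:12} {r['verdict']:11} at={r['at']}  means={r['means']}")
```

On this trace the attainment and cessation goals hold, while the maintenance goal fails at state 1 (the alarm lags the fault, a Fault Tolerance gap) and the avoidance goal fails at state 2 (the alarm did not prevent overpressure, a Fault Prevention gap). The "unwitnessed" verdict is the caveat a practitioner wants from a bounded trace: on the first two states alone, "fault causes alarm" cannot be confirmed, but it has not been refuted either, so the argument should not claim it from evidence of that length.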
Stirring the memes … GSN ∅
© Ray Feodoroff 2015, URN and the Argumentation Terrain - Agility through Design Rationale fit for use as Temporal Assurance Justifications, Research, October 2015, DOI: 10.13140/RG.2.1.1295.1766
Argumentation Terrain Elements in red
Xu et al. (2005) provide guidance here, pointing out that NFR (aka Quality Attributes à la Avizienis et al. or CMU SEI style, and not the notation NFR