investigating the use of argument modularity to optimise ... - CiteSeerX

INVESTIGATING THE USE OF ARGUMENT MODULARITY TO OPTIMISE THROUGH-LIFE SYSTEM SAFETY ASSURANCE G. Despotou, T. Kelly High Integrity Systems Engineering Research Group, Department of Computer Science, University of York, York, YO10 5DD, UK

Keywords: Safety case maintenance, argument contracts, system assurance.

Abstract

modular

GSN, •

operation, which will need to be integrated to the system’s existing safety case. Obsolescence of components or subsystems will force developers to offer alternatives for specific parts of the system. These parts may have a different operational behaviour, and development or testing regimes. Upgrades as part of an ongoing process of perfective and corrective maintenance. System updates may invalidate the reasoning and supporting evidence that existed in the system’s original safety case.

Safety cases are now regularly used to communicate the argument about the achievement of acceptable levels of safety • for safety critical systems. Increasingly, safety standards such as Defence Standard 00-56 [6] require the scope of the safety case to cover not only the development of the system, but also operating and maintenance through life, including decommissioning. This involves two dimensions of safety The Goal Structuring Notation (GSN) is a popular means of case management: safety case development and safety case representing the underlying argument of a safety case – and maintenance. can be used to create a compositional safety case. By creating argument modules that focus on a particular aspect of the The development of modular safety cases is considered to system, potential changes should affect only the relevant address to some extent a number of challenges during argument modules, minimising the impact of change. development and maintenance. In modular safety cases, the Moreover, referencing other argument modules, GSN allows safety case argument and evidence are organised into separate the addition of arguments about aspects of the changing part but interrelated and cross-referenced modules. However, the of the system; hence maintaining the degree of assurance of adoption of modular safety case development approach is not the overall safety case. a panacea. Alongside the advantages listed, modular safety cases can bring a number of new challenges that need to be 2 Degree of assurance in safety cases taken into account. This paper discusses some of these difficulties, together with suggested mitigation strategies. The overall purpose of a safety case is to communicate an argument capturing the position of achievement of acceptably safe system operation. The argument is supported by 1 Introduction evidence that demonstrates that its (argument) claims are true. A safety argument explains how the available evidence It is important that adequate evidence supports the argument. supports the claim that the system in question meets its safety Traditionally, (process based) standards such as the IEC requirements. The safety argument should communicate 61508, the UK Defence Standard 00-55 [5] and the DO-178B, assurance regarding the entire lifecycle of the system, have a predetermined set of activities (and associated including decommissioning. This involves managing changes evidence), which, when followed by the system developers, that will take place throughout the system lifecycle, which are considered to sufficiently support a claim about the inevitably will affect parts of the reasoning that constitutes acceptable safety of a system. the safety case. Consequently, it may compromise the validity of the argument that the safety case communicates, This approach is presently considered to incubate a number of resulting in changes in the argument structure. The safety challenges in terms of the confidence with which a position case should be able to maintain the degree of assurance of the regarding the system is communicated [2]. UK Def Stan 00safety claims of the system dealing with: 56 issue 4 requires that “the quantity and quality of the evidence shall be commensurate with the potential risk posed • Reuse of a certified COTS. Use of pre-certified COTS by the system and the complexity of the system” [6]. As may provide advantages over the effort and cost of stated in Def Stan 00-56, sufficiency of available evidence is developing bespoke solutions. Often, COTS are not only related to quantity. There are a number of other accompanied by evidence supporting claims about their attributes, which determine the quality of the association between the supported position of the argument and the

evidence. Weaver [8] presents a framework identifying how 3 Compositional safety cases using GSN the quality of evidence contributes to the assurance of the overall argument. Moreover, he states that the correct The Goal Structuring Notation (GSN) [4] provides a balance depends on the suitability of evidence, which is based framework (consisting of a notation and method) that can be on how well the evidence assures the claims of the safety used to capture and graphically represent any argument. GSN case. Assurance is not expressed in definite terms. The has become an increasingly popular means of capturing the degree of assurance depends on subjective evaluation of its argument of a safety case. Often, when establishing a case contributing attributes. For example, it is common that the there is a need to reuse arguments that are either: trustworthiness of evidence cannot be measured. Nevertheless a process (producing evidence), which has been • Generalised argument approaches, whose concepts apply irrespective of a particular system and applicable context. used in a period of years, and many developers could be For example, arguing about mitigation of identified justifiably considered as being ‘highly trustworthy’. Similarly hazards is a very common argument used in the reasoning evidence can be considered more trustworthy depending on of the majority of safety cases. the type of the analysis method used. For example, formal methods evidence is considered highly trustworthy. • Context dependent but cohesive and reusable arguments. For example an argument about a component, sub-system or COTS component, that can be integrated to the Assurance reasoning of the safety case of any system.

Relevance

Directness

Coverage

Trustworthiness

Independence

Conceptual and mechanistic Conceptual but not mechanistic Mechanistic but not conceptual No independence

Figure 1: A potential safety case architecture and system changes. Introducing a change to the design can affect the assurance of the argument even in the case when the argument structure remains valid. For example, outsourcing the generation of evidence (i.e. testing) to an independent company is not uncommon in order to reduce cost, or to remove potential bias. In this case the argument would not undergo any structural changes. However, the trustworthiness of the evidence could potentially be challenged, since factors such as the rigour of the followed process and the competency of the personnel will change. Similarly, the other attributes of assurance can be affected by a change. An example when relevance is compromised is with the use of a COTS component that has been tested to a narrower range of values than the associated safety case claim suggests. Rectifying assurance in the presence of a change would require additional support to the affected part. Recovering from the impact of change can be achieved by referencing argument modules that present the reasoning concerning the affected argument. For example, additional arguments may be needed to communicate compliance to a certain ‘trusted’ process. Moreover, justification can be associated with specific individual arguments, communicating the trustworthiness of the available evidence (e.g. by appeal to competence of the personnel). This way, a ‘compositional’ safety case is created comprising of multiple individual arguments. Using GSN, a compositional safety case can be created using the modular argumentation extensions.

Two GSN extensions offer provisions for reusing arguments; patterns and modular argumentation. Patterns provide the concepts to capture a generalised argument. Instantiating the argument for a particular context (i.e. the system in question) will systematically guide the developers through the considerations of the argument (e.g. the particular hazards for the system). Modular GSN extensions allow cohesive arguments (and evidence) to be captured as argument modules, which can be referenced from other argument modules. This results in a chain of reasoning, which consists of the linked claim structures communicated by individual argument modules. Goals Supported by contract High level dependability argument

GSN Contracts

TOM Argument