3. Assurance Case
• A structured argument, supported by a body of
evidence that provides a compelling, comprehensible
and valid case that a system is safe for a given
application in a given environment (City Univ
London)
[Figure: a Goal at the top (e.g. "System is safe"), an Argument Structure beneath it, and Evidence at the leaves (e.g. a fault tree analysis result)]
4. Assurance Case
• Case: All the reasons that one side in a legal
argument can give against the other side.
• An Assurance Case is called a safety case when
arguing safety, a dependability case when arguing
dependability, …
• The term “Assurance Cases” is defined in
ISO/IEC 15026: Systems and software engineering -- Systems
and software assurance
[Figure: Assurance Case with its specializations Safety Case, Dependability Case, Security Case, …]
5. Background of Assurance Cases
• Piper Alpha Disaster (1988, 167 dead) and many serious
disasters since 1970
– Not only prescriptive procedures, but an argument, based on
evidence, for why those procedures actually achieve safety
• Prescriptive and Goal Based regulations
– Prescriptive: check safety lists given by standards
– Goal Based: develop an argument that the given safety goal is
achieved -> Safety Cases (Lord Cullen's Piper Alpha Disaster
Report)
– ISO26262 (automotive functional safety standard), EUROCONTROL
(Eurocontrol, 2006), the Rail Yellow Book (Rail Track, 2000), and MoD
Defence Standard 00-56 (MoD, 2007) require safety cases
6. Safety Cases in UK and World
• UK (EU): “Using safety cases in industry and
health care”, UK Health Foundation, 2012.12
– Avionics, Automobile, Defense, Atomic Plant, Oil,
Railway, Medical and Health Devices
http://www.health.org.uk/publications/using-safety-cases-in-industry-and-healthcare/
• World
– USA: medical devices such as infusion pumps
– Japan: new, but because of ISO26262 several
companies are now studying safety cases
7. Assurance Case Notation
• Mostly by natural languages
• Graphical Notations
– CAE (Claim, Argument, Evidence) by Adelard, UK
– GSN (Goal Structuring Notation) by University of York, UK
[Figure: side-by-side CAE and GSN diagrams of the same argument]
CAE and GSN are essentially the same, and the metamodel
is standardized as OMG SACM (Structured Assurance Case Metamodel)
9. Cons for Safety Cases
• Most papers about safety cases express
personal opinions or deal with how to prepare
a safety case, but not whether it is effective.
(Nancy Leveson, MIT)
11. DEOS and D-Case
DEOS (Dependable Embedded Operating
System) project funded by Japan Science and
Technology Agency (2006.10 – 2014.3)
• http://www.dependable-os.net/osddeos/index-e.html, or google "DEOS"
• D-Case project (D for Dependability), a sub-project for assurance
cases (2010.4-)
– Tool implementation, lectures, meetings, case
studies, standardization, …
ⓒ 2013 UEC Tokyo.
12. D-Case Meetings
• 2012.9.14(Nagoya), 12.20(Nagoya),
2013.4.19(Tokyo), 2013.10.22(Tokyo)
• Discussions
– Introduction of assurance cases in industries
– Use in ISO26262
– Visibility of GSN, etc.
• Participants
– Toyota, Yokogawa Electronics, Japan IBM,
Ogis RI, NTT Data, Denso Create,
Fuji Xerox, etc.
– More than 60 participants
• http://www.dcase.jp (English page soon to be open)
13. D-Case Editor
• An open, Eclipse-based GSN editor (2010.4-)
– http://www.dependable-os.net/tech/DCaseEditor/index-e.html
– GitHub https://github.com/d-case/d-case_editor
• From Oct 2013, Eclipse Public License
• Purposes
– Writing, presenting, sharing GSN
– Prototyping for research
• A few hundred downloads, tested by D-Case meeting
participants and researchers worldwide
18. Compliance to Assurance Case Standards
• Compliance to standards is important
– OMG SACM at OMG system assurance task force
• SACM = Structured Assurance Case Metamodel
• Harmonizing CAE and GSN
– GSN Community Standard v1.0 (2011)
• When implementing the GSN Community
Standard, we have several design choices
• By showing our design choices, we hope to
facilitate assurance case tool implementation
19. GSN Community Standard v1.0
• Part 0 Introduction and Concepts
• Part 1 Definition of GSN
• Annexes to Part 1
– Extension to GSN to support argument patterns
– Modular extensions to GSN
• Part 2 Guidance on the development and
evaluation of goal structures
• Annexes to Part 2
20. GSN Modules
B1.3.2.3 Contract modules can be
used in the support relationship
between modules to aid decoupling
as shown in Figure 32.
This de-coupling permits argument
module construction in cases
where the eventual source of
support for an argument is unknown at
the time of authoring or can be
changed for example through re-use
or planned product improvement or
reconfiguration.
(GSN Standard, p23)
[Figure: screenshot of the current implementation of contract modules]
22. Design Choices for Modules
(GSN Standard, p.17)
• What is a module? "module" is not so clearly
defined in the standard (Argument = GSN?)
– Interpret module as
"a GSN tree with one top goal"
• Away goals, solutions, contexts, …
– We do not want to introduce "away" nodes for
each kind of GSN node (too many kinds of nodes)
23. Design Choices for Modules
(GSN Standard p.17)
• Away goals by color change
– Referring node shown in green
– Referred node shown in orange
25. Snapshot of GSN modules for a LAN device management system
[Figure: architecture of the LAN device management system and its GSN modules]
26. Some issues in Parameters
• We focus on parameters
– How to define parameters?
– What is the scope of parameters?
– In {System X}, what is "System"?
27. Design Choices for Patterns
• Use context nodes to define parameters
• Scope is subtree of goal of the context
• Introduce types for parameters
– Currently Int, double, string, enum
28. A Snap Shot of Parameter
[Figure: editor snapshot showing the definitions of Availability and SIL in context nodes, and the subtrees that form the scope of each parameter]
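The design choices on slides 22-23 (a module is a GSN tree with one top goal; an away goal stands in for support that lives in another module) and on slides 26-27 (parameters are declared in context nodes, typed as int, double, string or enum, and scoped to the subtree of the goal the context is attached to) can be exercised in code. The Python below is an added example written for this page; it is not D-Case Editor code, and the two-module security case it builds (the node ids, the "LAN device manager" system, the SIL/Exposure/Scheme parameters and the evidence labels) is constructed for illustration only.

```python
import re
from dataclasses import dataclass, field

SCALAR_TYPES = {"int": int, "double": float, "string": str}  # enum handled separately
PLACEHOLDER = re.compile(r"\{([A-Za-z_][A-Za-z0-9_]*)\}")     # {Name} in node text


@dataclass
class Node:
    """One GSN element; kind is goal, strategy, solution, away_goal or context."""
    id: str
    kind: str
    text: str
    children: list = field(default_factory=list)  # SupportedBy relations
    contexts: list = field(default_factory=list)  # InContextOf relations
    params: dict = field(default_factory=dict)    # context nodes only: name -> spec
    module: str = ""                              # away_goal only: supplying module


def check_param(name, spec):
    """Validate one parameter definition against its declared type; return the value."""
    kind, value = spec["type"], spec["value"]
    if kind == "enum":
        if value not in spec["values"]:
            raise TypeError(f"{name}={value!r} is not one of {spec['values']}")
    elif kind in SCALAR_TYPES:  # bool is an int subclass in Python, so reject it explicitly
        if isinstance(value, bool) or not isinstance(value, SCALAR_TYPES[kind]):
            raise TypeError(f"{name}={value!r} is not of type {kind}")
    else:
        raise TypeError(f"{name}: unknown parameter type {kind!r}")
    return value


def instantiate(node, env=None):
    """Replace {Name} placeholders in a (sub)tree; returns {node id: instantiated text}.
    A parameter defined in a context attached to a goal is visible only inside that
    goal's subtree, so the environment is copied per branch and never flows upward."""
    env = dict(env or {})
    for ctx in node.contexts:
        for name, spec in ctx.params.items():
            env[name] = check_param(name, spec)

    def substitute(match):
        name = match.group(1)
        if name not in env:
            raise KeyError(f"{node.id}: parameter {{{name}}} is used outside its scope")
        return str(env[name])

    out = {node.id: PLACEHOLDER.sub(substitute, node.text)}
    for ctx in node.contexts:
        out[ctx.id] = ctx.text
    for child in node.children:
        out.update(instantiate(child, env))
    return out


def unsupported(modules):
    """Ids of goals/strategies with no support and of away goals whose module is missing."""
    missing = []

    def walk(node):
        if node.kind == "away_goal":
            if node.module not in modules:
                missing.append(node.id)
        elif node.kind in ("goal", "strategy") and not node.children:
            missing.append(node.id)
        for child in node.children:
            walk(child)

    for top in modules.values():
        walk(top)
    return missing


def build_modules():
    """Constructed two-module security case (hypothetical; not taken from the slides)."""
    sys_ctx = Node("C1", "context", "Target system and integrity level", params={
        "System": {"type": "string", "value": "LAN device manager"},
        "SIL": {"type": "int", "value": 2},
        "Exposure": {"type": "enum", "value": "internet", "values": ["lan", "internet"]}})
    system = Node("G1", "goal", "{System} is acceptably secure at SIL {SIL}", contexts=[sys_ctx],
        children=[Node("S1", "strategy", "Argue over each credible threat to {System}", children=[
            Node("G2", "goal", "Admin login of {System} ({Exposure} exposure) resists credential stuffing",
                 children=[Node("Sn1", "solution", "Penetration test report PT-2013-07")]),
            # Away goal: its support lives in the Firmware module (slides 22-23).
            Node("G3", "away_goal", "Firmware of {System} is signed and verified at boot",
                 module="Firmware")])])
    fw_ctx = Node("C2", "context", "Signing scheme", params={
        "Scheme": {"type": "enum", "value": "ECDSA-P256", "values": ["RSA-2048", "ECDSA-P256"]}})
    firmware = Node("G10", "goal", "Firmware image is signed with {Scheme} and verified at boot",
        contexts=[fw_ctx], children=[Node("Sn2", "solution", "Boot-loader signature check log")])
    return {"System": system, "Firmware": firmware}


def scope_error(node):
    """True if instantiating node on its own uses a parameter that is not in scope."""
    try:
        instantiate(node)
        return False
    except KeyError:
        return True
```

`instantiate` walks one module from its top goal, so a placeholder whose defining context sits in another module, or in a sibling subtree, raises instead of silently resolving; that is the "what is System in {System X}" question from slide 26 answered by scope rather than by guesswork. `unsupported` reports leaf goals with no solution and away goals whose target module is absent, which is the check a reviewer wants before accepting a case assembled from re-used modules.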
29. Publicly available tools we have tested
Tool Name                              | Platform                    | Notations     | GSN Modules                          | GSN Patterns
ASCE (Adelard)                         | None (Windows XP or later)  | GSN, CAE      | Partly?                              | Not yet?
Visio Plug-in (York)                   | Visio                       | GSN           | Not yet?                             | Not yet?
NASA CertWare (Open Source)            | Eclipse                     | GSN, CAE, etc | Not yet                              | Not yet
GSN Editor (Dependable Computing LLC)  | Web browser                 | GSN           | Not yet                              | Not yet
D-Case Editor (DEOS)                   | Eclipse                     | GSN           | Partly (contract nodes are not done) | Partly (only parameters)
Others: AdvoCATE (NASA, will be open source), AutoFOCUS3, acedit (York, not tested),
E-Safety Case (Praxis), GSN CaseMaker (ERA), ISCADE, ISIS High Integrity Solution, TACE, …
30. Concluding Remarks
• D-Case Editor, an open source assurance case
editor
• Tool implementation, use in industries, and
standardization should be co-developed
[Figure: cycle linking Tool Implementation, Open Source Development, Standardization and Use in Industries]