
Thursday, January 14, 2021

Structured Arguments for Assurance Case

Abstract

The paper describes an approach to improving Assurance Case applicability through structured argumentation. We started from an approach based on a two-step argumentation structure, consisting of a reasoning step and an evidential step, supported by structured text. We then improved the existing method on the following points: a) a general algorithm for the development of the Assurance Case is proposed; b) the relations between the argumentation graph and the templates of structured text are explicitly explained; c) the structured text is supplied with clear templates. We implement a case study applying the obtained method to arguing functional safety compliance. The general conclusion is that this method makes the Assurance Case methodology more practical and understandable.

History and Concept of Assurance Case

For safety-critical and security-critical applications we always need to argue or assert that some system is safe. Obviously, a number of criteria must be introduced for that. However, we also need to determine how reliable our knowledge about the analyzed system is. Why can we trust this knowledge? What makes our arguments and reasoning credible? Having delved into such problems, one cannot do without philosophical disciplines such as ontology, epistemology and logic. The next step is to understand how we should justify or assess safety and security in a reasonable and logical way. Such an approach is based on the theory of argumentation. The Assurance Case (AC) is a structured argument that some system has some properties we desire: that it is safe, or reliable, or secure against attack.

The British philosopher Stephen Toulmin gave a new impetus to the modern development of argumentation in the work entitled "The Uses of Argument", published in 1958. Toulmin extended the logical implicative inference with additional parameters and proposed to represent this operation in graphical form. Toulmin's notation operates with the following entities: data (D), the initial data for analysis; claim (C), the purpose of the logical implicative inference (If D, so C); warrant (W), an additional argument; qualifier (Q), the degree of confidence in the result of the logical inference; rebuttal (R), an additional counterargument. Argument maps were used to visualize reasoning before Toulmin, but it was he who most successfully generalized the structural model for the analysis and verification of arguments. Note that modern argument maps do not use Toulmin's notation directly, because they favour greater simplification.

In the 1990s, researchers continued to seek new approaches to assessing safety. The idea seems to lie on the surface: let us develop a special notation to justify the compliance of man-made objects and systems with requirements. Two British university teams took up this work: City, University of London, where the spin-off company Adelard was formed, and the University of York. Today Adelard and the University of York still occupy leading positions in the promotion of the AC. In developing the notations, the emphasis was placed on logical reasoning that a property or component of the system meets the stated requirements. The works of Stephen Toulmin, which we have already considered, were chosen as the theoretical basis. As a humanities scholar, Toulmin hardly thought about technical systems; however, he went down in history, among other things, as the founder of argumentation for the AC. As a result, the University of York developed the Goal Structuring Notation (GSN), while Adelard developed the Claim, Argument and Evidence (CAE) notation, as well as the software tool Adelard ASCE (Assurance and Safety Case Environment). Despite all its benefits and some successful applications, the AC is well known only in a few restricted areas.

Developing evidence to support compliance is a creative process that is highly human-driven. So, what is the most practical and realistic method for developing the AC? Some drawbacks are associated with the lack of argumentation techniques. One of the authors who have attempted to bridge this gap is John Rushby, who proposed a modified GSN approach to structured argument development. In this paper, we adopt the structured argument approach as the basis and go further to make it more usable and practical.

Improvement of Argumentation

A new wave of AC research appeared after some critical notes made in the so-called Nimrod Report published in 2009. It became clear that neither the philosophy literature nor other disciplines that use argument seem to offer a universal theory of knowledge that is applicable to safety arguments. Normative models of informal argumentation do not offer clear guidance on when an argument should cite evidence rather than appeal to a more detailed argument. Therefore, the improvement of argumentation stimulated a lot of papers devoted to this issue, taking into account that there is no complete agreement on which kind of evidence could be sufficient.

The epistemology-based approach takes into account the study of the nature of knowledge, justification, and the rationality of belief ("What makes justified beliefs really justified?"). Recognition of a set of rules for what counts as sufficient evidence for a given kind of claim under given circumstances would provide developers, assessors, and regulators with a practical means to make justified decisions about how much detail an argument should have and whether an argument is sufficiently compelling.

Eliminative induction was first suggested by Sir Francis Bacon for evaluating confidence in a claim. The idea is that confidence in a hypothesis (or claim) increases as reasons for doubting its truth are identified and eliminated (Baconian confidence).

Transformation of Typical Arguments in a Structured Argument Form

There are some shortcomings in the existing works, which are due to the lack of satisfactory practical argumentation techniques. Thus, in order to apply the AC methodology, it is necessary to select and improve appropriate mathematical and methodological approaches for structuring the argumentation. Argumentation in the AC corresponds to implication in logic, where the truth of the conclusion depends on the truth of the conditions. A logical rule involves a logical multiplication (conjunction) of the form SC1 AND SC2 … AND SCn IMPLIES C, where the SCi are subgoals, which can also be complex expressions.

As noted above, there are some drawbacks in the existing papers that are related to the lack of argumentation techniques. One of the few authors who have attempted to address this gap is John Rushby, who in his technical report offers an approach to developing structured arguments based on a modified GSN. In this section we use and update this approach.

The classical application of GSN (Fig. 1) is characterized by supporting the argumentation steps (AS) of any claim (C) with both subclaims (SC) and evidence (E). This approach has some drawbacks, which are due to the inability to always have a regular and typical argument structure.

Fig. 1. Transformation of a typical argument form to a structured argument form

A modification of the argumentation steps is proposed to reduce them to a typical two-step structure. The first step, called the reasoning step (RS), is an analysis of the subgoals that are aimed at achieving the primary goal; there is no recourse to evidence at this step. In the second step, called the evidential step (ES), the evidence supporting the subgoals formulated in the previous step is provided. Thus, the graph of the argumentation structure is transformed as shown in Fig. 1. This allows us to make a connection between the concept of safety and security (the goal) and our knowledge of the physical world (the evidence).

To further formalize the RS and ES, it is suggested to use structured text. This approach is appropriate, but in our opinion it has a number of opportunities for improvement, such as the following: a) there is no general algorithm for the development of the Assurance Case; b) the relations between the argumentation graph and the templates of structured text are not explicitly explained; c) the structured text does not have clear templates.

Argumentation Improvement: Hierarchy of Requirements and Templates of Structured Text

In addition, the development of the AC is in many ways a creative process, which depends heavily on the human factor. Below is an improvement of the approach which, in our view, will allow us to move further in structuring the arguments of the AC and eliminate the above shortcomings. We demonstrate the possibility of explicitly combining the AC with structured text components. Let us present the hierarchy of requirements that creates the structure of the AC in the form of a pyramid. In most regulatory requirements for control systems, the structure of requirements includes 3 or 4 levels (Fig. 2).

Fig. 2. Hierarchy of requirements to control systems and a relation of requirements with argumentation steps

Level zero is a meta-goal according to which the control system must meet all safety requirements. At the first level, global safety goals are achieved, for example, according to functional safety requirements:

- The safety and security management system shall achieve all safety objectives;

- Safety and security life cycle should be implemented during system development;

- A sufficient set of measures against random failure must be applied to the system;

- A sufficient set of measures against systematic and software failures, including cyberattack defense, must be applied to the system.

The requirements groups contain related requirements and support one or another of the global goals. For example, the requirements for safety and security management in IEC 61508 include requirements for human resource management, configuration management, documentation management, and others.

The structure of the links between the zero, first and second levels is a sufficiently transparent tree and does not require detailed elaboration of the arguments, since these arguments are typical and well tested. However, structured arguments are required when moving from the second level to the lower levels. The requirements of the lower levels may be either composite (i.e. including a number of separate requirements) or separate. If all requirements are separate, this level becomes the third one, and then it is directly related to the subgroups of requirements.

Fig. 2 combines the overall structure of the AC and the algorithm for constructing structured arguments. Such arguments should be developed for the second, third and fourth (if any) levels. The approach to argument structure is introduced in Fig. 1. For the lowest level, besides the RS, the ES should also be applied. Since it is not appropriate to add detailed information about the content of the arguments to the graph structure, each node of the AC, starting from the second level, is marked with an argument description using so-called structured text (ST). Notice that the AC is not a strict tree, because the same evidence can support different arguments or subgoals.

Let us develop a typical structured text configuration for the reasoning and evidential steps using the GSN components. The structured text has a template with a set of fields that are denoted by service words corresponding to the GSN components. We need to provide two templates, one for the RS and one for the ES (Fig. 3, 4). In these templates, the names of the service words are given in bold, and italics provide a brief description of the content that should fill the template fields.

Fig. 3. A template of structured text for a reasoning step

Fig. 4. A template of structured text for an evidential step

Algorithm for the Structured Argumentation Method

Based on the results obtained in the previous section, we can draw a formalized algorithm for the structured argumentation method (Fig. 5). For that, we use the activity diagram notation of UML. The steps of the algorithm are related to the levels of the hierarchy of requirements represented in Fig. 2. The input data for applying the method include a database of standards applicable to the domain of the licensed system.

Fig. 5. An algorithm for application of the structured argumentation method

The first step of the method application is an analysis of the standards database. The expected result is the extraction of a general set of requirements which has to support the top level of global goals (GG) for safety and security. A typical set of GG for a safety-related application includes requirements for management, life cycle, protective measures and assessment. The GG can be represented in the form of a simple mind map.

The next step is the decomposition of the GG into groups of requirements (GR). It contains a top-down analysis of all requirements related to any specific GG. It is possible to use only one target standard as well as a set of standards specified in the requirements for the licensed system. The expected result has to contain sets of text fragments which cover the GG one by one.

At first, a separate GR can be represented in the form of a mind map. Later it can be transformed into GSN with the use of software tools. It is reasonable to draw the AC graph (GSN graph) for each separate group of requirements. However, if any relations between subgoals or evidence of different GRs of one GG are discovered, then the AC graph should be built for the GG as a whole. The next step is the first RS, which decomposes a GR into SGs. For this step we use the template of ST (see Fig. 2). An issue is that some SGs can be composite, so such SGs require further decomposition into separate SGs.

Case Study: Application of the Structured Argumentation Method

Let us synchronize the AC with the hierarchy of requirements (Fig. 2). For this, we apply the obtained method (Fig. 5). The meta-goal (Level 0) is the compliance of some abstract system with all identified safety and security requirements. The goals of Level 1 correspond to the main parts of the safety and security issues, such as concept and functions, standards and regulations, system architecture, etc. In this paper we consider the Level 1 goal related to safety & security management and assessment.

The transition from the Level 1 goal to the Level 2 groups of requirements contains an analysis of the existing requirements for safety & security management and assessment, such as human resource management, configuration management, software tools selection and evaluation, etc. Let us consider documentation management at Level 2. The goal is that documentation management complies with all identified requirements.

The transition from the Level 2 group to the Level 3 requirements contains the RS, which is based on an analysis of the IEC 61508 requirements for documentation management. Such requirements are contained in IEC 61508, Part 1 "General requirements", Section 5 "Documentation". This RS transforms the text of IEC 61508 into a set of subclaims related to the Level 2 claim (documentation management complies with all identified requirements). Also, during the identification and analysis of the subclaims we shall identify composite requirements for which we need one more level to obtain separate requirements, so more argumentation steps will be performed for the transition from Level 3 to Level 4. Fig. 6 represents the RS for Level 2 and demonstrates that most of the subclaim requirements are separate, so the next step for them is the ES. The exceptions are SC6 and SC10, which are composite requirements, so for them we need one more RS to transit from Level 3 to the separate requirements of Level 4 (Fig. 6).

Reasoning Step (Documentation Management)

Context

Connection between the group of Documentation Management requirements of the Assurance Case Level 2 and composite and separate requirements of Level 3

Docs

Documentation Management Plan

Claim

Documentation Management complies with IEC 61508 requirements

Subclaim SC1 (IEC 61508-1, 5.2.1), SEPARATE

Documentation supports all phases of safety life cycle

Subclaim SC2 (IEC 61508-1, 5.2.2), SEPARATE

Documentation supports functional safety management

Subclaim SC3 (IEC 61508-1, 5.2.3), SEPARATE

Documentation supports functional safety assessment

Subclaim SC4 (IEC 61508-1, 5.2.4), SEPARATE

Documentation complies with standards

Subclaim SC5 (IEC 61508-1, 5.2.5), SEPARATE

Documents are available

Subclaim SC6 (IEC 61508-1, 5.2.6a,…,d), COMPOSITE

Documents have sufficient quality

Subclaim SC7 (IEC 61508-1, 5.2.7), SEPARATE

Documents have title and content

Subclaim SC8 (IEC 61508-1, 5.2.8), SEPARATE

Documents comply with procedures and practices

Subclaim SC9 (IEC 61508-1, 5.2.9), SEPARATE

Documents have version numbers

Subclaim SC10 (IEC 61508-1, 5.2.10a,b), COMPOSITE

Documents have structure for search support. The last version of documents can be identified

Subclaim SC11 (IEC 61508-1, 5.2.11), SEPARATE

Document control system is implemented

Justification

Structure and content of Documentation Management Plan

END Reasoning Step

Fig. 6. Structured text for the reasoning step of Level 2

Further analysis of point 5.2.6 of IEC 61508-1 shows that there is a list of four additional requirements. All these requirements are related to the quality of documents, so they can be covered by the same ES. The same situation holds for point 5.2.10 of IEC 61508-1.

This case does not affect the structured argument form. We propose an additional operation, convolution, for the framework of structured argumentation. We can apply the convolution if the separate requirements related to one composite requirement are supported by the same evidential step. The convolution also entails a simplification of the Assurance Case graph in the part of the transition between Level 3 and Level 4. At Level 4 we have six more separate SCs (four plus two), so no more decomposition is needed. The next step is the application of the ES as per the developed template. The results of the ES implementation are given in Fig. 7.

Evidential Step ES1,…,ES11

Context

Connection with the subclaims of Level 3 and Level 4

Docs

Documentation Management Plan; Project Repository

Claim

SC1,…, SC11

Evidence E1

Strategy of documentation for functional safety

Evidence E2

Documents access rights

Evidence E3

Documents preparation review and approval

Evidence E4

Documents list and responsibilities

Evidence E5

Documents format and templates

Evidence E6

Documents version and change control

Evidence E7

Project repository structure

Evidence E8

Document control system

Claim → Evidence

SC1 → E1; SC2 → E1; SC3 → E1; SC4 → E1; SC5 → E2&E3&E4; SC6 → E5; SC7 → E5; SC8 → E1; SC9 → E6; SC10.1 → E5; SC10.2 → E6; SC11 → E7&E8

Justification

Structure and content of E1,…,E11

END Evidential Step

Fig. 7. Structured text for the evidential step
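As an added example (not the paper's own code or tooling), the case-study argument of Fig. 6 and Fig. 7 written as data in Python, together with the Level 3 to Level 4 decomposition, the convolution operation described above and a completeness check on the evidential step. The part identifiers SC6.a to SC6.d are constructed here; the paper names only SC10.1 and SC10.2.

```python
from collections import Counter

# Reasoning step (Fig. 6): Level-3 subclaims of the claim "Documentation
# Management complies with IEC 61508 requirements"; two are composite.
SUBCLAIMS = [f"SC{i}" for i in range(1, 12)]
COMPOSITE = {"SC6", "SC10"}
# Level-4 separate requirements of the composites. The paper says SC6 has four
# parts (5.2.6 a..d) and SC10 two; the part ids for SC6 are constructed here.
PARTS = {"SC6": ["SC6.a", "SC6.b", "SC6.c", "SC6.d"], "SC10": ["SC10.1", "SC10.2"]}

# Evidential step (Fig. 7): Claim -> Evidence links for the Level-4 leaves.
# All four parts of SC6 rest on E5, as the paper states.
EVIDENCE = {f"E{i}" for i in range(1, 9)}
SUPPORT = {"SC1": {"E1"}, "SC2": {"E1"}, "SC3": {"E1"}, "SC4": {"E1"},
           "SC5": {"E2", "E3", "E4"}, "SC7": {"E5"}, "SC8": {"E1"},
           "SC9": {"E6"}, "SC11": {"E7", "E8"},
           "SC6.a": {"E5"}, "SC6.b": {"E5"}, "SC6.c": {"E5"}, "SC6.d": {"E5"},
           "SC10.1": {"E5"}, "SC10.2": {"E6"}}

def leaves(subclaims, composite, parts):
    """Level 3 -> Level 4: a composite subclaim is replaced by its separate
    requirements; a separate subclaim is already a leaf."""
    out = []
    for sc in subclaims:
        out.extend(parts[sc] if sc in composite else [sc])
    return out

def convolve(composite, parts, support):
    """Convolution: when every part of a composite subclaim is supported by the
    same evidence set, the composite itself becomes the leaf (SC6 -> E5);
    otherwise the parts stay (SC10.1 -> E5, SC10.2 -> E6, as in Fig. 7)."""
    folded = dict(support)
    for sc in composite:
        sets = [support[p] for p in parts[sc]]
        if all(s == sets[0] for s in sets):
            folded[sc] = sets[0]
            for p in parts[sc]:
                del folded[p]
    return folded

def check(leaf_ids, evidence, support):
    """Completeness of the evidential step: every leaf is backed by at least
    one evidence item, and every evidence item backs at least one leaf."""
    problems = [f"{sc} has no evidence" for sc in leaf_ids if not support.get(sc)]
    used = set().union(*support.values())
    problems += [f"{e} is unused" for e in sorted(evidence - used)]
    return problems

def evidence_fan_in(support):
    """Number of claims each evidence item supports; any count above 1 is why
    the Assurance Case graph is not a strict tree (E1 supports five)."""
    return Counter(e for es in support.values() for e in es)

if __name__ == "__main__":
    print(sorted(convolve(COMPOSITE, PARTS, SUPPORT)))
    print(check(leaves(SUBCLAIMS, COMPOSITE, PARTS), EVIDENCE, SUPPORT))
    print(evidence_fan_in(SUPPORT).most_common(3))
```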

Fig. 8. GSN graph for the Assurance case based on structured argumentation

Conclusion

An analysis of the existing approaches to the development of the Assurance Case has been conducted. Existing works have some drawbacks due to the lack of satisfactory practical argumentation techniques. One of the few authors who attempted to address this gap is John Rushby, who in his technical report offers an approach to developing structured arguments based on a modified GSN and structured text. In this paper, we use and develop this approach.

Thus, in order to apply the Assurance Case methodology, a mathematical and methodological apparatus for structuring the argumentation was selected and improved. We obtained a structured argumentation method including the following: the overall algorithm of Assurance Case development; the proposed structure of the Assurance Case graph, which is based on the typical structure of the arguments and is developed in connection with the structured text describing these arguments; and improved structured text templates for argument description. The obtained method can be used as the basis of an appropriate argumentation framework supported by a set of formal operations performed on the Assurance Case graph and the supporting structured text.

We applied the proposed structured argumentation method to the group of requirements related to documentation management. As a result, we obtained a template with the Assurance Case graph and structured text related to typical reasoning and evidential steps. The obtained practical and theoretical results may be used for any kind of safety- and security-critical system and application.
