AutoFOCUS3 contains an editor, named ExplicitCase, which supports the construction of modular assurance cases, in compliance with the Goal Structuring Notation (GSN) standard.
Assurance cases constitute a proven technique to systematically demonstrate the safety/security/reliability of such systems using existing information about the system, its environment and development context, facilitating the bridging of the regulatory gap. Three parts can be identified as part of an assurance case. First, the goal that has to be achieved. Second, the evidence for achieving this goal and third, the structured argument constituting the systematic relationship between the goal the evidence. Assurance cases can be designed in a modular approach, by subdividing complex assurance cases into interconnected modules of assurance arguments and evidence.
The Goal Structuring Notation (GSN) is a well-known description technique for the development of engineering arguments to construct assurance cases. GSN uses a graphical argument notation to explicitly document the elements and structure of an argument and the argument's relationship of this evidence. An argument, based on GSN, may consists of several elements: Goals are the claims of an argument, whereas items of evidences are captured under Solutions. When documenting how claims are said to be supported by sub-claims, the Strategy-element is used and can be linked to Goals. A Context element captures and enables citation of information that is relevant to the argument. Rationale for a strategy can be described by a Justification element. GSN provides two types of linkage between elements: SupportedBy and InContextOf. SupportedBy relationships indicate inferential or evidential relationships between elements. InContextOf relationships declare contextual relationships. The benefit of having a structured graphical notation for assurance cases is that it supports the presentation of assurance cases to non-safety experts in a comprehensive manner.
ExplictCase is based on a metamodel derived from the GSN standard and offers a graphical editor facilitating the model-based development of assurance cases. An overview of the editor is shown in Fig. 1. The editor provides complies with the GSN standard, by allowing the user to build assurance cases via:
Properties of assurance argumentation nodes can be set in the Properties view. There are two types of properties, namely general properties, which may be set to all types of GSN nodes and specific properties, which may be set only to particular types of GSN nodes. The following properties are properties to be set to any type of GSN node:
Right-click on the away entity. A context menu will appear. Click on the Connect 2 Goal/Solution/Context menu item A wizard will appear. Select from the assurance argument nodes that appear in the wizard, one to which you want your away entity to point to. If the selected node was set as private, you will be asked if you want to change the visibility of the node. If not, the reference will not be done. Only public nodes may be referenced by away entities. In the Properties view, in the Referenced module ID the ID of the module containing the node referenced by the away entity node is automatically filled in.
According to the GSN standard, a node may take different states in the course of the assurance case development. One may right-click on a GSN node and select the following states: private/public, instantiated/uninstantiated, developed/undeveloped and supported by contact.
One way of designing assurance cases is by following the modular approach. In GSN, an assurance case module contains the objectives, evidence, argument and context associated with one aspect of the assurance case. In addition to the GSN argument elements presented in the previous paragraph, a module may contain away entities such as away goals, away solutions and away context elements. Away entities are references to the goal, solution or context in another module. Away goals cannot be (hierarchically) decomposed and further supported by sub-entities within the current module; rather, decomposition needs to occur within the referenced module. Inter-modular relationships are of two types: namely supported by and in context of relationships. A supported by relationship denotes that support for the claim presented by the away goal or away solution in one module is intended to be provided from an argument in another module. When there is an away context element in a module, that module is connected to another module by an in context of relationship; relationship that indicates that the context of a certain claim will be presented in details in another module.
Modularity of assurance cases has various advantages, namely:
ExplicitCase enables the user to model an assurance case containing several modules which are connected to each other through intra-module connections (see Fig. 4). Each such module contains an assurance argumentation structure, build up by GSN-defined elements specific to modularity in assurance cases (i.e., Away Goals, Optional Entities, Away Solutions, Away Contexts, Contracts) connected to each other by GSN-defined relationships. Each argumentation node within a module has a public indicator, which determines whether the element may be referenced in another module, or not.
Once you are done with specifying the modules of your assurance case, you can describe the assurance argument structure contained by these modules by adding argumentation nodes.
Here is an example of the assurance argumentation structure an assurance case module modeled in AF3:
Different coloring of GSN elements raises the assurance case developer's awareness about the existence of undeveloped or uninstantiated entities (see Fig. 5). In addition, contract modules have a distinct coloring in order to distinguish them from regular argumentation modules. We do not allow users to color nodes by themselves, in order to keep a certain meaning of each coloring so that anyone can easily "read" the coloring. This is motivated, by the fact that the GSN Standard says that, In cases where the elements defined in these sections are used in the development of instantiations of the patterns to produce individual assurance arguments, it is important to ensure that they are all removed, or instantiated, in the final, delivered, version of the argument.