Document 6514516
Transcription
Document 6514516
The Goal Structuring Notation (GSN) High Integrity Systems Engineering Group Introduction Purpose of GSN Purpose of a Goal Structure The Goal Structuring Notation (GSN) is a framework used to capture and graphically represent assurance arguments. It has evolved and been used for over ten years, motivated by the inadequacy of plain text to clearly and traceably represent the inferences in an argument. GSN offers sufficient concept richness to depict the reasoning in an assurance case. To show how goals are broken down into sub-goals, and eventually supported by evidence ( solutions) whilst making clear the strategies adopted, the rationale for the approach (assumptions, justifications) A/J and the context GSN Elements Goal: A goal communicates a claim about the system and they represent post-conditions. Context: Captures and enables citation of information that are relevant to the argument. in which goals are stated GSN Six Step Method The Six step method provides guidance on how to create GSN structures. 1. Identify goals to be supported Strategy: Strategies explain the inference between parent and children goals. 2. Define basis on which goals are stated Solution: Represents information that can directly (without further inferences) support a goal. 4. Define basis on which strategy is stated 3. Identify strategy to support goals 5. Elaborate strategy – goto step 1 Solved By: Shows support (decomposition) of argument elements. 6. Identify solution In Context Of: Captures association with context. GSN Structure Example – Industrial (Mechanical) Press Safety Argument The Goal Structuring Notation High Integrity Systems Engineering Group What is an Argument Reusing Arguments Patterns: Patterns provide the concepts to capture a generalised argument. Instantiating the argument for the system in question and in its context, will systematically guide the developers through the considerations of the argument (i.e. the particular hazards for the system). An argument is described as being a connected series of statements or reasons intended to establish a position. Arguments consist of claims and inferences. Evolution of an argument usually takes place until the claims can be directly supported by the available evidence. Insufficiency of evidence to support the developed argument structure reveals the need for activities that will produce additional evidence (e.g. additional system testing). Modular GSN: Modular extensions allow cohesive arguments to be captured as argument modules, which can be referenced from other argument modules. Contracts document the dependencies between the arguments. Modular arguments benefit the maintenance of the case as often a change can be contained within an argument module. context. Argumentation can be used to capture any position about the system that the stakeholders chose to communicate, irrespective of the viewpoint of this position. For example although safety and security use different concepts, assurance about the overall position regarding these attributes (i.e. secure and safe system) can be captured using argumentation. Both argument and evidence are crucial elements of a dependability case. An argument without evidence is unfounded whereas evidence without argument is unexplained. A set of evidence does not constitute by itself an argument. position. The way an argument is structured will affect the confidence with which it supports a position. Modular GSN Below: Module view of part of a (safety) case. A top level safety argument is supported by individual arguments about the safety of functions A and B. This in the context of an argument claiming independence (i.e. the functions do no have common means of compromising safety) of the functions. FnAArgument Function A Safety Argument TopLevelArg IndependenceArg Top Level System X Safety Argument Functional Independence Argument SysAccSafe {System X} is acceptably safe SRFunctions Safety Related functions of {System X} ArgOverFunctions Argument over all identified safety related functions of {System X} FunctionsInd All functions are independent IndependenceArg FnASafe Function A operation is acceptably safe FnBArgument Function B Safety Argument FnBSafe Function B operation is acceptably safe FnCSafe Function C operation is acceptably safe FnBArgument Right: Argument modules contain standard GSN. Additions of modular GSN specific constructs to enable inter-module referencing. FnBSafe: away goal, FunctionsInd: away context. FnAArgument Safety Argument for Function A FnBSafe is referencing a Goal in another module FunctionsInd is contained in another module, and used to provide context. Further Reading and Resources (Hyperlinks) http://wwwusers.cs.york.ac.uk/ ~tpk/tpkthesis.pdf http://wwwusers.cs.york.ac.uk/ ~ihabli/Papers/200 7Habli_SSS07.pdf More details and latest version at http://bit.ly/cEWA5B http://wwwusers.cs.york.ac.uk/ ~tpk/Compositional SafetyCases.pdf http://despotou.eu/index .php/publications/34conference-papers/93supporting-through-lifesafety-assurance-ofcots-based-upgrades 2010 © University of York http://despotou.eu/index .php/publications/35misc/65-managing-theevolution-ofdependability-cases-forsystems-of-systems http://www.originconsulting.com/gsn club/ Document maintenance: George Despotou GSN Reference Card v.1.2