Shuichiro Yamamoto, Nagoya University. Source: aofa.csce.kyushu-u.ac.jp/documents/Yamamoto-2014-01.pdf (transcript of the slides)
Agenda
Assurance case
Issues of assurance case development
Related work
Argument algebra
Argument interpretation of Assurance case
Freeness of pattern application
Summary and future issues
Copyright Prof. Dr. Shuichiro Yamamoto 2014 2
Assurance Case example
(Diagram: an assurance case made of Claim, Strategy, Context and Evidence nodes.)
Assurance Case, Safety Case, Dependability Case, …
Originally the term “Safety Case” was used. The term “Assurance Case” was then introduced to generalize Safety Cases: “Dependability Case” for dependability, “Security Case” for security, and so on.
Safety case on ISO 26262
ISO 26262 Part 10: functional safety guideline for the automotive safety case
Safety case description methods: GSN, CAE (Claims-Argument-Evidence)
Argument on safety: the product as the target of system development; the process for system development and assessment
Safety case development cycle: an iterative activity integrated with the safety lifecycle
Ref. ISO 26262-10:2012(E), Road vehicles — Functional safety — Part 10: Guideline on ISO 26262
Claim decomposition
What should the claim be and how should it be expressed?
What should be written as strategies?
How much should the argument be decomposed using the strategies?
What should be written as context?
What should be written as evidence?
How far should the hierarchical structure be extended?
How should the relationships between context and evidence be analyzed?
Related work
Safety Case Construction and Reuse using Patterns, T. Kelly and J. McDermid, 1998
A Software Safety Argument Pattern Catalogue, R. Hawkins and T. Kelly
A Lightweight Methodology for Safety Case Assembly, Ewen Denney and Ganesh Pai, 2012
A Pattern-Based Method for Safe Control Systems Exemplified within Nuclear Power Production, A. Hauge and K. Stølen, 2012
Towards a Case-Based Reasoning Approach for Safety Assurance Reuse, A. Ruiz, I. Habli, H. Espinoza, 2012
Assessing Software Interference Management When Modifying Safety-Related Software, P. Graydon and T. Kelly, 2012
Formal verification of a safety argumentation and application to a complex UAV system, J. Brunel and J. Cazin, 2012
AdvoCATE: An Assurance Case Automation Toolset, Ewen Denney and Ganesh Pai, 2012
Safety Argument Strategies for Autonomous Vehicles, Andrzej Wardzinski, 2008
Claim Decompositions
Type: explanation
Architecture: splitting a component into several sub-components
Functional: splitting a component into several sub-functions
Attributes: splitting a property into several attributes
Infinite set: inductive partitioning from a base case (e.g., over time)
Complete: capturing the full set of values for risks, requirements, etc.
Monotonic: the new system only improves on the old system
Concretion: making informal statements less vague
Ref. Robin Bloomfield and Peter Bishop, Safety and Assurance Cases: Past, Present and Possible Future – an Adelard Perspective
Safety case patterns
Improved or Maintained Safety Argument
Improved Safety Argument
Maintained Safety Argument
At Least As Safe Argument
Risk Acceptance Argument
ALARP (As Low as Reasonably Practicable) Argument
Top Level System-to-Software Hazard Mitigation Argument
Top Level System-to-Software Hazard Contribution Argument
Software Hazard Contributions Argument
Hazardous Software Failure Mode (HSFM) Classification Argument
Hazardous Software Failure Mode Acceptability Argument
Hazardous Software Failure Mode Absence Argument
Safe Adaptation Argument
Behavioural vs. Model-Building Adaptation Argument
Cf. Robert Alexander, Tim Kelly, Zeshan Kurd, John McDermid, Safety Cases for Advanced Control Software: Safety Case Patterns, 2007
Definition 1 (Partial Safety Case Argument Structure).
Let {s, g, e, a, j, c} be the node types strategy, goal, evidence, assumption, justification, and context respectively.
A partial safety case argument structure S is a tuple ⟨N, l, t, →⟩ comprising the set of nodes N, the labeling function l : N → {s, g, e, a, j, c} that gives the node type, the labeling function t : N → E that gives the node contents, where E is a set of expressions, and the connector relation → ⊆ N × N defined on nodes. The transitive closure →* ⊆ N × N is defined in the usual way.
Ref. Ewen Denney and Ganesh Pai, A Formal Basis for Safety Case Patterns, SAFECOMP 2013, LNCS 8153, pp. 21–32, 2013
Definition (Pattern). A pattern P is a tuple ⟨N, l, t, p, m, c, →⟩, where ⟨N, →⟩ is a directed hypergraph in which each hyperedge has a single source and possibly multiple targets, the structural conditions from Definition 1 hold, and l, t, p, m, and c are labeling functions.
Definition 5 (Pattern Refinement). (1) Instantiate parameters; (2) resolve choices; (3) resolve multiplicities; (4) unfold loops.
Definition 6 (Pattern Embedding). An embedding E of an argument structure A into a pattern P.
Definition 7 (Pattern Semantics). Let P be a pattern, let C range over patterns and A over safety case argument structures. Then the semantics of P = { A | E(A) = C }.
Ref. Ewen Denney and Ganesh Pai, A Formal Basis for Safety Case Patterns, SAFECOMP 2013, LNCS 8153, pp. 21–32, 2013
Formal proofs and safety cases
(Diagram: formal methods and safety cases.)
AUTOCERT generates an XML document describing the formal verification of requirements. Chains of information relating requirements back to assumptions are used to generate safety cases.
The cert file generator creates the formal specifications for the verification process, based on safety-case fragments corresponding to the software components.
Ref. Ewen W. Denney, Automating the Generation of Heterogeneous Aviation Safety Cases, NASA/CR–2011–215983
Case based reasoning for assurance case reuse
(Diagram of the case-based reasoning cycle: a new case is used to retrieve information from the case repository, giving a retrieved case; the case is reused, giving a suggested solution; revised, giving a validated solution; and retained, storing the case in the repository.)
Ref. Alejandra Ruiz, Ibrahim Habli, Huáscar Espinoza, Towards a Case-Based Reasoning Approach for Safety Assurance Reuse, 2012
Concept types of safety cases
Type: description
Goal: organized by the type of argumentation modules: conformance arguments, risk reduction arguments, etc.
Claim: described in the current version of the paper (arguments to demonstrate IMA segregation, partition, distribution, integration, etc.)
Evidence: based on an ontology/taxonomy and their characteristics.
Aspects
lexical structure
Variables
Values for variables
Relations between the aspects
Argumentation based verification
(Diagram: the argumentation model has a graphical representation and a KAOS representation (Objectiver); claim refinement verification injects LTL formulas into NuSMV, extracts the results, and manually validates the witnesses.)
Ref. J. Brunel and J. Cazin, Formal verification of a safety argumentation and application to a complex UAV system, SAFECOMP 2012
Argument Pattern category
(Diagram: the D-Case is related to target systems, explanations, existing D-Cases and documents through description patterns, reference patterns, conditional patterns, deduction patterns, evidence patterns and reuse patterns.)
Pattern classes
Pattern class (number of patterns): patterns
Description (15): Architecture, Function, Attribute, Completion, Process, Process dependency, Hierarchy, DFD, View, Use case, Requirements, State transitions, Operation requirements, Sequence diagram, Business process
Reference (10): Risk, Embedded system, Common criteria, Requirements template, System boundary, Failure mode, NFR grade, DEOS process, Test case, Problem frame
Conditional (7): ECA, Conditional decision, Alternative choice, Contradiction resolution, Balance, Improvement, Clarification
Inference (5): Induction, Eliminative, Negative induction, Refutation
Evidence (11): Regulation, Formal proof, Model checking, Testing, Agreement, Review, Simulation, Evaluation, Explanation, Monitoring, Documentation
Reuse (2): Horizontal, Vertical
Assurance case development with patterns
Sequence of pattern applications (diagram: pattern P, then pattern Q)
Issues of decomposition patterns
Equivalence of assurance cases
Application orders of decomposition patterns (diagram: an assurance case decomposed by pattern P and then by pattern Q, versus decomposed by pattern Q and then by pattern P)
Argument space
Example claim: System S is dependable
System S is dependable on the process P
Argument space: {S} × {P} × {dependable}
S: subjects
P: objects
dependable: adjectives or verbs
Argument expression: a relationship among words, e.g. [S, dependable], [S, P, dependable]
Argument expression
If x is an element of a domain set X, then [x] is an argument expression.
If [x, d] and [y, d] are argument expressions, then [x, y, d] is an argument expression.
If [x] and [y] are argument expressions, then [x], [y] is an argument expression.
If [x] is an argument expression and Context is a context, then [x] | (Context) is an argument expression.
If [x] is an argument expression and e is the evidence that assures x, then [x!] / {x -> e} is an argument expression.
Argument expression transformation rules
Rotation: [x, y] => [y, x]
Commutation: [x], [y] => [y], [x]
Dimension extension: [x], [y] => [x, y]
Dimension restriction: [x, y] | [x] => [x]
Context introduction: [x] => [x] | (Context)
Context deletion: [x] | (Context) => [x]
Element decomposition by context: [x] | (x -> a, b) => [a, b] | (x -> a, b), where the context (x -> a, b) means x is decomposed into a and b
Element composition by context: [a, b] | (x -> a, b) => [x] | (x -> a, b)
Evidence introduction: [x] => [x] / {evidence}
Evidence deletion: [x] / {evidence} => [x]
Bound: [x] / {x is assured by the evidence e} => [x!] / {x -> e}
Unbound: [x!] / {x -> e} => [x] / {x -> e}
Argument interpretation
(Diagram: an assurance case A is mapped by the interpretation φ to an argument expression E = φ(A).)
Example
[S, d] … top claim (diagram: decomposed into the sub-claims [A, d], [B, d], [IntrOfAandB, d])
[S, d]
=> [S, d] | (S -> A, B, IntrOfAandB) … context introduction
=> [A, d], [B, d], [IntrOfAandB, d] | (S -> A, B, IntrOfAandB) … element decomposition
Claim transformation formalizes the assurance case development process.
Argument interpretation of claim
For a goal G with a claim sentence: Φ(G) = τ(Claim sentence) = [Subject, Object, Adverb]
Argument interpretation of context
For a goal G with a claim sentence and a context: Φ(G) = τ(Claim sentence) = [Subject, Object, Adverb] | (context)
Argument interpretation of decomposition
For a goal G with a claim sentence, argued over a context into goals with Claim sentence-1 and Claim sentence-2:
Φ(G) = τ(Claim sentence, context, Claim sentence-1, Claim sentence-2) = [Subject, Object, Adverb], [Subject-1, Object-1, Adverb-1], [Subject-2, Object-2, Adverb-2] | (context ⊆ S2 × O2 × A2)
Context = WoS -> WoS-1, WoS-2, where WoS, WoS-1, WoS-2 are of the same domain
τ: tuple interpretation of a sentence
Argument interpretation of evidence
For a goal G with a claim sentence supported by evidence: Φ(G) = τ(Claim sentence, evidence) / {Evidence}
τ: tuple interpretation of a sentence
Structural equivalence of argument expressions
For assurance cases A, B: if φ(A) = φ(B), then A and B are structurally equivalent.
Boundary interpretation
For an argument expression X of assurance case A: if every element of X is bound by evidence, then X is a boundary interpretation of A, X = φb(A) ⊂ φ(A).
Argument transformation
X is transformed to Y if there is a sequence of transformation rules r1, …, rn-1 such that
X = X1, X1 => X2, …, Xn-1 => Xn, Xn = Y,
where Xk is transformed to Xk+1 by rule rk.
X ==> Y if X is transformable to Y
Reversibility
If X ==> Y then Y ==> X, for argument expressions X, Y
Boundary argument equivalence
For assurance cases A, B: if φb(A) = φb(B), then A and B are boundary equivalent.
Decomposition freeness
If assurance cases A and B are boundary equivalent, then there is a sequence of transformation rules between the argument interpretations of A and B:
if φb(A) = φb(B), then φ(A) ==> φ(B)
LAN device management system
(Diagram: a manager on the network sets sensors and monitors them; there are 2000 sensors, each monitoring 1000 LAN devices. A sensor reports its sensor status to the manager, sends information requests to the LAN devices and receives device information from valid LAN devices, and intercepts invalid LAN devices.)
O-DA Cycles
Ref. Open Group Standard, Real-Time and Embedded Systems: Dependability through Assuredness™ (O-DA) Framework, 2013
Assurance case of LDMS
(Diagram: process decomposition and architecture decomposition of the D-Case.)
Notations
S: LDMS, T1: Sensor manager, T2: Sensors, T3: Interaction between Sensor manager and sensors
C: DEOS process, C1: Ordinary operation process, C2: Change accommodation cycle, C3: Failure response cycle
[S, d]: argument interpretation of the D-Case on LDMS, where S: LDMS, d: “Service continuity is achieved”
[S, d] = “Service continuity of LDMS is achieved”
Reversibility of decomposition pattern application
[S, d]
=> [S, C, d] … dimension extension
=> [S, C, d] | (C -> C1, C2, C3) … context introduction
=> [S, C1, d], [S, C2, d], [S, C3, d] | (C -> C1, C2, C3) … element decomposition
=> [S, C1, d], [S, C2, d], [S, C3, d] | (C -> C1, C2, C3) | (S -> T1, T2, T3) … context introduction
=> [T1, C1, d], [T2, C1, d], [T3, C1, d], [S, C2, d], [S, C3, d] | (C -> C1, C2, C3) | (S -> T1, T2, T3) … element decomposition
=> [T1, C1, d], [T2, C1, d], [T3, C1, d], [T1, C2, d], [T2, C2, d], [T3, C2, d], [S, C3, d] | (C -> C1, C2, C3) | (S -> T1, T2, T3) … element decomposition
=> [T1, C1, d], [T2, C1, d], [T3, C1, d], [T1, C2, d], [T2, C2, d], [T3, C2, d], [T1, C3, d], [T2, C3, d], [T3, C3, d] | (C -> C1, C2, C3) | (S -> T1, T2, T3) … element decomposition
=> [T1, C1, d], [T1, C2, d], [T1, C3, d], [T2, C1, d], [T3, C1, d], [T2, C2, d], [T3, C2, d], [T2, C3, d], [T3, C3, d] | (C -> C1, C2, C3) | (S -> T1, T2, T3) … commutation
=> [T1, C1, d], [T1, C2, d], [T1, C3, d], [T2, C1, d], [T2, C2, d], [T2, C3, d], [T3, C1, d], [T3, C2, d], [T3, C3, d] | (C -> C1, C2, C3) | (S -> T1, T2, T3) … commutation
=> [T1, C, d], [T2, C1, d], [T2, C2, d], [T2, C3, d], [T3, C1, d], [T3, C2, d], [T3, C3, d] | (C -> C1, C2, C3) | (S -> T1, T2, T3) … element composition
=> [T1, C, d], [T2, C, d], [T3, C1, d], [T3, C2, d], [T3, C3, d] | (C -> C1, C2, C3) | (S -> T1, T2, T3) … element composition
=> [T1, C, d], [T2, C, d], [T3, C, d] | (S -> T1, T2, T3) … element composition, context deletion
=> [S, C, d] … element composition, context deletion
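As an added example, not taken from the slides or from any tool of the author, the following Python model implements the two rules that carry the derivation above (element decomposition by context and its inverse, element composition by context) over claim tuples, together with the boundary interpretation φb. It checks the two properties the slides state for the LDMS case: the order in which the process decomposition (C -> C1, C2, C3) and the architecture decomposition (S -> T1, T2, T3) are applied does not change the resulting argument expression, and composing back returns the top claim [S, C, d] (reversibility). The set-of-tuples representation, the function names and the constructed evidence labels are assumptions of this example; the symbols S, C, T1..T3, C1..C3 and d are those of the LDMS running example.

```python
"""Added example (not from the slides): an executable model of the argument
algebra.  An argument expression is represented as a set of claim tuples such as
("S", "C", "d"), read as [S, C, d], together with the contexts (x -> a, b, ...)
it is conditioned on.  The symbols S, C, T1..T3, C1..C3 and d are those of the
LDMS running example; the representation, function names and the constructed
evidence labels are assumptions of this example."""
from typing import Dict, FrozenSet, Set, Tuple

Claim = Tuple[str, ...]                   # ("S", "C", "d")  ==  [S, C, d]
Expr = FrozenSet[Claim]                   # [x], [y], ...  as an unordered set
Contexts = Dict[str, Tuple[str, ...]]     # {"C": ("C1", "C2", "C3")}  ==  (C -> C1, C2, C3)


def decompose(expr: Expr, contexts: Contexts, x: str) -> Expr:
    """Element decomposition by context: every tuple mentioning x is replaced
    by one tuple per part of (x -> a, b, ...).  The slides apply the rule one
    tuple at a time; applying it to all tuples at once reaches the same set."""
    parts = contexts[x]                   # KeyError if no context decomposes x
    out: Set[Claim] = set()
    for claim in expr:
        if x in claim:
            out.update(tuple(p if w == x else w for w in claim) for p in parts)
        else:
            out.add(claim)
    return frozenset(out)


def compose(expr: Expr, contexts: Contexts, x: str) -> Expr:
    """Element composition by context, the inverse rule: a family of tuples that
    differ in exactly one position and there cover all parts of (x -> a, b, ...)
    collapses into the single tuple with x in that position.  A family that is
    still missing a part is left decomposed, so composition never produces a
    claim that its sub-claims do not jointly cover."""
    parts = set(contexts[x])
    families: Dict[Tuple[int, Claim], Set[str]] = {}
    for claim in expr:
        for i, w in enumerate(claim):
            if w in parts:
                rest = claim[:i] + claim[i + 1:]
                families.setdefault((i, rest), set()).add(w)
    out: Set[Claim] = set(expr)
    for (i, rest), seen in families.items():
        if seen == parts:
            for w in parts:
                out.discard(rest[:i] + (w,) + rest[i:])
            out.add(rest[:i] + (x,) + rest[i:])
    return frozenset(out)


def boundary(expr: Expr, evidence: Dict[Claim, str]) -> Expr:
    """Boundary interpretation φb: the tuples bound to evidence (rule Bound)."""
    return frozenset(c for c in expr if c in evidence)


# LDMS running example: process decomposition (C -> C1, C2, C3) and
# architecture decomposition (S -> T1, T2, T3).
LDMS_CONTEXTS: Contexts = {"C": ("C1", "C2", "C3"), "S": ("T1", "T2", "T3")}
TOP: Expr = frozenset({("S", "C", "d")})  # [S, C, d]: [S, d] after dimension extension


def apply_patterns(order: Tuple[str, ...]) -> Expr:
    """Decompose the LDMS top claim by the contexts in the given order."""
    expr = TOP
    for x in order:
        expr = decompose(expr, LDMS_CONTEXTS, x)
    return expr


def undo_patterns(expr: Expr, order: Tuple[str, ...]) -> Expr:
    """Compose back by the contexts in the given order (reversibility)."""
    for x in order:
        expr = compose(expr, LDMS_CONTEXTS, x)
    return expr


def boundary_equivalent(a: Expr, b: Expr, evidence: Dict[Claim, str]) -> bool:
    """Two expressions are boundary equivalent when φb agrees on them."""
    return boundary(a, evidence) == boundary(b, evidence)


if __name__ == "__main__":
    process_first = apply_patterns(("C", "S"))
    architecture_first = apply_patterns(("S", "C"))
    # Constructed evidence labels: one per leaf claim, e.g. e_T1_C1.
    evidence = {c: "e_" + "_".join(c[:-1]) for c in process_first}
    print(sorted(process_first))
    print("freeness:", process_first == architecture_first)                   # True
    print("boundary equivalent:",
          boundary_equivalent(process_first, architecture_first, evidence))  # True
    print("reversible:", undo_patterns(process_first, ("C", "S")) == TOP)   # True
```

The nine leaf tuples are the same whichever pattern is applied first, which is the "freeness of pattern application" the slides argue for, and `compose` only collapses a family whose parts are all present, so a partially argued decomposition (say, [T3, C3, d] still missing) stays visible in the expression rather than being silently folded back into [S, C, d].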
(Diagram: process decomposition and architecture decomposition of the assurance case, and their inverses, process composition and architecture composition.)
Summary
Argument algebra
Argument interpretation
Transformation rules
Equivalence relationship
Reversibility
Running example
Future issues
Tool to automate assurance case creation
Integration with architecture and process models
Pattern repository
Argument space management with Natural language analysis and Word dictionary
Algebra for Pattern instantiation
Assurance case for Argument expression
Application to modern modeling frameworks including feature modeling, BPMN, AADL, Archimate
Scope of D-Case Family
(Diagram of D-Case categories by process.)
Development process (SLCP): Requirements, Design, Construction, Testing; D-Case for R, D-Case for D, D-Case for C, D-Case for T; D-Case for Development process
Operation process (ITIL): Service strategy, Service design, Service transition, Service operation, Service improvement; D-Case for SS, D-Case for SD, D-Case for ST, D-Case for SO, D-Case for SI; D-Case for Operation process
Refs. ISO/IEC 12207, IEEE Std 12207-2008, Systems and software engineering — Software life cycle processes; itSMF, ITIL V3 Foundation Handbook, 2009
Overview of Assured ADM phase (AADM)
Preliminary: ① Architecture repository to store evidence and assurance cases; ② Dependability board to agree on priority among claims
A. Architecture vision: ① Dependability scope definitions; ② Quantitative evaluation index; ③ Capability evaluation of dependability; ④ Dependability parameters
B. Business architecture: ① Dependability principle definition; ② BA assurance case development; ③ BA assurance case review
C. Information system architecture: ① IA assurance case development; ② IA assurance case review
D. Technology architecture: ① TA assurance case development; ② TA assurance case review
E. Solution: ① Integration of BA, IA and TA assurance cases; ② Integrity confirmation
F. Transition: ① Operation management assurance case development; ② Value analysis of the operation assurance case
G. Implementation: ① Evidence development for the assurance case; ② Process evidence development method; ③ Exhaustive validation of the relationships between claims and evidence; ④ Operational assurance case review
H. Architecture change management: ① Evidence management of the operational assurance case; ② Confirmation of measures for claim failures; ③ Risk management by assurance case; ④ Failure analysis by assurance case
Requirements management: Traceability management of the assurance case
Ref. Open Group Standard, Real-Time and Embedded Systems: Dependability through Assuredness™ (O-DA) Framework, 2013
Compositional Dependability
Dependability of purchased components
Dependability of the mutual interaction with external systems
Dependability of the system of systems and organizations by the extended assurance case
Example of compositional dependability
(Diagram: claims between subsystems, each subsystem having its own safety case.)