Shuichiro Yamamoto, Nagoya University (aofa.csce.kyushu-u.ac.jp/documents/Yamamoto-2014-01.pdf)


Shuichiro Yamamoto

Nagoya University

Copyright Prof. Dr. Shuichiro Yamamoto 2014

Agenda

- Assurance case
  - Issues of assurance case development
- Related work
- Argument algebra
- Argument interpretation of assurance case
  - Freeness of pattern application
- Summary and future issues

Assurance Case example

(Figure: a GSN-style assurance case diagram with Claim, Strategy, Context, and Evidence nodes.)

Assurance Case, Safety Case, Dependability Case, ...

- Originally, the term "Safety Case" was used.
- Then the term "Assurance Case" was introduced to generalize Safety Cases:
  - "Dependability Case" for dependability,
  - "Security Case" for security, ...

Safety case on ISO 26262

- ISO 26262 Part 10 for the automotive safety case
  - Functional safety guideline
  - Safety case description method
    - GSN
    - CAE (Claims-Argument-Evidence)
- Argument on safety
  - Product as the target of system development
  - Process for system development and assessment
- Safety case development cycle
  - Iterative activity integrated with the safety lifecycle

Ref. ISO 26262-10:2012(E), Road vehicles — Functional safety — Part 10: Guideline on ISO 26262

Claim decomposition

- What should the claim be and how should it be expressed?
- What should be written as strategies?
- How much should the argument be decomposed using the strategies?
- What should be written as context?
- What should be written as evidence?
- How far should the hierarchical structure be extended?
- How should the relationships between context and evidence be analyzed?

Related work

- Safety Case Construction and Reuse using Patterns, T. Kelly and J. McDermid, 1998
- A Software Safety Argument Pattern Catalogue, R. Hawkins and T. Kelly
- A Lightweight Methodology for Safety Case Assembly, Ewen Denney and Ganesh Pai, 2012
- A Pattern-Based Method for Safe Control Systems Exemplified within Nuclear Power Production, A. Hauge and K. Stolen, 2012
- Towards a Case-Based Reasoning Approach for Safety Assurance Reuse, A. Ruiz, I. Habli, H. Espinoza, 2012
- Assessing Software Interference Management When Modifying Safety-Related Software, P. Graydon and T. Kelly, 2012
- Formal verification of a safety argumentation and application to a complex UAV system, J. Brunel and J. Cazin, SAFECOMP 2012
- AdvoCATE: An Assurance Case Automation Toolset, Ewen Denney and Ganesh Pai, 2012
- Safety Argument Strategies for Autonomous Vehicles, Andrzej Wardzinski, 2008

Claim Decompositions

Type          Explanation
Architecture  splitting a component into several sub-components
Functional    splitting a component into several sub-functions
Attributes    splitting a property into several attributes
Infinite set  inductive partitioning from a base case (e.g., over time)
Complete      capturing the full set of values for risks, requirements, etc.
Monotonic     the new system only improves on the old system
Concretion    making informal statements less vague

Ref. Robin Bloomfield and Peter Bishop, Safety and Assurance Cases: Past, Present and Possible Future – an Adelard Perspective

Safety case patterns

- Improved or Maintained Safety Argument
- Improved Safety Argument
- Maintained Safety Argument
- At Least As Safe Argument
- Risk Acceptance Argument
- ALARP (As Low as Reasonably Practicable) Argument
- Top Level System-to-Software Hazard Mitigation Argument
- Top Level System-to-Software Hazard Contribution Argument
- Software Hazard Contributions Argument
- Hazardous Software Failure Mode (HSFM) Classification Argument
- Hazardous Software Failure Mode Acceptability Argument
- Hazardous Software Failure Mode Absence Argument
- Safe Adaptation Argument
- Behavioural vs. Model-Building Adaptation Argument

Cf. Robert Alexander, Tim Kelly, Zeshan Kurd, John McDermid, Safety Cases for Advanced Control Software: Safety Case Patterns, 2007

Definition 1 (Partial Safety Case Argument Structure).

Let {s, g, e, a, j, c} be the node types strategy, goal, evidence, assumption, justification, and context respectively.

A partial safety case argument structure S is a tuple ⟨N, l, t, →⟩ comprising the set of nodes N, the labeling function l : N → {s, g, e, a, j, c} that gives the node type, the labeling function t : N → E giving the node contents, where E is a set of expressions, and the connector relation → ⊆ N × N, which is defined on nodes. The transitive closure →* ⊆ N × N is defined in the usual way.

Ref. Ewen Denney and Ganesh Pai, A Formal Basis for Safety Case Patterns, SAFECOMP 2013, LNCS 8153, pp. 21–32, 2013

Definition (Pattern).

A pattern P is a tuple ⟨N, l, t, p, m, c, →⟩, where ⟨N, →⟩ is a directed hyper-graph in which each hyperedge has a single source and possibly multiple targets, the structural conditions from Definition 1 hold, and l, t, p, m, and c are labeling functions, given as follows:

Definition 5 (Pattern Refinement). (1) Instantiate parameters, (2) resolve choices, (3) resolve multiplicities, (4) unfold loops.

Definition 6 (Pattern Embedding). An embedding E of an argument structure A into a pattern P.

Definition 7 (Pattern Semantics). Let P be a pattern, let C range over patterns, and let A range over safety case argument structures. Then the semantics of P = { A | E(A) = C }.

Formal proofs and safety cases

(Figure: formal methods on one side, safety cases on the other, linked by the two steps below.)

AUTOCERT generates an XML document with information describing the formal verification of requirements. Chains of information relating requirements back to assumptions are used to generate safety cases.

The cert file generator creates the formal specifications for the verification process to proceed, based on safety-case fragments corresponding to the software components.

Ref. Ewen W. Denney, Automating the Generation of Heterogeneous Aviation Safety Cases, NASA/CR–2011–215983

Case based reasoning for assurance case reuse

(Figure: the CBR cycle. A new case is used to retrieve information from the case repository; the retrieved case is reused, giving a suggested solution; the case is revised into a validated solution; and the information is retained by storing the case in the repository.)

Ref. Alejandra Ruiz, Ibrahim Habli, Huáscar Espinoza, Towards a Case-Based Reasoning Approach for Safety Assurance Reuse, 2012

Concept types of safety cases

Type      Description
Goal      organized by the type of argumentation modules: conformance arguments, risk reduction arguments, etc.
Claim     described in the current version of the paper (arguments to demonstrate IMA segregation, partition, distribution, integration, etc.)
Evidence  based on an ontology/taxonomy and their characteristics.

Aspects

- Lexical structure
- Variables
- Values for variables
- Relations between the aspects

Argumentation based verification

(Figure: verification flow with an argumentation model, its injection into a KAOS representation in Objectiver, extraction of an LTL formula and a graphical representation, claim refinement verification with NuSMV, results, and manual witness validation.)

Ref. J. Brunel and J. Cazin, Formal verification of a safety argumentation and application to a complex UAV system, SAFECOMP 2012

Argument Pattern category

(Figure: pattern categories, namely Description patterns, Reference patterns, Conditional patterns, Deduction patterns, Evidence patterns and Reuse patterns, relating target systems, existing D-Cases and documents to the D-Case and its explanation.)

Pattern classes

Class        Count  Patterns
Description  15     Architecture, Function, Attribute, Completion, Process, Process dependency, Hierarchy, DFD, View, Use case, Requirements, State transitions, Operation requirements, Sequence diagram, Business process
Reference    10     Risk, Embedded system, Common criteria, Requirements template, System boundary, Failure mode, NFR grade, DEOS process, Test case, Problem frame
Conditional  7      ECA, Conditional decision, Alternative choice, Contradiction resolution, Balance, Improvement, Clarification
Inference    5      Induction, eliminative, negative induction, refutation
Evidence     11     Regulation, Formal proof, Model checking, Testing, Agreement, Review, Simulation, Evaluation, Explanation, Monitoring, Documentation
Reuse        2      Horizontal, Vertical

Assurance case development with patterns

- Sequence of pattern applications

(Figure: an assurance case built by applying Pattern P and Pattern Q in sequence.)

Issues of decomposition patterns

- Equivalence of assurance cases
- Application orders of decomposition patterns

(Figure: the same assurance case decomposed by pattern P and then by pattern Q, and alternatively by pattern Q and then by pattern P.)

Yet Another Formal Method for Argument Patterns


Argument space

- Example claim: System S is dependable
  - System S is dependable on the process P
- Argument space: {S} × {P} × {dependable}
  - S: subjects
  - P: objects
  - dependable: adjectives and verbs
- Argument expression, the relationship among words:
  - [S, dependable]
  - [S, P, dependable]

Argument expression

- If x is an element of a domain set X, then [x] is an argument expression (Arg. exp.).
- If [x, d] and [y, d] are Arg. exp., then [x, y, d] is an Arg. exp.
- If [x] and [y] are Arg. exp., then [x], [y] is an Arg. exp.
- If [x] is an Arg. exp. and Context is a context, then [x] | (Context) is an Arg. exp.
- If [x] is an Arg. exp. and e is the evidence that assures x, then [x!] / {x->e} is an Arg. exp.

Argument expression transformation rules

- Rotation: [x, y] => [y, x]
- Commutation: [x], [y] => [y], [x]
- Dimension extension: [x], [y] => [x, y]
- Dimension restriction: [x, y] | [x] => [x]
- Context introduction: [x] => [x] | (Context)
- Context deletion: [x] | (Context) => [x]
- Element decomposition by context: [x] | (x->a, b) => [a, b] | (x->a, b), where the context (x->a, b) means x is decomposed into a and b
- Element composition by context: [a, b] | (x->a, b) => [x] | (x->a, b)
- Evidence introduction: [x] => [x] / {evidence}
- Evidence deletion: [x] / {evidence} => [x]
- Bound: [x] / {x is assured by the evidence e} => [x!] / {x->e}
- Unbound: [x!] / {x->e} => [x] / {x->e}

Argument interpretation

(Figure: an assurance case A is mapped by the interpretation φ to an argument expression E = φ(A).)

Example

(Figure: top claim [S, d] decomposed into the sub-claims [A, d], [B, d], [IntrOfAandB, d].)

[S, d]   ... top claim
=> [S, d] | (S->A, B, IntrOfAandB)   ... context introduction
=> [A, d], [B, d], [IntrOfAandB, d] | (S->A, B, IntrOfAandB)   ... element decomposition

Claim transformation formalizes the assurance case development process.

Argument interpretation of claim

Goal G with Claim sentence:

Φ(G) = τ(Claim sentence) = [Subject, Object, Adverb]

Argument interpretation of context

Goal G with Claim sentence and Context:

Φ(G) = τ(Claim sentence) = [Subject, Object, Adverb] | (context)

Argument interpretation of decomposition

Goal G with Claim sentence, decomposed in Context into sub-goals with Claim sentence-1 and Claim sentence-2:

Φ(G) = τ(Claim sentence, context, Claim sentence-1, Claim sentence-2)
     = [Subject, Object, Adverb], [Subject-1, Object-1, Adverb-1], [Subject-2, Object-2, Adverb-2] | (context ⊆ S^2 × O^2 × A^2)

The argument is over the context: Context = WoS -> WoS-1, WoS-2, where WoS, WoS-1, WoS-2 are of the same domain.

τ: tuple interpretation of sentence

Argument interpretation of evidence

Goal G with Claim sentence supported by Evidence:

Φ(G) = τ(Claim sentence, evidence) / {Evidence}

τ: tuple interpretation of sentence

Structural equivalence of argument expressions

For assurance cases A, B: if φ(A) = φ(B), then A and B are structurally equivalent.

Boundary interpretation

For an argument expression X of assurance case A: if every element of X is bounded by evidence, then X is a boundary interpretation of A,

X = φ_b(A) ⊂ φ(A)

Argument transformation

X is transformed to Y if there is a sequence of transformation rules r_1, …, r_{n-1} such that

X = X_1, X_1 => X_2, …, X_{n-1} => X_n, X_n = Y

where X_k is transformed to X_{k+1} by rule r_k.

X ==> Y if X is transformable to Y.

Reversibility

For argument expressions X, Y: if X ==> Y then Y ==> X.

Boundary argument equivalence

For assurance cases A, B: if φ_b(A) = φ_b(B), then A and B are boundary equivalent.

Decomposition freeness

If assurance cases A and B are boundary equivalent, then there is a sequence of transformation rules between the argument interpretations of A and B:

φ_b(A) = φ_b(B) then φ(A) ==> φ(B)

LAN device management system

(Figure: a Manager sets sensors and sends information requests over the network; 2000 sensors monitor the LAN, 1000 LAN devices for each sensor, and return sensor status and device information; the LAN contains valid and invalid LAN devices, and invalid devices are intercepted.)

O-DA Cycles

Ref. Open Group Standard, Real-Time and Embedded Systems: Dependability through Assuredness™ (O-DA) Framework, 2013

Assurance case of LDMS

(Figure: the D-Case of LDMS built by process decomposition and architecture decomposition.)

Notations

- S: LDMS; T1: Sensor manager; T2: Sensors; T3: Interaction between Sensor manager and sensors
- C: DEOS process; C1: Ordinary operation process; C2: Change accommodation cycle; C3: Failure response cycle
- [S, d]: argument interpretation of the D-Case on LDMS, where S: LDMS and d: "Service continuity is achieved"

[S, d] = "Service continuity of LDMS is achieved"

Reversibility of decomposition pattern application

[S, d]
=> [S, C, d]
=> [S, C, d] | (C->C1, C2, C3)
=> [S, C1, d], [S, C2, d], [S, C3, d] | (C->C1, C2, C3)
=> [S, C1, d], [S, C2, d], [S, C3, d] | (C->C1, C2, C3) | (S->T1, T2, T3)
=> [T1, C1, d], [T2, C1, d], [T3, C1, d], [S, C2, d], [S, C3, d] | (C->C1, C2, C3) | (S->T1, T2, T3)
=> [T1, C1, d], [T2, C1, d], [T3, C1, d], [T1, C2, d], [T2, C2, d], [T3, C2, d], [S, C3, d] | (C->C1, C2, C3) | (S->T1, T2, T3)
=> [T1, C1, d], [T2, C1, d], [T3, C1, d], [T1, C2, d], [T2, C2, d], [T3, C2, d], [T1, C3, d], [T2, C3, d], [T3, C3, d] | (C->C1, C2, C3) | (S->T1, T2, T3)
=> [T1, C1, d], [T1, C2, d], [T1, C3, d], [T2, C1, d], [T3, C1, d], [T2, C2, d], [T3, C2, d], [T2, C3, d], [T3, C3, d] | (C->C1, C2, C3) | (S->T1, T2, T3)
=> [T1, C1, d], [T1, C2, d], [T1, C3, d], [T2, C1, d], [T2, C2, d], [T2, C3, d], [T3, C1, d], [T3, C2, d], [T3, C3, d] | (C->C1, C2, C3) | (S->T1, T2, T3)
=> [T1, C, d], [T2, C1, d], [T2, C2, d], [T2, C3, d], [T3, C1, d], [T3, C2, d], [T3, C3, d] | (C->C1, C2, C3) | (S->T1, T2, T3)
=> [T1, C, d], [T2, C, d], [T3, C1, d], [T3, C2, d], [T3, C3, d] | (C->C1, C2, C3) | (S->T1, T2, T3)
=> [T1, C, d], [T2, C, d], [T3, C, d] | (S->T1, T2, T3)
=> [S, C, d]
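The transformation rules and the LDMS derivation above, as an added example that is not code from the slides: argument expressions are modelled as a set of claim tuples plus decomposition contexts, the assumed functions extend, introduce_context, delete_context, decompose and compose apply the rules, and ldms_derivation replays the slide's steps forward and back to [S, C, d]. Decomposition is read as one claim per part, as the LDMS example does.

```python
# Argument algebra over argument expressions: a frozenset of claim tuples such
# as ("S", "C", "d") plus decomposition contexts such as C -> C1, C2, C3, with
# the slide's transformation rules as functions. Added example: the symbols
# S, C, T1.., C1.., d are the slide's; the data layout, rule signatures and
# the one-claim-per-part reading of decomposition are assumptions made here.
from dataclasses import dataclass, field

@dataclass(frozen=True)
class ArgExpr:
    claims: frozenset                                       # word tuples
    contexts: frozenset = field(default_factory=frozenset)  # (head, parts) pairs

    def parts_of(self, head):
        return dict(self.contexts)[head]   # KeyError if no context decomposes head

def extend(e, pos, word):
    # Dimension extension [x] => [x, y]: insert word at index pos of every claim.
    return ArgExpr(frozenset(c[:pos] + (word,) + c[pos:] for c in e.claims), e.contexts)

def introduce_context(e, head, parts):
    # Context introduction [x] => [x] | (head -> parts).
    return ArgExpr(e.claims, e.contexts | {(head, tuple(parts))})

def delete_context(e, head):
    # Context deletion [x] | (head -> ...) => [x].
    return ArgExpr(e.claims, frozenset(c for c in e.contexts if c[0] != head))

def decompose(e, head, pos):
    # Element decomposition by context: a claim with head at index pos becomes
    # one claim per part, e.g. [S,C,d] | (C->C1,C2,C3) => [S,C1,d],[S,C2,d],[S,C3,d].
    parts = e.parts_of(head)
    out = set()
    for c in e.claims:
        if c[pos] == head:
            out.update(c[:pos] + (p,) + c[pos + 1:] for p in parts)
        else:
            out.add(c)
    return ArgExpr(frozenset(out), e.contexts)

def compose(e, head, pos):
    # Element composition by context (inverse of decompose): claims that agree
    # everywhere except index pos and cover every part of head collapse into one.
    parts = set(e.parts_of(head))
    seen = {}                                  # rest of claim -> words at pos
    for c in e.claims:
        seen.setdefault(c[:pos] + c[pos + 1:], set()).add(c[pos])
    out = set()
    for c in e.claims:
        rest = c[:pos] + c[pos + 1:]
        if c[pos] in parts and parts <= seen[rest]:
            out.add(rest[:pos] + (head,) + rest[pos:])
        else:
            out.add(c)
    return ArgExpr(frozenset(out), e.contexts)

def ldms_derivation():
    # The slide's LDMS walk-through: process then architecture decomposition, then back.
    top = ArgExpr(frozenset({("S", "d")}))
    e = extend(top, 1, "C")                                            # [S, C, d]
    e = decompose(introduce_context(e, "C", ("C1", "C2", "C3")), "C", 1)
    full = decompose(introduce_context(e, "S", ("T1", "T2", "T3")), "S", 0)  # 9 claims
    back = delete_context(compose(full, "C", 1), "C")   # [T1,C,d],[T2,C,d],[T3,C,d]
    back = delete_context(compose(back, "S", 0), "S")   # [S, C, d]
    return full, back
```

Because claims are kept in a set, commutation holds for free, and structural equivalence of two cases reduces to equality of their ArgExpr values.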


(Figure: the derivation as a square of transformations: process decomposition and architecture decomposition forward, architecture composition and process composition back.)

Summary

- Argument algebra
- Argument interpretation
- Transformation rules
  - Equivalence relationship
- Reversibility
- Running example

Future issues

- Automatic tool to automate assurance case creation
  - Integration with architecture and process models
- Pattern repository
- Argument space management with natural language analysis and a word dictionary
- Algebra for pattern instantiation
- Assurance case for argument expression
- Application to modern modeling frameworks including feature modeling, BPMN, AADL, ArchiMate

Scope of D-Case Family

(Figure: D-Case category across the life cycle. SLCP development process phases Requirements, Design, Construction and Testing correspond to D-Case for R, D-Case for D, D-Case for C, D-Case for T and, together, D-Case for Development process. ITIL operation process phases Service strategy, Service design, Service transition, Service operation and Service improvement correspond to D-Case for SS, SD, ST, SO, SI and, together, D-Case for Operation process.)

Refs. ISO/IEC 12207, IEEE Std 12207-2008, Systems and software engineering — Software life cycle processes; itSMF, ITIL V3 Foundation Handbook, 2009

Overview of Assured ADM phases (AADM)

Phase                               Assured ADM activities
Preliminary                         ① Architecture repository to store evidence and assurance case; ② Dependability board to agree on priority among claims
A. Architecture vision              ① Dependability scope definitions; ② Quantitative evaluation index; ③ Capability evaluation of dependability; ④ Dependability parameter
B. Business architecture            ① Dependability principle definition; ② BA assurance case development; ③ BA assurance case review
C. Information system architecture  ① IA assurance case development; ② IA assurance case review
D. Technology architecture          ① TA assurance case development; ② TA assurance case review
E. Solution                         ① Integration of BA, IA, TA assurance cases; ② Integrity confirmation
F. Transition                       ① Operation management assurance case development; ② Value analysis of operation assurance case
G. Implementation                   ① Evidence development for assurance case; ② Process evidence development method; ③ Exhaustive relationship validation between claims and evidence; ④ Operational assurance case review
H. Architecture change management   ① Evidence management of operational assurance case; ② Confirmation of measures for claim failures; ③ Risk management by assurance case; ④ Failure analysis by assurance case
Requirements management             Traceability management of assurance case

Ref. Open Group Standard, Real-Time and Embedded Systems: Dependability through Assuredness™ (O-DA) Framework, 2013

Compositional dependability

- Dependability of purchased components
- Dependability of the mutual interaction with external systems
- Dependability for the system of systems and organizations by the extended assurance case

Example of compositional dependability

(Figure: claims between subsystems, each subsystem with its own safety case.)