[Figure 3.2 (from [11]): the four GSN element symbols Goal, Strategy, Evidence and Context and the two link types Supported by and In context of, illustrated with the goal “System can tolerate single component failures”, the strategy “Argument by eliminating of all hazards”, the context “All identified system hazards” and the evidence “Fault tree for hazard”.]
Figure 3.2: GSN Notations [11]
aerospace, railways and defence) for the presentation of safety arguments within safety cases [11]. Moreover, GSN has been included in the software assurance standard ISO 15026 [156]. Given the broad acceptance of GSN, we adopted this approach in this dissertation.
3.2 Goal structuring notations (GSN)
GSN can be used to present argument by creating a graphical structure between goals, sub-goals, evidence/solutions, strategies and contexts [11]. GSN has been found to improve the comprehension of safety arguments and allows lightweight development of an argument [140]. The notation helps to focus the selection of evidence upon satisfying the overall objectives (or requirements) of the systems or applications.
3.2.1 GSN elements and notations
Figure 3.2 presents the core symbols used in GSN: Goal, Strategy, Solution/Evidence and Context, as well as Supported by and In context of. A Goal is a claim, the statement that the goal structure is designed to support. Evidence exists to support the truth of the claimed goal, and is documented in GSN by providing a solution. A Strategy is inserted between goals at two levels of abstraction, to explain how the top-level goal is addressed by the aggregation of the goals presented at the lower level. Context is used to declare supplementary information and provide adequate understanding of the context surrounding the claim/strategy. Usually it presents clarification of concepts introduced in the claim/strategy [11].
3.2.2 Goal decomposition methods
3.2.2.1 Developing goal structures top-down
A top-down approach to goal development starts with identification of the top goal, followed by identification of the context that provides the basis on which the goals are stated. Strategies are then identified to give the reasons why the claimed goal is true. Contextual information for each strategy is also required to understand the argument approach. The goal structure continues to be developed in this way until it is clear that no further decomposition is needed and the goal can be directly supported by evidence artefacts (e.g. test results). The steps of the top-down approach to goal development are as follows [11]:
Step 1: Identify the goals to be supported (Identify the top goal(s) of the structure).
Step 2: Define the basis on which the goals are stated (Identify the context of the goal).
Step 3: Identify the strategy used to support the goals (Substantiate the goal). What reasons are there for saying that the goal is true? What statements would convince the reader that the goal is true?
Step 4: Define the basis on which the strategy is stated. Identify the contextual information required to understand the argument approach.
Step 5: Elaborate the strategy (Elaborating a strategy involves defining new goals).
The goal structure continues to be developed in this way until it is clear that no further decomposition into sub-goals is necessary and the goal can be directly supported by appeal to some evidence artefact.
Step 6: Identify the basic solution/evidence.
3.2.2.2 Developing goal structures bottom-up
The following process can be used to develop a goal structure bottom-up [11]:
Step 1: Identify evidence to present as solutions.
Step 2: Infer “evidence assertion” goals to be directly supported by these solutions.
Step 3: Derive higher-level sub-goals that are supported by the evidence assertions.
Step 4: Describe how each layer of sub-goals satisfies its parent goal, i.e. the strategy.
Step 5: Check that any necessary contextual information is included.
Step 6: Check back down the structure for completeness.
Step 7: Join the resulting goal structure to known top goal or set of sub-goals.
The bottom-up approach is rarely used in isolation to form a complete goal structure. It usually joins to a desired higher-level goal that is already understood to be a requirement of an assurance case [11].
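As an added illustration, not taken from the dissertation or from [11], the following Python sketch models the element and link types of Section 3.2.1 and exercises both decomposition methods above: it builds the Figure 3.3 fragment quoted later in this chapter top-down (steps 1 to 6) and then runs the bottom-up "check back down the structure" step, which reports any goal or strategy left without support. The wording of the sub-goal, the solution and the two context elements is assumed.

```python
from dataclasses import dataclass, field

# The four core GSN elements of Figure 3.2 and the two link types between them:
# "Supported by" runs Goal->Goal, Goal->Strategy, Strategy->Goal, Goal->Solution;
# "In context of" attaches a Context to a Goal or a Strategy.
@dataclass
class Node:
    kind: str                       # "Goal", "Strategy", "Solution" or "Context"
    text: str
    supported_by: list = field(default_factory=list)
    in_context_of: list = field(default_factory=list)

    def support(self, child):
        """Add a 'supported by' link; only claims and strategies can be supported."""
        if self.kind not in ("Goal", "Strategy") or child.kind == "Context":
            raise ValueError(f"{self.kind} cannot be supported by {child.kind}")
        if self.kind == "Strategy" and child.kind != "Goal":
            raise ValueError("a strategy is elaborated only into new goals")
        self.supported_by.append(child)
        return child

    def context(self, ctx):
        """Add an 'in context of' link (top-down steps 2 and 4)."""
        if ctx.kind != "Context" or self.kind not in ("Goal", "Strategy"):
            raise ValueError("context attaches only to goals and strategies")
        self.in_context_of.append(ctx)
        return ctx

def undeveloped(root):
    """Bottom-up step 6, 'check back down the structure': return every goal or
    strategy that nothing supports, i.e. a claim asserted without evidence."""
    gaps, stack = [], [root]
    while stack:
        node = stack.pop()
        if node.kind in ("Goal", "Strategy") and not node.supported_by:
            gaps.append(node.text)
        stack.extend(node.supported_by)
    return gaps

def build_example():
    """Top-down steps 1-6 over the Figure 3.3 fragment; sub-goal, solution and
    context wording is assumed, and the second strategy is left unelaborated."""
    top = Node("Goal", "C/S Logic is fault free")                                  # step 1
    top.context(Node("Context", "C/S = Control System"))                            # step 2
    s1 = top.support(Node("Strategy", "Argument by satisfaction of all C/S safety requirements"))  # step 3
    s2 = top.support(Node("Strategy", "Argument by omission of all identified software hazards"))
    s2.context(Node("Context", "Identified software hazards"))                     # step 4
    g1 = s1.support(Node("Goal", "Each C/S safety requirement is satisfied"))       # step 5
    g1.support(Node("Solution", "Requirement verification test results"))          # step 6
    return top
```

Running `undeveloped(build_example())` names the unelaborated hazard-omission strategy, which is exactly the kind of gap the completeness check in bottom-up step 6 is meant to expose before the structure is joined to a known top goal.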
3.2.3 Safety arguments and the GSN
Safety arguments are typically communicated in safety cases through free text and the GSN [7]. Kelly cited the following textual descriptions from a real industrial safety case to explain the problems experienced when text is the only medium available for expressing complex arguments.
“For hazards associated with warnings, the assumptions of Section 3.4 associated with the requirements to present a warning when no equipment failure has occurred are carried forward. In particular, with respect to hazard 17 in section 5.7 that for test operation, operating limits will need to be introduced to protect against the hazard, whilst further data is gathered to determine the extent of the problem.” [7].
Several communication concerns were identified with this paragraph. The free-style text was found to be unclear and poorly structured: both the meaning of the text and the structure of the safety argument can be ambiguous. The problem is compounded by the frequent cross-references that a safety case uses to integrate evidence; multiple cross-references disrupt the flow of the main argument. Free text therefore makes it difficult to ensure that all stakeholders share the same understanding of the argument, which results in inefficient and ineffective safety case management [7]. Johnson identified the same difficulty in analysing accident reports: it is difficult to draw particular conclusions from the many hundreds of pages of evidence in those reports, as the logic can easily get lost among the paragraphs of contextual detail [139].
Goal Structuring Notation (GSN) clearly represents the individual elements of the safety argument (requirements, claims, evidence and context). An example safety case, taken from [11], is provided in Figure 3.3. In this diagram, the top goal is “C/S (Control System) Logic is fault free”, the statement that the goal structure is designed to support. The structure is broken down into sub-goals, either directly or, as in this case, indirectly through a strategy. The two argument strategies put forward as a means of addressing the top-level goal are “Argument by satisfaction of all C/S (Control System) safety requirements” and “Argument by omission of all identified software hazards”.