1. No category

"Safety Case"? - 34th International System Safety Conference

SAFETY CASES WITH THE HELP OF GSN
Tutorial at the
International System Safety Conference 2016
Orlando, Florida, USA
August 2016
Andreas Gerstinger
 Your competences after the workshop
 Understanding of the concept of safety cases
 Understanding of the benefits and potential pitfalls of safety cases
 Knowledge of the Goal Structuring Notation (GSN)
 Ability to read GSN
 Ability to create simple arguments in GSN
© FREQUENTIS 2016
Safety Cases with the Help of GSN_2016_00.pptx
Page: 2
Presentation Date: August 2016
Author: Andreas Gerstinger
 Agenda
 What are Safety Cases?
 The Goal Structuring Notation (GSN)
 Common Errors in GSN arguments
 Case Study
 Concluding Remarks
© FREQUENTIS 2016
Safety Cases with the Help of GSN_2016_00.pptx
Page: 3
Presentation Date: August 2016
Author: Andreas Gerstinger
 Acknowledgements
 The original work on GSN is Tim Kelly's doctoral thesis [Kel98]
 The GSN slides in this presentation are heavily based on [Spr12],
which we highly recommend as a very readable introduction to safety
arguments and GSN
 A useful web resource is http://www.goalstructuringnotation.info
© FREQUENTIS 2016
Safety Cases with the Help of GSN_2016_00.pptx
Page: 4
Presentation Date: August 2016
Author: Andreas Gerstinger
 Literature
[Ade98] Adelard Safety Case Development Manual. 1998.
[EUR06] Eurocontrol. Safety Case Development Manual. DAP/SSH/091. 13 Oct 2006.
[Gre&06] William S. Greenwell, John C. Knight, C. Michael Holloway, Jacob J. Pease. A Taxonomy of Fallacies in System
Safety Arguments. Proceedings of the 24th International System Safety Conference, 2006.
[Kel98] T. P. Kelly, Arguing Safety – A Systematic Approach to Safety Case Management, DPhil Thesis YCST99-05,
Department of Computer Science, University of York, UK, 1998.
[Kel&04] Tim Kelly, Rob Weaver. The Goal Structuring Notation - A Safety Argument Notation. Conference on
Dependable Systems and Networks (DSN). Florence, Italy, 2004.
[Ori11] Origin Consulting. GSN Community Standard Version 1. November 2011. http://www.goalstructuringnotation.info/
[Spr12] John Spriggs. GSN - The Goal Structuring Notation: A Structured Approach to Presenting Arguments. Springer,
2012.
3 publicly available Safety Cases:
[EUR01] Eurocontrol. The EUR RVSM Pre-Implementation Safety Case. RVSM 691. 14 Aug 2001.
[Kin01] Steve Kinnersly. Whole Airspace ATM System – Preliminary Study. A report produced for EUROCONTROL
by AEA Technology. Report number AEAT LD76008/2. 2001.
[NAG02] NAGRA. Project Opalinus Clay Safety Report. TECHNICAL REPORT 02-05. December 2002.
© FREQUENTIS 2016
Safety Cases with the Help of GSN_2016_00.pptx
Page: 5
Presentation Date: August 2016
Author: Andreas Gerstinger

INTRODUCTION TO SAFETY CASES
© FREQUENTIS 2016
Safety Cases with the Help of GSN_2016_00.pptx
Page: 6
Presentation Date: August 2016
Author: Andreas Gerstinger
 What is a "Safety Case"?
?
 The "Robens Report" (1972)
– Balance between “prescriptive” and “goal setting” legislation needed to shift towards
the latter
 Piper Alpha Accident (1988)
– Conclusion that compliance with detailed prescriptive regulations was not sufficient to
ensure safety
 It is necessary to "make a case" for safety!
 "Make a case": to show that what you say is true
 Safety Case: shows that sufficient safety is given
 Term "safety case" has a legal origin
© FREQUENTIS 2016
Safety Cases with the Help of GSN_2016_00.pptx
Page: 7
Presentation Date: August 2016
Author: Andreas Gerstinger
 Prescriptive vs. Goal-based Standards
Goal-Based
Prescriptive
 Describes what to do (way)
 Describes what to achieve (goal)
 Process-focus
 Product-focus
 Requires the application of
specific techniques and methods
 Less freedom, less responsibility
 Based on the assumption: "good
process leads to good product"
 (Generally) does not require a
safety case
 Requires certain product
characteristics
 More freedom, more responsibility
 Based on the general approach:
-
Determine hazards and safety
requirements
-
Design and implement them
-
Demonstrate achievement
 (Generally) requires a safety case
© FREQUENTIS 2016
Safety Cases with the Help of GSN_2016_00.pptx
Page: 8
Presentation Date: August 2016
Author: Andreas Gerstinger
 IEC 61508 (2010)
 No safety case required
 Requires processes, documents, verification, validation and functional
safety assessment
 Requires detailed techniques and measures based on required safety
integrity
 Very prescriptive
© FREQUENTIS 2016
Safety Cases with the Help of GSN_2016_00.pptx
Page: 9
Presentation Date: August 2016
Author: Andreas Gerstinger
 DO-178C (2012)
 No safety case required
 A "software accomplishment summary" is required, which shows
compliance to the planned lifecycle
 Detailed documentation and processes required
 Very prescriptive
© FREQUENTIS 2016
Page: 10
Safety Cases with the Help of GSN_2016_00.pptx
Presentation Date: August 2016
Author: Andreas Gerstinger
 Def Stan 00-56, Issue 4 (2007)
 Safety Case required: "A structured argument, supported by a body of
evidence that provides a compelling, comprehensible and valid case that
a system is safe for a given application in a given operating environment."
 Safety Management Requirements for Defence Systems
 Strongly goal-based
 No specific processes or documentation structure suggested
 Safety Case is a major requirement
© FREQUENTIS 2016
Page: 11
Safety Cases with the Help of GSN_2016_00.pptx
Presentation Date: August 2016
Author: Andreas Gerstinger
 CENELEC EN 50129 (2003)
 Safety Case required: "the documented demonstration that the product
complies with the specified safety requirements"
 Although detailed processes, documents, techniques and measures
are required, a safety case is also required
 But: A very prescriptive description of how a safety case shall be
structured, containing even the parts, sections and subsections of the
complete safety case
 Practically no freedom how to argue safety
© FREQUENTIS 2016
Page: 12
Safety Cases with the Help of GSN_2016_00.pptx
Presentation Date: August 2016
Author: Andreas Gerstinger
 ISO 26262 (2011)
 Safety Case: "argument that the safety goals for an item are complete
and satisfied by evidence compiled from work products of the safety
activities during development"
 Required for ASILs B, C, D
 No detailed requirements on structure of safety case, but "the safety
case shall be sufficiently complete to evaluate the achievement of
functional safety of the item."
 Processes, documents, techniques and measures are nevertheless
required in detail
 Safety Case is a prerequisite for assessment
© FREQUENTIS 2016
Page: 13
Safety Cases with the Help of GSN_2016_00.pptx
Presentation Date: August 2016
Author: Andreas Gerstinger
 Comparison
Standard
Safety
Case
Comment
IEC 61508
No
-
DO-178C
No
-
Def Stan 00-56
Yes
• Very high level, very goal based
• Safety Case shall demonstrate safety
CENELEC 50129
Yes
• Prescriptive processes and prescritpive
safety case generation
• Safety case shall show that specified
requirements are met
ISO 26262
Yes
• Quite prescriptive processes, lots of freedom
for safety case generation
• Safety case shall show that safety goals are
complete and met
© FREQUENTIS 2016
Page: 14
Safety Cases with the Help of GSN_2016_00.pptx
Presentation Date: August 2016
Author: Andreas Gerstinger
 Content of a Safety Case
 Generally, a Safety Case is a document containing a top level claim
saying:
"The system is safe BECAUSE…"
… compelling and convincing arguments and evidence follow
Safety
Case
Report
HAZOP
FTA
……...
Test
Cases
 What "safe" means in the context has to be defined
 Often other documents and analyses are referenced
© FREQUENTIS 2016
Page: 15
Safety Cases with the Help of GSN_2016_00.pptx
Presentation Date: August 2016
Author: Andreas Gerstinger
 General Form of a Safety Case
The claims, goals, etc. that we
want to prove
The valid arguments
The pieces of evidence
(documents, test results,…)
supporting the arguments
[Kel&04]
 Form:
– Can be simply textual
– But: Difficult to structure, difficult to read
© FREQUENTIS 2016
Page: 16
Safety Cases with the Help of GSN_2016_00.pptx
Presentation Date: August 2016
Author: Andreas Gerstinger
 Is a Safety Case a Proof?
 In an ideal world: Yes.
 In the real world: No.
 But it depends on your understanding of the word "proof"…
 A safety case is rarely as strong as a mathematical proof
 But it should be as strong as a proof in law
Law
Safety
Defendant is innocent until proven
guilty
System is dangerous until proven
safe
In case of the slightest doubts, the
defendant is not guilty
In case of the slightest doubts, the
system is not safe
– And of course, as all proofs: it can contain flaws…
© FREQUENTIS 2016
Page: 17
Safety Cases with the Help of GSN_2016_00.pptx
Presentation Date: August 2016
Author: Andreas Gerstinger
 Arguments vs. Rhetorics
 A Safety Case must be "convincing" (not merely "persuasive")
 It must contain good (valid, compelling, comprehensible) arguments!!!
 Good rhetorics is not necessary (but can help)
If you don't understand a safety case,
there is a high chance that it is crap!
© FREQUENTIS 2016
Page: 18
Safety Cases with the Help of GSN_2016_00.pptx
Presentation Date: August 2016
Author: Andreas Gerstinger
Guidelines for a persuasive (not convincing)

Safety Case Report (1) ;-)
 Write a lot of text, e.g. copy the complete system description and safety plan into
the safety case document
 Don't be too clear – this allows you to always interpret the statements in your
preferred way
 Use many different terms for the same concept
 Use the same term for different concepts (the context helps to understand the
right meaning anyway)
 Use lots of technical jargon that has no relevance to the overall safety, but that
sounds professional
 Make the assessor look incompetent when questions are asked
 Include some easy to find typos and other irrelevant errors so that reviewers can
comment without understanding the contents
 Use a lot of marketing phrases from your products
 Write that your company is successful with the product
 Play bullshit bingo with your safety case
 Mention how hard everybody has worked
© FREQUENTIS 2016
Page: 19
Safety Cases with the Help of GSN_2016_00.pptx
Presentation Date: August 2016
Author: Andreas Gerstinger
Guidelines for a persuasive (not convincing)

Safety Case Report (2) ;-)
 Use lots of references, so that readers are intimidated to check them
 References ad infinitum: always put lots of further references in your
referenced documents, so that readers have to hop many times before
finding the information they are looking for
 Circular references: You can design it that way that after some hops you
land at the originating document again
 Preferably reference books and papers that are out of print/not
available any more
 Always make conclusions from one to all
 Always extrapolate from some event in the past into the future
 Repeat invalid conclusions many times, then they will eventually be
believed
 Remember: "Tell a man that there is wet paint on a bench and he will
have to touch it to make sure. Tell a man there are 100 billion stars in the
universe and he will believe you."
© FREQUENTIS 2016
Page: 20
Safety Cases with the Help of GSN_2016_00.pptx
Presentation Date: August 2016
Author: Andreas Gerstinger
 Disclaimer and Warning
 Use the above guidelines at your own risk! We strongly advise not to
use a single one!
 If you work with people with only the slightest bit of experience with
safety cases, these guidelines will not work at all!
© FREQUENTIS 2016
Page: 21
Safety Cases with the Help of GSN_2016_00.pptx
Presentation Date: August 2016
Author: Andreas Gerstinger
 The Safety Case is not a document!
 The Safety Case is "a structured argument, supported by a body of
evidence that provides a compelling, comprehensible and valid case
that a system is safe for a given application in a given operating
environment." [DS00-56]
 The Safety Case Report is the corresponding document, i.e. "a key
deliverable that summarises the Safety Case at a particular instant in
time" [DS00-56]
 A document-centric approach is not desirable
– "We need the safety case" is often misunderstood to mean "This annoying document
has to be written up by someone now"
© FREQUENTIS 2016
Page: 22
Safety Cases with the Help of GSN_2016_00.pptx
Presentation Date: August 2016
Author: Andreas Gerstinger
 Safety Argument
 "An argument is a connected series of statements intended to
establish a proposition" [Spr12, p.2]
 "You use an argument to persuade others of the validity of some
claim" [Spr12, p.2]
– My opinion: "persuade" should be replaced by "convince"
 Properties of a good safety argument presentation
– It has to be understandable
– It has to be easy to read
– Its logic correctness has to be verifiable
– Logical faults shall be easy to spot
– The notation shall be well defined and uniquely interpretable
– It has to be clearly visible if there are unfinished parts
– It shall be reusable
© FREQUENTIS 2016
Page: 23
Safety Cases with the Help of GSN_2016_00.pptx
Presentation Date: August 2016
Author: Andreas Gerstinger
 Textual Arguments
…can be good…
…but are more
often horrible!
© FREQUENTIS 2016
Page: 24
Safety Cases with the Help of GSN_2016_00.pptx
Presentation Date: August 2016
Author: Andreas Gerstinger
 Tabular Structure
 (+) Clear differentiation between elements of an argumentation:
– Claims
– Arguments
– Evidences
 (-) Not practicable for
large safety cases
 (-) Hierarchical Levels
not straightforward to
represent
[Kel98]
© FREQUENTIS 2016
Page: 25
Safety Cases with the Help of GSN_2016_00.pptx
Presentation Date: August 2016
Author: Andreas Gerstinger

GSNGOAL STRUCTURING NOTATION
© FREQUENTIS 2016
Page: 26
Safety Cases with the Help of GSN_2016_00.pptx
Presentation Date: August 2016
Author: Andreas Gerstinger
 GSN – Goal Structuring Notation
 Developed by Tim Kelly et al., University of York
 "Forces" author to develop clear arguments
 Graphical Notation
 Safety cases in GSN easier to read than text
 Reduces fault probability in safety cases
 Tool support available
 Currently being standardized
 Clearly shows
– Goals (aka "Claims")
– Arguments (aka "Strategies")
– Evidence (aka "Solutions")
© FREQUENTIS 2016
Page: 27
Safety Cases with the Help of GSN_2016_00.pptx
Presentation Date: August 2016
Author: Andreas Gerstinger
 GSN Symbols Overview (Subset)
© FREQUENTIS 2016
Page: 28
Safety Cases with the Help of GSN_2016_00.pptx
Presentation Date: August 2016
Author: Andreas Gerstinger

GSN "GOAL"
© FREQUENTIS 2016
Page: 29
Safety Cases with the Help of GSN_2016_00.pptx
Presentation Date: August 2016
Author: Andreas Gerstinger
 GSN GOAL
 A Goal is a proposition to be established.
– Is a statement that can be “TRUE” or “FALSE”
 Represents a claim, the truth of which is to be demonstrated by
argument
 The Goal text should be of the form subject-verb(-object)
© FREQUENTIS 2016
Page: 30
Safety Cases with the Help of GSN_2016_00.pptx
Presentation Date: August 2016
Author: Andreas Gerstinger
 Top Goal – your top level claim
 For a safety case, it is typically something like "The System is
acceptably safety for a given application in a given environment"
 The top goal is typically divided into several sub-goals, sub-sub-goals,
etc. which are easier to prove
 GSN development typically is a top-down approach – you start with
the top level proposition you want to show to be true
© FREQUENTIS 2016
Page: 31
Safety Cases with the Help of GSN_2016_00.pptx
Presentation Date: August 2016
Author: Andreas Gerstinger
Excercise: Which of the following claims could

be used as a Top Goal?
1. Our Quality Management System is ISO9001:2008 compliant (ISO
2008)
2. My Business Plan is complete and ready for review by the Board
3. This burial site is probably that of Rædwald, King of the East Angles
4. This painting should be attributed to Albrecht Dürer
5. This equipment fulfils the essential requirements of the RTTE Directive
6. Beryllia is a carcinogen
7. Hazard Identification and Risk Assessment
8. Assurance is provided that safety requirements raised on the software
are valid
9. The GSN Symbol for a Goal is a rectangle
10. The colour of the sky
© FREQUENTIS 2016
Page: 32
Safety Cases with the Help of GSN_2016_00.pptx
Presentation Date: August 2016
Author: Andreas Gerstinger

GSN "CONTEXT"
© FREQUENTIS 2016
Page: 33
Safety Cases with the Help of GSN_2016_00.pptx
Presentation Date: August 2016
Author: Andreas Gerstinger
 GSN CONTEXT
 The truth of a claim depends on the context!
 What does a typical top level claim "The system is acceptably safe"
actually mean?
– What does safe mean here?
– How much/little safety is acceptable?
– In which environment?
– For which use or application?
© FREQUENTIS 2016
Page: 34
Safety Cases with the Help of GSN_2016_00.pptx
Presentation Date: August 2016
Author: Andreas Gerstinger
 It all depends on context…
© FREQUENTIS 2016
Page: 35
Safety Cases with the Help of GSN_2016_00.pptx
Presentation Date: August 2016
Author: Andreas Gerstinger
 GSN CONTEXT
 Context provides, or references out to, definitions and other supporting
material
 Always on the end of an open-headed arrow
– Important: DO NOT hang other contextual information from them
 Environmental Context
 External References
© FREQUENTIS 2016
Page: 36
Safety Cases with the Help of GSN_2016_00.pptx
Presentation Date: August 2016
Author: Andreas Gerstinger
 GSN CONTEXT
 Another example
 Too much context probably means your goal uses too many vague
terms
 Makes GSN less readable
© FREQUENTIS 2016
Page: 37
Safety Cases with the Help of GSN_2016_00.pptx
Presentation Date: August 2016
Author: Andreas Gerstinger
 Context Excercise
My factory manager wants to persuade me that one of her preventative
maintenance procedures, known as PMP5, is adequate to keep the
factory power supply running. She claims, ‘‘PMP5 is fit for purpose’’. We
want to document the argument so that in future, if someone wants to
change the procedure, they will be able to ensure that they do not ‘‘break’’
it. Using GSN, how could the claim, ‘‘PMP5 is fit for purpose’’, and its
Contexts be presented?
© FREQUENTIS 2016
Page: 38
Safety Cases with the Help of GSN_2016_00.pptx
Presentation Date: August 2016
Author: Andreas Gerstinger

GSN "GOALS AND SUBGOALS"
© FREQUENTIS 2016
Page: 39
Safety Cases with the Help of GSN_2016_00.pptx
Presentation Date: August 2016
Author: Andreas Gerstinger
 GSN Goals and Sub-Goals
 Goals are typically decomposed into sub-goals
 Truth of Sub-Goals is sufficient to establish truth of Goal
 GSN is meant to be read in the deductive form
– "D is true because A, B and C are true"
 Not in the inductive form
– "Because A, B and C are true, we can conclude that D is true"
© FREQUENTIS 2016
Page: 40
Safety Cases with the Help of GSN_2016_00.pptx
Presentation Date: August 2016
Author: Andreas Gerstinger
 GSN Goals and Sub-Goals
 Similar to a mathematical proof, which is usually in the form: Theorem
– Proof
 Sub-Claims which are accepted by the reader without detailed proof
can be skipped by the reader
© FREQUENTIS 2016
Page: 41
Safety Cases with the Help of GSN_2016_00.pptx
Presentation Date: August 2016
Author: Andreas Gerstinger
 GSN does not preclude fallacies
 The reader must judge if the argument is logically flawed!
 Of course again, all depends on context (which is missing here)! Who
is meant by "Socrates" here?
© FREQUENTIS 2016
Page: 42
Safety Cases with the Help of GSN_2016_00.pptx
Presentation Date: August 2016
Author: Andreas Gerstinger
 A more realistic example
 Important to add enough information into goals to make argument
understandable
© FREQUENTIS 2016
Page: 43
Safety Cases with the Help of GSN_2016_00.pptx
Presentation Date: August 2016
Author: Andreas Gerstinger
 Excercise
Adelle is the daughter of Bertrand and Celine. Celine’s parents are Didier
and Estelle. Construct a simple argument in GSN claiming that Adelle is
Estelle’s granddaughter.
© FREQUENTIS 2016
Page: 44
Safety Cases with the Help of GSN_2016_00.pptx
Presentation Date: August 2016
Author: Andreas Gerstinger
 Excercise
Adelle is the daughter of Bertrand and Celine. Celine’s parents are Didier
and Estelle. Estelle’s brother Frederic is married to Gabrielle; they have a
son, Henri. Construct an argument in GSN that Gabrielle is the great aunt
of Adelle by decomposing this Top Goal into two appropriate Sub-Goals,
and then decompose your Sub-Goals one level, as necessary.
© FREQUENTIS 2016
Page: 45
Safety Cases with the Help of GSN_2016_00.pptx
Presentation Date: August 2016
Author: Andreas Gerstinger

GSN "ARGUMENT STRATEGY"
© FREQUENTIS 2016
Page: 46
Safety Cases with the Help of GSN_2016_00.pptx
Presentation Date: August 2016
Author: Andreas Gerstinger
 GSN STRATEGY
 Part of the argumentation
– Contain a brief description of the argument approach
 Always links to Goals with a solid-headed arrow
– Only one incoming arrow from above
– Many outgoing arrows below
 Contextual information referenced with open-headed arrow
 Note that the symbol is optional, sub-goals can be linked directly to
goals
– Describes the rationale why goals are divided into the specific chosen sub-goals
– Massively improves readability and comprehensibility
© FREQUENTIS 2016
Page: 47
Safety Cases with the Help of GSN_2016_00.pptx
Presentation Date: August 2016
Author: Andreas Gerstinger
G0
 GSN STRATEGY
The system is
adequately safe to
operate
G0
S0.1
All functional requirements have
been successfully verified by
test or by demonstration
S0.1
Argue that the system is safe
to operate in normal
operation
S0.2
Argue in turn for each
automatic function
S0.2
Argue that the system
remains safe under failure
conditions
S0.3
Argue in turn for each
user-triggered function
Argue in turn for each
operator-initiated
function
G0
Option C is the
best of the
candidates
C0a
S0
The set of candidates
is [A, B, C, D, E]
Argument over the set
of candidates
G1
G2
Option C 2016
is better
Option Page:
C is better
© FREQUENTIS
48
thanwith
Option
A of GSN_2016_00.pptx
than Option B
Safety Cases
the Help
G3
G4
Option
C isDate:
better
Presentation
August 2016 Option C is better
than
Option
D Gerstinger
than Option E
Author:
Andreas
 Note: Numbering GSN elements
 It is convenient to give unique IDs to all elements in a GSN
 Makes references and reusing elements possible
 GSN does not specify how elements shall be numbered
 There are several methods, e.g.
– Unique Names
– Numerical sequential IDs
– Hierarchical numbering (preferred way, used here)
© FREQUENTIS 2016
Page: 49
Safety Cases with the Help of GSN_2016_00.pptx
Presentation Date: August 2016
Author: Andreas Gerstinger
 Security Example with Strategy
© FREQUENTIS 2016
Page: 50
Safety Cases with the Help of GSN_2016_00.pptx
Presentation Date: August 2016
Author: Andreas Gerstinger
 Excercise
 Is there anything missing from the top level of this Goal Structure?
 How would you express this example using Sub-Goals, rather than
multiple Strategies?
© FREQUENTIS 2016
Page: 51
Safety Cases with the Help of GSN_2016_00.pptx
Presentation Date: August 2016
Author: Andreas Gerstinger

GSN "JUSTIFICATION"
© FREQUENTIS 2016
Page: 52
Safety Cases with the Help of GSN_2016_00.pptx
Presentation Date: August 2016
Author: Andreas Gerstinger
 GSN JUSTIFICATION
 Provides extra explanation or rationale
– A reason for what you have done
 Is a contextual information
– Always associated with the element being justified
 We use it to say…
– Why the sub-goals have been chosen when others may have been more obvious
– Alternatively, a Justification may contain a simple “If A then B” argument
© FREQUENTIS 2016
Page: 53
Safety Cases with the Help of GSN_2016_00.pptx
Presentation Date: August 2016
Author: Andreas Gerstinger
 GSN JUSTIFICATION
 Refer out to an existing argument
C3a
G3
BP-02, "Procedure
for preparing
business plans"
Correctly following
Procedure BP-02
produces a complete
Business Plan
© FREQUENTIS 2016
Page: 54
Safety Cases with the Help of GSN_2016_00.pptx
J3a
Presentation Date: August 2016
Author: Andreas Gerstinger
This is argued in an
Annex to procedure
BP-02
J
G0
 GSN JUSTIFICATION
The system is
adequately safe to
operate
 Split-up
S0.1
Argue that the system is safe
to operate in normal
operation
S0.2
Argue that the system
remains safe under failure
conditions
G0
The system is
adequately safe to
operate
S0.1
Argue that the system is safe
to operate in normal
operation
{ Volume 1 }
G0
J0
That the system remains
safe under failure
conditions is argued in
Volume 2
The system is
adequately safe to
operate
{ Volume 2 }
J
J0
S0.1
That the system is safe
under in normal operation
is argued in Volume 1
J
© FREQUENTIS 2016
Page: 55
Safety Cases with the Help of GSN_2016_00.pptx
Presentation Date: August 2016
Author: Andreas Gerstinger
Argue that the system
remains safe under failure
conditions
 GSN JUSTIFICATION
 If A than B
G0
Option C is the
best of the
candidates
S0
J0
If option C is better
than each candidate,
then it is best overall
Argument over the set
of candidates
G1
G2
G3
G4
Option C is better
than Option A
Option C is better
than Option B
Option C is better
than Option D
Option C is better
than Option E
© FREQUENTIS 2016
Page: 56
Safety Cases with the Help of GSN_2016_00.pptx
Presentation Date: August 2016
Author: Andreas Gerstinger
J

GSN "ASSUMPTION"
© FREQUENTIS 2016
Page: 57
Safety Cases with the Help of GSN_2016_00.pptx
Presentation Date: August 2016
Author: Andreas Gerstinger
 GSN ASSUMPTION
 An assumption is something taken to be true for the purpose of the
argument
 Simplify a situation
– Argument may be invalid in general, but perfectly adequate in the conditions you
assume.
– Argument is valid for specified conditions.
 It is very important to state your assumptions explicitly
 The symbol itself say “I assume that …”, so there is no need to repeat
it in the text.
 An assumption helps you to say that a statement in a Goal is TRUE
© FREQUENTIS 2016
Page: 58
Safety Cases with the Help of GSN_2016_00.pptx
Presentation Date: August 2016
Author: Andreas Gerstinger
 GSN ASSUMPTION
 Fragment of an argument about traffic lights at a road junction with
pedestrian crossings
 Exercise: Are the three assumptions appropriate?
C6.3
"All signal lights"
includes those for
pedestrians
G6.3
On detection of any of the
specified failure conditions,
all signal lights are
extinguished
A6.3a
It is assumed that
vehicle traffic is in the
junction
A
S6.3
A6.3b
The failure conditions
are specified in the
concept of operations
A
A6.3c
Argue over each failure
condition & any combination
thereof
The system fulfils its
electromagnetic interference
susceptibility requirements
A
© FREQUENTIS 2016
Page: 59
Safety Cases with the Help of GSN_2016_00.pptx
Presentation Date: August 2016
Author: Andreas Gerstinger
 GSN ASSUMPTION
 Revised fragment of an argument about traffic lights at a road junction
with pedestrian crossings
C6.3b
The failure conditions
are specified in the
concept of operations
C6.3a
G6.3
"All signal lights"
includes those for
pedestrians
On detection of any of the
specified failure conditions,
all signal lights are
extinguished
The system fulfils its
electromagnetic interference
susceptibility requirements
A
S6.3
Argue over each failure
condition & any combination
thereof
© FREQUENTIS 2016
Page: 60
Safety Cases with the Help of GSN_2016_00.pptx
A6.3
Presentation Date: August 2016
Author: Andreas Gerstinger

GSN "SOLUTION"
© FREQUENTIS 2016
Page: 61
Safety Cases with the Help of GSN_2016_00.pptx
Presentation Date: August 2016
Author: Andreas Gerstinger
 Where is the final proof?
 Well, the argument is correct
 But who says that the premises are true?
– Are all men mortal?
– Is Socrates a man?
 Solutions provide the evidence that the lowest sub-goals are actually
true
 Without this evidence, the argument is not complete!
© FREQUENTIS 2016
Page: 62
Safety Cases with the Help of GSN_2016_00.pptx
Presentation Date: August 2016
Author: Andreas Gerstinger
 Solutions (aka Evidence)
G1
All men are mortal
J1
The Methusaleh Report
concludes, from
epidemiological studies,
that all men are mortal.
Sn1
The Methusaleh
Report
J
J1
Xanthippe is "Mrs.
Socrates" – she
should know...
G1
Socrates is a man
J
Sn1
Witness
statement from
Xanthippe
© FREQUENTIS 2016
Page: 63
Safety Cases with the Help of GSN_2016_00.pptx
Presentation Date: August 2016
Author: Andreas Gerstinger
 GSN SOLUTION
 A single Goal can have one or more evidences
– Do not bundle them
– Use separate Evidence symbol for each
 If an evidence supports more than one Goal
– Label each evidence item uniquely
– Use the same Evidence and not update the index
 Solutions or Evidences make no claim
– Simply references to evidence artefact that provide support for a particular claim
© FREQUENTIS 2016
Page: 64
Safety Cases with the Help of GSN_2016_00.pptx
Presentation Date: August 2016
Author: Andreas Gerstinger
 GSN SOLUTION
© FREQUENTIS 2016
Page: 65
Safety Cases with the Help of GSN_2016_00.pptx
Presentation Date: August 2016
Author: Andreas Gerstinger
 Where does Evidence come from?
 Direct Evidence
– tells something about the product
– e.g. product features, test results, static analysis results, formal proofs,...
 Backing (indirect) Evidence
– tells something about the process
– e.g. well established process according to ISO9000, reviews were conducted
properly,...
 Due to the difficulty of providing sufficient direct evidence for software,
backing evidence plays a crucial role
© FREQUENTIS 2016
Page: 66
Safety Cases with the Help of GSN_2016_00.pptx
Presentation Date: August 2016
Author: Andreas Gerstinger
 GSN RELATIONSHIP INDICATION
 GSN elements are intended to be combined to represent logical
structure. GSN provides two types of linkage between elements
1. SupportedBy
– Inferential relationships declare that there is an inference between goals in the
argument
– Evidential relationships declare the link between a goal and the evidence used to
substantiate it
– Goal-to-goal, goal-to-strategy, goal-to-solution, strategy to goal
2. InContextOf
– Declares a contextual relationship
– Goal-to-context, goal-to-assumption, goal-to-justification, strategy-to-context,
strategy-to-assumption and strategy-to-justification
© FREQUENTIS 2016
Page: 67
Safety Cases with the Help of GSN_2016_00.pptx
Presentation Date: August 2016
Author: Andreas Gerstinger

COMMON ERRORS
© FREQUENTIS 2016
Page: 68
Safety Cases with the Help of GSN_2016_00.pptx
Presentation Date: August 2016
Author: Andreas Gerstinger
 Confirmation Bias
 You look for what you want to find
 Searching for counter-evidence is crucial
 Somebody needs to challenge the safety case
© FREQUENTIS 2016
Page: 69
Safety Cases with the Help of GSN_2016_00.pptx
Presentation Date: August 2016
Author: Andreas Gerstinger
 Avoidance of Common Errors in GSN
 The statements made in GSN goal, context and solution elements
should be stated atomically
– A single node should contain exactly one claim or reference
– Goals should only contain claims
– Solutions should only refer to evidence
– Strategies should only summarise the argument approach
 The statements made in GSN goal elements capture the claims made
in the argument
– The statements should be expressed in the form <noun-phrase><verb-phrase>
 Similarly, assumptions should be stated atomically in GSN
© FREQUENTIS 2016
Page: 70
Safety Cases with the Help of GSN_2016_00.pptx
Presentation Date: August 2016
Author: Andreas Gerstinger
 Avoidance of Common Errors in GSN
 GSN strategy elements record the approach used in structuring the
argument
– It should be possible to remove all of the strategy elements without affecting the
logical flow of the claims being made
– Like "comments" in programming languages, they enhance readability
 Strategy elements are intended as a description of the argument
approach which has been carried out to relate claims stated at
different levels of detail
– For example, the strategy “Interlocks used” should be phrased “Argument by appeal
to the use of interlocks”, to focus the reader’s attention on the argument process,
rather than on the design of the system.
© FREQUENTIS 2016
Page: 71
Safety Cases with the Help of GSN_2016_00.pptx
Presentation Date: August 2016
Author: Andreas Gerstinger
 Avoidance of Common Errors in GSN
 Context elements should not be used to refer to information which is
intended to support the validity of a claim.
 Context elements are sometimes used where a GSN assumption or
justification may be more appropriate.
 Context and Solution elements in GSN should provide references to
artefacts stored elsewhere
– A single noun-phrase should be sufficient to identify these artefacts
– It is not necessary to summarize the content of the artefact in the GSN node
© FREQUENTIS 2016
Page: 72
Safety Cases with the Help of GSN_2016_00.pptx
Presentation Date: August 2016
Author: Andreas Gerstinger
 Fallacies in Safety Cases [Gre&06]
 A critical review of three publicly available safety cases showed that
fallacies are quite common
© FREQUENTIS 2016
Page: 73
Safety Cases with the Help of GSN_2016_00.pptx
Presentation Date: August 2016
Author: Andreas Gerstinger
 Safety Argument Fallacy Taxonomy [Gre&06]
 Circular Reasoning
– Circular Argument, Circular Definition
 Diversionary Arguments
– Irrelevant Premise, Verbose Argument
 Fallacious Appeals
– Appeal to Common Practice, Appeal to Improper/Anonymous Authority, Appeal to Money, Appeal to
Novelty, Association Fallacy, Genetic Fallacy
 Mathematical Fallacies
– Faith in Probability, Gambler’s Fallacy, Insufficient Sample Size, Pseudo-Precision, Unrepresentative
Sample
 Unsupported Assertions
– Arguing from Ignorance, Unjustified Comparison, Unjustified Distinction
 Anecdotal Arguments
– Correlation Implies Causation, Damning the Alternatives, Destroying the Exception, Destroying the
Rule, False Dichotomy
 Omission of Key Evidence
– Omission of Key Evidence, Fallacious Composition, Fallacious Division, Ignoring Counter-Evidence,
Oversimplification
 Linguistic Fallacies
– Ambiguity, Equivocation, Suppressed Quantification, Vacuous Explanation, Vagueness
© FREQUENTIS 2016
Page: 74
Safety Cases with the Help of GSN_2016_00.pptx
Presentation Date: August 2016
Author: Andreas Gerstinger
 Any fallacies here?
C0.1
"Sufficiently secure"
means that it is
guaranteed that no
unauthorised access
will ever take place
G0
InContextOf
SupportedBy
The computer system
is sufficiently secure
SupportedBy
InContextOf
C0.2
CIA computer system
storing all strategic
plans for future CIA
activities
SupportedBy
G1
G2
G3
The developer had
security know-how
No security leaks
were found during
analysis
A paid hacker could
not break into the
system
SupportedBy
SupportedBy
SupportedBy
Sn1.1
Training
Certificate
© FREQUENTIS 2016
Page: 75
Safety Cases with the Help of GSN_2016_00.pptx
Sn2.1
Analysis
Report
Presentation Date: August 2016
Author: Andreas Gerstinger
Sn3.1
Hacker Report
 Any fallacies?
C0.1
G0
A0.1
COMPANY shares are in
the Dow Jones
InContextOf
A
SupportedBy
Prices of COMPANY
shares will rise within
the next year
InContextOf
SupportedBy
"Rise" means that the
price at the end of the
last trading day is
higher than at the
beginning of the first
trading day in a year
SupportedBy
G1
G2
G3
Experts say COMPANY
has a bright future
The Dow Jones Index
will rise within the
next year
Interest rates are low
SupportedBy
SupportedBy
SupportedBy
Sn1.1
Newspaper
G2.1
The Dow Jones Index
has always risen
within a year in the
last 10 years
SupportedBy
Sn2.1.1
Historical
Records
© FREQUENTIS 2016
Page: 76
Safety Cases with the Help of GSN_2016_00.pptx
Presentation Date: August 2016
Author: Andreas Gerstinger
Sn3.1
Bank
Commercials
 Any fallacies?
G0
MEDICATION X helps
to alleviate a common
cold
SupportedBy
SupportedBy
G1
G2
Dr. X confirms that
MEDICATION X works
There are several
success stories
available
SupportedBy
SupportedBy
Sn1
Dr. X's
testimonial
Sn2
Detailed doc of
three success
stories
SupportedBy
SupportedBy
G3
Last time when I had
a cold, I took
MEDICATION X and
my cold was gone
within three days
SupportedBy
Sn3
My own
testimonial
© FREQUENTIS 2016
Page: 77
Safety Cases with the Help of GSN_2016_00.pptx
Presentation Date: August 2016
Author: Andreas Gerstinger
G4
MEDICATION X does
not have any
unwanted side effects
SupportedBy
Sn4
Rigorous randomized
double blind evidencebased study about
absence of side effects
of MEDICATION X
Excerpt of EUR RVSM Safety Case – can you find

fallacies?
© FREQUENTIS 2016
Page: 78
Safety Cases with the Help of GSN_2016_00.pptx
Presentation Date: August 2016
Author: Andreas Gerstinger

UK DEF-STAN 00-56
© FREQUENTIS 2016
Page: 79
Safety Cases with the Help of GSN_2016_00.pptx
Presentation Date: August 2016
Author: Andreas Gerstinger


13.2.1 The Contractor shall ensure that the Safety Case consists of a structured argument, supported
by a body of evidence that provides a compelling, comprehensible and valid case that a system is
safe for a given application in a given environment.

13.2.5 The Contractor shall provide evidence to demonstrate the competence of individuals and
organisations responsible for tasks that have a bearing on safety.

13.2.6 The Contractor shall develop, maintain and refine the Safety Case as defined in the SMP and
in developing the Safety Case the Contractor shall address the full lifecycle (CADMID/T) of the PSS.

13.2.7 Where practicable, the Contractor should provide objective evidence.

13.2.8 The Contractor should provide diverse evidence, to ensure that that the overall safety
argument is not compromised by errors or uncertainties in individual pieces of evidence.

13.2.9 The Contractor should demonstrate that the arguments and evidence in Safety Cases are
sound, comprehensive and trustworthy.

13.2.10 The Contractor should provide evidence to demonstrate the adequacy and suitability of the
methods and techniques used for safety and risk analysis and in safety engineering.

13.2.11 The Contractor should develop, maintain and refine the Safety Case through the life of the
Contract.

13.2.12 The Contractor should provide evidence of competency of those whose work could impact
safety and confidence in the Safety Case.

13.2.13 The Contractor should ensure that any related Safety Cases or information sets already in
existence and identified in the scope of analysis are utilised and integrated as necessary.
© FREQUENTIS 2016
Page: 80
Safety Cases with the Help of GSN_2016_00.pptx
Presentation Date: August 2016
Author: Andreas Gerstinger

 The Contractor shall produce Safety Case Reports that incorporate the
key elements of the safety argument and references to evidence so
that, in principle, it would be possible to access the complete Safety
Case, starting from the Report, or counter-evidence where it has been
identified.
 Where there are shortfalls in the evidence the Contractor shall ensure
that the Safety Case Report provides the rationale for operating the
PSS, and the ways of mitigating the residual risk.
 The Contractor should ensure that any related Safety Case Reports or
ISSSs already in existence and identified in the scope of analysis are
utilised and integrated as necessary.
 The Contractor should deliver the Reports incrementally, as
Contracted, to give the MOD visibilit of progress in safety engineering
and safety analysis.
© FREQUENTIS 2016
Page: 81
Safety Cases with the Help of GSN_2016_00.pptx
Presentation Date: August 2016
Author: Andreas Gerstinger

© FREQUENTIS 2016
Page: 82
Safety Cases with the Help of GSN_2016_00.pptx
Presentation Date: August 2016
Author: Andreas Gerstinger

CASE STUDY
© FREQUENTIS 2016
Page: 83
Safety Cases with the Help of GSN_2016_00.pptx
Presentation Date: August 2016
Author: Andreas Gerstinger
 Case Study
 Read the handout
 Create a GSN for a claim like
"The system is acceptably safe…"
 Please form groups of <=5 people
 Time: 40min for elaboration, 20min for discussion
© FREQUENTIS 2016
Page: 84
Safety Cases with the Help of GSN_2016_00.pptx
Presentation Date: August 2016
Author: Andreas Gerstinger

SOME FINAL NOTES
© FREQUENTIS 2016
Page: 85
Safety Cases with the Help of GSN_2016_00.pptx
Presentation Date: August 2016
Author: Andreas Gerstinger
Problems with Traditional Safety Case

Development: "Retrospective Safety Case"
Too late!
[Kel98], p. 67
 Large amounts of re-design necessary because safety case cannot be constructed
 Less robust safety case – safety engineers have to live with the current design instead
of influence the design
 Lost safety rationales – rationales for certain design features might not be recorded and
therefore lost
© FREQUENTIS 2016
Page: 86
Safety Cases with the Help of GSN_2016_00.pptx
Presentation Date: August 2016
Author: Andreas Gerstinger
 Better: Evolutionary Safety Case Development
Continuous Safety Case
Development
[Kel98], p. 69
 (Intermediate) Safety Cases are produced at each major milestone in
a project
 GSN supports the evolutionary development of safety cases
© FREQUENTIS 2016
Page: 87
Safety Cases with the Help of GSN_2016_00.pptx
Presentation Date: August 2016
Author: Andreas Gerstinger
 Three publicly available Safety Cases
 Unfortunately, most safety cases are not publicly available
 Should safety cases affecting the public be publicly available? (cf.
sessions and decisions in a criminal court)
1. [EUR01] The EUR RVSM Pre-Implementation Safety Case
Reduced vertical separation safety case
GSN and text
2. [Kin01] Eurocontrol Whole Airspace ATM System Safety Case
Common airspace for all Eurocontrol member states
GSN and text
3. [NAG02] Project Opalinus Clay: Safety Report
Long-term radioactive waste storage facility
Text, heavy use of bullet points
© FREQUENTIS 2016
Page: 88
Safety Cases with the Help of GSN_2016_00.pptx
Presentation Date: August 2016
Author: Andreas Gerstinger
 Potential problems with Safety Cases
 Confirmation bias: People who have a vital interest that the top level claim is true
provide the evidence
 People who build the system also build the safety case, they only see the positive
evidence
 Re-inventing the wheel many times instead of using successful processes which are
successful over many years
 "The problem is that it is always possible to find or produce evidence that something is
safe." [Lev11]
 "Care should be taken when utilizing techniques such as Goal Structured Notation […]
to avoid falling into the trap of assuming the conclusion […], or looking for supporting
evidence for the conclusion instead of carrying out a proper analysis of risk." [Lev11]
[Lev11] Nancy Leveson. The Use of Safety Cases in Certification and Regulation.
Journal of System Safety, Vol. 47, No. 6, 2011.
 Active searching for counter-evidence is important! (and not
finding counter-evidence is no guarantee that it does not exist)
© FREQUENTIS 2016
Page: 89
Safety Cases with the Help of GSN_2016_00.pptx
Presentation Date: August 2016
Author: Andreas Gerstinger
 Some conclusions with my personal view
 Good processes, techniques and measures are necessary but not
sufficient to assure safety
 A Safety Case must be easy to follow and understandable
 The Safety Case is the most important document for assuring safety
 There shall be freedom in the design of the safety case
 ISO 26262 combines necessary prescriptions with the goal-based
approach of a Safety Case in the best way
 GSN improves readability of Safety Cases massively
 GSN is an excellent way to document or to support the documentation
of Safety Cases
© FREQUENTIS 2016
Page: 90
Safety Cases with the Help of GSN_2016_00.pptx
Presentation Date: August 2016
Author: Andreas Gerstinger
Thank You!

DEVELOPING GOAL STRUCTURES
© FREQUENTIS 2016
Page: 92
Safety Cases with the Help of GSN_2016_00.pptx
Presentation Date: August 2016
Author: Andreas Gerstinger
 Developing - SIX STEP METHOD – Top Down
Elaborate
strategy
Step 5
STOP
Identify goals
to be
supported
Step 1
Define basis
on which
goals stated
Step 2
© FREQUENTIS 2016
Page: 93
Safety Cases with the Help of GSN_2016_00.pptx
Identify
strategy to
support
goals
Step 3
Define basis
on which
strategy
stated
Step 4
Presentation Date: August 2016
Author: Andreas Gerstinger
Identify
Basic
Solutions
Step 6
 Step 1: Identify Goals
5
 Goals should be phrased as propositions
 Statements that can be said to be
1
3
2
4
6
TRUE / FALSE
 Statement should be expressed as a single statement (1 sentence) in
the form
– NOUN-PHRASE : identifies the subject
– VERB-PHRASE : defines a predicate over the subject
 The objective of this step is to identify the top goal, the principal claim
that the remainder of the argument should support
© FREQUENTIS 2016
Page: 94
Safety Cases with the Help of GSN_2016_00.pptx
Presentation Date: August 2016
Author: Andreas Gerstinger
 Step 1: Identify Goals
5
 It is important that the claim made in the
top goal is stated at an appropriate level of
detail
1
3
2
4
 Correctly:
– The SR-SW is adequately safe.
– The insulin pump is adequately safe for routine use.
 Incorrectly:
– Fault Tree for Hazard H1.  !! Describes an entity !!
– How many failure modes does comp. X have?  !! Question !!
– All hazards have been mitigated. -> !! No over all top-goal !!
 Test: “CAN WE SAY THAT THE GOAL
ISAugust
TRUE
OR FALSE”
Presentation Date:
2016
© FREQUENTIS 2016
Page: 95
Safety Cases with the Help of GSN_2016_00.pptx
Author: Andreas Gerstinger
6
 Step 1: Identify Goals
5
 Running Example:
© FREQUENTIS 2016
Page: 96
Safety Cases with the Help of GSN_2016_00.pptx
Presentation Date: August 2016
Author: Andreas Gerstinger
1
3
2
4
6
Step 2: Definition of the Basis on

which Goals are Stated
5
 A claim can be evaluated as ‘true’ or ‘valid’
only if the basis on which it is stated is clear
1
3
6
2
– Ensure that the reader has an adequate and correct understanding
of4the context
surrounding the claim
– Identifying information required about the …
– system under discussion
– context of the system
– argument
© FREQUENTIS 2016
Page: 97
Safety Cases with the Help of GSN_2016_00.pptx
Presentation Date: August 2016
Author: Andreas Gerstinger
Step 2: Definition of the Basis on

which Goals are Stated
5
 Contexts are used to refer
– System information
– Artefacts
– Processes
© FREQUENTIS 2016
Page: 98
Safety Cases with the Help of GSN_2016_00.pptx
Presentation Date: August 2016
Author: Andreas Gerstinger
1
3
2
4
6
Step 2: Definition of the Basis on

which Goals are Stated
5
 contextual information associated with a claim made
3
6
1 in a particular
goal is understood to be in scope for all sub-goals of that goal
2
4
 the objective of using context is to ensure that there is a clear
understanding of goal-statements between reader and writer
 definitions can be provided throughout the course of the argument
communicated by the goal structure
© FREQUENTIS 2016
Page: 99
Safety Cases with the Help of GSN_2016_00.pptx
Presentation Date: August 2016
Author: Andreas Gerstinger
Step 2: Definition of the Basis on

which Goals are Stated
5
 Running Example:
© FREQUENTIS 2016
Page: 100
Safety Cases with the Help of GSN_2016_00.pptx
Presentation Date: August 2016
Author: Andreas Gerstinger
1
3
2
4
6
 Step 3: Identification of Strategy
5
 Work out how to substantiate the stated goal
– “What reasons are there for saying the goal is true!”
1
– “What statements would convince the reader that the goal is true?”
3
6
2
4
 Aiming for statements that are easier to support than the larger goal
– Breaking into a number of smaller goals
– Relating goal more closely to specific application in question ( e. g. – for a generic
requirement)
© FREQUENTIS 2016
Page: 101
Safety Cases with the Help of GSN_2016_00.pptx
Presentation Date: August 2016
Author: Andreas Gerstinger
 Step 3: Identification of Strategy
5
 Divide and Conquer Goal Decomposition
1
3
– decompose a high-level goal into a number of ‘smaller’ goals
2
© FREQUENTIS 2016
Page: 102
Safety Cases with the Help of GSN_2016_00.pptx
Presentation Date: August 2016
Author: Andreas Gerstinger
4
6
 Step 3: Identification of Strategy
5
 Interpretation, or Detailing, of a Goal
1
3
6
– Another approach is to attempt to re-state the original claim as one more closely
related to the specific application in question or to the evidence that will ultimately be
2
4
used to support the argument.
© FREQUENTIS 2016
Page: 103
Safety Cases with the Help of GSN_2016_00.pptx
Presentation Date: August 2016
Author: Andreas Gerstinger
 Step 3: Identification of Strategy
5
1
3
2
4
6
 The role of a strategy node is to clearly explain the relationship
between a goal and a set of sub-goals
 Strategy statements should describe the argument approach adopted
– “Argument by … <approach>”
– “Argue that … <approach>”
– …
© FREQUENTIS 2016
Page: 104
Safety Cases with the Help of GSN_2016_00.pptx
Presentation Date: August 2016
Author: Andreas Gerstinger
 Step 3: Identification of Strategy
5
 Running Example:
© FREQUENTIS 2016
Page: 105
Safety Cases with the Help of GSN_2016_00.pptx
Presentation Date: August 2016
Author: Andreas Gerstinger
1
3
2
4
6
Step 4: Definition of the Basis on

which the Strategy is Stated
5
 Identifying the contextual information required to understand
the
argument approach described by the GSN strategy node
3
6
1
2 the same
4 as that for
 The process of identifying context for strategies is
goals
– strategies should be examined and assessed for terms or concepts that have been
introduced but not defined explicitly
© FREQUENTIS 2016
Page: 106
Safety Cases with the Help of GSN_2016_00.pptx
Presentation Date: August 2016
Author: Andreas Gerstinger
Step 4: Definition of the Basis on

which the Strategy is Stated
5 strategy
 Ask what information is required in order to expand / fulfil
outlined
3
6
1
2
4if the reader
 Add context information, justifications and/or assumptions
need more information
© FREQUENTIS 2016
Page: 107
Safety Cases with the Help of GSN_2016_00.pptx
Presentation Date: August 2016
Author: Andreas Gerstinger
Step 4: Definition of the Basis on

which the Strategy is Stated
5
 Running Example:
© FREQUENTIS 2016
Page: 108
Safety Cases with the Help of GSN_2016_00.pptx
Presentation Date: August 2016
Author: Andreas Gerstinger
1
3
2
4
6
 Step 5: Elaborate Strategy
 Elaborating a strategy involves defining new goals, i.e.5 beginning the
argument development process again at Step 1, although this time
3
6
1 goal structure.
obviously the goals are one level further down the
2
4
 It should be noted that a sub-goal stated as part of a strategy in
support of a particular parent goal may also form part of the supporting
argument of other parent goals.
© FREQUENTIS 2016
Page: 109
Safety Cases with the Help of GSN_2016_00.pptx
Presentation Date: August 2016
Author: Andreas Gerstinger
 Step 5: Elaborate Strategy
5 until it is clear
 The goal structure continues to be developed in this way
that no further decomposition into sub-goals is necessary and the goal
3
6
1
can be directly supported by appeal to some evidence
artefact
2
© FREQUENTIS 2016
Page: 110
Safety Cases with the Help of GSN_2016_00.pptx
Presentation Date: August 2016
Author: Andreas Gerstinger
4
 Step 5: Elaborate Strategy
5
 Running Example:
© FREQUENTIS 2016
Page: 111
Safety Cases with the Help of GSN_2016_00.pptx
Presentation Date: August 2016
Author: Andreas Gerstinger
1
3
2
4
6
 Step 6: Identify Solutions
5
 A Solution is added to support the goal
 Provides a reference to some evidence
artefacts
1
3
2
4
6
– Refer unambiguously and precisely to the section in an evidence artefact which is
required to support the claim
© FREQUENTIS 2016
Page: 112
Safety Cases with the Help of GSN_2016_00.pptx
Presentation Date: August 2016
Author: Andreas Gerstinger
 Step 6: Identify Solutions
5
– Reference the whole document should be avoided where possible
© FREQUENTIS 2016
Page: 113
Safety Cases with the Help of GSN_2016_00.pptx
Presentation Date: August 2016
Author: Andreas Gerstinger
1
3
2
4
6
 Step 6: Identify Solutions
5
 It is possible to cite multiple solutions as providing evidential
support
for a particular parent goal.
3
6
1
2 evidential
4
 It should be noted that a solution stated as providing
support
for a particular parent goal may also form part of the cited evidential
support for other parent goals.
© FREQUENTIS 2016
Page: 114
Safety Cases with the Help of GSN_2016_00.pptx
Presentation Date: August 2016
Author: Andreas Gerstinger
 Step 6: Identify Solutions
5
 Note that peer goals do not always require the same level
of
decomposition.
3
1
6
2 it to a4point at
 Sometimes goals requires further argument to bring
which it can be supported directly by evidence.
 It is regarded as best practice that the goal most immediately
supported by a solution element should be an unambiguous assertion
of the property of the evidence item that is being referred to by the
argument.
© FREQUENTIS 2016
Page: 115
Safety Cases with the Help of GSN_2016_00.pptx
Presentation Date: August 2016
Author: Andreas Gerstinger
 Step 6: Identify Solutions
5
 Running Example:
© FREQUENTIS 2016
Page: 116
Safety Cases with the Help of GSN_2016_00.pptx
Presentation Date: August 2016
Author: Andreas Gerstinger
1
3
2
4
6
 Developing - Bottom Up
Step 1
Step 3
Step 2
Infer evidence
assertions
Identify
evidence
Step 5
Step 6
Check back
down
structure for
completeness
Derive
higher goals
Add required
context
Step 7
Join up to
known top
goal or set of
sub-goals
© FREQUENTIS 2016
Page: 117
Safety Cases with the Help of GSN_2016_00.pptx
Presentation Date: August 2016
Author: Andreas Gerstinger
Step 4
Describe
strategy
 Step 1: Identify Relevant Evidence
1
2
3
 The starting point is to ascertain what evidence exists
5
6
4
 Consider what this evidence reveals why the analysis was originally
carried out
© FREQUENTIS 2016
Page: 118
Safety Cases with the Help of GSN_2016_00.pptx
7
Presentation Date: August 2016
Author: Andreas Gerstinger
 Step 2: Infer ‘Evidence Assertion’ Goals
 Examine each evidence
1
3
2
5
– “What safety claim or property of the system is demonstrated or
6 supported by 4this
item of evidence?”
7
© FREQUENTIS 2016
Page: 119
Safety Cases with the Help of GSN_2016_00.pptx
Presentation Date: August 2016
Author: Andreas Gerstinger
 Step 2: Infer ‘Evidence Assertion’ Goals
3 goals
2
 A give item of evidence may in fact provide support1 for several
5
– Each ‘evidence assertion’ should refer to the individual section 6of the evidence
4
7
© FREQUENTIS 2016
Page: 120
Safety Cases with the Help of GSN_2016_00.pptx
Presentation Date: August 2016
Author: Andreas Gerstinger
 Step 3: Adding Higher Sub-Goals
3 and
 Work higher in the argument to add a further hierarchy
1 of2 goals
strategies
5
6
4
 Do not jump too quickly to the ultimate objective of the top goal
7
 Goals should not be exclusively product-oriented
© FREQUENTIS 2016
Page: 121
Safety Cases with the Help of GSN_2016_00.pptx
Presentation Date: August 2016
Author: Andreas Gerstinger
Step 4: Describe Strategy for
 Goal-Decomposition
 Describe how the sub-goals support the claim
1
2
3
5
6
 Should the decomposition strategy be obvious, it may not be
necessary to represent it explicitly as part of the goal structure
7
© FREQUENTIS 2016
Page: 122
Safety Cases with the Help of GSN_2016_00.pptx
Presentation Date: August 2016
Author: Andreas Gerstinger
4
 Step 5: Adding Contextual Information
3
2 have
 The creation of a goal structure from existing evidence
1 may
elicited contextual information
5
6
4
– including assumptions, definitions and references
7
© FREQUENTIS 2016
Page: 123
Safety Cases with the Help of GSN_2016_00.pptx
Presentation Date: August 2016
Author: Andreas Gerstinger
Step 6: Check Back Down the

Goal Structure
 Each time a parent goal is created
3
2
1
– Re-examine the supporting sub-goals top-down
5
6
4
7
© FREQUENTIS 2016
Page: 124
Safety Cases with the Help of GSN_2016_00.pptx
Presentation Date: August 2016
Author: Andreas Gerstinger
Structure into Higher (Top-Down)

Argument
3a
2 form
 The bottom-up approach will rarely be used in isolation
1
to
complete goal structure
5
6
4
 Since the goal structure is developed from the existing evidence, you
7
should keep in mind where the argument is ‘aiming’
© FREQUENTIS 2016
Page: 125
Safety Cases with the Help of GSN_2016_00.pptx
Presentation Date: August 2016
Author: Andreas Gerstinger

EVALUATING GOAL STRUCTURES
© FREQUENTIS 2016
Page: 126
Safety Cases with the Help of GSN_2016_00.pptx
Presentation Date: August 2016
Author: Andreas Gerstinger
 A Staged Argument Review Process
Step 1
Argument
Comprehension
Step 2
Wellformedness
(Syntax)
Checks
© FREQUENTIS 2016
Page: 127
Safety Cases with the Help of GSN_2016_00.pptx
Step 3
Expressive
Sufficiency
Checks
Presentation Date: August 2016
Author: Andreas Gerstinger
Step 4
Argument
Criticism &
Defeat
 Step 1: Argument Comprehension
 Argumentation presented textually
1
2
3
4
– Identify the key claims, strategies, context and evidence presented in the assurance
case
– Having identified the essential elements of the assurance case, it is then necessary
for the reviewer to identify the links between them
– This activity involves determining the argument approaches which are being used to
support the claims identified and the evidence items being used to support the
arguments
 Argumentation presented with GSN
– Check that the notation has been used in accordance to the standard
– Identify and weed out superficial arguments
© FREQUENTIS 2016
Page: 128
Safety Cases with the Help of GSN_2016_00.pptx
Presentation Date: August 2016
Author: Andreas Gerstinger
 Step 2: Well-Formedness Checks
2
1
 Identify structural errors in the argument under review
3
4
– For example: circular arguments
 It may be possible to identify claims for which no supporting argument
or evidence has been presented
– Check for items of evidence whose role in the argument is unclear
© FREQUENTIS 2016
Page: 129
Safety Cases with the Help of GSN_2016_00.pptx
Presentation Date: August 2016
Author: Andreas Gerstinger
 Step 3: Expressive Sufficiency Checks
2
3have4
 The purpose of this step is to assess whether the1arguments
been expressed sufficiently for the argument to be fully understood
 The purpose of a strategy element in GSN is to explain the
relationship between claims made in a parent goal and those in the
sub-goals related to it
 Explicit documentation of strategies is useful wherever this relationship
is unclear
© FREQUENTIS 2016
Page: 130
Safety Cases with the Help of GSN_2016_00.pptx
Presentation Date: August 2016
Author: Andreas Gerstinger
 Step 4: Argument Criticism and Defeat
2
3
 Are the premises of the argument strong enough 1
to support
the
conclusion(s) being drawn??
4
 The sufficiency of the relationship between premises and conclusion of
the argument can depend on a number of attributes
– Coverage – to what extent does the argument and/or evidence presented cover the
conclusion?
– Dependency – the level of assurance offered up by multiple forms of evidence or
strands of argument may not be so convincing if they are not truly independent
© FREQUENTIS 2016
Page: 131
Safety Cases with the Help of GSN_2016_00.pptx
Presentation Date: August 2016
Author: Andreas Gerstinger
 Step 4: Argument Criticism and Defeat
– Definition – it could be considered undesirable to over-constrain
2or under-constrain
3
4
1
the argument or the evidence being presented
– Directness – to what extent does the argument or evidence directly address the
conclusion being sought?
– Against a specific product claim, process evidence can be regarded as ‘indirect’
– Indirect arguments are often considered unconvincing
– Relevance – how relevant is a particular piece of evidence or line of argumentation
to the conclusion being sought?
– An argument that “the System is safe” because “the sky is blue” suffers from a
problem of relevance
© FREQUENTIS 2016
Page: 132
Safety Cases with the Help of GSN_2016_00.pptx
Presentation Date: August 2016
Author: Andreas Gerstinger
 Step 4: Argument Criticism and Defeat
– Robustness – how susceptible is the argument to changes1 in the2evidence
3 and4
claims arising from this?
 When providing feedback from this step in the review process, it is
advisable for the reviewer to be as specific as possible in identifying
the problems present in the argument
 It is important to recognise that criticisms of the argument at this stage
could simply relate to weaknesses of expression
© FREQUENTIS 2016
Page: 133
Safety Cases with the Help of GSN_2016_00.pptx
Presentation Date: August 2016
Author: Andreas Gerstinger

GSN ADDITIONAL ELEMENTS
© FREQUENTIS 2016
Page: 134
Safety Cases with the Help of GSN_2016_00.pptx
Presentation Date: August 2016
Author: Andreas Gerstinger
 GSN Additional Elements
© FREQUENTIS 2016
Page: 135
Safety Cases with the Help of GSN_2016_00.pptx
Presentation Date: August 2016
Author: Andreas Gerstinger

DATA DICTIONARY
© FREQUENTIS 2016
Page: 136
Safety Cases with the Help of GSN_2016_00.pptx
Presentation Date: August 2016
Author: Andreas Gerstinger
 Data Dictionary
 Enumeration -> use unique IDs
– detailed explanation of the problem at hand
– assumptions that had to be done
– assessment and selection of solutions
– connection to relevant standards
– correctness of arguments/evidence
– validity of arguments/evidence
– sufficiency of arguments/evidence
– ...
© FREQUENTIS 2016
Page: 137
Safety Cases with the Help of GSN_2016_00.pptx
Presentation Date: August 2016
Author: Andreas Gerstinger
 GSN and Data Dictionary
 Combination of GSN and data dictionaries
– Result in a document (Safety Case Report)
– Allows the reader to fully understand the argumentation
– Evidences are proving the correctness of the argument
– Describes why those evidences are sufficient
– Show additional information for the whole argumentation
© FREQUENTIS 2016
Page: 138
Safety Cases with the Help of GSN_2016_00.pptx
Presentation Date: August 2016
Author: Andreas Gerstinger
 GSN and Data Dictionary

Example:

G_0.3: “Traceability of safety requirements and safety evidence has been shown.” – The traceability of safety
evidence and requirements is an important aspect in the argumentation of the safety case and is therefore developed
in a separate sub-tree instead of being part of the engineering life cycle argumentation.
–
G_0.3.1: “Traceability concept was defined.” – A concept defining the scope and means of achieving traceability
must be provided.
–
–
Sn_0.3.1a: “Concept: Traceability_Concept.doc” – A document defining the traceability concept followed for
the example project.
G_0.3.2: “Traceability was enforced.” – It must be proven that the traceability as defined in the concept was
actually enforced over all life cycles and their resulting artefacts.
–
Sn_0.3.2a: “Traceability Matrix: Traceability_Matrix.xls” – A traceability matrix lists all artefacts and their links
to depict the traceability between them.
© FREQUENTIS 2016
Page: 139
Safety Cases with the Help of GSN_2016_00.pptx
Presentation Date: August 2016
Author: Andreas Gerstinger

A FINAL EXAMPLE
© FREQUENTIS 2016
Page: 140
Safety Cases with the Help of GSN_2016_00.pptx
Presentation Date: August 2016
Author: Andreas Gerstinger
 IsaPro® Safety Case Pattern
© FREQUENTIS 2016
Page: 141
Safety Cases with the Help of GSN_2016_00.pptx
Presentation Date: August 2016
Author: Andreas Gerstinger
 IsaPro® Safety Case Pattern (M_0.1)
© FREQUENTIS 2016
Page: 142
Safety Cases with the Help of GSN_2016_00.pptx
Presentation Date: August 2016
Author: Andreas Gerstinger
 IsaPro® Safety Case Pattern (M_0.2)
© FREQUENTIS 2016
Page: 143
Safety Cases with the Help of GSN_2016_00.pptx
Presentation Date: August 2016
Author: Andreas Gerstinger

 Download  Report

Paperzz.com

Your Paperzz

© Copyright 2026 Paperzz