A Template for an Assurance Case Shall Be Known as an Assurance Case Template

Similar documents
Deriving safety requirements according to ISO for complex systems: How to avoid getting lost?

A Software Safety Argument Pattern Catalogue

A Systematic Approach for Developing Software Safety Arguments

Safety Argument based on GSN for Automotive Control Systems. Yutaka Matsubara Nagoya University

MergeSort, Recurrences, Asymptotic Analysis Scribe: Michael P. Kim Date: April 1, 2015

MergeSort, Recurrences, Asymptotic Analysis Scribe: Michael P. Kim Date: September 28, 2016 Edited by Ofir Geri

Certification Requirements for High Assurance Systems

UK EPR GDA PROJECT. Name/Initials Date 30/06/2011 Name/Initials Date 30/06/2011. Resolution Plan Revision History

SOME TYPES AND USES OF DATA MODELS

2012 Developments in Modular (Software) Safety Cases and Modular GSN

Critical Systems. Objectives. Topics covered. Critical Systems. System dependability. Importance of dependability

Checklist for Requirements Specification Reviews

Solutions to In Class Problems Week 5, Wed.

Developing Successful Modular Arguments for Object Oriented Systems. R.D. Hawkins; University of York; York, UK

Proofwriting Checklist

What is a Programming Paradigm

Order from Chaos. Nebraska Wesleyan University Mathematics Circle

/633 Introduction to Algorithms Lecturer: Michael Dinitz Topic: Sorting lower bound and Linear-time sorting Date: 9/19/17

6.001 Notes: Section 17.5

We will show that the height of a RB tree on n vertices is approximately 2*log n. In class I presented a simple structural proof of this claim:

When the template is complete, the whole Project Initiation Document can be printed and approved.

Mathematical Logic Prof. Arindama Singh Department of Mathematics Indian Institute of Technology, Madras. Lecture - 37 Resolution Rules

Order from Chaos. University of Nebraska-Lincoln Discrete Mathematics Seminar

ELEC-270 Solutions to Assignment 5

MONIKA HEINER.

Fault Propagation and Transformation: A Safety Analysis. Malcolm Wallace

STABILITY AND PARADOX IN ALGORITHMIC LOGIC

CS 292 Software Development

Standard Development Timeline

CS 161 Computer Security

Operational Semantics

Notes on Turing s Theorem and Computability

Rules for Operators. Version 6 / Version 6, 13 May 2011 Page 1/12

Cybersecurity for Medical Device Manufacturers: Ensuring Safety and Functionality

Introduction to AWS GoldBase

Implementing BCM Frameworks. Monday 19 November Aidan O Brien Head of Resilience and Security National Australia Group Europe

Submission to the International Integrated Reporting Council regarding the Consultation Draft of the International Integrated Reporting Framework

Equations of planes in

Trust Relationship Modeling for Software Assurance

Mobile-as-a-Medical-Device (Security) David Kleidermacher Chief Security Officer, BlackBerry

Difference Between Dates Case Study 2002 M. J. Clancy and M. C. Linn

Artificial Neuron Modelling Based on Wave Shape

Tool Qualification Plan for Testwell CTC++

CS103 Spring 2018 Mathematical Vocabulary

IMPLEMENTATION COURSE (MODULE 1) (ISO 9001:2008 AVAILABLE ON REQUEST)

Integrating Cyber Security and Safety Systems Engineering Disciplines with a common Code of Practice

Programming II. Modularity 2017/18

Safety Case Composition Using Contracts - Refinements based on Feedback from an Industrial Case Study

Basic Requirements for Research Infrastructures in Europe

Does the ITIL Framework Need a Facelift?

ELECTRONIC RECORDS (EVIDENCE) ACT (No. 13 of 2014) ELECTRONIC RECORDS (EVIDENCE) REGULATIONS. (Published on, 2015) ARRANGEMENT OF REGULATIONS

UKAS Guidance for Bodies Offering Certification of Anti-Bribery Management Systems

introduction to Programming in C Department of Computer Science and Engineering Lecture No. #40 Recursion Linear Recursion

Modeling Issues Modeling Enterprises. Modeling

Evidence-based Development coupling structured argumentation with requirements development.

Decomposition into modules

LORAIN-MEDINA RURAL ELECTRIC COOPERATIVE, INC. NORTH CENTRAL ELECTRIC COOPERATIVE, INC.

With the successful completion of this course the participant will be able to:

IEEE Criteria for Standards Development (CSD)

INCREMENTAL SOFTWARE CONSTRUCTION WITH REFINEMENT DIAGRAMS

Public Safety Canada. Audit of the Business Continuity Planning Program

SCADA Software. 3.1 SCADA communication architectures SCADA system

Incremental development A.Y. 2018/2019

Testing for the Unexpected Using PXI

Compositional Security Evaluation: The MILS approach

Goal-Based Assessment for the Cybersecurity of Critical Infrastructure

5. The technology risk evaluation need only be updated when significant changes or upgrades to systems are implemented.

Thread Safety. Review. Today o Confinement o Threadsafe datatypes Required reading. Concurrency Wrapper Collections

Wireless Communication Device Policy Policy No September 2, Standard. Practice

The Common Criteria, Formal Methods and ACL2

Test and Evaluation of Autonomous Systems in a Model Based Engineering Context

Digital Identity Guidelines aka NIST SP March 1, 2017 Ken Klingenstein, Internet2

Modular Arithmetic. is just the set of remainders we can get when we divide integers by n

Q Body of techniques supported by. R precise mathematics. R powerful analysis tools. Q Rigorous, effective mechanisms for system.

CS 307: Software Engineering. Lecture 10: Software Design and Architecture

SECURING THE UK S DIGITAL PROSPERITY. Enabling the joint delivery of the National Cyber Security Strategy's objectives

such a manner that we are able to understand, grasp and grapple with the problem at hand in a more organized fashion.

Data Objectives. The same process can be applied to determine how much simplification is appropriate when describing a geochemical system.

TARGET2-SECURITIES INFORMATION SECURITY REQUIREMENTS

Software Verification and Validation (VIMMD052) Introduction. Istvan Majzik Budapest University of Technology and Economics

M E M O R A N D U M I.S.

IEEE Criteria for Standards Development (CSD)

Can "scale" cloud applications "on the edge" by adding server instances. (So far, haven't considered scaling the interior of the cloud).

A Consistency Check of Dependability Case (D-case) Produced from Data Flow Diagram (DFD)

ELECTRICIAN. Certification for electricians. Join Stroma for only 255 (+VAT) CERTIFICATION

Certification Report

Cyber Security Requirements for Supply Chain. June 17, 2015

Biometrics problem or solution?

An Interesting Way to Combine Numbers

Question 1: What is a code walk-through, and how is it performed?

Support for Safety Case Generation via Model Transformation

Back to the knights and knaves island

Don t Judge Software by Its (Code) Coverage

Fundamentals to Creating Architectures using ISO/IEC/IEEE Standards

Elementary Concepts of Object Class

CS2 Algorithms and Data Structures Note 10. Depth-First Search and Topological Sorting

A Solidify Understanding Task

Expression des Besoins et Identification des Objectifs de Sécurité

To prove something about all Boolean expressions, we will need the following induction principle: Axiom 7.1 (Induction over Boolean expressions):

TRAINING COURSE CERTIFICATION (TCC) COURSE REQUIREMENTS

Transcription:

A Template for an Assurance Case Shall Be Known as an Assurance Case Template Alan Wassyng With lots of help if not always encouragement from: Tom Maibaum, Mark Lawford, Neeraj Singh, Paul Joannou VeriSure: July 2015

1 Motivation for the Title

Objective! Build an assurance case so that it is effective for a class of products within an application domain infusion pumps, for example! The assurance case has placeholders for specific evidence and other entities 2

Assurance Case for Product 1 For the sake of this discussion, we show only claims and evidence no other typical components 1 3 Legend: - Claim or sub-claim - Evidence A B - A is claim B is premise

Assurance Case for Product 2 2 Same claim as for product 1 but for a different product 4 added removed content changed Legend: - Claim or sub-claim - Evidence A B - A is claim B is premise

3 Types of Changes 5! To build a comprehensive template, we need to understand what could be different in the assurance cases for different (but very similar products)! We have identified 3 kinds of changes that may occur when developing one product after another Content evidence in the different cases can be different even if the evidence supports the same claim Additions the newer product may have features not included in the older product and this may necessitate claims, sub-claims and evidence not in the earlier product Removals the newer product may not have features included in the older product and this may necessitate removal of claims, sub-claims and evidence in the earlier product

3 Types of Changes 6! To build a comprehensive template, we need to understand what could be different in the assurance cases for different (but very similar products)! We have identified 3 kinds of changes that may occur when going from one product to another Content evidence in the different cases can be different even Looks if the like evidence we want supports to do incremental the same claim assurance, but Additions turns out the to be newer different product in may some have important features ways not included in the older product and this may necessitate claims, sub-claims and evidence not in the earlier product Removals It is also not the the newer same product as simply may not have features included instantiating the an older assurance product and case this may necessitate removal pattern with of claims, different sub-claims results and evidence in the earlier product

3 2 Types of Changes! If you look at the situation a little differently and not as an incremental approach, then additions and removals are not really different They just seem different if we think of a temporal ordering of the products However, that is not what we want in a template We want to cope with a set of products from the outset that are essentially very similar but do have differences Actually, we are left with only 2 types of changes o o Content changes in evidence Optional (claim, sub-claim, evidence) paths 7

Putting It Together 1 2 Same claim as for product 1 but for a different product Legend: - Claim or sub-claim - Evidence A B - A is claim B is premise 2 added removed content changed Legend: - Claim or sub-claim - Evidence A B - A is claim B is premise 8 Optional paths in red

A Suggested Template Mechanism 2 A potential structure for an assurance case template 1 1-2 0-1 0-1 9 optional paths - need notation to specify number of paths required acceptance criteria on evidence required specified in the template Legend: - Claim or sub-claim - Evidence A B - A is claim B is premise

A Suggested Template Mechanism Need an argument mechanism that copes with these optional paths exclusive or 2 A potential structure for an assurance case template 1 1-2 non-exclusive or 0-1 0-1 10 optional path optional path optional paths - need notation to specify number of paths required acceptance criteria on evidence required specified in the template Legend: - Claim or sub-claim - Evidence A B - A is claim B is premise

A Suggested Template Mechanism Need an argument mechanism that copes with these optional paths Could colour the different kinds of paths differently exclusive or 1 2 A potential structure for an assurance case template 1-2 non-exclusive or 0-1 0-1 11 optional path optional path acceptance criteria on evidence required specified in the template Legend: - Claim or sub-claim - Evidence A B - A is claim B is premise

Insulin Pump Examples! Optional paths A light to help people use the pump in the dark! Exclusive or paths Some pumps use a standard Luer connector for their infusion sets others do not! Non-exclusive or paths Some pumps allow you to input glucose readings directly from an associated meter, or to input those readings manually, and some hazards for these two options are likely to be different 12

Do We Need This? 2 A potential structure for an assurance case template 1 1-2 0-1 0-1 13 acceptance criteria on evidence required specified in the template Legend: - Claim or sub-claim - Evidence A B - A is claim B is premise

I Do Not Think So We Can Do This 2 A potential structure for an assurance case template 1 1 1-2 0-1 0-1 14 acceptance criteria on evidence required specified in the template Legend: - Claim or sub-claim - Evidence A B - A is claim B is premise

Characteristics of an Assurance Case Template! Strategies/Justifications and Argument(s) are explicit! Contexts are explicit! Assumptions are explicit! Evidence to directly support each bottom claim! Explicit acceptance criteria for evidence to guide content of evidence nodes! Argument structures that deal with optional claimevidence paths Notation: Red and italics indicates that this may only be necessary for an assurance case template 15

Build Structures Robust With Respect to Anticipated Change! This is extremely important in general and may prove to be just as important for templates At the moment we do not seem to have (any) good rules that govern the structure of an assurance case structure meaning the argument Information Hiding works like magic in modular software design can we do something similar for assurance cases? The reason we have not done anything like this is probably that we have to cope with safety being a global system property and those unknown unknowns are a genuine challenge 16

Some Ideas for Robust With Respect to Anticipated Change! It should be possible to structure the upper levels of the assurance case so that it is stable for a broad set of products try to move product specific entities lower down in the structure! Try to make paths independent of each other paths are determined not only by argument, they are also determined by product features and related properties context and assumptions, for example (this does not guarantee non-existence of emergent behaviour)! Can acceptance criteria help achieve robustness? 17

A Robust Top Level To keep from cluttering the diagram we have not included other GSN components, such as assumptions, context, justifications, etc G1 Device adequately provides the consequences for which it was designed, with tolerable risk of adverse effects, in its intended operating environment S1 If we could build perfect systems we could decompose G1 into: Requirements describe system; Implementation complies with requirements.... R1 Argument to show that if G2, G3, G4, G5 are satisfied, then G1 is valid New component: R for reasoning (since A for argument is already in use). The argument will normally require significant space and so we have arranged that the R component is loosely joined to the S component and can be hidden when not required so as not to unnecessarily complicate the diagram 18 G2 System requirements are correct, include necessary safety & security constraints, as well as operator requirements, including safe & secure HMI G3 System implementation adequately complies with its requirements, and has not added any unmitigated hazards G4 System is robust with respect to reasonably anticipated changes and is maintainable over its lifetime - changes will not degrade safety, security and reliability G5 System maintains safe behaviour in the presence of hardware malfunction

An Assurance Case Template for X To keep from cluttering the diagram we have not included other GSN components, such as assumptions, context, justifications, etc G1 Device adequately provides the consequences for which it was designed, with tolerable risk of adverse effects, in its intended operating environment S1 If we could build perfect systems we could decompose G1 into: Requirements describe system; Implementation complies with requirements.... R1 New component: R for reasoning (since A for argument is already in use). The argument will normally require significant space and so we have arranged that the R component is loosely joined to the S component and can be hidden when not required so as not to unnecessarily complicate the diagram 19 G2 System requirements are correct, include necessary safety & security constraints, as well as operator requirements, including safe & secure HMI G3 System implementation adequately complies with its requirements, and has not added any unmitigated hazards G4 System is robust with respect to reasonably anticipated changes and is maintainable over its lifetime - changes will not degrade safety, security and reliability G5 System maintains safe behaviour in the presence of hardware malfunction

An Assurance Case Template for X G1 Device adequately provides the consequences for which it was designed, with tolerable risk of adverse effects, in its intended operating environment S1 R1 S and R components can be hidden when not required so as not to unnecessarily complicate the diagram G2 System requirements are correct, include necessary safety & security constraints, as well as operator requirements, including safe & secure HMI G3 System implementation adequately complies with its requirements, and has not added any unmitigated hazards G4 System is robust with respect to reasonably anticipated changes and is maintainable over its lifetime - changes will not degrade safety, security and reliability G5 System maintains safe behaviour in the presence of hardware malfunction 20

Arguments! 21! The argument about arguments seems to be heating up and that is probably good Proponents of inductive reasoning in all sorts of ways, some of them completely bottom-up, starting from the evidence level Proponents of mixed reasoning deductive and inductive Proponents of defeasible reasoning! What is obvious though is that most current assurance cases do not have an explicit argument at all! Example: Argue over mitigation of hazards So, a proof that there are infinitely many primes could be: o Argue over the product of known primes + 1 We need to do better than this

Why an Assurance Case Template?! Better than building the assurance case as you develop the system build assurance in from the start! And (clearly) much better than building it simply to present a documented case to a regulator 22

Why an Assurance Case Template? 23! We can use such a template as a Standard (John Knight suggested something similar for DO-178 in 2008, and we did at NII Shonan in 2014) Need community involvement and buy-in just as in development of Standards Need to solve some of the technical problems Will be for the system not just the software Can reduce confirmation bias Greater predictability in developing and certifying systems Complex yes, but more consistent and much more explicit Do we need a confidence case if we have acceptance criteria?! And I think this just could be our Sanity Clause

Thanks 24

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback