=Paper=
{{Paper
|id=Vol-2245/mrt_paper_2
|storemode=property
|title=On the Transition from Design Time to Runtime Model-Based Assurance Cases
|pdfUrl=https://ceur-ws.org/Vol-2245/mrt_paper_2.pdf
|volume=Vol-2245
|authors=Ran Wei,Tim Kelly,Jan Reich,Simos Gerasimou
|dblpUrl=https://dblp.org/rec/conf/models/WeiKRG18
}}
==On the Transition from Design Time to Runtime Model-Based Assurance Cases==
https://ceur-ws.org/Vol-2245/mrt_paper_2.pdf
On the Transition from Design Time to Runtime Model-Based
Assurance Cases
Ran Wei Jan Reich
University of York Fraunhofer Institute for Experimental
United Kingdom Software Engineering (IESE)
ran.wei@york.ac.uk Germany
jan.reich@iese.fraunhofer.de
Tim Kelly Simos Gerasimou
University of York University of York
United Kingdom United Kingdom
tim.kelly@york.ac.uk simos.gerasimou@york.ac.uk
ABSTRACT The physical and digital worlds are gradually merging into a
System assurance cases are used to demonstrate confidence in largely connected globe. This is backed by the emergence of con-
system properties of interest (e.g. safety and/or security). They cepts such as Cyber-Physical Systems (CPS). Openness and adaptiv-
are key artefacts for safety and/or security acceptance for systems ity are core properties of CPS as constituent systems dynamically
before they become operational. connect to each other and have to adapt to a changing context at
Cyber-Physical Systems (CPS) form a new technological frontier runtime [2]. CPS harbour the potential for vast economic and soci-
for their vast economic and societal potentials in various domains. etal impact in domains such as automotive, health care, and home
CPS are often safety-critical systems. Thus, their safety and/or automation due to their open and adaptive nature [3]. The majority
security need to be assured using system assurance cases. However, of application domains of CPS are safety-critical, such as car2car
due to the open and adaptive nature of CPS, the need for system scenarios and collaborative autonomous mobile systems. If these
assurance at runtime is imperative. systems fail, they may cause harm and lead to temporary collapse
Therefore, assurance cases are expected to be exchanged, inte- of important infrastructures, with catastrophic consequences for
grated and verified at runtime to ensure the dependability of CPS industry and society. Therefore, it is imperative to ensure the de-
when they intend to execute a cooperative behaviour. pendability of CPS in order to realise their full potential. However,
In this position paper, we identify the importance of model-based the open and adaptive nature of CPS poses significant challenges
system assurance, we discuss the paradigm shift of assurance cases to assuring such systems, as it is nearly impossible to anticipate
from being manually created artefacts to (semi-)automatically cre- the concrete CPS structure, its capabilities and the environmental
ated models. We discuss the application of model-based assurance context sufficiently at design time.
cases in ensuring the dependability of CPS. Therefore, existing design time system assurance activities are
inappropriate to enable dynamic system assurance for CPS at run-
time. Thus, a paradigm shift for system assurance activities from
CCS CONCEPTS design time to runtime is needed to assure dependability properties
• General and reference → Reliability; of CPS. One important aspect of this shift is the transition from
design time assurance cases crafted from manually created docu-
KEYWORDS ments to runtime assurance case models being (semi-)automatically
synthesized and evaluated.
Model Driven Engineering, Models at Runtime, Structured Assur-
In this position paper, we discuss the notion of assurance cases
ance Case Metamodel, System Assurance
and the importance of a model-based approach in system assurance,
motivated by open adaptive safety-related systems. We discuss the
state of practice in system assurance cases and the importance of
1 INTRODUCTION system assurance case models@runtime for CPS. We discuss in
Systems/services used to perform critical functions require justi- detail our vision of runtime system assurance cases and how they
fications that they exhibit necessary properties (i.e. safety and/or help CPS to reason about the safety and/or security at runtime
security). Assurance cases provide an explicit means for justifying by themselves. We point out potential research directions towards
and assessing confidence in these critical properties. An assurance model-based system assurance at runtime.
case is a document that facilitates information exchange between
various system stakeholders (e.g. between operator and regulator), 2 ASSURANCE CASES
where the knowledge related to the safety and/or security of the The concept of assurance cases has been long established in the
system is communicated in a clear and defendable way [1]. As- safety-related domain, where the term safety case is normally used.
surance cases are key artefacts for safety/security acceptance for For many industries, the development, review and acceptance of a
systems/services before they become operational. safety case are key elements of regulatory processes. This includes
�MRT’18, October 2018, Copenhagen, Denmark Ran Wei, Jan Reich, Tim Kelly, and Simos Gerasimou
Figure 1: An example GSN safety case for the European Train Control Systems (ETCS5).
the nuclear [4], defence [5], civil aviation [6] and railway [7] indus- stakeholders and reducing the time taken to reach agreement on
tries. The concept of safety case is defined in [8] as follows: A safety the argument approaches being adopted. An example safety case
case communicates a clear, comprehensible and defensible argument created using GSN is provided in Figure 1, which comes from the
that a system is acceptably safe to operate in a particular context. European Train Control System (ETCS) engineering story of the
Historically, safety arguments were typically communicated in DEIS project [3]. It demonstrate that graphical argumentation nota-
safety cases through free text. However, problems are experienced tions make it easier to identify safety goals and evidence/artefacts
when text is the only medium available for expressing complex that satisfy those goals.
arguments [8]. One problem of using free text is that if the lan- The concept of structured argumentation is also used in other
guage used in the text is unclear and poorly structured, there is no domains, particularly for demonstrating system security [11]. Thus,
guarantee that system engineers would produce safety cases with the term Assurance Case is a broader definition, that an assurance
clear and well-structured language. To overcome these problems, case is used to demonstrate confidence in system safety and/or
graphical argumentation notations were developed. Graphical ar- security.
gumentation notations are capable of explicitly representing the
elements that form a safety argument (i.e. requirements, claims, ev- 3 MODEL-BASED ASSURANCE CASES
idence and context), and the relationships between these elements
(i.e. how individual requirements are supported by specific claims, In the current state of practice, assurance cases are manually created
how claims are supported by evidence and the assumed context documents rather than models. This is due to the nature of the
that is defined for the argument). Amongst the graphical notations, intended usage of assurance cases – that they are meant to be
the Goal Structuring Notation (GSN) [9] has been widely accepted reviewed by safety/security experts and are used to improve the
and adopted [10]. The key benefit experienced by companies/organ- quality of discussion.
isations of adopting GSN is that it improves the comprehension of In recent years there has been a tendency for system assurance
the safety argument amongst all key project stakeholders, therefore tools to adopt Model-Driven Engineering (MDE) in order to benefit
improving the quality of the debate and discussion amongst the from improved efficiency and consistency provided by MDE. In
[12], the authors identified the need for model-based solutions for
�On the Transition from Design Time to Runtime Model-Based Assurance Cases MRT’18, October 2018, Copenhagen, Denmark
and give place to other configurations. Therefore, the configurations
SACM a CPS may assume over its lifetime are unknown and potentially
infinite. This makes currently available approaches for system as-
surance insufficient to assure the safety and/or security of CPS, due
Base AssuranceCase to the fact that system assurance activities are typically required at
runtime for CPS.
Runtime system assurance for CPS has been identified as one
of the major challenges towards the application of CPS [2, 3]. One
Artifact Argumentation Terminology common vision toward runtime system assurance is the exchange
of models@runtime, which is the upcoming paradigm for the de-
velopment of CPS. As it is not possible to anticipate the runtime
context for CPS at design time, Models@Runtime follows the idea
of making important models available at runtime in order to enable
Figure 2: Packages of SACM
the system itself to reflect on its current (safety) state based on
monitoring the runtime context. By generating context-awareness
in this manner, potentially required adaptation strategies can be
GSN pattern instantiation. GSN patterns are abstract safety case
planned and executed in order to maintain safe or achieve optimized
templates which capture good practice of system assurance, and
CPS behaviour.
can be instantiated by linking system information (model) with
the elements in the GSN pattern to create a concrete safety case.
The authors proposed the use of an intermediate model called the
weaving model to link external model elements with GSN model
elements for pattern instantiation.
To promote standardisation and interoperability, the Object Man-
agement Group (OMG) specified and issued the Structured Assur-
ance Case Metamodel (SACM) [13]. SACM provides a sound solution
for model-based system assurance case construction, in the sense
that it provides mechanisms to model evidence and related infor- Figure 3: Models@Runtime on different abstraction levels.
mation used in a structured assurance case. As shown in Figure 2,
SACM provides packages that allow practitioners to group their
In [2], the authors identified models on four abstraction levels,
structured argumentations (via the Argumentation package), cor-
which can be exchanged at runtime, as shown in Figure 3. The
responding evidences (via the Artifact package) and controlled
most abstract model that CPS can exchange are safety certificate
languages (via the Terminology) into atomic packages, and incor-
models. The idea of certification at runtime was introduced in [14].
porates them into assurance case packages. In this sense, SACM
Safety certificates at runtime describe a formal safety interface
is more powerful than GSN for its ability to reference and relate
using contract-like interface specifications defining, which safety
various kinds of artefacts (e.g. system design models) and its ability
properties can be guaranteed by the system under the assumption
to use controlled vocabularies.
that specific safety demands are fulfilled by the integration context.
In summary, in the current state of practice, assurance cases are
In [15], the authors introduce a concrete form of runtime safety
still manually created design time documents to certify the safety
certificates called Conditional Safety Certificates (ConSerts), which
and/or security of systems. There are tools that adopt MDE to aid
are modular and contract-based definitions of safety certificates
the creation of assurance cases. The Structured Assurance Case
factoring in variants through Boolean mappings between different
Metamodel (SACM) is still in its infancy and there is currently no
sets of safety guarantees and demands.
tool available implementing SACM.
Sometimes it is imperative to know at runtime, how a CPS
reaches the conclusion that the safety properties provided at run-
4 THE NEED FOR MODEL-BASED time are guaranteed. In such cases, it is necessary to exchange
ASSURANCE CASES AT RUNTIME assurance case models at runtime, such that the argumentation
It can be seen that MDE factors in approaches for system assurance leading to the guarantees of the safety properties can be accessed
mainly focusing on exploiting the benefits of MDE for improved and reviewed in an automated way.
efficiency and automation. However, the increasing complexity of In case the system adaptations lead to invalid evidence, a re-
Cyber-Physical Systems (CPS) boosts the need for model-based validation of evidence can be triggered at runtime. This implies that
approaches for system assurance. The premise of pervasive appli- a set of pre-defined V&V (Verification & Validation) activities need
cations of CPS to realise its economic and societal impact is that to be performed at runtime. V&V models can be used to execute
the safety and/or security of CPS are ensured, so that failures of V&V activities (regression testing, generation of test cases, etc.)
such systems do not cause damage of different severities (ranges at runtime. However, it is a significant challenge to have V&V
from moderate to catastrophic). models at runtime, typically because it is a rather difficult step for
CPS are typically loosely connected systems and come together developers at development time, the difficulties to shift this step to
as temporary configurations of constituent systems, which dissolve runtime would be multi-fold. In addition, it is almost impossible
�MRT’18, October 2018, Copenhagen, Denmark Ran Wei, Jan Reich, Tim Kelly, and Simos Gerasimou
Base::ArtifactElement
+implements 1
AssuranceCasePackageInterface AssuranceCasePackage
0..*
+interface
+assuranceCasePackage
0..*
+participantPackage 2..* +terminologyPackage
Terminology::TerminologyPackage
0..*
AssuranceCasePackageBinding
+argumentPackage 0..* +artifactPackage 0..*
Argumentation::ArgumentPackage Artifact::ArtifactPackage
Figure 4: An overview of the structure of an assurance case.
to perform extensive V&V activities at runtime, provided that real
time requirements may be in place for CPS.
If requirements are modified at development, from a safety en-
gineering perspective, Hazard Analysis and Risk Assessment ac-
tivities (HARA) need to be performed. Hence, the idea of HARA
models at runtime. However, since HARA is a very creative process
and often relies on the experience of system safety experts, it is
very unlikely that HARA can be performed at runtime.
Apart from the works previously mentioned on safety certificate
models at runtime, no work has been done in the line of assurance
case models at runtime. This is due to the fact that system engineers
still perceive assurance cases as design time artifacts. However, as
discussed in this section, the need for assurance case models at
runtime is imperative. Figure 5: An example of controlled terminology
5 SACM TOWARDS RUNTIME ASSURANCE
In this claim, the user can refer to expression elements in their
CASE MODELS terminology packages. For example, Hazard may refer to a Cate-
In this section, we discuss the intended usage of Structured As- gory in the terminology package, which in turn points to a hazard
surance Case Metamodel (SACM) since we have been involved, to log meta-model through its externalReference property. In this way,
a large extent, in the specification of SACM, and it has not been hazard log meta-model provides a definition of what a Hazard is.
sufficiently explained since the release of SACM v2.0. Then, hazard H1 can refer to a Term in the terminology package,
In SACM, an assurance case model contains a number of pack- which in turn refers to an instance hazard log model (that conforms
ages as shown in Figure 4. SACM organises assurance cases in to the hazard log meta-model). The hazard log model may then
packages to promote modularity. An assurance case package can contain information on how H1 is identified, its causes and conse-
contain a number of argument packages, artifact packages and ter- quences, etc. The Expression sufficiently mitigated is recorded in
minology packages. Argument packages store information about the terminology package so that it can be reused. The user is also
the argumentation part of an assurance case, where safety/secu- free to add any explanatory information to the Expression so that it
rity claims are broken down into sub claims until they are directly better explains what sufficiently mitigated means. Finally, an overall
backed by evidence. Evidence used in the argument packages can be Expression which references the three previous elements is created.
modeled and organised in artifact pakcages. For example, a hazard This expression can be referenced in the argumentation package
analysis model can be recorded in an artifact package, the user may (e.g. as a description of a Claim).
also specify when the analysis is performed, who participated in SACM promotes modularity, in the sense that elements are or-
the analysis process and what techniques are used in the process. ganised in different packages. To refine modularity, SACM provides
SACM also provides the mechanisms to create controlled natural three different types of packages. Figure 6 shows a segment of the
languages so that the users can establish a finer grade of reference meta-model for the argument package of SACM, illustrating the
to system models. The terminology package of SACM provides three types of packages in the argumentation package of SACM.
the mechanisms to create Expressions, Categories and Terms. An ArgumentPackage is the main package in which structured argumen-
example of controlled language is shown in Figure 5. The upper tation is stored. The users can disclose part of the argumentation
part of the figure is a claim: Hazard H1 is sufficiently mitigated. externally with the use of ArgumentPackageInterfaces. To do this,
�On the Transition from Design Time to Runtime Model-Based Assurance Cases MRT’18, October 2018, Copenhagen, Denmark
major constituent systems at runtime: the on-board system which
is installed on trains and the trackside system, which is installed on
important nodes at the track side (such as stations and junctions).
The left-hand side of the figure shows the ArgumentPackage of
the ETCS on-board system (only top level Claim is shown here).
The right-hand side of the figure shows the ArgumentPackageIn-
terface, where a citation Claim is created to cite Claim C1 in the
ArgumentPackage.
ArgumentPackageBinding is used to bind ArgumentPackages to-
gether by referencing elements stored in their ArgumentPackageIn-
terfaces. To integrate ArgumentPackages, integration engineer needs
to create an ArgumentPackageBinding, and create again citation el-
ements in the ArgumentPackageBinding, which in turn cite the
elements in ArgumentPackageInterfaces from the ArgumentPack-
ages. An example of the use of ArgumentPackageBinding is shown
Figure 6: Argumentation packages. in Figure 9.
in ArgumentPackageInterfaces, citation elements need to be cre-
ated which cite to original elements in ArgumentPackages. Figure 7
shows a segment of SACM for the citation mechanism. All SACMEle-
ments have the capability of citing other SACMElements via the
+citedElement reference. If an element cites another, it automatically
becomes abstract and citation via its +isAbstract and +isCitation
features. ArgumentPackageInterface only contains citation elements,
it should be enforced by constraints on the meta-model.
Figure 7: Citation mechanism of SACM.
Figure 8: An example ArgumentPackageInterface.
An example use of ArgumentPackageInterface is illustrated in
Figure 8, this example is taken from the DEIS project [3] for the
ETCS (European Train Control System) use case. The ETCS use case Figure 9: An example ArgumentPackageBinding.
contains a CPS examined in the DEIS project, which consists of two
�MRT’18, October 2018, Copenhagen, Denmark Ran Wei, Jan Reich, Tim Kelly, and Simos Gerasimou
The upper part of Figure 9 is the ArgumentPackage of the ETCS 6 CONCLUSION
on-board system, and the lower part of Figure 9 is the Argument- In this paper, we talked about the need to shift assurance cases from
Package of the ETCS Trackside system. The ArgumentPackageBind- conventionally design time documents to automatically exchanged
ing (rendered in yellow) is created to bind the ArgumentPackages and integrated runtime models for CPS. We discussed and presented
of the ETCS parts. Within the ArgumentPackageBinding, an overall our knowledge on the Structure Assurance Case Metamodel and
Claim C3 is created, which are backed by the citation Claims C1 how it can be used to create model-based assurance cases.
and C2, which in turn cites the citation Claims in ETCS On-board SACM lays a foundation for system assurance of CPS at runtime.
safety case and ETCS Trackside safety case, respectively. Assurance case models for CPS are living models in the sense that
The use of packages, interfaces and bindings are the key mecha- monitoring devices provide essential evidence for assurance cases
nisms for the integration of SACM packages. All packages (artifact, and the validity of the assurance cases are constantly verified.
terminology, argument and assurance case) can be integrated using In case an assurance case is invalidated, the CPS carrying it
this approach. should make note of it. Therefore, it is anticipated that a CPS would
For assurance case models created using SACM to be exchanged carry a repository of assurance cases, which helps CPS developers
at runtime, there is also a need for automated system integration. to better understand what goes wrong at runtime.
At the moment, arguments in assurance cases are described us- CPS system assurance is a new research frontier and has gained
ing natural language. To enable automation, machine-processable increasing popularity in recent years. Runtime assurance cases
languages needs to be incorporated in the argument in assurance provide a promising solution for assuring safety-related CPS. The
cases. With regards to this need, in SACM v2.0 the notion of Multi- MRT community should be aware of the complexity of CPS and
LangString is introduced. Using MultiLangString enables the user to the need for assurance case models at runtime.
describe one claim using different languages, including computer
languages. This gives the possibility of automated reasoning for
safety cases. Acknowledgements This work is supported by the European
In addition, for CPS to integrate, there is also a need to express Union’s Horizon 2020 research and innovation programme through
supply and demand of services for CPS. The supply of service is the DEIS project (grant agreement No 732242).
provided by default in assurance cases, as assurance cases created
using SACM are able to relate to system models. To express demand REFERENCES
of services, SACM enables the users to create Claims with declara- [1] Richard Hawkins, Ibrahim Habli, Tim Kelly, and John McDermid. Assurance
cases and prescriptive software safety certification: A comparative study. Safety
tions. For example, to express demand, a Claim can be declared as science, 59:55–71, 2013.
needsSupport. To quantify demand and supply, SACM enables the [2] Mario Trapp, Daniel Schneider, and Peter Liggesmeyer. A safety roadmap to
user to also create ImplementationConstraints and associate them cyber-physical systems. In Perspectives on the future of software engineering,
pages 81–94. Springer, 2013.
to elements in the assurance case. By using ImplementationCon- [3] Ran Wei, Tim P Kelly, Richard Hawkins, and Eric Armengaud. Deis: Dependability
straints, system assurance engineers are able to express what kind engineering innovation for cyber-physical systems. In Federation of International
Conferences on Software Technologies: Applications and Foundations, pages 409–416.
of guarantees are provided/needed. Springer, 2017.
The DEIS project, which aims at assuring the dependability of [4] Health and Safety Executive (HSE). Safety Assessment Principles for Nuclear
CPS, uses SACM as the backbone for its core concept - the Open Facilities. 2006.
[5] UK Ministry of Defence (MoD). Defence Standard 00-56 Issue 4: Safety Management
Dependability Exchange (ODE) meta-model. The ODE is a versatile Requirements for Defence Systems. 2007.
meta-model, which enables CPS developers to capture various as- [6] Safety Regulation Group Civil Aviation Authority (CAA). CAP 670 - Air Traffic
pects of CPS, including architecture models, HARA models, failure Services Safety Requirements. 2007.
[7] Rail Safety and Standards Board. Engineering Safety Management (The Yellow
logic models as well as assurance case models (via usage of SACM). Book). 2007.
In our vision, the runtime integration of two CPS (A and B) [8] Tim Kelly and Rob Weaver. The goal structuring notation–a safety argument
notation. In Proceedings of the dependable systems and networks 2004 workshop
includes the following steps: on assurance cases, page 6. Citeseer, 2004.
[9] GSN Working Group Online - The Goal Structuring Notation. http://www.
(1) Exchange of assurance case interfaces for CPS A and CPS goalstructuringnotation.info/. Accessed: 26-04-2018.
B, which includes the demand/supply of services, as well as [10] Paul Chinneck, David Pumfrey, and Tim Kelly. Turning up the heat on safety
case construction. In Practical Elements of Safety, pages 223–240. Springer, 2004.
the guarantees needed/provided for these services; [11] Robin Bloomfield and Peter Bishop. Safety and assurance cases: Past, present and
(2) If CPS A questions the soundness of the guarantees provided possible future–an adelard perspective. In Making Systems Safer, pages 51–67.
by CPS B, CPS B would provide its assurance case; Springer, 2010.
[12] Richard Hawkins, Ibrahim Habli, Dimitris Kolovos, Richard Paige, and Tim Kelly.
(3) CPS A performs reasoning of the assurance case of CPS B; Weaving an assurance case from design: a model-based approach. In High
(4) If the assurance case of CPS B is sound, connection between Assurance Systems Engineering (HASE), 2015 IEEE 16th International Symposium
on, pages 110–117. IEEE, 2015.
CPS A and CPS B will be established. An assurance case [13] Structured Assurance Case Metamodel, Object Management Group. https://www.
binding will be created and maintained locally for both CPS omg.org/spec/SACM/About-SACM/. Accessed: 06-04-2018.
A and CPS B until they decide to disconnect from each other; [14] John Rushby. Runtime certification. In International Workshop on Runtime
Verification, pages 21–35. Springer, 2008.
(5) If CPS A continues to question the soundness of the as- [15] Daniel Schneider and Mario Trapp. A safety engineering framework for open
surance case of CPS B, CPS B can choose to send further adaptive systems. In Self-Adaptive and Self-Organizing Systems (SASO), 2011 Fifth
evidence, such as related architecture or failure logic models IEEE International Conference on, pages 89–98. IEEE, 2011.
(6) If the evidence provided by CPS B is sound, step (4) will be
performed. Otherwise, the adaptation process ends.
�