On the Transition from Design Time to Runtime Model-Based Assurance Cases Ran Wei Jan Reich University of York Fraunhofer Institute for Experimental United Kingdom Software Engineering (IESE) ran.wei@york.ac.uk Germany jan.reich@iese.fraunhofer.de Tim Kelly Simos Gerasimou University of York University of York United Kingdom United Kingdom tim.kelly@york.ac.uk simos.gerasimou@york.ac.uk ABSTRACT The physical and digital worlds are gradually merging into a System assurance cases are used to demonstrate confidence in largely connected globe. This is backed by the emergence of con- system properties of interest (e.g. safety and/or security). They cepts such as Cyber-Physical Systems (CPS). Openness and adaptiv- are key artefacts for safety and/or security acceptance for systems ity are core properties of CPS as constituent systems dynamically before they become operational. connect to each other and have to adapt to a changing context at Cyber-Physical Systems (CPS) form a new technological frontier runtime [2]. CPS harbour the potential for vast economic and soci- for their vast economic and societal potentials in various domains. etal impact in domains such as automotive, health care, and home CPS are often safety-critical systems. Thus, their safety and/or automation due to their open and adaptive nature [3]. The majority security need to be assured using system assurance cases. However, of application domains of CPS are safety-critical, such as car2car due to the open and adaptive nature of CPS, the need for system scenarios and collaborative autonomous mobile systems. If these assurance at runtime is imperative. systems fail, they may cause harm and lead to temporary collapse Therefore, assurance cases are expected to be exchanged, inte- of important infrastructures, with catastrophic consequences for grated and verified at runtime to ensure the dependability of CPS industry and society. Therefore, it is imperative to ensure the de- when they intend to execute a cooperative behaviour. pendability of CPS in order to realise their full potential. However, In this position paper, we identify the importance of model-based the open and adaptive nature of CPS poses significant challenges system assurance, we discuss the paradigm shift of assurance cases to assuring such systems, as it is nearly impossible to anticipate from being manually created artefacts to (semi-)automatically cre- the concrete CPS structure, its capabilities and the environmental ated models. We discuss the application of model-based assurance context sufficiently at design time. cases in ensuring the dependability of CPS. Therefore, existing design time system assurance activities are inappropriate to enable dynamic system assurance for CPS at run- time. Thus, a paradigm shift for system assurance activities from CCS CONCEPTS design time to runtime is needed to assure dependability properties • General and reference → Reliability; of CPS. One important aspect of this shift is the transition from design time assurance cases crafted from manually created docu- KEYWORDS ments to runtime assurance case models being (semi-)automatically synthesized and evaluated. Model Driven Engineering, Models at Runtime, Structured Assur- In this position paper, we discuss the notion of assurance cases ance Case Metamodel, System Assurance and the importance of a model-based approach in system assurance, motivated by open adaptive safety-related systems. We discuss the state of practice in system assurance cases and the importance of 1 INTRODUCTION system assurance case models@runtime for CPS. We discuss in Systems/services used to perform critical functions require justi- detail our vision of runtime system assurance cases and how they fications that they exhibit necessary properties (i.e. safety and/or help CPS to reason about the safety and/or security at runtime security). Assurance cases provide an explicit means for justifying by themselves. We point out potential research directions towards and assessing confidence in these critical properties. An assurance model-based system assurance at runtime. case is a document that facilitates information exchange between various system stakeholders (e.g. between operator and regulator), 2 ASSURANCE CASES where the knowledge related to the safety and/or security of the The concept of assurance cases has been long established in the system is communicated in a clear and defendable way [1]. As- safety-related domain, where the term safety case is normally used. surance cases are key artefacts for safety/security acceptance for For many industries, the development, review and acceptance of a systems/services before they become operational. safety case are key elements of regulatory processes. This includes MRT’18, October 2018, Copenhagen, Denmark Ran Wei, Jan Reich, Tim Kelly, and Simos Gerasimou Figure 1: An example GSN safety case for the European Train Control Systems (ETCS5). the nuclear [4], defence [5], civil aviation [6] and railway [7] indus- stakeholders and reducing the time taken to reach agreement on tries. The concept of safety case is defined in [8] as follows: A safety the argument approaches being adopted. An example safety case case communicates a clear, comprehensible and defensible argument created using GSN is provided in Figure 1, which comes from the that a system is acceptably safe to operate in a particular context. European Train Control System (ETCS) engineering story of the Historically, safety arguments were typically communicated in DEIS project [3]. It demonstrate that graphical argumentation nota- safety cases through free text. However, problems are experienced tions make it easier to identify safety goals and evidence/artefacts when text is the only medium available for expressing complex that satisfy those goals. arguments [8]. One problem of using free text is that if the lan- The concept of structured argumentation is also used in other guage used in the text is unclear and poorly structured, there is no domains, particularly for demonstrating system security [11]. Thus, guarantee that system engineers would produce safety cases with the term Assurance Case is a broader definition, that an assurance clear and well-structured language. To overcome these problems, case is used to demonstrate confidence in system safety and/or graphical argumentation notations were developed. Graphical ar- security. gumentation notations are capable of explicitly representing the elements that form a safety argument (i.e. requirements, claims, ev- 3 MODEL-BASED ASSURANCE CASES idence and context), and the relationships between these elements (i.e. how individual requirements are supported by specific claims, In the current state of practice, assurance cases are manually created how claims are supported by evidence and the assumed context documents rather than models. This is due to the nature of the that is defined for the argument). Amongst the graphical notations, intended usage of assurance cases – that they are meant to be the Goal Structuring Notation (GSN) [9] has been widely accepted reviewed by safety/security experts and are used to improve the and adopted [10]. The key benefit experienced by companies/organ- quality of discussion. isations of adopting GSN is that it improves the comprehension of In recent years there has been a tendency for system assurance the safety argument amongst all key project stakeholders, therefore tools to adopt Model-Driven Engineering (MDE) in order to benefit improving the quality of the debate and discussion amongst the from improved efficiency and consistency provided by MDE. In [12], the authors identified the need for model-based solutions for On the Transition from Design Time to Runtime Model-Based Assurance Cases MRT’18, October 2018, Copenhagen, Denmark and give place to other configurations. Therefore, the configurations SACM a CPS may assume over its lifetime are unknown and potentially infinite. This makes currently available approaches for system as- surance insufficient to assure the safety and/or security of CPS, due Base AssuranceCase to the fact that system assurance activities are typically required at runtime for CPS. Runtime system assurance for CPS has been identified as one of the major challenges towards the application of CPS [2, 3]. One Artifact Argumentation Terminology common vision toward runtime system assurance is the exchange of models@runtime, which is the upcoming paradigm for the de- velopment of CPS. As it is not possible to anticipate the runtime context for CPS at design time, Models@Runtime follows the idea of making important models available at runtime in order to enable Figure 2: Packages of SACM the system itself to reflect on its current (safety) state based on monitoring the runtime context. By generating context-awareness in this manner, potentially required adaptation strategies can be GSN pattern instantiation. GSN patterns are abstract safety case planned and executed in order to maintain safe or achieve optimized templates which capture good practice of system assurance, and CPS behaviour. can be instantiated by linking system information (model) with the elements in the GSN pattern to create a concrete safety case. The authors proposed the use of an intermediate model called the weaving model to link external model elements with GSN model elements for pattern instantiation. To promote standardisation and interoperability, the Object Man- agement Group (OMG) specified and issued the Structured Assur- ance Case Metamodel (SACM) [13]. SACM provides a sound solution for model-based system assurance case construction, in the sense that it provides mechanisms to model evidence and related infor- Figure 3: Models@Runtime on different abstraction levels. mation used in a structured assurance case. As shown in Figure 2, SACM provides packages that allow practitioners to group their In [2], the authors identified models on four abstraction levels, structured argumentations (via the Argumentation package), cor- which can be exchanged at runtime, as shown in Figure 3. The responding evidences (via the Artifact package) and controlled most abstract model that CPS can exchange are safety certificate languages (via the Terminology) into atomic packages, and incor- models. The idea of certification at runtime was introduced in [14]. porates them into assurance case packages. In this sense, SACM Safety certificates at runtime describe a formal safety interface is more powerful than GSN for its ability to reference and relate using contract-like interface specifications defining, which safety various kinds of artefacts (e.g. system design models) and its ability properties can be guaranteed by the system under the assumption to use controlled vocabularies. that specific safety demands are fulfilled by the integration context. In summary, in the current state of practice, assurance cases are In [15], the authors introduce a concrete form of runtime safety still manually created design time documents to certify the safety certificates called Conditional Safety Certificates (ConSerts), which and/or security of systems. There are tools that adopt MDE to aid are modular and contract-based definitions of safety certificates the creation of assurance cases. The Structured Assurance Case factoring in variants through Boolean mappings between different Metamodel (SACM) is still in its infancy and there is currently no sets of safety guarantees and demands. tool available implementing SACM. Sometimes it is imperative to know at runtime, how a CPS reaches the conclusion that the safety properties provided at run- 4 THE NEED FOR MODEL-BASED time are guaranteed. In such cases, it is necessary to exchange ASSURANCE CASES AT RUNTIME assurance case models at runtime, such that the argumentation It can be seen that MDE factors in approaches for system assurance leading to the guarantees of the safety properties can be accessed mainly focusing on exploiting the benefits of MDE for improved and reviewed in an automated way. efficiency and automation. However, the increasing complexity of In case the system adaptations lead to invalid evidence, a re- Cyber-Physical Systems (CPS) boosts the need for model-based validation of evidence can be triggered at runtime. This implies that approaches for system assurance. The premise of pervasive appli- a set of pre-defined V&V (Verification & Validation) activities need cations of CPS to realise its economic and societal impact is that to be performed at runtime. V&V models can be used to execute the safety and/or security of CPS are ensured, so that failures of V&V activities (regression testing, generation of test cases, etc.) such systems do not cause damage of different severities (ranges at runtime. However, it is a significant challenge to have V&V from moderate to catastrophic). models at runtime, typically because it is a rather difficult step for CPS are typically loosely connected systems and come together developers at development time, the difficulties to shift this step to as temporary configurations of constituent systems, which dissolve runtime would be multi-fold. In addition, it is almost impossible MRT’18, October 2018, Copenhagen, Denmark Ran Wei, Jan Reich, Tim Kelly, and Simos Gerasimou Base::ArtifactElement +implements 1 AssuranceCasePackageInterface AssuranceCasePackage 0..* +interface +assuranceCasePackage 0..* +participantPackage 2..* +terminologyPackage Terminology::TerminologyPackage 0..* AssuranceCasePackageBinding +argumentPackage 0..* +artifactPackage 0..* Argumentation::ArgumentPackage Artifact::ArtifactPackage Figure 4: An overview of the structure of an assurance case. to perform extensive V&V activities at runtime, provided that real time requirements may be in place for CPS. If requirements are modified at development, from a safety en- gineering perspective, Hazard Analysis and Risk Assessment ac- tivities (HARA) need to be performed. Hence, the idea of HARA models at runtime. However, since HARA is a very creative process and often relies on the experience of system safety experts, it is very unlikely that HARA can be performed at runtime. Apart from the works previously mentioned on safety certificate models at runtime, no work has been done in the line of assurance case models at runtime. This is due to the fact that system engineers still perceive assurance cases as design time artifacts. However, as discussed in this section, the need for assurance case models at runtime is imperative. Figure 5: An example of controlled terminology 5 SACM TOWARDS RUNTIME ASSURANCE In this claim, the user can refer to expression elements in their CASE MODELS terminology packages. For example, Hazard may refer to a Cate- In this section, we discuss the intended usage of Structured As- gory in the terminology package, which in turn points to a hazard surance Case Metamodel (SACM) since we have been involved, to log meta-model through its externalReference property. In this way, a large extent, in the specification of SACM, and it has not been hazard log meta-model provides a definition of what a Hazard is. sufficiently explained since the release of SACM v2.0. Then, hazard H1 can refer to a Term in the terminology package, In SACM, an assurance case model contains a number of pack- which in turn refers to an instance hazard log model (that conforms ages as shown in Figure 4. SACM organises assurance cases in to the hazard log meta-model). The hazard log model may then packages to promote modularity. An assurance case package can contain information on how H1 is identified, its causes and conse- contain a number of argument packages, artifact packages and ter- quences, etc. The Expression sufficiently mitigated is recorded in minology packages. Argument packages store information about the terminology package so that it can be reused. The user is also the argumentation part of an assurance case, where safety/secu- free to add any explanatory information to the Expression so that it rity claims are broken down into sub claims until they are directly better explains what sufficiently mitigated means. Finally, an overall backed by evidence. Evidence used in the argument packages can be Expression which references the three previous elements is created. modeled and organised in artifact pakcages. For example, a hazard This expression can be referenced in the argumentation package analysis model can be recorded in an artifact package, the user may (e.g. as a description of a Claim). also specify when the analysis is performed, who participated in SACM promotes modularity, in the sense that elements are or- the analysis process and what techniques are used in the process. ganised in different packages. To refine modularity, SACM provides SACM also provides the mechanisms to create controlled natural three different types of packages. Figure 6 shows a segment of the languages so that the users can establish a finer grade of reference meta-model for the argument package of SACM, illustrating the to system models. The terminology package of SACM provides three types of packages in the argumentation package of SACM. the mechanisms to create Expressions, Categories and Terms. An ArgumentPackage is the main package in which structured argumen- example of controlled language is shown in Figure 5. The upper tation is stored. The users can disclose part of the argumentation part of the figure is a claim: Hazard H1 is sufficiently mitigated. externally with the use of ArgumentPackageInterfaces. To do this, On the Transition from Design Time to Runtime Model-Based Assurance Cases MRT’18, October 2018, Copenhagen, Denmark major constituent systems at runtime: the on-board system which is installed on trains and the trackside system, which is installed on important nodes at the track side (such as stations and junctions). The left-hand side of the figure shows the ArgumentPackage of the ETCS on-board system (only top level Claim is shown here). The right-hand side of the figure shows the ArgumentPackageIn- terface, where a citation Claim is created to cite Claim C1 in the ArgumentPackage. ArgumentPackageBinding is used to bind ArgumentPackages to- gether by referencing elements stored in their ArgumentPackageIn- terfaces. To integrate ArgumentPackages, integration engineer needs to create an ArgumentPackageBinding, and create again citation el- ements in the ArgumentPackageBinding, which in turn cite the elements in ArgumentPackageInterfaces from the ArgumentPack- ages. An example of the use of ArgumentPackageBinding is shown Figure 6: Argumentation packages. in Figure 9. in ArgumentPackageInterfaces, citation elements need to be cre- ated which cite to original elements in ArgumentPackages. Figure 7 shows a segment of SACM for the citation mechanism. All SACMEle- ments have the capability of citing other SACMElements via the +citedElement reference. If an element cites another, it automatically becomes abstract and citation via its +isAbstract and +isCitation features. ArgumentPackageInterface only contains citation elements, it should be enforced by constraints on the meta-model. Figure 7: Citation mechanism of SACM. Figure 8: An example ArgumentPackageInterface. An example use of ArgumentPackageInterface is illustrated in Figure 8, this example is taken from the DEIS project [3] for the ETCS (European Train Control System) use case. The ETCS use case Figure 9: An example ArgumentPackageBinding. contains a CPS examined in the DEIS project, which consists of two MRT’18, October 2018, Copenhagen, Denmark Ran Wei, Jan Reich, Tim Kelly, and Simos Gerasimou The upper part of Figure 9 is the ArgumentPackage of the ETCS 6 CONCLUSION on-board system, and the lower part of Figure 9 is the Argument- In this paper, we talked about the need to shift assurance cases from Package of the ETCS Trackside system. The ArgumentPackageBind- conventionally design time documents to automatically exchanged ing (rendered in yellow) is created to bind the ArgumentPackages and integrated runtime models for CPS. We discussed and presented of the ETCS parts. Within the ArgumentPackageBinding, an overall our knowledge on the Structure Assurance Case Metamodel and Claim C3 is created, which are backed by the citation Claims C1 how it can be used to create model-based assurance cases. and C2, which in turn cites the citation Claims in ETCS On-board SACM lays a foundation for system assurance of CPS at runtime. safety case and ETCS Trackside safety case, respectively. Assurance case models for CPS are living models in the sense that The use of packages, interfaces and bindings are the key mecha- monitoring devices provide essential evidence for assurance cases nisms for the integration of SACM packages. All packages (artifact, and the validity of the assurance cases are constantly verified. terminology, argument and assurance case) can be integrated using In case an assurance case is invalidated, the CPS carrying it this approach. should make note of it. Therefore, it is anticipated that a CPS would For assurance case models created using SACM to be exchanged carry a repository of assurance cases, which helps CPS developers at runtime, there is also a need for automated system integration. to better understand what goes wrong at runtime. At the moment, arguments in assurance cases are described us- CPS system assurance is a new research frontier and has gained ing natural language. To enable automation, machine-processable increasing popularity in recent years. Runtime assurance cases languages needs to be incorporated in the argument in assurance provide a promising solution for assuring safety-related CPS. The cases. With regards to this need, in SACM v2.0 the notion of Multi- MRT community should be aware of the complexity of CPS and LangString is introduced. Using MultiLangString enables the user to the need for assurance case models at runtime. describe one claim using different languages, including computer languages. This gives the possibility of automated reasoning for safety cases. Acknowledgements This work is supported by the European In addition, for CPS to integrate, there is also a need to express Union’s Horizon 2020 research and innovation programme through supply and demand of services for CPS. The supply of service is the DEIS project (grant agreement No 732242). provided by default in assurance cases, as assurance cases created using SACM are able to relate to system models. To express demand REFERENCES of services, SACM enables the users to create Claims with declara- [1] Richard Hawkins, Ibrahim Habli, Tim Kelly, and John McDermid. Assurance cases and prescriptive software safety certification: A comparative study. Safety tions. For example, to express demand, a Claim can be declared as science, 59:55–71, 2013. needsSupport. To quantify demand and supply, SACM enables the [2] Mario Trapp, Daniel Schneider, and Peter Liggesmeyer. A safety roadmap to user to also create ImplementationConstraints and associate them cyber-physical systems. In Perspectives on the future of software engineering, pages 81–94. Springer, 2013. to elements in the assurance case. By using ImplementationCon- [3] Ran Wei, Tim P Kelly, Richard Hawkins, and Eric Armengaud. Deis: Dependability straints, system assurance engineers are able to express what kind engineering innovation for cyber-physical systems. In Federation of International Conferences on Software Technologies: Applications and Foundations, pages 409–416. of guarantees are provided/needed. Springer, 2017. The DEIS project, which aims at assuring the dependability of [4] Health and Safety Executive (HSE). Safety Assessment Principles for Nuclear CPS, uses SACM as the backbone for its core concept - the Open Facilities. 2006. [5] UK Ministry of Defence (MoD). Defence Standard 00-56 Issue 4: Safety Management Dependability Exchange (ODE) meta-model. The ODE is a versatile Requirements for Defence Systems. 2007. meta-model, which enables CPS developers to capture various as- [6] Safety Regulation Group Civil Aviation Authority (CAA). CAP 670 - Air Traffic pects of CPS, including architecture models, HARA models, failure Services Safety Requirements. 2007. [7] Rail Safety and Standards Board. Engineering Safety Management (The Yellow logic models as well as assurance case models (via usage of SACM). Book). 2007. In our vision, the runtime integration of two CPS (A and B) [8] Tim Kelly and Rob Weaver. The goal structuring notation–a safety argument notation. In Proceedings of the dependable systems and networks 2004 workshop includes the following steps: on assurance cases, page 6. Citeseer, 2004. [9] GSN Working Group Online - The Goal Structuring Notation. http://www. (1) Exchange of assurance case interfaces for CPS A and CPS goalstructuringnotation.info/. Accessed: 26-04-2018. B, which includes the demand/supply of services, as well as [10] Paul Chinneck, David Pumfrey, and Tim Kelly. Turning up the heat on safety case construction. In Practical Elements of Safety, pages 223–240. Springer, 2004. the guarantees needed/provided for these services; [11] Robin Bloomfield and Peter Bishop. Safety and assurance cases: Past, present and (2) If CPS A questions the soundness of the guarantees provided possible future–an adelard perspective. In Making Systems Safer, pages 51–67. by CPS B, CPS B would provide its assurance case; Springer, 2010. [12] Richard Hawkins, Ibrahim Habli, Dimitris Kolovos, Richard Paige, and Tim Kelly. (3) CPS A performs reasoning of the assurance case of CPS B; Weaving an assurance case from design: a model-based approach. In High (4) If the assurance case of CPS B is sound, connection between Assurance Systems Engineering (HASE), 2015 IEEE 16th International Symposium on, pages 110–117. IEEE, 2015. CPS A and CPS B will be established. An assurance case [13] Structured Assurance Case Metamodel, Object Management Group. https://www. binding will be created and maintained locally for both CPS omg.org/spec/SACM/About-SACM/. Accessed: 06-04-2018. A and CPS B until they decide to disconnect from each other; [14] John Rushby. Runtime certification. In International Workshop on Runtime Verification, pages 21–35. Springer, 2008. (5) If CPS A continues to question the soundness of the as- [15] Daniel Schneider and Mario Trapp. A safety engineering framework for open surance case of CPS B, CPS B can choose to send further adaptive systems. In Self-Adaptive and Self-Organizing Systems (SASO), 2011 Fifth evidence, such as related architecture or failure logic models IEEE International Conference on, pages 89–98. IEEE, 2011. (6) If the evidence provided by CPS B is sound, step (4) will be performed. Otherwise, the adaptation process ends.