
Towards a Formal Basis for Modular Safety Cases

Safety assurance using argument-based safety cases is an accepted best practice in many safety-critical sectors. Goal Structuring Notation (GSN), which is widely used for presenting safety arguments graphically, provides a notion of modular arguments to support the goal of incremental certification. Despite the efforts at standardization, GSN remains an informal notation, and the GSN standard contains appreciable ambiguity, especially concerning modular extensions. This, in turn, presents challenges when developing tools and methods to intelligently manipulate modular GSN arguments. This paper develops the elements of a theory of modular safety cases, leveraging our previous work on formalizing GSN arguments. Using example argument structures, we highlight some ambiguities arising from the existing guidance, present the intuition underlying the theory, clarify syntax, and address modular arguments, contracts, well-formedness and well-scopedness of modules. Based on this theory, we have a preliminary implementation of modular arguments in our toolset, AdvoCATE.

Formal Model-Based Assurance Cases in Isabelle/SACM: An Autonomous Underwater Vehicle Case Study

Isabelle/SACM is a tool for automated construction of model-based assurance cases with integrated formal methods, based on the Isabelle proof assistant. Assurance cases show how a system is safe to operate, through a human-comprehensible argument demonstrating that the requirements are satisfied, using evidence of various provenances. They are usually required for certification of critical systems, often with evidence that originates from formal methods. Automating assurance cases increases rigour and helps with maintenance and evolution. In this paper we apply Isabelle/SACM to a fragment of the assurance case for an autonomous underwater vehicle demonstrator. We encode the metric unit system (SI) in Isabelle, to allow modelling of requirements and state spaces using physical units. We develop a behavioural model in the graphical RoboChart state machine language, embed the artifacts into Isabelle/SACM, and use it to demonstrate satisfaction of the requirements.

Integration of Formal Proof into Unified Assurance Cases with Isabelle/SACM

Assurance cases are often required to certify critical systems. The use of formal methods in assurance can improve automation, increase confidence, and overcome errant reasoning. However, assurance cases can never be fully formalised, as the use of formal methods is contingent on models that are validated by informal processes. Consequently, assurance techniques should support both formal and informal artifacts, with explicated inferential links between them. In this paper, we contribute a formal, machine-checked interactive language, called Isabelle/SACM, supporting the computer-assisted construction of assurance cases compliant with the OMG Structured Assurance Case Meta-Model. The use of Isabelle/SACM guarantees well-formedness, consistency, and traceability of assurance cases, and allows a tight integration of formal and informal evidence of various provenances. In particular, Isabelle brings a diverse range of automated verification techniques that can provide evidence. To validate our approach, we present a substantial case study based on the Tokeneer secure entry system benchmark. We embed its functional specification into Isabelle, verify its security requirements, and form a modular security case in Isabelle/SACM that combines the heterogeneous artifacts. We thus show that Isabelle is a suitable platform for critical systems assurance.

Structured safety case tools for nuclear facility automation

In regulated domains, such as nuclear power, a documented justification of safety is demanded for licensing and qualifying systems important to safety. One emerging way of communicating the safety of a complex system in a structured and comprehensive manner is the safety case. A safety case is understood as a documented body of evidence that provides a convincing and valid argument that a system is adequately safe for a given application in a given environment. It is one option for giving the safety justification the transparency and traceability required by the stakeholders. Because of the amount and complexity of the required material, a practical way of preparing safety cases is to use a software tool. This thesis evaluated software tools for developing a structured safety case for the justification of nuclear instrumentation and control systems. For the tool evaluation, a set of criteria was derived from a description of the tool usage environment in the nuclear domain. Terminology in the domain is not yet established, so the concepts used in the description needed some clarification. The main terms were nuclear safety case, safety demonstration and structured safety case. Nuclear safety case was defined as an informal overall term referring to the totality of the safety justification and management material gathered under one 'case'. Safety demonstration was defined as the part of the nuclear safety case that contains the argumentation connecting the relevant evidence to given safety claims. Structured safety case was defined as a safety demonstration presented in a well-defined notation and following the related standards. It presents the claims, arguments and evidence required to assure the safety of the given system clearly and unambiguously. A development process for the structured safety case was outlined, from which the criteria for planning, structure, data entry, review and management features were identified for the tool evaluation.

A list of safety case tools was gathered, from which five tools were selected for further study: Astah GSN, ASCE, NORSTA, ACEdit and D-Case Editor. As a result of the tool review, it was concluded that none of the selected tools had good support for the identified requirements. All of the tools had some good features for structure and data entry. Support was weakest for the features relating to planning, managing and reviewing the safety case. All of the tools also had difficulties with handling the presentation of large systems. The results indicated that the reviewed safety case software tools are not yet ready for large-scale industrial use in the justification of instrumentation and control systems in nuclear power plants. As further work, it was recommended to follow the development of, and continue testing, current and new software tools.