An evaluation of argument patterns to reduce pitfalls of applying Assurance Case

Prof. Dr. Shuichiro Yamamoto, Nagoya University
Copyright Prof. Dr. Shuichiro Yamamoto 2013

Session 13:00 -- 13:30, Architecture and Assurance Cases, S. Yamamoto

Slide 2: Agenda
- Pitfalls of assurance case deployment
- Patterns of argument decomposition
- Early evaluations of pattern applications
- Future plan

Slide 3: Assurance case pitfalls
Necessity of decomposition patterns

Slide 4: Pitfalls
- Fundamental challenges
- Confusion of argument structure and control structure
- Controlling the represented range
- Diversity of decomposition approaches

Slide 5: Claim decomposition
- What should the claim be, and how should it be expressed?
- What should be written as strategies?
- How much should the argument be decomposed using the strategies?
- What should be written as context?
- What should be written as evidence?
- How far should the hierarchical structure be extended?
- How should the relationships between context and evidence be analyzed?

Slide 6: Assurance case ambiguity
Figure: a goal / strategy / evidence / context structure annotated with the open questions: Width, Depth?, Relationship?, Sentence.

Slide 7: Confusion of argument structure and control structure
- Mixing up strategies and goals.
- Content that should be written as a claim is expressed as an action or function statement rather than as a proposition.
- Strategies are misunderstood as judgment branches.
- The argument is decomposed into function execution sequences instead of arguments.

Slide 8: Controlling the represented range
Example of a scope-limiting statement: "This does not extend to cover measures taken regarding maintenance of the train itself or the dangers associated with maintenance work."

Slide 9: Basic patterns of argument decomposition
Architecture, functional, attributes, infinite set, complete, monotonic, concretion
(Robin Bloomfield and Peter Bishop, Safety and Assurance Cases: Past, Present and Possible Future, an Adelard Perspective)

Slide 10: Formal claim decompositions
Type         | Explanation
Architecture | splitting a component into several sub-components
Functional   | splitting a component into several sub-functions
Attributes   | splitting a property into several attributes
Infinite set | inductive partitioning from a base case (e.g., over time)
Complete     | capturing the full set of values for risks, requirements, etc.
Monotonic    | the new system only improves on the old system
Concretion   | making informal statements less vague
(Robin Bloomfield and Peter Bishop, Safety and Assurance Cases: Past, Present and Possible Future, an Adelard Perspective)

Slide 11: Architecture decomposition
Goal: System is dependable
Context: System architecture design
Strategy: Argument over system architecture
Sub-goals:
- Sub system A is dependable
- Sub system B is dependable
- Interactions between A and B are dependable

Slide 12: Functional decomposition
Goal: Search system is dependable
Strategy: Argument over functions
Sub-goals:
- Keyword input function is dependable
- Data management function is dependable
- Keyword search function is dependable
- Result of search function is dependable

Slide 13: Attribute decomposition
Goal: Search system is dependable
Strategy: Argument over quality attributes
Sub-goals:
- System is available
- System is reliable
- System is safe
- System is consistent
- System protects confidentiality
- System is maintainable

Slide 14: Infinite set decomposition
Goal: Claim holds for every N
Strategy: Argument over induction
Sub-goals:
- [K=1] The claim holds for N
- [K=N] If the claim holds for N, then it also holds for K=N+1

Slide 15: Complete decomposition
Goal: System is dependable
Context: System risk includes input, process and output risks
Strategy: Argument over risk
Sub-goals:
- System is dependable for input risk
- System is dependable for process risk
- System is dependable for output risk

Slide 16: Monotonic decomposition
Goal: As-is system problem is resolved in the To-be system
Context: As-is system
Strategy: Argument over the As-is system problem
Sub-goals:
- As-is system problem is identified
- Solution is proposed to resolve the As-is system problem
- To-be system can be realized by implementing the solution that resolves the As-is system problem

Slide 17: Decomposition by concretion
Goal: Ambiguity of object is resolved
Context: Definition of object
Strategy: Argument over concretion
Sub-goals:
- Ambiguity of object is identified
- Concretion of object is provided
- Ambiguity of object is reduced by the concretion

Slide 18: Evaluation of the decomposition patterns

Slide 19: Design of experiment
- The examinee is an engineer with more than 20 years of experience in embedded system development.
- A 4-hour assurance case course was given to the examinee.

Slide 20: Content of the course text
- Introduction to assurance cases: 10 pages
- Assurance case development method: 26 pages
- Assurance case exercises: 15 pages
- Argument decomposition patterns: 15 pages

Slide 21: Case study: LAN device monitoring

Slide 22: Example of architecture decomposition
Figure: a Manager connected over the Network to Sensors, which watch valid and invalid LAN devices on the LAN (1000 LAN devices for each sensor, 2000 sensors).
Interactions:
- P1: Initial packets to LAN devices; get names and information
- P2: Initial packets to abnormal LAN devices; interception
- P3: Set up sensors; validate sensor status; update sensor software; update interception table; monitor sensors

Slide 23: Number of nodes
The number in parentheses after each Context count is the number of hazards described in that context.

Architecture element                    | Context (hazards) | Claim | Strategy | Evidence
Sensor: Power unit                      | 1 (16)            |    83 |       30 |       71
Sensor: Main board                      | 1 (17)            |    60 |       21 |       42
Sensor: HW case                         | 1 (6)             |    20 |        7 |       13
Sensor: HW interaction                  | 1 (16)            |    54 |       18 |       43
Sensor: Software                        | 1 (25)            |   124 |       41 |       60
Sensor: HW-SW interaction               | 1 (11)            |    35 |       11 |       27
Manager: HW                             | 1 (4)             |    13 |        4 |       10
Manager: SW                             | 1 (18)            |    56 |       18 |       38
Manager: HW-SW interaction              | 1 (8)             |    24 |        8 |       16
Interaction between sensors and manager | 1 (23)            |    70 |       23 |       48
Total                                   | 10 (144)          |   539 |      181 |      368

Slide 24: Man hours for work categories
Work category              | Man hours | Share (%)
Specification analysis     |         5 |         2
Pattern selection          |        30 |        14
Architecture decomposition |        10 |         5
Risk analysis              |        62 |        28
D-Case description         |       110 |        51
Total                      |       217 |
(The share column is the row labelled "LAN" on the slide; its figures are each category's share of the 217 hours in percent.)

Slide 25: Relationship between claim and evidence
Figure: chart with axes claim and evidence.

Slide 26: Relationship between claim and strategy
Figure: chart with axes claim and strategy.

Slide 27: Relationship between evidence and context (risk)
Figure: chart with axes risk and evidence; the point for the electric power device is labelled.

Slide 28: Discussions

Slide 29: Effectiveness of argument patterns
According to the examinee, the architecture decomposition pattern was useful for analysing risk, although choosing it from among the argument decomposition patterns took time, because the fit between the target system and each argument pattern had to be understood first. Many of the pitfalls discussed in section 2 were not observed during the experiment, which also indicates the effectiveness of the argument patterns. Without knowledge of the argument patterns, the examinee could not have developed a large assurance case of 1098 nodes in 15 days.

Slide 30: Limitations of patterns
Bloomfield's patterns do not, however, take decomposition by process or by condition into consideration. For example, in argumentation by conditional judgment, a claim can be decomposed using a strategy such as the one shown in Figure 2. Here, based on evidence, a condition is defined, and dependability is verified both for the case where that condition is satisfied and for the case where it is not. In other words, Goal G_4 claims that the condition is defined; Goal G_2 claims that an appropriate action is taken when the condition is satisfied; and Goal G_3 claims that an appropriate action is taken when it is not.

Slide 31: Correlation with system development and operation materials
The correlation between an assurance case's context and evidence and the documents used in system development and operation has not been clearly defined. As a result, multiple documents and multiple assurance cases have simply been handled at a combined level; the specific relationships at the element level were unclear, so valuable information from system development and operation documents could not be fully utilized.

Slide 32: Systems, documentation and assurance cases
(figure)

Slide 33: Creating assurance cases for process validation
(1) Establish a claim based on the goal.
(2) Argue each procedure necessary to achieve the goal according to the strategy.
(3) Establish the input information using contexts.
(4) Establish the verification result for the process output as evidence.
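The four rules of slide 33 applied to a process definition, with the element-level traceability that slide 31 says is usually missing and the conditional decomposition proposed on slide 30, as an added Python example that is not from the deck: a small process description is turned into a claim, one strategy over the procedures, a context per input and an evidence node per verification result, and then checked for outputs whose verification is still missing and for inputs that trace to no document or earlier output. The process, its step names and documents are constructed for the example; the dict-based node layout and all function names are this example's own assumptions.

```python
from typing import Dict, List, Optional

# A process definition as an engineer might extract it from a procedure document.
# Everything below is constructed for this example; it is not data from the deck.
PROCESS = {
    "goal": "Sensor software is updated without loss of monitoring",
    "documents": ["Sensor status table", "Release package"],  # external inputs
    "steps": [
        {"name": "Validate sensor status",
         "inputs": ["Sensor status table"],
         "outputs": ["Status validation report"],
         "verification": "Report reviewed and signed off by the operations lead"},
        {"name": "Update sensor software",
         "inputs": ["Release package", "Status validation report"],
         "outputs": ["Update log"],
         "verification": "Checksums in the update log match the release manifest"},
        {"name": "Update interception table",
         "inputs": ["Update log", "Device allow-list"],
         "outputs": ["Interception table"],
         "verification": None},  # no verification result recorded yet
    ],
}


def node(kind: str, text: str, children: Optional[List[Dict]] = None) -> Dict:
    return {"kind": kind, "text": text, "children": list(children or [])}


def process_validation_case(process: Dict) -> Dict:
    """Build the case by the four rules on slide 33: (1) the claim comes from the
    goal, (2) one strategy argues over the procedures, (3) each procedure's
    inputs become contexts, (4) the verification result of each procedure's
    output becomes evidence. A step without a verification result is left as
    an undeveloped goal rather than given a placeholder."""
    step_goals = []
    for step in process["steps"]:
        goal = node("Goal", f"'{step['name']}' produces correct {', '.join(step['outputs'])}")
        goal["children"] += [node("Context", f"Input: {i}") for i in step["inputs"]]
        if step["verification"]:
            goal["children"].append(node("Evidence", step["verification"]))
        step_goals.append(goal)
    strategy = node("Strategy", "Argument over the procedures needed to achieve the goal", step_goals)
    return node("Goal", process["goal"], [strategy])


def conditional_decomposition(goal: Dict, condition: str) -> Dict:
    """The conditional pattern proposed on slide 30, which Bloomfield's set lacks:
    G_4 claims the condition is defined, G_2 and G_3 claim an appropriate action
    is taken when it is and when it is not satisfied."""
    strategy = node("Strategy", f"Argument over condition: {condition}", [
        node("Goal", f"G_4: condition '{condition}' is defined"),
        node("Goal", f"G_2: appropriate action is taken when '{condition}' is satisfied"),
        node("Goal", f"G_3: appropriate action is taken when '{condition}' is not satisfied"),
    ])
    goal["children"].append(strategy)
    return strategy


def undeveloped_goals(case: Dict) -> List[str]:
    """Goals with neither a strategy nor evidence beneath them: for a process
    validation case these are the outputs whose verification is still missing."""
    missing = []

    def walk(n: Dict) -> None:
        kinds = {c["kind"] for c in n["children"]}
        if n["kind"] == "Goal" and not kinds & {"Strategy", "Evidence"}:
            missing.append(n["text"])
        for c in n["children"]:
            walk(c)

    walk(case)
    return missing


def untraced_inputs(process: Dict) -> List[str]:
    """Inputs that are neither a listed document nor an earlier step's output:
    contexts with no element-level link to any development material (slide 31)."""
    known = set(process["documents"])
    untraced = []
    for step in process["steps"]:
        untraced += [i for i in step["inputs"] if i not in known]
        known.update(step["outputs"])
    return untraced


def render(n: Dict, depth: int = 0) -> str:
    """Indented one-node-per-line view of a case."""
    lines = ["  " * depth + f"[{n['kind']}] {n['text']}"]
    for c in n["children"]:
        lines.append(render(c, depth + 1))
    return "\n".join(lines)


if __name__ == "__main__":
    case = process_validation_case(PROCESS)
    print(render(case))
    print("undeveloped:", undeveloped_goals(case))
    print("untraced inputs:", untraced_inputs(PROCESS))
```

The two checks are the practical payoff of the four rules: because every context is generated from a named input and every evidence node from a recorded verification result, a missing document link or a missing verification shows up as a structural gap in the case instead of being hidden in prose.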

Slide 34: Summary
This paper introduced some of the pitfalls commonly encountered when developing assurance cases, together with assurance case pattern methods for dealing with them. The pattern approach was also evaluated for assuring a LAN device management system. The experimental evaluation showed the effectiveness of the architecture pattern of argument decomposition: the examinee systematically developed an assurance case containing more than 1000 nodes in less than 2 weeks, after a 4-hour introductory course on assurance cases and patterns. Methods for extending assurance case patterns based on process definitions were also discussed.

Slide 35: Thank you for your attention