Linking Traceability with GSN (Assure 2014)
Slide 1
ASSURE 2014
Linking Traceability with GSN
Nov/05/2014
Kenji Taguchi, Daisuke Souma, Hideki Nishihara
Research Institute for Secure Systems
National Institute of Advanced Industrial Science and
Technology (AIST)
Toshinori Takai
Graduate School of Information Science
Nara Institute of Science and Technology (NAIST)
Slide 2
Overview
• Background
  Safety-related regulations mandate the submission of safety cases
  to relevant authorities to ensure the safety of the systems.
    Regulations (Railway safety cases regulation and Offshore installation
    safety cases regulation)
    Standards (e.g., Def Stan 00-56, IEC 62425, ISO 26262)
    Guidelines (e.g., Railway Yellow Book or International ESM Handbook
    (iESM))
• The evidence in a safety case is of great importance, since the quality of
  the evidence affects the quality of the safety case.
• Traceability is used to validate evidence (work
  products/deliverables/artifacts) produced during the system life cycle.
• We propose one way to link traceability with GSN.
Slide 3
Why link GSN and Traceability?
• Traceability is “the ability to link product requirements
back to stakeholders' rationales and forward to
corresponding design artifacts, code, and test
cases”(From Wiki).
• In GSN, evidence and relevant documents are referenced
  in contexts and solutions, but it is not clear how they
  contribute to traceability.
• We propose a new convention for referencing
  traceability information in GSN diagrams. We can then
  check whether all of the substantial traceability
  information is referenced in GSN diagrams in a proper
  way.
Slide 4
Some assumptions
• Target standard
  EN 50126 / IEC 62278 Railway applications: Specification
  and demonstration of reliability, availability, maintainability
  and safety (RAMS)
  The proposed technique can be applied to any other standard.
• Safety case construction is supported by GSN (Goal
  Structuring Notation).
• Traceability is achieved through the design of a TIM
  (Traceability Information Model).
  Creating a TIM is a recommended practice, as pointed out by Cleland-Huang
  and colleagues from the FDA.
Slide 6
Basic Traceability Information Model (TIM)
• A system has a safety life cycle.
• A safety life cycle has phase(s).
• Traceable artifact: the artefacts (deliverables) to be traced.
  At least one may exist in each phase.
  An artifact may contain further artifact(s).
• Traceable unit: the part(s) of a traceable artifact that are linked.
• Link: a relationship between traceable units.
  Has a target and a source.
  May have a type.
Slide 8
Whole picture of the TIM for RAMS (phase 2 to phase 4)
The current model only depicts phase 3 in detail; phases 2 and 4 are
only partially depicted in this picture.
Slide 9
Overview of TIM for RAMS phase 3
(Figure: Hazard Log, with items required for this phase but not in the scope of
traceability.)
• IEC 62278 phase 3 requires identification of hazards,
  hazardous events, risk assessment criteria and the risk
  management process.
• The main deliverable of this phase is the Hazard Log.
Slide 10
Detailed picture of TIM for RAMS phase 3
(Figure labels: RAMS phase 3; deliverable to be traced; traceable units.)
Stereotypes are derived from the basic TIM.
Slide 13
New convention to support linking GSN and TIM
(Figure: GSN Context and GSN Solution nodes on the GSN side referencing
elements of the TIM.)
Slide 14
Validation Method for Safety Cases
Validation criteria and methods have not been well researched yet.
How to review GSN diagrams has the same issue.
Some standards specifically state how to review safety cases (e.g., ISO
26262).
We would like to propose some criteria based on traceability.
(Figure: validation criteria for safety cases in ISO 26262.)
Slide 15
New Criteria
1) Complete coverage w.r.t. traceability
   A GSN diagram references all of the
   traceable artifacts in the TIM.
2) Forward coverage w.r.t. traceability
   If G1, …, Gn are ordered, any
   traceable unit referenced in Gj is
   linked to another traceable unit
   referenced in Gk (1 ≤ j < k ≤ n).
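As an added example (not from the slides or the authors' tooling), a small Python checker for the two criteria, run over a constructed fragment of a RAMS phase-3 TIM and an ordered list of goals; the class names, sample unit ids such as HZ-1, and the choice to follow links from source to target only are assumptions:

```python
from dataclasses import dataclass, field


@dataclass
class TIM:
    """Traceability Information Model (assumed shape): artifacts own traceable
    units; links relate units and carry a source, a target and a type."""
    artifacts: dict[str, set[str]]      # artifact name -> its traceable units
    links: set[tuple[str, str, str]]    # (source unit, target unit, link type)


@dataclass
class Goal:
    """One GSN goal; `refs` are the traceable units that its context and
    solution nodes reference under the proposed convention."""
    name: str
    refs: set[str] = field(default_factory=set)


def complete_coverage(tim: TIM, goals: list[Goal]) -> set[str]:
    """Criterion 1: every traceable artifact in the TIM is referenced from the
    GSN diagram. Returns the artifacts that are NOT referenced (empty = pass)."""
    referenced = set().union(*(g.refs for g in goals))
    return {name for name, units in tim.artifacts.items() if not units & referenced}


def forward_coverage(tim: TIM, goals: list[Goal]) -> list[tuple[str, str]]:
    """Criterion 2: with goals ordered G1..Gn, each unit referenced in Gj must be
    the source of a link whose target is referenced in a later Gk (j < k).
    Assumption: links are followed source -> target only, and the last goal is
    exempt because no later goal exists. Returns (goal, unit) violations."""
    violations = []
    for j, goal in enumerate(goals[:-1]):
        later_units = set().union(*(g.refs for g in goals[j + 1:]))
        for unit in sorted(goal.refs):
            if not any(src == unit and dst in later_units for src, dst, _ in tim.links):
                violations.append((goal.name, unit))
    return violations


# Constructed sample (not from the paper): a fragment of a RAMS phase-3 TIM.
SAMPLE_TIM = TIM(
    artifacts={
        "HazardLog": {"HZ-1", "HZ-2"},
        "RiskAssessment": {"RA-1"},
        "SafetyRequirements": {"SR-1"},
        "OperationalEnvironment": {"ENV-1"},   # never referenced from the GSN
    },
    links={("HZ-1", "RA-1", "assessed_by"), ("RA-1", "SR-1", "mitigated_by")},
)
# Ordered goals G1..G3 and the units their context/solution nodes reference.
SAMPLE_GOALS = [Goal("G1", {"HZ-1", "HZ-2"}), Goal("G2", {"RA-1"}), Goal("G3", {"SR-1"})]
```

On the sample, the first criterion reports the unreferenced OperationalEnvironment artifact, and the second reports HZ-2 in G1, which no later goal's units are linked from.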
Slide 17
Related Work
• Cleland-Huang et al. suggest the use of traceability to
  maintain safety case evidence.
• Hull et al. propose an argument structure called a "satisfaction
  argument", which specifies the generally hidden rationale
  behind the design of traceability between artifacts.
• Attwood et al. adopted the idea and applied it to GSN.
• Nair et al. proposed a more generic TIM called SafeTIM.
• Katta et al. created a similar traceability model, but did not
  present clear relationships between the traceability model and the
  safety case.
Slide 18
Conclusion
• We presented a new convention for linking GSN with
  traceability information.
• We also proposed some validation criteria for GSN based
  on traceability information:
  • Complete coverage
  • Forward coverage
  • These are expected to provide a mechanical means to check the validity of
    a GSN diagram.
• Future work
  • Lift this framework to real safety case construction.
  • Evaluate whether this kind of traceability link provides
    validation criteria for a safety case.
  • Tool support to automate the validation process.