Notation and Tools

Tools
Tool support for safety cases can be considered in three broad categories:

Decision support and elicitation tools. These allow one to expose the thinking behind the argument, advise on how to construct a case, and assist in reading and review. They are considered in more detail below.

Tools to generate evidence. These provide the evidence that supports the safety case argument. They include safety analysis tools (fault trees, FMECAs), tools for collecting and analysing field experience, static analysis, test and proof tools.

Safety Management System Infrastructure support. In this category there are the tools for configuration management and traceability such as Requirements Engineering support tools and Hazard Logs.

Notations
Although safety cases are increasingly accepted and mandated for assuring critical systems, the traditional means of production (word-processed documents with in-line graphics) has a number of shortcomings. Traditional applications have to be severely stretched for safety case development and the resulting documents are often cumbersome, and can be difficult to construct and review. Moreover, the structure of the safety argument itself is often lost in the volume of paper produced.

Toulmin developed a conceptual framework and graphical notation for representing the structure of an argument in the 1950s. Toulmin [6] makes a distinction between "claim or conclusion whose merits we are seeking to establish" and "the facts we appeal to as a foundation for the claim". Together with the notion of a "warrant" that the facts indeed support the claim, Toulmin developed the following basic notation:

Figure: Toulmin's graphical argumentation motif

In this way, an argument can be constructed from the following elements[1]:
  • a claim about a property of the system or some subsystem
  • evidence which is used as the basis of the argument
  • an argument linking the evidence to the claim, which explicates how the evidence supports the claim (e.g. statistical, logical argument etc.)
Since the evidence for a claim can itself be another sub-claim, or argument fragment, a generic graphical argument structure allows for hierarchical decomposition, with the general form of an acyclic graph, since a piece of evidence may support a number of claims. Cycles are problematic in that there is no grounded evidence for a cyclic structure, and nodes can be potentially self-defeating.

Following Toulmin's approach, more recent notations such as ASCAD [4], [5] and GSN (Goal Structuring Notation) [8], [9], with supporting methodologies have been developed for making arguments in industry. ASCAD uses a "claims-arguments-evidence" motif for representing argument structure (see figure below); GSN uses a similar "goals-strategies-solutions" form of construction. Existing hypertext systems that have adopted elements of Toulmin's schema include AAA [10] and more recently Aquanet [11].

Figure: A generic graphical argument using a "claims-arguments-evidence" structuring motif

Integrating narrative and graphical notation into a hypertext argumentation approach
There are deficiencies in just using plain narrative, or a purely graphical notation. Pure narrative is critiqued earlier: such documents can be long, unstructured, and often do not bring out the implicit argument. Pure graphical notation can demonstrate links between argument sections and differentiate between different types of argument components, but without narrative there is no "meat" against which the soundness of the argument may be judged.

We propose that a hypertext argument is like software, in that it is "enacted" through reading the notation in conjunction with the narrative. At a macro level, a user "reads" and expands the graphical argument with narrative according to the structure, thereby recreating an overall narrative/set of utterances for the hypertext argument (e.g. "this node is the evidence for the 'design diversity' argument which supports the main safety claim"). The graphical notation allows the user to focus on particular structures and follow threads of supporting evidence. Similarly to software there can be bugs in the argument (e.g. a claim may be floating or unsupported, or a piece of evidence may be invalid). At a micro level, there is a need for standard narrative so that authors can explicate any necessary details about the argument, situate it in context, and make use of any existing narrative. This approach is implemented in the Adelard Safety Case Editor (ASCE) [1] and has been used on real safety cases with many thousands of nodes.
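The two structural "bugs" named above (a floating or unsupported claim, and the cyclic structures that the earlier paragraph on hierarchical decomposition rules out) can be checked mechanically once the argument is held as a graph. The following Python is an added example, not code from this page or from the ASCE tool; the node ids, the node kinds and the sample "design diversity" graph are constructed for illustration, and the representation (a kind per node plus supporter-to-supported edges) is an assumption of the example.

```python
"""Structural checks for a claims-arguments-evidence argument graph.

Added example (not from the Adelard page or the ASCE tool). Each node has a
kind ('claim', 'argument' or 'evidence'); an edge (src, dst) means src
supports dst. The checks correspond to the argument bugs named in the text:
floating (unsupported) claims and cycles, which have no grounded evidence.
"""
from collections import defaultdict

# Node kinds used in the claims-arguments-evidence motif.
CLAIM, ARGUMENT, EVIDENCE = "claim", "argument", "evidence"

# Constructed sample: a main safety claim supported by a 'design diversity'
# argument that rests on two pieces of evidence, plus one floating sub-claim.
SAMPLE_NODES = {
    "C1": CLAIM,      # main safety claim (hypothetical wording)
    "A1": ARGUMENT,   # the "design diversity" argument
    "E1": EVIDENCE,   # e.g. diverse-channel test results (constructed)
    "E2": EVIDENCE,   # e.g. independent review report (constructed)
    "C2": CLAIM,      # sub-claim that nothing supports: a floating claim
}
SAMPLE_EDGES = [("A1", "C1"), ("E1", "A1"), ("E2", "A1"), ("C2", "C1")]


def supporters_of(edges):
    """Map each node to the list of nodes that directly support it."""
    incoming = defaultdict(list)
    for src, dst in edges:
        incoming[dst].append(src)
    return incoming


def unsupported_claims(nodes, edges):
    """Claims and arguments with nothing beneath them.

    Evidence is the leaf kind, so it is allowed to have no supporters.
    """
    incoming = supporters_of(edges)
    return sorted(n for n, kind in nodes.items()
                  if kind != EVIDENCE and not incoming[n])


def find_cycle(nodes, edges):
    """Return one cycle as a list of node ids, or [] if the graph is acyclic.

    Iterative depth-first search with three colours: unvisited (WHITE),
    on the current path (GREY) and finished (BLACK). Meeting a GREY node
    again means the current path closes a cycle.
    """
    adjacency = defaultdict(list)
    for src, dst in edges:
        adjacency[src].append(dst)
    WHITE, GREY, BLACK = 0, 1, 2
    colour = {n: WHITE for n in nodes}
    for start in nodes:
        if colour[start] != WHITE:
            continue
        path, colour[start] = [start], GREY
        stack = [iter(adjacency[start])]   # one edge iterator per path node
        while stack:
            try:
                nxt = next(stack[-1])
            except StopIteration:
                colour[path.pop()] = BLACK
                stack.pop()
                continue
            if colour[nxt] == GREY:
                return path[path.index(nxt):] + [nxt]
            if colour[nxt] == WHITE:
                colour[nxt] = GREY
                path.append(nxt)
                stack.append(iter(adjacency[nxt]))
    return []


def check_argument(nodes, edges):
    """Run all structural checks; an empty dict means no structural bug found."""
    findings = {}
    unknown = sorted({n for e in edges for n in e if n not in nodes})
    if unknown:
        findings["unknown_nodes"] = unknown
        return findings  # the other checks assume every edge endpoint exists
    floating = unsupported_claims(nodes, edges)
    if floating:
        findings["unsupported"] = floating
    cycle = find_cycle(nodes, edges)
    if cycle:
        findings["cycle"] = cycle
    return findings


if __name__ == "__main__":
    print("acyclic sample:", check_argument(SAMPLE_NODES, SAMPLE_EDGES))
    # Closing the loop C1 -> C2 makes C2 look supported but creates a cycle.
    print("cyclic sample: ", check_argument(SAMPLE_NODES,
                                            SAMPLE_EDGES + [("C1", "C2")]))
```

The second run shows why cycles are treated as a bug rather than a quirk: adding the edge from the main claim back to the floating sub-claim makes `unsupported_claims` report nothing, yet no grounded evidence has been added. A reviewer relying only on "every claim has a supporter" would be misled, which is the self-defeating case the text describes; the cycle check catches it.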

References
This page is based on Luke Emmet & George Cleland, Graphical Notations, Narratives and Persuasion: a Pliant Systems Approach to Hypertext Tool Design, in Proceedings of ACM Hypertext 2002 (HT'02), June 11-15, 2002, College Park, Maryland, USA.

[1] ASCE (Adelard Safety Case Editor) homepage

[2] IEC 61508-1, "Functional safety of electrical/electronic/programmable electronic safety-related systems", CEI/IEC 61508:1998.

[3] RTCA/DO-178B Advisory Circular "Software Considerations in airborne systems and equipment certification"

[4] Bishop, P. & Bloomfield, R. A Methodology for Safety Case Development, Safety-Critical Systems Symposium, Birmingham, UK, Feb 1998

[5] Adelard (1998) ASCAD: The Adelard Safety Case Development Manual, ISBN 0 9533771 0 5

[6] Toulmin, S.E. (1958) The Uses of Argument, Cambridge University Press, Cambridge, England.

[7] Kolb, D. Scholarly Hypertext: Self-Represented Complexity. In Proceedings of The Eighth ACM Conference on Hypertext, Southampton, 1997, pp. 29-37

[8] Kelly, T. Arguing Safety A Systematic Approach to Managing Safety Cases (1998). PhD Thesis, available at http://www.cs.york.ac.uk/ftpdir/reports/YCST-99-05.ps.gz

[9] Kelly, T & McDermid, J, Safety Case Construction and Reuse using Patterns, Proc 16th Conf on Computer Safety, Reliability and Security (Safecomp '97) 1997

[10] Schuler, W. & Smith, J. Author's Argumentation Assistant (AAA): A Hypertext Based Authoring Tool for Argumentative Texts, ECHT'90

[11] Marshall C., Halasz, F, Rogers R, & Jansen W C. Aquanet: a hypertext tool to hold your knowledge in place. In proceedings of Hypertext 91 (San Antonio, Texas) ACM New York 1991.

[12] Bush, D & Finkelstein, A. Reuse of Safety Case Claims: An initial investigation. London Communications Symposium, University College London, 10th-11th September 2001, http://www.ee.ucl.ac.uk/lcs/prog01/LCS035.pdf

[13] Emmet, L. Experiences of using open hypertext to support safety documentation from: The 5th Workshop on Open Hypermedia Systems (OHS) http://aue.auc.dk/~kock/OHS-HT99/Papers/emmet.html

[14] Conklin, J., Selvin, A. Buckingham-Shum, S, Sierhuis, M. Facilitated Hypertext for Collective Sensemaking: 15 years on from gIBIS. 11th ACM Conference on Hypertext and Hypermedia (Hypertext 2001), pp123

[15] Tourlas, K (2001) Diagrammatic Representations in Domain-Specific Languages. University of Edinburgh, Dphil Thesis.

[16] Conklin, J. and Begeman, M.L. gIBIS: A Hypertext Tool for Exploratory Policy Discussion. ACM Transactions on Office Information Systems, 4, 6, 1988, pp. 303-331

[17] Halasz, F.G., Moran, T.P., and Trigg, R.H. (1987) NoteCards in a Nutshell. In Proceedings of ACM CHI + GI '87, Toronto, Ontario. ACM Press. pp. 45-52.

[18] Nielsen, J. (1993). Usability Engineering. Academic Press, Boston, ISBN 0-12-518405-0

[19] Norman, D. Making Technology Invisible: A Conversation with Don Norman. Bergman, Eric (Editor) (2000) Information Appliances and Beyond: Morgan Kaufmann (August, 2001 or earlier).

[20] Norman, D. The Invisible Computer (2 October, 1998) The MIT Press; ISBN: 0262140659

[21] Mark Weiser and John Seely Brown. The Coming Age of Calm Technology, Revised version of Weiser & Brown. "Designing Calm Technology", PowerGrid Journal, v 1.01, http://powergrid.electriciti.com/1.01 (July 1996). October, 1996. http://www.ubiq.com/hypertext/weiser/acmfuture2endnote.htm.

[22] Henderson, A. and Harris, J. Beyond Formalisms: The Art and Science of Designing Pliant Systems. Chapter 4 in: Klaus Kaasgaard Software Design & Usability: Talks with Bonnie Nardi, Jakob Nielsen, David Smith, Austin Henderson & Jed Harris, Terry Winograd and Stephanie Rosenbaum, Copenhagen Business School Press, October 2000. Also available at http://www.pliant.org/Beyond-Formalisms.pdf

[23] Marshall, C & Rogers, R. Two Years before the Mist: Experiences with Aquanet. Proceedings of ECHT'92, Milano

[24] F. Shipman and C. Marshall, "Formality Considered Harmful: Experiences, Emerging Themes, and Directions on the Use of Formal Representations in Interactive Systems", Computer Supported Cooperative Work (CSCW) , 8, 4 (Fall 1999), pp. 333-352.

[25] Marshall, C & Shipman, F M. VIKI: Spatial Hypertext Supporting Emergent Structure ACM Hypertext 1994

[26] Whitehead, E.J. Control Choices and Network Effects in Hypertext Systems, 10th ACM Conference on Hypertext and Hypermedia (Hypertext 1999)


[1] This formulation is for arguments supporting claims about systems. Other domains for rigorous argumentation would assert claims about that domain. In the limit, Kolb [7] conceives of tools that could even enable argumentation about its own structures ("scholarly hypertext").