Model-based assurance case templates

  1. Model-based assurance case pattern

GSN patterns support argument abstraction, but the standard does not specify how that abstraction is resolved. A pattern can state the claim “{System S} is sufficiently safe”, yet the GSN standard says nothing about how the parameter S is managed or bound to an element of the system. Some guidance on model-based assurance cases exists for SACM, but nothing comparable is available in version 3 of the GSN standard.

We are working on a solution that systematically references argument templates to system models while keeping modular assurance cases consistent. We build it as an extension of the argument template parameters proposed in the GSN Standard.

The figure below shows a GSN-style pattern on the left and the corresponding model-based pattern on the right. Two differences stand out:

  • The model-based pattern specifies a condition: G3 is instantiated only if the contracts attribute of component C is not empty. This formal condition replaces the textual description of optional instantiation in the GSN pattern.
  • Instead of the black ball (the multiplicity decorator) used for multiple instantiation in the GSN pattern, the model-based pattern specifies that G9 is instantiated once for each K in the contracts attribute of C.
Figure: Model-based assurance case pattern

The conditions in a model-based pattern are evaluated against a System Assurance Reference Model (SARM), which describes the complete context of an assurance case. This may include system architecture models, risk models (hazards, threats, etc.), the environment, operational conditions, life cycle processes and other relevant factors.
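The two instantiation rules above (G3 only if C.contracts is non-empty, G9 once per K in C.contracts) and the idea of evaluating them against a reference model can be illustrated with a small generator. The following is an added example written for this page; it is not the project's prototype tool, and it does not reproduce the PREMIS import format. It assumes a toy model with components and contracts standing in for a SARM, assumes G9 sits under G3 in the pattern (the page does not state the nesting), and emits a hypothetical XML schema purely for illustration.

```python
"""Toy instantiation of a model-based assurance case pattern (added example)."""
from dataclasses import dataclass, field
from typing import Callable, Optional
import xml.etree.ElementTree as ET


# --- Constructed system model: a stand-in for a SARM, not the real reference model ---
@dataclass
class Contract:
    name: str
    guarantee: str


@dataclass
class Component:
    name: str
    contracts: list = field(default_factory=list)  # list[Contract]


# --- Pattern template elements; placeholders like {C} and {K} are bound from the model ---
@dataclass
class GoalTemplate:
    id: str
    text: str
    condition: Callable[[dict], bool] = lambda env: True  # instantiate only if true
    foreach: Optional[tuple] = None  # (variable name, env -> iterable of model elements)
    children: list = field(default_factory=list)


@dataclass
class GoalInstance:
    id: str
    text: str
    children: list = field(default_factory=list)


def instantiate(template: GoalTemplate, env: dict) -> list:
    """Expand one template under the binding env (e.g. {"C": component}).

    Returns [] when the template's condition is false (optional instantiation),
    one instance when there is no foreach, and one instance per selected
    element otherwise (multiple instantiation). Children inherit the binding.
    """
    if not template.condition(env):
        return []
    if template.foreach is None:
        bindings = [env]
    else:
        var, select = template.foreach
        bindings = [{**env, var: item} for item in select(env)]
    instances = []
    for b in bindings:
        names = {k: v.name for k, v in b.items()}
        suffix = ",".join(f"{k}={v}" for k, v in names.items())
        instances.append(GoalInstance(
            id=f"{template.id}[{suffix}]",
            text=template.text.format(**names),
            children=[g for child in template.children for g in instantiate(child, b)],
        ))
    return instances


# Pattern mirroring the figure: G3 conditional on contracts, G9 per contract.
# The G1 -> G3 -> G9 nesting is an assumption of this example.
G9 = GoalTemplate("G9", "Contract {K} of {C} is satisfied",
                  foreach=("K", lambda env: env["C"].contracts))
G3 = GoalTemplate("G3", "All contracts of {C} are satisfied",
                  condition=lambda env: len(env["C"].contracts) > 0,
                  children=[G9])
G1 = GoalTemplate("G1", "{C} is sufficiently safe", children=[G3])


def generate(component: Component) -> list:
    """Instantiate the top-level pattern for one component of the model."""
    return instantiate(G1, {"C": component})


def to_xml(goals: list) -> str:
    """Serialise instances to a hypothetical XML schema (not the PREMIS format)."""
    root = ET.Element("assuranceCase")

    def add(parent, g):
        el = ET.SubElement(parent, "goal", id=g.id)
        el.text = g.text
        for c in g.children:
            add(el, c)

    for g in goals:
        add(root, g)
    return ET.tostring(root, encoding="unicode")


# Constructed sample model: one component with two contracts, one with none.
SAMPLE_BRAKE = Component("Brake", [Contract("K1", "decelerates within 200 ms"),
                                   Contract("K2", "reports fault within 50 ms")])
SAMPLE_LOGGER = Component("Logger")

if __name__ == "__main__":
    print(to_xml(generate(SAMPLE_BRAKE)))
    print(to_xml(generate(SAMPLE_LOGGER)))  # G3/G9 absent: contracts attribute is empty
```

Because the conditions are functions of the model rather than free text, re-running `generate` after a model change (a contract added to Brake, say) yields the updated argument without hand-editing the case, which is the property the page's next stage targets.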

The approach is described in our paper “Automated Generation of Modular Assurance Cases with the System Assurance Reference Model”, published in December in the ACM journal Formal Aspects of Computing (https://dl.acm.org/doi/10.1145/3685936).

We are currently experimenting with a prototype tool that generates modular assurance cases from model-based templates. The tool emits XML files that define the assurance cases, which are then imported into PREMIS. We are testing the argument generation process; in the next stage of the project we will work on updating assurance cases after changes to the system models.

If you are interested in this approach to assurance case templates, we would be happy to present it and see whether it would also work for your templates. Please contact us if you have any questions or would like to find out more.