[SiriusCon 2018] AdvoCATE: An Assurance Case Automation Toolset Based on Eclipse and Sirius
4th December, 2018
Ewen Denney & Robbie Henderson (joint work with Ganesh Pai and Dimo Petroff)
NASA Ames Research Center, Robust Software Engineering Group
ewen.denney@nasa.gov
Research Motivation
• High-hazard industries are moving to active safety management
  – Safety management system (SMS) in aviation
  – Need to
    • Unify reasoning about technical aspects of safety
    • Support safety-related decision making
• Goals-based regulation is attractive for novel applications
  – When regulations and performance standards are absent
    • Unmanned aircraft systems (UAS), autonomous systems, …
  – Increases flexibility for the regulated entity
  – Evidence-based assurance → safety case / assurance case
Safety and Assurance Cases
‘A safety case is a structured argument, supported by a body of evidence, that provides a compelling, comprehensible and valid case that a system is safe for a given application in a given operating environment’
  - NASA System Safety Handbook ver. 1 (2014)
• Essentially, a safety risk management artifact
  – Other compatible definitions and guidance on content
  – Based on application domain, standard, regulatory paradigm, etc.
• An assurance case generalizes safety cases to other assurance properties: reliability, security, availability, …
Safety Risk Management

[Table: hazard log excerpt. The columns under "Risk Analysis and Assessment" are Hazard, Effect, Severity, Likelihood and Initial Risk Level; the columns under "Risk Control" are Hazard Control and Residual Risk Level.]

Hazard                                   | Effect | Severity | Likelihood | Initial Risk Level | Hazard Control                        | Residual Risk Level
H1 - Airspace encounter with GA aircraft | NMAC   | 2 (Haz.) | Probable   | 2B                 | Detect & Avoid, Flt. Termination, ... | 2D
                                         | MAC    | 1 (Cat.) | Probable   | 1B                 |                                       | 2D
H2 – Stall                               | CFIT   |          |            |                    |                                       |

[Figure: safety risk management lifecycle. Stages, with the artifacts labelled on them:]
  System Analysis: Concept of Operations, system/change description, regulations, …
  HazID: hazards (operational, functional, …)
  Barrier Modeling – Abstract Safety Architecture: design target; risk scenarios, design targets, risk evaluation
  Safety Requirements: safety requirements; barrier and control functions
  Implementation: mitigations
  Assurance Rationale (Structured Argument): assurance claims, strategies, context, rationale, …
  Evidence Artifacts: design, analysis, verification, testing
  Operational Safety Assurance (Monitoring and Update): safety performance measures, monitors, …; operational evidence: verification of safety performance targets, assumption corroboration, hazard tracking, precursors, …
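The risk levels in the hazard log combine a severity class with a likelihood class, and the residual level records how far the hazard controls move a hazard across the risk matrix. The Python below is an added example, not AdvoCATE code: it models hazard log rows this way and flags rows whose residual risk is still not acceptable. The five-class scales, the "<severity><likelihood>" level code and the acceptability thresholds are assumptions chosen to reproduce the 2B, 1B and 2D codes shown on the slide; the credit assigned to each control is constructed sample data, not a value from the slide.

```python
"""Hazard log rows with initial and residual risk levels.

Added example; it is not AdvoCATE code. The severity and likelihood scales,
the level code and the acceptability rule are assumptions chosen so the codes
match the slide (2B, 1B, 2D); a real programme takes them from its SMS
standard. Control credits are constructed sample data.
"""
from dataclasses import dataclass, field

# Assumed scales. Severity 1 is the worst class; likelihood letters run from
# most (A) to least (E) likely, so "2B" is Hazardous at Probable.
SEVERITY = {1: "Catastrophic", 2: "Hazardous", 3: "Major", 4: "Minor", 5: "Negligible"}
LIKELIHOOD = ["Frequent", "Probable", "Remote", "Extremely Remote", "Extremely Improbable"]
LIKELIHOOD_CODE = dict(zip(LIKELIHOOD, "ABCDE"))


def risk_level(severity: int, likelihood: str) -> str:
    """Risk level code, e.g. risk_level(2, "Probable") == "2B"."""
    if severity not in SEVERITY:
        raise ValueError(f"unknown severity class {severity}")
    return f"{severity}{LIKELIHOOD_CODE[likelihood]}"


def acceptable(level: str) -> bool:
    """Assumed acceptability rule: likelihood D/E is acceptable at any severity,
    C only from severity class 3 downwards, A/B only for severity 4 and 5."""
    severity, code = int(level[0]), level[1]
    if code in "DE":
        return True
    if code == "C":
        return severity >= 3
    return severity >= 4


@dataclass(frozen=True)
class Control:
    name: str
    likelihood_credit: int = 0  # likelihood classes the control is credited with (towards E)
    severity_credit: int = 0    # severity classes the control is credited with (towards 5)


@dataclass
class HazardEffect:
    """One Hazard/Effect row of the hazard log."""
    hazard_id: str
    hazard: str
    effect: str
    severity: int
    likelihood: str
    controls: list = field(default_factory=list)

    def initial_risk(self) -> str:
        return risk_level(self.severity, self.likelihood)

    def residual_risk(self) -> str:
        # Credits move the row across the matrix; both axes are clamped at their last class.
        idx = LIKELIHOOD.index(self.likelihood) + sum(c.likelihood_credit for c in self.controls)
        sev = self.severity + sum(c.severity_credit for c in self.controls)
        return risk_level(min(sev, 5), LIKELIHOOD[min(idx, len(LIKELIHOOD) - 1)])


def build_sample_log() -> list:
    """The two H1 effect rows from the slide; the control credits are constructed."""
    daa = Control("Detect & Avoid", likelihood_credit=2)
    flt_term = Control("Flt. Termination", severity_credit=1)
    h1 = "Airspace encounter with GA aircraft"
    return [
        HazardEffect("H1", h1, "NMAC", 2, "Probable", [daa]),
        HazardEffect("H1", h1, "MAC", 1, "Probable", [daa, flt_term]),
    ]


def open_items(log: list) -> list:
    """Rows whose residual risk is not acceptable: the hazard cannot be closed yet."""
    return [f"{r.hazard_id}/{r.effect}" for r in log if not acceptable(r.residual_risk())]


if __name__ == "__main__":
    for row in build_sample_log():
        print(row.hazard_id, row.effect, row.initial_risk(), "->", row.residual_risk())
    print("open:", open_items(build_sample_log()))
```

The same rows with their controls removed are what `open_items` is for: without Detect & Avoid and flight termination both H1 rows stay at initial risk and would be reported as open.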
Example: UAS Safety
Combination of operating modes
  • Visual line of sight (VLOS)
  • Beyond visual line of sight (BVLOS)
  • Beyond radio line of sight (BRLOS)
Varying access profiles
  • Operating range
  • Terminal airspace
  • Transit (vertical / lateral)
Diverse environment
  • Populated / urban / built-up areas
  • Uncontrolled / controlled airspace
  • Low / high density airspace
Varying mission concepts
  • Package delivery
  • Surveillance
  • Aerial inspection
  • Mapping, …
Different configurations
  • Airborne sensors (Lidar, sonar, FPV camera, Radar)
  • Ground sensors (Radar)
  • Multiple GCS, Roaming GCS, …
Increasing complexity in mission and operations
UAS – Unmanned Aerial System (aka drone)

UTM: UAS Traffic Management
Tool Needs
• Creation and assessment of assurance cases
  – Support a variety of diagrams and representations for assurance artifacts (graphical, tabular, textual)
  – Views for diverse stakeholders and use cases
  – Consistency and navigation between assurance artifacts
  – Automation workflows
  – Integration with 3rd party tools
• Tool technologies
  – EMF: model-based assurance
  – Sirius: graphical editing of industry standard safety notations
  – Xtext: domain specific languages and querying of safety models
  – NatTable: table editor for hazard/requirements analysis
Barrier Modeling
• Collection of barrier models providing a risk basis
  – Collection of all factors affecting risk
  – Model for risk qualification/quantification

[Figure: bow tie structure. Threats / causes / initiating events or states → Prevention Barriers → Hazard (Loss of Control State) → Recovery Barriers → Accident / loss / harmful states or events. An event chain / accident trajectory passes through a barrier compromise/breach.]

Bow Tie Diagram (BTD)
Example: Loss of Separation

Rationale Capture via Assurance Arguments
[Figure: Goal Structuring Notation (GSN) argument. Labels: safety / dependability claims; chain of reasoning; developed claims; item of evidence; documentation and details.]

Example: Battery Failure
AdvoCATE: Tables
• Assurance Case Automation Toolset
• Hazard analysis and risk assessment
  – Conducting hazard identification
  – Specification of hazard causes and consequences
  – Assessment of initial and residual risk levels given in terms of probability and severity
• Safety and assurance requirements capture

Hazard Log and Tabular Editor

Safety Requirements Capture
AdvoCATE: Arguments and Patterns
• Structured argument development
  – Pattern specification
  – Automated pattern instantiation
• Integration of formal methods and formal tool-based evidence
  – Hierarchical and modular organization
  – Argument queries and views
• Metrics

Argument Editor
AdvoCATE: Safety Architectures
• Safety architecture development
  – Composition of multiple bow tie diagrams
  – Views
  – Transformations (event and barrier split / merge)
    • Sequential event split: Loss of safe separation → Loss of “well-clear” separation + NMAC
    • Parallel event split: MAC → MAC within OR || MAC outside OR
    • Barrier split: Ground-based surveillance → Radar surveillance + Visual surveillance
  – Risk computation: event probability along paths
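The risk computation and the split transformations above, as an added Python example that is not AdvoCATE code: an event propagates along a bow tie path only if every barrier on it fails, so the path probability is the initiating probability times the probability of failure on demand (PFD) of each barrier; the top-event probability combines the prevention paths, and the consequence probabilities follow from it along the recovery paths. A barrier split replaces one barrier by several in series (their PFDs multiply), and a parallel event split divides one consequence into branches whose fractions sum to 1. The threat probabilities and PFDs are constructed numbers, and independence of threats and barriers is assumed.

```python
"""Event probability along bow tie paths, with barrier-split and parallel
event-split transformations.

Added example; it is not AdvoCATE code. Threat probabilities and barrier
PFDs are constructed; threats and barriers are assumed independent.
"""
from dataclasses import dataclass
from math import prod


@dataclass(frozen=True)
class Barrier:
    name: str
    pfd: float  # probability the barrier fails when challenged, 0..1


@dataclass(frozen=True)
class Path:
    start: str          # a threat (prevention side) or the top event (recovery side)
    barriers: tuple     # Barrier objects in the order the event passes them
    end: str            # the top event (prevention side) or a consequence
    branch: float = 1.0  # fraction taken by this branch of a parallel event split


def path_probability(p_start: float, path: Path) -> float:
    """The event reaches the end of the path only if every barrier on it fails."""
    return p_start * path.branch * prod(b.pfd for b in path.barriers)


def any_of(ps) -> float:
    """Probability that at least one of several independent events occurs."""
    return 1.0 - prod(1.0 - p for p in ps)


@dataclass
class BowTie:
    top_event: str
    threats: dict     # threat name -> probability of the initiating event
    prevention: list  # Paths from threats to the top event
    recovery: list    # Paths from the top event to consequences

    def top_event_probability(self) -> float:
        return any_of(path_probability(self.threats[p.start], p) for p in self.prevention)

    def consequence_probabilities(self) -> dict:
        p_top = self.top_event_probability()
        out = {}
        for p in self.recovery:
            out[p.end] = out.get(p.end, 0.0) + path_probability(p_top, p)
        return out


def split_barrier(path: Path, name: str, parts: list) -> Path:
    """Barrier split: one barrier becomes several independent barriers in series.
    The event must defeat all of them, so the PFDs multiply; the path probability
    is preserved exactly when prod(part.pfd) equals the original PFD."""
    barriers = []
    for b in path.barriers:
        barriers.extend(parts if b.name == name else [b])
    return Path(path.start, tuple(barriers), path.end, path.branch)


def split_event(path: Path, outcomes: dict) -> list:
    """Parallel event split: one consequence becomes alternatives whose branch
    fractions sum to 1, e.g. MAC -> MAC within OR || MAC outside OR."""
    if abs(sum(outcomes.values()) - 1.0) > 1e-9:
        raise ValueError("branch fractions of a parallel split must sum to 1")
    return [Path(path.start, path.barriers, end, path.branch * frac) for end, frac in outcomes.items()]


def build_sample() -> BowTie:
    """Loss of safe separation as the top event; all numbers are constructed."""
    top = "Loss of safe separation"
    surveillance = Barrier("Ground-based surveillance", 0.1)
    geofence = Barrier("Geofence", 0.2)
    daa = Barrier("Detect & Avoid", 0.05)
    flt_term = Barrier("Flight termination", 0.5)
    mac = Path(top, (daa, flt_term), "MAC")
    return BowTie(
        top,
        threats={"GA aircraft enters operating range": 0.2, "Navigation error": 0.05},
        prevention=[
            Path("GA aircraft enters operating range", (surveillance, geofence), top),
            Path("Navigation error", (geofence,), top),
        ],
        recovery=[Path(top, (daa,), "NMAC")] + split_event(mac, {"MAC within OR": 0.7, "MAC outside OR": 0.3}),
    )


def barrier_split_preserves_risk() -> tuple:
    """Top-event probability before and after splitting ground-based surveillance
    into radar + visual barriers whose PFDs multiply to the original 0.1."""
    bt = build_sample()
    before = bt.top_event_probability()
    parts = [Barrier("Radar surveillance", 0.25), Barrier("Visual surveillance", 0.4)]
    bt.prevention = [split_barrier(p, "Ground-based surveillance", parts) for p in bt.prevention]
    return before, bt.top_event_probability()


if __name__ == "__main__":
    bt = build_sample()
    print("P(top event) =", bt.top_event_probability())
    print(bt.consequence_probabilities())
    print("split preserves risk:", barrier_split_preserves_risk())
```

The check in `barrier_split_preserves_risk` is the one worth automating after any transformation of a safety architecture: a split or merge that is meant to be a pure refinement must leave the computed event probabilities unchanged.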
Safety Architectures
[Figure: bow tie modeling → automated view extraction]
AdvoCATE: Traceability
• Navigation
• Traceability matrices
• Maintaining consistency between related artifacts, e.g., between
  – Entries in the hazard log and the relevant assurance requirements
  – Arguments and the corresponding requirements, verification artifacts, etc.

Tracing and Consistency
[Figure: traced artifacts – Hazards; Safety and Assurance Requirements; Assurance Arguments / Rationale; Bow Tie Diagrams / Safety Architecture]
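Consistency checks of the kind described above, as an added Python example that is not AdvoCATE's implementation: each artifact carries references to the artifacts it depends on, and the checks report dangling references, hazards with no mitigating requirement, requirements that no argument goal argues, and goals with no supporting evidence, each with the id a dashboard would hyperlink to. The record layout (a requirement lists the hazards it mitigates; a goal lists the requirements it argues and its evidence) and the sample artifacts are this example's own assumptions.

```python
"""Consistency checks across hazard log, requirements and assurance argument.

Added example; it is not AdvoCATE code. The reference conventions and the
sample artifacts are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass
class Finding:
    kind: str      # category a dashboard would group by
    artifact: str  # id the user is hyperlinked to
    message: str


def check_consistency(hazards: dict, requirements: dict, goals: dict) -> list:
    """hazards: id -> title; requirements: id -> [hazard ids mitigated];
    goals: id -> {"requirements": [ids argued], "evidence": [evidence items]}."""
    findings = []

    # 1. A requirement that mitigates a hazard missing from the log is a dangling reference.
    for rid, hids in requirements.items():
        for hid in hids:
            if hid not in hazards:
                findings.append(Finding("dangling-ref", rid, f"{rid} mitigates unknown hazard {hid}"))

    # 2. Every hazard in the log needs at least one mitigating requirement.
    covered = {hid for hids in requirements.values() for hid in hids}
    for hid, title in hazards.items():
        if hid not in covered:
            findings.append(Finding("uncovered-hazard", hid, f"{hid} ({title}) has no safety requirement"))

    # 3. Every requirement should be argued somewhere in the assurance case.
    argued = {rid for g in goals.values() for rid in g["requirements"]}
    for rid in requirements:
        if rid not in argued:
            findings.append(Finding("unargued-requirement", rid, f"{rid} is not referenced by any argument goal"))

    # 4. Goals must cite existing requirements and must be developed with evidence.
    for gid, g in goals.items():
        for rid in g["requirements"]:
            if rid not in requirements:
                findings.append(Finding("dangling-ref", gid, f"{gid} argues unknown requirement {rid}"))
        if not g["evidence"]:
            findings.append(Finding("undeveloped-goal", gid, f"{gid} has no supporting evidence"))
    return findings


def traceability_matrix(hazards: dict, requirements: dict) -> dict:
    """hazard id -> sorted ids of the requirements that mitigate it (an empty row is a gap)."""
    return {hid: sorted(rid for rid, hids in requirements.items() if hid in hids) for hid in hazards}


def sample_artifacts() -> tuple:
    """Constructed sample: H1/H2 from the slide's hazard log; H3 is a deliberate dangling id."""
    hazards = {"H1": "Airspace encounter with GA aircraft", "H2": "Stall"}
    requirements = {"R1": ["H1"], "R2": ["H1"], "R3": ["H3"]}
    goals = {
        "G1": {"requirements": ["R1"], "evidence": ["Detect & Avoid flight test report"]},
        "G2": {"requirements": ["R2"], "evidence": []},
    }
    return hazards, requirements, goals


if __name__ == "__main__":
    h, r, g = sample_artifacts()
    for f in check_consistency(h, r, g):
        print(f"[{f.kind}] {f.artifact}: {f.message}")
    print(traceability_matrix(h, r))
```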
Amalgam Activity Explorer
• The Amalgam activity explorer is used in the design of our Safety, Mission Assurance, and Risk management (SMART) dashboard
• The SMART Dashboard allows us to:
  – Provide a clear and directional workflow towards a completed safety/assurance case
  – Provide feedback on the status of assurance activities, and areas that need to be developed further
  – Provide a naive evaluation of the current system safety
  – In future, provide real-time evaluation of the system based on feedback from a live platform
• For each step we have one EMF model
• Dependencies provide some of the workflow, i.e. safety architectures can require “requirements” model components
• Necessary components are clearly prompted
• Sirius diagrams relevant to the current model are accessible
• Problems with the safety case development are clearly brought to the user’s attention, with hyperlinking to the problem source
Activity Explorer Issues
• We don’t always have a Sirius “session”
  – Amalgam works very well when provided a Sirius “session”
  – Some of our models are entirely developed in a DSL, or in the NatTable tabular editor
  – Initially we created viewpoints for all resources… even when it wasn’t useful
  – We now manually load resources and open editors by id, and only use the Sirius session for the opening/creation of viewpoints
• Debugging is hard!
  – Issues with activity explorer pages often result in no activity explorer at all, with no logging – help!
BX of Safety Models
• Sirius viewpoints are used extensively, alongside various editors, to avoid complex bidirectional transformations of the safety models
  – The safety architecture of a system can be viewed as a Controlled Event Structure (CES), a single diagram showing the temporal flow of all events
  – One event in a CES may have a local bow tie, where we only care about the event, its own causes and effects
  – Through a combination of Xtend model helpers and multiple viewpoints, we managed to merge most models containing similar information and just provide viewpoints where necessary
Sirius Custom Properties Panel
• Many of AdvoCATE’s graphical elements are the product of multiple modelled constructs
  – To handle this, we made use of Sirius custom property panels
  – Model elements, such as hazards, are edited from many locations in AdvoCATE, and are viewed in different forms all over the tool
  – One custom property panel is added, allowing us to define one uniform editing experience for the combined feature, regardless of what is shown
  – Certain semantic attributes can be shown, but not edited, to give the user context while in a particular viewpoint

[Figure: property panel for a hazard/event and for a hazard in progress (event instance), with calculated values for mitigation of risk]
• Some customizations to the custom
properties panel we have implemented:
– Enum Lists: We have many model features as
lists of enumerated values
– Xtext editor widgets (more on that later)
– Xtext index-query selection boxes – model cross
references
33
Xtext
• All models within AdvoCATE make use of Xtext resources and the powerful index they provide
• Extensive cross-referencing between models became cumbersome using pure EMF
• Integration of Xtext and Sirius has been very smooth – with only minimal customizations to Sirius widgets and some services to take advantage of the Xtext index in diagrams
• Most models we use require an Xtext DSL to keep all users happy… so extra effort is minimal
Xtext - Indexing
• With all models being Xtext resources we are able to take advantage of the Xtext index as a one-stop repository of safety elements
• Cross-referencing by loading resources becomes quite cumbersome with large projects
• We wrap Xtext index querying in services used by our Sirius diagrams, to take advantage of our DSL scope providers
• Future plans will involve the DSL Devkit Scope/Export framework, to allow us to fine-tune relevant safety artifacts, and export these to an external repository (large scale safety case development)
• We create an Xtext scope-provider-fed custom property widget
• As the DSL is modified, the Sirius properties view is updated automatically – it simply calls our scope provider
• Relevant EObjects are resolved and the list of choices is populated
Xtext – Serialized Models
• One important future feature of AdvoCATE is collaborative safety case development
  – When using pure EMF + Sirius, we found that version control struggled a little…
• One way we thought to combat this problem is a combination of:
  – Really good auto-layout (if a little ambitious)
    • We don’t necessarily need to version control the layout if we can do so automatically, and reliably
    • AIRD merge conflicts become huge, and impossible to merge – we might not need to track them
  – Serialize the model as a DSL, and parse
    • The models themselves in XMI format can be hard to merge
    • New features cause compatibility problems
• By designing a robust Xtext DSL for each model, we can more reliably track changes
  – Git likes DSLs way more than XMI
  – New features, or modified metamodels, are less likely to also break the parser, but XMI almost always will
  – We can auto-create appropriate diagrams for our models in Sirius, and auto-layout on first opening
• We’re still in the process of finding a solution to our problems – but this fits nicely so far
Xtext – Direct Edit Xtext Editor
• In some contexts, complex syntax had to be embedded in our graphical editors
  – Argument patterns are a way to generate a GSN argument based on given data and a “pattern” providing the structure
  – Parameters are defined, and then embedded in node descriptions to be evaluated at generation time
  – To do so, we designed a DSL to define the pattern and its parameters
  – Great! We get all the content assist, linking, and that fun stuff
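The pattern mechanism just described, as an added Python example that is not AdvoCATE's pattern DSL: a pattern is a GSN skeleton whose node descriptions carry parameters; instantiation binds the parameters to data, replicates nodes marked as ranging over a collection, and renders the descriptions. The `{name}` / `{name.field}` placeholder syntax, the `for_each` replication marker, the generated id scheme and the sample bindings are this example's own assumptions. Unbound parameters are reported before any node is generated, which is the check the inline validation in the text refers to.

```python
"""Instantiating an argument pattern into a GSN argument.

Added example; it is not AdvoCATE's pattern DSL. Placeholder syntax, the
for_each marker, the id scheme and the sample data are assumptions.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

PLACEHOLDER = re.compile(r"\{([A-Za-z_][A-Za-z0-9_]*(?:\.[A-Za-z_][A-Za-z0-9_]*)*)\}")


@dataclass
class PatternNode:
    id: str
    kind: str                       # Goal, Strategy, Solution, Context, ...
    text: str                       # description with {param} placeholders
    children: list = field(default_factory=list)
    for_each: Optional[str] = None  # collection parameter; node is replicated per item


@dataclass
class Node:
    """A generated argument node."""
    id: str
    kind: str
    text: str
    children: list = field(default_factory=list)


def parameters(node: PatternNode, bound=frozenset()) -> set:
    """All parameters the pattern needs; `item` is bound inside a for_each subtree."""
    inner = bound | {"item"} if node.for_each else bound
    names = {m.split(".")[0] for m in PLACEHOLDER.findall(node.text)} - inner
    if node.for_each:
        names.add(node.for_each)
    for child in node.children:
        names |= parameters(child, inner)
    return names


def unbound(node: PatternNode, bindings: dict) -> set:
    """Validation before generation: parameters with no binding."""
    return parameters(node) - set(bindings)


def _render(text: str, scope: dict) -> str:
    def lookup(match):
        head, *fields = match.group(1).split(".")
        value = scope[head]
        for f in fields:
            value = value[f] if isinstance(value, dict) else getattr(value, f)
        return str(value)
    return PLACEHOLDER.sub(lookup, text)


def _expand(node: PatternNode, scope: dict, suffix: str) -> list:
    if node.for_each is None:
        kids = [n for c in node.children for n in _expand(c, scope, suffix)]
        return [Node(node.id + suffix, node.kind, _render(node.text, scope), kids)]
    out = []
    for i, item in enumerate(scope[node.for_each], 1):
        inner = {**scope, "item": item}
        kids = [n for c in node.children for n in _expand(c, inner, f"{suffix}.{i}")]
        out.append(Node(f"{node.id}{suffix}.{i}", node.kind, _render(node.text, inner), kids))
    return out


def instantiate(root: PatternNode, bindings: dict) -> Node:
    """Generate the argument; the root node itself is assumed not to be replicated."""
    missing = unbound(root, bindings)
    if missing:
        raise ValueError(f"unbound pattern parameters: {sorted(missing)}")
    return _expand(root, bindings, "")[0]


def sample_pattern() -> PatternNode:
    """A hazard-directed argument pattern (constructed)."""
    return PatternNode("G1", "Goal", "{system} is acceptably safe to operate in {environment}", [
        PatternNode("S1", "Strategy", "Argument over each identified hazard", [
            PatternNode("G2", "Goal", "Hazard {item.id} ({item.name}) is mitigated to residual risk {item.residual}", [
                PatternNode("Sn1", "Solution", "{item.evidence}"),
            ], for_each="hazards"),
        ]),
    ])


def sample_bindings() -> dict:
    """Constructed data; H1 is the slide's hazard, the H2 values are made up."""
    return {
        "system": "The UAS package-delivery operation",
        "environment": "uncontrolled airspace",
        "hazards": [
            {"id": "H1", "name": "Airspace encounter with GA aircraft", "residual": "2D",
             "evidence": "Detect & Avoid flight test report"},
            {"id": "H2", "name": "Stall", "residual": "3D", "evidence": "Envelope protection analysis"},
        ],
    }


def dump(node: Node, depth: int = 0) -> None:
    print("  " * depth + f"{node.id} [{node.kind}] {node.text}")
    for child in node.children:
        dump(child, depth + 1)


if __name__ == "__main__":
    dump(instantiate(sample_pattern(), sample_bindings()))
```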
But wait… what’s the structure?
• Clearly, a graphical layout gives a much more manageable view of what the generated result might be
  – We needed a solution that combined the power of the Xtext DSL, for what might become very complex string-building expressions, with the high-level view of a Sirius viewpoint
  – We created a Sirius Direct Edit widget which wrapped the Xtext Embedded editor
  – Now we have content assist, syntax highlighting, hyperlinking, and inline validation – all as part of direct edit
Perspectives
• Ongoing focus on design-time assurance
  – Artifacts and rationale from development, prior to release-into-service
• Outlook towards operational assurance through lifecycle
  – In-service safety performance monitoring
• Autonomy applications
  – NASA System-wide Safety Project
  – DARPA Assured Autonomy Program
  – Expansion in application domain to spaceflight: initially robotic, eventually human spaceflight
• Future tool development
  – User-customizable dashboards
  – Query/view language
  – Collaborative development
  – Towards the Cloud …

We’re hiring!
Looking for software engineers with experience in Eclipse, Sirius, Xtext, NatTable, ...
Contact: ewen.denney@nasa.gov

More Related Content

PDF
Db2 for z/OS and FlashCopy - Practical use cases (June 2019 Edition)
PDF
Cisco Live! :: Introduction to IOS XR for Enterprises and Service Providers
PPTX
Juniper round table switching and product overview
PDF
Inter-AS MPLS VPN Deployment
PPTX
Storage networks
PPTX
Azure DevOps
PDF
z/OS Communications Server Overview
PPTX
Introduction to DRBD
Db2 for z/OS and FlashCopy - Practical use cases (June 2019 Edition)
Cisco Live! :: Introduction to IOS XR for Enterprises and Service Providers
Juniper round table switching and product overview
Inter-AS MPLS VPN Deployment
Storage networks
Azure DevOps
z/OS Communications Server Overview
Introduction to DRBD

What's hot (20)

PDF
Aruba Mobility Controller 7200 Installation Guide
PPT
Maximizing SAP ABAP Performance
PDF
SAP HANA System Replication - Setup, Operations and HANA Monitoring
PDF
TCP/IP Stack Configuration with Configuration Assistant for IBM z/OS CS
PDF
How to Speak the Language of Application Architecture
PPT
Vpn site to site
PPTX
CCNAS :Multi Area OSPF
PDF
High Availability Part 2 - pfSense Hangout July 2016
PDF
Introducción a SDN & NFV - LACNIC26-LACNOG16
PDF
Ccna simulation exam practice guide
PDF
Cisco Live! :: Cisco ASR 9000 Architecture :: BRKARC-2003 | Milan Jan/2014
PPTX
EMEA Airheads- Manage Devices at Branch Office (BOC)
PPT
An intoroduction to the IS-IS IGP routing protocol
PDF
Node-Red
PPTX
PDF
PDF
Implementation and Use of Generic VTAM Resources with Parallel SYSPLEX Features
PPTX
VMware Cloud Foundation - PnP presentation 8_6_18 EN.pptx
DOCX
How to Troubleshooting VLAN Switch Problems-Part1
PPTX
The fundamentals of AWS Cloud Security 🛠⛅️🚀
Aruba Mobility Controller 7200 Installation Guide
Maximizing SAP ABAP Performance
SAP HANA System Replication - Setup, Operations and HANA Monitoring
TCP/IP Stack Configuration with Configuration Assistant for IBM z/OS CS
How to Speak the Language of Application Architecture
Vpn site to site
CCNAS :Multi Area OSPF
High Availability Part 2 - pfSense Hangout July 2016
Introducción a SDN & NFV - LACNIC26-LACNOG16
Ccna simulation exam practice guide
Cisco Live! :: Cisco ASR 9000 Architecture :: BRKARC-2003 | Milan Jan/2014
EMEA Airheads- Manage Devices at Branch Office (BOC)
An intoroduction to the IS-IS IGP routing protocol
Node-Red
Implementation and Use of Generic VTAM Resources with Parallel SYSPLEX Features
VMware Cloud Foundation - PnP presentation 8_6_18 EN.pptx
How to Troubleshooting VLAN Switch Problems-Part1
The fundamentals of AWS Cloud Security 🛠⛅️🚀
Ad

Similar to [SiriusCon 2018] AdvoCATE: An Assurance Case Automation Toolset Based on Eclipse and Sirius (20)

PPTX
Software engineering
PPTX
Assurance Cases: Medical Device Summit West, San Francisco, CA. June 13, 2013
PPT
Concepts in Software Safety
PDF
Safety Assurance and Certification: Current Practices, Challenges, and Brains...
PDF
Standards for safety and security in avionics
PDF
AppSec in an Agile World
PPTX
functional safety topic for engineers .pptx
PPT
Safe & Sec Case Patterns (ASSURE 2015)
PPT
Ch24
PPTX
325838924-Splunk-Use-Case-Framework-Introduction-Session
PPTX
A Framework for Developing and Operationalizing Security Use Cases
PPT
201201 ureason introduction to use
PDF
Health Informatics – Application of Clinical Risk Management to the Manufactu...
PDF
Afry software safety ISO26262 (Embedded @ Gothenburg Meetup)
PPT
Testing safety critical systems: Practice and Theory (14-05-2013, VU Amsterdam)
PDF
Secure software chapman
PDF
Towards 0-bug software in the automotive industry
PDF
Security Checkpoints in Agile SDLC
PDF
ProdSec: A Technical Approach
PDF
The New European PV Legislation: Issues and Challenges
Software engineering
Assurance Cases: Medical Device Summit West, San Francisco, CA. June 13, 2013
Concepts in Software Safety
Safety Assurance and Certification: Current Practices, Challenges, and Brains...
Standards for safety and security in avionics
AppSec in an Agile World
functional safety topic for engineers .pptx
Safe & Sec Case Patterns (ASSURE 2015)
Ch24
325838924-Splunk-Use-Case-Framework-Introduction-Session
A Framework for Developing and Operationalizing Security Use Cases
201201 ureason introduction to use
Health Informatics – Application of Clinical Risk Management to the Manufactu...
Afry software safety ISO26262 (Embedded @ Gothenburg Meetup)
Testing safety critical systems: Practice and Theory (14-05-2013, VU Amsterdam)
Secure software chapman
Towards 0-bug software in the automotive industry
Security Checkpoints in Agile SDLC
ProdSec: A Technical Approach
The New European PV Legislation: Issues and Challenges
Ad

More from Obeo (20)

PDF
Digitally assisted design for safety analysis
PDF
INCOSE IS 2023 | You deserve more than the best in class MBSE tool
PDF
Tailoring Arcadia Framework in Thales UK
PDF
CapellaDays2022 | Saratech | Interface Control Document Generation and Linkag...
PDF
CapellaDays2022 | Politecnico di Milano | Interplanetary Space Mission as a r...
PDF
CapellaDays2022 | NavalGroup | Closing the gap between traditional engineerin...
PDF
CapellaDays2022 | Thales | Stairway to heaven: Climbing the very first steps
PDF
CapellaDays2022 | COMAC - PGM | How We Use Capella for Collaborative Design i...
PDF
CapellaDays2022 | CILAS - ArianeGroup | CILAS feedback about Capella use
PDF
CapellaDays2022 | ThermoFisher - ESI TNO | A method for quantitative evaluati...
PDF
CapellaDays2022 | SIEMENS | Expand MBSE into Model-based Production Engineeri...
PDF
Gestion applicative des données, un REX du Ministère de l'Éducation Nationale
PDF
Simulation with Python and MATLAB® in Capella
PDF
From Model-based to Model and Simulation-based Systems Architectures
PDF
Connecting Textual Requirements with Capella Models
PDF
Sirius Web Advanced : Customize and Extend the Platform
PDF
Sirius Web 101 : Create a Modeler With No Code
PDF
Sirius Project, Now and In the Future
PDF
Visualizing, Analyzing and Optimizing Automotive Architecture Models using Si...
PDF
Defining Viewpoints for Ontology-Based DSLs
Digitally assisted design for safety analysis
INCOSE IS 2023 | You deserve more than the best in class MBSE tool
Tailoring Arcadia Framework in Thales UK
CapellaDays2022 | Saratech | Interface Control Document Generation and Linkag...
CapellaDays2022 | Politecnico di Milano | Interplanetary Space Mission as a r...
CapellaDays2022 | NavalGroup | Closing the gap between traditional engineerin...
CapellaDays2022 | Thales | Stairway to heaven: Climbing the very first steps
CapellaDays2022 | COMAC - PGM | How We Use Capella for Collaborative Design i...
CapellaDays2022 | CILAS - ArianeGroup | CILAS feedback about Capella use
CapellaDays2022 | ThermoFisher - ESI TNO | A method for quantitative evaluati...
CapellaDays2022 | SIEMENS | Expand MBSE into Model-based Production Engineeri...
Gestion applicative des données, un REX du Ministère de l'Éducation Nationale
Simulation with Python and MATLAB® in Capella
From Model-based to Model and Simulation-based Systems Architectures
Connecting Textual Requirements with Capella Models
Sirius Web Advanced : Customize and Extend the Platform
Sirius Web 101 : Create a Modeler With No Code
Sirius Project, Now and In the Future
Visualizing, Analyzing and Optimizing Automotive Architecture Models using Si...
Defining Viewpoints for Ontology-Based DSLs

Recently uploaded (20)

PDF
Electronic commerce courselecture one. Pdf
PDF
Reach Out and Touch Someone: Haptics and Empathic Computing
PDF
Peak of Data & AI Encore- AI for Metadata and Smarter Workflows
PDF
Spectral efficient network and resource selection model in 5G networks
PDF
Modernizing your data center with Dell and AMD
PDF
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
PDF
KodekX | Application Modernization Development
PDF
Diabetes mellitus diagnosis method based random forest with bat algorithm
PDF
Chapter 3 Spatial Domain Image Processing.pdf
PPTX
20250228 LYD VKU AI Blended-Learning.pptx
PDF
NewMind AI Weekly Chronicles - August'25 Week I
PDF
Unlocking AI with Model Context Protocol (MCP)
PDF
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
PDF
NewMind AI Monthly Chronicles - July 2025
PDF
Empathic Computing: Creating Shared Understanding
PDF
Approach and Philosophy of On baking technology
PPTX
VMware vSphere Foundation How to Sell Presentation-Ver1.4-2-14-2024.pptx
PDF
Agricultural_Statistics_at_a_Glance_2022_0.pdf
PPTX
MYSQL Presentation for SQL database connectivity
PDF
Advanced methodologies resolving dimensionality complications for autism neur...
Electronic commerce courselecture one. Pdf
Reach Out and Touch Someone: Haptics and Empathic Computing
Peak of Data & AI Encore- AI for Metadata and Smarter Workflows
Spectral efficient network and resource selection model in 5G networks
Modernizing your data center with Dell and AMD
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
KodekX | Application Modernization Development
Diabetes mellitus diagnosis method based random forest with bat algorithm
Chapter 3 Spatial Domain Image Processing.pdf
20250228 LYD VKU AI Blended-Learning.pptx
NewMind AI Weekly Chronicles - August'25 Week I
Unlocking AI with Model Context Protocol (MCP)
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
NewMind AI Monthly Chronicles - July 2025
Empathic Computing: Creating Shared Understanding
Approach and Philosophy of On baking technology
VMware vSphere Foundation How to Sell Presentation-Ver1.4-2-14-2024.pptx
Agricultural_Statistics_at_a_Glance_2022_0.pdf
MYSQL Presentation for SQL database connectivity
Advanced methodologies resolving dimensionality complications for autism neur...

[SiriusCon 2018] AdvoCATE: An Assurance Case Automation Toolset Based on Eclipse and Sirius

  • 1. AdvoCATE: An Assurance Case Automation Toolset Based on Eclipse and Sirius 4th December, 2018 Ewen Denney & Robbie Henderson (Joint work with Ganesh Pai and Dimo Petroff) NASA Ames Research Center Robust Software Engineering Group ewen.denney@nasa.gov
  • 2. Research Motivation • High-hazard industries are moving to active safety management – Safety management system (SMS) in aviation – Need to • Unify reasoning about technical aspects of safety • Support safety-related decision making • Goals-based regulation is attractive for novel applications – When regulations and performance standards are absent • Unmanned aircraft systems (UAS), Autonomous systems, … – Increases flexibility for regulated entity – Evidence-based assurance  safety case / assurance case 2
  • 3. Safety and Assurance Cases ‘A safety case is a structured argument, supported by a body of evidence, that provides a compelling, comprehensible and valid case that a system is safe for a given application in a given operating environment’ - NASA System Safety Handbook ver. 1 (2014) • Essentially, a safety risk management artifact – Other compatible definitions and guidance on content – Based on application domain, standard, regulatory paradigm, etc. • An assurance case generalizes safety cases to other assurance properties: reliability, security, availability, … 3
  • 4. Risk Control Risk Analysis and Assessment Hazard Effect Severity Likelihood Initial Risk Level Hazard Control Residual Risk Level H1 - Airspace encounter with GA aircraft NMAC / MAC 2 (Haz.) 1 (Cat.) Probable Probable 2B 1B Detect & Avoid Flt. Termination ... 2D 2D H2 – Stall CFIT Safety Risk Management 4 System Analysis Concept of Operations, System/change description, Regulations, … HazID Hazards Operational, functional, … Design target Barrier Modeling – Abstract Safety Architecture Safety Requirements Implementation Mitigations Safety requirements Barrier and Control functions Risk scenarios, design targets, risk evaluation Assurance Rationale (Structured Argument) Evidence Artifacts Design, Analysis, Verification Testing, Assurance claims, strategies, context, rationale, … Operational Safety Assurance (Monitoring and Update) Safety performance measures, monitors, … Operational Evidence Verification of safety performance targets Assumption corroboration Hazard tracking, Precursors, …
  • 5. Example: UAS Safety 5 Combination of operating modes • Visual line of sight (VLOS) • Beyond visual line of sight (BVLOS) • Beyond radio line of sight (BRLOS) Varying access profiles • Operating range • Terminal airspace • Transit (vertical / lateral) Diverse environment • Populated / urban / built-up areas • Uncontrolled / controlled airspace • Low / high density airspace Varying mission concepts • Package delivery • Surveillance • Aerial inspection • Mapping, … Different configurations • Airborne sensors (Lidar, sonar, FPV camera, Radar) • Ground sensors (Radar) • Multiple GCS, Roaming GCS, … Increasing complexity in mission and operations UAS – Unmanned Aerial System (aka drone)
  • 6. UTM: UAS Traffic Management 6
  • 7. Tool Needs • Creation and assessment of assurance cases – Support variety of diagrams and for assurance artifacts representations (graphical, tabular, textual) – Views for diverse stakeholders and use cases – Consistency and navigation between assurance artifacts – Automation workflows – Integration with 3rd party tools • Tool technologies – EMF: model-based assurance – Sirius: graphical editing of industry standard safety notations – Xtext: domain specific languages and querying of safety models – NatTable: table editor for hazard/requirements analysis 7
  • 8. Barrier Modeling • Collection of barrier models providing a risk basis – Collection of all factors affecting risk – Model for risk qualification/quantification 8 Event chain / accident trajectory Barrier compromise/breach Loss of Control State Threats / Causes / Initiating Events or States Accident / Loss / Harmful States or Events Prevention Barriers Recovery Barriers Hazard
  • 9. Bow Tie Diagram (BTD) 9
  • 10. Example: Loss of Separation 10
  • 11. Rationale Capture via Assurance Arguments 11 Chain of reasoning Safety / Dependability Claims Item of Evidence Developed claims Documentation and Details Goal Structuring Notation (GSN)
  • 13. AdvoCATE: Tables • Assurance Case Automation Toolset • Hazard analysis and risk assessment – Conducting hazard identification – Specification of hazard causes and consequences – Assessment of initial and residual risk levels given in terms of probability and severity • Safety and assurance requirements capture 13
  • 14. Hazard Log and Tabular Editor 14
  • 16. AdvoCATE: Arguments and Patterns • Structured argument development – Pattern specification – Automated pattern instantiation • Integration of formal methods and formal tool-based evidence – Hierarchical and Modular organization – Argument queries and views • Metrics 16
  • 18. AdvoCATE: Safety Architectures • Safety architecture development – Composition of multiple bow tie diagrams – Views – Transformations (event and barrier split / merge) • Sequential event split: Loss of safe separation  Loss of “well-clear” separation + NMAC • Parallel event split: MAC  MAC within OR || MAC outside OR • Barrier split: Ground-based surveillance  Radar surveillance + Visual surveillance – Risk computation: event probability along paths 18
  • 19. Safety Architectures 19 Bow Tie Modeling Automated View Extraction
  • 20. AdvoCATE: Traceability • Navigation • Traceability matrices • Maintaining consistency between related artifacts, e.g., between – Entries in the hazard log and the relevant assurance requirements – Arguments and the corresponding requirements, verification artifacts, etc. 20
  • 21. Tracing and Consistency 21 Hazards Safety and Assurance Requirements Assurance Arguments / Rationale Bow Tie Diagrams / Safety Architecture
  • 22. Amalgam Activity Explorer • The Amalgam activity explorer is used in the design of our Safety, Mission Assurance, and Risk management (SMART) dashboard 22
  • 23. Amalgam Activity Explorer • The (SMART) Dashboard allows us to: – Provide a clear and directional workflow towards a completed safety/assurance case 23
  • 24. Amalgam Activity Explorer 24 • For each step we have one EMF model • Dependencies provide some of the workflow, i.e. safety architectures can require “requirements” model components • Necessary components are clearly prompted • Sirius diagrams relevant to the current model are accessible
  • 25. Amalgam Activity Explorer • The (SMART) Dashboard allows us to: – Provide a clear and directional workflow towards a completed safety/assurance case – Provide feedback on the status of assurance activities, and areas that need to be developed further – Provide a naive evaluation of the current system safety 25
  • 26. Amalgam Activity Explorer 26 • Problems with the safety case development are clearly brought to the users attention, with hyperlinking to the problem source
  • 27. Amalgam Activity Explorer • The (SMART) Dashboard allows us to: – Provide a clear and directional workflow towards a completed safety/assurance case – Provide feedback on the status of assurance activities, and areas that need to be developed further – Provide a naive evaluation of the current system safety – In future, provide real-time evaluation of system based on feedback from a live platform 27
  • 28. Activity Explorer Issues • We don’t always have a Sirius “session” – Amalgam works very well when provided a Sirius “session” – Some of our models are entirely developed in a DSL, or NAT Table tabular editor – Initially we created viewpoints for all resources….even when it wasn’t useful – We now manually load resources and open editors by id, and only use the Sirius session for the opening/creation of viewpoints • Debugging is hard! – Issues with activity explorer pages often result in no activity explorer at all, with no logging – help! 28
  • 29. BX of Safety Models • Sirius viewpoints are used extensively, along side various editors, to avoid complex bi- directional transformations of the safety models – The safety architecture of a system can be viewed as a Controlled Event Structure, a single diagram showing the temporal flow of all events – One event in a CES may have a local bow tie, where we only care about the event, its own causes and effects – Through a combination of Xtend model helpers and multiple viewpoints, we managed to merge most models containing similar information and just provide viewpoints where necessary 29
• 30. BX of Safety Models
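The local bow tie of slide 29, worked through as an added example (not AdvoCATE code, and in Python rather than the tool's Java/Xtend): a single Controlled Event Structure is the only model, and the bow tie of one event is computed from it rather than stored separately, so an edit made through the bow tie is already an edit of the CES and no bi-directional transformation is needed. The `timeline` method shows the temporal-flow view of the same model and rejects a cyclic structure. The events, barriers and the `CES`/`BowTie` names are constructed for illustration.

```python
# Added example (not AdvoCATE's code): one Controlled Event Structure (CES) as
# the underlying model; the "local bow tie" of an event is a view over it.
# Because the view holds references to CES edges rather than copies, an edit
# through the bow tie lands directly in the CES (no BX round-trip).
# Event names and barriers below are constructed for illustration.
from dataclasses import dataclass, field
from graphlib import TopologicalSorter, CycleError


@dataclass
class Edge:
    """Temporal link 'src leads to dst', controlled by zero or more barriers."""
    src: str
    dst: str
    barriers: list = field(default_factory=list)


class CES:
    def __init__(self):
        self.edges = []

    def link(self, src, dst, *barriers):
        self.edges.append(Edge(src, dst, list(barriers)))
        return self

    def edge(self, src, dst):
        for e in self.edges:
            if e.src == src and e.dst == dst:
                return e
        raise KeyError(f"no edge {src} -> {dst}")

    def timeline(self):
        """Temporal flow of all events: a topological order of the whole
        structure. A cycle means the CES is not a valid event structure."""
        preds = {}
        for e in self.edges:
            preds.setdefault(e.src, set())
            preds.setdefault(e.dst, set()).add(e.src)
        try:
            return list(TopologicalSorter(preds).static_order())
        except CycleError as err:
            raise ValueError(f"CES is not acyclic: {err.args[-1]}") from err


class BowTie:
    """Local bow tie for one event: its direct causes (left side, preventive
    barriers) and direct effects (right side, mitigative barriers)."""

    def __init__(self, ces, event):
        self.event = event
        self.causes = [e for e in ces.edges if e.dst == event]    # shared Edge objects
        self.effects = [e for e in ces.edges if e.src == event]

    def add_barrier(self, other, barrier):
        """Edit through the view: add a barrier on the edge shared with `other`."""
        for e in self.causes + self.effects:
            if other in (e.src, e.dst):
                e.barriers.append(barrier)
                return e
        raise KeyError(f"{other} is not adjacent to {self.event}")

    def summary(self):
        return {
            "causes": {e.src: list(e.barriers) for e in self.causes},
            "effects": {e.dst: list(e.barriers) for e in self.effects},
        }


def sample_ces():
    """Constructed sample: hazard H1 (airspace encounter) with one cause and
    a chain of two effects, barriers loosely following the risk table."""
    return (CES()
            .link("GA aircraft enters operating area",
                  "Airspace encounter with GA aircraft", "Airspace coordination / NOTAM")
            .link("Airspace encounter with GA aircraft", "NMAC", "Detect & Avoid")
            .link("NMAC", "MAC", "Flight termination"))


if __name__ == "__main__":
    ces = sample_ces()
    print(ces.timeline())
    bt = BowTie(ces, "Airspace encounter with GA aircraft")
    bt.add_barrier("NMAC", "Geofence")           # written straight into the CES
    print(bt.summary())
    print(ces.edge("Airspace encounter with GA aircraft", "NMAC").barriers)
```

The design point is that `BowTie` never copies anything: its `causes` and `effects` lists hold the same `Edge` objects as the CES, which is what makes a second, diagram-specific model (and the transformation to keep it in sync) unnecessary.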
• 31. Sirius Custom Properties Panel
  • Many of AdvoCATE's graphical elements are the product of multiple modelled constructs
    – To handle this, we made use of Sirius custom property panels
    – Model elements, such as hazards, are edited from many locations in AdvoCATE and are viewed in different forms all over the tool
    – One custom property panel is added, giving one uniform editing experience for the combined feature, regardless of what is shown
    – Certain semantic attributes can be shown but not edited, to give the user context while in a particular viewpoint
• 32. Sirius Custom Properties Panel
  (Screenshot labels: Calculated Values – Mitigation of Risk; A Hazard/Event; A Hazard in progress – Event Instance)
• 33. Property Panel Additions
  • Some customizations to the custom properties panel we have implemented:
    – Enum lists: many of our model features are lists of enumerated values
    – Xtext editor widgets (more on that later)
    – Xtext index-query selection boxes for model cross-references
• 34. Xtext
  • All models within AdvoCATE use Xtext resources and the powerful index they provide
  • Extensive cross-referencing between models became cumbersome using pure EMF
  • Integration of Xtext and Sirius has been very smooth, with only minimal customizations to Sirius widgets and some services to take advantage of the Xtext index in diagrams
  • Most of the models we use require an Xtext DSL to keep all users happy, so the extra effort is minimal
• 35. Xtext – Indexing
  • With all models being Xtext resources, we can use the Xtext index as a one-stop repository of safety elements
  • Cross-referencing by loading resources becomes quite cumbersome with large projects
  • We wrap Xtext index queries in services used by our Sirius diagrams, to take advantage of our DSL scope providers
  • Future plans involve the DSL Devkit Scope/Export framework, to let us fine-tune which safety artifacts are relevant and export them to an external repository (large-scale safety case development)
• 36. Xtext – Indexing
  • We create a custom property widget fed by the Xtext scope provider
  • As the DSL is modified, the Sirius properties view is updated automatically: it simply calls our scope provider
  • The relevant EObjects are resolved and the list of choices is populated
• 37. Xtext – Serialized Models
  • One important future feature of AdvoCATE is collaborative safety case development
    – When using pure EMF + Sirius, we found that version control struggled a little…
• 38. Xtext – Serialized Models
  • One way we thought to combat this problem is a combination of:
    – Really good auto-layout (if a little ambitious)
      • We don't necessarily need to version-control the layout if we can produce it automatically and reliably
      • AIRD merge conflicts become huge and impossible to merge; we might not need to track them
    – Serialize the model as a DSL, and parse
      • The models themselves in XMI format can be hard to merge
      • New features cause compatibility problems
• 39. Xtext – Serialized Models
  • By designing a robust Xtext DSL for each model, we can track changes more reliably
    – Git likes DSLs way more than XMI
    – New features or modified metamodels are less likely to break the parser as well, whereas XMI almost always will
    – We can auto-create appropriate Sirius diagrams for our models, and auto-layout them on first opening
  • We're still in the process of finding a solution to our problems, but this fits nicely so far
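An added example (not AdvoCATE's DSL or any Xtext code, and in Python rather than Java) illustrating both the indexing point of slides 35-36 and the serialization point of slides 37-39: a tiny hazard DSL whose text form is canonical (fixed ordering, one fact per line, cross-references by name that are resolved in a link step, as a scope provider would resolve them), so that a change to one element touches only its own lines in a diff. The contrast is with EMF's default XMI URI fragments, which for elements without an ID attribute are positional (`//@hazards.1`) and shift whenever an element is inserted before them. The grammar, sample text and helper names are constructed.

```python
# Added example (not AdvoCATE's DSL): a line-oriented hazard DSL with a
# canonical serialization. References are by name and resolved at link time,
# the check an Xtext scope provider performs; the canonical form keeps a diff
# local to the element that changed. Sample text is constructed.
import difflib
import re
from dataclasses import dataclass, field

HAZARD = re.compile(r'^hazard\s+(\w+)\s+"([^"]*)"\s+severity\s+([1-4])$')
CONTROL = re.compile(r'^control\s+(\w+)\s+"([^"]*)"$')
MITIGATED = re.compile(r'^\s+mitigated by\s+(\w+)$')


@dataclass
class Control:
    id: str
    description: str


@dataclass
class Hazard:
    id: str
    description: str
    severity: int
    controls: list = field(default_factory=list)   # control ids: references by name


@dataclass
class Model:
    controls: dict
    hazards: dict


def parse(text):
    """Parse, then link: every 'mitigated by' must resolve to a declared control."""
    controls, hazards, current = {}, {}, None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if m := CONTROL.match(line):
            cid, desc = m.groups()
            if cid in controls:
                raise ValueError(f"line {lineno}: duplicate control {cid}")
            controls[cid] = Control(cid, desc)
            current = None
        elif m := HAZARD.match(line):
            hid, desc, sev = m.groups()
            if hid in hazards:
                raise ValueError(f"line {lineno}: duplicate hazard {hid}")
            current = hazards[hid] = Hazard(hid, desc, int(sev))
        elif m := MITIGATED.match(line):
            if current is None:
                raise ValueError(f"line {lineno}: 'mitigated by' outside a hazard")
            current.controls.append(m.group(1))
        else:
            raise ValueError(f"line {lineno}: cannot parse {line!r}")
    for h in hazards.values():                       # link step (scope check)
        for cid in h.controls:
            if cid not in controls:
                raise ValueError(f"hazard {h.id}: unresolved control {cid}")
    return Model(controls, hazards)


def serialize(model):
    """Canonical text: controls then hazards, each sorted by id; one fact per line."""
    out = [f'control {c.id} "{c.description}"'
           for c in sorted(model.controls.values(), key=lambda c: c.id)]
    for h in sorted(model.hazards.values(), key=lambda h: h.id):
        out.append(f'hazard {h.id} "{h.description}" severity {h.severity}')
        out.extend(f"  mitigated by {cid}" for cid in sorted(h.controls))
    return "\n".join(out) + "\n"


def diff_counts(before, after):
    """(added, removed) line counts of a unified diff, i.e. what Git would show."""
    diff = difflib.unified_diff(before.splitlines(), after.splitlines(), lineterm="", n=0)
    added = removed = 0
    for line in diff:
        if line.startswith("+") and not line.startswith("+++"):
            added += 1
        elif line.startswith("-") and not line.startswith("---"):
            removed += 1
    return added, removed


def problems(text):
    """First parse/link error as a string, or '' if the text is valid."""
    try:
        parse(text)
    except ValueError as err:
        return str(err)
    return ""


SAMPLE = """\
# constructed sample, loosely following the H1/H2 rows of the risk table
control DAA "Detect & Avoid"
control FTS "Flight termination"
hazard H1 "Airspace encounter with GA aircraft" severity 2
  mitigated by DAA
  mitigated by FTS
hazard H2 "Stall" severity 1
  mitigated by FTS
"""

if __name__ == "__main__":
    model = parse(SAMPLE)
    print(serialize(model), end="")
    grown = parse(SAMPLE + 'hazard H3 "Lost link" severity 3\n  mitigated by FTS\n')
    print(diff_counts(serialize(model), serialize(grown)))
```

Appending a third hazard changes the canonical text by exactly two added lines and nothing else, which is the property to keep in mind when designing a DSL for collaborative, version-controlled safety case development: ordering by id and one fact per line mean a concurrent edit to a different hazard never touches the same lines, and name-based references survive insertions that would renumber positional XMI fragments.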
• 40. Xtext – Direct Edit Xtext Editor
  • In some contexts, complex syntax had to be embedded in our graphical editors
    – Argument patterns are a way to generate a GSN argument from given data and a "pattern" providing the structure
    – Parameters are defined, then embedded in node descriptions to be evaluated at generation time
    – To do so, we designed a DSL to define the pattern and its parameters
    – Great! We get content assist, linking, and all that fun stuff
• 41. Xtext – Direct Edit Xtext Editor
  But wait… what's the structure?
• 42. Xtext – Direct Edit Xtext Editor
  • Clearly, a graphical layout gives a much more manageable view of what the generated result might be
    – We needed a solution that combined the power of the Xtext DSL, for what might become very complex string-building expressions, with the high-level view of a Sirius viewpoint
    – We created a Sirius Direct Edit widget that wraps the Xtext embedded editor
    – Now we have content assist, syntax highlighting, hyperlinking and inline validation, all as part of direct edit
• 43. Xtext – Direct Edit Xtext Editor
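Generation-time evaluation of an argument pattern (slides 40-42), as an added example that is not AdvoCATE's pattern DSL and is written in Python rather than Java: the pattern is a tree of GSN nodes whose descriptions carry `{parameter}` placeholders; a node marked `each` is multiplied over a list-valued parameter, with its loop variable in scope for its whole subtree; and every placeholder is checked against the declared parameters before anything is generated, which is the inline validation the embedded editor gives the pattern author. The `Pattern`/`PatternNode` names, the hazard-directed pattern and the data are constructed.

```python
# Added example (not AdvoCATE's pattern DSL): instantiate a GSN argument from a
# pattern (structure + parameterised node descriptions) and data. Placeholders
# are validated against declared parameters before generation. Constructed.
from dataclasses import dataclass, field
from string import Formatter


@dataclass
class PatternNode:
    id: str
    kind: str                  # Goal | Strategy | Solution | Context
    text: str                  # may contain {param} or {item.attr} placeholders
    each: tuple = None         # (loop_var, list_parameter): multiply this subtree
    children: list = field(default_factory=list)


@dataclass
class Pattern:
    name: str
    parameters: dict           # parameter name -> "str" | "list"
    root: PatternNode


@dataclass
class Node:                    # one node of the generated (concrete) argument
    id: str
    kind: str
    text: str
    parent: str = None


class PatternError(ValueError):
    pass


def placeholders(text):
    """Root names of the placeholders in a description: {hazard.id} -> 'hazard'."""
    return {f.split(".")[0].split("[")[0] for _, f, _, _ in Formatter().parse(text) if f}


def validate(pattern):
    """Every placeholder must be a declared parameter or a loop variable in scope,
    and every `each` must iterate a declared list parameter."""
    def walk(node, in_scope):
        scope = set(in_scope)
        if node.each:
            var, source = node.each
            if pattern.parameters.get(source) != "list":
                raise PatternError(f"{node.id}: 'each' over undeclared list parameter {source!r}")
            scope.add(var)
        unknown = placeholders(node.text) - scope
        if unknown:
            raise PatternError(f"{node.id}: undeclared parameter(s) {sorted(unknown)}")
        for child in node.children:
            walk(child, scope)
    walk(pattern.root, set(pattern.parameters))


def check(pattern):
    """First validation error as a string, or '' if the pattern is well-formed."""
    try:
        validate(pattern)
    except PatternError as err:
        return str(err)
    return ""


def instantiate(pattern, data):
    """Generate the concrete argument: a depth-first list of nodes with parent ids.
    Multiplied nodes get a '.i' suffix that their descendants inherit."""
    validate(pattern)
    missing = set(pattern.parameters) - set(data)
    if missing:
        raise PatternError(f"no value for parameter(s) {sorted(missing)}")
    out = []

    def emit(node, bindings, parent, suffix):
        if node.each:
            var, source = node.each
            for i, item in enumerate(bindings[source], 1):
                emit_one(node, {**bindings, var: item}, parent, f"{suffix}.{i}")
        else:
            emit_one(node, bindings, parent, suffix)

    def emit_one(node, bindings, parent, suffix):
        nid = node.id + suffix
        out.append(Node(nid, node.kind, node.text.format(**bindings), parent))
        for child in node.children:
            emit(child, bindings, nid, suffix)

    emit(pattern.root, dict(data), None, "")
    return out


@dataclass
class HazardData:              # constructed input record
    id: str
    description: str
    control: str


HAZARD_DIRECTED = Pattern(
    name="Hazard-directed argument",
    parameters={"system": "str", "hazards": "list"},
    root=PatternNode("G1", "Goal", "{system} is acceptably safe to operate", children=[
        PatternNode("S1", "Strategy", "Argument over each identified hazard", children=[
            PatternNode("G2", "Goal", "Hazard {hazard.id} ({hazard.description}) is adequately mitigated",
                        each=("hazard", "hazards"), children=[
                PatternNode("Sn1", "Solution", "Evidence that {hazard.control} is effective against {hazard.id}"),
            ]),
        ]),
    ]),
)

SAMPLE_DATA = {
    "system": "UAS survey operation",
    "hazards": [HazardData("H1", "Airspace encounter with GA aircraft", "Detect & Avoid"),
                HazardData("H2", "Stall", "Flight termination")],
}

if __name__ == "__main__":
    for n in instantiate(HAZARD_DIRECTED, SAMPLE_DATA):
        print(f"{n.id:6} {n.kind:9} parent={n.parent!s:6} {n.text}")
```

The `validate` step is what a graphical view alone cannot give: a reference to an undeclared parameter, or an `each` over something that is not a list, is reported against the offending pattern node before a single argument node is generated, so the error stays attached to the pattern rather than surfacing as a half-built argument.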
• 44. Perspectives
  • Ongoing focus on design-time assurance
    – Artifacts and rationale from development, prior to release into service
  • Outlook towards operational assurance through the lifecycle
    – In-service safety performance monitoring
  • Autonomy applications
    – NASA System-wide Safety Project
    – DARPA Assured Autonomy Program
    – Expansion in application domain to spaceflight: initially robotic, eventually human spaceflight
  • Future tool development
    – User-customizable dashboards
    – Query/view language
    – Collaborative development
    – Towards the Cloud …
• 45. We're hiring!
  Looking for software engineers with experience in Eclipse, Sirius, Xtext, NatTable, ...
  Contact: ewen.denney@nasa.gov
• 46. Thanks for listening to Ewen Denney (NASA Ames). Any questions?