Assurance Via Model Transformations and Their Hierarchical Refinement

Zinovy Diskin, Tom Maibaum, Alan Wassyng, Stephen Wynn-Williams, Mark Lawford
McMaster University, McMaster Centre for Software Certification, Hamilton, Canada
{diskinz,maibaum,wassyng,wynnwisj,lawford}@mcmaster.ca

ABSTRACT

Assurance is a demonstration that a complex system (such as a car or a communication network) possesses an important property, such as safety or security, with a high level of confidence. In contrast to currently dominant approaches to building assurance cases, which are focused on goal structuring and/or logical inference, we propose considering assurance as a model transformation (MT) enterprise: saying that a system possesses an assured property amounts to saying that a particular assurance view of the system, comprising the assurance data, satisfies acceptance criteria posed as assurance constraints. While the MT realizing this view is very complex, we show that it can be decomposed into elementary MTs via a hierarchy of refinement steps. The transformations at the bottom level are ordinary MTs that can be executed for data specifying the system, thus providing the assurance data to be checked against the assurance constraints. In this way, assurance amounts to traversing the hierarchy from the top to the bottom and assuring the correctness of each MT in the path. Our approach has a precise mathematical foundation (rooted in process algebra and category theory) — a necessity if we are to model precisely and then analyze our assurance cases. We discuss the practical applicability of the approach, and argue that it has several advantages over existing approaches.

KEYWORDS

Assurance case, Model transformation, Block diagram, Decomposition, Substitution

ACM Reference Format:
Zinovy Diskin, Tom Maibaum, Alan Wassyng, Stephen Wynn-Williams, Mark Lawford. 2018. Assurance via model transformations and their hierarchical refinement. In Proceedings of ACM Models conference (MODELS'18). ACM, New York, NY, USA, Article 4, 11 pages. https://doi.org/10.475/123_4

Permission to make digital or hard copies of part or all of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for third-party components of this work must be honored. For all other uses, contact the owner/author(s).
MODELS'18, Oct 2018, Copenhagen, Denmark. © 2018 Copyright held by the owner/author(s). ACM ISBN 123-4567-24-567/08/06. https://doi.org/10.475/123_4

1 INTRODUCTION

We understand assurance to be a demonstration that a complex system such as a car or a communication network possesses an important complex property such as safety or security with a sufficiently high level of confidence. We then write $S \models P_{assr}$, where $S$ stands for the system and $P_{assr}$ for the property; we say $S$ satisfies $P_{assr}$ or $P_{assr}$ holds for $S$. A technically more accurate formulation would say that $S$ satisfies $P_{assr}$ with acceptably high confidence if the system is used as intended. Exploiting the idiom of a system of systems for complex systems, we can say that assurance is about property-of-properties of system-of-systems.

A standard (and perhaps the only) practical engineering way to manage complexity is decomposition of the problem into subproblems; these subproblems are then themselves decomposed and so on, until a set of "atomic" problems whose solution is known is reached. The solution to the subproblems is then combined in a pre-determined way to solve the original problem. Different realizations of this idea for different contexts and in different terms are abundant in engineering, science, mathematics, and everyday life. Not surprisingly, the decomposition idea is heavily employed for building assurance cases (ACs) — documents aimed at demonstrating $S \models P_{assr}$, which are written by the manufacturer of $S$ and assessed by certifying bodies¹. Building ACs based on decomposition is now supported by several notations and tools, primarily Goal-Structuring Notation (GSN) and the Claims-Arguments-Evidence notation (CAE). These methods and tools [1, 29] are becoming a de facto standard in safety assurance.

¹ The latter can be an independent agency or a group of experts at the manufacturer disjoint from the AC writers.

The combination of two ideas — delegating the assurance argument to the manufacturer and the decomposition approach outlined above — gave rise to the growing popularity of ACs, which have lately emerged as a widely-used technique for assurance justification and assessment (see, e.g., surveys [3, 25] on safety cases). While we do believe in the power of both ideas, we think that the way of leveraging decomposition for assurance in GSN and CAE diagrams is confusing for two reasons. First, users of these notations typically intermix two decomposition hierarchies: functional/goal decomposition and logical decomposition, i.e., inference [5]. Second, data and dataflow, which we will show are crucially important for assurance, are left implicit in GSN/CAE diagrams. While keeping dataflow implicit may (arguably) be acceptable for documenting design activities, it is definitely not acceptable in assurance and essentially diminishes the value of GSN/CAE-based assurance cases.

We propose another decomposition mechanism based on model transformations. The idea is based on three observations 1-3) described below.

1) We notice that saying $S \models P_{assr}$ means that data about the system relevant for assurance, $D^S_{assr}$, satisfy some relevant constraints, $C_{assr}$; that is, we define $S \models P_{assr}$ to be the statement $D^S_{assr} \models C_{assr}$, where $\models$ can be read as either satisfies or conforms to – a phrasing often used in the context when properties are seen as constraints. To simplify notation, below we will omit the superscript $S$ if it is clear from the context. Importantly, data $D_{assr}$ are to be computed from "raw" data about the system $D_0$ (think of physical parameters of a car, or technical parameters of a network) rather than being given immediately: $D_{assr} = f_{assr}(D_0)$, where $f_{assr}$ refers to an assurance function that inputs the raw system data and returns assurance data. Thus, the top assurance claim $S \models P_{assr}$ is rewritten as a data conformance statement $f_{assr}(D_0) \models C_{assr}$.

2) Next we notice a principal distinction between a definition and an execution of a function, which is important for assurance. Function $f_{assr}$ can be seen as an execution of a model transformation (MT) definition $F_{assr}$ for data $D_0$, i.e., $f_{assr}(D_0) = F^{exe}_{assr}(D_0)$. Also, MTs are defined over metamodels and can even be specified as mappings $F_{assr}: M_0 \to M_{assr}$ (see [9]), where $M_0$ and $M_{assr}$ are metamodels for, respectively, system data and assurance data. Thus assurance can be seen as a special view of the system, where $F_{assr}$ is the view definition and $f_{assr}(D_0)$ is the view execution. Below we will often call transformation $F_{assr}$ an assurance view. Moreover, as metamodels typically include constraints, we can include assurance constraints $C_{assr}$ in $M_{assr}$ and thus reformulate the assurance problem $S \models P_{assr}$ as a typical MT problem: does the result of a transformation satisfy some predefined constraints encoded in the target metamodel?

The workflow described above is specified in Fig. 1 as a block diagram, whose nodes, shaped as directed rectangles, refer to processes/functions and rounded rectangles refer to (meta)data; as usual, data consist of a structure of data items that conforms to the metamodel (think of a data graph typed over the type graph so that the constraints are satisfied).

Figure 1: MTBA Architecture of Assurance. (Block diagram; node labels recoverable from the extraction: System Data (data items conforming to Metamodel $M_0$); Assr. view definition $F_{assr}: M_0 \to M_{assr}$, hierarchically decomposed; Exe($F_{assr}$); Assr. Data (data items conforming to Metamodel $M_{assr}$ with $C_{assr}$); Exe($\models$); Design; Conclusion.)

[...] procedure whose assurance is not problematic. Thus, assurance can be viewed as establishing the correctness of a complex model transformation via its hierarchical decomposition – hence, the title of the paper. We will refer to the framework outlined above as Model-Transformation Based Assurance (MTBA).

Our plan for the paper is as follows. In the next section, we present an overall view of MTBA, and based on it, explain the content of the technical part of the paper (Sect. 3, 4 and 5). Sect. 6 is a discussion of the possible practical applicability of MTBA. Sect. 7 is Related and Future work, and Sect. 8 concludes.

2 MTBA IN A NUTSHELL

Many assurance techniques rely on requirement decomposition: the high-level assurance requirements for the system are decomposed into the corresponding requirements for subsystems and further on until we reach the level of elementary components. (E.g., in safety assurance, these high-level requirements are called safety goals; in privacy protection, standardized NIST controls; and in security, the set of system level requirements is specified in the Protection Profile, a document identifying security requirements for a class of security devices.) The decomposition is mainly based on design patterns and supported by mathematical models so that the assurance argument can be close to formal, if the mathematical complexity is manageable, or is supplemented by testing and/or model checking and similar techniques otherwise. We will refer to this part as inferential assurance (IA).

Yet, however successfully we manage to decompose each system level goal, the system goals must themselves be validated to ensure that they are suitable (e.g., complete) — indeed, any formal procedure begins with assumptions taken for granted (cf. axioms of ancient Greeks). The only way to "prove" such assumptions is to rely on observational or experimental techniques. Indeed, an assurance case must have all assumptions validated through experimental evidence: no loose ends! Often, this experimental justification is validated by previous experience and expert opinion, but the use of
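The reformulation in observations 1) and 2) of the Introduction, $S \models P_{assr}$ read as $f_{assr}(D_0) \models C_{assr}$ with $f_{assr}$ the execution of a transformation $F_{assr}$ that is itself decomposed into elementary MTs, is easy to make concrete on a small network example (the "technical parameters of a network" the paper mentions). The following Python block is an added illustration, not code from the paper or its authors: the metamodels, the two elementary MTs, their local correctness checks, the constraints and the sample system are all assumptions made for the example. The point it shows is the separation of the three things the paper insists on keeping distinct: the MT definition (the functions), its execution on data (calling them on $D_0$), and the conformance check of the produced assurance data against $C_{assr}$, with each elementary MT on the path assured by its own postcondition rather than trusted blindly.

```python
# Added example, not from the paper: a toy instance of the MTBA reformulation
# S |= P_assr  ==>  f_assr(D0) |= C_assr, with f_assr built from elementary MTs.
# Every class, function, constraint and data value below is an assumption.
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, Tuple

# Assumed classification of protocols that carry credentials/data in the clear.
CLEARTEXT = frozenset({"telnet", "http", "ftp"})


# M0: metamodel of the "raw" system data D0 (here: hosts, services, perimeter rules)
@dataclass(frozen=True)
class Service:
    host: str
    port: int
    protocol: str


@dataclass(frozen=True)
class RawSystemData:
    services: Tuple[Service, ...]
    # perimeter firewall: (host, port) pairs admitted from outside
    external_allow: FrozenSet[Tuple[str, int]]


# M_assr: metamodel of the assurance data D_assr ...
@dataclass(frozen=True)
class AssuranceData:
    exposed: Tuple[Service, ...]            # services reachable from outside
    cleartext_exposed: Tuple[Service, ...]  # the subset using a cleartext protocol


# ... together with the assurance constraints C_assr, encoded as predicates over
# M_assr (the "constraints encoded in the target metamodel" of observation 2).
Constraint = Callable[[AssuranceData], bool]
C_ASSR: Dict[str, Constraint] = {
    "no_cleartext_on_perimeter": lambda d: len(d.cleartext_exposed) == 0,
    "perimeter_exposure_bounded": lambda d: len(d.exposed) <= 2,
}


# Elementary MT definitions F1 and F2.  Each is paired with a local correctness
# check (a postcondition relating input to output) so that the MT itself, not
# only its output, is assured when the decomposition is traversed.
def mt_exposed(d0: RawSystemData) -> Tuple[Service, ...]:
    """F1: raw data -> externally reachable services (applies the firewall)."""
    return tuple(s for s in d0.services if (s.host, s.port) in d0.external_allow)


def check_mt_exposed(d0: RawSystemData, out: Tuple[Service, ...]) -> bool:
    expected = {s for s in d0.services if (s.host, s.port) in d0.external_allow}
    return set(out) == expected


def mt_cleartext(exposed: Tuple[Service, ...]) -> Tuple[Service, ...]:
    """F2: exposed services -> those using a cleartext protocol."""
    return tuple(s for s in exposed if s.protocol in CLEARTEXT)


def check_mt_cleartext(exposed: Tuple[Service, ...], out: Tuple[Service, ...]) -> bool:
    return set(out) <= set(exposed) and all(s.protocol in CLEARTEXT for s in out)


def assure(d0: RawSystemData):
    """Execute F_assr = F2 o F1 step by step (the view execution f_assr(D0)),
    assuring each elementary MT on the path, then check D_assr |= C_assr.
    Returns (per-MT correctness verdicts, per-constraint verdicts)."""
    exposed = mt_exposed(d0)
    cleartext = mt_cleartext(exposed)
    mt_verdicts = {
        "mt_exposed": check_mt_exposed(d0, exposed),
        "mt_cleartext": check_mt_cleartext(exposed, cleartext),
    }
    d_assr = AssuranceData(exposed=exposed, cleartext_exposed=cleartext)
    constraint_verdicts = {name: c(d_assr) for name, c in C_ASSR.items()}
    return mt_verdicts, constraint_verdicts


def system_satisfies_p_assr(d0: RawSystemData) -> bool:
    """S |= P_assr holds only if every MT on the path is correct and D_assr |= C_assr."""
    mt_verdicts, constraint_verdicts = assure(d0)
    return all(mt_verdicts.values()) and all(constraint_verdicts.values())


# Constructed sample D0: a gateway running SSH and telnet, a web server, a database.
D0 = RawSystemData(
    services=(
        Service("gw", 22, "ssh"),
        Service("gw", 23, "telnet"),
        Service("web", 443, "https"),
        Service("db", 5432, "postgres"),
    ),
    external_allow=frozenset({("gw", 22), ("gw", 23), ("web", 443)}),
)
# The same system after the perimeter rule admitting telnet is removed.
D0_FIXED = RawSystemData(
    services=D0.services,
    external_allow=frozenset({("gw", 22), ("web", 443)}),
)

if __name__ == "__main__":
    for name, d0 in (("D0", D0), ("D0_FIXED", D0_FIXED)):
        print(name, assure(d0), system_satisfies_p_assr(d0))
```

On the constructed `D0` both constraints fail (telnet is reachable and three services are exposed) even though both elementary MTs pass their postconditions; on `D0_FIXED` everything holds. That split is what the block diagram of Fig. 1 makes explicit: a failed claim can come either from incorrect assurance data (an MT on the path is wrong) or from correct assurance data that simply does not conform to $C_{assr}$, and an assessor needs to see which.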
