% chapter_3.tex
\chapter{Safety and assurance}
\label{chap:safety}
In this chapter, we start with a basic definition of safety to set the context. Next, we delve into (safety) assurance cases and how they are structured. Finally, we review a representation method for assurance cases called Goal Structuring Notation (GSN).
\section{Definitions}
\subsection{Safety}
Safety is defined in ISO 26262 \cite{organization2018iso} as:
\begin{quotation}
Absence of unreasonable risk.
\end{quotation}
An unreasonable risk is defined in the same standard as \cite{organization2018iso}:
\begin{quotation}
Risk judged to be unacceptable in a certain context according to valid societal moral concepts.
\end{quotation}
Various safety standards have been developed for different industries and activities. Some examples are ISO 26262 for the functional safety of road vehicles, DO-178C for the aerospace industry, ISO 8124 for the safety of toys, and ISO 7164 for healthcare organization management.
\subsection{Assurance}
Assurance is defined in ISO 15026 as \cite{iso15026-1-2019}
\begin{quotation}
Grounds for justified confidence that a claim has been or will be achieved.
\end{quotation}
Assurance is, therefore, the grounds on which the users of a system can rely on its functionality. It is especially important for complex systems, such as those built on ML, to give assurance to the users before they start using them. The level of this assurance is closely related to the level of dependence or trust required from the users' side. Adequate evidence and arguments need to be present to justify the safety and reliability of the system. The basis for this justification is achieved by reducing uncertainty in measurements, observations, estimations, predictions, information, inferences or the effects of unknowns \cite{iso15026-1-2019}.
\section{Safety Assurance Case}
Assurance cases have been successfully used in various industries to specify an argument as to why a system can be safely used for a specific application in a specific context \cite{Ashmore2021}.
A recent definition of a safety assurance case is given in \cite{Bloomfield2010} as
\begin{displayquote}[][]
"A structured argument, supported by a body of evidence, that provides a compelling, comprehensible and valid case that a system is safe for a given application in a given environment"
\end{displayquote}
A structured argument is a \cite{Omg2010}:
\begin{displayquote}[][]
"connected series of statements or reasons intended to establish a position...; a process of reasoning."
\end{displayquote}
Reasons used in a structured argument can be considered as premises in logical terms and a conclusion can be drawn based on them \cite{Omg2010}.
% A safety assurance case \textcolor{red}{(Assurance case in short)} justifies safety of a system by bringing a valid argument that a set of claims are justified, given that a set of assumptions are fulfilled \cite{Burton}.
The purpose of using an assurance case is to communicate a clear, comprehensive, defensible argument that a system is safe to be used in a particular context \cite{gsn2004Kelly}. Assurance cases consist of five basic components: claims, arguments, evidence, justifications and assumptions. The most common use of assurance cases is to give assurance about a system's functionality and properties to parties that were not involved in the process of developing the system \cite{iso15026-1-2019}.
Assurance cases are used to explicate and support reasoning, albeit in a subjective manner, especially when compared with logical proofs, which establish an absolute truth. In other words, assurance cases are useful because the full range of a system's properties is not always representable in a logical formalization. Also, assurance cases may sometimes be disproved because the underlying logical theory used in them turns out not to be relevant \cite{iso15026-1-2019}.
Since assurance cases are artefacts, they inherit the quality-related properties of artefacts, such as the structure of their content, semantic features such as completeness, and their creation and maintenance. The conclusions of an assurance case should also be stated clearly, with a clear level of uncertainty \cite{iso15026-1-2019}.
% \textcolor{red}{more from 15020 about assurance cases?}
\section{Goal Structuring Notation}
When the safety assurance case is more complex in nature, a textual representation struggles to express the case in a clear and understandable way. Figure \ref{fig:text-case} shows an example of such a problem, where the English structure of the argument is hard to follow. Multiple cross references are especially difficult to capture in text \cite{gsn2004Kelly}.
\begin{figure}
\centering
\includegraphics[width=0.5\linewidth]{figures/textual_case.png}
\caption{Problems associated with textual representation \cite{gsn2004Kelly}.}
\label{fig:text-case}
\end{figure}
The Goal Structuring Notation (GSN) is a graphical notation for safety argumentation. A GSN specification explicitly represents the elements of a safety argument and the relationships among these elements: for example, how requirements are supported by claims, how claims are supported by evidence, and the context in which the case is made \cite{gsn2004Kelly}. Figure \ref{fig:gsn} depicts the basic building blocks of a GSN with example instances of each element.
\begin{figure}
\centering
\includegraphics[width=0.5\linewidth]{figures/gsn.png}
\caption{Basic elements of a GSN \cite{gsn2004Kelly}.}
\label{fig:gsn}
\end{figure}
\section{An example of GSN}
The goal structure is used to show how goals (claims about the system) are split into sub-goals successively until each sub-goal can be directly supported by available evidence. Figure \ref{fig:gsn-example} represents an example of a GSN.
\begin{figure}
\centering
\includegraphics[width=0.9\linewidth]{figures/gsn-example.png}
\caption{An example of a goal structure \cite{gsn2004Kelly}.}
\label{fig:gsn-example}
\end{figure}
In this example, "Control System (C/S) logic is fault free." is the single top-level goal. The main goal is then divided into two sub-goals through strategies $S1$ and $S2$. These two strategies are in turn supported by five sub-goals, $G2$--$G4$ and $G8$--$G9$. In a goal structure, there is a stage at which the sub-goals can be directly supported by solutions. In this example, sub-goals $G8$--$G9$ are supported by $Sn3$--$Sn4$, and there is no need to break down the goals further in this branch \cite{gsn2004Kelly}.
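The goal structure described above can be treated as a small graph and checked mechanically: every "supported by" link must respect the GSN element rules (goals are supported by goals, strategies or solutions; strategies only by goals; solutions are leaves), and any goal with no support is an undeveloped branch that still needs decomposition or evidence. The following is an added example, not code from this thesis or from the GSN paper it cites; it encodes the elements named in the text ($G1$, $S1$, $S2$, $G2$--$G4$, $G8$--$G9$, $Sn3$--$Sn4$). Only the wording of $G1$ comes from the text; the descriptions of all other nodes, and the reading that $G2$--$G4$ are left undeveloped, are constructed placeholders for illustration.

```python
"""Structural checks over a GSN goal structure (added example).

The node texts other than G1's are constructed placeholders; the element
ids follow the goal structure described in the chapter.
"""
from dataclasses import dataclass, field
from typing import Dict, List

GOAL, STRATEGY, SOLUTION = "Goal", "Strategy", "Solution"

# Permitted targets of a "supported by" link, per element kind (basic GSN rules).
ALLOWED_SUPPORT = {
    GOAL: {GOAL, STRATEGY, SOLUTION},
    STRATEGY: {GOAL},
    SOLUTION: set(),  # solutions (evidence) are always leaves
}


@dataclass
class Node:
    id: str
    kind: str
    text: str
    supported_by: List[str] = field(default_factory=list)


def build_example() -> Dict[str, Node]:
    """The goal structure from the text; placeholder wording except for G1."""
    nodes = [
        Node("G1", GOAL, "Control System (C/S) logic is fault free.", ["S1", "S2"]),
        Node("S1", STRATEGY, "Argument over each identified hazard (placeholder)", ["G2", "G3", "G4"]),
        Node("S2", STRATEGY, "Argument over the development process (placeholder)", ["G8", "G9"]),
        Node("G2", GOAL, "Hazard H1 is mitigated (placeholder)"),
        Node("G3", GOAL, "Hazard H2 is mitigated (placeholder)"),
        Node("G4", GOAL, "Hazard H3 is mitigated (placeholder)"),
        Node("G8", GOAL, "Code has been statically analysed (placeholder)", ["Sn3"]),
        Node("G9", GOAL, "Unit tests reach required coverage (placeholder)", ["Sn4"]),
        Node("Sn3", SOLUTION, "Static analysis report (placeholder)"),
        Node("Sn4", SOLUTION, "Test coverage report (placeholder)"),
    ]
    return {n.id: n for n in nodes}


def structural_errors(nodes: Dict[str, Node]) -> List[str]:
    """Dangling references and links that violate the GSN support rules."""
    errors = []
    for n in nodes.values():
        for child in n.supported_by:
            if child not in nodes:
                errors.append(f"{n.id} references unknown element {child}")
            elif nodes[child].kind not in ALLOWED_SUPPORT[n.kind]:
                errors.append(f"{n.kind} {n.id} may not be supported by {nodes[child].kind} {child}")
    return errors


def undeveloped(nodes: Dict[str, Node]) -> List[str]:
    """Goals and strategies with no supporting element: branches still to be argued."""
    return sorted(n.id for n in nodes.values() if n.kind != SOLUTION and not n.supported_by)


def evidence_for(nodes: Dict[str, Node], root: str) -> List[str]:
    """Solutions reachable from `root`: the evidence that ultimately backs that claim."""
    seen, stack, found = set(), [root], set()
    while stack:
        cur = stack.pop()
        if cur in seen:
            continue
        seen.add(cur)
        if nodes[cur].kind == SOLUTION:
            found.add(cur)
        stack.extend(nodes[cur].supported_by)
    return sorted(found)


def unreachable_from(nodes: Dict[str, Node], root: str) -> List[str]:
    """Elements not connected to the top goal (orphaned fragments of the case)."""
    seen, stack = set(), [root]
    while stack:
        cur = stack.pop()
        if cur in seen:
            continue
        seen.add(cur)
        stack.extend(nodes[cur].supported_by)
    return sorted(set(nodes) - seen)


if __name__ == "__main__":
    gsn = build_example()
    print("structural errors:", structural_errors(gsn))
    print("undeveloped:", undeveloped(gsn))
    print("evidence for G1:", evidence_for(gsn, "G1"))
    print("unreachable:", unreachable_from(gsn, "G1"))
```

Run on the example structure, the checks report no rule violations, list $G2$, $G3$ and $G4$ as undeveloped, and trace $G1$ back to the two solutions $Sn3$ and $Sn4$; reversing a link so that a solution "supports" a strategy is flagged as a rule violation. A reviewer of a large case would run exactly this kind of check before reading the argument itself.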
% \textcolor{red}{write about CAE(Claims Arguments Evidence)}
\section{Trends in safety research}
Safety assurance should constantly evolve and adapt to the new paradigms in industry. With advent of Industry 4.0, new risks and challengers arise in workspace and occupational safety. Safety 4.0 is a response to these new challenges \cite{Laciok2021}. There is a growing number of research projects on using the recent advances in ML technologies to enhance safety, some of which is referred to as "safety informatics \cite{Wang2019}". In addition, 5G technology has raised concerns about the long term health consequences. Critiques are collecting evidence that 5G may result in skin cancer and the millimeter wave radiation can ultimately affect the nervous system \cite{Russel2018}. Unmanned Aerial Vehicles (UAV), or commonly known as drones, are rapidly spreading in industrial usage and thus their safety and privacy challenges are of interest \cite{Aydin2019}.