Slide 1: CAE – Next generation and Building Blocks
ASCE User Forum, 03 June 2015
Presented by: Dr Kate Netkachova
Adelard LLP, Exmouth House, 3–11 Pine Street, London EC1R 0JH
T +44 20 7832 5850  F +44 20 7832 5853  E office@adelard.com  W www.adelard.com
Slide 2: Outline
© ADELARD LLP
- New trends and general concept
- CAE stack of resources
- Collection of basic blocks
- Composite blocks
- Templates, fragments
- Tool support
Slide 3: Claims, arguments, evidence (CAE)
“a documented body of evidence that provides a convincing and valid argument that a system is adequately safe for a given application in a given environment”
Slide 4: Security-informed safety cases
Table headings: Security consideration | Impact on the case structure | Some observations
- Supply chain integrity.
- Malicious events post deployment.
- Design changes to address user interactions, training, configuration, vulnerabilities.
- Additional functional requirements that implement security controls.
- Possible exploitation of the device/service to attack itself or others.
- Justification of safety which specifically takes into account the impact of security.
Slide 5: Levels of abstraction
- L0 Policy and requirements: the highest level of abstraction, at which the system is represented by its requirements and the safety and security policies, and their interaction, are defined;
- L1 Architectural layer: the intermediate level, at which the abstract system components and architecture are analysed;
- L2 Implementation layer: the detailed level, at which the implementation of specific components and their integration within the specific system architecture are scrutinised.
Slide 6: Development of the Blocks approach [figure]
Slide 7: Schematic of the CAE stack [figure]
Slide 8: Instantiating an assurance case [figure]
Slide 9: 5 Building Blocks
- Decomposition: partition some aspect of the claim
- Substitution: refine a claim about an object into a claim about an equivalent object
- Evidence incorporation: evidence directly supports the claim
- Concretion: some aspect of the claim is given a more precise definition
- Calculation or proof: some value of the claim can be computed or proved
Slide 10: General structure of the block
CAE blocks are a series of archetypal argument fragments. They are based on the CAE normal form, with further simplification and enhancements.
Slide 11: Decomposition block – example of a single object decomposition [figure]
Slide 12: Examples of single decomposition [figure]
Slide 13: Substitution block
This block is used to claim that if a property holds for one object, then it holds for an equivalent object. The nature of this ‘equivalence’ will vary with the object and property and will need to be defined. Two variants: object substitution and property substitution.
Slide 14: Examples of substitution [figure]
- Product substitution
- Generalised: product type substitution
Slide 15: Evidence incorporation
This block is used to incorporate evidence elements into the case. A typical application of this block is at the edge of a case tree, where a claim is shown to be directly satisfied by its supporting evidence.
Slide 16: Example of evidence incorporation [figure]
Test report directly shows that there are 25 successful tests.
Slide 17: Concretion
This block is used when a claim needs to be given a more precise definition or interpretation. The top claim P(X, Cn, En), i.e. property P of object X in configuration Cn and environment En, can be replaced with a more precise or better-defined claim P1(X1, Cn, En).
Slide 18: Examples of concretion [figure]
- Property concretion
- Environment concretion
Slide 19: Calculation
This block is used to claim that the value of a property of a system can be computed from the values of related properties of other objects. Formally: show that the value b of property P(X, b, E, C), for system X in environment E and configuration C, can be calculated from the values of those related properties.
Slide 20: Example of calculation [figure]
Slide 21: ‘Helping hand’ – guidance on selecting blocks [figure]
Slide 22: Composite blocks
Example of a composite block and its expansion to show the underlying basic blocks [figure]:
- Substitution + Decomposition
- Concretion + Decomposition
- Any basic block + Evidence incorporation
Slide 23: Fragments/Templates
[Figure: test-based template. Labels: Test Harness; M(X1), M(C) / X1, C; Oracle; Test Cases; True / False; Alternative resolution: True / False]
Slide 24: CAE normal form
Example of a claim structure before and after normal form [figure]. The rules:
- Claim nodes may only be connected to argument nodes
- Argument nodes may only be connected to claim and evidence nodes
- Each argument node may only have one outbound link to a claim node
- Each claim is to be supported by only one argument
- Argument nodes must be supported by at least one subclaim or evidence node
- Evidence nodes represent the bottom of the safety argument and are not supported
- A claim, subclaim or evidence may support more than one argument
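The five building blocks (slide 9) and the normal-form rules on this slide can be modelled as operations on a small graph, which makes the rules mechanically checkable. The Python below is an added example written for this page; it is not Adelard's ASCE tool, Blocks plugin or schema. The `Case` class, the node ids (C0, E1, ...) and the claim, warrant and evidence texts are constructed for illustration, in the spirit of the security-informed safety case on slide 4. It builds a conforming case with one instance of each block, then the common shortcut of wiring evidence straight to a claim with no argument node, which the checker reports.

```python
"""Added example (not Adelard/ASCE code): a toy CAE case graph with the five
building blocks as constructors and a checker for the CAE normal-form rules.
All claim, warrant and evidence texts below are constructed for illustration."""
from collections import defaultdict

CLAIM, ARGUMENT, EVIDENCE = "claim", "argument", "evidence"


class Case:
    """Nodes are claims, arguments or evidence; a link (s, t) means s supports t."""

    def __init__(self):
        self.kinds = {}    # node id -> CLAIM / ARGUMENT / EVIDENCE
        self.text = {}     # node id -> statement shown on the node
        self.links = set()

    def node(self, kind, nid, text):
        self.kinds[nid], self.text[nid] = kind, text
        return nid

    def link(self, supporter, supported):
        self.links.add((supporter, supported))

    def _block(self, name, claim, premises, side_warrant):
        # Every block yields one argument node that supports exactly one claim
        # and is itself supported by the block's subclaims and/or evidence.
        arg = self.node(ARGUMENT, f"{name}:{claim}", side_warrant)
        self.link(arg, claim)
        for p in premises:
            self.link(p, arg)
        return arg

    def decomposition(self, claim, subclaims, warrant):          # partition the claim
        return self._block("decomp", claim, subclaims, warrant)

    def substitution(self, claim, equivalent_claim, warrant):    # same property, equivalent object
        return self._block("subst", claim, [equivalent_claim], warrant)

    def concretion(self, claim, precise_claim, warrant):         # more precise wording of the claim
        return self._block("concr", claim, [precise_claim], warrant)

    def calculation(self, claim, input_claims, warrant):         # value computed from other values
        return self._block("calc", claim, input_claims, warrant)

    def evidence_incorporation(self, claim, evidence, warrant):  # leaf: evidence meets the claim
        return self._block("evid", claim, evidence, warrant)


def normal_form_violations(case):
    """List every breach of the slide's normal-form rules; [] means the case conforms."""
    out, inn = defaultdict(list), defaultdict(list)
    for s, t in case.links:
        out[s].append(case.kinds[t])
        inn[t].append(case.kinds[s])
    bad = []
    for nid, kind in case.kinds.items():
        if kind == CLAIM:
            if any(k != ARGUMENT for k in out[nid] + inn[nid]):
                bad.append(f"{nid}: claim connected to a non-argument node")
            if len(inn[nid]) > 1:
                bad.append(f"{nid}: claim supported by more than one argument")
        elif kind == ARGUMENT:
            if ARGUMENT in out[nid] + inn[nid]:
                bad.append(f"{nid}: argument connected to another argument")
            if out[nid] != [CLAIM]:  # exactly one outbound link, and it must go to a claim
                bad.append(f"{nid}: argument must support exactly one claim")
            if not inn[nid]:
                bad.append(f"{nid}: argument has no subclaim or evidence")
        else:
            if inn[nid]:
                bad.append(f"{nid}: evidence is the bottom of the case and is not supported")
            if any(k != ARGUMENT for k in out[nid]):
                bad.append(f"{nid}: evidence may only support arguments")
    return bad


def undeveloped_claims(case):
    """Claims with no supporting argument yet: where the next block goes."""
    supported = {t for _, t in case.links}
    return sorted(n for n, k in case.kinds.items() if k == CLAIM and n not in supported)


def build_case(evidence_straight_to_claim=False):
    """A small security-informed safety case using all five blocks (constructed texts)."""
    c = Case()
    top = c.node(CLAIM, "C0", "Device X is adequately safe in environment E, taking security into account")
    c1 = c.node(CLAIM, "C1", "Residual risk of X is below the target rate")
    c2 = c.node(CLAIM, "C2", "Supply chain integrity of X's software is assured")
    c3 = c.node(CLAIM, "C3", "Malicious events after deployment cannot defeat the safety function")
    c.decomposition(top, [c1, c2, c3], "Safety and security concerns partitioned; partition argued complete")
    # Concretion: 'integrity' given a precise, checkable meaning
    c21 = c.node(CLAIM, "C2.1", "Each installed image is vendor-signed and the signature is verified before execution")
    c.concretion(c2, c21, "Signed-and-verified images are the agreed interpretation of integrity here")
    e1 = c.node(EVIDENCE, "E1", "Test report: 25 successful secure-boot tests")
    if evidence_straight_to_claim:
        c.link(e1, c21)   # the common shortcut: evidence wired to the claim with no argument node
    else:
        c.evidence_incorporation(c21, [e1], "Report covers every image variant that ships")
    # Substitution: property established for the product type carried over to the deployed unit
    c31 = c.node(CLAIM, "C3.1", "Product type T withstands the post-deployment threat model")
    c.substitution(c3, c31, "X is an instance of type T in a configuration covered by the type test")
    # Calculation: overall rate computed from per-hazard rates
    h1 = c.node(CLAIM, "H1", "Hazard H1 rate is below 5e-7/h")
    h2 = c.node(CLAIM, "H2", "Hazard H2 rate is below 4e-7/h")
    c.calculation(c1, [h1, h2], "Hazards are disjoint, so the residual rate is the sum, below 1e-6/h")
    return c


if __name__ == "__main__":
    good, bad = build_case(), build_case(evidence_straight_to_claim=True)
    print("conforming case:", normal_form_violations(good) or "normal form OK")
    print("still to develop:", undeveloped_claims(good))
    print("shortcut case:", normal_form_violations(bad))
```

`undeveloped_claims` is deliberately not a normal-form check: the rules permit a claim with no argument yet, so it reports where the case tree still ends on a claim rather than on evidence (the place for an evidence-incorporation block). The shortcut variant produces two findings, one on the claim and one on the evidence node, because the rules are stated per node type and the direct link breaks both.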
Slide 25: Positive outcome
1. Standardised way of creating cases
2. Simple patterns, easy to use
3. Structured vs narrative argument
4. Explicit backing for the argument/side-warrant
5. Explicit links to system models, etc.
6. Prototype tool support
Slide 26: Tool support – enable the Blocks plugin [screenshot]
Slide 27: Tool support – use the Blocks schema [screenshot]
Slide 28: Tool support – add/edit block [screenshot]
Slide 29: Tool support – use the plugin [screenshot]