Skip to content

Visualizing Safety Cases – Tim Kelly on GSN (Goal Structuring Notation)


Tim Kelly, a developer of GSN (Goal Structuring Notation) at University of York talks about the origin of GSN, benefits, which industries that are adopting GSN and the future of GSN – interviewed by Michael Jesse Chonoles.


AYM What is GSN and what is it for?


Michael

Michael

Hello. I am Michael Chonoles, and I am here at OMG meeting in Long Beach, California. I’m here to interview Tim Kelly, one of the developers of GSN.
Hello. So what is GSN and what does it stand for? and what problems does it solve?

 

Tim

Tim

GSN

An Example Goal Structure

OK, GSN stands for “Goal Structuring Notation”. And it is a graphical argument notation that allows you to visually represent the elements of an argument, the individual claims, assumptions you are making and the strategies that have been used right down to the evidence that supports your argument.

The problem it’s trying to solve is – the historically that would have been done for things like safety and security by writing narrative reports, so you would write out your arguments and justifications in text. That is okay sometimes but a lot of people complain that we couldn’t see the structure of the argument very clearly, couldn’t see individual claims or assumptions. And it’s often very hard for them to trace from the claims been made right down to the evidences that were actually been used. so its hard for people to discern.

 

Michael

Michael

So it helps you organize your arguments with evidence.

 

Tim

Tim

 

Yes.

 


AYM Inspired by Stephen Tulmin – 


Michael

Michael

 

So who are the people who came up with GSN? and what caused them to think of it?

 

Tim

Tim

Stephen Toulmin

Stephen Toulmin

The team comes from the university of York. We have a group of high integrity systems engineering group and a group of us that came up with it. The original inspirations were, first of all very early argumentations so that was a guy called Stephen Toulmin who talked about how to structure informal arguments,

so we used that as one our sources and at the same time in the early 90’s we started to develop GSN that was a little work on goal based requirements engineering so what you see in GSN is, if you like to be very productive fusing the work of argumentation with philosophy of goal based requirements engineering that’s how GSN came about.

 


AYM GSN users are increasing all around the world 


Michael

Michael

 

So what industries have been picking up GSN?

 

Tim

Tim

PRT_heathlow

Personal rapid transit system at London Heathrow

Really a whole variety of different industries – in fact it’s growing every day. I keep finding new examples. So it’s been used for aerospace, medical devices, chemical plants and offshore gas platforms. A whole variety. Railways – some of their safety cases
are represented in GSN. Increasingly all around the world as well.
And it came from UK, and its now got applications you can find all over like UK-US joint strike fighter that has a GSN-based safety case.

If you arrive at London Heathrow Terminal 5 and moved around the terminals with the personal rapid transit system, that has a GSN safety case and even some of our really old air craft in UK, like Attila Britain memorial flight that apparently has a GSN safety case as well.
So the number of uses are really huge and wide-variety.

Michael

Michael

 

So I’m likely to have used the system or a device that GSN was involved in making. Often you would have come across one.

 

Tim

Tim

 

Yes.

 


AYM How GSN is changing the industries – the benefits it gives?


Michael

Michael


How does GSN change the current industries?
Do the users really feel that its improvement for them?

 

Tim

Tim

Yes, I have been working on it for 20 years and if you go right back to the beginning the whole idea of using graphics for representing these arguments was quite foreign to people – they didn’t recognize it so well-known things GSN has done is just roll that into main stream safety case arguments.

I can say people are really using it to share where they wouldn’t have done before. Now what’s the benefit? The kind of things that engineering folks would say..the benefit is things like comprehension, so easier understanding of their arguments and reducing the time it takes for them to agree the arguments. Often safety cases have to be written by one group of people and accepted by another group of people. So what you want is the cleanest, most efficient way of communicating.

Michael

Michael

 

So the regulators seem to understand and adopted it?

 

Tim

Tim

Yes. Quite a few examples of regulators that encouraged it as an approach because it makes their life easier when their given safety cases that have this clear structure, is easier for them to follow.

 

Michael

Michael

 

Yes, I understand that US’s FDA started to look at it.

 

Tim

Tim

 

Yes. just there are examples since they started asking for assurance cases. There are examples where people use GSN to structure those in a clear way that helps them – they only have limited amount of time to review those safety cases.

 


AYM What’s the vision of GSN – where is it going to go?


Michael

Michael

 

So what’s your vision for where it’s going to go?

 

Tim

Tim

Well, if you like the core concept of GSN, is pretty stable. As I mentioned, it’s been around for about 20 years even some of the extensions that I’ve been involved in Mike Patton’s – modular GSN those are 10 years or 15 years old as well. so the kind of things we are looking at York to extend it as we call “model-based assurance cases” how we can automatically link GSN-based arguments with other kind of system models – things like SysML or AADL and directly link the GSN arguments into the different form of modeling and some cases, automatically generating the arguments from other models. System models that are analysis that they can be performed.

Michael

Michael

 

Yea, I know the SysML committee has been thinking about using GSN for two purposes. One is to verify that they’ve met their safety requirements but also to justify design decisions – why they pick this part versus that part two competitors – you always have to document that way using GSN sort of seems very powerful.

 

Tim

Tim

 

Yes. Could be!

 

Michael

Michael

 

Thank you for your time, it’s been wonderful. We will see each other again I’m sure.

 


Tim

Tim Kelly
Professor of High Integrity Systems within the Department of Computer Science at the University of York – Read more on his website

 

Michael

 

Michael Jesse Chonoles
Analysis and Design Task Force co-Chair at Object Management Group. An author of UML 2 for Dummies. Read more on his LinkedIn profile

Advertisements

2 Comments »

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: