Visualizing Safety Cases – Tim Kelly on GSN (Goal Structuring Notation)
Tim Kelly, a developer of GSN (Goal Structuring Notation) at the University of York, talks about the origin of GSN, its benefits, which industries are adopting it, and its future. Interviewed by Michael Jesse Chonoles.
What is GSN and what is it for?
Hello. I am Michael Chonoles, and I am here at the OMG meeting in Long Beach, California. I’m here to interview Tim Kelly, one of the developers of GSN.
Hello. So what is GSN and what does it stand for? And what problems does it solve?
OK, GSN stands for “Goal Structuring Notation”. And it is a graphical argument notation that allows you to visually represent the elements of an argument, the individual claims, assumptions you are making and the strategies that have been used right down to the evidence that supports your argument.
The problem it’s trying to solve is – historically, that would have been done for things like safety and security by writing narrative reports, so you would write out your arguments and justifications in text. That is okay sometimes, but a lot of people complain that they couldn’t see the structure of the argument very clearly, couldn’t see individual claims or assumptions. And it’s often very hard for them to trace from the claims being made right down to the evidence that was actually being used. So it’s hard for people to discern.
So it helps you organize your arguments with evidence.
Inspired by Stephen Toulmin
So who are the people who came up with GSN? and what caused them to think of it?
The team comes from the University of York. We have a high integrity systems engineering group, and a group of us came up with it. The original inspirations were, first of all, very early argumentation, so that was a guy called Stephen Toulmin, who talked about how to structure informal arguments, so we used that as one of our sources. And at the same time, in the early 90’s, we started to develop GSN; there was a little work on goal-based requirements engineering. So what you see in GSN is, if you like, a very productive fusing of the work on argumentation with the philosophy of goal-based requirements engineering. That’s how GSN came about.
GSN users are increasing all around the world
So what industries have been picking up GSN?
Really a whole variety of different industries – in fact it’s growing every day. I keep finding new examples. So it’s been used for aerospace, medical devices, chemical plants and offshore gas platforms. A whole variety. Railways – some of their safety cases are represented in GSN. Increasingly all around the world as well.
And it came from the UK, and it’s now got applications you can find all over, like the UK-US Joint Strike Fighter, which has a GSN-based safety case.
If you arrive at London Heathrow Terminal 5 and move around the terminals with the personal rapid transit system, that has a GSN safety case, and even some of our really old aircraft in the UK, like the Battle of Britain Memorial Flight, that apparently has a GSN safety case as well.
So the number of uses is really huge and of wide variety.
So I’m likely to have used the system or a device that GSN was involved in making. Often you would have come across one.
How GSN is changing the industries – the benefits it gives?
How does GSN change the current industries? Do the users really feel that it’s an improvement for them?
Yes, I have been working on it for 20 years, and if you go right back to the beginning, the whole idea of using graphics for representing these arguments was quite foreign to people – they didn’t recognize it. So one of the well-known things GSN has done is just to roll that into mainstream safety case arguments.
I can say people are really using it to share where they wouldn’t have done before. Now what’s the benefit? The kind of things that engineering folks would say... the benefit is things like comprehension, so easier understanding of their arguments and reducing the time it takes for them to agree the arguments. Often safety cases have to be written by one group of people and accepted by another group of people. So what you want is the cleanest, most efficient way of communicating.
So the regulators seem to understand and have adopted it?
Yes. Quite a few examples of regulators that encouraged it as an approach, because it makes their life easier when they’re given safety cases that have this clear structure; it is easier for them to follow.
Yes, I understand that the US’s FDA started to look at it.
Yes. There are examples just since they started asking for assurance cases. There are examples where people use GSN to structure those in a clear way that helps them – they only have a limited amount of time to review those safety cases.
What’s the vision of GSN – where is it going to go?
So what’s your vision for where it’s going to go?
Well, if you like, the core concept of GSN is pretty stable. As I mentioned, it’s been around for about 20 years. Even some of the extensions that I’ve been involved in, Mike Patton’s – modular GSN – those are 10 years or 15 years old as well. So the kind of things we are looking at at York to extend it are what we call “model-based assurance cases”: how we can automatically link GSN-based arguments with other kinds of system models – things like SysML or AADL – and directly link the GSN arguments into the different forms of modeling and, in some cases, automatically generating the arguments from other models. System models that are analysis that they can be performed.
Yeah, I know the SysML committee has been thinking about using GSN for two purposes. One is to verify that they’ve met their safety requirements, but also to justify design decisions – why they pick this part versus that part, two competitors – you always have to document that way. Using GSN sort of seems very powerful.
Yes. Could be!
Thank you for your time, it’s been wonderful. We will see each other again I’m sure.
Michael Jesse Chonoles
Analysis and Design Task Force co-Chair at Object Management Group. An author of UML 2 for Dummies.