GSN and SACM modular assurance cases

  1. Types of GSN relationships between assurance case modules
  2. GSN relationship between elements in two modules
  3. SACM model of assurance case modules and interfaces

Both the GSN Community Standard and OMG SACM specify modular assurance cases, though from different perspectives. The GSN Standard focuses on the logical dependencies between elements in different argument modules. SACM, on the other hand, introduces the concepts of interfaces and bindings in its metamodel. In practice there are no conflicts between the two standards. Both perspectives of modular assurance cases are combined in PREMIS.

The two main characteristic elements defined in these two standards are:

  • Three types of inter-module relationships defined in GSN: away elements, supported by modules and supported by contracts. GSN describes their properties and graphical notation.
  • Interfaces and bindings in the SACM metamodel, which make it possible to describe inter-module relationships technically, in a machine-readable form.

First, we will look at GSN and its three types of relations between elements in different argument modules. They are presented in the diagram:

Types of GSN relationships between assurance case modules
  • Away element – this is simply a link to an element in the supporting module. This type of relationship offers the least control. The supporting element is only referenced in your module. It is not a real element in your module and you cannot modify it. It is fully managed by the owner of the supporting module.
  • Supported by another module – the element in your argument is supported by another element in a supporting module. This is the standard “supported by” relation used in the GSN Standard. It gives some control over the relationship, but there is still no way to verify it.
  • Supported by a contract – a claim in one module is supported by a claim in another module through an intermediary contract. A contract is a reasoning step inside the connection between the bound modules; it requires verifying whether the supporting claim is sufficient to justify the supported claim in its full context. Contracts are always used for claims together with their applicable context. This type of relationship offers full control over the binding.

GSN defines these relationships as occurring directly between elements in different modules. Each relationship is independent of the others. This perspective of independent relationships is characteristic of the GSN Standard. An example is presented in the diagram below.

GSN relationship between elements in two modules

The representation of relationships in SACM is a bit more complex. SACM defines an argument metamodel that allows any type of relationship between modules to be defined. To do this effectively, SACM introduces two concepts:

  • An interface is a collection of argument elements that are exposed to other modules (known as ‘packages’ in SACM) in order to establish relationships. This is an important property of SACM – you can expose an argument element on an interface to allow argument developers of other assurance case modules to refer to it.
  • A binding is a SACM relation between elements exposed in different interfaces. The SACM metamodel is flexible and it enables the binding to model any of the three types of intermodule relations specified by the GSN Standard.

The diagram below presents a simplified view of the SACM representation of relationships between argument modules. Interfaces belong to argument modules and contain references to their elements (citations in SACM terminology). Bindings connect elements from different interfaces.

SACM model of assurance case modules and interfaces

In order to implement the GSN modules fully in SACM, we have extended the SACM metamodel with additional attributes to assign interface types. Interfaces are divided into ‘provided’ and ‘required’ interfaces. Provided interfaces are used to publish argument elements that support other modules. Required interfaces contain argument elements that must be supported by other modules. These are further divided into three types: away elements, elements supported by a module, and elements supported by a contract. The consequence is that different types of GSN relationships cannot be mixed in one interface.
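As an added illustration, not code from PREMIS or from the SACM specification, the following Python sketch models the provided/required interface structure described above and checks that a binding is well-formed (required side bound to a provided side, different modules, both elements cited on their interfaces, and context present for contract bindings). Class and attribute names are this example's own simplification, not SACM metamodel names.

```python
from dataclasses import dataclass, field
from enum import Enum

# Interface types from the extension described above. An interface has exactly one
# kind, so different GSN relationship types cannot be mixed in one interface.
class Kind(Enum):
    PROVIDED = "provided"
    AWAY = "required: away element"
    MODULE = "required: supported by module"
    CONTRACT = "required: supported by contract"

@dataclass
class Citation:              # reference from an interface to an element of its module
    element_id: str
    is_claim: bool = True
    context: tuple = ()      # ids of the context elements applicable to a claim

@dataclass
class Interface:
    module: str              # owning module ('package' in SACM terms)
    kind: Kind
    citations: list = field(default_factory=list)

@dataclass
class Binding:               # relation between elements on two interfaces
    required: Interface      # side whose element needs support
    provided: Interface      # side that publishes the supporting element
    req_id: str
    prov_id: str

def check_binding(b: Binding) -> list:
    """Return the list of well-formedness problems; an empty list means the binding is valid."""
    problems = []
    if b.required.kind is Kind.PROVIDED:
        problems.append("supported side must be a required interface")
    if b.provided.kind is not Kind.PROVIDED:
        problems.append("supporting side must be a provided interface")
    if b.required.module == b.provided.module:
        problems.append("a binding must connect two different modules")
    req = next((c for c in b.required.citations if c.element_id == b.req_id), None)
    prov = next((c for c in b.provided.citations if c.element_id == b.prov_id), None)
    if req is None or prov is None:
        problems.append("both elements must be exposed (cited) on their interfaces")
        return problems
    if b.required.kind is Kind.CONTRACT:
        # a contract binds claims together with their applicable context
        if not (req.is_claim and prov.is_claim):
            problems.append("contract binding must connect two claims")
        if not req.context:
            problems.append("contract binding needs the supported claim's context")
    return problems
```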

You can browse a sample modular argument in PREMIS. The GSN relationships are shown in the user interface, with the SACM model underneath.