Goal Structuring Notation and Claim Trees

Printer-friendly versionPrinter-friendly versionPDF versionPDF version

1.1. Goal Structuring Notation and Claim Trees

1.1.1. Description and Purpose

1.1.1.1.

Goal Structuring Notation (GSN) and Claim Trees are two similar techniques used to present an explanation of how the available evidence can be interpreted to indicate the achievement of a top-level claim or assertion, for example that a system is tolerably safe and delivers sound environmental performance. Whilst similar, each technique has its own symbols (or Notation), and Claim Trees can be thought of as a simplified version of GSN.

1.1.1.2.

The techniques have developed from academic work on the nature of reasoning. They show how satisfaction of a top-level “Goal” (or “Claim”) is supported by arguments and evidence at progressively more detailed levels. A Safety Argument is “a logically stated and convincingly demonstrated reason why safety requirements are met.” Similarly the Environmental Argument is "a logically stated and convincingly demonstrated reason why environmental requirements are met". 

1.1.1.3.

GSN and Claim Trees provide graphical methods to present Safety and Environmental arguments explicitly rather than relying on detailed textual descriptions which are often incomplete, unclear or contain implicit assumptions. Each technique presents the arguments visually in a logical way, providing interested parties with a clear representation of how the arguments have been constructed to meet the top-level Goal (Claim).

1.1.1.4.

GSN and Claim Trees both have similar elements, including:

  • Goals for, or Claims about, a property of the system or a sub-system
  • Evidence that supports the specific Goal (Claim). These can be either facts (e.g. based on established scientific principles and prior research), assumptions or sub-claims derived from a lower-level sub-argument
  • Arguments linking the Evidence to the Claim, and these may be of several different types, in the following general order of merit:
    • Deterministic (e.g. formal proof, repeatably measurable attribute)
    • Probabilistic (e.g. based on statistical analysis to provide an estimate of a probabilistic parameter such as Reliability, with associated confidence level)
    • Review (e.g. independent review, supported by metrics demonstrating the effectiveness of the review process)
    • Qualitative / Indirect (e.g. process followed, staff competence)

1.1.1.5.

A safety or environmental argument provides the link between documented evidence and the Goal (claim) it is intended to satisfy. The arguments comprise both statements, in the form of assumptions, justifications and strategies to provide the intermediate explanatory steps that describe the approach of the argument adopted and its relevance to the Goal (Claim). As such, Arguments provide the rationale for progression through the levels of the diagram, and ultimately to the Top Level Goal (Claim).

1.1.1.6.

The main symbols used in GSN diagrams are:

1.1.1.7.

Goals, Assumptions, and Justification statements should be single unambiguous statements consisting of a noun phrase (subject) followed by a verb phrase (a statement which is either true or false). For example, “Component A has no critical failure modes”.

1.1.1.8.

The diagrams should require little supporting documentation apart from references contained within the contextual boxes (to remove ambiguities), assumptions, and justifications.

1.1.1.9.

Claims Trees and GSN diagrams are constructed either:

  • Top-down, identifying the top-level Goal (Claim) of the argument and decomposing this into sub-goals (sub-Claims) for which evidence can be provided;
  • Or bottom-up, where evidence exists which has to be structured in such a way to demonstrate achievement of a top-level Goal (Claim).

1.1.1.10.

Claim Trees and GSN diagrams are often constructed for complex systems composed of several distinct systems each with their own discrete Safety and Environmental Requirements and Safety and Environmental Cases. The interactions between the systems should be documented within the associated GSN or claim tree, for example by use of an assumption or within the safety and/or environmental argument by looking at the safe and/or environmentally sound operation of System A, given that System B is in a certain configuration.

1.1.1.11.

GSN or Claim Trees can be used within any Safety and/or Environmental Case to present a clearly defined argument for the safe use of any system or equipment and it delivers sound environmental performance. However, it is not the only method of achieving this and therefore Safety and/or Environmental Cases using other approaches should not necessarily be regarded as improper or inferior.

1.1.2. When It Might be Used

1.1.2.1.

For a new Project, GSN or Claim Tree diagrams should be developed early, to identify the approach for Safety and Environmental Assurance and the evidence which is to be developed, in order to support a sound Safety and Environmental Case. The Safety and Environmental Plan should then show what activities are to be done to populate the GSN or Claim Tree with the necessary evidence of Safety and Environmental Protection.

1.1.2.2.

The GSN or Claim Tree diagrams should be refined to progressively more detailed levels as the system design develops and good evidence becomes available. Where the Claims were supported by Assumptions early in the project life-cycle, Safety and Environmental Assurance activities such as testing and analysis should be used to replace Assumptions with evidence.

1.1.2.3.

If evidence is produced that contradicts the Safety and/or the Environmental Claim, then the GSN or Claim Tree can highlight the shortfall and the need for remedial action.

1.1.2.4.

An example of a GSN is shown below:

1.1.3. Advantages, Disadvantages, and Limitations to The Defence Sector or The Particular Domain

1.1.3.1.

Advantages

  • GSN, Claim Trees and similar approaches make explicit the reasoning behind Safety and Environmental Cases. They therefore make it easier for stakeholders to check the Safety and Environmental Cases.
  • For complex arguments, GSN and Claim Tree diagrams can break down the argument into manageable sections and provide clear comprehension to all interested parties of how the safety and environmental arguments have been constructed to meet the top-level claim.
  • GSN and Claim Trees can also support Project Management activities by allowing clear monitoring of progress towards the successful completion of a Safety and/or Environmental Case.
  • The technique promotes consistency and improved comprehension of arguments, and allows analysis of complex system interdependencies.
  • Software Tools exist to support the GSN and Claim Tree techniques. These range from simple drawing packages to sophisticated products that can organise Safety Case documentation, link to Hazard Analysis tools and automatically generate documents and summary reports.
  • The technique can be particularly useful for the introduction of an untried concept into a well established system.

1.1.3.2.

Disadvantages and Warnings

  • The use of the GSN and Claim Tree technique might give an unrealistic impression of rigour if poorly applied. As with any top-down process, it is more difficult to identify omissions to the argument than to review the content of the presented argument. Stakeholders must still examine the Goals (Claims), together with supporting Arguments and Evidence, although the technique will facilitate this review process.
  • The Top Level Goal (Claim) must be stated clearly and contain the correct concepts to define it. The basis for Goals (Claims) should be unambiguous, and presented as positive statements of objectives to be achieved, not requirements or aspirations.
  • Oversimplification of Goals can reduce the scope and usefulness of the presented argument e.g. “System X is acceptably Safe” is less powerful than “System X is acceptably Safe to operate within Operating Concept Y”.
  • Goals often contain ‘context’ information e.g. “Operating Concept Y” in the previous paragraph. To prevent any misinterpretation all ‘context’ information must be supported by a ‘Context’ statement/reference to the associated information.
  • Care must be taken in construction of the GSN (Claim Tree) to avoid prematurely associating a Goal (Claim) with evidence without clearly showing the relationship. e.g. Goal of ‘Defence in Depth’ associated with claim of ‘System Design Validation’.
  • Evidence must be pertinent to the argument.
1.1.4. Sources of Additional Information

1.1.4.1.

A list of additional information (e.g., Standards, textbooks, and websites) includes but is not limited to:

1.1.5. GSN Example

1.1.5.1.

The example below illustrates a part of a safety argument, which argues that System X is acceptable safe to operate within operating Concept Y because all identified hazards have been eliminated or sufficiently mitigated.

GSN

1.2. Version Control

1.2.0.1.

Version 3.0 to 3.1 Uplift

Amendment to the guidance to include reference to Environmental Protection. 

 

Version 2.3 to 3.0 Uplift

Major uplift from the Acquisition System Guidance (ASG) to online version. 

More like this