In the safety critical systems industry, the adoption of Machine Learning (ML) remains slow due to the lack of trust and regulation. As part of the Confiance.ai program, the Institute for Technological Research (IRT) SystemX and its partners (ONERA, IRT Saint Exupéry, Thales AVS) seek to address this issue by supporting all the development phases of systems involving Artificial Intelligence (AI) with dedicated methods, libraries, and tools. This effort covers in particular the Verification and Validation (V&V) of such systems, to address the specific challenges raised by AI.
Assurance Cases to support V&V
In order to support a rational definition of the V&V process for an AI system, the Confiance.ai program investigates the use of Assurance Cases, a method to build structured and auditable arguments that justify claims about the system. High-level claims regarding some expected property of the system (e.g. “the system is robust”) are iteratively refined into lower-level claims until they become easily provable or are consensually deemed true. This approach is recommended by IEEE (ISO/IEC/IEEE 15026-2:2022 “Systems and software engineering – Systems and software assurance – Part 2: Assurance case”) and ISO standards (ISO 26262: “Road vehicles – Functional safety”).
Capella, as a systems engineering workbench, provides support for the usual development phases of such systems thanks to the Arcadia method, but it does not have out-of-the-box support for a V&V approach based on Assurance Cases.
Introducing the Capella Assurance Cases Extension
IRT SystemX has asked Obeo to develop a Capella extension to add tool support for the Assurance Cases approach to the V&V phase.
The modular and extensible architecture of Capella and its underlying technologies allow any custom extension to seamlessly enhance both the data model and the user interface with custom domain-specific data and UI elements. This extensibility makes Capella a great target for the implementation of any novel approach to systems engineering.
With this custom-made extension, Capella users now have dedicated tooling for the following system design activities:
-
In the Operational Analysis layer of Capella (where system designers specify “what the users of the system need to accomplish”), users may specify a set of properties of interest that represent the requirements about the Exchange Items flowing through Operational Activities.
-
These properties are expressed using rich text thanks to a WYSIWYG rich text editor. Properties may be expressed by combining other properties, and for such cases the content assist (aka autocompletion) allows the user to easily cross-reference other existing properties.
-
Users may additionally define a set of glossaries containing definitions for the various domain-specific terms used to build the argumentation (e.g. claims, contexts, assumptions, etc.). Once again, the content assist allows the user to easily define additional terms using existing terms.
-
These properties may be combined textually to form conditions held by the Operational Activities, ultimately representing a form of contract for these activities.
-
The argumentation demonstrating the satisfaction of these properties is formalized using the Goal Structuring Notation (GSN). This specification proposes a graphical notation to represent the elements of an argumentation (requirements, claims, evidence and context) as well as the relationships between those elements (e.g. that depending on some context, some evidences may not be necessary, or on the contrary, additional evidences may be required). With this notation, goals (i.e. claims about the system) are successively broken down into sub-goals, possibly through different strategies or in different contexts (e.g. about the system scope or the assumed operational role) until claims can be supported by available evidences.
-
Once the model has been enhanced with these concerns, users may generate a docx-compliant documentation about the Exchange Items of the system, the properties they carry and the argumentation used to support these properties.
Once this extension developed and tested, came time to deploy the extension internally. IRT SystemX relies on Cloud for Capella to easily manage their Capella setup. As a result, deploying this extension to all internal users was painless. Only the systems administrator needed to perform the installation. The extension was then directly available to all users seamlessly.
“The Assurance Cases viewpoint, a Capella add-on developed by Obeo, is a key component of our strategy for integrating AI components into safety-critical systems. Obeo's skillful integration of Assurance Cases into Capella's framework provides us with the capability to specify intricate properties of engineering items, formalize argumentation using the Goal Structuring Notation (GSN) standard, and capture V&V alternatives. The seamless deployment via Cloud for Capella also made the transition smooth and efficient for our team. Working with Obeo on our project has definitely been a thoroughly positive experience.”
Eric Jenn – IRT Saint-Exupéry
For more details about the approach of IRT SystemX to the V&V phase using Assurance Cases, check out the paper submitted to the Embedded Real Time Systems 2024 conference entitled “Assurance Cases to face the complexity of ML-based systems verification”.