Answers to Problems
Abstract This section presents answers to the problems set at the end of each chapter (except for Chaps. 1, 15 and 16; no problems were set therein). Note that in most cases there is no single right answer; an answer is presented below with discussion pointing to other ways of doing things. No external references are made from this section; if a reference is needed it is made from the chapter in which the problem was set.
Answers to the Problems of Chapter 2
The problem asks which, if any, of the given statements could be used as a claim in a Top Goal, i.e. as the basis of an argument. It also asked if any of the others can be reworded such that they can be claimed.
1. “Our Quality Management System is ISO 9001:2008 compliant” is a claim that could be used un-modified as a Top Goal. ISO 9001:2008 is an International Standard for Quality Management Systems; many companies make this claim, but I have yet to see one use GSN to support it.
2. “My Business Plan is complete and ready for review by the Board”: At first sight, this looks to be two claims, but that is quite valid. There is nothing to stop your Top Goal claiming that both A and B are True. In this particular case, however, the Business Plan may well be ready for review by the Board, but it will not be complete until that review is finished, you have put in the changes for which they inevitably asked, and you have formally issued the document for use. “My Business Plan is ready for review by the Board” would be better. I expand on this claim in Chap. 5.
3. “This burial site is probably that of Rædwald, King of the East Angles”: A valid claim, but it makes you look uncertain of your case. This statement may well be the final outcome of the debate; however, it would be better to start your debate with a positive assertion, “This burial site is that of Rædwald, King of the East Angles”.
J. Spriggs, GSN—The Goal Structuring Notation, DOI: 10.1007/978-1-4471-2312-5, © Springer-Verlag London Limited 2012
4. “This painting should be attributed to Albrecht Dürer”: again, a valid claim. You could be more assertive, “Albrecht Dürer painted this”, but the form of the claim also depends on the purpose of the argument. If you are cataloguing a collection, and have an opinion about the Unknown Artist label given to one of the pictures, use the “should be attributed to” form but, if you found the canvas in your attic and you are trying to sell it, go for the assertive form.
5. “This equipment fulfils the essential requirements of the RTTE Directive” is a valid claim that would normally only be made in a situation where it is known what the RTTE Directive is but, even so, it is better to expand the abbreviation on first use. Alternatively you could identify the directive by number, but it is still not crystal clear (Chap. 3 contains a means of making it clearer). Alternative expressions of the claim are, “This equipment fulfils the essential requirements of the Radio & Telecommunications Terminal Equipment Directive” or “This equipment fulfils the essential requirements of European Directive 1999/5/EC, known as the RTTE Directive”.
6. “Beryllia is a carcinogen”: Yes, good one; succinct. This is another example where you may need to add information to explain what a carcinogen is—or Beryllia for that matter. What can you assume about what your audience knows? It is difficult for experts from different domains to have a meaningful exchange of ideas because they tend to use different vocabulary, or use the same word to mean different things. You need to be aware of the vocabulary of your intended audience. Are you presenting your argument to inorganic chemists, or to the general public? You will need to expand or contract your descriptions accordingly, but do not put extra information in the Goal; it goes in a new symbol, see Chap. 3.
7. “Hazard Identification and Risk Assessment”: It is not unusual to find this one in a system safety argument, but it is not a claim. It is not valid as a Goal. If you find a Goal like this, ask the author what they meant. It may be helpful to suggest an appropriate re-wording; this can show that you have missed the point completely and prompt the author to strive for clarity. They may have meant to claim that, “Hazard Identification and Risk Assessment was done and documented”, or “Hazard Identification and Risk Assessment showed that the risk is tolerable”, or a host of other things.
8. “Assurance is provided that safety requirements raised on the software are valid”: Well, it is a claim, but a bit “round the houses”. Presumably, in this case the author will provide an argument assuring us that the requirements are valid. He, or she, will not be providing an argument showing that someone else has already provided assurance that the requirements are valid. We can thus delete the preamble, “Assurance is provided that”. Also, note the ambiguity due to the missing article, the claim is “requirements are valid”, not “the requirements are valid”. It could thus be interpreted to mean that only some of them are valid; surely, we want all of them to be valid. A better claim would therefore be, “The safety requirements raised on the software are valid”. This is still a bit strange, one would normally speak of software safety requirements; so the claim could be succinctly stated as, “The software safety requirements are valid”. Half the number of words, but a lot clearer. Note that a similar claim of software safety requirement validity is the subject of a problem set in Chap. 7, “The software safety requirements correctly state what is necessary and sufficient to achieve tolerable safety, in the system context”.
9. “The GSN Symbol for a Goal is a rectangle”: Yes indeed, but could you argue about it? This is really a definition, rather than a claim. I consider what to do with definitions in Chap. 3. Or, is it a fact, an axiom, or a self-evident truth? I deal with those in Chap. 7.
10. “The colour of the sky” is not a claim. It could be made a claim by choosing an actual colour, “The sky is blue”. Even now, this is not a good start for an argument; sky colour is not an invariant, it is different for night and day, for example. It is different in different places; it depends on the weather, and so on. By the time you have finished preparing your argument the sky may have turned grey. Think carefully: what is it that you want to argue, who is it that you want to persuade, and why? Once you have answers to these questions you will be well on the way to expressing a good Top Goal, “The daytime sky seen from the surface of Mars on a clear day is yellow–brown”, for example.
Answers to the Problems of Chapter 3
1. If this were a real example, I would have changed the claim to, “Preventative Maintenance Procedure PMP5 is fit for purpose” and would have provided more detail as to what “keeping the power supply running” actually means. But that was not the question; using the information provided, Fig. A.1 is a potential solution. I could have split the left-hand Context into two; one to specify what PMP5 is and the other to say where to find it. Of course, in some environments, “PMP5” may be sufficient reference, making it unnecessary to state where it is documented. Note the Context specifying the factory power supply; this is building on the definition of purpose, rather than the claim itself, but it is shown linked to the Goal, not the Context. Context does not have context of its own (unless it is an external document referenced in the Context itself). It may have been clearer to combine this pair into one Context. In this solution, I have assumed that the references specify versions, issue states, etc. If they did not, I would add a Context to say, for example, “This argument is for PMP5 Issue 2 as applied to Power Supply build-state 7.2”.
• Note that this last problem is not as contrived as it may seem. It is not unknown for preventative maintenance procedures to be changed, or dropped altogether, by people who do not know what the purpose of the procedure was. I have also encountered the converse; I was told of a procedure that was being regularly carried out to check a piece of equipment that was only there in case of an incident with some machinery that was no longer in service (in fact no longer there).
2. This solution is very similar in concept to the previous one; in this case, allegedly, the Butler did It, so we need to specify both Butler and It, see Fig. A.2. Note that I have taken the fictional case reference and emphasized it to form a “tag”. If you have a set of small arguments, such tagging makes it easier to find the one you want.
PMP5 is fit for purpose
PMP5 is a preventative maintenance procedure, documented in <reference>
The purpose of PMP5 is to keep the factory power supply running
The factory power supply is specified in <reference>
Fig. A.1 Potential solution to Problem 3.1
The Butler Did It
The Butler in question is that of Lord Symondsbury, Adams
The Butler is accused of stealing silver belonging to Lord Symondsbury
Case Reference 2011/537
Fig. A.2 Potential solution to Problem 3.2
Answers to the Problems of Chapter 4
1. The expected conclusion is that vinegar is an acid, as shown in Fig. A.3.
2. As well as a Context to present the fletchings definition given in the question, I have added one to explain tumbling, see Fig. A.4.
3. Note that, in Fig. A.5, I have included a defining Context for clarity.
Vinegar is an acid
Litmus paper goes red in vinegar
Litmus paper goes red in acid
Fig. A.3 Potential solution to Problem 4.1
Fletched arrows fly without tumbling
Aerodynamic forces on the fletchings of an arrow in flight act to prevent it tumbling
An object is prone to tumbling when in flight
Tumbling is rotation about any axis other than the direction of travel
Fletchings are the fins attached near the back of an archery arrow
Fig. A.4 Potential solution to Problem 4.2
Adelle is Estelle’s granddaughter
Celine is Estelle’s daughter
Adelle is Celine’s daughter
A person’s granddaughter is the daughter of their child
Fig. A.5 Potential solution to Problem 4.3
Answers to the Problems of Chapter 5
1. From the names, this appears to be a French family so, in Fig. A.6, I have phrased my claims in the French manner, rather than using apostrophes.
2. I revert back to using apostrophes in Fig. A.7, in line with the phrasing of the Goal re-used from Chap. 4. These two examples show that there is more than one way of constructing an argument; we should strive to examine the alternatives and pick the most compelling or the clearest for use.
Gabrielle is the great aunt of Adelle
Gabrielle is the aunt of Celine
Celine is the mother of Adelle
A person’s great aunt is sister of their grandparent or the wife of their grandparent’s brother, i.e. a parent’s aunt
Gabrielle is the wife of Frederic
Frederic is the brother of Estelle
Estelle is the mother of Celine
Fig. A.6 Potential solution to Problem 5.1
Gabrielle is the great aunt of Adelle
A person’s great aunt is sister of their grandparent or the wife of their grandparent’s brother, i.e. a parent’s aunt
Gabrielle is Frederic’s wife
Frederic is Estelle’s brother
Adelle is Estelle’s granddaughter
Celine is Estelle’s daughter
Adelle is Celine’s daughter
A person’s granddaughter is the daughter of their child
Fig. A.7 Potential solution to Problem 5.2
3. Context applies to the Goal to which it is attached and all of its Sub-Goals. In this example, it applies to all the Sub-Goals of a Goal. It is therefore reasonable to apply it to the Goal itself. As a general rule, apply Context as far down the Goal Structure as practicable; it is then clearer for the reader to understand your meaning. Invoking a standard, for example, at the top of the structure just adds confusion if the subject of that standard does not appear until two levels down in the argument structure. Invoking the standard and introducing the subject at the same level immediately sets the context and aids comprehension.
Answers to the Problems of Chapter 6
1. A Context is missing from the figure. It is needed to state that the three sub-divisions, as represented by the Strategies, cover all the requirements.
2. We can include Context in the Sub-Goal version to show that the three sub-divisions cover all the requirements, as shown in Fig. A.8. Alternatively, we could add a fourth Sub-Goal to argue that there are only these three types of requirement.
All functional requirements have been successfully verified by test or by demonstration
All requirements for automatic functions have been successfully verified by test or by demonstration
All requirements for user-triggered functions have been successfully verified by test or by demonstration
All requirements for operator-initiated functions have been successfully verified by test or by demonstration
Functional requirements specify automatic, user-triggered and operator initiated functions only
Fig. A.8 Reducing span by using Sub-Goals to add levels
Answers to the Problems of Chapter 7
1. Assumption A6.3a includes the preamble “It is assumed that”; the symbol is to be read as meaning that, so it is unnecessary to state it. It should have been just “Vehicle traffic is in the junction”. Examine that statement; whether it turns out to be true or false, it has no impact on the truth of the Goal. A6.3a is thus an unnecessary Assumption and should be removed. A6.3b contains an external reference to supporting information; it should therefore be a Context. I already have a Context, so I have re-labelled it C6.3a and transformed A6.3b into C6.3b. A6.3c appears reasonable, but as applied to the Goal, rather than the Strategy. I propose re-drawing the argument fragment as in Fig. A.9.
2. The basic answer is shown in Fig. A.10, in which I added a Context to say where the Goal statement came from. I should also have added Contexts to say what the system is and where the various requirements referred to are specified. For the next step, Fig. A.11, I add those and use the text of the notes (but I do not need to say “It is assumed that…” in the Assumption symbols).
G6.3: On detection of any of the specified failure conditions, all signal lights are extinguished
C6.3a: “All signal lights” includes those for pedestrians
C6.3b: The failure conditions are specified in the concept of operations
S6.3: Argue over each failure condition & any combination thereof
A6.3: The system fulfils its electromagnetic interference susceptibility requirements
Fig. A.9 One Assumption remains
G1: The software safety requirements correctly state what is necessary and sufficient to achieve tolerable safety, in the system context
J1: NOTE 7
C1a: Sub-objective A of CAP 670 SW01, “Requirements Validity”
C1b: NOTE 1
C1c: NOTE 8
A1a: NOTE 2
A1b: NOTE 3
A1c: NOTE 4
A1d: NOTE 5
A1e: NOTE 6
Fig. A.10 Basic answer using the suggested shorthand
G1: The software safety requirements correctly state what is necessary and sufficient to achieve tolerable safety, in the system context
J1: During the software development process, functions may be introduced which have repercussions on the safety of the ATS system. These will need to be assessed and if necessary, new or changed Safety Requirements will have to be generated.
C1a: G1 addresses Sub-objective A of CAP670 SW01, “Requirements Validity”
C1b: The system is to support provision of Air Traffic Services (ATS); it is described in <reference>
C1c: The system-level safety requirements are specified in <reference>
C1d: The software safety requirements are specified in <reference>
C1e: These requirements will include requirements to control hazards identified during implementation
C1f: The set of software safety requirements includes all software safety requirements derived or changed during the requirements determination and design processes
A1a: The system-level safety requirements are derived from a hazard and risk analysis of the ATS environment in which the system is required to operate
A1b: A necessary and sufficient set of system-level safety requirements exist, which describe the functionality and performance required of the system in order to support a tolerably safe ATS
A1c: The failure modes which the software must detect and mitigate in order to meet the system safety requirements have been identified e.g. those failure modes associated with: other systems, system-system interactions, equipments, pre-existing software and all user-system interactions.
A1d: The failure modes identified include generic failures relevant to the safety related ATS application, e.g. security threats, loss of communications, and loss of power
A1e: The failure modes identified (including human errors) are representative of the operational environment for the system and workload on the system operators
Fig. A.11 Basic answer expanded using note text
3. The problem is that we have been too literal in our capture of the material and have missed a significant point. This is a case in which a Customer (actually the Customer’s Regulator) has told us what to argue; they want us to demonstrate that the claim is true for our software-based system. They stated assumptions, but these are not the conditions in which the claim is true, rather they are the conditions for it to be the right claim. We must not capture them as Assumptions; we must show in our argument (Fig. A.12) that they are valid.
It may have been better, rather than to have detail of a low-level process highlighted right at the top of the argument, to have had a Justification in place of Goal G1.3. That Justification would have the same wording as the Goal, but it would also cross-refer to a lower-level Goal that provides the argument.
I have not captured all the Customer’s assumptions in the decomposition shown in Fig. A.12; to do that I will need to decompose Goal G1.1 another level, see Fig. A.13.
G1: The software safety requirements correctly state what is necessary and sufficient to achieve tolerable safety, in the system context
G1.1: The system safety requirements correctly state what is necessary and sufficient to achieve tolerable safety, in the system context
G1.2: The software safety requirements were derived from the system safety requirements, and that derivation was independently checked
G1.3: The Change Process includes a review of safety requirements, augmenting or modifying as necessary to accommodate the effects of the change
C1a: Sub-objective A of CAP670 SW01, “Requirements Validity”
C1b: The system is to support provision of Air Traffic Services (ATS); it is described in <reference>
C1c: The software safety requirements are specified in <reference>
C1.1: The system-level safety requirements are specified in <reference>
Fig. A.12 Revised top-level argument
G1.1: The system safety requirements correctly state what is necessary and sufficient to achieve tolerable safety, in the system context
G1.1.1: The system safety requirements were derived from a hazard analysis and risk assessment of the operating environment and the concept of operations
G1.1.2: The set of system safety requirements is necessary and sufficient to maintain tolerably safe operations when in service
G1.1.3: Failure Modes & Effects Analysis has been carried out on the system in its operating environment (including consideration of external and interface failures)
G1.1.4: Human Error Effects Analysis has been carried out on the system in its operating environment (including usability and workload considerations)
C1.1a: The system-level safety requirements are specified in <reference>
C1.1b: “Tolerable safety” is defined in <reference>
Fig. A.13 Decomposition of system requirements Goal
Answers to the Problems of Chapter 8
1. It is conceivable that, if you were to adopt the S convention for numbering evidence, you could have two entities in your argument with the same number, the other one being a Strategy. This does not really matter to the reader, as it is clear from the geometry and the syntax which is meant; it can, however, cause confusion in review or challenge. For example, someone may have written, “What is the justification for S2.1.2?” Do you have to explain why you used that Strategy, or why that Evidence is pertinent?
2. We can use the same structure as we did for the Methuselah Report, as shown in Fig. A.14. I would hope to see a bit more information in a real argument, see Problem 3.
3. This part of the argument would be more (or possibly less) compelling if the actual result of the analysis were declared. If the report predicts a failure rate of once in a hundred thousand hours, I will be more confident that the claim is true than if it had predicted exactly once in ten thousand hours. Of course, if the report were to predict once in a hundred million hours, I could be less confident, thinking instead that the people who prepared and approved the report may be kidding themselves!
Another point of concern here is whether Fault Tree Analysis is valid in this situation. The logical structure of such an analysis is universally applicable to causal systems but, like in the Reliability Block Diagram example in the main body of the chapter, the failure rate calculations depend on assumptions that may not hold for this particular equipment. The use of the technique should be justified, as should the competence of the analyst, the suitability of any tools used to produce the results, and the provenance of the data.
The argument segment, shown in Fig. A.15, also illustrates another problem with evidence in some contexts: the potential for mismatch of units. When I made the claim, I expressed the target in terms of hours but, when the analysis report arrived, it gave the result in years. Although the widespread use of standard “SI Units” has reduced such problems, there are situations in which other units, such as Knots, have been retained. I suggest either re-expressing the target in new units using a Context, as shown, or using a Justification to declare that the target has been met, in this case because failures are predicted to occur at least eight times more infrequently than required.
Also, is it sufficient to point your readers to a, potentially very large, report as evidence of a parameter attaining a target? It would have been better if I had identified the pertinent section of each report as Evidence.
G2.3.1: The equipment will fail no more often than once in ten thousand operating hours
J2.3.1: This is argued in the Fault Tree Analysis Report
E2.3.1: The Fault Tree Analysis Report
Fig. A.14 Argument part redrawn using core GSN
G2.3.1: The equipment will fail no more often than once in ten thousand operating hours
C2.3.1: Continuous operation, so ten thousand operating hours is just over one year
S2.3.1: Argument of a valid analysis of the pertinent design by competent staff with qualified tools
G2.3.1.1: Fault Tree Analysis predicts an equipment failure rate of once in ten years
G2.3.1.2: The Fault Tree Analysis tool used is fit for purpose
G2.3.1.3: The use of Fault Tree Analysis is valid in this case
G2.3.1.4: Fault Trees were produced by competent staff
G2.3.1.5: Fault Tree Analysis was carried out on the current version of the design
E2.3.1.1: The Fault Tree Analysis Report
E2.3.1.2: Tool Verification Report
E2.3.1.3: Equipment Verification Plan
E2.3.1.4: Staff Competency Report
E2.3.1.5: Project Quality Records
Fig. A.15 Argument augmented with new Sub-Goals
Answers to the Problems of Chapter 9
1. If you were to use the Goal to be Developed symbol to indicate that a Goal is developed later on in the same document, it would cause confusion for the reviewer, who will not be expecting to follow that particular chain of thought further. It would cause even more confusion if your argument were to include genuine undeveloped Goals. If you wish to include navigation information on the diagram, use a Label; otherwise, put it in the text below the diagram. Use a tabular or bulleted format if there are several such Sub-Goals.
2. I am sorry; I cannot give you an answer to this one. What you need to produce is a personal checklist that includes the detail you need. If you are naturally very methodical and/or succinct and accurate in what you write, you can prune those areas of the checklist, but you may need to enhance other areas… You may also wish to add additional questions once you have read Chaps. 12 and 13 on the problems of evidence collection.
Answers to the Problems of Chapter 10
1. Although now a deprecated symbol, this seemed an ideal opportunity to use a Model, see Fig. A.16. In a real argument, I would actually have included it lower down the Goal Structure, in the decomposition of Goal G3.3…
2. My proposed solution is set out in Fig. A.17.
G3: Evidence of life is found in exoplanet atmospheres
G3.1: Atmospheric components can be identified by spectrographic analysis as an exoplanet transits its star
G3.2: Climate models can predict the proportions of atmospheric gases both with and without life present
G3.3: Results from spectrographic analyses show, to a high level of confidence, the atmospheric gas proportions that indicate life is present
M3: Exoplanet Climate Model <reference>
Fig. A.16 Potential solution to Problem 10.1
Answers to the Problems of Chapter 11
1. This is my suggested decomposition; I have split it into two diagrams (Figs. A.18 and A.19) for ease of fitting it on the page. If there are tasks to perform, they must be identified and specified so that training can be provided. That is not enough; we also need to run some evaluation trials so that Users can raise any concerns and we need to monitor performance when the system is in service, and feed back any problems encountered to the System Authority.
When plants fix CO₂ during photosynthesis, they take up ¹²C, ¹³C and ¹⁴C in the same proportions as in the atmosphere
After a plant dies (or is eaten) the amount of ¹⁴C declines by beta decay at a fixed exponential rate
A sample’s age can be derived by comparing the proportion of ¹⁴C in it with that expected from the atmosphere
Calibration of the measurements to a known accuracy can be achieved by correlation with other data sources
We can measure the age of an archaeological sample of organic matter with a known accuracy
The half-life of ¹⁴C is 5730 years
Of the fifteen known isotopes of Carbon, only ¹²C, ¹³C and ¹⁴C occur naturally
Fig. A.17 Potential solution to Problem 10.2
G5: User tasks will be performed properly
C5: Proper performance of tasks is defined in the Human Factors Handbook
S5.1: Argue that all tasks have been specified and validated, also that the users can perform them
S5.2: Argue that performance levels will be maintained or improved in service
G5.2.1: There is a mechanism in place to measure in-service user performance on {Task}
G5.2.2: There is a mechanism in place to capture in-service user feedback on {Task}
Link labels: >1, >1
Fig. A.18 Potential solution to Problem 11.1, view 1
S5.1: Argue that all tasks have been specified and validated, also that the users can perform them
C5.1: Task specifications are in the system Master Record Index
G5.1.1: User {Task} has been identified and specified
G5.1.2: The {Task} specification has been evaluated by representative users on the prototype system
G5.1.3: {User} has been successfully trained to properly perform {Task}
Link labels: >1, >1, >1
Fig. A.19 Potential solution to Problem 11.1, View 2
Answers to the Problems of Chapter 12
1. In the absence of any prior use data from other systems, I have to depend on the experience gained with the component as it was deployed in the system throughout testing and evaluation. The usage environment should be very similar to that which will be experienced in operation, indeed I have had to argue that elsewhere in the assurance to justify the use of the test set-up. In a real argument I would have brought out the number of hours of use the component had been subject to. Here, in Fig. A.20, I have left the reader to get that from reading the Evidence reports.
Answers to the Problems of Chapter 13
1. The key point is that, in the fish example, the counter-evidence challenged the Top Goal directly, whereas the test failure challenged a Sub-Goal way down the Goal Structure. In general, if a small part of your argument is refuted by counter-evidence, it may only be that part that is wrong; it may still be possible to argue for the Top Goal successfully. Look for a work-around, or (and this is the better option) develop a different way of supporting your claims.
2. The example found in the fisherman’s catch was dead; therefore the Coelacanth is extinct, but the extinction event was a bit more recent than the previous estimate of sixty-five million years ago. OK, a silly example, but if you are a reviewer of arguments, this is the sort of thing you should be looking out for.
G4.2.5: The network component is fit for purpose for the sales office system
C4.2.5: The component deployed is N8112
G4.2.5.1: The network component was developed by a well-established network equipment manufacturer
G4.2.5.2: The component was in use throughout system testing and evaluation without any network failures attributed to it
J4.2.5.2: The test environment is representative of the operating environment, see Goal 3.2.2
E4.2.5.2.1: System Failure Logs
E4.2.5.2.2: System Verification Summary Report
E4.2.5.2.3: System Evaluation Summary Report
Fig. A.20 Argument based on the deployed component
Answers to the Problems of Chapter 14
1. I have spread my suggested solution across three figures; one for the Top Goal decomposition (Fig. A.21) and one each for each of the Strategies (Figs. A.22 and A.23).
G1: Process 7 is fit for purpose
C1a: Process 7 provides a method for properly applying wallpaper to interior walls
C1b: Process 7 is documented as Chapter 7 of the Decorating Manual
C1c: Process 7 does not address quantity surveying, preparation of surfaces, etc.
S1.1: Argue over the set of objectives
S1.2: Argue over the set of unwanted outcomes
G1.1: Process 7 achieves its stated objectives
G1.2: Unwanted outcomes from Process 7 are mitigated
C1.2: “Mitigated” means avoided or the associated risk is reduced
Fig. A.21 Potential solution to Problem 14.1, Top Goal
S1.1: Argue over the set of objectives
C1.1: The objective of the process is to give a high-quality finish by correctly pasting and hanging wallpaper
J1.1: Process 7 Objectives are clearly stated in the process document at Subsection 1.1
A1.1: The precursor processes, e.g. surface preparation, are properly completed before this process is started
G1.1.1: Process 7 provides methods for selecting and mixing paste
G1.1.2: Process 7 provides measurement, cutting and pasting methods
G1.1.3: Process 7 provides methods for correctly hanging wallpaper
G1.1.3.1: Process 7 addresses starting from a vertical, and pattern alignment
G1.1.3.2: Process 7 addresses papering around doorways, windows, sockets, light switches and radiators
G1.1.3.3: Process 7 addresses papering around reveals, internal corners and external corners
G1.1.4: Each method has been tested and deemed acceptable by a third party
E1.1.1: Section 2.1
E1.1.2: Section 2.2
E1.1.3.1: Section 3.1
E1.1.3.2.1: Sections 3.2, 3.4 & 3.5
E1.1.3.2.2: Section 3.3
E1.1.3.3: Sections 3.6 & 3.7
E1.1.4: Specialist’s Report
Fig. A.22 Potential solution to Problem 14.1, S1.1
Answers to Problems 187
2. I asked you to modify the pattern in Fig. 14.1 to argue for the outputs of acomputer-based tool; see Fig. A.24 for my solution. In practice, such a toolwould be used to automate part of an existing process; if so, you should aug-ment the process argument with the tool argument, rather than replace it.
GX: The outputs obtained from {Tool} are correct
CXa: {Tool} is documented in...
CXb: Independent => an output is checked by someone not involved in its production
SX: Argue that the tool is fit for purpose, it has been used properly and the outputs have been independently checked
GX.1: {Tool} is fit for purpose
GX.Y: {Tool} was used by {Staff}, a competent person
GX.Z: {Output} of {Tool} was checked independently
n > 0 (label appears twice in the figure)
Fig. A.24 Potential solution to Problem 14.2
S1.2: Argue over the set of unwanted outcomes
J1.2: Unwanted outcomes were identified from Customer Questionnaires and Quality Standards
G1.2.1: Process 7 mitigates bubbles and creases
E1.2.1: Section 2.2
G1.2.2: Process 7 mitigates apparent seams
E1.2.2: Section 3.1
G1.2.3: Process 7 mitigates paste marks
E1.2.3: Section 4
Fig. A.23 Potential solution to Problem 14.1, S1.2
Index
A
Applications
  Assurance Arguments, 1, 11, 13, 36, 41, 53, 69, 79, 85, 89, 111, 115, 132, 135, 147, 149, 167, 170, 184
  Checklist Design, 35, 77
  Competent Person Arguments, 71, 131, 148
  Process Arguments, 71, 129, 143, 148, 166
  Tool Arguments, 68, 71, 140, 141, 166, 188
Argument
  Affirming the consequent (fallacy), 21
  Against a proposition, 9
  An invalid decomposition, 46
  Argument by contradiction, 56
  Challenge, 24
  Clarity, 25
  Clever, 93
  Commutativity of conjunction, 24
  Competence, See Applications, 139
  Contrarian Argument, 57
  Counter-evidence, 121
  Deductive, 26
  Definition, 2
  Fallacies, 21
  Generic, See Generic Argument, 103
  Great subtlety and cunning, 93
  Inductive, 26
  Missing evidence, 115
  Other Notations, 4
  Partition for Publication, 31, 53
  Partition with Away Goals, 144
  Partition with Justification, 53
  Partition with Strategy, 41
  Pattern, See Generic Argument, 103
  Premises, 20
  Process Argument, See Applications, 139
  Product Argument, 131
  Proposition, 8, 19, 20, 155
  Safety Argument Re-use, 3
  Structuring an Argument, See Goal Structures, 19
  Subverting a proposition, 9
  Tool Argument, See Applications, 139
Arrows
  Broken, 107
  Cardinality, 106, 107, 124, 164
  MooN Relationship, 107, 165
  Open-headed (Contextual Reference), 12, 16, 17, 49, 55, 75, 159, 161
  OR Relationship, 106, 165
  Solid-headed (Thread of Argument), 19, 62, 156, 158
  Solid-headed, with bobble (Many Relationship), 105, 124, 164
  Solid-headed, with O (Optional Relationship), 106, 164
Assumption
  Connectivity, 55, 162
  GSN Symbol, 55, 161
  Labelling, 55
  Text Convention, 55, 161
  Validation, 55, 162
Assurance Argument, See Applications, 139
Away
  Context, 150
  Goal, 144
  Solution, 150

C
Checklists
  Additional review questions, 90, 101, 111, 119, 127, 152
  Argument ready for review, 77
  Authors’, 84
  Business Plan ready for review, 35
  Correctness of argument, 88
  Correctness of relationships, 87
  Correctness of symbols, 86
  Quality of presentation, 85
  Reviewers’, 88
  Task completion, 35
  Verification, 36
Claims Argument Evidence Trees, 4
Coelacanth, 121, 127, 185
Competent Person, See Applications, 139
Confirmation Bias, 119
Context
  Away, See Modular GSN, 150
  Connectivity, 12, 16, 159
  Flow Down, 94
  Generic, See Generic Argument, 106
  GSN Symbol, 12, 13, 160
  Inheritance, 14, 160
  Labelling, 33
  Text Convention, 12, 14, 160
  Too much, 16, 60, 177
Counter-evidence
  Pattern, 127
  Tests all passed, but one, 122
  Tests all passed, but six, 124
  Used to advantage, 125
  What is it?, 121

D
Deprecated Symbols
  Goal Developed Elsewhere, 66, 72
  Model, 16, 182
Disclaimer, 3
Drake Equation
  Formulation, 117
  History, 116
  Parameters, 117
  What is it?, 93, 117

E
Evidence
  Away Solution, See Modular GSN, 150
  GSN Symbol, 62, 158
  Labelling, 63
  Text Convention, 63, 158
Examples
  All Men are Aristotle (fallacy), 21
  Applying Wallpaper, 136
  Argument by Contradiction, 56
  Beryllia, 10, 15, 169
  Business Plan is ready, 30
  CAP670 SW01, 58, 176
  Car salesman, 70
  Carbon dating, 101, 182
  Cattery admission, 106
  Choreography, 139
  Competency, 131, 148, 180
  Contractual complication, 110, 152
  Counter-evidence used to advantage, 125
  Defendant is Guilty, 24
  Dürer, 10, 169
  Euclid’s Theorem, 56
  Fault Trees, 72, 180
  Fit for purpose, 134
  Fundamental Principle of GSN, 35
  Goal text, 8, 10, 44, 156, 169
  Human Factors, 111, 183
  Icosahedron, 53, 58
  ISO9001, 10, 169
  Justifying Evidence with a Justification, 67
  Justifying Evidence with explicit argument, 68
  Justifying test failure, 124, 125
  Methuselah Report, 65
  Option C is the Best Candidate, 42, 50, 73
  Planning enquiry, 2, 9, 132
  Previous Use Argument, 69
  Process Argument patterns, 130, 132, 134, 138
  Protection system, 132, 152
  Radome repair, 135
  Rædwald, 10, 169
  RTTE, 10, 15, 169
  Site has Adequate Security, 25, 43, 51
  Socrates is a Cat (fallacy), 21
  Socrates is mortal, 20
  Specific Absorption Rate, 143, 146
  Staff Knowledge, 132
  Staff Skills, 133
  Tests all passed, 115, 122
  Tests all passed, but one, 122
  Tests all passed, but six, 124
  Tests not run, 115
  There is life on Exoplanets, See Exoplanet Example, 92
  Town needs a Bypass, 22
  Turing Centenary, 9
  Unit mismatch, 180
  University admission, 106, 107
  Wallpaper, 136
  Xanthippe, 64
  Yacht repair, 135
Exoplanet Example
  Climate model, 100, 182
  Doppler sensor, 95
  Drake Equation, See Drake Equation, 116
  Evidence of life is found in exoplanet atmospheres, 98, 114
  Goldilocks Zone, 98
  Green Bank Equation, See Drake Equation, 116
  Introduction, 91
  Lack of evidence from SETI, 100, 116
  Some exoplanets are habitable, 97
  Spectrometer, 98
  Strategy for Top Goal, 92
  The first level of Goal decomposition, 94
  There are planets in other solar systems, 95
  Top Goal, 92
  Transit sensor, 96
Extra Symbols (not GSN)
  Navigation labels, 75
  Notes, 75

F
Fallacy
  See Argument, 21

G
Generic Argument
  Counter-evidence, 127
  Documentary Data, 110
  Generic Assumption, 165
  Generic Context, 106, 165
  Generic element symbols, 106, 165
  Generic elements to be developed, 166
  Generic Evidence, 163
  Generic Goal, 104, 163
  Generic Justification, 165
  Generic Strategy, 163
  Identifier, {X}, 104, 162
  Instantiation Table, 110
  Introduction, 103
  MooN Relationship, 166
  Multiple Relationship, 107, 165
  Optional Relationship, 106, 164
  OR Relationship, 106, 132, 165
  Strategy, 110
Goal
  Away, See Modular GSN, 144
  Developed Elsewhere, See Deprecated Symbols, 66
  Generic, See Generic Argument, 106
  GSN Symbol, 7, 8, 156
  Labelling, 32
  Text Convention, 8, 156
  To be Developed Symbol, 73, 105, 158
  True or False, 8, 156
  Vague, 16
Goal Structures
  Ad infinitum, 131
  Drafting strategy, 34
  Labelling, 32
  Layout and balance, 33
  Ordering of Sub-Goals, 23
  Reducing the span, 46
  Segmenting, 31
  Sequence of Argument, 19, 23
  Text Descriptions—are they needed?, 22
  Using ‘Yellow Stickies’, 34
GSN Overview
  Argument elements, 155
  Argument elements to be developed, 158
  Contextual elements, 159
  Generic elements, 104, 106, 162
  Modular elements, 144, 150

H
How to use this book, 2

I
‘Is Solved By’ relationship, 62

J
Justification
  Connectivity, 49, 161
  GSN Symbol, 49, 160
  Labelling, 50
  Text Convention, 50, 161

L
Labelling Goal Structures, 32
Layout and balance, 33
Logic type, 26

M
Mnemonic Labelling, 33, 144, 147
Model, See Deprecated Symbols, 16, 182
Modular GSN
  Away Context, 150
  Away Goal, 144
  Away Solution, 150
  Contract Module, 152
  Interface Problem, 151
  Mapping ‘away’ to ‘public’, 151, 152
  Modular Argument, 147
  Module, 147
  Public elements, 151

N
Normalisation of Deviance, 125
Numerical Labelling, 33

P
Planetarium, viii
Process Argument
  See Applications, 139
Process to generate a Goal Structure, 45
Product Argument, 131
Public elements
  See Modular GSN, 151

Q
Quotations
  Boris Grushenko, 21
  Frank Drake, 117
  Juvenal, 131
  Monty Python, 2
  Richard Feynman, 69
  Spock, 95
  Woody Allen, 21

R
Reasoning, 26
Relationships
  See Arrows, 36
Reviewing
  An invalid decomposition, 46
  Authors’ checklist, 84–88
  Confirmation Bias, 119, 185
  Correct argument, 83
  Correct use of GSN Symbols, 81
  Correctness of GSN Symbols, 78
  Quality of presentation, 77
  Reviewers’ checklist, 88
  Scope, 73

S
Segmenting Goal Structures
  for publication, 31
SETI, 93, 116
Solution
  See Evidence, 62
Strategy
  GSN Symbol, 39, 157
  Labelling, 40
  Text Convention, 39, 157
  To be Developed Symbol, 74, 159
  Using for Emphasis, 42
  Using More Than One, 40

T
Tim Kelly, 44, 143
To be developed
  See Goal or Strategy, as appropriate, 73
Tool Argument
  See Applications, 139
Toulmin Diagrams, 4

U
Unified Modeling Language, 17, 147

V
Validating Assumptions
  See Assumption, 192
Verifying checklists
  See Checklists, 192

W
Wigmore Charts, 4