GSN Hazard Log Editor and Viewer

Goal Structuring Notation (GSN) is used in hazard analysis and in the production of a safety case for systems that can cause hazards, typically in industries where safety assurance is critical, such as the defence, automotive, rail and nuclear sectors.

It is a graphical notation for representing the structure of safety arguments. The structure is effectively a pyramid with a layer of evidence at the bottom. Each higher level is built on the levels below it until the argument shows how the set of evidence items combine to support the top claim (e.g. that the system is acceptably safe to operate in a particular operating environment).

Although the safety case is built up from the evidence, the argument itself is read top down. The principal purpose of a goal structure is to show how goals (claims about the system) are successively broken down into (“solved by”) sub-goals until a point is reached where each claim can be supported by direct reference to available evidence (solutions). Using GSN to develop a safety or environmental case makes explicit the confidence that can be placed in the stated claims, which is hard to establish by other means.

What is GSN?

Goal Structuring Notation is a graphical argumentation notation that can be used to represent explicitly the individual elements of any complex argument and the evidence that supports them. Because it is graphical, it provides a clear way of forming and navigating arguments that are often complex. GSN diagrams are usually supported by additional textual narrative, to strike the right balance between brevity in the diagrams and a fuller explanation in the narrative.

The argument is layered, starting with a top-level claim about the level of risk (Goal 1).

Through an organised argument in GSN notation, the top-level claim is decomposed into lower-level claims and strategies that together constitute the argument, e.g. Goals G.1.1, G1.1.1 …, Strategy S.3 etc.

The low-level claims are ultimately satisfied by references to evidence; in this example, through references to an appropriate set of functional requirements, safety cases and test evidence, e.g. E1, E2, E3.

In simple terms, the process of producing the safety argument can be summarised in the following steps (this is a guide and is not mandated):

  • Clearly define the objective and scope of the safety argument being presented;
  • Define the basis for the goals – e.g. context information;
  • Identify the strategy, i.e. how to substantiate the stated goal;
  • Define the basis for the strategy: as for a goal, identify any relevant contextual information;
  • Elaborate the strategy, defining the sub-goals;
  • Identify solutions; and
  • Review and assess the GSN against qualitative review criteria such as completeness, correctness, adequacy.

Example of a GSN diagram using colours to represent maturity

In this example, the following colours have been assigned to represent maturity:
  Blue     Unassigned
  Red      Basis has been agreed
  Amber    Work in progress
  Green    Work complete

The maturity of each element is inherited from the elements below it according to a set of predefined rules that take the worst case, so an element is never shown as more mature than its least mature child.

Each symbol therefore carries a ‘traffic light’ indication of maturity. Once engineers are familiar with the GSN notation, this allows a rapid assessment of the maturity of the overall safety argument’s goals and strategies, and shows where additional effort should be focused to resolve specific issues.
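As an added example (this is plain Python, not the product's own code, which runs inside DOORS), the worst-case inheritance rule above, the manual override described later under The Element Editor, and two of the review criteria from the process steps (completeness and a well-formed structure). The element identifiers, texts and the ordering of the four colours from worst to best are constructed assumptions for the illustration.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from enum import IntEnum
from typing import Optional


class Maturity(IntEnum):
    """Traffic-light maturity levels, ordered worst (lowest) to best so that
    min() over a set of children yields the worst case.  The ordering of the
    page's four colours is an assumption of this example."""
    UNASSIGNED = 0    # blue
    BASIS_AGREED = 1  # red
    IN_PROGRESS = 2   # amber
    COMPLETE = 3      # green


COLOUR = {
    Maturity.UNASSIGNED: "blue",
    Maturity.BASIS_AGREED: "red",
    Maturity.IN_PROGRESS: "amber",
    Maturity.COMPLETE: "green",
}


@dataclass
class Element:
    ident: str                                  # e.g. "G1", "S1", "E1"
    kind: str                                   # "goal", "strategy" or "solution"
    text: str
    maturity: Optional[Maturity] = None         # evidence status, or a manual override
    solved_by: list[Element] = field(default_factory=list)   # "solved by" links


def effective_maturity(el: Element) -> Maturity:
    """Maturity shown on the symbol: an explicit value wins (a solution's
    evidence status or a manual override); otherwise the worst case of the
    children; an undeveloped element with nothing beneath it is Unassigned."""
    if el.maturity is not None:
        return el.maturity
    if not el.solved_by:
        return Maturity.UNASSIGNED
    return min(effective_maturity(c) for c in el.solved_by)


def review(root: Element) -> list[str]:
    """Review checks: completeness (every goal and strategy is solved by
    something, every solution has an evidence status) and a well-formed
    structure (no element is its own ancestor)."""
    findings: list[str] = []

    def walk(el: Element, path: tuple[str, ...]) -> None:
        if el.ident in path:
            findings.append("cycle: " + " -> ".join(path + (el.ident,)))
            return
        if el.kind in ("goal", "strategy") and not el.solved_by:
            findings.append(f"{el.ident} is undeveloped (no sub-goal or solution)")
        if el.kind == "solution" and el.maturity is None:
            findings.append(f"{el.ident} has no evidence status")
        for c in el.solved_by:
            walk(c, path + (el.ident,))

    walk(root, ())
    return findings


def build_example() -> dict[str, Element]:
    """Constructed goal structure (not taken from the page): a top goal
    decomposed through one strategy into two sub-goals, one undeveloped."""
    e1 = Element("E1", "solution", "Test report", Maturity.COMPLETE)
    e2 = Element("E2", "solution", "Safety requirements review", Maturity.IN_PROGRESS)
    g11 = Element("G1.1", "goal", "Identified hazards are mitigated", solved_by=[e1, e2])
    g12 = Element("G1.2", "goal", "Residual risk is tolerable")       # nothing beneath it yet
    s1 = Element("S1", "strategy", "Argue over each identified hazard", solved_by=[g11, g12])
    g1 = Element("G1", "goal", "System is acceptably safe to operate", solved_by=[s1])
    return {e.ident: e for e in (g1, s1, g11, g12, e1, e2)}


if __name__ == "__main__":
    els = build_example()
    for ident, el in els.items():
        m = effective_maturity(el)
        print(f"{ident:5} {el.kind:9} {m.name:13} {COLOUR[m]}")
    print(review(els["G1"]))
    # Override the undeveloped goal once its basis is agreed; the worst case
    # recomputed from the bottom then propagates up to G1.
    els["G1.2"].maturity = Maturity.BASIS_AGREED
    print(effective_maturity(els["G1"]).name)
```

Because G1.2 is undeveloped, S1 and G1 both show blue even though G1.1 is amber; the review lists G1.2 as the reason. An override is deliberately applied at the element, not the parent, so that it is visible where it was made.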

Although GSN diagrams can be produced with drawing tools such as Visio or even PowerPoint, the information is then fixed to what is drawn in the diagram, which may not be sufficient for a safety case.

DOORS provides a richer GSN, in which each element is backed by the attributes and traceability held in the underlying modules.

Example of how it can be done in DOORS

The user could edit the values directly in DOORS, but the aim of this tool is to present the safety argument clearly and concisely without requiring any knowledge of how DOORS works or how it is modified.

The following two examples provide an extract of Goal Structuring Notation (GSN) relating to:

  1. The safety argument around Hazardous RF Emissions for an aircraft.
  2. The Automotive Safety Integrity Level (ASIL), a risk classification scheme defined by the ISO 26262 (Road vehicles – Functional safety) standard.

In both examples, the GSN Hazard Log Editor and Viewer is built from a series of editors that together feed the GSN display. The display and the editors are linked so that edits are reflected in the display immediately; they become permanent only when the user saves to the underlying DOORS module(s), so unsaved edits are lost when the tool is closed.

The Hazard Editor for an Aerospace Project
Selection of an Aerospace Hazard

This is the main page, used to add, delete, view and edit an aerospace hazard. A project can contain any number of hazards, each held in its own module. The hazard editor searches the current project for hazard modules. Attributes such as the description and overall status are displayed so that hazards with similar names can be told apart.

Once a hazard is selected, the user can edit further hazard attributes such as its operating states or the values in the Hazard Inherent Risk matrix.

Top level aerospace hazard editor

Each hazard is assigned a classification from a severity and probability matrix, which is then used to calculate the inherent and residual risk automatically.

Frequency (likelihood) and Severity (consequence) hazard table with Risk rating

The table used in the example is a 4 × 6 matrix, but the software can be modified to any table size. It could also be extended to provide ALARP statements, links to cause and consequence mitigations, or links to safety requirements to form a progressive assurance regime.
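An added example, not the product's table or code: a Python model of the classification step with a constructed 4 × 6 likelihood-by-severity table, showing how a table of any size is validated and how inherent and residual risk are derived from it. The category names, the risk classes in each cell, the hazard identifiers and the assumption that mitigation lowers likelihood but not severity are all constructed for the illustration.

```python
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

# Constructed categories and risk classes (an illustration, not the
# product's table).  Risk class A is the highest risk, D the lowest.
SEVERITIES = ("Catastrophic", "Critical", "Marginal", "Negligible")
LIKELIHOODS = ("Frequent", "Probable", "Occasional", "Remote", "Improbable", "Incredible")
RISK_CELLS = {
    #              Catastrophic Critical Marginal Negligible
    "Frequent":   ("A", "A", "A", "B"),
    "Probable":   ("A", "A", "B", "C"),
    "Occasional": ("A", "B", "C", "C"),
    "Remote":     ("B", "C", "C", "D"),
    "Improbable": ("C", "C", "D", "D"),
    "Incredible": ("C", "D", "D", "D"),
}


@dataclass
class RiskMatrix:
    """Likelihood x severity table of any size.  Likelihoods are listed most
    frequent first; each row must carry one risk class per severity column."""
    severities: tuple[str, ...]
    likelihoods: tuple[str, ...]
    cells: dict[str, tuple[str, ...]]

    def __post_init__(self) -> None:
        for lk in self.likelihoods:
            row = self.cells.get(lk)
            if row is None or len(row) != len(self.severities):
                raise ValueError(f"row {lk!r} must have {len(self.severities)} entries")

    def classify(self, likelihood: str, severity: str) -> str:
        """Look up the risk class, rejecting categories the table does not define."""
        if likelihood not in self.likelihoods:
            raise ValueError(f"unknown likelihood {likelihood!r}")
        if severity not in self.severities:
            raise ValueError(f"unknown severity {severity!r}")
        return self.cells[likelihood][self.severities.index(severity)]


@dataclass
class Hazard:
    ident: str
    description: str
    severity: str
    likelihood: str                               # before any mitigation
    mitigated_likelihood: Optional[str] = None    # after mitigation; None = not yet assessed


def inherent_risk(h: Hazard, m: RiskMatrix) -> str:
    return m.classify(h.likelihood, h.severity)


def residual_risk(h: Hazard, m: RiskMatrix) -> str:
    """Residual risk after mitigation.  This example assumes mitigation
    reduces likelihood and leaves severity unchanged; until a mitigated
    likelihood is recorded the residual risk equals the inherent risk."""
    return m.classify(h.mitigated_likelihood or h.likelihood, h.severity)


def check_mitigation(h: Hazard, m: RiskMatrix) -> list[str]:
    """Consistency checks a hazard-log reviewer would want: the mitigated
    likelihood must not be more frequent than the inherent one, and the
    residual class must be no worse than the inherent class (this second
    check also catches a table that has been edited to be non-monotonic)."""
    findings: list[str] = []
    if h.mitigated_likelihood is not None:
        if m.likelihoods.index(h.mitigated_likelihood) < m.likelihoods.index(h.likelihood):
            findings.append(f"{h.ident}: mitigated likelihood more frequent than inherent")
    # Risk classes are single letters with A the worst, so "A" < "B" means worse.
    if residual_risk(h, m) < inherent_risk(h, m):
        findings.append(f"{h.ident}: residual risk worse than inherent risk")
    return findings


EXAMPLE_MATRIX = RiskMatrix(SEVERITIES, LIKELIHOODS, RISK_CELLS)

if __name__ == "__main__":
    # Constructed hazard record, not from the page.
    h = Hazard("H-RF-01", "Hazardous RF emissions during ground refuelling",
               severity="Critical", likelihood="Occasional", mitigated_likelihood="Remote")
    print(h.ident, "inherent", inherent_risk(h, EXAMPLE_MATRIX),
          "residual", residual_risk(h, EXAMPLE_MATRIX), check_mitigation(h, EXAMPLE_MATRIX))
```

Because the category names are data rather than code, swapping in a 3 × 3 or 5 × 5 table is a matter of supplying different tuples; the constructor rejects a table whose rows do not match the severity columns before any hazard is classified against it.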

Alternatively, the user can go directly to the GSN display.

The Hazard Editor for an ASIL Project
Selection of an ASIL Hazard

This is the main page for an automotive project hazard, used to add, delete, view and edit an ASIL hazard. As with the aerospace format, a project can contain any number of hazards, each held in its own module. The hazard editor searches the current project for hazard modules. Attributes such as the description and overall status are displayed so that hazards with similar names can be told apart.

Once a hazard is selected, the user can edit further hazard attributes such as the ASIL level and the inherited ASIL level.

Top level ASIL hazard editor
The Display

Both editor formats use the same GSN display. GSN symbols are displayed according to their type, location, relationships and maturity. As the user zooms in (using the GSN display control panel), the amount of information displayed is automatically decreased. Vertical and horizontal scroll bars can be used to move the centre of interest.

As the user zooms out, the information level increases. The scroll bars are resized automatically to match the zoom level.

Symbols are selected with the right-hand mouse button. Further symbols can be added to the selection with Ctrl + right-hand mouse button click. The selected element(s) are moved by pointing to the desired location and clicking the left-hand mouse button; a popup asks for confirmation of the move.

The GSN display has its own dedicated control panel, which selects automatic or manual placement of each element and sets the zoom factor. Because the display is drawn on the DOORS canvas, it does not offer the drag and drop expected of modern editors. Instead, the user selects one or more objects and then a target location with the mouse buttons, which is a quick way of moving blocks of elements. Each element (or group) can then be moved a small distance with the nudge features, and groups of elements can be aligned horizontally or vertically. The traceability relationships move automatically with the elements. For very fine adjustments, the x, y co-ordinates can also be set in the element editor.

When zooming, the text displayed in each symbol is truncated to fit within the symbol. By switching between the display and the editor, further textual narrative can be added in the editor to support the GSN diagrams, striking the balance between brevity in the diagrams and a fuller explanation in the narrative.

The display can be captured with traditional snipping tools or via Paint, but the tool also provides the ability to export to XML or HTML.

Display controller

Both manual and automatic placement are available. The recommended approach is to use automatic placement first and then switch to manual placement for fine-tuning and aesthetic preferences. Buttons are also provided to centre the display and to fit the diagram on the page (by calculating the zoom factor automatically), and to align a selection of elements horizontally or vertically or nudge it in any direction. The buttons are enabled and disabled according to the elements selected.

If an object is selected, the element editor can be opened via the Edit button.

The Element Editor

The editor is used to create a new element or modify an existing one. If the selected object is a hazard, its maturity and location are based on the underlying Goal. Maturity is normally derived from the child objects, although it can be overridden; an override should be used sparingly and recorded in the narrative, since it masks the worst-case status inherited from below. Assumption, justification and context elements can be added. The element editor is context sensitive and displays the appropriate editor for the element being modified; it also allows the x, y co-ordinates to be set manually.

Element Editor