Dependable Software Engineering

Theories Tools and Applications 4th

International Symposium SETTA 2018
Beijing China September 4 6 2018
Proceedings Xinyu Feng
Visit to download the full and correct content document:
https://textbookfull.com/product/dependable-software-engineering-theories-tools-and-
applications-4th-international-symposium-setta-2018-beijing-china-september-4-6-20
18-proceedings-xinyu-feng/
More products digital (pdf, epub, mobi) instant
download maybe you interests ...

Dependable Software Engineering Theories Tools and

Applications 5th International Symposium SETTA 2019
Shanghai China November 27 29 2019 Proceedings Nan Guan

https://textbookfull.com/product/dependable-software-engineering-
theories-tools-and-applications-5th-international-symposium-
setta-2019-shanghai-china-november-27-29-2019-proceedings-nan-
guan/

Dependable Software Engineering. Theories, Tools, and

Applications: 6th International Symposium, SETTA 2020,
Guangzhou, China, November 24–27, 2020, Proceedings Jun
Pang
https://textbookfull.com/product/dependable-software-engineering-
theories-tools-and-applications-6th-international-symposium-
setta-2020-guangzhou-china-november-24-27-2020-proceedings-jun-
pang/

Bio inspired Computing Theories and Applications 13th

International Conference BIC TA 2018 Beijing China
November 2 4 2018 Proceedings Part I Jianyong Qiao

https://textbookfull.com/product/bio-inspired-computing-theories-
and-applications-13th-international-conference-bic-
ta-2018-beijing-china-november-2-4-2018-proceedings-part-i-
jianyong-qiao/

Quantitative Evaluation of Systems 15th International

Conference QEST 2018 Beijing China September 4 7 2018
Proceedings Annabelle Mciver

https://textbookfull.com/product/quantitative-evaluation-of-
systems-15th-international-conference-qest-2018-beijing-china-
september-4-7-2018-proceedings-annabelle-mciver/
Search Based Software Engineering 10th International
Symposium SSBSE 2018 Montpellier France September 8 9
2018 Proceedings Thelma Elita Colanzi

https://textbookfull.com/product/search-based-software-
engineering-10th-international-symposium-ssbse-2018-montpellier-
france-september-8-9-2018-proceedings-thelma-elita-colanzi/

Science of Cyber Security First International

Conference SciSec 2018 Beijing China August 12 14 2018
Revised Selected Papers Feng Liu

https://textbookfull.com/product/science-of-cyber-security-first-
international-conference-scisec-2018-beijing-china-
august-12-14-2018-revised-selected-papers-feng-liu/

Web Information Systems and Applications: 15th

International Conference, WISA 2018, Taiyuan, China,
September 14–15, 2018, Proceedings Xiaofeng Meng

https://textbookfull.com/product/web-information-systems-and-
applications-15th-international-conference-wisa-2018-taiyuan-
china-september-14-15-2018-proceedings-xiaofeng-meng/

Database and Expert Systems Applications 29th

International Conference DEXA 2018 Regensburg Germany
September 3 6 2018 Proceedings Part II Sven Hartmann

https://textbookfull.com/product/database-and-expert-systems-
applications-29th-international-conference-dexa-2018-regensburg-
germany-september-3-6-2018-proceedings-part-ii-sven-hartmann/

Applications of Evolutionary Computation 21st

International Conference EvoApplications 2018 Parma
Italy April 4 6 2018 Proceedings 1st Edition Kevin Sim

https://textbookfull.com/product/applications-of-evolutionary-
computation-21st-international-conference-
evoapplications-2018-parma-italy-april-4-6-2018-proceedings-1st-
 Xinyu Feng · Markus Müller-Olm
Zijiang Yang (Eds.)

Dependable
LNCS 10998

Software Engineering
Theories, Tools, and Applications
4th International Symposium, SETTA 2018
Beijing, China, September 4–6, 2018
Proceedings

123
Lecture Notes in Computer Science 10998
Commenced Publication in 1973
Founding and Former Series Editors:
Gerhard Goos, Juris Hartmanis, and Jan van Leeuwen

Editorial Board
David Hutchison
Lancaster University, Lancaster, UK
Takeo Kanade
Carnegie Mellon University, Pittsburgh, PA, USA
Josef Kittler
University of Surrey, Guildford, UK
Jon M. Kleinberg
Cornell University, Ithaca, NY, USA
Friedemann Mattern
ETH Zurich, Zurich, Switzerland
John C. Mitchell
Stanford University, Stanford, CA, USA
Moni Naor
Weizmann Institute of Science, Rehovot, Israel
C. Pandu Rangan
Indian Institute of Technology Madras, Chennai, India
Bernhard Steffen
TU Dortmund University, Dortmund, Germany
Demetri Terzopoulos
University of California, Los Angeles, CA, USA
Doug Tygar
University of California, Berkeley, CA, USA
Gerhard Weikum
Max Planck Institute for Informatics, Saarbrücken, Germany
More information about this series at http://www.springer.com/series/7408
Xinyu Feng Markus Müller-Olm
•

Zijiang Yang (Eds.)

Dependable
Software Engineering
Theories, Tools, and Applications
4th International Symposium, SETTA 2018
Beijing, China, September 4–6, 2018
Proceedings

123
Editors
Xinyu Feng Zijiang Yang
Nanjing University Western Michigan University
Nanjing Kalamazoo, MI
China USA
Markus Müller-Olm
Westfälische Wilhelms-Universität Münster
Münster
Germany

ISSN 0302-9743 ISSN 1611-3349 (electronic)

Lecture Notes in Computer Science
ISBN 978-3-319-99932-6 ISBN 978-3-319-99933-3 (eBook)
https://doi.org/10.1007/978-3-319-99933-3

Library of Congress Control Number: 2018953821

LNCS Sublibrary: SL2 – Programming and Software Engineering

© Springer Nature Switzerland AG 2018

This work is subject to copyright. All rights are reserved by the Publisher, whether the whole or part of the
material is concerned, specifically the rights of translation, reprinting, reuse of illustrations, recitation,
broadcasting, reproduction on microfilms or in any other physical way, and transmission or information
storage and retrieval, electronic adaptation, computer software, or by similar or dissimilar methodology now
known or hereafter developed.
The use of general descriptive names, registered names, trademarks, service marks, etc. in this publication
does not imply, even in the absence of a specific statement, that such names are exempt from the relevant
protective laws and regulations and therefore free for general use.
The publisher, the authors and the editors are safe to assume that the advice and information in this book are
believed to be true and accurate at the date of publication. Neither the publisher nor the authors or the editors
give a warranty, express or implied, with respect to the material contained herein or for any errors or
omissions that may have been made. The publisher remains neutral with regard to jurisdictional claims in
published maps and institutional affiliations.

This Springer imprint is published by the registered company Springer Nature Switzerland AG
The registered company address is: Gewerbestrasse 11, 6330 Cham, Switzerland
 Preface

This volume contains the papers presented at the 4th International Symposium on
Dependable Software Engineering: Theories, Tools, and Applications (SETTA 2018),
held during September 4–6, 2018, in Beijing. The purpose of SETTA is to provide an
international forum for researchers and practitioners to share cutting-edge advance-
ments and strengthen collaborations in the field of formal methods and its interoper-
ability with software engineering for building reliable, safe, secure, and smart systems.
Past SETTA symposiums were successfully held in Nanjing (2015), Beijing (2016),
and Changsha (2017).
SETTA 2018 solicited submissions in two categories, regular papers and short
papers. Short papers could discuss ongoing research at an early stage, or present systems
and tools. There were 22 submissions in total. Each submission was reviewed by at least
three, and on average 3.7, Program Committee (PC) members, with the help of external
reviewers. After thoroughly evaluating the relevance and quality of each paper through
online PC meetings, the PC decided to accept nine regular papers and three short papers.
The program also included three invited talks given by Prof. Moshe Vardi from Rice
University, Prof. Tao Xie from University of Illinois at Urbana-Champaign, and Prof.
Hongseok Yang from KAIST. Prof. Moshe Vardi was a joint keynote speaker of
CONFESTA 2018, a joint event comprising the international 2018 conferences CON-
CUR, FORMATS, QEST, and SETTA, alongside with several workshops and tutorials.
This program would not have been possible without the unstinting efforts of many
people, whom we would like to thank. First, we would like to express our gratitude to
the PC and the external reviewers for their hard work put in toward ensuring the high
quality of the proceedings. Our thanks also go to the Steering Committee for its advice
and help. We would like to warmly thank the general chair of SETTA 2018, Prof.
Chaochen Zhou, the general chair of CONFESTA 2018, Prof. Huimin Lin, the local
organizers including Dr. David N. Jansen, Dr. Andrea Turrini, Dr. Shuling Wang, Dr.
Peng Wu, Dr. Zhilin Wu, Dr. Bai Xue, Prof. Lijun Zhang, and all others on the local
Organizing Committee.
We also enjoyed great institutional and financial support from the Institute of
Software, Chinese Academy of Sciences, without which an international conference
like CONFESTA and the co-located events could not have been successfully orga-
nized. We also thank the Chinese Academy of Sciences and the other sponsors for their
financial support. Furthermore, we would like to thank Springer for sponsoring the Best
Paper Award. Finally, we are grateful to the developers of the EasyChair system, which
significantly eased the processes of submission, paper selection, and proceedings
compilation.

July 2018 Xinyu Feng

Markus Müller-Olm
Zijiang Yang
 Organization

General Chair
Chaochen Zhou Institute of Software, CAS, China

Program Chairs
Xinyu Feng Nanjing University, China
Markus Müller-Olm Westfälische Wilhelms-Universität Münster, Germany
Zijiang Yang Western Michigan University, USA

Program Committee
Farhad Arbab CWI and Leiden University, The Netherlands
Sanjoy Baruah Washington University in St. Louis, USA
Lei Bu Nanjing University, China
Michael Butler University of Southampton, UK
Yan Cai Institute of Software, CAS, China
Taolue Chen Birkbeck, University of London, UK
Yuxin Deng East China Normal University, China
Xinyu Feng Nanjing University, China
Yuan Feng University of Technology, Sydney, Australia
Ernst Moritz Hahn Institute of Software, CAS, China
Dan Hao Peking University, China
Maritta Heisel University of Duisburg-Essen, Germany
Raymond Hu Imperial College London, UK
He Jiang Dalian University of Technology, China
Yu Jiang Tsinghua University, China
Einar Broch Johnsen University of Oslo, Norway
Guoqiang Li Shanghai Jiao Tong University, China
Ting Liu Xi’an Jiaotong University, China
Tongping Liu University of Texas at San Antonio, USA
Yang Liu Nanyang Technological University, Singapore
Xiapu Luo The Hong Kong Polytechnic University, Hong Kong,
SAR China
Stephan Merz Inria Nancy and LORIA, France
Markus Müller-Olm Westfälische Wilhelms-Universität Münster, Germany
Jun Pang University of Luxembourg, Luxembourg
Davide Sangiorgi University of Bologna, Italy
Oleg Sokolsky University of Pennsylvania, USA
Fu Song ShanghaiTech University, China
Zhendong Su University of California, Davis, USA
VIII Organization

Jun Sun Singapore University of Technology and Design,

Singapore
Walid Mohamed Taha Halmstad University and University of Houston,
Sweden
Sofiene Tahar Concordia University, Canada
Cong Tian Xidian University, China
Bow-Yaw Wang Academia Sinica, Taiwan
Chao Wang University of Southern California, USA
Ji Wang National University of Defense Technology, China
Heike Wehrheim University of Paderborn, Germany
Xin Xia Monash University, Australia
Zijiang Yang Western Michigan University, USA
Shin Yoo KAIST, Korea

Local Organizing Committee

Jansen, David N.
Lv, Yi
Turrini, Andrea
Wang, Shuling
Wu, Peng
Wu, Zhilin (chair)
Xue, Bai
Yan, Rongjie
Zhu, Xueyang

Additional Reviewers

Chen, Liqian König, Jürgen

Chen, Zhe Liu, Hongyu
Colley, John Petre, Luigia
Dongol, Brijesh Santen, Thomas
Elderhalli, Yassmeen Silvestro, Sam
Gu, Tianxiao Soualhia, Mbarka
Gutsfeld, Jens Steffen, Martin
Kaur, Ramneet Tang, Enyi
Kenter, Sebastian Zhang, Min
Kharraz, Karam Zhu, Chenyang
Abstracts of Invited Talks
 Intelligent Software Engineering: Synergy
between AI and Software Engineering

Tao Xie

University of Illinois at Urbana-Champaign, Urbana, IL 61801, USA

taoxie@illinois.edu

Abstract. As an example of exploiting the synergy between AI and software

engineering, the field of intelligent software engineering has emerged with
various advances in recent years. Such field broadly addresses issues on intel-
ligent [software engineering] and [intelligence software] engineering. The for-
mer, intelligent [software engineering], focuses on instilling intelligence in
approaches developed to address various software engineering tasks to
accomplish high effectiveness and efficiency. The latter, [intelligence software]
engineering, focuses on addressing various software engineering tasks for
intelligence software, e.g., AI software. In this paper, we discuss recent research
and future directions in the field of intelligent software engineering.

This work was supported in part by National Science Foundation under grants no. CNS-1513939
and CNS1564274, and a grant from the ZJUI Research Program.
 Formal Semantics of Probabilistic
Programming Languages: Issues, Results
and Opportunities

Hongseok Yang

KAIST, Daejeon, South Korea

hongseok00@gmail.com

Probabilistic programming refers to the idea of developing a programming language for

writing and reasoning about probabilistic models from machine learning and statistics.
Such a language comes with the implementation of several generic inference algo-
rithms that answer various queries about the models written in the language, such as
posterior inference and marginalisation. By providing these algorithms, a probabilistic
programming language enables data scientists to focus on designing good models
based on their domain knowledge, instead of building effective inference engines for
their models, a task that typically requires expertise in machine learning, statistics and
systems. Even experts in machine learning and statistics may get benefited from such a
probabilistic programming system because using the system they can easily explore
highly advanced models.
In the past three years, I and my colleagues have worked on developing so called
denotational semantics of such probabilistic programming languages, especially those
that support expressive language features such as higher-order functions, continuous
distributions and general recursion. Such semantics describe what probabilistic model
each program in those languages denotes, serve as specifications for inference algo-
rithms for the languages, and justify compiler optimisations for probabilistic programs
or models. In this talk, I will describe what we have learnt so far, and explain how these
lessons help improve the design and implementation of these probabilistic program-
ming languages and their inference engines.
 Contents

Abstracts of Invited Talks

Intelligent Software Engineering: Synergy Between AI

and Software Engineering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
Tao Xie

Software Assurance

Automatic Support of the Generation and Maintenance of Assurance Cases . . . 11

Chung-Ling Lin, Wuwei Shen, Tao Yue, and Guangyuan Li

Refinement

Correct-by-Construction Implementation of Runtime Monitors

Using Stepwise Refinement . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
Teng Zhang, John Wiegley, Theophilos Giannakopoulos,
Gregory Eakman, Clément Pit-Claudel, Insup Lee, and Oleg Sokolsky

Identifying Microservices Using Functional Decomposition . . . . . . . . . . . . . 50

Shmuel Tyszberowicz, Robert Heinrich, Bo Liu, and Zhiming Liu

Verification

Robust Non-termination Analysis of Numerical Software . . . . . . . . . . . . . . . 69

Bai Xue, Naijun Zhan, Yangjia Li, and Qiuye Wang

Developing GUI Applications in a Verified Setting . . . . . . . . . . . . . . . . . . . 89

Stephan Adelsberger, Anton Setzer, and Eric Walkingshaw

Interleaving-Tree Based Fine-Grained Linearizability Fault Localization . . . . . 108

Yang Chen, Zhenya Zhang, Peng Wu, and Yu Zhang

Miscellaneous (Short Papers)

Improvement in JavaMOP by Simplifying Büchi Automaton . . . . . . . . . . . . 129

Junyan Qian, Cong Chen, Wei Cao, Zhongyi Zhai, and Lingzhong Zhao

Developing A New Language to Construct Algebraic Hierarchies

for Event-B . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135
James Snook, Michael Butler, and Thai Son Hoang
XIV Contents

Towards the Existential Control of Boolean Networks:

A Preliminary Report. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 142
Soumya Paul, Jun Pang, and Cui Su

Timing and Scheduling

Statistical Model Checking of Response Times for Different

System Deployments . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 153
Bernhard K. Aichernig, Severin Kann, and Richard Schumi

Probabilistic Analysis of Timing Constraints in Autonomous

Automotive Systems Using Simulink Design Verifier . . . . . . . . . . . . . . . . . 170
Eun-Young Kang and Li Huang

Mixed-Criticality Scheduling with Limited HI-Criticality Behaviors. . . . . . . . 187

Zhishan Guo, Luca Santinelli, and Kecheng Yang

Author Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 201

Abstracts of Invited Talks
 Intelligent Software Engineering: Synergy
Between AI and Software Engineering

Tao Xie(B)

University of Illinois at Urbana-Champaign, Urbana, IL 61801, USA

taoxie@illinois.edu

Abstract. As an example of exploiting the synergy between AI and soft-

ware engineering, the field of intelligent software engineering has emerged
with various advances in recent years. Such field broadly addresses issues
on intelligent [software engineering] and [intelligence software] engineer-
ing. The former, intelligent [software engineering], focuses on instilling
intelligence in approaches developed to address various software engi-
neering tasks to accomplish high effectiveness and efficiency. The latter,
[intelligence software] engineering, focuses on addressing various soft-
ware engineering tasks for intelligence software, e.g., AI software. In this
paper, we discuss recent research and future directions in the field of
intelligent software engineering.

Keyword: Intelligent software engineering

1 Introduction

As an example of exploiting the synergy between AI and software engineer-

ing, the field of intelligent software engineering [31] has emerged with various
advances in recent years. Such field broadly addresses issues on intelligent [soft-
ware engineering] and [intelligence software] engineering. The former, intelligent
[software engineering], focuses on instilling intelligence in approaches developed
to address various software engineering tasks to accomplish high effectiveness
and efficiency. The latter, [intelligence software] engineering, focuses on address-
ing various software engineering tasks for intelligence software, e.g., AI software.
Indeed, the preceding two aspects can overlap when instilling intelligence in
approaches developed to address various software engineering tasks for intel-
ligence software. By nature, the field of intelligent software engineering is a
research field spanning at least the research communities of software engineering
and AI.

This work was supported in part by National Science Foundation under grants no.
CNS-1513939 and CNS1564274, and a grant from the ZJUI Research Program.
c Springer Nature Switzerland AG 2018
X. Feng et al. (Eds.): SETTA 2018, LNCS 10998, pp. 3–7, 2018.
https://doi.org/10.1007/978-3-319-99933-3_1
4 T. Xie

2 Instilling Intelligence in Software Engineering

Applying or adapting AI technologies to address various software engineering
tasks [13] has been actively pursued by researchers from the software engineering
research community, e.g., machine learning for software engineering [1,18,38] and
natural language processing for software engineering [20,21,29,30,39,40], and
also by researchers from the AI research community in recent years [2] partly
due to the increasing popularity of deep learning [24]. Much of such previous
work has been on automating as much as possible to address a specific software
engineering task such as programming and testing. But as pointed out by various
AI researchers [14,17], AI technologies typically enhance or augment human,
instead of replacing human.
In future work, we envision that intelligence can be instilled into approaches
for software engineering tasks in the following two example ways as starting
points.
Natural Language Interfacing. Natural language conversations between a
human and a machine can be traced back to the Turing test [28], proposed
by Turing in 1950, as a test for a machine to exhibit intelligent behaviors
indistinguishable from a human’s. Natural-language-based chatbots have been
increasingly developed and deployed for various domains: virtual assistants (such
as Apple Siri, Google Assistant, Amazon Alexa, Microsoft Cortana, Samsung
Bixby), customer services, social media (such as Facebook Messenger chatbots).
Very recently, exploring the use of chatbots in software engineering has been
started [3,5,6,12,15,26]. Beyond chatbots or conversational natural language
interfacing, natural language interfacing will play an increasingly important and
popular role in software development environments [9], due to its benefits of
improving developer productivity.
Continuous Learning. Machine learning has been increasingly applied or
adapted for various software engineering tasks since at least early 2000 [2,32]; in
the past several years, deep learning [24] has been applied on software engineer-
ing problems (e.g., [10,11,35]). Such direction’s increasing popularity is partly
thanks to the availability of rich data (being either explicitly or implicitly labeled
in one way or another) in software repositories [32] along with the advances in
machine learning especially deep learning [24] in recent years. Beyond apply-
ing machine learning only once or occasionally, software engineering tools are in
need of gaining the continuous-learning capability: when the tools are applied
in software engineering practices, the tools continuously learn to get more and
more intelligent and capable.

3 Software Engineering for Intelligence Software

In recent decades, Artificial Intelligence (AI) has emerged as a technical pil-
lar underlying modern-day solutions to increasingly important tasks in daily life
and work. The impacted settings range from smartphones carried in one’s pocket
to transportation vehicles. Artificial Intelligence (AI) solutions are typically in
 Intelligent Software Engineering 5

the form of software. Thus, intelligence software is naturally amenable to soft-

ware engineering issues such as dependability [8] including reliability [22,27] and
security [33,34], etc. Assuring dependability of intelligence software is critical but
largely unexplored compared to traditional software.
For example, intelligence software that interacts with users by communi-
cating content (e.g., chatbots, image-tagging) does so within social environ-
ments constrained by social norms [7]. For such intelligence software to meet
the users’ expectation, it must comply with accepted social norms. However,
determining what are accepted social norms can vary greatly by culture and envi-
ronment [7]. Recent AI-based solutions, such as Microsoft’s intelligent chatbot
Tay [16] and Google Photos app’s imagine-tagging feature [4], received negative
feedback because their behavior lied outside accepted social norms. In addition,
formulating failure conditions and monitoring such conditions at runtime may
not be acceptable for intelligence software such as robotic software because it
would be too late to conduct failure avoidance or recovery actions when such
failure conditions are detected [23]. Generally formulating proper requirements
for intelligence software remains a challenge for the research community.
In addition, intelligence software is known to often suffer from the “no
oracle problem” [19,25,36,37]. For example, in supervised learning, a future
application-data entry can be labeled (manually or automatically); however,
using such labels as the test oracle is not feasible. The reason is that there
exists some inaccuracy (i.e., predicting a wrong label) in the learned classifi-
cation model. This inaccuracy is inherent and sometimes desirable to avoid the
overfitting problem (i.e., the classification model performs perfectly on the train-
ing data but undesirably in future application data).

References
1. Acharya, M., Xie, T., Pei, J., Xu, J.: Mining API patterns as partial orders from
source code: from usage scenarios to specifications. In: Proceedings of the Meet-
ing of the European Software Engineering Conference and the ACM SIGSOFT
Symposium on The Foundations of Software Engineering (ESEC-FSE), pp. 25–34
(2007)
2. Allamanis, M., Barr, E.T., Devanbu, P., Sutton, C.: A survey of machine learning
for big code and naturalness, September 2017. arXiv:1709.06182
3. Balog, M., Gaunt, A.L., Brockschmidt, M., Nowozin, S., Tarlow, D.: DeepCoder:
learning to write programs. In: Proceedings of the International Conference on
Learning Representations (ICLR) (2017)
4. Barr, A.: Google mistakenly tags black people as ‘gorillas’, showing limits of
algorithms. Wall Str. J. (2015). http://blogs.wsj.com/digits/2015/07/01/google-
mistakenly-tags-black-people-as-gorillas-showing-limits-of-algorithms/
5. Beschastnikh, I., Lungu, M.F., Zhuang, Y.: Accelerating software engineering
research adoption with analysis bots. In: Proceedings of the International Con-
ference on Software Engineering (ICSE), New Ideas and Emerging Results Track,
pp. 35–38 (2017)
6. Bieliauskas, S., Schreiber, A.: A conversational user interface for software visualiza-
tion. In: Proceedings of the IEEE Working Conference on Software Visualization
(VISSOFT), pp. 139–143 (2017)
6 T. Xie

7. Coleman, J.: Foundations of Social Theory. Belknap Press Series. Belknap Press
of Harvard University Press, Cambridge (1990)
8. Committee on Technology National Science and Technology Council and Penny
Hill Press: Preparing for the Future of Artificial Intelligence. CreateSpace Inde-
pendent Publishing Platform, USA (2016)
9. Ernst, M.D.: Natural language is a programming language: applying natural lan-
guage processing to software development. In: Proceedings of the 2nd Summit on
Advances in Programming Languages (SNAPL), pp. 4:1–4:14 (2017)
10. Gu, X., Zhang, H., Zhang, D., Kim, S.: Deep API learning. In: Proceedings of the
ACM SIGSOFT International Symposium on Foundations of Software Engineering
(FSE), pp. 631–642 (2016)
11. Gu, X., Zhang, H., Zhang, D., Kim, S.: DeepAM: migrate APIs with multi-modal
sequence to sequence learning. In: Proceedings of the International Joint Confer-
ence on Artificial Intelligence (IJCAI), pp. 3675–3681 (2017)
12. Gupta, R., Pal, S., Kanade, A., Shevade, S.: DeepFix: fixing common C language
errors by deep learning. In: Proceedings of the National Conference on Artificial
Intelligence (AAAI) (2017)
13. Harman, M.: The role of artificial intelligence in software engineering. In: Proceed-
ings International Workshop on Realizing AI Synergies in Software Engineering
(RAISE), pp. 1–6 (2012)
14. Jordan, M.: Artificial intelligence-the revolution hasn’t happened yet, April 2018.
https://medium.com/@mijordan3/artificial-intelligence-the-revolution-hasnt-
happened-yet-5e1d5812e1e7
15. Lebeuf, C., Storey, M.D., Zagalsky, A.: How software developers mitigate collabo-
ration friction with chatbots. CoRR abs/1702.07011 (2017). http://arxiv.org/abs/
1702.07011
16. Leetaru, K.: How Twitter corrupted Microsoft’s Tay: a crash course in the
dangers of AI in the real world. Forbes (2016). https://www.forbes.com/sites/
kalevleetaru/2016/03/24/how-twitter-corrupted-microsofts-tay-a-crash-course-
in-the-dangers-of-ai-in-the-real-world/
17. Li, F.F.: How to make A.I. that’s good for people, March 2018. https://www.
nytimes.com/2018/03/07/opinion/artificial-intelligence-human.html
18. Michail, A., Xie, T.: Helping users avoid bugs in GUI applications. In: Proceed-
ings of the International Conference on Software Engineering (ICSE), pp. 107–116
(2005)
19. Murphy, C., Kaiser, G.E.: Improving the dependability of machine learning appli-
cations. Technical report, CUCS-049-, Department of Computer Science, Columbia
University (2008)
20. Pandita, R., Xiao, X., Yang, W., Enck, W., Xie, T.: WHYPER: towards automat-
ing risk assessment of mobile applications. In: Proceedings of the USENIX Con-
ference on Security (SEC), pp. 527–542 (2013)
21. Pandita, R., Xiao, X., Zhong, H., Xie, T., Oney, S., Paradkar, A.: Inferring method
specifications from natural language API descriptions. In: Proceedings of the Inter-
national Conference on Software Engineering (ICSE), pp. 815–825 (2012)
22. Pei, K., Cao, Y., Yang, J., Jana, S.: DeepXplore: automated whitebox testing of
deep learning systems. In: Proceedings of the Symposium on Operating Systems
Principles (SOSP), pp. 1–18 (2017)
23. Qin, Y., Xie, T., Xu, C., Astorga, A., Lu, J.: CoMID: context-based multi-invariant
detection for monitoring cyber-physical software. CoRR abs/1807.02282 (2018).
https://arxiv.org/abs/1807.02282
 Intelligent Software Engineering 7

24. Schmidhuber, J.: Deep learning in neural networks. Neural Netw. 61(C), 85–117
(2015)
25. Srisakaokul, S., Wu, Z., Astorga, A., Alebiosu, O., Xie, T.: Multiple-
implementation testing of supervised learning software. In: Proceedings of the
AAAI-2018 Workshop on Engineering Dependable and Secure Machine Learning
Systems (EDSMLS) (2018)
26. Storey, M.D., Zagalsky, A.: Disrupting developer productivity one bot at a time.
In: Proceedings of the ACM SIGSOFT International Symposium on Foundations
of Software Engineering (FSE), pp. 928–931 (2016)
27. Tian, Y., Pei, K., Jana, S., Ray, B.: DeepTest: automated testing of deep-neural-
network-driven autonomous cars. In: Proceedings International Conference on Soft-
ware Engineering (ICSE), pp. 303–314 (2018)
28. Turing, A.M.: Computing machinery and intelligence (1950). One of the most
influential papers in the history of the cognitive sciences. http://cogsci.umn.edu/
millennium/final.html
29. Wang, X., Zhang, L., Xie, T., Anvik, J., Sun, J.: An approach to detecting duplicate
bug reports using natural language and execution information. In: Proceedings of
the International Conference on Software Engineering (ICSE), pp. 461–470 (2008)
30. Xiao, X., Paradkar, A., Thummalapenta, S., Xie, T.: Automated extraction of
security policies from natural-language software documents. In: Proceedings of
the ACM SIGSOFT International Symposium on the Foundations of Software
Engineering (FSE), pp. 12:1–12:11 (2012)
31. Xie, T.: Intelligent software engineering: synergy between AI and software engi-
neering. In: Proceedings of the Innovations in Software Engineering Conference
(ISEC), p. 1:1 (2018)
32. Xie, T., Thummalapenta, S., Lo, D., Liu, C.: Data mining for software engineering.
Computer 42(8), 55–62 (2009)
33. Yang, W., Kong, D., Xie, T., Gunter, C.A.: Malware detection in adversarial set-
tings: exploiting feature evolutions and confusions in Android apps. In: Proceedings
Annual Computer Security Applications Conference (ACSAC), pp. 288–302 (2017)
34. Yang, W., Xie, T.: Telemade: a testing framework for learning-based malware
detection systems. In: Proceedings AAAI-2018 Workshop on Engineering Depend-
able and Secure Machine Learning Systems (EDSMLS) (2018)
35. Yin, P., Neubig, G.: A syntactic neural model for general-purpose code genera-
tion. In: Proceedings of the Annual Meeting of the Association for Computational
Linguistics (ACL) (2017)
36. Zheng, W., Ma, H., Lyu, M.R., Xie, T., King, I.: Mining test oracles of web search
engines. In: Proceedings of the IEEE/ACM International Conference on Auto-
mated Software Engineering (ASE), pp. 408–411 (2011)
37. Zheng, W., et al.: Oracle-free detection of translation issue for neural machine
translation. CoRR abs/1807.02340 (2018). https://arxiv.org/abs/1807.02340
38. Zhong, H., Xie, T., Zhang, L., Pei, J., Mei, H.: MAPO: mining and recommending
API usage patterns. In: Drossopoulou, S. (ed.) ECOOP 2009. LNCS, vol. 5653, pp.
318–343. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-03013-
0 15
39. Zhong, H., Zhang, L., Xie, T., Mei, H.: Inferring resource specifications from natu-
ral language API documentation. In: Proceedings of the IEEE/ACM International
Conference on Automated Software Engineering (ASE), pp. 307–318 (2009)
40. Zhong, Z., et al.: Generating regular expressions from natural language specifica-
tions: are we there yet? In: Proceedings of the Workshop on NLP for Software
Engineering (NL4SE) (2018)
Software Assurance
 Automatic Support of the Generation
and Maintenance of Assurance Cases

Chung-Ling Lin1, Wuwei Shen1(&), Tao Yue2, and Guangyuan Li3

1
Department of Computer Science, Western Michigan University,
Kalamazoo, USA
{chung-ling.lin,wuwei.shen}@wmich.edu
2
Simula Research Laboratory, University of Oslo, Oslo, Norway
tao@simula.no
3
State Key Laboratory of Computer Science,
Institute of Software, Beijing, China
ligy@ios.ac.cn
4
China School of Computer and Control Engineering, UCAS, Beijing, China

Abstract. One of the challenges in developing safety critical systems is to

ensure software assurance which encompasses quality attributes such as relia-
bility and security as well as functionality and performance. An assurance case,
which lays out an argumentation-structure with supporting evidence to claim
that software assurance in a system is achieved, is increasingly considered as an
important means to gain confidence that a system has achieved acceptable safety
when checking with emerging standards and national guidelines. However, the
complexity of modern safety critical applications hinders the automatic inte-
gration of heterogeneous artifacts into an assurance case during a development
process such as a V-model, let alone the automatic support of system evolution.
In this paper, we present a novel framework to automatically generate assurance
cases via safety patterns and further support the maintenance of them during a
system’s evolution. The application of safety patterns not only enables
reusability of previously successful argument structures but also directs the
support of assurance maintenance caused by common types of modifications in
safety critical domains. The framework is implemented as a prototypical tool
built using Model Driven Architecture (MDA). We evaluated the framework
with two case studies featuring two criteria and the preliminary experimental
results not only show that the framework is useful in evaluation of safety critical
systems but also reveal how different types of modification can affect a structure
of an assurance case.

Keywords: Assurance case
Safety pattern
Model transformation

Safety critical systems

1 Introduction

Failure of safety critical applications might lead to serious consequences such as sig-
nificant financial loss or even loss of life. Thus, software quality assurance, also simply
called software assurance, has become the focus when certifying a safety critical
system. Software assurance includes reliability, security, robustness, safety, and other
© Springer Nature Switzerland AG 2018
X. Feng et al. (Eds.): SETTA 2018, LNCS 10998, pp. 11–28, 2018.
https://doi.org/10.1007/978-3-319-99933-3_2
12 C.-L. Lin et al.

quality-related attributes, as well as functionality and performance [1]. A structure, like

a legal case which lays out an argument structure with supporting evidence, can be
helpful to make decisions on software assurance. This kind of structures is called
assurance cases or safety cases. An assurance case is thus increasingly considered as an
important means to show that a system has acceptable safety when checking its con-
formance to emerging standards and national guidelines such as the ISO 26262
functional safety standard for automotive systems [2] and the U.S. Food and Drug
Administration draft guidance on the production of infusion pump systems [3].
However, most assurance cases are currently manually constructed. For example, the
preliminary assurance case for co-operative airport surface surveillance operations [4]
is about 200 pages long, and is expected to grow as the interim and operational safety
cases are created. The manual management of such increasingly complicated assurance
cases are not only time consuming but also error prone. Thus, any automation in the
management of assurance cases is appreciated. As such, we in this paper propose an
automatic mechanism to create and maintain assurance cases for the purpose of
assisting human decisions on software assurance.
One challenge in the automatic construction and maintenance of an assurance case
originates from the management of heterogeneous artifacts developed during a software
development lifecycle. In many cases, these artifacts are eventually used as evidence in
the assurance case. Such heterogeneous artifacts have various formats. The construc-
tion of an assurance case including heterogeneous artifacts as evidence as well as their
context, assumption and logic inference is further compounded by their underlying
development process. Each safety critical domain often has its own development
process while they share similarity conceptually.
Efforts have been made to construct assurance cases to support software certifi-
cation for safety critical systems. Denny et al. proposed a new methodology in the
aviation domain to automatically assembly lower level safety cases based on the
verification of safety-related properties of the autopilot software in the Swift Unmanned
Aircraft System (UAS) [5]. The methodology applied the annotation schema, which
models the information such as the definition of a program variable during the veri-
fication of safety-related properties, to automatically generate safety case fragments.
But, the annotation schema cannot be employed to model system artifacts and high-
level safety cases thus are manually assembled. Especially inspired by rapid and
successful application of design patterns in software development, researchers have
proposed safety patterns in the construction of assurance cases. However, we found
most existing approaches based on support of safety patterns lack flexibility when
combining two safety patterns in various environment [6–10]. For instance, when
combining a node, say leaf node A, in one safety pattern with another one, most
existing approaches require the leaf node be the same as the root node in the second
safety pattern. In this case, we call the connection to the first safety pattern via the
A leaf node unchanged. But, our experience in safety critical domains has shown that
the A leaf node can connect to the root node via the supportedBy relation to increase the
reusability of the two safety patterns. In this case, we call the connection to the first
safety pattern via A strengthened.
The automatic management of an assurance case in safety critical domains is a
crucial yet feasible feature and can be realized thanks to the development of Model
 Automatic Support of the Generation and Maintenance of Assurance Cases 13

Driven Architecture (MDA) [12]. As is well known, many safety critical systems adopt
a development process such as a V-Model where a sequence of activities are performed
and each activity produces a set of artifacts based on the artifacts of its prior activity as
input. During a development process, an artifact produced by one activity can become
an input to the next activity. Thus, in MDA, using a metamodel, which models a
development process, makes it possible to automatically generate a complete assurance
case. To this end, we employ the Object Constraint Language (OCL) to expand the
syntax of the Goal Structuring Notation (GSN) [13] so that a safety pattern can be
defined in a way where more flexibility can be achieved compared with other existing
approaches. Furthermore, since only support of the unchanged connection to the first
safety pattern via a node limits the application of a safety pattern, we add a new feature
of having a client to decide whether a connection to the first safety pattern via a node is
unchanged or strengthened.
More importantly, the creation of an assurance case with our framework via safety
patterns further alleviates the difficulty in managing the evolution of an assurance case
during software maintenance. A root cause for software maintenance commonly comes
from two types of modifications, i.e. modifications in a development process, and
modifications in artifacts produced for a specific project. In general, if either a
development process or a system artifact is modified, a previously laid-out argument
structure with supporting evidence might be in jeopardy. Instead of regeneration and
review of an entire argument structure, we propose a novel strategy by means of
highlighting affected nodes according to modifications. Certifiers can thus concentrate
on the affected nodes with their underlying argument structure to recertify a software
system. In summary, we make the following contributions in this paper.
• Extension to GSN to allow the introduction of safety case patterns;
• Strengthening an argument structure of a safety pattern when combined with
another safety pattern;
• Automatic support of safety case pattern validation and assurance case generation
based on the extension to GSN to increase the reusability of successful safety case
patterns so that the capability of building and reviewing a safety case can be
improved; and
• Integration of safety case generation and maintenance into a development process.
The remainder of this paper is organized as follows: In Sect. 2, we briefly introduce
the GSN and present a problem statement for this research. In Sect. 3, we introduce a
running example to illustrate our framework. Section 4 discusses the framework
structure and algorithm with its application in one case study. Section 5 presents the
evaluation while Sect. 6 discusses the related work. We draw a conclusion and present
the future work in Sect. 7.

2 GSN and the Problem Statement

An assurance case is important for safety critical systems in that it provides an argu-
ment structure about why a safety critical system achieves its mission. Currently, there
are two notations to denote an assurance case, i.e. GSN and Claims-Arguments-
14 C.-L. Lin et al.

Evidence (CAE) Notation [14]. In this paper, we consider GSN as the main repre-
sentation of an assurance case. Central to an assurance case is an argument that is given
by a hierarchy of claims supporting a logic reasoning chain to support an overall claim.
To provide software assurance of a safety-critical system, a convincing assurance case
usually consists of claims, strategies, and evidence as well as assumptions and justi-
fications, which is illustrated via a GSN example shown in Fig. 4 with a brief intro-
duction as follows.
• Claim. A claim, also called a goal, is a statement that claims about some important
properties of a system such as safety and security. In GSN, a claim of an argument
is documented as a goal which is denoted as rectangle. In Fig. 4, for instance, the
top rectangle node “BSCU SW is safe” is a claim or a goal.
• Strategy. When a claim is supported by a set of sub-claims, it is useful to provide
the reasoning step as part of the whole argument. This reasoning step is called a
strategy. In GSN, a strategy links between two or more goals and is rendered as a
parallelogram. In Fig. 4, for instance, the parallelogram node “Argument over all
BSCU software contributions identified from BSCU SW” is a strategy.
• Evidence. Evidence is used to support the truth of a claim. In GSN, evidence is
documented as a solution and represented as a circle. In Fig. 4, for instance, the
circle node “WBS Hazard Analysis Report” is an evidence item.
A convincing and valid argument regarding why a system meets its assurance
properties is given by a logic reason chain which is the heart of an assurance case.
A line with solid arrowhead between two nodes in GSN denotes the “supportedBy”
relationship. For instance, the top claim of the GSN in Fig. 4 is supported by the
strategy, which is the argument over all “BSCU hazards” being identified from “BSCU
SW”. The strategy is further supported by four subclaims, three of which show the
three hazards while the fourth shows all these three hazards are completely and cor-
rectly identified. Each subclaim can be further supported until some evidence node is
provided. For instance, the fourth subclaim is further decomposed into another sub-
claim about the “Functional Hazard Analysis” method. Finally, the subclaim is sup-
ported by an evidence node showing the WBS hazard analysis report. Due to space, we
skip the further argumentation structure supporting the first three subclaims related to
the identified hazards using a diamond, meaning undeveloped. Once a GSN model is
established, a certifier can review the model in a bottom-up manner to gain the con-
fidence of a root claim.
The goal of this paper is to aid both engineers and certifiers to develop and certify a
safety critical system in an effective and efficient manner. We thus address the fol-
lowing problem statement: Given a specific development process employed by engi-
neers, while software assurance is finally made by a human judgement of fitness for
use, how can we provide as much automation as possible to generate an assurance
case which not only lays out an argument structure with supporting evidence to
support a claim about software assurance but also evolves during software mainte-
nance. To attack the challenging problem statement, we will present a novel framework
based on MDA [12]. The framework provides the automation of the creation and
maintenance of an assurance case in support of development and certification of safety
critical systems.
 Automatic Support of the Generation and Maintenance of Assurance Cases 15

3 An Illustrative Example

To illustrate how our framework supports development and certification of safety critical
systems, we use a Wheel Braking System (WBS) for an aircraft called the S18 based on
the system specification in the Aviation Recommended Practice (ARP) 4761
Appendix L. To demonstrate the capability of our approach in support of automatic
generation of an assurance case, we use the system artifacts which were provided by [6],
where the authors manually generated an assurance case. An important reason to choose
this case study is that the case study was well developed and discussed by a third-party
developer team and so any bias when applying our approach can be removed.
According to the work [6], there are two independent Brake System Control Units
(BSCUs). To demonstrate that a software system is sufficiently safe to operate on the
BSCU, all hazards should be first identified and then hazardous software contributions
related to the identified hazards should be revealed. For each hazardous software
contribution, a set of safety requirements are presented in [6]. All this information can
be modelled as a class diagram in the Unified Modeling Language (UML), called a
domain model. Specifically, a domain model provides the meta-information which is
required for a specific project. In many cases, a domain model can be converted to the
meta information representing the content in a table. For instance, the classes Hazard,
SWContribution, SoftwareSafetyReq are converted to the three columns in Table 1. For
a specific system, the values/instances of the classes in a domain model are listed in the
table. The authors in [6] listed three hazards, three hazardous software contributions,
and three software safety requirements which are summarized in Table 1.

Table 1. Example of system artifacts

Software Hazard SWContribution SoftwareSafetyReq
BSCU Hazard 1 Contribution 1 SSR1 On receipt of brake pedal
SW Loss of Deceleration Software fails to position. Command shall calculate
Capability command braking braking force and output braking
when required command
Hazard 2 Contribution 2 SSR2
Inadvertent Deceleration Software Command shall not output a braking
commands braking command unless brake pedal
when not required position is received
Hazard I Contribution 3 SSR3
Partial Loss of Software Braking commands generated by the
Deceleration Capability commands Command component meet defined
and Asymmetric incorrect braking criteria
Deceleration force

Figure 1 shows a safety pattern catalog whose pattern in the extended GSN is
supported by the framework. Unlike many existing safety pattern-based approaches, we
propose that a safety pattern catalog is necessary for the application of the safety pattern
in that the catalog provides not only a safety pattern in the extended GSN but also
16 C.-L. Lin et al.

includes the description and applied metamodel to which the pattern can be applied.
Therefore, a safety pattern can clearly demonstrate how it is applied in a concrete
environment via an applied metamodel combined with the description. As shown in
Fig. 1, we extend the syntax of GSN to accommodate the introduction of new vari-
ables. Basically, there are two types of variables. One is given by the {s} variable
where s is mapped to a class in an applied metamodel. The other type is given by {$a}
where variable $a denotes a string during the instantiation of a pattern. So, when the
safety pattern shown in Fig. 1 is applied to the metamodel with the configuration table
as shown in Fig. 3(2), an assurance case can be generated via the safety pattern where
the artifacts are produced.

Fig. 1. Safety pattern catalog – Pattern 1

Based on some artifacts produced as an exemplary of a particular system as shown

in Fig. 3(1), an assurance case is generated as shown in Fig. 3(4) as an application of
the pattern shown in Fig. 1 via our framework. The advantage of the framework is that
as more instances of the classes Hazard, SWContribution, and SoftwareSafetyReq are
created, the assurance case is augmented according to the safety pattern and its con-
figuration table. In our framework, the language for specifying a safety pattern has the
following features. First, a link relationship between some artifacts makes the structure
of an assurance case appropriately to be set up. In Fig. 3(4), for instance, three sub-
claims, which are related to three hazards instances which are associated to the BSCU
software, are generated to support the strategy node “Argument over all BSCU hazards
identified from BSCU SW”. Second, the application of string variables which are
replaced with a string value during the instantiation of a pattern provides more flexi-
bility in support of various types of claims. In Fig. 1, $a denotes a property variable
and a real property name depends on the real scenario and, for example, $a is replaced
with “safe” in Fig. 3(4). String variables increase the flexibility of a safety pattern in
 Automatic Support of the Generation and Maintenance of Assurance Cases 17

Fig. 2. Safety pattern catalog – Pattern 2

that $a can be replaced with some other claims such as secure provided that a new
assurance case uses the same argument structure of the safety pattern.
The leaf nodes of the assurance case shown in Fig. 3(4) address the three WBS
hazards respectively. These three claims should be further supported by three goal
nodes, each of which claims that a corresponding software contribution related to a
hazard is addressed in a separate assurance case. In this case, each goal node matches
the root node of pattern 1 and the subtree under each goal node is generated via the
application of pattern 1. In this case, the connections to the first safety pattern via the
three goal nodes are all unchanged. Due to space, we only show how node G2 is
supported in Fig. 4. However, in another scenario, the connection to the first safety
pattern via a node can be strengthened. For instance, the strategy in Fig. 3(4) can be
further strengthened by the claim that all identified hazards are correct and complete,
and no other hazard exists. Thus, pattern 2 in Fig. 2 is connected to pattern 1 via the
strategy node in Fig. 3(4). Specifically, in the WBS assurance case shown in Fig. 4, the
claim node (i.e. node G5) “BSCU hazards are completely and correctly identified in
BSCU SW” as an application of pattern 2, is connected to the strategy node (i.e. node
S1) as an application of pattern 1 so the argument structure of pattern 1 is strengthened.
To make safety patterns more reusable, we add a new feature of having a client to
decide whether a connection to a first safety pattern via a node is unchanged or
strengthened.
On the other hand, modification of system artifacts cannot be avoided and the
modification thus can undermine the validity of a previously laid-out argument
structure. For instance, if the Hazard 1 in the WBS example is changed, then all the
corresponding nodes in the assurance case in Fig. 4 are affected and thus marked as .
Furthermore, all the nodes along the path from an affected node upwards to the root are
also undermined and thus we mark them as . Next, the traceability information
further helps to find affected nodes. Specifically, since Hazardous Software Contri-
bution 1 is derived from Hazard 1 via the traceability information, all the nodes in the
18 C.-L. Lin et al.

Fig. 3. An assurance case

Fig. 4. WBS assurance case

assurance case which are linked to Hazardous Software Contribution 1 are highlighted
as in Fig. 4. Numbers within a circle denote the order of how nodes in an assurance
case are affected and reported. As a result, certifiers should review all the affected nodes
in the assurance case.
 Automatic Support of the Generation and Maintenance of Assurance Cases 19

4 The Framework Overview and Its Main Algorithms

4.1 Overview of the Framework
Our framework includes four main activities, shown in Fig. 5. First, the Instantiable
Validation activity (1) determines whether a generic safety pattern can be applied to a
domain model via configuration tables. This activity ensures that all variables in a
safety pattern can be appropriately instantiated. Second, the Variable Replacement
Activity (2) aims to generate a domain specific pattern by replacing all variables in a
safety pattern with domain classes via a configuration table. Third, the Pattern Com-
bination activity (3) employs pattern connection tables to generate a composite domain
specific pattern via the combination of the generic safety patterns. As a result of
activities (1), (2) and (3), a complete domain specific pattern is generated using an ATL
(Atlas Transformation Language) program [15]. For a specific project, the ATL pro-
gram takes all artifacts, which are a valid instance of a domain model, as input and
generates an assurance case as output. Once an assurance is generated, the Maintenance
Activity (4) takes over to monitor any modification in a domain model or any artifacts
related to the project. Once, a modification is found, the maintenance activity carries
out the impact calculation to figure out how the previous assurance case is affected by
highlighting the affected nodes in the assurance case.

Fig. 5. Flow chart of our framework

4.2 Generation of Assurance Case and Its Algorithms

To finally produce an assurance case for a project in a specific domain model via the
application of various safety patterns, the generation process consists of two steps.
First, a complete safety pattern for a specific domain is produced and this is called a
complete domain specific safety pattern, or just a complete safety pattern for simplicity.
In a complete safety pattern, each variables is replaced with a domain class; for
instance, variable s is replaced with domain class Hazard. As output of the first step,
the framework produces an ATL program ready to output a specific assurance case
Another random document with
no related content on Scribd:
 In 1794 William Jackson deeded to Joseph Preston and others a
piece of ground for a schoolhouse,[561] which was to be in trust for
the Friends’ meeting. This is the first transfer of ground for school
purposes found among the New Garden Friends. Among the
stipulations of the deed are the following:
1. The master is to be a member of Friends. [Sidenote:
Requirements for
2. The master must teach according to the rules the school at New
laid down (presumably by the school trustees) as Garden]
before mentioned in the case of the Horsham
School Rules.[562]
3. The purpose stated is for the “promotion of piety and good
order” and to “propagate useful learning.”
On 12-2-1701, some Friends at Goshen applied [Sidenote:
to their quarterly meeting for the privilege of Goshen]
establishing a meeting for worship,[563] but this
request was not approved until the meeting of the quarter in 1703.
[564] In 1707 they proposed building a house for worship which was

granted by the quarterly meeting in the twelfth month.[565] Their

monthly meeting, as stated before, was not established until 1722.
[566] The preparative meetings in its compass were Goshen,

Newtown, and Uwchlan.[567]

Though starting at a much later date as a [Sidenote: A
monthly meeting the records of Goshen are in school in East
some ways far superior to many other meetings. In Bradford for
Goshen, Bradford
the first place, they devoted considerable attention and Birmingham]
to the yearly meetings’ proposals of 1746 and
1750,[568] which by many meetings received very scant attention.
The concrete results of this attention, however, do not stand forth, as
reports on the subjects are not plentiful till the “1778 era.” In that
year of all years, they received the urgent accounts from the yearly
meeting.[569] They appear to have gone to work at once, or perhaps
had already begun, as a committee in the care of schools reported in
the sixth month, 1779, that “a piece of ground is agreed for and a
schoolhouse is now building in East Bradford.”[570] This school was
to be made up from the Friends of Goshen, Bradford, and
Birmingham,[571] and to be established in accord with the
stipulations of the yearly meeting aforesaid.[572] Goshen Monthly
Meeting was requested to name some Friend to receive the land in
trust, and Thomas Hoopes, Jr., was accordingly appointed for the
purpose.[573]
In 1782, the present school committee, deciding [Sidenote:
that something should be done concerning the Increased
regulation of schools, desired an addition to their committee
reported 1782]
number, those added being Abraham Pratt, William
Lewis, John Mailin, and Josiah Hibberd.[574] Two months later this
committee brought forth the following proposals, which are self-
explanatory.
[Sidenote: Land to
We have met sundry times since the last be purchased for
meeting on the subject and are unanimous in school and
master’s
judgment that it will be convenient for Friends to accommodations]
have a school house built near Jesse Garrett’s
smith shop on the east side of the road leading [Sidenote: The
from the valley where about five acres may be building and cost]
purchased of William Garrett and William
Garrett, Jr., in order to erect a school house on, and also a
house for a school master, which we request the monthly
meeting to take under consideration; and if they approve
thereof, that it may be encouraged by a subscription amongst
Friends only, and to be established on the plan proposed by
the Yearly Meeting and subject to the direction of the monthly
meeting from time to time, to remove or alter as they may see
cause, or time may show to be necessary. We propose the
house to be twenty-seven feet square from out to out, and
compute the expense of building to be £150 exclusive of the
land which will be £25, which we submit to the monthly
meeting. Signed in behalf of the committee—Thomas
Hoopes, Jr.[575]
 Their report was left for further consideration.
In 1784 a drive was organized on the preparative [Sidenote:
meetings. The monthly meeting received a visit Attempt to bestir
from the committee of the quarterly meeting, which the preparatives]
suggested the appointment of a large committee
and the distribution of the printed advices of the yearly meeting of
1778, to be read before each of the preparative meetings.[576] In
conformity with this suggestion, the former school committee was
released and a new one of ten members appointed as a standing
committee, directed to follow out the previously made suggestions.
[577] In their report issued shortly thereafter, there is an account of
the beginning of a school in Willistown, which is as the following:
[Sidenote: School
The committee in the care of schools report at Willistown;
that a school is kept in the new house built in master’s house,
Willistown by a Friend, and endeavors are used etc., proposed]
to have it conducted as near as may be to the directions of
the Yearly Meeting, and the building of a house for the master
is proposed and a considerable sum of money is subscribed
towards the same, provided a sufficiency can in like manner
be raised.[578]

Another report for 1785 gives the state of schools for that date.
[Sidenote: One
There are several schools in the verge of our school the
monthly meeting, kept by members of our property of the
society, one of which belongs to the monthly monthly meeting]
meeting, with several acres of land, whereon Friends are now
building a house for a master, which when completed there
will be a small fund towards schooling poor children.[579]

The chief concern to which the committee now addressed itself

was the problem as to how they might establish a permanent fund
for the schooling of poor children in their limits. For this problem they
seem to have found a satisfactory solution for the time being, in
1786, which they reported to the monthly meeting for its approval. It
appears to have been satisfactory to the meeting in the following
form, the essential features being the same as those incorporated in
the plans of meetings already mentioned.
[Sidenote:
We, the subscribers, do hereby promise to Goshen plan for
pay unto ... treasurer for Friends’ schools, within establishing funds
similar to others]
the compass of Goshen Monthly Meeting, or to
other Friends as may be from time to time appointed by said
committee to that service, the sum of money severally written
against our names, which sums are so subscribed to be and
remain a permanent fund under the care of and direction of
the monthly meeting’s committee of the people called
Quakers, held at Goshen for the time being, appointed for this
and other such purposes relative to schools, to be by them
laid out in such manner as they shall from time to time judge
most conducive to securing an income to the said schools,
which income or annuity so arising therefrom to be applied to
the education of such children as live within the compass of
Goshen Monthly Meeting, whose parents, whether Friends or
others, are not of ability to pay for the same and other such
purposes as a majority of said committee shall from time to
time direct, consistent with the object of the institution.
Witness our hands—etc.[580]

For the next six years there are but two reports worthy of attention,
which may be briefly summarized in this manner:
1787 [Sidenote: The
state of schools in
1. One school, under the monthly meeting, 1787]

a. has a large school house, and

b. a dwelling house and garden for a master, who
c. is a member of Friends
d. The school is in charge of a standing committee
 2. Another school house, whose

a. master is a member of Friends, but

b. the house is not Friends’ property.[581]

1792 [Sidenote: 1792]

1. There is a school in Williston

a. kept by a member of Friends,

b. cared for by a standing committee of the monthly
meeting,
c. much in accord with yearly meeting’s demands.
d. There has been no increase in the permanent fund since
last year.[582]

The report of the standing monthly meeting’s committee in 1795

notes these further advances. The reference to the purchase of
ground in Willistown would lead to the belief that the school of
Willistown mentioned in the report of 1792 was not located on the
meeting’s property; but the tenor of the report of 1784 leaves the
impression that the “new house” might have been the meeting’s
property.[583] The report of 1795 is as follows:
[Sidenote: 1795]
The meeting’s committee in the care of
schools report that they have for some time had in
contemplation the establishment of another school within the
verge of the monthly meeting to be conducted agreeable to
the advice of the Yearly Meeting, and have so far proceeded
as to have purchased 4⅓ acres of land of Samuel Thomas in
Willistown, which is deeded to some Friends in trust for the
use and benefit of Goshen Monthly Meeting, to improve, alter,
sell, or otherwise as the meeting may think proper, or time
show to be necessary; therefore, if the monthly meeting
 unites with our proceedings, we desire they may take the
same under their patronage.[584]

In 1796 the school at Goshen was apparently [Sidenote: One

closed for several months, though the reference school closed
made to this fact may have been to one at temporarily]
Willistown;[585] exactly which one can not be
deciphered from the minutes. In 1797 the committee reported a
house had been built on the ground lately purchased (presumably
that mentioned in the report of 1795)[586] and a school was being
kept therein, according to the advices in all respects, save the
membership of the master being outside of Friends.[587] “The other
school” was taught by a member, and was very much as might be
desired in all respects.[588] One of the schools (not clear which one)
became vacant again for a short time in 1798.[589]
What became of the school established about [Sidenote: Union
1779 by Bradford, Goshen, and Birmingham[590] is school of 1779]
not made clear by Goshen records. It is probable
that when the two schools at Willistown and Goshen came under
their direction, they ceased to have any further connection with the
earlier one in East Bradford. Further mention will be made of the
East Bradford school in the material presented for that monthly
meeting, in the pages just following. It may be only briefly mentioned
in this connection that in 1797 the Goshen meeting appointed a
committee to secure subscriptions for the yearly meeting’s boarding
school which had been proposed in 1794,[591] and was opened for
students in 1799.[592]
Some meetings for worship by the Friends in the [Sidenote:
district, later to be known as Bradford Meeting, Bradford meeting
established]
were held as early as 1719,[593] and regular
meetings for worship were established in 1725.[594] Not until 1737,
however, had they become of sufficient importance to warrant the
establishment of a monthly meeting.[595]
 In 1762 Bradford’s minutes refer to settling the affairs and
providing for the support and the education of the children.[596] It
was proposed that application be made to the next court that those
under indenture to ⸺ might be bound out so as to have a Christian
education, and to enable them “to acquire a livelihood with
reputation.”[597] It is implied that the Mr. ⸺ had not provided for
them properly in those respects. In 1765 fourteen epistles were
received and directed to be read in each of the preparative meetings
(Bradford and Caln).[598] Though no school is mentioned at these
early dates, there seems to be no doubt that schools were in
operation, perhaps a sort of family school. This brief extract would
indicate that the above assumption is not without foundation:

Two of the Friends appointed report they had an

opportunity with Benjamin Faris respecting schooling of Isaac
Few, and that he informed them that he would undertake to
school him for the term of one year, for the sum of £25, which
proposal the meeting complies with and agrees to pay the
half.[599]

The cost of this schooling was paid by the two preparative

meetings which produced their quotas four months later.[600]
Thenceforward, till 1778, nothing of note is recorded, save
occasional notices of the education of the youth.
The year 1778 produced the following minute:

The extracts of last Yearly Meeting were produced here and

read, containing much seasonable advice and instruction
which is recommended to the solid consideration and
observation of individuals; in particular, that of encouragement
of proper schools for the instruction of youth in useful
learning.[601]
 Like an electric current suddenly shunted into the circuit, these
extracts of 1777 and 1778 seemed to increase the voltage in the
wires of the organization, producing a general hum of activity. A
committee, immediately appointed, reported in 1779 they had
considered the situation,[602] and in 1780 produced the report which
is given below. As will be noted, their report mentions the “Union
School” of Goshen, East Bradford and Birmingham, which has
already received some consideration in the case of Goshen.[603]
[Sidenote: Three
We, the committee appointed in the care of schools
schools, report that most of us attended to the established; a
appointment and have several times met and committeeassist in
to

conferred together and have given our establishing

assistance toward the settling of a school others]
between Goshen, Bradford, and Birmingham
Preparative Meeting in a new schoolhouse built by Friends;
one at East Bradford in the old schoolhouse near the meeting
house; one at East Caln kept at the meeting house at present,
agreed to be under the direction of Friends nearly agreeable
to the Advices of the Yearly Meeting; and we think it expedient
to appoint Friends to take the necessary care of said schools;
but there appear to be many Friends that are not yet
accommodated with suitable schools, and we think a
committee of a few Friends to be continued to assist therein
will be necessary, all of which we submit to the meeting.
(Signed by the committee)....
Which being read and considered, the meeting appoints
William England, William Cooper, Humphrey Marshall, and
Thomas Baldwin to have the care of the school near Bradford
Meeting House, and Thomas Fisher, Griffith Mendenhall,
Isaac Coates and Isaac Pim to have the care of the school
now kept in the meeting house at East Caln, who are desired
to take the necessary care therein and the former committee
is still continued.[604]
 A subsequent report of 1781 points out that an additional school
has been established, presumably through the coöperation of the
meetings of Bradford, Kennett, and New Garden.[605] The records of
Kennett and New Garden do not seem to recognize this coöperative
school, however. To the writer, it seems that the probable state of
affairs was that the one school was so located that it was patronized
by the three communities though its direction lay in the hands of
Bradford Meeting. The contiguous situation of the townships makes
this a plausible and a probable solution. The school was soon to be
discontinued for a time.[606] The report of 1781 is herewith
submitted.
[Sidenote: A
The Friends in the care of schools report that school between
they attended the school set between this Bradford, Kennett
meeting, New Garden, and Kennett Monthly and New Garden]
Meetings, and purpose taking further care therein; and those
to have the care of the school at Bradford report that a school
is held there in pretty regular order, considering the situation
of the master in regard to his sight, and they that had the care
of the school at East Caln informed that they had divers
opportunities with the master and scholars, and are of the
mind that further care in that respect is necessary; which
being considered, this meeting continues the said Friends and
desires that they may attend to the service for which they are
appointed.[607]

The conditions presented in the report of the [Sidenote: Four

second month remained the same, save that the schools reported
school between Kennett, New Garden, and by committee]
Bradford was reported “discontinued” in the sixth
month, 1781.[608] Later in that year, the old committee was released
and a new list of men, Thomas Baldwin, Joel Harlan, Thomas Sugar,
Nathan Cooper, Benjamin Hanley, John Hoopes, Thomas Fisher,
Griffith Mendenhall, Samuel Fisher, and George Harrison constituted
a “standing committee.”[609] In 1782 four schools were reported;[610]
in 1783, several schools not entirely agreeable to the desires
expressed in the Yearly Meeting’s Advices;[611] in 1784, three are
reported in the verge of Bradford Particular Meeting, mostly under
the direction of Friends, but “none at either of the Calns” (East or
West).[612] Subsequent reports show that the cessation of the
schools at Caln was only temporary. The presentation of this very
brief span of their history may be closed with an abbreviated
statement of a committee report made in 1792.[613]
[Sidenote: Report
1. We visited four schools in our verge, one of 1792]
more left, making five.
2. The fifth is likely to be discontinued soon.
3. Number

one near Bradford Meeting House (in care of Friends).

one in East Bradford (part Friends and part not).
one in East Caln (the masters not members of Friends,
but willing to be under their direction).

4. The committee was released on request.

In the same year that Uwchlan became a [Sidenote:

monthly meeting, the Friends entered a protest, Uwchlan]
saying that the making of wills was too much
neglected, but that such as were made were not [Sidenote:
Education of
misapplied.[614] It is quite probable that the first Negroes
statement is an indication of a philanthropic spirit in mentioned
1765]
in

the meeting, between which and educational

activity there has been noted a high correlation. Moreover, their
explicit statement in 1765 concerning the education of the negroes
would indicate the education of their own children was already taken
care of.[615] The usual transformation in the kind of reports, noted in
other meetings about 1778 and following, is likewise apparent in the
meeting at present under discussion.
 Though a school committee was appointed much earlier (1779)
there was a very definite report made before 1782. Two reports
made then in successive months are worthy of our attention.
[Sidenote: Three
The committee respecting schools report that schools
they have attended to the service, having mentioned in
visited one school, the master whereof is a 1779]
member of this meeting, to a good degree of satisfaction,
some of the employers and scholars being present. They are
continued to proceed in that service as way may open and
report to next meeting[616]....

And a month later

The Friends appointed report that they have visited two

other schools, the masters whereof and many of the
employers are members of this meeting, and ... being enabled
to communicate some advice, which appeared to be well
received, they are continued.[617]

In 1783 a new committee was commissioned to [Sidenote: New

procure a particular statement of the schools committee
wherein Friends were concerned either as masters appointed]
or as employers, viz.: Thomas Richards, Jesse [Sidenote: The
Jones, Joshua Baldwin, Reuben John, William state of funds]
Millhouse, Griffith John, Simon Meredith, William
Cooper, Elihu Evans, Aaron Duncan, and Joseph Starr.[618] This
committee is not to be confused with the trustees of the school
funds, who were entirely distinct, and whose sole function was to
receive and apply the funds for the education of the indigent
children. The trustees’ report stated in 1784 that the amount of the
legacies and donations up to that date amounted to £120/10/00.[619]
Near this time, very probably in 1784, a new [Sidenote: School
school was established by Friends at Nantmeal, for set up at
which Uwchlan Meeting appointed a special Nantmeal]
committee which was to make a report; the report made in 1785
stated that they had visited the school and found it well conducted.
[620] In 1787, the school committee produced a report on all schools,
which was to be sent to the quarterly meeting. It embodied some
statement of the results achieved, difficulties to be faced, and further
gave an insight into the coöperation of Friends in the “mixed schools”
of their communities. As sent to the quarterly meeting, the report was
as follows:
[Sidenote: Report
We of the committee appointed to essay a of 1787]
report to the quarterly meeting of the situation of
our members in regard to schools and the [Sidenote: Nantmeal school
progress of our monthly meeting in that discontinued]
important concern, having had several
conferences and opportunities of enquiring into that subject,
report as follows: that some have been appointed and
continued from time to time by our monthly meeting for
several years past, who have used many endeavors to
promote the establishment of schools agreeable to the
advices of the Yearly Meeting; but our number generally living
so remote from each other, has prevented much progress
being made therein, save one house being built by Friends at
Nantmeal nearly on the plan proposed, in which a school has
been kept some time, but now dropped for want of a salary for
the master, there not being a sufficient number of Friends
settled contiguous thereto nor to each other, in any other part
of our meeting to support a school; and the boarding out of
our children appears an expense too heavy for many of us, so
that we are generally in the practice of schooling our children
in a mixed manner, though mostly under the tutorage of
Friends, or persons friendly disposed, to whom some care
has been extended and their schools frequently visited by our
committee some time back. Signed by order of the school
committee by William Millhouse, clerk.[621]
 In 1794, the London Grove Monthly Meeting, just [Sidenote: London
created, began its educational work by appointing a Grove]
committee to take subscriptions for a fund to
[Sidenote:
support a “regular school.”[622] In 1795, the Committee of
preparative meeting proposing that a standing men and women
committee be appointed to inspect the necessities appointed
schools]
for

of the poor and the school education of their

children, the following were named to unite with a committee of
women on that concern, viz.: Samuel Swayne, Josiah Hoopes, John
Man, and Jonathan Buslow.[623] Four months later the committee
appointed to raise the funds by subscription (see above) reported
that a sum of “more than fifty pounds” was already subscribed.[624]
No statement of the number of schools established in the limits of
the London Grove Meeting is given between the time of its
establishment and the end of the century; nor are any other details
vouchsafed. It will suffice for a voucher of their intentions and the
work actually begun in that period, to insert the following statement
of their plan for founding their schools.
[Sidenote: Plan
Pursuant to the advice and recommendations produced for
of the Yearly Meeting of Friends for many years, settling schools]
and excited by consideration in our own minds
for an improvement of the school education of the youth,
especially those in low circumstances, we, the subscribers
hereto, have agreed to promote the raising of a fund or stock,
the increase whereof to be for the benefit of the several
schools which are or may be under the care of London Grove
Monthly Meeting, and to be distributed amongst them at the
direction of a committee of the said meeting, appointed from
time to time in the care of schools. The sum annexed to each
of our names we hereby engage each for himself or heirs,
executors and administrators respectively, to pay or to cause
to be paid to such Friend or Friends as the abovesaid monthly
meeting shall appoint as treasurer for the same, and that at
any time, when demanded, after the whole subscription
amounts to the sum of fifty pounds. The treasurer, so
 appointed, we enjoin to be subject to the inspection and
control of the said monthly meeting and to render a fair and
true account thereto of his proceedings therein once a year,
and if the said meeting shall at any time see cause to release
the treasurer, then he shall give up his accounts and pay the
money or transfer such other property as may be under his
care, appertaining to the said fund unto such other Friends as
the monthly meeting may appoint to succeed him in the said
trust. Our subscriptions, until they amount to fifty pounds or
upwards, we direct to be kept in stock and be deposited in
some safe way so as to produce increase either by a loan
upon land at the discretion and direction of the said monthly
meeting or committee thereof. The interest, rent, or increase
whereof we direct to be applied for the benefit of the aforesaid
schools in such a manner and at such times as the school
committee of the said monthly meeting for the time being, or a
majority of them shall direct. And although our present
endeavor may appear feeble and small, yet we trust and hope
it may gradually increase so as to become more useful in
time.[625]

There remains to be presented in this chapter [Sidenote:

the activities of Sadsbury Meeting, which, though Sadsbury]
outside the limits of Chester County, was made up
very largely of members residing in Chester [Sidenote: meetings
Youths’

County.[626] The most distinctly educational work of established 1739]

any sort was the youths’ meeting, which was very
frequently mentioned as early as 1739, only two years after they
became a monthly meeting.[627] Numerous statements of these
meetings occur throughout the first thirty years and more. Attention
was also directed to a care for the children of the poor.

One of the Friends appointed in the case of John Marsh’s

child report they attended the service and met with some
encouragement concerning the education of the child, the
person with whom it resides being its grandmother; the
 meeting concludes to leave it under the care and notice of
Henry Marsh, the child’s uncle.[628]

In 1779 the first committee to carry out the [Sidenote:

instruction of 1777 and 1778 was appointed, Committee
consisting of the following members: James Miller, appointed
schools]
on

Andrew Moore, and Samuel Simons.[629] They

were to afford assistance to each of the preparative meetings
(Sadsbury and Leacock). This they reported in the second month
they had done; James Moore, Isaac Taylor, John Moore, James
Smith, Abraham Gibbons, and James Webb were then appointed to
do the work.[630] In 1782 a visit was made to Sadsbury Meeting by
the committee appointed by the quarterly meeting.[631] They
reported further at that time:
[Sidenote: School
The Monthly Meeting committee has it under at Sadsbury
care and there is a school set up at Sadsbury, mentioned]
and it is closely recommended to Friends for a
further progress and to the committee of this meeting in
particular, to which George Cooper, Andrew Moore, and
Joseph Dickinson are added.[632]

The conditions remain substantially the same for [Sidenote:

the five subsequent years, with frequently Discontinued, but
interspersed reports, made to the monthly not long]
meetings and to be sent to the quarterly meeting.
In that year, as the following report shows, the school at Sadsbury
was discontinued, and the old committee removed to make place for
a new one.

Several Friends of the committee respecting schools report

they have conferred together since the last meeting, and it
doth not appear that there is any school at this time within the
verge of this meeting under the care and direction of Friends,
and the said committee expressing their desire to be
 released, the meeting consents thereto, yet in order to keep
alive the concern and promote a matter so interesting,
concludes to appoint a fresh committee, and James Miller,
John Moore, son of James, Isaac Taylor, and Joseph
Williams, Joseph Brinton, Moses Brinton, William Downing,
and Gaius Dickinson are appointed for the service.[633]

It is not ascertainable from the minutes just how [Sidenote:

long this school remained closed, but a minute of Barclay’s
1789, directing that Barclay’s Catechism be Catechism in schools]
for use

distributed for the use of the schools, indicates that

it was not discontinued for a long time.[634] Isaac Taylor, R. Moore,
William Gibbons, and William Webb were appointed to distribute the
said books.[635]
In 1792, Lampeter Preparative Meeting (called [Sidenote:
Leacock in 1732, but changed to Lampeter in Lampeter
requests to build
1749)[636] laid before the monthly meeting a schoolhouse,
request to be permitted to build a school house on 1792]
or near their meeting house land for the purpose of
a boarding school to be under the care of the monthly meeting.[637]
Their request was not acted upon until the next meeting when it was
referred to a committee of eleven men, who were to consider the
proposals and report their judgment to the monthly meeting when
convenient.[638] It appears from the following extract of the monthly
meeting that they were somewhat critical.
[Sidenote:
The committee appointed to consider the Committee’s
proposals of Lampeter Preparative Meeting for suggestions for
building a school house made a report in Lampeter school
not accepted]
writing, which not meeting the approbation of
this meeting, is returned and Joseph Brinton, Abraham
Gibbons, William Brinton, James Smith, John Ferris, James
Cooper, and Levi Powell are added to the former committee
and William Webb is requested to consider the matter and
report to the next meeting.[639]
 At the session of the monthly meeting held two months later, the
newly appointed committee was successful in getting a satisfactory
hearing for their decision in regard to the Lampeter Boarding School.

The proposal of Lampeter Preparative Meeting comes

again under consideration and the following report being
produced and divers times read, is concurred with.
To Sadsbury Monthly Meeting—

We, the committee appointed to consider [Sidenote: The

Lampeter’s proposals for building a school accepted report]
house and having again met and had a solid
conference together unite in judgment that the proposals are
nearly agreeable to the advices of the Yearly Meeting and
under the present circumstances are of the mind the monthly
meeting may be safe in leaving that meeting at liberty to erect
a building proportioned in size to their Friends and the
probabilities of what may be obtained by subscription (which
is submitted to the meeting by James Miller and signed by
fourteen others). 6-25-1792.[640]

In 1793, the school committee recommended in the following

report that more definite steps be taken to meet the demand of the
yearly meeting in regard to (1) the accommodations for a master and
(2) the establishment of a permanent school fund.
[Sidenote: Funds
The committee in the care of schools made to be raised]
the following report in writing which, after being
solidly considered, is adopted and the clerk is directed to
furnish each preparative meeting with a copy of this minute
together with the report of the committee (which follows).
Most of the committee appointed in the care of establishing
well regulated schools for the instruction of our youth report
they met twice on the subject and solidly considering the
same, believe it would be right for the monthly meeting to
 recommend to Sadsbury Preparative Meeting the making of
such suitable provisions for the accommodation of a school
master as is recommended by the Yearly Meeting Minute of
1778—That Sadsbury and Lampeter Preparative Meetings be
stirred up to use their endeavors to raise such funds for their
respective meetings by subscription as is recommended—as
well as in a minute of our last quarterly meeting, by William
Webb (and five others).[641]

By a later minute we are informed that an instrument of writing

(subscription plan) has been drawn up for the purpose of raising
funds,[642] which, however, did not prove wholly satisfactory,[643] and
was postponed for further consideration. As presented finally and
accepted on twelfth month, 10th, 1793, the plan for raising
permanent funds was as follows:
[Sidenote: Plans
Whereas the Yearly Meeting is impressed for raising funds
with a sense of the advantages that would arise adopted]
from a religious education of our youth, has
frequently recommended the establishment of schools under
the care of a standing committee of monthly or particular
meetings and especially in 1778, recommended the
promoting a subscription towards a fund, the increase
whereof might be employed in paying the master’s salary, if
necessary, and promoting the education of poor Friends’
children. This provision may be made to take in poor children
of Friends or others taught gratis or at such moderate rates as
their parents or guardians can afford to pay at the discretion
of the trustees, etc.
And we, the subscribers, writing with the above
recommendations and willing to part with a portion of the
substance, we as stewards are blessed with, in order to carry
the same into effect (provided always, nevertheless, that no
part of the fund shall ever be applied towards paying the
master’s salary so as to reduce the schooling of children who
are in affluent circumstances, lower than 40 shillings per
 annum, and may be raised at the discretion of the trustees),
do hereby promise for ourselves, our heirs, and executors, or
administrators to pay, or cause to be paid, the several sums
to our names annexed, to the trustees for ... school.
Otherwise, five per cent. interest from the dates respectively
to our names prefixed until paid or till such other persons as
may be appointed by the monthly meeting to receive the
same. In witness whereof, ...[644]

The situation of schools near the close of the century is shown in a

report of 1797 to be as stated below. Though this report states no
fund is established, a later report of 1798 states that some progress
has been made in that respect.[645]
The report for 1797 is as follows:
[Sidenote: Three
The committee in the care of schools report schools; no funds]
that there is no fund established for this
purpose, yet there are three schools within the compass of
our monthly meeting taught by masters who are Friends and
are under the especial care of a committee of this meeting.
[646]

At the very close of the century Sadsbury Friends were interested

in raising a fund to help in the establishment of the Yearly Meeting’s
boarding school at Westtown, Pennsylvania.[647]

SUMMARY
This chapter considers the establishment of [Sidenote: The
schools in Kennett, New Garden, Goshen, meetings]
Bradford, Uwchlan, London Grove and Sadsbury
monthly meetings.
No early definite reference is made to education, [Sidenote:
though the careful interest in children’s welfare is at Kennett]
all times evident. Not until the “1777 era” do the [Sidenote: A
reports give any considerable information union school
concerning schools. Committees were thereafter reported]
always in attendance upon the problems of the [Sidenote: Rules
schools. In 1781 a “union school” was reported drawn for school,
between Kennett, Bradford and New Garden, property
purchased]
which was afterwards discontinued. In 1785 they
report “several schools,” in partial accord with demands of the yearly
meeting. Land for Kennett school “number one” was purchased in
1792, and rules drawn up for its control. Their scheme for raising
permanent funds was not completed until 1795. Two schools, taught
by members of the society, were under the care of the meeting’s
committee in 1798.
Two schools were reported at New Garden in [Sidenote: Two
1779 and another was at that time proposed. Some schools under
land was conveyed to the meeting in 1785 for the Kennett meeting]
use of a school, and a house built upon it. Another [Sidenote: Two
piece of land was deeded by William Jackson in schools, another
1794 for a similar purpose. Certain stipulations proposed]
were made concerning the school to be established
there. It was found more consistent in summer to employ mistresses
rather than masters.
Though established at a late date, Goshen was [Sidenote:
very active educationally. Land was purchased and Goshen]
a house was being built for a union school between
Goshen, Bradford and Birmingham, in 1779. [Sidenote: schools]
Two

Committees were appointed, which gave reports

better than those usually returned. A plan for funds was adopted in
1786. No further mention is found in regard to the union schools after
the establishment of the schools at Goshen and Willistown.
Bradford’s first educational activity was in [Sidenote:
connection with the apprenticing of children. A Bradford]
single case in which a boy was put to school by the
meeting occurred in 1767; the expense therefore [Sidenote: Three
schools 1780]
was defrayed by the preparative meetings.
Educational activity increased in 1778; three schools were reported