Tool support for assurance case development

Automated Software Engineering

Abstract

Argument-based assurance cases, often represented and organized using graphical argument structures, are increasingly being used in practice to provide assurance to stakeholders, e.g., regulatory authorities, that a system is acceptable for its intended use with respect to dependability and safety concerns. In general, comprehensive system-wide assurance arguments aggregate a substantial amount of diverse information, such as the results of safety analysis, requirements analysis, design, verification and other engineering activities. Although a variety of assurance case tools exist, many desirable operations on argument structures such as hierarchical and modular abstraction, argument pattern instantiation, and inclusion/extraction of richly structured information have limited to no automation support. To close this automation gap, over the past four years we have been developing a toolset for assurance case automation, AdvoCATE, at the NASA Ames Research Center. This paper describes how AdvoCATE is being engineered atop formal foundations for assurance case argument structures, to provide unique capabilities for: (a) automated creation and assembly of assurance arguments, (b) integration of formal methods into wider assurance arguments, (c) automated pattern instantiation, (d) hierarchical abstraction, (e) queries and views, and (f) verification of arguments. We (and our colleagues) have used AdvoCATE in real projects for safety assurance, in the context of unmanned aircraft systems.



Notes

  1. Strictly speaking, road vehicles do not undergo regulatory certification in the same way as civil aircraft; rather, they are qualified by the manufacturer as meeting an applicable safety standard.

  2. In general, an assurance case provides assurance of broad system concerns, such as dependability, safety, and security; a safety case is a specialization of an assurance case for system safety assurance.

  3. There are also different (but compatible) notions of safety case (US Department of Transportation, Federal Aviation Administration (FAA) 2013; Berthold et al. 2014) in which there is no explicit requirement for presenting structured arguments.

  4. In this paper, we will use the terms safety argument, and safety case interchangeably when the distinction between the two is not significant. Also note that the scope of our work here applies to assurance cases in general, although we will focus primarily on safety assurance.

  5. Also see Sect. 7.1 for more details on existing tools.

  6. In the rest of the paper, we will use pattern to mean an argument pattern. Also see Sect. 4, and Denney et al. (2013a).

  7. Or, convince and communicate to the relevant stakeholders.

  8. See Sect. 4 for more details. We have opted to use the GSN, although other appropriate notations could also have been used.

  9. We note that the data given in Fig. 2 is not comprehensive. In actual practice, this abstract methodology is replaced by concrete processes, activities, and the corresponding data, e.g., as recommended in civil aviation guidelines for system development and safety assessment (S-18, Aircraft And System Development And Safety Assessment Committee 1996, 2010). Additionally, we note that this methodology addresses safety assurance prior to system operations, and is applied towards facilitating the decision to release a system into service. A lifecycle approach to safety assurance (Denney et al. 2015a) also takes into account operational safety measures and safety performance, although we will not address that here.

  10. The process shown in Fig. 3 is different from (but compatible with) both the six-step method for developing an argument structure (Goal Structuring Notation Working Group 2011), and the safety case development methodology in Bishop and Bloomfield (1998).

  11. For more details on argument patterns, see Sect. 4.2.

  12. Additionally, assumptions can also be made about the assurance techniques employed.

  13. We have also identified and specified additional requirements that cover the remainder of the functionality offered by AdvoCATE, although those are out of scope here.

  14. Status is defined as a set since, as we will see later, nodes can have multiple status values. Here, \( tbd \) represents the ‘to be developed’ status.

  15. A partial argument can have multiple roots, whereas a full argument structure has a single root.

  16. Formally, we define a strict notion of argument where goals require intermediate strategies (thus spelling out explicitly why subgoals follow from parent goals), and separate goals cannot share evidence. In practice, both these conditions are often violated and can be captured with a more relaxed definition. The tool allows both conventions.

  17. Though not so common in practice, bounds are a natural generalization of optionality and multiplicity and can be used, for example, to require complementary strategies or evidence (as a lower bound on number of branches) or to limit argument complexity (by placing an upper bound).

  18. Note that the open and closed views of a hinode, respectively, serve to visually display or hide the node contents. In our current implementation, a hinode cannot be empty regardless of whether it is displayed in its open or closed view, although as part of future work we plan to allow the creation of empty hinodes.

  19. Strictly speaking, they relax some conditions on the definition of modules and add others.

  20. Available at: http://www.eclipse.org/.

  21. Available at: http://eclipse.org/graphiti/.

  22. Available at: http://eclipse.org/Xtext/.

  23. Henceforth, we will use argument (or pattern) when we mean the model of the argument (or pattern), i.e., the instance of the diagram metamodel.

  24. The only way in which cycles can be introduced into arguments is by pasting a pattern with a cycle into an argument.

  25. Here, note that the multiple-roots error shown in the issues panel has identified two goal nodes with the same identifier. However, since the check is performed across all the open projects, the errors exist in separate arguments; the path to those arguments can be seen by expanding the size of the panel, but has not been shown in Fig. 11.

  26. The patterns shown here are more concise versions of those given in Denney and Pai (2015).

  27. Note that by hierarchically abstracting such an argument into a closed hierarchical evidence node (see Sects. 4.3 and 6.3.2), the result is an argument which is both structurally and semantically identical to that produced from the traditional approach of referring to the results of formal methods using evidence nodes.

  28. AdvoCATE provides a Show/Hide feature—as shown by the eponymous option in the context menu in Fig. 17a—with which a user can selectively show and/or hide a node, paths to/from a node, and children of a node.

  29. As well as, more generally, to other formal methods paradigms, so that techniques such as formal refinement or program synthesis could be integrated, although that would require a different workflow.

  30. In fact, we can also leverage the use of metrics computation during property verification (Sect. 6.5).

  31. Available at: https://code.google.com/p/acedit/.

  32. Available at: http://cs-gw.utcluj.ro/~adrian/tools/safed/gsn/gsn.html.

  33. Available at: http://af3.fortiss.org/.

  34. Available at: http://nasa.github.io/CertWare/.

  35. Available at: http://www.dcase.jp/index_en.html.

  36. See: https://www.ait.ac.at/en/research-fields/verification-validation/methods-and-tools/wefact/.

  37. Available at: http://www-03.ibm.com/software/products/en/ratidoor.

  38. Available at: http://www.goalstructuringnotation.info/archives/41.

  39. Available at: http://www.adelard.com/asce/.

  40. Available at: http://astah.net/editions/gsn.

  41. Available at: https://www.argevide.com/en/products/assurance_case.

  42. Available at: http://www.gessnet.com/products.

  43. This distinction has sometimes been misunderstood in the literature (Graydon 2015).
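The structural conditions described in the notes (a full argument has a single root, note 15; the strict convention that goals need intermediate strategies and that separate goals cannot share evidence, note 16; cycles entering only via pasted patterns, note 24; duplicate identifiers, note 25; and the 'tbd' status of undeveloped goals, note 14) can be checked mechanically. The following is an added example written for this page, not AdvoCATE's own code: the node/edge representation, the function names and the issue strings are assumptions, and the sample argument and its identifiers are constructed.

```python
"""Well-formedness checks on a simple GSN-style argument structure.

Added illustration, not AdvoCATE code. The list-of-tuples representation,
function names and issue strings are assumptions; the conditions checked
follow the paper's notes on roots, strict/relaxed conventions, cycles,
duplicate identifiers and 'tbd' status.
"""
from collections import defaultdict

GOAL, STRATEGY, EVIDENCE = "goal", "strategy", "evidence"


def _index(nodes, edges, issues):
    """Build kind/children/parent maps, reporting duplicate ids and dangling links."""
    kinds = {}
    for nid, kind in nodes:
        if nid in kinds:
            issues.append(f"duplicate identifier: {nid}")  # note 25
        kinds[nid] = kind
    children, parents = defaultdict(list), defaultdict(list)
    for p, c in edges:
        if p not in kinds or c not in kinds:
            issues.append(f"dangling link: {p} -> {c}")
            continue
        children[p].append(c)
        parents[c].append(p)
    return kinds, children, parents


def check_argument(nodes, edges, strict=True, full=True):
    """Return a list of issue strings; an empty list means well-formed.

    nodes: (id, kind) pairs; edges: (parent_id, child_id) 'supported by' links.
    strict=False applies the relaxed convention of note 16; full=False allows
    the multiple roots of a partial argument (note 15).
    """
    issues = []
    kinds, children, parents = _index(nodes, edges, issues)

    roots = [n for n in kinds if not parents[n]]
    if full and len(roots) != 1:
        issues.append(f"multiple roots: {sorted(roots)}" if roots else "no root")

    # Cycle detection by depth-first colouring (note 24).
    WHITE, GREY, BLACK = 0, 1, 2
    colour = {n: WHITE for n in kinds}

    def visit(n):
        colour[n] = GREY
        for c in children[n]:
            if colour[c] == GREY:
                issues.append(f"cycle through {c}")
            elif colour[c] == WHITE:
                visit(c)
        colour[n] = BLACK

    for n in kinds:
        if colour[n] == WHITE:
            visit(n)

    if strict:
        for n, kind in kinds.items():
            if kind == GOAL:
                # Subgoals must follow via an explicit strategy (note 16).
                for c in children[n]:
                    if kinds[c] == GOAL:
                        issues.append(f"goal {n} links directly to subgoal {c}")
            elif kind == EVIDENCE and len(parents[n]) > 1:
                issues.append(f"evidence {n} shared by {sorted(parents[n])}")
    return issues


def tbd_goals(nodes, edges):
    """Goals with no supporting children carry the 'to be developed' status (note 14)."""
    kinds, children, _ = _index(nodes, edges, [])
    return {n for n, k in kinds.items() if k == GOAL and not children[n]}


# Constructed sample argument with hypothetical identifiers.
SAMPLE_NODES = [("G1", GOAL), ("S1", STRATEGY), ("G2", GOAL), ("G3", GOAL),
                ("E1", EVIDENCE), ("E2", EVIDENCE)]
SAMPLE_EDGES = [("G1", "S1"), ("S1", "G2"), ("S1", "G3"),
                ("G2", "E1"), ("G3", "E2")]

if __name__ == "__main__":
    print(check_argument(SAMPLE_NODES, SAMPLE_EDGES))   # [] for the sample
    print(sorted(tbd_goals(SAMPLE_NODES, SAMPLE_EDGES)))
```

Running the checker in relaxed mode (`strict=False`) accepts shared evidence and direct goal-to-subgoal links, matching the tool's option to allow both conventions; the cycle and duplicate-identifier checks apply in both modes.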

References

  • Adelard, L.L.P.: Assurance and Safety Case Environment (ASCE) (2011). http://www.adelard.com/asce/

  • Armengaud, E.: Automated safety case compilation for product-based argumentation. Presented at the 6th European Congress on Embedded Real-time Software and Systems (\(\text{ERTS}^2\) 2014) (2014)

  • Ayoub, A., Chang, J., Sokolsky, O., Lee, I.: Assessing the overall sufficiency of safety arguments. In: Proceedings of the 21st Safety-Critical Systems Symposium (SSS ’13), pp. 127–144 (2013)

  • Barry, M.R.: CertWare: a workbench for safety case production and analysis. In: Proceedings of the 2011 IEEE Aerospace Conference, pp. 1–10 (2011)

  • Basir, N., Denney, E., Fischer, B.: Constructing a safety case for automatically generated code from formal program verification information. In: Harrison, M., Sujan, M.A. (eds.) Computer Safety, Reliability, and Security. Lecture Notes in Computer Science, vol. 5219, pp. 249–262. Springer, Berlin (2008)

  • Berthold, R., Denney, E., Fladeland, M., Pai, G., Storms, B., Sumich, M.: Assuring ground-based detect and avoid for UAS operations. In: Proceedings of the 33rd IEEE/AIAA Digital Avionics Systems Conference (DASC), pp. 6A1-1–6A1-16 (2014)

  • Bienvenu, M., ten Cate, B., Lutz, C., Wolter, F.: Ontology-based data access: a study through disjunctive Datalog, CSP, and MMSNP. In: Proceedings of the 32nd Symposium on Principles of Database Systems, pp. 213–224. ACM (2013)

  • Bishop, P., Bloomfield, R.: A methodology for safety case development. In: Redmill, F., Anderson, T. (eds.) Industrial Perspectives of Safety-Critical Systems: Proceedings of the 6th Safety-critical Systems Symposium. Springer (1998)

  • Bloomfield, R., Bishop, P.: Safety and assurance cases: past, present and possible future—an Adelard perspective. In: Proceedings of the 18th Safety-Critical Systems Symposium (2010)

  • Bloomfield, R., Chozos, N., Embrey, D., Henderson, J., Kelly, T., Koornneef, F., Pasquini, A., Pozzi, S., Sujan, M., Cleland, G., Habli, I., Medhurst, J.: Evidence: Using Safety Cases in Industry and Healthcare. The Health Foundation, London (2012)

  • Blume, M., Appel, A.W.: Hierarchical modularity. ACM Trans. Program. Lang. Syst. 21, 813–847 (1999)

  • Brat, G., Bushnell, D., Davies, M., Giannakopoulou, D., Howar, F., Kahsai, T.: Verifying the Safety of a Flight-Critical System. arXiv cs.SE e-print arXiv:1502.02605 (2015)

  • Clothier, R., Denney, E., Pai, G.: Making a risk informed safety case for small unmanned aircraft system operations. In: Proceedings of the 17th AIAA Aviation Technology, Integration, and Operations Conference (ATIO 2017) (2017)

  • Cruanes, S., Hamon, G., Owre, S., Shankar, N.: Tool integration with the evidential tool bus. In: Giacobazzi, R., Berdine, J., Mastroeni, I. (eds.) Verification, Model Checking, and Abstract Interpretation. Lecture Notes in Computer Science, vol. 7737, pp. 275–294. Springer, Berlin (2013)

  • Denney, E., Trac, S.: A software safety certification tool for automatically generated guidance, navigation and control code. In: IEEE Aerospace Conference Electronic Proceedings. IEEE, Big Sky, Montana (2008)

  • Denney, E., Pai, G.: A lightweight methodology for safety case assembly. In: Ortmeier, F., Daniel, P. (eds.) Proceedings of the 31st International Conference on Computer Safety, Reliability and Security (SAFECOMP 2012), LNCS, vol. 7612, pp. 1–12. Springer (2012)

  • Denney, E., Pai, G.: A formal basis for safety case patterns. In: Bitsch, F., Guiochet, J., Kaâniche, M. (eds.) Computer Safety, Reliability and Security (SAFECOMP 2013), LNCS, vol. 8153, pp. 21–32 (2013a)

  • Denney, E., Pai, G.: Evidence arguments for using formal methods in software certification. In: 2013 IEEE International Symposium on Software Reliability Engineering Workshops (ISSREW), pp. 375–380 (2013b)

  • Denney, E., Pai, G.: Automating the assembly of aviation safety cases. IEEE Trans. Reliab. 63(4), 830–849 (2014)

  • Denney, E., Pai, G.: Safety Case Patterns: Theory and Applications. Technical Report NASA/TM-2015-218492, NASA Ames Research Center (2015)

  • Denney, E., Pai, G.: Architecting a safety case for UAS flight operations. In: 34th International System Safety Conference (ISSC) (2016)

  • Denney, E., Pai, G., Habli, I.: Towards measurement of confidence in safety cases. In: Proceedings of the 5th international symposium on empirical software engineering and measurement, pp. 380–383 (2011)

  • Denney, E., Habli, I., Pai, G.: Perspectives on software safety case development for unmanned aircraft. In: Proceedings of the 42nd Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN 2012), pp. 1–8. Boston, MA (2012a)

  • Denney, E., Ippolito, C., Lee, R., Pai, G.: An integrated safety and systems engineering methodology for small unmanned aircraft systems. In: Infotech@Aerospace, AIAA 2012-2572. Garden Grove, CA (2012b)

  • Denney, E., Pai, G., Pohl, J.: AdvoCATE: an assurance case automation toolset. In: Ortmeier, F., Daniel, P. (eds.) SAFECOMP 2012 Workshops—Next Generation of System Assurance Approaches for Safety-Critical Systems (SASSUR), LNCS, vol. 7613. Springer (2012c)

  • Denney, E., Naylor, D., Pai, G.: Querying safety cases. In: Bondavalli, A., Giandomenico, F.D. (eds.) 33rd International Conference on Computer Safety, Reliability and Security (SAFECOMP 2014), pp. 294–309. Springer (2014)

  • Denney, E., Habli, I., Pai, G.: Dynamic safety cases for through-life safety assurance. In: Proceedings of the 37th International Conference on Software Engineering (ICSE 2015): New Ideas and Emerging Results track (NIER). Florence, Italy (2015a)

  • Denney, E., Pai, G., Whiteside, I.: Formal foundations for hierarchical safety cases. In: Proceedings of the 16th IEEE International Symposium on High Assurance Systems Engineering (HASE 2015) (2015b)

  • Denney, E., Pai, G., Whiteside, I.: Modeling the safety architecture of UAS flight operations. In: Tonetta, S., Schoitsch, E., Bitsch, F. (eds.) Computer Safety, Reliability, and Security. SAFECOMP 2017. Lecture Notes in Computer Science, vol. 10488. Springer, Cham (2017)

  • Despotou, G., Apostolakis, A., Kolovos, D.: Assuring Dependable and Critical Systems: Implementing the Standards for Assurance Cases with ACedit. White Paper (2012)

  • Dezfuli, H., Benjamin, A., Everett, C., Smith, C., Stamatelatos, M., Youngblood, R.: NASA/SP-2010-580, NASA System Safety Handbook, volume 1, System Safety Framework and Concepts for Implementation. NASA, London (2011)

  • Eagles, S., Wu, F.: Reducing risks and recalls: safety assurance cases for medical devices. Biomed. Instrum. Technol. 48(1), 24–32 (2014)

  • European Organisation for the Safety of Air Navigation (EUROCONTROL): Safety Case Development Manual, 2.1 edn. DAP/SSH/091 (2006)

  • European Organisation for the Safety of Air Navigation (EUROCONTROL): Preliminary Safety Case for ADS-B Airport Surface Surveillance Application. PSC ADS-B-APT (2011). http://www.eurocontrol.int/articles/cascade-documents/

  • Felici, M.: Modeling safety case evolution—examples from the air traffic management domain. In: Guelfi, N., Savidis, A. (eds.) Proceedings of the 2nd International Workshop on Rapid Integration of Software Engineering Techniques (RISE). Lecture Notes in Computer Science, vol. 3943, pp. 81–96. Springer, Berlin (2006)

  • Fenn, J., Hawkins, R., Williams, P., Kelly, T.: Safety case composition using contracts—refinements based on feedback from an industrial case study. In: Proceedings of the 15th Safety Critical Systems Symposium (SSS ’07) (2007)

  • Gacek, A., Backes, J., Cofer, D., Slind, K., Whalen, M.: Resolute: an assurance case language for architecture models. In: Proceedings of the 2014 ACM SIGAda Annual Conference on High Integrity Language Technology, HILT ’14, pp. 19–28. ACM, New York, NY, USA (2014)

  • Gallina, B.: A model-driven safety certification method for process compliance. In: Proceedings of the 2014 International Symposium on Software Reliability Engineering (ISSRE) Workshops, pp. 204–209 (2014)

  • Goal Structuring Notation Working Group: GSN Community Standard Version 1 (2011). http://www.goalstructuringnotation.info/

  • Goodenough, J., Weinstock, C., Klein, A.: Eliminative induction: a basis for arguing system confidence. In: Proceedings of the 35th International Conference on Software Engineering (ICSE), pp. 1161–1164 (2013)

  • Graydon, P., Knight, J., Green, M.: Certification and safety cases. In: Proceedings of the 28th International System Safety Conference (2010)

  • Graydon, P.: Formal assurance arguments: a solution in search of a problem? In: Proceedings of the 45th Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN) (2015)

  • Greenwell, W., Knight, J., Holloway, C.M., Pease, J.: A taxonomy of fallacies in system safety arguments. In: Proceedings of the International System Safety Conference (2006)

  • Hawkins, R., Kelly, T., Knight, J., Graydon, P.: A new approach to creating clear safety arguments. In: Proceedings of the Safety Critical Systems Symposium (2011)

  • Hawkins, R., Habli, I., Kelly, T.: Principled construction of software safety cases. In: 2013 SAFECOMP Workshops—Next Generation of System Assurance Approaches for Safety-Critical Systems (SASSUR) (2013)

  • Hawkins, R., Habli, I., Kolovos, D., Paige, R., Kelly, T.: Weaving an assurance case from design: a model-based approach. In: Proceedings of the 16th IEEE International Symposium on High Assurance Systems Engineering (HASE), pp. 110–117 (2015)

  • International Atomic Energy Agency: IAEA Safety Glossary: Terminology Used in Nuclear Safety and Radiation Protection, 2007th edn. (2007)

  • International Civil Aviation Organization (ICAO) Asia and Pacific Office: Building a Safety Case for Delivery of an ADS-B Separation Service. Guidance Material v1.0 (2011)

  • International Organization for Standardization (ISO): Road Vehicles–Functional Safety. ISO 26262 (2011)

  • Jøsang, A., Bradley, D., Knapskog, S.J.: Belief-based risk analysis. In: Proceedings of the Australasian Information Security Workshop (AISW), pp. 591–598 (2004)

  • Kelly, T.: Arguing Safety: A Systematic Approach to Managing Safety Cases. Ph.D. thesis, University of York (1998)

  • Kelly, T., Bates, S.: The costs, benefits, and risks associated with pattern-based and modular safety case development. In: Proceedings of the UK MoD Equipment Safety Assurance Symposium (2005)

  • Knight, J., Aiello, A., Hocking, A., Rowanhill, J.: SCT: a safety case toolkit. In: Workshop Proceedings of the 2014 IEEE International Symposium on Software Reliability Engineering (ISSRE)—Assurance Cases for Software-intensive Systems (ASSURE) (2014)

  • Littlewood, B., Wright, D.: The use of multilegged arguments to increase confidence in safety claims for software-based systems: a study based on a BBN analysis of an idealized example. IEEE Trans. Softw. Eng. 33(5), 347–365 (2007)

  • Mahapatra, S.: Automatic Report Generation in Model-Based Design. SAE Technical Paper 2010-01-2000, SAE International (2010)

  • Matsuno, Y., Takamura, H., Ishikawa, Y.: Dependability case editor with pattern library. In: Proceedings of the 12th IEEE International Symposium on High-Assurance Systems Engineering (HASE), pp. 170–171 (2010)

  • McDermid, J.: Support for safety cases and safety arguments using SAM. Reliab. Eng. Syst. Saf. 43(2), 111–127 (1994)

  • Menon, C., Hawkins, R., McDermid, J.: Interim standard of best practice on software in the context of DS 00-56 Issue 4. Standard of Best Practice Issue 1, Software Systems Engineering Initiative, University of York (2009)

  • Nair, S., Walkinshaw, N., Kelly, T., de la Vara, J.L.: An evidential reasoning approach for assessing confidence in safety evidence. Technical Report 2014-17, Simula Research Laboratory (2014)

  • Object Management Group: Structured Assurance Case Metamodel (SACM) version 1.0. Formal/2013-02-01 (2013)

  • Ratiu, D., Zeller, M., Killian, L.: Safety.lab: model-based domain specific tooling for safety argumentation. In: Koornneef, F., van Gulijk, C. (eds.) Proceedings of SAFECOMP 2015 Workshops, pp. 72–82. Springer International Publishing (2015)

  • Ruiz, A., Larrucea, X., Espinoza, H.: A tool suite for assurance cases and evidences: Avionics experiences. In: O’Connor, R.V., Umay Akkaya, M., Kemaneci, K., Yilmaz, M., Poth, A., Messnarz, R. (eds.) Systems, Software and Services Process Improvement, Communications in Computer and Information Science, vol. 543, pp. 63–71. Springer, Berlin (2015)

  • Rushby, J.: The Interpretation and Evaluation of Assurance Cases. Technical Report SRI-CSL-15-01, Computer Science Laboratory, SRI International, Menlo Park, CA (2015)

  • S-18, Aircraft And System Development And Safety Assessment Committee: ARP 4761, Guidelines and Methods for Conducting the Safety Assessment Process on Civil Airborne Systems and Equipment. Society of Automotive Engineers (SAE) (1996)

  • S-18, Aircraft And System Development And Safety Assessment Committee: ARP 4754, Guidelines for Development of Civil Aircraft and Systems. Society of Automotive Engineers (SAE) (2010)

  • Steele, P., Collins, K., Knight, J.: ACCESS: a toolset for safety case creation and management. In: Proceedings of the 29th International Systems Safety Conference (2011)

  • Stevens, P.: A landscape of bidirectional model transformations. In: Lämmel, R., Visser, J., Saraiva, J. (eds.) Generative and Transformational Techniques in Software Engineering II. GTTSE 2007. Lecture Notes in Computer Science, vol. 5235. Springer, Berlin, Heidelberg (2008)

  • Taguchi, K., Daisuke, S., Nishihara, H., Takai, T.: Linking traceability with GSN. In: Proceedings of the IEEE International Symposium on Software Reliability Engineering Workshops (ISSREW), pp. 192–197 (2014). https://doi.org/10.1109/ISSREW.2014.79

  • Takeyama, M.: A Note on D-Cases as Proofs as Programs. Technical Report, National Institute of Advanced Industrial Science and Technology, Osaka, Japan (2010). AIST-PS-2010-007

  • Toulmin, S.E.: The Uses of Argument. Cambridge University Press, Cambridge (1969)

  • UK Civil Aviation Authority (CAA): Small Unmanned Aircraft: Congested Areas Operating Safety Case (CAOSC). Information Notice IN-2014/184 (2014)

  • UK Ministry of Defence (MOD): Safety Management Requirements for Defence Systems (2007)

  • UK Ministry of Defence (MOD): The ‘White Booklet’: An Introduction to System Safety Management in the MOD. Issue 3 (2011)

  • UK Rail Safety Standards Board: Engineering Safety Management. Issue 4 (2007)

  • US Department of Transportation, Federal Aviation Administration (FAA): Software Approval Guidelines. FAA Order 8110.49 Chg 1 (2011)

  • US Department of Transportation, Federal Aviation Administration (FAA): Unmanned Aircraft Systems (UAS) Operational Approval. National Policy N 8900.227 (2013)

  • US Department of Transportation, Federal Aviation Administration (FAA): Flight Standards Information Management System, Volume 16, Unmanned Aircraft Systems. Order 8900.1 (2014)

  • US Food and Drug Administration (FDA): Guidance for Industry and FDA Staff—Total Product Life Cycle: Infusion Pump—Premarket Notification [510(k)] Submissions (2010)

  • Voss, S., Schätz, B., Khalil, M., Carlan, C.: Towards modular certification using integrated model-based safety cases. In: Proceedings of the 25th International Conference on Computer Aided Verification (CAV), Workshop on Assurance and Verification (VeriSure 2013) (2013)

  • Wassyng, A., Maibaum, T., Lawford, M., Bherer, H.: Software certification: is there a case against safety cases? In: Calinescu, R., Jackson, E. (eds.) Foundations of Computer Software. Modeling, Development and Verification of Adaptive Systems. Lecture Notes in Computer Science, vol. 6662. Springer, Berlin, Heidelberg (2011)

  • Weinstock, C.B., Goodenough, J.B., Klein, A.Z.: Measuring assurance case confidence using Baconian probabilities. In: Proceedings of the 1st International Workshop on Assurance Cases for Software-Intensive Systems, ASSURE ’13, pp. 7–11. IEEE Press (2013)

  • Wilson, S., McDermid, J., Kirkham, P., Fenelon, P.: The safety argument manager: an integrated approach to the engineering and safety assessment of computer-based systems. In: Proceedings of the IEEE Symposium and Workshop on Engineering of Computer-Based Systems, pp. 198–205 (1996). https://doi.org/10.1109/ECBS.1996.494529

  • Yang, J.B., Xu, D.L.: On the evidential reasoning algorithm for multiple attribute decision analysis under uncertainty. IEEE Trans. Syst. Man Cybern. Part A Syst. Hum. 32(3), 289–304 (2002)

  • Yuan, T., Kelly, T., Xu, T., Wang, H., Zhao, L.: A Dialogue-based safety argument review tool. In: Proceedings of the 1st International Workshop on Argument for Agreement and Assurance (AAA-2013) (2013)

Acknowledgements

Several individuals have contributed to the development and testing of AdvoCATE. In particular, we thank Josef Pohl, Dwight Naylor (especially for queries), Iain Whiteside (especially for hierarchy), Atef Suleiman, Alfredo Bencomo, Nija Shi, and Peter Tran. We also acknowledge David Bushnell, Martin Feather, Ibrahim Habli, and Lawrence Markosian for providing end-user feedback.

Author information

Correspondence to Ewen Denney or Ganesh Pai.

Additional information

This work has been supported, in part, by the Safe Autonomous Systems Operations (SASO) project of the Airspace Operations and Safety Program, of the NASA Aeronautics Research Mission Directorate.

Cite this article

Denney, E., Pai, G. Tool support for assurance case development. Autom Softw Eng 25, 435–499 (2018). https://doi.org/10.1007/s10515-017-0230-5
