
Automated Software Engineering, Volume 25, Issue 3, pp. 435–499

Tool support for assurance case development

  • Ewen Denney
  • Ganesh Pai

Abstract

Argument-based assurance cases, often represented and organized using graphical argument structures, are increasingly being used in practice to provide assurance to stakeholders, e.g., regulatory authorities, that a system is acceptable for its intended use with respect to dependability and safety concerns. In general, comprehensive system-wide assurance arguments aggregate a substantial amount of diverse information, such as the results of safety analysis, requirements analysis, design, verification and other engineering activities. Although a variety of assurance case tools exist, many desirable operations on argument structures such as hierarchical and modular abstraction, argument pattern instantiation, and inclusion/extraction of richly structured information have limited to no automation support. To close this automation gap, over the past four years we have been developing a toolset for assurance case automation, AdvoCATE, at the NASA Ames Research Center. This paper describes how AdvoCATE is being engineered atop formal foundations for assurance case argument structures, to provide unique capabilities for: (a) automated creation and assembly of assurance arguments, (b) integration of formal methods into wider assurance arguments, (c) automated pattern instantiation, (d) hierarchical abstraction, (e) queries and views, and (f) verification of arguments. We (and our colleagues) have used AdvoCATE in real projects for safety assurance, in the context of unmanned aircraft systems.
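The abstract lists structural operations on argument structures (hierarchical abstraction, queries and views, verification of arguments) without showing what such a structure looks like in code. The following Python sketch is an added illustration, not AdvoCATE's data model, API or checking rules: it models a GSN-style argument as a directed graph of goals, strategies and solutions, enforces assumed well-formedness rules (a single top-level goal, no unsupported goal or strategy unless explicitly marked undeveloped, no cycles in the support relation, only permitted kinds of support), and offers one simple query, the evidence reachable beneath a goal. The node kinds and support rules loosely follow the core elements of the GSN Community Standard; the sample argument is constructed for the example.

```python
from collections import defaultdict

GOAL, STRATEGY, SOLUTION = "goal", "strategy", "solution"

# Assumed support rules (which node kinds may support which), loosely following
# the GSN Community Standard: a goal is supported by strategies, sub-goals or
# solutions; a strategy is supported only by goals; a solution is an evidence
# leaf and supports nothing. This is an illustration, not AdvoCATE's rule set.
ALLOWED_SUPPORT = {
    GOAL: {STRATEGY, GOAL, SOLUTION},
    STRATEGY: {GOAL},
    SOLUTION: set(),
}


class Argument:
    """Directed graph of argument nodes; an edge parent -> child records that
    `child` supports `parent` (GSN 'SupportedBy')."""

    def __init__(self):
        self.kind = {}                      # node id -> kind
        self.undeveloped = set()            # goals deliberately left open
        self.children = defaultdict(list)   # parent -> its supporters
        self.parents = defaultdict(list)    # child -> nodes it supports

    def add(self, node_id, kind, undeveloped=False):
        if kind not in ALLOWED_SUPPORT:
            raise ValueError(f"unknown node kind {kind!r}")
        self.kind[node_id] = kind
        if undeveloped:
            self.undeveloped.add(node_id)
        return node_id

    def support(self, parent, child):
        """Record that `child` supports `parent`; a kind mismatch is rejected."""
        if self.kind[child] not in ALLOWED_SUPPORT[self.kind[parent]]:
            raise ValueError(
                f"{self.kind[child]} {child} may not support {self.kind[parent]} {parent}")
        self.children[parent].append(child)
        self.parents[child].append(parent)

    def check(self):
        """Return a list of structural problems; an empty list means well-formed."""
        problems = []
        roots = [n for n in self.kind if not self.parents[n]]
        if len(roots) != 1 or self.kind[roots[0]] != GOAL:
            problems.append(f"expected a single top-level goal, found roots {sorted(roots)}")
        for n, k in self.kind.items():
            if k in (GOAL, STRATEGY) and not self.children[n] and n not in self.undeveloped:
                problems.append(f"{k} {n} has no support and is not marked undeveloped")
        problems.extend(f"cycle through {n}" for n in self._nodes_on_cycles())
        return problems

    def _nodes_on_cycles(self):
        # Three-colour depth-first search; a back edge to a grey node is a cycle.
        white, grey, black = 0, 1, 2
        colour = {n: white for n in self.kind}
        found = []

        def visit(n):
            colour[n] = grey
            for c in self.children[n]:
                if colour[c] == grey:
                    found.append(c)
                elif colour[c] == white:
                    visit(c)
            colour[n] = black

        for n in self.kind:
            if colour[n] == white:
                visit(n)
        return found

    def evidence_for(self, goal):
        """A simple query/view: the solutions reachable beneath `goal`."""
        seen, stack, out = set(), [goal], []
        while stack:
            n = stack.pop()
            if n in seen:
                continue
            seen.add(n)
            if self.kind[n] == SOLUTION:
                out.append(n)
            stack.extend(self.children[n])
        return sorted(out)


def build_example():
    """Constructed sample: a small, well-formed hazard-based argument."""
    a = Argument()
    a.add("G1", GOAL)                    # top-level claim: operation is acceptably safe
    a.add("S1", STRATEGY)                # argue over each identified hazard
    a.add("G2", GOAL)                    # hazard H1 is adequately mitigated
    a.add("G3", GOAL, undeveloped=True)  # hazard H2: deliberately left open for now
    a.add("Sn1", SOLUTION)               # test report for the H1 mitigation
    a.add("Sn2", SOLUTION)               # analysis result for the H1 mitigation
    a.support("G1", "S1")
    a.support("S1", "G2")
    a.support("S1", "G3")
    a.support("G2", "Sn1")
    a.support("G2", "Sn2")
    return a


def build_defective():
    """The same argument with two constructed defects: an unsupported goal that
    is not marked undeveloped, and a support cycle between two goals."""
    a = build_example()
    a.add("G4", GOAL)
    a.support("G1", "G4")
    a.add("G5", GOAL)
    a.support("G2", "G5")
    a.support("G5", "G2")
    return a


if __name__ == "__main__":
    print("well-formed:", build_example().check())
    print("defective:", build_defective().check())
    print("evidence under G1:", build_example().evidence_for("G1"))
```

Running the module reports no problems for the first argument, and for the second it names the unsupported goal G4 and the cycle through G2, which is the kind of structural finding a reviewer would otherwise have to spot by eye in a large diagram.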

Keywords

Assurance cases, Safety cases, Automation, Tool support, Formal methods

Acknowledgements

Several individuals have contributed to the development and testing of AdvoCATE. In particular, we thank Josef Pohl, Dwight Naylor (especially for queries), Iain Whiteside (especially for hierarchy), Atef Suleiman, Alfredo Bencomo, Nija Shi, and Peter Tran. We also acknowledge David Bushnell, Martin Feather, Ibrahim Habli, and Lawrence Markosian for providing end-user feedback.

Copyright information

© Springer Science+Business Media, LLC 2017

Authors and Affiliations

  1. SGT / NASA Ames Research Center, Moffett Field, USA