Managing Assurance Cases in Model Based Software Systems

Abstract

Software has emerged as a significant part of many domains, including financial service platforms, social networks, medical devices and vehicle control. In critical domains, standards organizations have responded to this by creating regulations to address issues such as safety, security and privacy. In this context, compliance of software with standards has emerged as a key issue. For companies, compliance is a complex and costly goal to achieve and is often accomplished by producing so-called assurance cases, which demonstrate that the system indeed satisfies the property imposed by a standard (e.g., safety, security, privacy) by linking evidence to support claims made about the system. However, as systems undergo evolution for a variety of reasons, including fixing bugs, adding functionality or improving system quality, maintaining assurance cases multiplies the effort. Increasingly, models and model-driven engineering are being used as a means to facilitate communication and collaboration between the stakeholders in the compliance value chain and, further, to introduce automation into regulatory compliance tasks. A complexity problem also exists with the proliferation of software models in model-based software development, and the field of Model Management has emerged to address this challenge. Model Management focuses on a high-level view in which entire models and their relationships (i.e., mappings between models) can be manipulated using specialized operators to achieve useful outcomes. In this thesis, we exploit this connection between model driven engineering and regulatory compliance, and explore how to use Model Management techniques to address software compliance management issues, focusing on assurance case change impact assessment, evolution and reuse. We support the presented approach with tooling and a case study. Although the main contributions of this thesis are not domain specific, for validation, we ground our approaches in the automotive domain and the ISO 26262 standard for functional safety of road vehicles.