Please use this identifier to cite or link to this item:
http://hdl.handle.net/11375/26941
Title: Assurance Case Templates: Principles for Their Development and Criteria for Their Evaluation
Authors: Chowdhury, Thomas
Advisor: Wassyng, Alan
Department: Computing and Software
Publication Date: 2021
Abstract: An Assurance Case (AC) captures and presents the explicit reasoning associated with assuring critical properties of a software-intensive system, such as safety. This thesis contributes specifically to how we build effective ACs and how we can evaluate the quality of an AC. Rather than simply adding yet another set of patterns to the existing AC literature, we developed ten principles for constructing ACs from existing safety and security standards. This is the first contribution of this thesis. An Assurance Case Template (ACT) is a complete assurance case that guides the development of systems within a product line. In most cases, safety-critical systems have to comply with existing standards. Thus, an ACT that complies with a relevant standard can be used to guide the development of systems that must comply with that standard. We applied our principles to ISO 26262 (functional safety for automotive vehicles) and SAE J3061 (cyber-security), and used a specialization of the resulting ACT in a case study to guide us in pre-emptively mitigating potential vulnerabilities in automotive over-the-air update implementations. A vital attribute of an AC is that it facilitates the identification of fallacies in the validity of any claim. There is considerable published research on confidence in ACs, which primarily concerns a measure of the soundness of reasoning. Evaluation of an AC should be more general than measuring confidence and should consider multiple aspects of the quality of an AC. Standard evaluation criteria could play a significant role in making the evaluation process more systematic. Another contribution of this research is the identification of effective evaluation criteria for ACs. To this end, we developed five criteria for evaluating the structure and seven criteria for evaluating the content of an assurance case.

A final contribution of the thesis is the development of detailed AC evaluation methods that use the aforementioned evaluation criteria, from the perspective of the developer of the AC as well as from the perspective of an external reviewer. The evaluation criteria and methods are applied in a simple case study to demonstrate how they may be used in practice.
Appears in Collections: Open Access Dissertations and Theses
Files in This Item:

File | Description | Size | Format
---|---|---|---
ThomasChowdhuryPhDThesis.pdf | PhD Thesis | 21.19 MB | Adobe PDF
ThomasChowdhuryPhDThesisAppendices.pdf | Appendices for the Thesis | 12.39 MB | Adobe PDF
Items in MacSphere are protected by copyright, with all rights reserved, unless otherwise indicated.