ASSURANCE CASE FOR SAFETY AND SECURITY IMPLEMENTATION: A SURVEY OF APPLICATIONS
Keywords:Assurance Case, safety, security, dependability
This paper presents a survey of Assurance Case implementation for applications which are not directly related to the usual for Assurance Case regulatory regime. The UK is the country which first developed the theory of Assurance Case as a response to big catastrophes, and most applies Assurance Case regime for many industrial domains. USA, Australia and EU countries apply Assurance Case approach for safety and security regulation and licensing. For the last two decades Assurance Case has been used mostly for confirmation analysis of critical systems with established set of regulatory requirements. There are proven standards of use, notations and tools to support Assurance Case methodology. However, many researchers have tried to find approach to expand Assurance Case application to communicating domains. We group the following directions of Assurance Case applications as the following ones: Assurance Case for attributes assessment such as quality, dependability and, first of all, safety and security, Assurance Case based certification, improvement of argumentation, assurance based development, and Assurance Case for knowledge management. The main challenges and solutions of development and application of Assurance Case methodology, techniques and tools have been analyzed.
GSN Community Standard, Version 1, Origin Consulting (York) Limited, York, UK, 2011, 64 p.
Evidence: Using safety cases in industry and healthcare, Health Foundation, London, UK, 2012, 32 p.
S. Toulmin, The Uses of Argument, Cambridge University Press, 1958, 268 p.
W. Cullen, The Public Enquiry into the Piper Alpha Disaster, Department of Energy, London, UK, 1990, 488 p.
T. Kelly, Arguing Safety: A Systematic Approach to Managing Safety Cases. PhD Thesis, University of York, UK, 1998, 341 p.
The Adelard Safety Case Development (ASCAD) Manual, [Online]. Available: http://www.adelard.com/resources/ascad/
Structured Assurance Case Metamodel, v2.0, Object Management Group, 2016, 56 p.
R. Wei, T.Kelly, X. Dai, S. Zhao, R. Hawkins, “Model based system assurance using the structured assurance case metamodel,” Journal of Systems and Software, vol. 154, pp. 211-233, 2019.
ISO/IEC/IEEE 15026:2019, Systems and software engineering – Systems and software assurance (in 4 parts), ISO, Geneva, Switzerland, 2019.
ISO 26262:2011, Road vehicles – Functional safety, ISO, Geneva, Switzerland, 2011.
P. Bishop, R. Bloomfield. “A methodology for safety case development,” Safety and Reliability, vol. 20, issue 1, 2000, pp. 34-42.
V. Sklyar, V. Kharchenko, “Assurance case driven design based on the harmonized framework of safety and security requirements,” Proceedings of the 13th International Conference on ICT in Education, Research and Industrial Applications, Kyiv, Ukraine, May 15-18, 2017, pp. 670-685.
V. Kharchenko, V. Sklyar. “Assurance case driven design for software and hardware description language based systems,” Radioelectronic and Computer Systems, no. 5(79), 2016, pp. 98-103.
V. Sklyar, V. Kharchenko, “Green assurance case: Applications for Internet of Things,” in: V. Kharchenko, Y. Kondratenko, J. Kacprzyk (Eds.), Green IT Engineering: Social, Business and Industrial Applications, Springer, 2019, pp. 351-371.
M. Maksimov, N. Fung, S. Kokaly, M. Chechik, “Two decades of assurance case tools: A survey,” in: B. Gallina, A.Skavhaug, E. Schoitsch, F. Bitsch (Eds.), Computer Safety, Reliability, and Security, Springer, 2018, pp. 49-59.
Adelard ASCE Software, [Online]. Available at: https://www.adelard.com/asce/choosing-asce/index/
Astah GSN Editor Overview, [Online]. Available at: http://astah.net/editions/gsn
NOR-STA: Support for Achieving and Assessing Conformance to NORms and STAndards, [Online]. Available at: https://www.nor-sta.eu/en
E. Denney, G. Pai, Tool Support for Assurance Case Development. ARC-E-DAA-TN48294, NASA Ames Research Center, Moffett Field, CA, USA, 64 p.
C. Weinstock, J. Goodenough, J. Hudak, Dependability Cases. CMU/SEI-2004-TN-016, SEI/CMU, Pittsburgh, PA, USA, 2004, 30 p.
C. Haddon-Cave, The Nimrod Review. An independent review into the broader issues surrounding the loss of the RAF Nimrod MR2 Aircraft XV230 in Afghanistan in 2006, London, UK, Crown Copyright, 2009, 585 p.
R. Ellison, J. Goodenough, C. Weinstock, C. Woody, Survivability Assurance for System of Systems. Technical Report CMU/SEI-2008-TR-008, CMU/SEI, Pittsburgh, PA, USA, 2008, 63 p.
T. Rhodes, F. Boland, E. Fong, M. Kass. “Software assurance using structured assurance case models,” Journal of Research of the NIST, vol. 115, issue 3, pp. 209-216, 2010.
D. Firesmith, P. Capell, J. Elm, M. Gagliardi, T. Morrow, L. Roush, L. Sha, QUASAR: A Method for the Quality Assessment of Software-Intensive System Architectures, CMU/SEI-2006-HB-002, CMU/SEI, Pittsburgh, PA, USA, 2006, 266 p.
L. Sun, W. Zhang, T. Kelly, “Do safety cases have a role in aircraft certification?” Procedia Engineering, vol. 17, pp. 358-368, 2011.
T. Ankrum and A. Kromholz, “Structured assurance cases: Three common standards,” Proceedings of the 9th IEEE International Symposium on High-Assurance Systems Engineering, Heidelberg, Germany October 12-14, 2005, pp. 99-108.
ISO/IEC 15408:2009 Information technology – Security techniques – Evaluation criteria for IT security, ISO, Geneva, Switzerland, 2009.
RTCA/DO-178 Software Considerations in Airborne Systems and Equipment Certification, RTCA, Washington DC, 2011.
ISO 14971:2007 Medical devices – Application of risk management to medical devices, ISO, Geneva, Switzerland, 2007.
R. Hawkins, I. Habli, T. Kelly, J. McDermid, “Assurance cases and prescriptive software safety certification: A comparative study,” Safety Science, vol. 59, 2013, pp. 55–71.
M. Holloway, “Explicate ‘78: Uncovering the Implicit Assurance Case in DO–178C,” Proceedings of the 23rd Safety-Critical Systems Symposium, Bristol, UK, February 3-5, 2015.
P. Graydon, J. Knight and M. Green, “Certification and Safety Cases,” Proceedings of the 28th International Systems Safety Conference, Minneapolis, MN USA, August 30 – 3 September 04, 2010, pp. 235-244.
P. Graydon and C. Holloway, “Evidence under a Magnifying Glass: Thoughts on Safety Argument Epistemology,” Proceedings of the 10th IET System Safety and Cyber-Security Conference, Bristol, UK, October 21-22, 2015.
L. Duan, S. Rayadurgam, M. Heimdahl, A. Ayoub, O. Sokolsky, I. Lee, “Reasoning about confidence and uncertainty in assurance cases: A survey,” in: M. Huhn, L. Williams (Eds) Software Engineering in Health Care, Springer, 2017, pp. 64-80.
J. Rushby. The Interpretation and Evaluation of Assurance Cases. Technical Report SRI-CSL-15-01, SRI International, Menlo Park, CA, USA, 2015, 127 p.
J. Goodenough, C. Weinstock, A. Klein. Eliminative Argumentation: A Basis for Arguing Confidence in System Properties February, Technical Report, CMU/SEI-2015-TR-005, CMU/SEI, Pittsburgh, PA, USA, 2015, 71 p.
X. Zhao, D. Zhang, M. Lu, F. Zeng, “A new approach to assessment of confidence in assurance cases,” in: F. Ortmeier, P. Daniel (Eds.), Computer Safety, Reliability and Security, Springer, 2012, pp. 79–91.
D. Hitchcock. “good reasoning on the Toulmin model,” Argumentation, vol. 19, issue 3, pp. 373–391, 2005.
R. Hawkins, T. Kelly, J. Knight, P. Graydon, “A new approach to creating clear safety arguments,” Proceedings of the 19th Safety Critical Systems Symposium, Southampton, UK, February 8-10, 2011, pp. 3 23.
R. Bloomfield, B. Littlewood and D. Wright, “Confidence: Its role in dependability cases for risk assessment,” in: Proceedings of the International Conference on Dependable Systems and Networks, Edinburgh, UK, June 25-28, 2007, pp. 338–346.
B. Littlewood, D. Wrigh. “The use of multilegged arguments to increase confidence in safety claims for software-based systems: A study based on a BBN analysis of an idealized example,” IEEE Transactions on Software Engineering, vol. 33, issue 5, pp. 347–365, 2007.
P. Graydon, J. Knight. Assurance Based Development. Technical Report CS-2009-10, University of Virginia, Charlottesville, VA, USA, 2009, 43 p.
I. Sljivo, B. Gallina, J. Carlson, H. Hansson, “Generation of safety case argument-fragments from safety contracts,” in: A. Bondavalli, F. Di Giandomenico (Eds.), Computer Safety, Reliability, and Security, Springer, 2014, pp. 170-185.
I. Sljivo, O. Jaradat, I. Bate and P. Graydon, “Deriving safety contracts to support architecture design of safety critical systems,” in: Proceedings of the 2015 IEEE 16th International Symposium on High Assurance Systems Engineering, Washington DC, USA, January 08-10, 2015, pp. 126-133.
E. Jee, I. Lee, O. Sokolsky, “Assurance cases in model-driven development of the pacemaker software,” in: T. Margaria, B. Steffen (Eds.), Leveraging Applications of Formal Methods, Verification, and Validation, Springer, 2010, pp. 343-356.
R. Hawkins, I. Habli, D. Kolovos, R. Paige and T. Kelly, “Weaving an assurance case from design: A model-based approach,” in Proceedings of IEEE 16th International Symposium on High Assurance Systems Engineering, Daytona Beach, Florida, USA, January 8-10, 2015, pp. 110-117.
R. Calinescu, S. Gerasimou, I. Habli, M. Iftikhar, T. Kelly, D. Weyns. “Engineering trustworthy self-adaptive software with dynamic assurance cases,” IEEE Transactions on Software Engineering, vol. 44, issue 11, pp. 1-30, 2018.
A. Gacek, J. Backes, D. Cofer, K. Slind and M. Whalen, “Resolute: An assurance case language for architecture models,” Proceedings of the 2014 ACM SIGAda Annual Conference on High Integrity Language Technology, Portland, OR, USA, October 18-21, 2014, pp. 19-28.
N. Kobayashi, A. Nakamoto, N. Kawase, F. Sussan, S. Shirasaka. “What model(s) of assurance cases will increase the feasibility of accomplishing both vision and strategy?” Review of Integrative Business and Economics Research, vol. 7, issue 2, pp. 1-17, 2018.
R. Gallo, R. Dahab, “Assurance cases as a didactic tool for information security,” in: M. Bishop, N. Miloslavskaya, M. Theocharidou (Eds.), Information Security Education Across the Curriculum, Springer, 2015, pp. 15-26.
B. Smith, M. Feather and T. Huntsberger, “A hybrid method of assurance cases and testing for improved confidence in autonomous space systems,” Proceedings of the AIAA SciTech 2018 Forum, Kissimmee, FL, USA, January 8-12, 2018, pp. 1566-1577.
K. Kakimoto, K. Sasaki, H. Umeda, and Y. Ueda, “IV&V case: Empirical study of software independent verification and validation based on safety case,” Proceedings of the 2017 IEEE International Symposium on Software Reliability Engineering Workshops, Toulouse, France, October 23-26, 2017, pp. 32-35.
O. Illiashenko, O. Potii, and D. Komin, “Advanced security assurance case based on ISO/IEC 15408,” Proceedings of the 10th Conference on Dependability and Complex Systems, Brunów, Poland, June 29 – July 3 2015, pp. 391-401.
How to Cite
LicenseInternational Journal of Computing is an open access journal. Authors who publish with this journal agree to the following terms:
• Authors retain copyright and grant the journal right of first publication with the work simultaneously licensed under a Creative Commons Attribution License that allows others to share the work with an acknowledgement of the work's authorship and initial publication in this journal.
• Authors are able to enter into separate, additional contractual arrangements for the non-exclusive distribution of the journal's published version of the work (e.g., post it to an institutional repository or publish it in a book), with an acknowledgement of its initial publication in this journal.
• Authors are permitted and encouraged to post their work online (e.g., in institutional repositories or on their website) prior to and during the submission process, as it can lead to productive exchanges, as well as earlier and greater citation of published work.