Downloadable Resources

There are a number of research papers, reports and standards that can be of interest to those learning about CAE, GSN and assurance cases. This set of resources aggregates some of them to provide additional information on the topic. The first set provides an overview of safety and assurance cases, following this are specific papers based on the CAE framework, then papers on GSN.


The Adelard Safety Case Development (ASCAD) Manual by Adelard

The manual is created by Adelard and is provided free of charge in support of the CAE community. Copyright is retained by Adelard. Please read the conditions of use, and submit a download request form on our website to retrieve a copy.

Assurance 2.0 by Robin. E. Bloomfield and John Rushby

Assurance 2.0, as an enabler that supports innovation and continuous incremental assurance. Perhaps unexpectedly, it does so by making assurance more rigorous, with increased focus on the reasoning and evidence employed, and explicit identification of defeaters and counterevidence.

Towards Identifying and closing Gaps in Assurance of autonomous Road vehicleS -- a collection of Technical Notes Part 1 and 2 by Robin. E. Bloomfield, Gareth Fletcher, Heidy Khlaaf, Philippa Ryan, Shuji Kinoshita, Yoshiki Kinoshit, Makoto Takeyama, Yutaka Matsubara, Peter Popov, Kazuki Imai, Yoshinori Tsutake

The Tigars project has published a series of Technical Topic Notes on assuring autonomous systems. The notes are available in two bundles. Part 1 addresses: Assurance-overview and issues, Resilience and Safety Requirements, Open Systems Perspective and Formal Verification and Static Analysis of ML Systems. Part 2 addresses: Simulation and Dynamic Testing, Defence in Depth and Diversity, Security-Informed Safety Analysis, Standards and Guidelines.

Safety and Assurance Cases: Past, Present and Possible Future – an Adelard Perspective by Robin. E. Bloomfield

This paper focuses on the approaches used in safety cases for software based systems. The author outlines the history of approaches for assuring the safety of software-based systems, the current uptake of safety and assurance cases and the current practice on structured safety cases. Directions for further development are discussed.

Using Safety Cases in Industry and Healthcare by The Health Foundation

Adelard was a significant contributor to a study commissioned by the UK Health Foundation in 2012 that produced a comprehensive review of the use of safety cases in the industry, aiming to determine how healthcare in the UK could use safety cases in the future.
[December 2012]

The Interpretation and Evaluation of Assurance Cases by John Rushby

The report provides an introduction to assurance cases. Although this material should be accessible to all those with an interest in these topics, the examples focus on software for airborne systems, traditionally assured using the DO-178C guidelines and its predecessors. The report considers the criteria, methods, and tools that may be used to evaluate whether an assurance case provides sufficient confidence that a particular system or service is fit for its intended use.

The Safety Case: Its Development and Use in the United Kingdom by J. R. Inge

This paper shows how different UK industries have developed and adapted the concept and principles of the Safety Case to demonstrate their understanding and management of risks within their business.


Security-Informed Safety: If It’s Not Secure, It’s Not Safe by Robin. E. Bloomfield,  Kate Netkachova, Robert J. Stroud

Traditionally, safety and security have been treated as separate disciplines, but this position is increasingly becoming untenable and stakeholders are beginning to argue that if it’s not secure, it’s not safe. In this paper we present some of the work we have been doing on “security-informed safety”. Our approach is based on the use of structured safety cases and we discuss the impact that security might have on an existing safety case. We also outline a method we have been developing for assessing the security risks associated with an existing safety system such as a large-scale critical infrastructure.
[In Proceedings of 5th International Workshop on Software Engineering for Resilient Systems (SERENE 2013), Kiev, Ukraine, Oct 2013]

Building Blocks for Assurance Cases by Robin. E. Bloomfield and Kate Netkachova

 The paper introduces an approach to structuring assurance cases using specially-designed CAE building blocks. The blocks are derived from an empirical analysis of the real case structures and can standardise the presentation of assurance cases by simplifying their architecture. CAE building blocks might also increase the precision and efficiency of the claims in arguments and can be used as self-contained reusable components of formal and semi-formal assurance cases.
[Paper presented at the International Symposium on Software Reliability Engineering (ISSRE), 03-11-2014 – 06-11-2014, Naples, Italy.]

Using an Assurance Case Framework to Develop Security Strategy and Policies by Robin. E. Bloomfield, Peter. G. Bishop, Eoin Butler, Kate Netkachova

 Assurance cases have been developed to reason and communicate about the trustworthiness of systems. Recently we have also been using them to support the development of policy and to assess the impact of security issues on safety regulation. In the example we present in this paper, we worked with a safety regulator (anonymised as A Regulatory Organisation (ARO) in this paper) to investigate the impact of cyber-security on safety regulation.
[Lecture Notes in Computer Science, 10489, pp. 27-38.]

Understanding, Assessing and Justifying I&C Systems using Claims, Arguments and Evidence by Sofia Guerra

I&C systems important to safety need to be demonstrably safe. Usually this is performed by demonstrating compliance with some relevant standards. This paper argues that compliance is not necessarily enough, and suggested using a claim-based approach to understand, assess and justify the safety of I&C systems.
[In Nuclear Safety and Simulation, Volume 5, Number 4, December 2014, pages 291-298.]

A Layered Approach to Architecting Security-Informed Safety Cases (applied to an avionics case study) by Netkachova, K., Müller, K., Paulitsch, M. and Bloomfield, R.

The paper describes a layered approach to analysing safety and security in a structured way and creating a security-informed safety case. The approach is applied to a case study – a Security Gateway controlling data flow between two different security domains implemented with a separation kernel based operating system in an avionics environment. We discuss some findings from the case study, show how the approach identifies and ameliorates important interactions between safety and security and supports the development of complex assurance case structures.
[Digital Avionics Systems Conference (DASC), 2015 IEEE/AIAA 34th, 1-36.]

Using Structured Assurance Case Approach to Analyse Security and Reliability of Critical Infrastructures by Netkachova, K., Bloomfield, R., Popov, P. and Netkachov, O.

The evaluation of the security, reliability and resilience of critical infrastructures (CI) faces a wide range of challenges ranging from the scale and tempo of attacks to the need to address complex and interdependent systems of systems. Model-based approaches and probabilistic design are fundamental to the evaluation of CI and we need to know whether we can trust these models. This paper presents an approach to justify the models used to assure CI using structured assurance cases based on Claims, Arguments and Evidence (CAE). The modelling and quantitative evaluation of the properties are supported by the Preliminary Interdependency Analysis (PIA) method and platform applied to a case study – a reference power transmission network enhanced with an industrial distributed system of monitoring, protection and control.
[Paper presented at the SAFECOMP 2015 Workshops, ASSURE, DECSoS, ISSE, ReSA4CI, and SASSUR, 22-09-2015, Delft, Netherlands.]

Guidance on the Assessment of  change Safety Cases by CAA

Currently the UK CAA is developing “Guidance on the Assessment of  change Safety Cases” (v4.12, 2018). This provides a systematic approach for Competent Authorities to assess a safety case for a change to a system providing an operational service. The guidance requires that the arguments presented in a change safety case must make valid claims, using valid inferences (reasoning/‌justifications) and evidence. It provides practical guidance on achieving this. The executive summary and table of contents are available to download.


A systematic approach for developing software safety arguments by Richard Hawkins and Tim Kelly

The paper provides a systematic approach to software safety argument construction which explicitly considers and addresses assurance. The approach has two key elements which, when used together, facilitate the construction of compelling software safety arguments. Firstly a method for argument construction is proposed, this method extends an existing method by explicitly considering assurance at each step. Secondly a set of software safety argument patterns have been developed. These patterns document reusable software safety argument structures which may be instantiated for the system under consideration. These patterns again build on existing work, and have been developed such that they highlight as clearly as possible where assurance may be gained and lost during the development of the argument.

A New Approach to Creating Clear Safety Arguments by Richard Hawkins, Tim Kelly, John Knight, and Patrick Graydon

The paper introduces assured safety arguments, a new structure for arguing safety in which the safety argument is accompanied by a confidence argument that documents the confidence in the structure and bases of the safety argument. This structure separates the major components that have traditionally been confused within a single safety argument structure. Separation gives both arguments greater clarity of purpose, and helps avoid the introduction of superfluous arguments and evidence. In this paper the authors describe a systematic approach to establishing both arguments, illustrated with a running example.

GSN Draft Standard is a Comprehensive, Authoritative Definition of the Goal Structuring Notation (GSN)

It aims to provide clear guidance on the current best practice in use of the notation for those concerned with the development and evaluation of engineering arguments – argument owners, readers, authors and approvers. The standard was developed by means of a consensus process involving GSN users from both academia and industry, between 2007 and 2010, and is available to the GSN User Community and other interested parties for comment.