A Technical History of the SEI
system is safe); (2) evidence supporting the claim (e.g., a hazard analysis), which can take many forms, including test results, formal analyses, simulation results, fault-tree analyses, hazard analyses, modeling, and inspections; and (3) an argument explaining how the evidence is linked to the claim.

It is important that an assurance case be reviewable. A single claim ("The system does what it's supposed to do") backed by a single complex argument that links myriad evidence to that claim is therefore not appropriate. Instead of taking such a large step, the claim is typically broken into subclaims, each of which can in turn be broken into another level of subclaims, until the step from a subclaim to the evidence that supports it is almost obvious.
SEI work in assurance cases was initially funded by the NASA High Dependability Computing Project, beginning in 2002. On that project, the SEI worked with researchers at Carnegie Mellon University to introduce advanced thinking into NASA for use with various space projects, including the Mars Lander and the NASA Mission Data System (MDS), which had an unusual architecture that raised concerns about reliability. The SEI adapted ideas presented in a PhD thesis by Kelly at the University of York [Kelly 1998].
The Consequence: Assurance Cases Used in Practice
Application of assurance cases for certification has not been fully implemented yet, but it is an idea that many are considering and discussing. For example, NASA developed, with SEI assistance, an assurance case practice. For its Constellation project, the SEI contributed to NASA's safety requirements document, which specified the use of an assurance case to demonstrate safety. Although the assurance case requirement did not survive final review by NASA and its contractors, and the Constellation project was subsequently cancelled, the idea of assurance cases was distributed within NASA, leading to research projects on assurance cases that continue to this day.
In 2006 the SEI was approached by the U.S. Food and Drug Administration (FDA). As a result of a number of safety incidents with infusion pumps, the FDA wished to improve the thoroughness of its review process and to improve the engineering done by manufacturers to assure safety. SEI work on the use of assurance cases in the development of medical devices [Weinstock 2009] led directly to the FDA's issuing draft guidance to manufacturers recommending the use of assurance cases and providing guidance for their use. As a result, infusion pump manufacturers are beginning to make use of assurance cases. The FDA is the only official agency of the U.S. government that has formally called for the use of assurance cases in its guidance to date.
The SEI Contribution
The idea that a structured argument is better than an unstructured argument is prevalent in Great Britain, where the Ministry of Defence (MoD) has for a decade or more required that an assurance-case kind of structure be presented for certain types of MoD systems. Subsequent to the start of the SEI's work in this area, the importance of assurance case concepts was recognized by the National Research Council in its report "Software for Dependable Systems: Sufficient Evidence?" [Jackson 2007].
The SEI has been instrumental in developing the assurance case from the existing European safety case concept, and in showing how the cases can be used in various areas, such as aerospace and
CMU/SEI-2016-SR-027 | SOFTWARE ENGINEERING INSTITUTE | CARNEGIE MELLON UNIVERSITY 227
Distribution Statement A: Approved for Public Release; Distribution is Unlimited.