Principles for Systematic Development of an Assurance Case Template from ISO 26262

Thomas Chowdhury*, Chung-Wei Lin†, BaekGyu Kim†, Mark Lawford*, Shinichi Shiraishi†, and Alan Wassyng*

* McMaster Centre for Software Certification, McMaster University, Hamilton, ON, Canada
† Systems & Software Division, Toyota InfoTechnology Center, Mountain View, CA, USA
Emails: {chowdt2, lawford, wassyng}@mcmaster.ca, {cwlin, bkim, sshiraishi}@us.toyota-itc.com

Abstract—A failure in a critical system can cause death, injury, financial loss, and environmental damage. To develop safe and trustworthy systems, we need to plan the development and assessment of system functionality in advance. Assurance Cases are a generalization of Safety Cases, and are gaining momentum as a preferred way of demonstrating assurance of critical properties in complex software-intensive systems. To cope with the lack of standardized assurance structures, and to encourage safety assessment prior to development, we previously proposed the use of an assurance case template. The principles presented here can be used to build an assurance case template that complies with the functional safety standard, ISO 26262, in a cost-effective way. In the future, such principles may lead to semi-automated development of these templates.

1. Introduction

An assurance case is a popular method we can use to document system safety assurance [1]. According to Bloomfield et al., "An assurance case is a documented body of evidence that provides a convincing and valid argument that a specified set of critical claims about a system's properties are adequately justified for a given application in a given environment" [2]. The assurance case starts with a claim about the properties of the system of interest that is supported by a structure of sub-claims, eventually supported by evidence.
This structure is easier to understand in a graphical format, and a popular notation is Goal Structuring Notation (GSN), developed by Kelly [3]. An assurance case template is a complete assurance case for a product-line, developed prior to building products of that product-line. An essential aspect of system safety assurance for safety critical systems is that it is necessary to plan and document, as early as possible, how and why the system will be developed and assessed. Such a template supports this approach. The template includes optional argument paths dependent on the specific product, kinds of required evidence, and acceptance criteria for the evidence [4]. A skeleton of an assurance case template is shown in Figure 1. The arrows in this diagram and other assurance case extracts in this paper are drawn from a parent to a sub-claim, which is the convention popularized by GSN.

[Figure 1. Assurance case template (modified from [4]).]

The main contribution of this paper is to define principles we can use to develop an assurance case template that complies with a standard such as ISO 26262 (Road vehicles—Functional safety [5]). ISO 26262 is the de facto standard for functional safety of automotive vehicles. It deals with the electrical and electronic components of automotive vehicles—including software. We intend that the contribution of this paper will eventually pave the way to semi-automated development of such templates.

2. Literature Review

There have been a number of works related to building assurance cases compliant with existing standards, or using assurance cases to represent implicit safety arguments in a standard. The first such attempt was made by Ankrum and Kromholz, who targeted three standards in 2005 [6].
In recent years, Holloway [7] described initial attempts at classifying DO-178C (the de facto civil aviation standard)