<html>
  <head>
    <meta http-equiv="content-type" content="text/html; charset=iso-8859-1">
    <title></title>
    <style type="text/css">
h1 {
text-decoration: underline;
}
h1, h2, h3, h4  {
color: #336699;
}

span.bold {
font-weight: bold;
}

span.italic {
font-style: italic;
}</style>
  </head>
  <body>
    <h1>Support for Assurance Case Maintenance</h1>
    <p> Throughout the operational life of any system, changing regulatory
      requirements, additional assurance evidence and a changing design can
      challenge the corresponding assurance case. In order to maintain an
      accurate account of the assurance of the system, all such challenges must
      be assessed for their impact on the original assurance argument.</p>
    <h2>Why do we need maintenance? </h2>
    <p>An assurance case consists of many inter-dependent parts: requirements,
      argument, evidence, design and process information. As a result, a single
      change to an assurance case may necessitate many other consequential
      changes - creating a 'ripple effect'. It is significant to recognize the
      importance of every challenge to an assurance case. Furthermore, the
      indirect impact is crucial and one of the biggest challenges. Any of these
      challenges imply re-certification and by extension re-generation of the
      assurance case of a system. The construction and maintenance of assurance
      case arguments is expensive and tedious, as it is mainly a manual process
      that requires a considerable amount of time. Therefore, offering safety
      engineers tool-supported re-evaluation is a big step forward.</p>
    <h2>Change Impact Analysis for Assurance Cases</h2>
    <p>The change impact analysis includes the handling of challenges regarding
      the following different argument elements.</p>
    <ul>
      <li>
        <p>If the challenged item is a Goal, it challenges its relationship to
          both the parent Goal and to the supporting evidence provided. It also
          challenges the solutions that support the Goal.</p>
      </li>
      <li>
        <p>If the challenged item is a Solution, it challenges its role as a
          solution to all goals relying upon it through the SupportedBy
          relationship.</p>
      </li>
      <li>
        <p>If the challenged item is a Context, it challenges the relationship
          with all goals previously expressed in the context of that item using
          the InContextOf relationship. More specifically, changing a Context
          challenges all goals, strategies and solutions that introduce this
          Context. In addition, it challenges all goals, strategies and
          solutions which inherit this Context.</p>
      </li>
    </ul>
    <h3>Potential vs. actual change effect</h3>
    <p>The rules described above constitute the potential change effect and not
      necessarily the actual change. There is a significant difference between
      actual and potential change. The nodes to which the impact of the
      challenge in a connected GSN node propagates are called impacted nodes.
      The potential change includes further analysis of the possible effects on
      the rest of GSN nodes after one element is challenged. A safety engineer
      has to review all the potential challenges and decide upon them.
      ExplicitCase implements as a starting point, the potential change effect.</p>
    <h3>Change Impact Analysis in ExplicitCase</h3>
    <p> The assurance case maintenance in ExplicitCase requires the
      participation of different entities and stakeholders (see Fig. 8). The
      system modeling is done by the system engineer and the GSN modeling of the
      assurance cases by the safety engineer. The safety engineer has also
      responsibilities such as hyperlinking GSN with System Models and
      annotating GSN assurance cases with maintainability information.
      ExplicitCase recognizes challenges to validity of GSN assurance cases and
      identifies the impact of a GSN node challenge. Finally, the safety
      engineer gives input to the system engineer regarding the reasons why,
      after a change in one system model element, other system model elements,
      should be reviewed.</p>
    <figure> <img src="./pictures/MaintenanceExplicitCase.PNG"> <figcaption>Fig.
        8 - Stakeholders in ExplicitCase.</figcaption> </figure>
    <h3>Steps</h3>
    <ol>
      <li> Follow the steps in the section <span class="italic"><span class="bold">"Steps
            to specify the contained elements of a assurance case module"</span></span>
        and build an assurance case module; </li>
      <p> <img src="./pictures/Maintenance1.PNG"></p>
      <li> Select the Solution Argument Element and right-click on it. Click 'Is
        Challenged'; </li>
      <p> <img src="./pictures/Maintenance2.PNG"></p>
      <li> The challenged solution has changed its color to red; </li>
      <p> <img src="./pictures/Maintenance3.PNG"></p>
      <li> Right-click again on the challenged solution. Click 'Show potential
        change impact'; </li>
      <p> <img src="./pictures/Maintenance4.PNG"></p>
      <li> The potentially impacted argument elements, by the challenged
        solution, have turned their color to yellow; </li>
      <p> <img src="./pictures/Maintenance5.PNG"></p>
    </ol>
  </body>
</html>