CONTENTS

13.1 Standards-Based Development
  13.1.1 The Role of Standards
  13.1.2 Challenges with Standards
13.2 Assurance Cases
  13.2.1 The Role of an Assurance Case
  13.2.2 State-of-the-Practice
  13.2.3 Improving the State-of-the-Practice
  13.2.4 Aiming for State-of-the-Art
    13.2.4.1 Argumentation
    13.2.4.2 Confidence
13.3 Assurance Case Templates
  13.3.1 What Is an Assurance Case Template?
  13.3.2 Characteristics of an Assurance Case Template
    13.3.2.1 Characteristics of State-of-the-Art Assurance Cases
    13.3.2.2 Characteristics Essential for an Assurance Case Template
  13.3.3 Acceptance Criteria and Confidence
  13.3.4 Dealing with Evidence
  13.3.5 Product-Domain Specific
  13.3.6 Different Development Processes
  13.3.7 Suggested Structure
  13.3.8 Example: Infusion Pumps
13.4 Assurance Case Templates as Standards
  13.4.1 Using an Assurance Case Template as a Standard
  13.4.2 Problems in Constructing Assurance Case Templates
    13.4.2.1 General Problems
    13.4.2.2 Problems Especially Related to CPS
  13.4.3 Benefits of Using an Assurance Case Template as a Standard
13.5 Conclusion
References

ABSTRACT

Cyber-physical systems (CPSs) are extremely complex systems that combine components with both physical and cyber interfaces, and potentially complex interactions between these parts. They are also often both security and safety critical, since the physical system being controlled can harm people. It is imperative that these systems be developed and certified to be safe, secure, and reliable; hence the focus on Trustworthy Cyber-Physical Systems. The current safety-critical or high-integrity standards primarily set out objectives for the process, as is typical in much of software engineering. Thus, the acceptance criteria in these standards apply to the development process much more than to the product being manufactured. Having manufacturers use these "good" processes is, indeed, advantageous. However, their use does not guarantee a "good" product, except in a statistical sense. We need to evaluate the quality of the product, not only the process by which it was built [1].