Most safety–critical systems are subject to rigorous assurance processes to justify that the systems satisfy given requirements and are dependable. These processes are typically conducted in compliance with standards and require the provision of assurance evidence in the form of system artifacts, such as system specifications and testing results. The management of assurance evidence is usually a complex process because of the large number of artifacts to deal with, the amount of information to gather about the artifacts, and the need to guarantee evidence quality, among other issues. Our aim is to facilitate assurance evidence management by means of a model-based approach. The approach is based on a metamodel that defines the information to be collected about evidence artifacts during their lifecycle. A process for assurance evidence management and usage guidance are also presented. The approach has been developed in the scope of several industry-academia projects, implemented in the OpenCert tool, and validated by practitioners in 10 industrial case studies. Based on the results of the validation, we argue that the approach is an effective means for assurance evidence management and that it could improve the state of the practice.

Throughout the paper, we use the terms assurance evidence, evidence, artifact, and evidence artifact interchangeably to refer to the same concept.
We have noticed that problems might exist with the access to some deliverables that contain information about the approach presented. If a deliverable is not available online, please contact the first author.
Appendix A
Appendix A
1.1 Elements of the assurance evidence metamodel
1.1.1 Artifact Element (abstract)
This class (Fig.
12) generalises the rest of classes of the metamodel.
id: String
The ID of the Artifact Element.
name: String
The name of the Artifact Element.
description: String
A description of the Artifact Element.
Artifact Element represents the fact that all the objects of an assurance evidence model can have an ID, a name, and a description.
1.1.2 Artifact definition
This class corresponds to a distinguishable abstract unit of data to manage in an assurance project (Fig.
13). Artifact Definition depicts the complete lifecycle resulting from the evolution, in different versions, of Artifacts. An Artifact Definition would be specified for, e.g., a hazard log. Each requirement of a requirements specification could have its own Artifact Definition.
Artifact Element
artifact: Artifact [0..*]
The Artifacts of the Artifact Definition.
The evidence artifacts managed in an assurance project can evolve during the project. For example, a hazard log can be created at the beginning of a project, and it will be updated as safety requirements are specified, verification measures are defined, and verification actions are taken. In other words, the hazard log will have different versions during the project. Each individual version is represented by means of an Artifact (see next class description). In an assurance project, it is necessary not only to record the information about the individual versions, but also to keep track in a common place of the different versions and of how the artifact has evolved. This is done with Artifact Definition. Intuitively, Artifact Definition records all the information of the lifecycle of an evidence artifact of an assurance project, i.e., it represents the lifecycle of the evidence artifact.
1.1.3 Artifact
This class corresponds to a distinguishable, concrete, and individual unit of data managed in an assurance project (Fig.
Artifact Element
versionID: String
The version number or ID of the Artifact.
date: Date
The date of creation of the current Artifact version.
changes: String
The list of changes describing any update regarding the previous Artifact version.
isLatestVersion: Boolean
A flag to indicate whether the Artifact version is the latest one.
isTemplate: Boolean
A flag indicating whether the Artifact is a Template to create an actual Artifact to be used in an assurance project.
isConfigurable: Boolean
A flag indicating whether the Artifact is subject to configuration management, i.e., whether the Artifact can be configured for specific usage contexts or situations through different versions.
definition: Artifact Definition [41]
The Artifact Definition to which the Artifact belongs.
artifactPart: Artifact [0..*]
The parts of the Artifact, which can represent document sections or any element composing the whole Artifact.
composite: Artifact [0..1]
Compound Artifact of which the Artifact is part.
precedentVersion: Artifact [0..1]
A pointer to the previous version of the Artifact.
succeedingVersion: Artifact [0..*]
A pointer to the next versions of the Artifact.
event: Artifact Event [0..*]
The events of which the lifecycle of an Artifact consists.
Property: Artifact Property [0..*]
A set of properties that characterise an Artifact.
originatedRel: Artifact Relationship [0..*]
The Artifact Relationships whose source is the Artifact.
endedRel: Artifact Relationship [0..*]
The Artifact Relationships whose target is the Artifact.
recordedRel: Artifact Relationship [0..*]
The Artifact Relationships whose data are in the Artifact.
resource: Resource [0..*]
The Resource elements which represent tangible objects of an artifact, e.g., the set of architectural model files of an Architecture Design document.
userActivity: Activity [0..*]
The activities for which an Artifact is input.
producerActivity: Activity [0..*]
The activities for which an Artifact is output.
technique: Technique [0..*]
The techniques used to produce the Artifact.
responsible: Participant [0..*]
The set of Participants responsible for the management of the Artifact.
In contrast to Artifact Definition, which is used to represent the whole lifecycle of an evidence artifact of an assurance project, Artifact is used to represent the individual versions of an evidence artifact during an assurance project. This is necessary to be able to ascertain the version of an artifact used as evidence of a claim in an assurance case, the version used as input in a given activity, or the version related to another artifact, among other usages. An Artifact specifies the instance of artifacts characterized for a version and a set of resources. Artifacts are subject to traceability, e.g., for change management, and to characterization by means of properties. An Artifact can be composed of other artifacts.
1.1.4 Artifact event
This class corresponds to relevant happenings in the lifecycle of an Artifact (Fig.
15). This serves to maintain a history log for Artifacts.
Artifact Element
type: Event Kind
The type of happening of an Artifact Event.
date: Date
The date (and time) when an Artifact Event occurred.
owner: Artifact [41]
The Artifact for which the Artifact Event has happened.
evaluation: Artifact Evaluation [0..*]
The Artifact Evaluations that result from an Artifact Event.
participant: Participant [0..*]
The Participant or set of Participants that trigger the Artifact Event.
Artifacts change during an assurance project: someone creates them, someone makes some modification, someone fixes some problems, etc. Artifact Event is used to represent the happenings that correspond to these changes. Artifact Events can be consulted to know how an Artifact has evolved and to develop confidence in its adequate management.
1.1.5 Artifact property
This class corresponds to a characteristic of an Artifact (Fig.
16), generally depicted with an attribute (name) and a value.
Artifact Element
dataType: Data Type Kind
The type of the data used to represent the values of an Artifact Property.
value: String
The value of the Artifact Property.
unit: String
The measurement unit corresponding to Artifact Property value.
owner: Artifact [41]
The Artifact that the Artifact Property characterises.
Artifacts can have characteristics that must be recorded for assurance purposes. For example, it is necessary to know whether a given test case is passed or not. Such characteristics are represented by means of Artifact Property. Artifact Properties correspond to objective characteristics. For judgement-based (or subjective) characteristics, Artifact Evaluation must be used.
1.1.6 Artifact evaluation
This class corresponds to the specification of the result of making a judgement regarding an Artifact (Fig.
Artifact Property
rationale: String
The justification of the value of an Artifact Evaluation.
participant: Participant [0..*]
The Participant or set of Participants that has performed an Evaluation.
In addition to Artifact Properties, it can also be necessary to record judgement-based characteristics of Artifacts for an assurance project, typically about their quality (completeness, accuracy, consistency, etc.). It is important to record the rationale behind an Artifact Evaluation to understand the judgement made and how it has led to the evaluation result. The name of an Artifact Evaluation corresponds to the criterion used for evaluation, e.g., completeness.
1.1.7 Artifact relationship
This class corresponds to the existence of a relationship between two Artifacts (Fig.
Artifact Element
sourceModificationEffect: Change Effect Kind
The effect of the modification of the source on the target of an Artifact Relationship.
sourceRevocationEffect: Change Effect Kind
The effect of the revocation of the source on the target of an Artifact Relationship.
targetModificationEffect: Change Effect Kind
The effect of the modification of the target on the source of an Artifact Relationship.
targetRevocationEffect: Change Effect Kind
The effect of the revocation of the target on the source of an Artifact Relationship.
source: Artifact [41]
The Artifact corresponding to the source of an Artifact Relationship.
target: Artifact [41]
The artifact corresponding to the target of an artifact relationship.
artifact: Artifact [0..1]
The Artifact actually containing the data of the Artifact Relationship, e.g., a document that contains a traceability matrix.
Artifact Relationships are the main mechanism for establishing bilateral traceability between artifacts, e.g., the relationship by which a test validates a requirement, and the requirement is validated by the test. Information about modification and revocation effects is important for change impact analysis.
1.1.8 Resource
This class corresponds to the tangible objects representing an Artifact (Fig.
Artifact Element
location: String
The path or URL specifying the location of the Resource.
format: String
The format of the resource, e.g., MS Word.
owner: Artifact [41]
The Artifact for which the Resource is a tangible object.
Artifacts are located and accessible somewhere, usually in the form of some electronic file: a Word file, an Excel file, a file created with some modeling tool, etc. Such information is specified by means of Resource.
1.1.9 Activity
This class corresponds to a unit of work performed in a product lifecycle (Fig.
Artifact Element
startTime: Date
When an Activity starts.
endTime: Date
When an Activity ends.
subActivity: Activity [0..*]
Activities of which an Activity consists.
composite: Activity [0..1]
Compound Activity of which an Activity is part.
successor: Activity [0..*]
The Activities that are performed after an Activity.
predecessor: Activity [0..*]
The Activities that are performed before an Activity.
input: Artifact [0..*]
The Artifacts used in an Activity.
output: Artifact [0..*]
The Artifacts produced or changed in an Activity.
technique: Technique [0..*]
The set of Techniques used in the Activity.
participant: Participant [0..*]
The set of Participants involved in the Activity.
The Artifacts used in an assurance project are the result of and are managed via the execution of processes, which consist of activities: specification of requirements, design of the system, integration of system components, etc. Activities are used to represent this kind of information. An Activity is a specification of an activity already executed or under execution.
1.1.10 Technique
This class corresponds to specific ways to create an Artifact (Fig.
Artifact Element
Aim: String
The purpose of using a Technique.
artifact: Artifact [0..*]
The set of Artifacts generated using the Technique.
activity: Activity [0..*]
The set of Activities in which a Technique has been used.
Artifacts are created, or managed from a more general perspective, via some technique (methods, approaches, languages…) whose use results in specific characteristics for the Artifacts. For example, the use of UML for system design results in a design specification with a set of UML diagrams that could represent static and dynamic internal aspects of the system. Techniques support the specification of this kind of information.
1.1.11 Participant (abstract)
This class corresponds to the concrete parties involved in a product lifecycle (Fig.
Artifact Element
artifact: Artifact [0..*]
The Artifacts of which a Participant is responsible.
activity: Activity [0..*]
The Activities in which a Participant is involved.
event: Artifact Event [0..*]
The events that a Participant triggers.
evaluation: Artifact Evaluation [0..*]
The evaluations that a Participant conducts.
Different parties can participate in an assurance case effort, such as specific people, organizations, and tools.
1.1.12 Person
This class corresponds to individuals that are involved in a product lifecycle (Fig.
email: String
The email address of a person.
organization: Organization [0..*]
The organization for which a person works.\
Concrete people participate in the lifecycle of a safety–critical system, e.g., the managers and the engineers of a safety–critical system manufacturer.
1.1.13 Tool
This class corresponds to the software tools used in a product lifecycle (Fig.
version: String
The version in use of a tool.
Safety–critical systems engineering is a complex process that requires the use of tool support for cost-effectiveness. Such tool support usually covers the complete lifecycle stages. Dedicated tools are commonly used for system development (e.g., for requirements management and for coding) and for V&V (e.g., for testing).
1.1.14 Organization
This class corresponds to groups of people (companies, societies, associations, etc.) that are involved in a product lifecycle (Fig.
address: String
The place where an organization is located.
suborganization: Organization [0..*]
The Organizations that are part of the Organization, e.g., a unit.
composite: Organization [0..1]
The Organization to which an Organization belongs.
person: Person [0..*]
Persons that work at an Organization.
In addition to individuals and tools, organizations can also participate in the lifecycle of safety–critical systems. The organizations can correspond to entities such as component suppliers and assessors. They can provide artifacts that can be used as assurance evidence, such as component specifications.
1.1.15 Event Kind (enumeration)
This enumeration corresponds to types of events that can occur in the lifecycle of an Artifact.
When an Artifact is brought into existence.
When a change is made in a characteristic of an Artifact.
When an Artifact is evaluated.
When an Artifact is revoked from an assurance project.
1.1.16 Data type kind (enumeration)
This enumeration corresponds to types of values for Artifact Properties.
The value space characterized by a string.
A value space characterized by integer numbers.
A value space characterized by real numbers.
1.1.17 Change effect kind (enumeration)
This enumeration corresponds to the possible effects that a change in an Artifact can have in a related Artifact.
A change has no effect.
A change requires a validation.
A change requires a modification.
A change causes a modification.
A change causes a revocation.
