NASA Logo, National Aeronautics and Space Administration

AdvoCATE: Assurance Case Automation Toolset

Safety/assurance cases represent the state of the art in assurance technologies. Effectively, they provide an audit trail of assurance considerations from concept through operations, demonstrating that the risks associated with a specific system concern (such as safety or security) have been identified, are well understood, have been appropriately controlled, and that there are processes in place to monitor the performance and effectiveness of the risk management measures. Thus, safety/assurance cases are risk management artifacts whose purpose is to convince the various stakeholders of a system, including the regulatory authority, that the system has been designed to be safe, is operated safely, and that it meets the required assurance properties.

Engineered atop formal foundations, the Assurance Case Automation Toolset (AdvoCATE) supports the development and management of safety/assurance cases, providing novel capabilities in automating their production, with applicability to safety-critical applications in general (e.g., nuclear power, road and rail transportation, defense, medical devices), and aviation systems in particular.

AdvoCATE 1.0

Built as an Eclipse application, AdvoCATE 1.0 mainly focuses on the construction and manipulation of the structured argument component of safety/assurance cases. It provides:
  • Manual creation and editing of assurance arguments in the Goal Structuring Notation (GSN).
  • User-customizable metadata.
  • Structuring of arguments using modules and hierarchy.
  • Formal methods integration.
  • Assembly of manually-created and auto-generated assurance argument fragments.
  • Semi-automated creation of arguments through argument pattern instantiation.
  • Computation of argument metrics.
  • Logical querying.

AdvoCATE 2.0

AdvoCATE 2.0 is an Eclipse application that targets a broader scope of assurance activities than AdvoCATE 1.0. AdvoCATE 2.0 facilitates creating safety/assurance cases (as opposed to only the underlying structured arguments) and, more broadly, organizing project assurance activities. It is architected around an integrated assurance model that combines hazard analysis, requirements, structured arguments, barrier models (bow tie diagrams), and verification artifacts. All the capabilities of AdvoCATE 1.0 are (or will be) available in AdvoCATE 2.0, with some of those being re-engineered from the ground up. Additional capabilities include:
  • Hazard analysis and risk assessment:
    • Conducting hazard identification.
    • Specification of hazard causes and consequences.
    • Assessment of initial and residual risk levels given in terms of probability and severity.
  • Capture of risk reduction and assurance requirements.
  • Safety architecture modeling using bow tie diagrams.
  • Traceability and consistency between related artifacts, e.g., between:
    • Entries in the hazard log and the relevant assurance requirements.
    • Arguments and the corresponding requirements, verification artifacts, etc.
  • Assurance analytics, e.g., status of assurance activities, presented on customizable dashboards; additionally, generated views to visualize aggregated status of assurance artifacts.


AdvoCATE has been used in the development of safety cases for real unmanned aircraft systems (UAS) and their operations. Those safety cases successfully underwent regulatory scrutiny and evaluation, resulting in the grant of operational approval to conduct UAS flight operations in the US National Airspace.


Updated 23 February 2022

Active Members

Ewen Denney

Erik Danielsson
Louis (Greg) Detweiler
Jonathan Menzies
Ganesh Pai
Irfan Sljivo

Past Members

Robbie Henderson
Dimo Petroff
Josef Pohl
Atef Suleiman
Peter Tran
Iain Whiteside

Other Contributors

Mariya Abrahamyan
Sarah Bass
Lee Brownston
Alejandro Fernandez
Gregory Han
Dwight Naylor
Jessica Salazar
