IFAC-PapersOnLine 49-28 (2016) 025–030. Available online at www.sciencedirect.com. © 2016, IFAC (International Federation of Automatic Control) Hosting by Elsevier Ltd. All rights reserved. Peer review under responsibility of International Federation of Automatic Control. 10.1016/j.ifacol.2016.11.005

Maintaining Safety Arguments via Automatic Allocation of Safety Requirements

Ioannis Sorokos, Yiannis Papadopoulos, Leonardo Bottaci
Department of Computer Science, University of Hull, Hull, HU6 7RX, UK (e-mail: I.Sorokos@2012.hull.ac.uk, Y.I.Papadopoulos@hull.ac.uk, L.Bottaci@hull.ac.uk)

Abstract: The ‘safety case’ documents the safety argument that developers of safety-critical systems employ to convince others of their systems’ safety, in compliance with safety standard regulation and advice. Despite the considerable body of knowledge that has evolved, constructing and maintaining a safety case remains a significant challenge. For contemporary systems in particular, because of their scale and complexity, safety cases can grow to require hundreds of pages of documentation. In this paper, we propose a method which aims to address these concerns. In numerous safety standards, such as the aerospace ARP4754-A, the concept of Development Assurance Levels (DALs) is used to control the safety assessment process and influence the safety case. Our method is based on automatically constructing a safety argument from an annotated system architecture model. To perform this construction, we employ previous work on automatically allocating DALs to such a model and combine it with an appropriate safety argument pattern. The method is enabled through the state-of-the-art model-based dependability tool HiP-HOPS. The advantage of this approach is that when the design changes, the impact of those changes can be automatically reflected in the structure of a re-synthesised safety argument for the system.

Keywords: safety case maintenance; automation; safety requirements; ARP4754-A; DAL decomposition.

1. INTRODUCTION

Contemporary assurance of safety-critical systems often involves the production and maintenance of the safety case. The safety case should present ‘a clear, convincing and comprehensive’ argument that the subject system is acceptably safe (Kelly, 2004). Graphical notations such as the Goal Structuring Notation (GSN) (Kelly, 1998) and the Claims-Arguments-Evidence (CAE) notation (Bishop, et al., 2004) have provided many tools for improving the representation of such arguments. Despite these advances, the process of constructing and maintaining safety cases remains largely a manual one. This is particularly the case in the early to interim stages of development, where the system’s design goes through numerous iterations. During these critical stages, safety case developers need to manage significant amounts of information and construct arguments whose complexity is comparable to the scale and complexity of the underlying system. In (Denney, et al., 2013, p. 1) a preliminary safety case for surveillance of airport surfaces (EOSAN, 2011) is quoted to be ‘about 200 pages’ and ‘expected to grow as the operational safety case is created’. It is safe to assume that emerging and future technologies will only further exacerbate this issue, introducing more complexity and interactions whose operation needs to be accounted for in a relevant safety case.

The contribution of this paper is a method which automates the construction and maintenance of a part of the safety case. The method focuses on the production of a (partial) preliminary safety argument for civil aircraft, where the applicable safety standard is ARP4754-A. The standard employs a process known as the ‘Development Assurance Process’, whereby Development Assurance Levels (DALs) are assigned hierarchically across the system architecture in a top-down approach. These levels prescribe the rigor with which safety assessment procedures are to be applied throughout the relevant sections of the system. Previous research has demonstrated that it is feasible to optimally allocate DALs, based on a cost estimate of implementing a component at a given DAL (Sorokos, et al., 2015). That approach makes use of the Hierarchically Performed Hazard Origin and Propagation Studies (HiP-HOPS) tool (Papadopoulos, et al., 2011). The method presented here expands on this notion to produce a safety case fragment from the allocation, which can form the basis of a preliminary safety case. Previous work towards automating the construction of safety cases in (Basir, et al., 2008) and (Denney, et al., 2013) focused on generating safety cases for automatically generated code based on formal software safety certification. An approach comparable to ours can be seen in (Sljivo, et al., 2015). Although at first glance similar, there are considerable
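The cost-driven DAL allocation that the introduction refers to, as an added illustration rather than code from the paper or from HiP-HOPS: an exhaustive search over the decomposition options for each function, where an item shared by several functions must satisfy the most demanding one. The decomposition options, the item and function names and the per-DAL costs are all assumptions constructed for this example.

```python
from itertools import product

# Development assurance levels, most to least rigorous.
DALS = ["A", "B", "C", "D", "E"]


def lower(dal: str, steps: int) -> str:
    """Return the DAL `steps` levels less rigorous, saturating at E."""
    return DALS[min(DALS.index(dal) + steps, len(DALS) - 1)]


def decomposition_options(fdal: str):
    """Candidate (DAL_1, DAL_2) pairs for two independent items implementing a
    function of level `fdal`. Assumption: ARP4754-A style options, i.e. one
    item at the function level with the other two levels lower, both items one
    level lower, or both items at the function level (no decomposition)."""
    one, two = lower(fdal, 1), lower(fdal, 2)
    return {(fdal, two), (two, fdal), (one, one), (fdal, fdal)}


def allocate(functions, costs):
    """Cheapest allocation by exhaustive search. `functions` maps a function
    name to (required DAL, (item_1, item_2)); `costs` maps an item name to its
    per-DAL implementation cost. Returns (total cost, {item: DAL})."""
    names = list(functions)
    best = None
    for choice in product(*(decomposition_options(functions[f][0]) for f in names)):
        alloc = {}
        for f, pair in zip(names, choice):
            for item, dal in zip(functions[f][1], pair):
                # A shared item keeps the most rigorous DAL demanded of it;
                # "A" < "B" as strings, so min() picks the stricter level.
                alloc[item] = min(alloc.get(item, "E"), dal)
        total = sum(costs[item][dal] for item, dal in alloc.items())
        if best is None or total < best[0]:
            best = (total, alloc)
    return best


# Constructed sample architecture: two functions sharing one item ("fcc").
FUNCTIONS = {"flight_ctrl": ("A", ("fcc", "actuator")),
             "autopilot": ("B", ("fcc", "sensor"))}
COSTS = {"fcc": {"A": 90, "B": 60, "C": 35, "D": 20, "E": 10},
         "actuator": {"A": 80, "B": 55, "C": 30, "D": 15, "E": 5},
         "sensor": {"A": 70, "B": 45, "C": 25, "D": 12, "E": 4}}


def demo():
    """Run the search on the sample; used when re-synthesising after a change."""
    return allocate(FUNCTIONS, COSTS)
```

Re-running `demo()` after editing `FUNCTIONS` or `COSTS` is the kind of step the paper's re-synthesis automates: the allocation, and hence the argument fragment built on it, follows the changed model.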