A Case Study on Safety Cases in the Automotive Domain: Modules, Patterns, and Models

Stefan Wagner*, Bernhard Schätz†, Stefan Puchner‡, and Peter Kock§

* Technische Universität München, Garching, Germany, Email: wagnerst@in.tum.de
† fortiss GmbH, Munich, Germany, Email: schaetz@fortiss.org
‡ Capgemini sd&m AG, Munich, Germany, Email: stefan.puchner@capgemini.com
§ MAN Nutzfahrzeuge AG, Munich, Germany, Email: peter.kock@man.eu

Abstract—Driven by market needs and laws, automotive manufacturers develop ever more feature-rich and complex vehicles. This new functionality even plays an active role in driving, which poses many new challenges for assuring the safety of the vehicle. Safety cases constitute a proven technique to systematically use existing information about a system, its environment, and its development context to show its safety. We construct the safety case for a cruise control system described in a case study in the automotive domain, with special consideration of existing domain-specific models. In the case study, we identify generic safety case modules and several recurring patterns, which will simplify the development of future automotive safety cases.

Keywords-safety case; model-based development; automotive

I. INTRODUCTION

The market as well as lawmakers demand more and more features and hence ever more complex automotive vehicles. Manufacturers combine mechanical, electric/electronic, and software parts to implement these features. Software in particular plays a major role in the implementation of the functionality, which ranges from embedded control systems to entertainment systems with a rich user interface. The BMW 7 series, for instance, implements about 270 user functions distributed over up to 67 embedded control units, amounting to about 65 megabytes of binary code [1].

Software-based functions that intervene in driving are gaining particular importance, because they can (1) reduce the number of crashes and their effects and (2) increase the driver's comfort. Examples of such systems are the anti-lock braking system (ABS), the electronic stability programme (ESP), automatic parking systems, and systems for collision avoidance.

The many features, their interactions, and especially their complexity pose a challenge to the development and maintenance processes of the automotive industry. Assuring the safety of each of these features and, finally, of the complete vehicle is particularly demanding.

A. Problem statement

There are several applicable standards for developing safety-critical electronic systems in the automotive domain, such as IEC 61508-3 [2] or the currently developed ISO WD 26262. The suggestions for safety assurance contained therein are not sufficient for software. We identify two major problems: (1) some of the suggestions have not been scientifically investigated as to their influence on safety, and (2) they are mostly limited to prescribing activities and techniques that have to be used; they constrain the process. The underlying assumption, however, that a good development process alone produces safe software is questionable [3].

B. Research objective

The overall objective of this research is to establish usable safety assurance methods for automotive systems involving software. In particular, we aim to discover reusable structures, patterns, and processes in safety assurance to support its practical application.

C. Contribution

Safety cases have gained acceptance, for example in the avionics industry, as a systematic means to use all existing information to construct a structured argument for the safety of a system. We use safety cases in a case study in the automotive domain, exploiting the already existing models of software functions, the vehicle, the driver, and their environment. The case study analyses the construction of a safety case for a real software-based component in a commercial vehicle at MAN Nutzfahrzeuge AG. The result is a generic safety case architecture and a set of recurring patterns involving the models that we use to build a safety case.

D. Context

The case study concentrates on the automotive domain and is performed at MAN Nutzfahrzeuge AG. We construct a safety case for the cruise control unit of a truck.