A Safety Case Approach to Assuring Configurable Architectures of Safety-Critical Product Lines

Ibrahim Habli and Tim Kelly, Department of Computer Science, University of York, United Kingdom
{Ibrahim.Habli, Tim.Kelly}@cs.york.ac.uk

Abstract. Companies are increasingly adopting a product-line approach to the development of safety-critical systems. A product line offers large-scale reuse by exploiting common features and assets shared by systems within a specific domain. In this paper, we discuss the challenges of justifying the safety of architectural configurations and variation when developing product-line safety cases. We then address these challenges by defining an approach to developing product-line safety cases using the patterns and modular extensions of the Goal Structuring Notation (GSN). In this approach, we use the GSN patterns extension for explicitly capturing safety case variations and tracing these variations to their extrinsic source in the architectural model. Further, we use the GSN modular extension to organise the safety case into core and variable argument modules which are loosely coupled by means of argument contracts. We demonstrate this approach in a case study based on a product line of aero-engine control systems.

Keywords: Safety Cases, Architectures, Product Lines, Variation Management

1 Introduction

To reduce the engineering costs of safety-critical systems, companies are increasingly adopting a product-line approach which offers large-scale reuse by exploiting common features and assets shared by systems within a specific domain. In particular, the safety case in a safety-critical product line is a valuable asset which should be systematically documented, reused and maintained. Otherwise, the value of a safety-critical product line can be easily undermined if the safety case is developed from scratch, or in an ad-hoc manner, for each product within the product line.
Given that products in a product line share most of their functional features, components, failure modes and risk mitigation measures, it is reasonable to expect that these products also share strategies which can be used to argue why they are acceptably safe to operate within certain environments. For example, if products derived from a product line share a set of functional configurations, which pose similar risks managed using common risk-mitigation measures, it would be sensible to expect that the safety cases for these products share a set of core (i.e. common) argumentation strategies too. However, as with most reusable product-line assets, the challenges do not lie simply in exploiting and managing commonalities. Rather, the key challenges often lie in the management of the way in which assets may vary, according to predefined