The argument pattern relating to this stage is shown in Figure 23 and key elements from the pattern are described in the following sections.
This claim, which is made for each tier of the AS development, demonstrates that the design of the AS is sufficient to ensure that the safety requirements that have been defined at the current tier can be satisfied. This claim is demonstrated by considering the design decisions that have been taken (G5.2), the design process that has been followed (G5.3), and checking for hazardous errors that may have been introduced to the design (G5.4).
A justification must be provided that the key design decisions that have been taken are appropriate to help ensure that the safety requirements can be met by the AS. An argument is presented that considers each of the relevant design decisions in turn. The justifications documented in the AS design justification ([Y]) are used as evidence that the decisions are appropriate. In many cases, where required by the safety requirements, the design decisions taken will include measures to achieve robustness, fault tolerance and runtime monitoring. The argument pattern indicates how claims regarding these measures could be included as design decisions in the argument (G5.6, G5.7 and G5.8). These claims are indicated as optional elements, since they may not always be required depending upon the nature of the system.
It must be demonstrated that the design at each tier has been checked for errors that may have been made in the design that could result in unsafe outcomes. The design review report ([Z]) can provide evidence to support this claim.