The argument pattern relating to this stage is shown in Figure 25 below and key elements from the pattern are described in the following sections.
The top claim in this argument pattern is that all of the potentially hazardous failures that are identified for tier n (as documented in [BB]) are acceptably managed. To demonstrate this it must be shown that the potential hazardous failures have been identified correctly (G6.1) and also that appropriate mitigations have been put in place for each (G6.2).
The details of the safety analysis performed at tier n, as documented in the safety analysis justification report ([BB]), are used as evidence that the potentially hazardous failures have been completely and correctly identified.
For each of the identified potential hazardous failures it must be demonstrated that they are sufficiently addressed by the mitigations that are put in place. A separate claim (G6.3) is therefore made for each of the potential hazardous failures.
To demonstrate that each potential hazardous failure is sufficiently addressed, it must first be shown that mitigations for that failure have been put in place (G6.4). As discussed in Activity 20, the mitigations could be provided in a number of ways. There is therefore a choice as to how this is demonstrated. In the pattern three choices are provided based upon the use of evidence from safety requirements (Sn6.3), design mitigations (Sn6.2) or constraints placed upon the operating concept of the AS (Sn6.5). Other forms of mitigation may be provided where necessary, and for any hazardous failure multiple forms of mitigation may be used as appropriate. The sufficiency of the chosen mitigations must be justified (G6.5).
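The structure of the pattern described above, as an added example that is not part of the original document: a small Python model that instantiates the argument for one tier and reports which goals (G6.1, G6.4, G6.5) remain unsupported. The goal and strategy identifiers follow the page; the failure identifiers, evidence references and report name are constructed sample values.

```python
from dataclasses import dataclass, field

# Mitigation strategies offered by the pattern (identifiers as used on the page).
STRATEGIES = {
    "Sn6.3": "safety requirements",
    "Sn6.2": "design mitigations",
    "Sn6.5": "constraints on the operating concept of the AS",
}

@dataclass
class Mitigation:
    strategy: str        # one of the STRATEGIES keys, or "other" for another form of mitigation
    evidence: str        # reference to the artefact supporting G6.4, e.g. a requirements document
    description: str = ""

@dataclass
class HazardousFailure:
    ident: str                                     # identified potential hazardous failure (G6.3)
    mitigations: list = field(default_factory=list)  # mitigations put in place (G6.4)
    sufficiency_justification: str = ""            # justification that mitigations suffice (G6.5)

def check_pattern(tier: int, analysis_report: str, failures: list) -> list:
    """Return the unsupported goals for tier n; an empty list means the instantiated
    argument has evidence at every leaf the pattern requires."""
    gaps = []
    if not analysis_report:  # G6.1 rests on the safety analysis justification report
        gaps.append(f"G6.1: no safety analysis justification report for tier {tier}")
    for f in failures:
        if not f.mitigations:
            gaps.append(f"G6.4 ({f.ident}): no mitigation in place")
        for m in f.mitigations:
            if m.strategy not in STRATEGIES and m.strategy != "other":
                gaps.append(f"G6.4 ({f.ident}): unknown strategy {m.strategy}")
            if not m.evidence:
                gaps.append(f"G6.4 ({f.ident}): {m.strategy} mitigation has no evidence")
        if not f.sufficiency_justification:
            gaps.append(f"G6.5 ({f.ident}): sufficiency of mitigations not justified")
    return gaps

def example_tier() -> list:
    """Constructed sample instantiation for tier 2: one fully argued failure, one with gaps."""
    hf1 = HazardousFailure("HF-1 (sample)",
                           [Mitigation("Sn6.3", "SR-12 (sample)", "interlock requirement"),
                            Mitigation("Sn6.5", "OpCon-3 (sample)", "speed limit in shared space")],
                           "both mitigations independently remove the hazardous effect")
    hf2 = HazardousFailure("HF-2 (sample)",
                           [Mitigation("Sn6.2", "", "redundant sensor")])  # no evidence, no G6.5
    return check_pattern(2, "SAJR tier 2 (sample)", [hf1, hf2])
```

Running `example_tier()` lists the two unsupported goals for HF-2 and nothing for HF-1.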