Perspectives on Applying the Safety Case Approach for the Assurance of Complex Heterogeneous Systems
Presented as part of the 2018 HCSS conference.
ABSTRACT
The Safety Case approach is being adopted in a number of safety- and mission-critical application domains in the U.S., e.g., medical devices, defense aviation, automotive systems, and, lately, civil aviation. This paradigm refocuses traditional, process-based approaches to assurance on demonstrating explicitly stated safety assurance goals, emphasizing the use of structured rationale, and concrete, product-based evidence as the means to provide justified confidence that systems and software are fit for purpose to safely achieve mission objectives.
In aviation, safety cases are core engineering artifacts that detail the efforts undertaken for safety risk management. They are required as part of the regulatory process that approves access to the National Airspace System (NAS) when conducting flight operations with Unmanned Aircraft Systems (UAS) in certain scenarios, e.g., when using alternative means of compliance to the relevant regulations. UAS operations can be viewed as a complex but loosely-coupled heterogeneous system in which safety is achieved through layers of risk mitigation mechanisms that collectively comprise a safety system, and where the constituent subsystems each contribute to overall safety by providing risk reduction functionality. Thus, the system safety case must provide assurance that individual subsystems do not compromise safety, that each mitigation layer is effective, that the composition/combination of mitigations is also effective, and moreover that subsystem interactions and emergent behavior with potential safety impacts are well managed.
Over the past few years, we have developed safety cases for a number of real UAS operations supporting diverse NASA projects in airborne Earth science, aeronautics, and airspace systems. Some of those safety cases underwent scrutiny by the aviation regulator, the applicable NASA boards for airworthiness and flight safety, flight readiness, and mission readiness, and were successfully approved resulting in operational flight approval for the relevant projects. In the corresponding engineering effort, we leveraged our ongoing research in tools and technologies for developing aviation safety cases, through our assurance case automation toolset, AdvoCATE. Our approach composes diverse evidence using structured arguments—to capture assurance rationale and provide a qualitative safety justification—and a safety architecture—which provides a quantitative basis for risk assessment and update. Our tool implements a unified model of safety assurance, integrating hazard analyses, requirements, safety architectures, structured assurance arguments, and heterogeneous evidence. AdvoCATE is being engineered atop formal foundations to provide unique capabilities for: i) automated argument creation and assembly, ii) integration of formal methods into wider assurance arguments, iii) automated pattern instantiation, iv) hierarchical and modular abstraction, and v) queries and views.
In this talk, we elaborate our practical experience and insights gained creating UAS safety cases to enable so-called beyond visual line of sight (BVLOS) flight. As an example, we use a recently developed safety case, created within the context of the UAS traffic management (UTM) project—which is being developed to enable safe, low-altitude UAS operations within the NAS. The safety case assembled a diversity of engineering artifacts and analyses as evidence, and modeled the safety architecture to: a) present an overall picture of safety risk, b) elaborate the measures undertaken to ensure operational safety, and c) justify risk reduction. Moreover, structured arguments were used to provide assurance of functional safety for the required surveillance and avoidance capabilities.
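The layered-mitigation view of a safety architecture described above (independent barriers each providing risk reduction, their combination justified quantitatively, and subsystem interactions that can undermine the combination) can be made concrete with a small model. The following is an added illustration written for this page; it is not AdvoCATE code nor any NASA safety case, and every hazard name, barrier name, probability and evidence label in it is constructed. It computes the residual rate of a hazard through a chain of barriers, adds a common-cause term so that a shared dependency between layers is not silently credited as independent, and refuses to call the target met while any barrier's claimed failure probability has no evidence behind it (the quantitative credit and the structured argument have to agree).

```python
"""Toy layered safety-architecture model (added example; not AdvoCATE's code).

All names and numbers below are constructed for illustration.
"""
import math
from dataclasses import dataclass, field
from typing import List


@dataclass
class Barrier:
    """One risk-mitigation layer, i.e. a subsystem that contributes risk reduction."""
    name: str
    pfd: float                                          # probability of failure on demand
    evidence: List[str] = field(default_factory=list)   # artifacts that justify the pfd claim


@dataclass
class Hazard:
    name: str
    initiating_rate: float          # events per flight hour before any mitigation (constructed)
    barriers: List[Barrier]
    common_cause_pfd: float = 0.0   # probability a shared cause defeats every barrier at once


def p_all_barriers_fail(h: Hazard) -> float:
    """Probability that every mitigation layer fails on the same demand.

    Independent layers multiply their failure probabilities. The common-cause
    term models dependence between layers (for example one shared sensor or
    data link), which is what makes the combination of mitigations less
    effective than the plain product suggests.
    """
    independent = math.prod(b.pfd for b in h.barriers)
    cc = h.common_cause_pfd
    return cc + (1.0 - cc) * independent


def residual_rate(h: Hazard) -> float:
    """Rate at which the hazard still reaches its consequence after all layers."""
    return h.initiating_rate * p_all_barriers_fail(h)


def unsupported_barriers(h: Hazard) -> List[str]:
    """Barriers whose claimed pfd has no evidence: the argument is undeveloped
    there, so the quantitative credit taken for them is not yet justified."""
    return [b.name for b in h.barriers if not b.evidence]


def meets_target(h: Hazard, target_rate: float) -> bool:
    """True only if the residual rate is within target and every barrier is evidenced."""
    return residual_rate(h) <= target_rate and not unsupported_barriers(h)


def example_hazard(common_cause_pfd: float = 0.0) -> Hazard:
    """Constructed hazard with three constructed barriers; not from any real safety case."""
    return Hazard(
        name="UAS comes into conflict with manned traffic (constructed)",
        initiating_rate=1e-3,
        common_cause_pfd=common_cause_pfd,
        barriers=[
            Barrier("Operational volume / geofence", 0.1, ["flight-plan review (constructed)"]),
            Barrier("Surveillance detects intruder", 0.1, ["surveillance test report (constructed)"]),
            Barrier("Avoidance manoeuvre executed", 0.05, []),   # no evidence attached yet
        ],
    )


if __name__ == "__main__":
    for cc in (0.0, 0.01):
        h = example_hazard(cc)
        print(f"common-cause pfd={cc}: residual rate {residual_rate(h):.3g}/h, "
              f"unsupported barriers: {unsupported_barriers(h)}")
```

With the barriers treated as independent the constructed hazard's residual rate is 1e-3 × 0.1 × 0.1 × 0.05 = 5e-7 per hour; giving the layers a 1% common-cause failure probability raises it to roughly 1.05e-5, a twenty-fold loss of credit, which is why the effectiveness of the combination has to be argued separately from the effectiveness of each layer. Even in the independent case `meets_target` returns False until the avoidance barrier's evidence is supplied.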