Architecting a Safety Case for UAS Flight Operations

Over the past few years, we have been developing safety cases for several NASA unmanned aircraft system (UAS) missions involving increasingly complex operational concepts. We have also begun including structured argumentation in the safety case reports to organize and explicitly document the reasons why the operations can be expected to be acceptably safe. Although each operation has particular mission-specific constraints and safety requirements, we have identified similarities amongst the associated hazard control mechanisms and safety arguments. The twin aims of this paper are to a) facilitate future reuse of the UAS operational safety measures and the associated safety arguments, and b) aid safety case comprehension and evaluation. Towards achieving these goals, we first present a generic concept for low-altitude operations, describing the commonalities and differences between the missions, and the dependencies between the concrete details of specific missions and the applicable safety systems. Then we describe two architectural models: i) an abstract safety architecture specifying the collection of hazard controls, given using bow-tie diagrams, and ii) an argument architecture, given in terms of abstract argumentation patterns. We also discuss the relationship between the safety and argument architectures, outlining their roles in creating the safety case and its underlying safety arguments.