
Safety case

A safety case is a structured, evidence-based argument that demonstrates a system, process, or facility is acceptably safe for its intended application and operational context, typically by showing that risks have been identified, assessed, and reduced to as low as reasonably practicable (ALARP). Originating in the United Kingdom following the 1988 Piper Alpha disaster in the offshore oil and gas industry, which exposed deficiencies in prescriptive safety regulations, the safety case approach was formalized through legislation such as the Offshore Installations (Safety Case) Regulations 1992 to promote proactive risk management over rigid rules. This methodology has since expanded beyond offshore operations to high-hazard sectors including nuclear power, aviation, rail transport, defense, and petrochemicals, where it serves as a regulatory requirement for demonstrating compliance with safety objectives. In these domains, a safety case integrates diverse evidence, such as hazard analyses, engineering assessments, operational procedures, and management system reviews, into a coherent narrative that assures regulators, operators, and stakeholders that safety is being maintained. Key components typically include a clear safety argument, supporting claims about risk controls, contextual descriptions of the system and its environment, and explicit assumptions or limitations, often presented as a modular document or set of reports to facilitate review and updates. The approach emphasizes goal-setting regulation, in which operators bear responsibility for justifying safety, in contrast with traditional compliance checklists, and has influenced international standards such as those of the International Atomic Energy Agency (IAEA) for nuclear facilities and ICAO Annex 11 for air traffic management. By requiring continuous evidence gathering and periodic reassessment, safety cases adapt to changes such as system modifications or emerging hazards, fostering a culture of safety accountability.
In recent applications, such as the UK's Building Safety Act 2022 for high-rise residential buildings, safety cases extend to fire and structural risks, underscoring their versatility in modern risk governance.

Definition and Purpose

Definition

A safety case is a structured argument, supported by a body of evidence, that provides a compelling, comprehensible, and valid justification demonstrating that a system is acceptably safe for a specific application in a given operating environment. This approach emphasizes explicit argumentation to connect safety claims with verifiable evidence, such as test results, analyses, and operational data, ensuring the overall safety rationale is robust and defensible. Unlike traditional certification or licensing processes, which frequently involve mere compliance with prescriptive standards or checklists, a safety case constitutes a demonstrable justification of safety through explicit argumentation rather than rote adherence to requirements. It shifts the focus from ticking boxes to proactively addressing risks in context, allowing flexibility while maintaining accountability to regulators and stakeholders. Key attributes of a safety case include its comprehensive scope, covering all relevant safety aspects across the system lifecycle; transparency in the argument structure, facilitating understanding and critique; and auditable documentation, enabling independent verification and ongoing maintenance. Safety cases are commonly represented using notations like Goal Structuring Notation (GSN), which graphically depicts goals, strategies, and evidence relationships.

Core Principles

The core principles of a safety case revolve around structured justification of safety in complex systems, emphasizing risk management that balances practicality, tolerability, and evidential support. These principles ensure that safety is not absolute but demonstrably adequate within defined constraints, guiding the development of arguments that regulators and stakeholders can evaluate for acceptability. A foundational principle is the As Low As Reasonably Practicable (ALARP) approach, which requires reducing risks to a level where further mitigation is not reasonably achievable given the associated time, effort, and cost. Under ALARP, risks are weighed against the resources needed for additional controls, ensuring that reductions are proportionate to the benefits gained, without demanding grossly disproportionate expenditures. This principle is legally embedded in frameworks like the UK Health and Safety at Work Act 1974, applying across the system lifecycle from design to operation. Closely related is the concept of acceptable or tolerable risk levels, which defines the boundaries for risk acceptance based on contextual factors such as societal values, economic implications, and the system's intended benefits. Tolerability does not imply zero risk but rather a controlled level at which risks are deemed manageable for the advantages provided, often framed within a tolerability of risk (TOR) model that delineates unacceptable, tolerable (ALARP region), and broadly acceptable zones. For instance, individual risk criteria might set the broadly acceptable level at 10^{-6} fatalities per year, with tolerability up to 10^{-4}, adjusted by societal and economic considerations. Another key principle is the independence of the safety argument from its supporting evidence: the argument articulates claims about system safety through logical inference, while evidence provides independent substantiation without being conflated with the reasoning itself.
This separation allows for modular evaluation: the argument structure remains valid as long as the linking logic holds, even if specific evidence evolves, promoting transparency and adaptability in safety justifications. Safety cases employing this principle are used in regulatory contexts, such as FDA approvals for medical devices, to assure post-market safety.
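As an added worked example (not from the original article), the following Python encodes the three tolerability of risk zones quoted above and screens a constructed set of risk controls under ALARP. The 10^-6 and 10^-4 thresholds are the figures above; the VPF of £1.661 million (the 2009 UK figure the article cites later) and the disproportion factor of 3 are assumptions made for this example.

```python
"""Tolerability of risk (TOR) zoning and an ALARP cost-benefit screen.

Constructed example: the two thresholds are the figures quoted in the text;
the VPF value and the disproportion factor are assumptions for illustration.
"""
from dataclasses import dataclass

# Individual risk of fatality per year, as quoted in the text.
BROADLY_ACCEPTABLE = 1e-6   # at or below this, no further reduction is demanded
TOLERABLE_LIMIT = 1e-4      # above this, the risk is unacceptable whatever the cost

# Assumed: UK HSE Value of a Prevented Fatality, 2009 figure, in pounds.
VPF_GBP = 1_661_000.0
# Assumed: a control is "grossly disproportionate" when its cost exceeds this
# multiple of the monetised benefit it delivers.
DISPROPORTION_FACTOR = 3.0


def tor_zone(risk_per_year: float) -> str:
    """Place an individual annual fatality risk in one of the three TOR zones."""
    if risk_per_year > TOLERABLE_LIMIT:
        return "unacceptable"
    if risk_per_year > BROADLY_ACCEPTABLE:
        return "tolerable (ALARP region)"
    return "broadly acceptable"


@dataclass
class Control:
    name: str
    risk_reduction: float   # absolute reduction in per-person annual fatality risk
    cost_gbp: float         # whole-life cost of implementing the control


def monetised_benefit(reduction: float, people_exposed: int, years: int) -> float:
    """Expected fatalities averted over the assessment period, valued at the VPF."""
    return reduction * people_exposed * years * VPF_GBP


def reasonably_practicable(control: Control, reduction: float,
                           people_exposed: int, years: int) -> bool:
    """ALARP test: the sacrifice (cost) must not be grossly disproportionate to the benefit."""
    benefit = monetised_benefit(reduction, people_exposed, years)
    return control.cost_gbp <= DISPROPORTION_FACTOR * benefit


def alarp_assessment(initial_risk: float, controls: list, people_exposed: int, years: int):
    """Decide which controls to adopt under the TOR model.

    In the unacceptable zone every available control is adopted regardless of cost;
    in the ALARP region a control is adopted only if it passes the disproportion
    test; in the broadly acceptable zone no further controls are required.
    Returns (residual_risk, adopted_names, rejected_names, zone).
    """
    residual = initial_risk
    adopted, rejected = [], []
    # Consider the best-value controls first (least cost per unit of risk removed).
    for control in sorted(controls, key=lambda c: c.cost_gbp / c.risk_reduction):
        effective = min(control.risk_reduction, residual)  # cannot remove more risk than remains
        if residual > TOLERABLE_LIMIT:
            adopt = True
        elif residual > BROADLY_ACCEPTABLE:
            adopt = reasonably_practicable(control, effective, people_exposed, years)
        else:
            adopt = False
        if adopt:
            adopted.append(control.name)
            residual -= effective
        else:
            rejected.append(control.name)
    return residual, adopted, rejected, tor_zone(residual)


# Constructed scenario: a process plant with 100 exposed workers assessed over 25 years.
EXAMPLE_CONTROLS = [
    Control("Automatic shutdown interlock", risk_reduction=2.5e-4, cost_gbp=400_000),
    Control("Additional gas detectors", risk_reduction=4e-5, cost_gbp=60_000),
    Control("Second relief valve", risk_reduction=8e-6, cost_gbp=500_000),
]


def example_assessment():
    """Start at 3e-4/yr (unacceptable) and see where the screen leaves the residual risk."""
    return alarp_assessment(3e-4, EXAMPLE_CONTROLS, people_exposed=100, years=25)


if __name__ == "__main__":
    residual, adopted, rejected, zone = example_assessment()
    print(f"residual risk {residual:.1e}/yr -> {zone}")
    print("adopted:", adopted)
    print("rejected:", rejected)
```

The first two controls are adopted because the starting risk sits in the unacceptable zone; the relief valve is then rejected because, with the residual already in the ALARP region, its cost exceeds three times the monetised benefit.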

Historical Development

Origins in Defense and Nuclear Sectors

The safety case concept emerged in the United Kingdom's nuclear sector in the late 1950s, following the fire on October 8, 1957, at the Sellafield facility (then known as Windscale), which resulted in the largest release of radioactive material from a nuclear reactor in history and was linked to approximately 240 cancer cases. This incident exposed deficiencies in existing safety oversight for high-hazard operations, prompting the enactment of the Nuclear Installations Act 1959, which mandated operators to submit a comprehensive safety case, a structured argument backed by evidence, to justify safe operation during the licensing process. The requirements were further consolidated and reinforced by the Nuclear Installations Act 1965. The Nuclear Installations Inspectorate (NII) had been established in 1960 to rigorously assess safety justifications for nuclear sites, including Windscale; in 1974, the NII became part of the newly formed Health and Safety Executive (HSE), ensuring coverage of all lifecycle phases from design to decommissioning. In the defense sector, the UK Ministry of Defence (MOD) began adopting the safety case approach in the mid-1990s for complex military systems, including weapons and submarines, although its roots drew heavily from nuclear submarine programs managed under defense auspices. Influenced by civil nuclear regulations, the MOD formalized the practice through the Jones Report of 1994, which recommended integrating safety cases into equipment procurement to align military safety management with civil standards despite exemptions from general legislation. This was codified in Defence Standard 00-56, first issued in 1996, requiring a compelling, evidence-based argument to demonstrate that risks in naval platforms like submarines were tolerable and reduced as low as reasonably practicable (ALARP). Early applications focused on high-stakes systems where prescriptive rules proved insufficient for emerging technologies.
The primary motivations for introducing safety cases in both the nuclear and defense sectors were to tackle intricate, unprecedented risks in novel technologies and operations that exceeded the scope of traditional prescriptive regulations, enabling a more adaptive, goal-oriented framework for safety justification. This represented a fundamental shift from compliance-based to goal-based safety assurance, prioritizing comprehensive, reasoned justification over rigid checklists.

Evolution and Modern Adoption

The concept of the safety case was formalized through reports from the UK's Advisory Committee on the Safety of Nuclear Installations (ACSNI), particularly its Study Group on the Safety of Operational Computer Systems, which outlined principles for structuring evidence and reasoning in safety arguments for nuclear systems. Following the Piper Alpha disaster in 1988, the Cullen Inquiry recommended a goal-setting regulatory regime, resulting in the Offshore Installations (Safety Case) Regulations 1990, which required operators to produce safety cases demonstrating ALARP for offshore installations. This period also saw the standardization of notations like Goal Structuring Notation (GSN) to support rigorous safety argumentation. In the 2000s, safety cases expanded to aviation through SAE standards such as ARP4754 (Guidelines for Development of Civil Aircraft and Systems, first published 1996 and revised 2010) and ARP4761 (Guidelines and Methods for Conducting the Safety Assessment Process on Civil Airborne Systems and Equipment, 1996), which provide frameworks for safety assessments integral to the overall safety arguments used in certification. Concurrently, the approach spread to rail via the UK's Railways (Safety Case) Regulations 2000, mandating operators to submit and maintain safety cases demonstrating acceptable risk levels for infrastructure use, train operations, and stations. The 2014 SAE G-48 System Safety Committee workshop highlighted growing Department of Defense (DoD) interest in adopting safety cases for complex systems, fostering discussions on integrating them into American defense practices. In the 2020s, safety cases have been integrated with agile software development in defense systems, such as the F-35 Joint Strike Fighter, where iterative processes support continuous safety assurance amid evolving software updates, as evidenced by the DoD's shift toward DevSecOps frameworks combining agile development with security and operations practices.
By 2025, the EU AI Act has incorporated safety case elements for high-risk AI systems, requiring providers to establish a comprehensive risk management system that identifies, analyzes, evaluates, and mitigates risks to health, safety, or fundamental rights throughout the system's lifecycle, supported by documentation and conformity assessments.

Key Components

Safety Argument Structure

The safety argument within a safety case provides a structured, logical framework to demonstrate that a system is acceptably safe for its intended use, typically organized hierarchically. At the top level, a primary goal asserts overall safety, which is then decomposed into sub-goals that address specific aspects of hazard avoidance or mitigation. This decomposition employs strategies to guide the reasoning process, such as breaking down claims by function, fault tolerance, or lifecycle phase, ensuring comprehensive coverage without gaps. The key elements of this structure are goals, which represent explicit claims about the system's properties, such as "the system prevents hazardous failures under normal operation"; strategies, which outline the methods or patterns of reasoning used to support those claims, for instance by referencing standards or by modular decomposition; contexts, which define the assumptions, justifications, and operational environment bounding the argument, like environmental constraints or regulatory requirements; and solutions, which point to the underlying evidence, such as test results or analyses, that substantiates the sub-goals. This claim-evidence model allows for modular construction and reuse, providing traceability from high-level objectives to detailed justifications. A safety case is a specialized form of assurance case: the broader assurance case encompasses arguments for various non-functional properties such as security or reliability, while the safety case specifically focuses on demonstrating acceptable levels of hazard avoidance and risk mitigation through this hierarchical argument. Such structures are often visualized using notations like Goal Structuring Notation (GSN) to enhance clarity and communication.

Supporting Evidence

Supporting evidence in a safety case consists of the verifiable data, analyses, and assessments that substantiate the claims made in the safety argument, providing the foundation for demonstrating that a system is acceptably safe. This evidence must be relevant, sufficient, and appropriately linked to specific claims to build confidence in the overall safety justification. Key categories of supporting evidence include hazard analysis techniques such as Hazard and Operability Studies (HAZOP) and Failure Modes and Effects Analysis (FMEA), which systematically identify potential deviations, failures, and their impacts in order to predict risks. Testing results from prototypes, field trials, or environmental simulations offer empirical validation of system behavior under controlled conditions, revealing hazards that theoretical methods might overlook. Simulation models enable exploration of complex, rare, or untestable scenarios, such as emergency evacuations, by modeling nonlinear interactions while accounting for underlying assumptions. Operational data, derived from historical incident reports, performance metrics, and statistical extrapolations, provides real-world insight into failure rates and system reliability, though it is limited by the infrequency of major events. Expert judgments, elicited through structured elicitation processes from domain specialists, supplement other evidence by drawing on experience for qualitative assessments where data is scarce. Traceability is essential: each piece of evidence must be explicitly linked to the corresponding claims in the safety argument, often through documentation that details how the evidence supports or refutes specific objectives. Confidence levels in this evidence are typically assessed qualitatively, considering factors like the method's reliability, the expertise involved, and any inherent uncertainties, such as overconfidence in expert opinions or untested assumptions in simulations, to gauge the strength of support for each claim.
To mitigate biases and limitations in individual sources, safety cases emphasize independence and diversity by incorporating multiple complementary evidence types, such as combining hazard analyses with operational data and verification schemes, ensuring a robust and balanced justification. This approach integrates evidence seamlessly into the broader argument structure, enhancing the comprehensibility and validity of the safety case.

Development and Presentation

Process for Building a Safety Case

The process for building a safety case involves a structured, evidence-based methodology to demonstrate that a system is acceptably safe for its intended use. It typically proceeds through distinct yet interconnected phases, ensuring that risks are systematically identified, analyzed, and mitigated while aligning with principles such as ALARP (As Low As Reasonably Practicable). The initial phase focuses on hazard identification, where potential sources of harm are systematically uncovered using techniques like hazard and operability studies (HAZOP) or preliminary hazard analysis (PHA). This step establishes the scope by pinpointing hazardous events, their causes, and their potential consequences within the system's context. Following this, risk assessment evaluates the likelihood and severity of identified hazards, often employing qualitative or quantitative methods to prioritize risks and determine tolerable levels. Engineers quantify or categorize these risks to inform subsequent decisions on mitigation strategies. Next, argument development constructs the core safety claims, articulating how risks are controlled to achieve acceptable safety levels. This involves defining explicit assertions about system properties, such as reliability or fault tolerance, and linking them logically to form a coherent argument. Concurrently, evidence assembly gathers supporting data from diverse sources, including hazard analyses, testing results, simulations, and operational records, to substantiate the claims. Evidence must be traceable, verifiable, and sufficient to build confidence in the argument's validity. The process culminates in review, where the assembled argument and evidence undergo rigorous scrutiny by assessors to identify gaps, challenges, or rebuttals. This phase may involve external experts challenging assumptions and recommending refinements, ensuring the safety case withstands critical examination. Finally, maintenance addresses ongoing updates, incorporating new evidence or system changes to keep the case current.
Building a safety case is inherently iterative, with preliminary versions developed early in the lifecycle and refined progressively through the design, development, and operation stages and even decommissioning. Each phase feeds back into the others as new information emerges, allowing continuous improvement and adaptation to evolving risks or technologies. This lifecycle integration ensures the safety case remains a living document rather than a static artifact. Stakeholder involvement is essential throughout: engineers and developers lead hazard identification, risk assessment, and evidence collection based on their technical expertise; regulators provide oversight, setting acceptability criteria and conducting formal reviews to verify compliance; independent assessors, often external specialists, offer unbiased evaluation during the review phase; and operators contribute practical insights for maintenance and updates. Collaborative engagement among these roles fosters a robust, defensible safety case.

Notations and Tools

The Goal Structuring Notation (GSN) is a widely adopted graphical notation for documenting and analyzing safety cases, originally developed in the 1990s by Tim Kelly at the University of York to structure engineering arguments explicitly. It employs distinct symbols to represent key elements: rectangles for goals (top-level claims about system safety), parallelograms for strategies (reasoning steps decomposing goals into subgoals), ovals for contexts (assumptions or domain information), and rounded rectangles for evidence (supporting artifacts like test results or analyses). These elements are connected via arrows indicating relationships such as "supported by" or "in context of," enabling hierarchical argument development and clear linkage between claims and supporting evidence. The notation has evolved through community efforts, with its latest formalization in Version 3 of the GSN Community Standard, released in May 2021 by the GSN Standard Working Group, which standardizes extensions for modularity and reuse in complex systems. Other notable notations include the Claims-Arguments-Evidence (CAE) approach, developed by Adelard as a structured method for presenting arguments, emphasizing claims (assertions about properties), arguments (logical justifications), and evidence (verifiable artifacts), often visualized in mind-map style diagrams to highlight contextual dependencies. Similarly, the Trust Case Notation, exemplified by the TRUST-IT methodology, extends safety case principles to broader assurance domains like security and dependability, using comparable elements to build arguments for trustworthiness while integrating with GSN for hybrid applications. These notations facilitate rigorous analysis by promoting transparency in how evidence underpins claims, though GSN remains the most prevalent due to its graphical clarity and tool support. Several software tools aid in modeling, editing, and analyzing safety cases using these notations.
AdvoCATE, an open-source toolset developed by NASA Ames Research Center, automates the creation of assurance cases by generating GSN-compliant diagrams from hazard analyses, requirements, and evidence repositories, while supporting argument assessment through traceability and pattern instantiation. For advanced modeling, tools like Astah System Safety provide integrated environments that combine GSN with SysML (Systems Modeling Language) diagrams, enabling seamless linkage of safety arguments to system architecture models in safety-critical engineering workflows, such as automotive or aerospace projects. This integration allows engineers to visualize how safety evidence correlates with behavioral and structural models, enhancing overall systems engineering practices without requiring separate documentation silos.
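To make the goal, strategy, context and solution structure of the Safety Argument Structure section, the claim-to-evidence traceability of the Supporting Evidence section, and the "supported by" / "in context of" relationships of GSN concrete, here is an added Python model of a GSN argument with the structural checks a reviewer applies (example code, not from the article, the GSN standard, or any of the tools named above); the node ids, hazard names and evidence items are constructed.

```python
"""Minimal Goal Structuring Notation (GSN) argument model with structural checks.
Constructed example: node ids, hazards and evidence names are invented for
illustration and are not taken from any real safety case."""
from dataclasses import dataclass, field

# Allowed "supported by" targets per node kind, following the GSN convention:
# goals by goals, strategies or solutions; strategies by goals; solutions
# (evidence) and contexts are leaves and support nothing themselves.
ALLOWED_SUPPORT = {"goal": {"goal", "strategy", "solution"}, "strategy": {"goal"},
                   "solution": set(), "context": set()}


@dataclass
class Node:
    id: str
    kind: str                                          # goal | strategy | solution | context
    text: str
    supported_by: list = field(default_factory=list)   # ids of supporting nodes
    in_context_of: list = field(default_factory=list)  # ids of context nodes


class ArgumentModel:
    def __init__(self, nodes):
        self.nodes = {n.id: n for n in nodes}

    def undeveloped_goals(self):
        """Goals with no 'supported by' link: the argument stops there without evidence."""
        return sorted(n.id for n in self.nodes.values()
                      if n.kind == "goal" and not n.supported_by)

    def evidence_for(self, node_id, _seen=None):
        """Transitive set of solution ids that substantiate node_id (claim-to-evidence traceability)."""
        seen = _seen if _seen is not None else set()
        if node_id in seen or node_id not in self.nodes:
            return set()
        seen.add(node_id)
        node = self.nodes[node_id]
        if node.kind == "solution":
            return {node.id}
        found = set()
        for child in node.supported_by:
            found |= self.evidence_for(child, seen)
        return found

    def problems(self):
        """Structural defects a reviewer would reject before assessing the evidence itself."""
        issues = []
        for n in self.nodes.values():
            for child in n.supported_by:
                if child not in self.nodes:
                    issues.append(f"{n.id}: dangling 'supported by' reference {child}")
                elif self.nodes[child].kind not in ALLOWED_SUPPORT[n.kind]:
                    issues.append(f"{n.id}: {n.kind} may not be supported by "
                                  f"{self.nodes[child].kind} {child}")
            for ctx in n.in_context_of:
                if ctx not in self.nodes or self.nodes[ctx].kind != "context":
                    issues.append(f"{n.id}: 'in context of' must reference a context node, got {ctx}")
        issues.extend(f"{g}: undeveloped goal (no supporting evidence)"
                      for g in self.undeveloped_goals())
        issues.extend(self._cycles())
        return issues

    def _cycles(self):
        """Depth-first search; a back edge means a claim ultimately supports itself."""
        WHITE, GREY, BLACK = 0, 1, 2
        colour = {nid: WHITE for nid in self.nodes}
        cycles = []

        def visit(nid):
            colour[nid] = GREY
            for child in self.nodes[nid].supported_by:
                if child not in self.nodes:
                    continue
                if colour[child] == GREY:
                    cycles.append(f"{nid}: circular support via {child}")
                elif colour[child] == WHITE:
                    visit(child)
            colour[nid] = BLACK

        for nid in self.nodes:
            if colour[nid] == WHITE:
                visit(nid)
        return cycles


def example_model():
    """Constructed IMA-style argument: hazard H1 is fully evidenced, H2 is left undeveloped."""
    return ArgumentModel([
        Node("G1", "goal", "Flight-control partition is acceptably safe in the defined context",
             supported_by=["S1"], in_context_of=["C1"]),
        Node("C1", "context", "Shared IMA module hosting flight-control and cabin functions"),
        Node("S1", "strategy", "Argue over each identified hazard", supported_by=["G2", "G3"]),
        Node("G2", "goal", "H1: loss of partition isolation is mitigated", supported_by=["Sn1", "Sn2"]),
        Node("G3", "goal", "H2: health-monitor latency exceeding its budget is mitigated"),
        Node("Sn1", "solution", "Partition isolation test report (constructed)"),
        Node("Sn2", "solution", "FMEA of the shared computing module (constructed)"),
    ])
```

Running `example_model().problems()` reports only the undeveloped goal G3, and `evidence_for("G1")` traces the top-level claim down to the two solution nodes, which is the traceability a reviewer checks before assessing the evidence itself.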

Applications and Examples

Industries and Regulatory Contexts

Safety cases are widely mandated or commonly employed in high-hazard industries to demonstrate compliance with safety objectives, particularly where complex systems pose risks to human life, the environment, or critical infrastructure. In the nuclear sector, the UK's Office for Nuclear Regulation (ONR) requires operators to submit safety cases that align with its Safety Assessment Principles (SAPs), providing a framework for inspectors to evaluate nuclear facilities' risk management and operational controls. Similarly, in aviation, regulatory bodies such as the European Union Aviation Safety Agency (EASA) and the Federal Aviation Administration (FAA) incorporate safety case principles into certification processes, emphasizing structured arguments and evidence to assure system safety in aircraft design and operations. The rail industry, exemplified by the UK's Rail Safety and Standards Board (RSSB), mandates safety cases for infrastructure contractors, including risk assessments to support ongoing compliance with railway operations. In medical devices, the U.S. Food and Drug Administration (FDA) integrates safety assurance cases into its 510(k) premarket notification pathway, particularly for moderate-risk devices like infusion pumps, where manufacturers must provide explicit arguments linking design evidence to safety claims. For emerging technologies such as autonomous vehicles, the National Highway Traffic Safety Administration (NHTSA) is developing guidelines that require safety cases as part of a voluntary framework, including detailed hazard assessments and mitigation strategies to evaluate automated driving systems. Regulatory drivers for safety cases often distinguish between goal-based and prescriptive regimes. In the UK, the Control of Major Accident Hazards (COMAH) regulations adopt a goal-based approach, requiring operators of top-tier sites handling hazardous substances to demonstrate that risks are controlled to As Low As Reasonably Practicable (ALARP) through comprehensive safety reports akin to safety cases.
This contrasts with more prescriptive frameworks, where specific compliance steps are outlined rather than flexible arguments. Variations in safety case application are also evident between defense and civil contexts. In defense, the U.S. Department of Defense's MIL-STD-882E standard practice employs a prescriptive approach to system safety, mandating hazard identification, risk assessment, and mitigation throughout the acquisition lifecycle to address military-specific risks. Civil applications, however, typically favor goal-based safety cases that allow tailored arguments and evidence, as seen in sectors such as aviation and rail, to accommodate diverse operational environments while ensuring proportionate risk reduction.

Notable Case Studies

The Piper Alpha disaster on July 6, 1988, involved a series of explosions and fires on the Occidental Petroleum-operated platform in the North Sea, resulting in 167 fatalities and highlighting critical failures in safety management and regulatory oversight. The subsequent Cullen Inquiry, chaired by Lord Cullen and spanning 180 days of hearings, identified inadequate safety procedures, poor management systems, and insufficient regulatory enforcement as key contributors. In response, the inquiry's 106 recommendations, all accepted by the government and industry, mandated the introduction of safety cases for all offshore installations under the Offshore Installations (Safety Case) Regulations 1990. These safety cases required operators to systematically demonstrate that risks were reduced to as low as reasonably practicable (ALARP), including detailed hazard identification, risk assessments, and evidence of control measures, fundamentally shifting the offshore sector toward goal-setting regulation. The certification of the Airbus A380, the world's largest passenger airliner at its 2007 entry into service, exemplified the application of structured arguments for complex integrated modular avionics (IMA) systems. The A380's IMA architecture consolidated multiple functions into shared computing modules to reduce weight and wiring, necessitating rigorous safety cases to verify functional partitioning and fault isolation under the DO-178B software standard. Goal Structuring Notation (GSN) was employed to construct these arguments, hierarchically linking goals, such as maintaining aircraft control integrity, to supporting strategies, evidence from testing, and modular isolation analyses, ensuring compliance with EASA and FAA requirements. This approach addressed risks in the A380's avionics, including real-time partitioning and health monitoring, contributing to the aircraft's type certification on December 12, 2006, after extensive validation on the "iron bird" test rig.
In the 2020s, investigations into Tesla's Autopilot and Full Self-Driving (FSD) systems by the National Highway Traffic Safety Administration (NHTSA) underscored the challenges of developing evolving safety cases for over-the-air (OTA) software updates in advanced driver-assistance systems (ADAS). Following crashes linked to Autopilot engagement, such as the 2021 probe into 11 incidents involving emergency vehicles (PE20018), NHTSA has documented hundreds of crashes involving Autopilot and FSD as of October 2024, with an ongoing October 2025 probe into traffic safety violations when using FSD in 2.4 million vehicles, including 6 crashes and 4 injuries. Tesla responded with OTA updates and recalls, like Recall 23V-838 in December 2023, enhancing cabin camera monitoring and dynamic speed warnings. As of Q3 2025, Tesla submitted safety data showing Autopilot-involved crashes at one per 6.36 million miles driven, compared to one per 1.45 million miles without Autopilot and the U.S. national average of one per 670,000 miles (NHTSA data). These efforts formed an iterative safety case, balancing rapid deployment with regulatory scrutiny to mitigate risks like driver inattention and low-visibility failures.

Standards and Regulations

International Standards

International standards for safety cases provide structured frameworks to ensure the assurance of safety through rigorous argumentation and evidence collection, applicable across various domains. These standards emphasize goal-based approaches to risk management, integrating safety considerations into the lifecycle from design to operation. The ISO/IEC/IEEE 15026 series addresses systems and software assurance, defining concepts, processes, and methods for achieving and demonstrating assurance claims. Part 1 establishes foundational concepts and vocabulary for assurance in systems and software engineering. Part 2 specifies requirements for the structure and terminology of assurance cases, applicable to developing and maintaining them. Part 3, updated in 2023, specifies integrity levels and corresponding requirements for assurance assessment throughout the lifecycle, including updates to normative references for alignment with current practices. Part 4, published in 2021, offers guidance on achieving and demonstrating assurance claims for a system-of-interest, including recommendations for agreements between acquirers and suppliers. The International Atomic Energy Agency (IAEA) develops safety standards for nuclear facilities that incorporate safety case principles. For example, GSR Part 4 (Safety Assessment for Facilities and Activities, 2009) requires a systematic safety assessment supported by evidence, while specific guides like SSG-3 (The Safety Case and Safety Assessment for the Disposal of Radioactive Waste, 2012) provide detailed guidance on developing safety cases, including the integration of analyses and arguments and ongoing updates to demonstrate long-term safety. In the aviation sector, ARP4761A provides guidelines and methods for conducting safety assessments on civil airborne systems and equipment, supporting the integration of safety cases into certification processes. Issued in December 2023 as a revision of the 1996 ARP4761, it describes techniques such as functional hazard assessment (FHA), preliminary system safety assessment (PSSA), and system safety assessment (SSA) to identify hazards, analyze risks, and mitigate failures.
This standard facilitates the construction of safety arguments by linking analysis results to compliance evidence, ensuring comprehensive coverage of potential failure conditions. DEF STAN 00-56, issued by the UK Ministry of Defence, outlines safety management requirements for defence systems, with a strong emphasis on lifecycle safety cases. In its Issue 7 (Part 1, 2017), it mandates the development of safety cases as iterative documents that evolve through the system's lifecycle, including hazard identification, risk evaluation, and control measures. Safety case reports summarize the overall safety argument and the status of safety management activities, promoting continuous assurance and alignment with principles such as ALARP for risk reduction.

Regulatory Requirements by Region

Regulatory requirements for safety cases differ across regions, shaped by national laws and regulatory bodies that enforce tailored obligations for high-hazard activities to ensure risks are adequately managed. These mandates typically require operators to demonstrate through structured arguments and evidence that safety measures are robust and proportionate to potential threats. In the United Kingdom, the Health and Safety Executive (HSE) oversees enforcement of safety case requirements under the Health and Safety at Work etc. Act 1974, which imposes general duties to protect workers and the public from workplace hazards. Safety cases are mandatory for high-hazard sites, including offshore installations and chemical facilities under the Control of Major Accident Hazards (COMAH) Regulations 2015, where operators must submit detailed demonstrations that major accident risks have been reduced to as low as reasonably practicable (ALARP). The Offshore Installations (Safety Case) Regulations 2005 specifically require duty holders to prepare, submit, and maintain safety cases for fixed and mobile installations, subject to HSE acceptance and periodic review. Within the European Union, the Machinery Directive 2006/42/EC establishes essential health and safety requirements for machinery placed on the market, mandating manufacturers to perform risk assessments that identify hazards, estimate risks, and implement protective measures in a prioritized manner. These assessments form the core of safety cases by documenting compliance with Annex I principles, such as safe design and the communication of residual risks to users. Furthermore, the EU AI Act (Regulation (EU) 2024/1689), which entered into force in August 2024, classifies certain AI systems as high-risk and requires providers to establish a continuous risk management system, including identification, analysis, evaluation, and mitigation of risks to health, safety, and fundamental rights. High-risk systems must undergo conformity assessments and maintain technical documentation akin to safety case evidence, with obligations applying from 2027 for most categories.
In the United States, the Food and Drug Administration (FDA) integrates safety assurance cases into premarket review processes for medical devices, particularly emphasizing them in guidance for software-containing devices to verify safety and effectiveness. A notable example is the 2010 FDA initiative on infusion pumps, where the agency issued letters to manufacturers requiring comprehensive safety assurance cases as part of 510(k) premarket notifications, including hazard analysis, risk mitigation, and postmarket surveillance plans to address systemic failures. The Federal Aviation Administration (FAA) addresses software safety through Advisory Circular (AC) 20-174, which endorses the SAE ARP4754A guidelines for civil aircraft and systems development, recommending assurance levels and safety arguments to demonstrate compliance with certification standards for failure conditions. In other regions, Australia's Office of the National Rail Safety Regulator (ONRSR) mandates safety cases within accredited rail safety management systems under the Rail Safety National Law (South Australia) Act 2012, requiring operators to identify, assess, and control risks associated with rail operations. These safety cases must be submitted for accreditation and updated to reflect changes, ensuring ongoing demonstration of competence. Similarly, Canada's nuclear regulator, the Canadian Nuclear Safety Commission (CNSC), requires nuclear facility licensees to provide a comprehensive safety case as part of licensing applications, encompassing deterministic and probabilistic safety assessments to prove that operations pose no unreasonable risk to health, safety, security, or the environment. Under REGDOC-2.4.1 (updated May 2025) and REGDOC-2.4.2 (updated March 2025), safety cases integrate evidence from design, operational limits, and severe accident management, with probabilistic safety assessments covering core damage frequencies and radiological releases.

Challenges and Future Directions

Common Limitations

One prominent limitation of safety cases lies in the subjectivity inherent in ALARP judgments, where determining "reasonable practicability" often sparks debate because stakeholders, experts, and regulators interpret it differently. This subjectivity arises because risk tolerability involves not only technical analysis but also public values, professional judgment, and qualitative factors such as trust and perception, with no fixed formula for resolution; courts ultimately decide reasonableness case by case. For instance, cost-benefit analyses supporting ALARP decisions rely on monetized valuations such as the UK's Value of Prevented Fatality (VPF) of £1.661 million in 2009, but these are sensitive to assumptions and can differ significantly between those who pay (e.g., organizations minimizing expenses) and potential victims (e.g., those prioritizing safety). Such debates undermine the objectivity of safety arguments, potentially leading to inconsistent application across projects.

Safety cases also face scalability challenges when applied to complex systems, particularly those with heavy software components or AI integration, where exhaustive hazard identification becomes infeasible due to emergent behaviors and incomplete analyses. Hazard analyses in these environments can only trace known paths to accidents and cannot guarantee the absence of unidentified ones, as software and AI introduce non-deterministic elements that defy traditional methods. In AI-driven designs, for example, evolving capabilities and deployment scenarios demand multifaceted arguments (e.g., on trustworthiness) that grow exponentially in complexity, straining the ability to generalize claims across contexts. This limitation is exacerbated in software-intensive systems, where probabilistic arguments may overlook rare but critical failure modes, fostering overconfidence in assurances.
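To make the sensitivity point concrete, the following added example (not code from the article or from any regulator) screens a candidate risk-reduction measure the way a UK-style ALARP cost-benefit argument does, then re-runs the screen over a grid of assumptions. The VPF figure is the £1.661 million quoted above; the discount rate, the gross-disproportion factor, and the measure's cost and fatality-reduction figures are constructed assumptions, and the decision flips depending on which of them a reviewer accepts.

```python
"""ALARP cost-benefit screen with sensitivity analysis.

Added example (not from the page or any regulator's tooling).  The VPF figure
is the one quoted in the text; the discount rate, gross-disproportion factor
and the measure's figures are constructed, illustrative assumptions.
"""
from dataclasses import dataclass
from typing import Any, Dict, List

VPF_2009_GBP = 1_661_000  # UK Value of Prevented Fatality (2009), as quoted above


@dataclass(frozen=True)
class Measure:
    """A candidate risk-reduction measure (all figures constructed)."""
    name: str
    cost_gbp: float                      # one-off implementation cost
    fatalities_avoided_per_year: float   # reduction in expected fatalities per year
    lifetime_years: int


def present_value_benefit(measure: Measure, vpf: float, discount_rate: float) -> float:
    """Discounted sum of the monetised risk reduction over the measure's lifetime."""
    annual = measure.fatalities_avoided_per_year * vpf
    return sum(annual / (1.0 + discount_rate) ** year
               for year in range(1, measure.lifetime_years + 1))


def alarp_screen(measure: Measure, vpf: float = VPF_2009_GBP,
                 discount_rate: float = 0.035,
                 disproportion_factor: float = 3.0) -> Dict[str, Any]:
    """Screen a measure under the UK 'gross disproportion' test.

    A measure is reasonably practicable (and must be implemented) unless its
    cost is grossly disproportionate to the benefit.  The factor applied is a
    judgement, which is why the outcome is sensitive to it; 3.0 and 3.5 % are
    assumed values for illustration only.
    """
    benefit = present_value_benefit(measure, vpf, discount_rate)
    threshold = benefit * disproportion_factor
    return {
        "benefit_gbp": benefit,
        "threshold_gbp": threshold,
        "implement": measure.cost_gbp <= threshold,
    }


def sensitivity_table(measure: Measure, vpfs: List[float], factors: List[float],
                      discount_rate: float = 0.035) -> List[Dict[str, Any]]:
    """Re-run the screen over a grid of VPF and disproportion-factor assumptions."""
    rows = []
    for vpf in vpfs:
        for factor in factors:
            row = alarp_screen(measure, vpf, discount_rate, factor)
            row.update({"vpf": vpf, "factor": factor})
            rows.append(row)
    return rows


def decision_is_assumption_dependent(rows: List[Dict[str, Any]]) -> bool:
    """True when different defensible assumptions yield different decisions."""
    return len({row["implement"] for row in rows}) > 1


# Constructed example: an additional fire suppression system on a process unit.
EXAMPLE = Measure("additional suppression", cost_gbp=2_000_000,
                  fatalities_avoided_per_year=0.02, lifetime_years=20)
ASSUMED_VPFS = [VPF_2009_GBP, 2 * VPF_2009_GBP]   # 2009 figure vs an uprated figure
ASSUMED_FACTORS = [3.0, 10.0]                      # low vs high gross-disproportion factor

if __name__ == "__main__":
    rows = sensitivity_table(EXAMPLE, ASSUMED_VPFS, ASSUMED_FACTORS)
    for row in rows:
        print(f"VPF £{row['vpf']:,.0f}  factor {row['factor']:>4}  "
              f"benefit £{row['benefit_gbp']:,.0f}  implement={row['implement']}")
    print("decision depends on assumptions:", decision_is_assumption_dependent(rows))
```

With the constructed figures the measure fails the screen at the 2009 VPF and a factor of 3, but passes at a factor of 10 or at a doubled VPF, which is exactly the kind of disagreement between payers and potential victims the paragraph describes; a safety case that records the assumed factor and valuation alongside the decision at least makes the disagreement reviewable.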
Additionally, developing safety cases is highly resource-intensive, involving substantial costs for evidence collection, analysis, and independent review, which can delay projects and impose significant financial burdens. Evidence gathering requires integrating diverse sources, such as documentation, test results, and operational histories, often demanding man-years of effort that exceed the initial development phases; for instance, the assessment of the Darlington Reactor Protection System consumed approximately 50 man-years, far surpassing the software creation effort and resulting in millions in lost revenue from startup delays. Independent reviews, mandatory in regulated sectors like nuclear power, further amplify these costs by necessitating external validation to satisfy regulators, turning safety demonstration into a major commercial risk. Tools like Goal Structuring Notation (GSN) can help mitigate some of these resource demands by providing structured argumentation frameworks.

Emerging Trends

One prominent emerging trend in safety case development involves integrating agile methodologies and DevOps practices to support modular safety arguments and continuous deployment in safety-critical systems. Research from the early 2020s, such as the Agile Safety Case framework, enables developers to construct safety cases incrementally alongside software iterations, using techniques like SafeScrum to align safety evidence with rapid deployment cycles. This approach facilitates modular assurance, where safety arguments for individual components are verified and updated independently, allowing frequent, safe releases in industries like automotive without compromising compliance with standards such as ISO 26262. For instance, combining DevOps pipelines with continuous safety assessment ensures that evidence from testing and monitoring feeds back into the safety case in real time, reducing deployment risks in dynamic environments.
Another key development is the adaptation of safety cases for AI and autonomous systems, particularly through dynamic safety arguments that address the adaptive nature of these technologies under frameworks like the EU AI Act. The Act classifies high-risk systems, such as those used in autonomous decision-making, as requiring robust risk management, including conformity assessments that evolve with system updates to ensure ongoing safety and transparency. Recent proposals, including the Balanced, Integrated, and Grounded (BIG) argument structure, advocate living safety cases that use Goal Structuring Notation to link model-level assurances with system-wide ethical and operational claims, enabling adaptation to emergent behaviors in AI models. This dynamic approach is essential for adaptive systems, where static arguments fail to capture runtime uncertainties, and supports compliance by providing traceable evidence of risk mitigation throughout the lifecycle.

Safety cases are increasingly incorporating sustainability considerations, such as environmental risks and climate change, through updates to ISO management system standards after 2023. Amendments to standards such as ISO 14001 and ISO 45001, effective from 2024, require organizations to evaluate climate-related issues under Clause 4.1 as relevant external factors affecting safety and operations, integrating them into risk and opportunity assessments. This extension ensures that safety arguments address not only direct hazards but also indirect environmental risks, such as disruptions caused by climate change, by embedding relevant metrics into evidence gathering and monitoring processes. For example, the ISO climate action amendments promote a holistic view in which environmental risk management bolsters overall safety, aligning safety cases with global goals without altering core assurance structures.
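The agile and DevOps trend above, and the living, GSN-structured safety cases proposed for AI systems, both come down to one mechanism: the argument is held as a structured tree, and its support status is recomputed whenever pipeline evidence changes or ages. The following added example is not code from the article, from the Agile Safety Case framework, or from the BIG proposal; it sketches that mechanism in Python. The braking-controller claims, the node identifiers, the review dates and the 30-day evidence-staleness policy are all constructed assumptions.

```python
"""Living safety case: a GSN-style argument tree re-evaluated against pipeline evidence.

Added example; it is not code from the page, from the Agile Safety Case
framework or from the BIG proposal.  Node identifiers, the braking-system
claims, the evidence dates and the 30-day staleness policy are constructed.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional


@dataclass
class Evidence:
    """GSN solution node (Sn): an artefact produced by the CI/CD pipeline."""
    ident: str
    description: str
    passed: bool
    produced: date
    max_age_days: int = 30  # assumed policy: evidence older than this is stale

    def is_valid(self, today: date) -> bool:
        """Evidence supports a claim only if it passed and is still current."""
        return self.passed and (today - self.produced).days <= self.max_age_days


@dataclass
class Goal:
    """GSN goal node (G); the strategy is an implicit AND over its children."""
    ident: str
    statement: str
    subgoals: List["Goal"] = field(default_factory=list)
    evidence: List[Evidence] = field(default_factory=list)

    def supported(self, today: date) -> bool:
        return not self.unsupported_leaves(today)

    def unsupported_leaves(self, today: date) -> List[str]:
        """Identifiers of undeveloped goals and failed or stale evidence under this goal."""
        if not self.subgoals and not self.evidence:
            return [self.ident]          # undeveloped goal: never counts as supported
        bad: List[str] = []
        for sub in self.subgoals:
            bad.extend(sub.unsupported_leaves(today))
        bad.extend(e.ident for e in self.evidence if not e.is_valid(today))
        return bad

    def find_evidence(self, ident: str) -> Optional[Evidence]:
        for e in self.evidence:
            if e.ident == ident:
                return e
        for sub in self.subgoals:
            found = sub.find_evidence(ident)
            if found is not None:
                return found
        return None


def record_pipeline_result(case: Goal, ident: str, passed: bool, produced: date) -> None:
    """Feed a new pipeline artefact into the living safety case (modular update)."""
    ev = case.find_evidence(ident)
    if ev is None:
        raise KeyError(f"no evidence node {ident!r} in the argument")
    ev.passed, ev.produced = passed, produced


BASELINE = date(2025, 1, 15)                 # constructed review date
STALE_DATE = BASELINE + timedelta(days=45)   # later review with no fresh evidence


def build_case() -> Goal:
    """Constructed argument for one braking-software component (a modular sub-case)."""
    recent = BASELINE - timedelta(days=5)
    return Goal("G1", "Brake controller software is acceptably safe in its context", subgoals=[
        Goal("G2", "Hazard H1 (unintended brake release) is mitigated", evidence=[
            Evidence("Sn1", "unit tests for the release interlock", True, recent),
            Evidence("Sn2", "hardware-in-the-loop fault injection run", True, recent),
        ]),
        Goal("G3", "Hazard H2 (delayed brake application) is mitigated", evidence=[
            Evidence("Sn3", "timing analysis on the target ECU", True, recent),
        ]),
    ])


if __name__ == "__main__":
    case = build_case()
    print("baseline supported:", case.supported(BASELINE))
    record_pipeline_result(case, "Sn2", passed=False, produced=BASELINE)  # pipeline regression
    print("after failed HIL run:", case.unsupported_leaves(BASELINE))
    print("45 days later, no new evidence:", build_case().unsupported_leaves(STALE_DATE))
```

Two design points matter for a practitioner. An undeveloped goal reports itself as unsupported rather than silently passing, so a half-written argument can never be green; and evidence carries a production date, so a case that was sound at release degrades to "unsupported" when the pipeline stops producing fresh results, which is the runtime-uncertainty problem a static document cannot surface.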
Efforts toward global harmonization of safety case practices are gaining momentum, exemplified by international workshops and collaborations led by the UK's Office for Nuclear Regulation (ONR) in 2024-2025. These initiatives, including joint assessments with regulators like the US Nuclear Regulatory Commission and Canada's CNSC, focus on standardizing safety case methodologies for new reactor designs such as small modular reactors, promoting shared evidence templates and cross-border acceptance criteria. ONR's 2025 reports highlight workshops that address discrepancies in assurance arguments, aiming to reduce regulatory duplication while maintaining rigorous safety standards. This harmonization extends to broader sectors, facilitating consistent application of safety cases in multinational projects and enhancing global confidence in high-risk deployments.
