Conceptual model and development process metamodel
Safety Case pattern and weaving table
GPCA Safety Case

SPIRIT Project


Safety Case Pattern:
An example of a (partial) safety case pattern in the GSN notation that can be fed to SPIRIT is shown below.
The pattern is consisted of three main types of nodes:
1) claims, also known as goals, which assert certain properties of a system and are denoted as rectangles;
2) strategies (denoted as parallelograms) that are the reasoning steps to argue why a goal is supported by sub-goals or evidences;
3) and evidence (denoted as circle) that are artifacts to support the truth of a goal.


The hierarchy of goals in a safety argument is represented as a tree structure, the root of which is an overall safety claim
for the system. The pattern can contain additional context assumption and justification nodes to help to establish sound


The safety case pattern includes a set of expressions written in the Object Constraint Language (OCL) Each of such expressions contains variables, known as roles, that are enclosed within { and }. For example, node G1 contains role system, which represents the target infusion pump device. All roles involved in a safety case pattern must be instantiated before a safety case can be produced for the
target infusion pump system.


A role in the safety case pattern can be formally defined as follows:
• Any variable can be a role r, called a variable role; and
• If r is a role and x is a variable, then r.x is a role, called a derived role.

A safety case pattern can includes a set of role expressions,which are defined as follows:
• Any role r is a role expression; and
• If r is a role, then r.allInstances() is a role expression.

The Weaving Table

The core of SPIRIT is a weaving model, which instructs the instantiation of roles in the safety case pattern to the corresponding
elements in other input metamodels. If the safety case pattern can be successfully instantiated, it indicates that the development process conforms to the guidance. In this case, SPIRIT outputs an ATL program which transforms a specific project developed based on the development process metamodel to a final safety case.