Your first safety case
This tutorial walks you through building a small safety case from scratch. The example is a fictional uncrewed aerial vehicle (UAV) — concrete enough to be useful, small enough to finish in about ten minutes.
By the end you'll have a working GSN argument: a top-level Goal, a Strategy that decomposes it, Solutions pointing at evidence, and the Context and Assumptions that scope the claim.
What you'll build
A safety argument for the Hawk-1, a fictional commercial-inspection UAV. The top-level claim:
The Hawk-1 autopilot is acceptably safe for visual-line-of-sight commercial inspection within its operational design domain.
Concrete enough to argue. Bounded enough to finish. The same shape works for any system you'd build a real safety case for.
Step 1 — Create the document
From the dashboard, open the project where this case should live. Click Create document, give it a name (e.g. "Hawk-1 system safety case"), and Lemmatica drops you into the editor.
You'll see one placeholder Goal on the canvas. That's where every safety case starts.
Step 2 — State the top-level claim
Open the placeholder Goal and replace its text with the top-level claim from above:
The Hawk-1 autopilot is acceptably safe for visual-line-of-sight commercial inspection within its operational design domain.
The top-level Goal is the only Goal in the document with no parent. Lemmatica enforces that.
Step 3 — Scope the claim with Context and Assumption
A claim with no scope is impossible to defend. Two annotation node types do the scoping:
- Context — definitions, system boundaries, operating conditions
- Assumption — things you're treating as true without proving
Add a Context to the top-level Goal:
ODD: Visual line-of-sight operation in daylight, sub-300 ft AGL, sub-20 knot winds, controlled airspace under CASA Part 101 approval.
Add an Assumption alongside it:
Operator holds a current CASA Remote Pilot Licence (RePL) with a Hawk-1 type rating.
The claim is now bounded. Anyone reading the argument can see what you're claiming, under what conditions, and what you're depending on. Note that an Assumption is a debt, not a freebie: the argument is only as good as the checks that keep it true in operation (here, that operator licensing is actually verified before a flight).
Step 4 — Add a Strategy
GSN V3 does allow a Solution to support a Goal directly, but a claim as broad as the top-level one can't rest on a single piece of evidence. Goals of that size decompose through a Strategy, the reasoning approach you're using to argue the claim.
Add a Strategy under the top-level Goal. In this tutorial the Strategy argues by elimination of identified failure modes: show that each failure mode that could defeat the claim has been dealt with.
A Strategy answers the question "how are we arguing this?". Other common patterns are argument by decomposition (over hazards, over functions) and argument by evidence type.
Step 5 — Decompose into sub-Goals
Under the Strategy, add sub-Goals. Each one is a specific claim that supports the parent:
- "Loss-of-link triggers safe return-to-home"
- "GPS denial degrades gracefully to manual recovery"
- "Battery exhaustion triggers controlled landing"
These are the failure modes the Strategy claims to have eliminated. The list is illustrative, not exhaustive: a real argument would address every hazard the hazard analysis identified, and the one you left out is the first thing a reviewer will look for.
Step 6 — Attach evidence as Solutions
A Solution is a leaf node pointing at evidence: a test report, an analysis document, a review record. Add a Solution under each sub-Goal; in this example, each one is a test report for the behaviour the sub-Goal claims.
Once a sub-Goal has a Solution beneath it, Lemmatica marks it as developed. If a sub-Goal has no children, it's flagged as undeveloped, a visible reminder that you owe an argument or evidence. Be clear about what that check covers: a Solution records where the evidence lives, not whether the evidence actually demonstrates the claim. That judgement is the reviewer's, and no structural rule makes it for you.
Step 7 — Read it in flow
Step back. The canvas now shows a top-level Goal, scoped by Context and Assumption, decomposed through a Strategy into three sub-Goals, each terminated with a Solution.
Read it from top to bottom in plain English:
The Hawk-1 autopilot is acceptably safe within its ODD, because we have eliminated identified failure modes — loss-of-link, GPS denial, and battery exhaustion — each supported by a specific test report.
That's a safety case. The structural rules of GSN V3 made sure the argument hangs together, and Lemmatica enforced them as you built. Structure is necessary, not sufficient: the rules catch a missing branch, not a weak one, so the next pass is reading each Solution and asking whether its evidence really carries the sub-Goal above it.
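As an added example, not Lemmatica's code and not part of the original tutorial: the same Hawk-1 argument built as a small Python data model, with the structural rules from Steps 2 to 7 coded as checks (exactly one parentless Goal, a scoped top-level Goal, Solutions as leaves, undeveloped Goals and Strategies flagged) and a top-down plain-English rendering for Step 7. The Strategy wording and the test-report titles are assumed, since the tutorial doesn't give them, and the class and function names are this example's own. It generalises past the tutorial in one respect: it also accepts Goal-to-Goal and Goal-to-Solution support, which GSN permits.

```python
"""Tiny GSN model: build the Hawk-1 argument from the tutorial and lint it."""
from dataclasses import dataclass, field

GOAL, STRATEGY, SOLUTION, CONTEXT, ASSUMPTION = "Goal", "Strategy", "Solution", "Context", "Assumption"

# Permitted SupportedBy edges: parent kind -> child kinds that may sit under it.
# Solutions are leaves. Goal -> Solution is legal GSN; the tutorial goes through a Strategy.
SUPPORTED_BY = {GOAL: {STRATEGY, GOAL, SOLUTION}, STRATEGY: {GOAL}, SOLUTION: set()}


@dataclass
class Node:
    id: str
    kind: str
    text: str
    children: list = field(default_factory=list)  # SupportedBy (argument structure)
    scope: list = field(default_factory=list)     # InContextOf: Context and Assumption


class SafetyCase:
    """In-memory GSN argument plus the structural checks the tutorial describes."""

    def __init__(self):
        self.nodes = {}
        self.parent_of = {}  # child id -> parent id, used for the single-root rule

    def add(self, kind, node_id, text, under=None):
        if node_id in self.nodes:
            raise ValueError(f"duplicate node id {node_id}")
        node = Node(node_id, kind, text)
        if under is None:
            if kind != GOAL:
                raise ValueError("only a Goal may have no parent")
        else:
            parent = self.nodes[under]
            if kind in (CONTEXT, ASSUMPTION):
                parent.scope.append(node)          # annotation, not support
            elif kind in SUPPORTED_BY.get(parent.kind, set()):
                parent.children.append(node)
                self.parent_of[node_id] = under
            else:
                raise ValueError(f"a {parent.kind} cannot be supported by a {kind}")
        self.nodes[node_id] = node
        return node

    def roots(self):
        return [n for n in self.nodes.values() if n.kind == GOAL and n.id not in self.parent_of]

    def undeveloped(self):
        # A Goal or Strategy with nothing beneath it still owes an argument or evidence.
        return [n.id for n in self.nodes.values() if n.kind in (GOAL, STRATEGY) and not n.children]

    def findings(self):
        """Structural problems; empty list if the case is well-formed."""
        out = []
        roots = self.roots()
        if len(roots) != 1:
            out.append(f"expected exactly one top-level Goal, found {len(roots)}")
        for root in roots:
            if not root.scope:
                out.append(f"{root.id}: top-level Goal has no Context or Assumption")
        out.extend(f"{nid}: undeveloped" for nid in self.undeveloped())
        return out

    def narrative(self):
        """Step 7: the argument top-down as indented plain-English lines."""
        lines = []

        def walk(node, depth):
            lines.append("  " * depth + f"{node.kind} {node.id}: {node.text}")
            for s in node.scope:
                lines.append("  " * (depth + 1) + f"({s.kind}) {s.text}")
            for child in node.children:
                walk(child, depth + 1)

        for root in self.roots():
            walk(root, 0)
        return lines


def build_hawk1():
    """The tutorial's argument. Strategy wording and Solution titles are assumed here."""
    sc = SafetyCase()
    sc.add(GOAL, "G1", "The Hawk-1 autopilot is acceptably safe for visual-line-of-sight "
                       "commercial inspection within its operational design domain.")
    sc.add(CONTEXT, "C1", "ODD: VLOS operation in daylight, sub-300 ft AGL, sub-20 knot winds, "
                          "controlled airspace under CASA Part 101 approval.", under="G1")
    sc.add(ASSUMPTION, "A1", "Operator holds a current CASA RePL with a Hawk-1 type rating.", under="G1")
    sc.add(STRATEGY, "S1", "Argument by elimination of identified failure modes", under="G1")
    subgoals = [("G2", "Loss-of-link triggers safe return-to-home"),
                ("G3", "GPS denial degrades gracefully to manual recovery"),
                ("G4", "Battery exhaustion triggers controlled landing")]
    for i, (gid, text) in enumerate(subgoals, start=1):
        sc.add(GOAL, gid, text, under="S1")
        # Placeholder evidence reference; a real case cites the actual report.
        sc.add(SOLUTION, f"Sn{i}", f"Test report TR-{i} (placeholder) for {gid}", under=gid)
    return sc


if __name__ == "__main__":
    case = build_hawk1()
    print("\n".join(case.narrative()))
    print("findings:", case.findings() or "none")
```

Running it prints the argument in flow and an empty findings list; delete one of the `SOLUTION` lines and the corresponding sub-Goal shows up as undeveloped, add a second parentless Goal and the single-root rule fires. If the argument lives in version control, the same `findings()` call is a cheap structural lint for CI, with the caveat from Step 6 that it checks shape, not the strength of the evidence.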