Justification shall be provided for how each of the key design decisions made at tier n ([V]) helps to ensure that the safety requirements can be met by the AS. In particular, this should consider how the design decisions relate to the robustness and fault tolerance of the AS, and the way in which this supports the safety of the system. It is also important that the design decisions are reviewed to check that no inappropriate decisions have been taken that would prevent the safety requirements from being satisfied by the proposed design. The justification for the design at each tier shall be documented in the AS design justification report ([Y]).
Even if appropriate design decisions have been taken, the design should also be reviewed to check that no errors have been made in realising them. It is particularly important for AS, where substantial use is made of software components, that this includes a review of the proposed software design. In particular, the review should check for potentially hazardous errors. The review of the design shall be undertaken by a suitable person who is independent from the design activity itself. The results of the design review at each tier shall be documented in the AS design review report ([Z]).
The sufficiency of the design process used (as documented in [X]) shall also be reviewed to check that it is sufficiently rigorous. It should also be checked that the defined process has been correctly followed when developing the design.
The level of independence that is required of the people responsible for the review may vary depending upon the level of risk associated with the AS. For high risk systems it may be required for the review to be undertaken by personnel from a different organisation to the design organisation. For lower risk systems it may be sufficient for the review to be undertaken by personnel from the same organisation who are capable of providing an independent view.