As developers acknowledge that simply accumulating road miles isn't enough to ensure highly autonomous vehicle (HAV) safety, there will be a need for more comprehensive safety arguments. This paper proposes an hierarchical layered structure for safety arguments that combines the strengths of on-street testing, closed course testing, vehicle level simulation, subsystem testing, reviews, analysis, and component testing. An essential idea is that to make comprehensive validation practical, each layer should not attempt to prove safety all by itself, but rather validate the accuracy of underlying layers. For example, road testing shouldn't attempt to demonstrate safety per se, but rather serve to validate that assumptions made by more extensive simulations are indeed valid. In a similar vein, it's important to untangle the various aspects of the system that are being validated, such as: scenario coverage, training data sufficiency, machine learning robustness, and safety of traditional software. The result is a proposed high level template for HAV safety arguments.