Robotics safety · Functional safety · Autonomous systems

How to build a robotics safety case

A practitioner's guide to safety management systems for autonomous and robotic systems — from hazard analysis to assurance arguments, written by someone who has built them.

Read the guide
IEEE Senior Member
ISO 26262 · UL 4600 · SOTIF
Patents filed · AV safety systems
MSc Computer Science · KIT

The guide

1

What is a safety case?

GSN, CAE, and assurance case fundamentals

A safety case is a structured argument — supported by evidence — that a system is acceptably safe to operate in a defined context. It is not a document you write at the end of a project. It is a living artifact built throughout development.

The dominant notation is Goal Structuring Notation (GSN), which makes the argument explicit: goals, strategies, solutions, and the context that scopes each claim.

  • Goal Structuring Notation (GSN) — goals, strategies, solutions, context
  • Claims-Argument-Evidence (CAE) structure
  • What counts as evidence — test results, analysis, field data
  • Tooling: ASCE, Astah GSN, AdvoCATE
  • Common failure modes — circular arguments, unsubstantiated claims
2

Which standard applies to your system?

Navigating the robotics and AV standards landscape

The answer depends on your system type, domain, and geography. These are the standards that matter most for robotics and autonomous systems.

ISO 26262
Functional safety for road vehicles
UL 4600
Safety for autonomous products
ISO/PAS 21448
SOTIF — safety of intended functionality
IEC 61508
Base functional safety standard
ISO 10218
Safety for industrial robots
ISO/TS 15066
Collaborative robot safety
3

Hazard analysis and risk assessment

HARA, SOTIF analysis, and ODD definition

Before you can argue a system is safe, you must identify what could go wrong and under what conditions. For AV and robotic systems, this is complicated by the fact that many failures are not random hardware faults — they are systematic, ML-driven, or scenario-dependent.

  • HARA methodology — hazard identification, exposure, severity, controllability
  • ASIL determination and decomposition
  • Operational design domain (ODD) — defining the envelope your safety case covers
  • SOTIF triggering conditions — known and unknown unsafe scenarios
  • V&V strategy for ML and AI components
  • Residual risk and acceptance criteria
4

Building and running a safety management system

The organizational infrastructure behind a safety case

A safety case without a functioning SMS behind it is a document, not a system. The SMS is the set of processes, roles, and governance that keep the safety case valid as the system evolves.

  • Safety policy, objectives, and plans
  • Hazard log — structure, ownership, and lifecycle
  • Functional safety management roles and independence requirements
  • Supplier safety management — what to require, how to audit
  • Change impact analysis — keeping your safety case current
  • Safety audits and confirmation measures

About

R

Riri Isellhusen

Staff TPM · Functional safety · AV cybersecurity · IEEE Senior Member

I work at the intersection of hardware security, systems architecture, and cross-functional program execution in safety-critical autonomous vehicle contexts.

My research focuses on secure communication protocol selection for AV architectures and chiplet security in safety-critical systems. I hold two Master's degrees — Computer Science from Karlsruhe Institute of Technology and Industrial Engineering from Berlin University of Applied Sciences — and have filed patents in the AV safety space.

ISO 26262 SOTIF UL 4600 SecOC AUTOSAR Adaptive Automotive SPICE Chiplet security IEEE Senior Member

Contact

Open to research collaboration, advisory conversations, and speaking on functional safety and autonomous systems security.

in LinkedIn @ hello@isellhusen.com