Safety-Aware Machine Learning (ISO 8800)
11 chapters
You learn to engineer AI and ML components that hold up in a safety case: the ISO/PAS 8800:2024 lifecycle layered on ISO 26262 and ISO 21448, covering dataset coverage, robustness, runtime monitoring, and structured assurance arguments.
Learning Objectives
Derive verifiable ML safety requirements
Flow safety goals down to AI and data requirements with per-class error budgets, ODD bounds, and defined evaluation protocols.
Build dataset coverage arguments
Specify the dataset lifecycle, map ODD cells to sample counts and label quality, and document completeness against edge cases.
Engineer runtime supervision
Design doer-checker architectures, OOD detectors, plausibility checks, and Minimal Risk Condition transitions within a real latency budget.
Verify ML beyond accuracy
Choose safety-relevant metrics, run scenario-based tests, and enforce test independence so evidence survives an assessor review.
Chapters
The AI Safety Gap
Why the deterministic ISO 26262 fault model does not fit machine learning, and what ISO/PAS 8800:2024 adds to close the gap.
ISO 8800 in the Landscape
Mapping the AI safety standard ecosystem and identifying which standard owns which risk argument.
The ML Safety Lifecycle
Eight lifecycle phases from concept and data through training, evaluation, deployment, and field monitoring, mapped onto the V-model.
Safety-Related ML Requirements
Deriving verifiable AI requirements from safety goals, SOTIF performance targets, ODD constraints, and fallback design.
Data and Dataset Safety
Treating the dataset as a partial specification, with ODD coverage, labelling quality, lineage, and completeness arguments.
Robustness and Out-of-Distribution
Detecting and bounding out-of-distribution behaviour, distribution shift, perturbation robustness, and calibrated uncertainty.
Verification and Validation of ML
Moving beyond accuracy to safety-relevant metrics, scenario-based testing, and demonstrable independence of the test data from the training data.
Runtime Monitoring
Safety envelopes, plausibility checks, doer-checker architecture, runtime OOD detection, and transition to a Minimal Risk Condition.
The AI Safety Case
Structuring assurance arguments for ML using a four-pillar decomposition and Goal Structuring Notation (GSN) down to concrete evidence.
Integration with ISO 26262 and ISO 21448
Plugging ISO 8800 evidence into the functional safety case and SOTIF validation, including ASIL allocation to ML elements.
Anti-Patterns in ML Safety
The most common ways teams undermine an AI safety argument, with a diagnostic checklist to catch them at review gates.
Diagrams & Visuals
ML Safety Lifecycle Pipeline
The eight ISO 8800 lifecycle phases overlaid on the ISO 26262 V-model, showing where data and training decisions sit.
ODD Coverage Matrix
A coverage grid of road type, lighting, weather, object class, and speed, with minimum sample counts and gap risks per cell.
Dataset Independence Venn
How training, validation, and test datasets must stay separated, with overlap shown as a source of over-optimistic results.
OOD Detection Threshold Explorer
Interactive view of how a confidence threshold trades false alarms against missed out-of-distribution inputs at runtime.
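Added example, not taken from the course: the trade-off this explorer visualises, computed in Python on constructed confidence scores. The numbers stand in for the max-softmax confidence of a hypothetical classifier on 20 in-ODD frames and 10 out-of-distribution frames and were chosen by hand, not measured; two OOD frames deliberately score above 0.8 because confident-but-wrong inputs are the ones a threshold detector misses. The sweep reports the false-alarm and miss rate at each threshold and picks the cheapest operating point that meets a miss budget.

```python
# Constructed max-softmax confidences (hand-picked, not measured): 20 frames inside the
# ODD and 10 outside it. Note the two OOD frames scoring 0.91 and 0.85.
ID_SCORES = [0.99, 0.98, 0.97, 0.96, 0.95, 0.95, 0.94, 0.93, 0.92, 0.91,
             0.90, 0.89, 0.88, 0.86, 0.85, 0.82, 0.78, 0.74, 0.70, 0.62]
OOD_SCORES = [0.91, 0.85, 0.79, 0.72, 0.66, 0.60, 0.55, 0.48, 0.40, 0.33]
THRESHOLDS = [t / 100 for t in range(50, 100, 5)]   # 0.50, 0.55, ..., 0.95


def is_rejected(score, threshold):
    """Runtime rule: a frame is rejected as out-of-distribution when confidence < threshold."""
    return score < threshold


def detector_rates(id_scores, ood_scores, threshold):
    """(false-alarm rate on in-ODD frames, miss rate on OOD frames) at one threshold."""
    false_alarm = sum(is_rejected(s, threshold) for s in id_scores) / len(id_scores)
    miss = sum(not is_rejected(s, threshold) for s in ood_scores) / len(ood_scores)
    return false_alarm, miss


def sweep(id_scores, ood_scores, thresholds):
    """One (threshold, false_alarm, miss) row per threshold, the table the explorer plots."""
    return [(t, *detector_rates(id_scores, ood_scores, t)) for t in thresholds]


def choose_threshold(id_scores, ood_scores, thresholds, max_miss):
    """Lowest threshold (fewest false alarms) whose miss rate is within budget, or None.
    Thresholds are scanned ascending, so the first hit is the cheapest operating point."""
    for t, far, miss in sweep(id_scores, ood_scores, sorted(thresholds)):
        if miss <= max_miss:
            return t, far, miss
    return None


def spurious_handovers_per_hour(false_alarm_rate, fps):
    """Availability cost of an operating point: rejected in-ODD frames per hour of driving,
    pessimistically assuming every rejection triggers a handover (real systems debounce)."""
    return false_alarm_rate * fps * 3600


if __name__ == "__main__":
    for t, far, miss in sweep(ID_SCORES, OOD_SCORES, THRESHOLDS):
        print(f"threshold {t:.2f}: false alarms {far:.2f}, missed OOD {miss:.2f}")
    chosen = choose_threshold(ID_SCORES, OOD_SCORES, THRESHOLDS, max_miss=0.10)
    print("cheapest point within a 10% miss budget:", chosen)
    if chosen:
        print("spurious handovers per hour at 30 fps:",
              spurious_handovers_per_hour(chosen[1], fps=30))
```

On these scores, catching 90% of OOD frames costs a threshold of 0.90 and a 45% false-alarm rate on ordinary frames. That is the point the explorer makes: a confidence threshold alone buys OOD coverage with availability, which is why the runtime monitor chapter pairs it with plausibility checks rather than relying on it in isolation.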
Doer-Checker Architecture
Signal flow from sensor to ML doer to independent checker to actuator, with a fallback path to the Minimal Risk Condition.
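Added example, not the course's own code: a Python sketch of the checker in this diagram for the camera-and-radar AEB case on this page. The doer is the ML perception model and only its output enters the checker; the checker itself uses no learned component, just a latency watchdog, an input-envelope check, radar corroboration and a kinematic plausibility check, and it escalates to the Minimal Risk Condition when the doer is too slow, when the input is outside the validated envelope, or when it has had to veto the doer on several consecutive frames. The 200 ms budget comes from the case study below; all other limits, the frame format and the scenario are assumptions, and a real implementation would latch the MRC rather than re-evaluate it every frame.

```python
from dataclasses import dataclass
from enum import Enum


class Action(Enum):
    NOMINAL = "no intervention"
    BRAKE = "brake on checker-confirmed pedestrian"
    MRC = "hand over to Minimal Risk Condition"


@dataclass(frozen=True)
class Detection:
    cls: str
    distance_m: float
    confidence: float


@dataclass(frozen=True)
class Frame:
    detections: tuple       # doer output (camera ML perception)
    radar_ranges_m: tuple   # independent sensor the ML model never touches
    mean_brightness: float  # cheap input statistic for the ODD envelope check
    doer_latency_ms: float  # measured by a watchdog around the doer call


@dataclass(frozen=True)
class CheckerConfig:          # all limits are assumed values for the demo
    latency_budget_ms: float = 200.0
    brightness_envelope: tuple = (20.0, 235.0)
    radar_tolerance_m: float = 2.0
    max_closing_speed_mps: float = 25.0
    brake_distance_m: float = 20.0
    max_consecutive_vetoes: int = 3


class Checker:
    """Non-ML supervisor: confirms or vetoes the doer's brake request and escalates
    to the Minimal Risk Condition when the doer cannot be trusted at all."""

    def __init__(self, cfg):
        self.cfg = cfg
        self.prev_distance = None       # last checker-confirmed pedestrian range
        self.consecutive_vetoes = 0

    def step(self, frame, dt_s):
        cfg = self.cfg
        if frame.doer_latency_ms > cfg.latency_budget_ms:
            return Action.MRC, ["doer missed the latency budget"]
        lo, hi = cfg.brightness_envelope
        if not lo <= frame.mean_brightness <= hi:
            return Action.MRC, ["input outside the validated envelope"]
        reasons, confirmed = [], []
        for d in frame.detections:
            if d.cls != "pedestrian" or d.distance_m > cfg.brake_distance_m:
                continue
            if not any(abs(r - d.distance_m) <= cfg.radar_tolerance_m for r in frame.radar_ranges_m):
                reasons.append(f"veto: no radar return near {d.distance_m} m")
                continue
            if (self.prev_distance is not None
                    and abs(self.prev_distance - d.distance_m) > cfg.max_closing_speed_mps * dt_s):
                reasons.append(f"veto: implausible range jump {self.prev_distance} -> {d.distance_m} m")
                continue
            confirmed.append(d)
        if confirmed:
            self.prev_distance = min(d.distance_m for d in confirmed)
            self.consecutive_vetoes = 0
            return Action.BRAKE, reasons
        self.prev_distance = None           # tracking restarts once nothing is confirmed
        if not reasons:
            self.consecutive_vetoes = 0
            return Action.NOMINAL, reasons
        self.consecutive_vetoes += 1
        if self.consecutive_vetoes >= cfg.max_consecutive_vetoes:
            return Action.MRC, reasons + ["doer vetoed on consecutive frames"]
        return Action.NOMINAL, reasons


# Constructed frame sequence at 10 Hz (dt = 0.1 s); not recorded data.
SCENARIO = (
    Frame((Detection("pedestrian", 15.0, 0.92),), (15.4, 40.0), 120.0, 60.0),  # corroborated
    Frame((Detection("pedestrian", 14.0, 0.95),), (14.1,), 118.0, 55.0),        # plausible approach
    Frame((Detection("pedestrian", 5.0, 0.97),), (5.2,), 121.0, 58.0),          # 9 m jump in 0.1 s
    Frame((Detection("pedestrian", 18.0, 0.88),), (45.0,), 122.0, 57.0),        # no radar return
    Frame((Detection("pedestrian", 17.0, 0.90),), (45.0,), 122.0, 59.0),        # third veto in a row
    Frame((), (45.0,), 122.0, 260.0),                                            # doer too slow
    Frame((), (), 8.0, 50.0),                                                    # unlit scene
)


def run_scenario(cfg=CheckerConfig(), dt_s=0.1):
    checker = Checker(cfg)
    return [checker.step(frame, dt_s) for frame in SCENARIO]


if __name__ == "__main__":
    for i, (action, reasons) in enumerate(run_scenario(), 1):
        print(f"frame {i}: {action.value}", reasons)
```

Two properties matter for the safety argument and are visible in the code: the checker's decision never depends on the doer's confidence value, only on corroboration from a source the doer does not influence, and every path that cannot establish a safe state ends in MRC rather than in "trust the doer".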
Assurance Argument Tree
A GSN-style decomposition of the top safety claim into data, model, robustness, and supervision goals down to evidence nodes.
AEB Pedestrian Detector at ASIL B
Follow a camera-and-radar Automatic Emergency Braking perception model through the ISO 8800 lifecycle, from safety goal to a defensible assurance argument.
- Safety goal traced to a false-negative rate below 1% per ODD sub-condition (rain, low-sun, night)
- Dataset coverage matrix proving minimum labelled counts per ODD cell with annotation accuracy above 98%
- Test set held out by temporal and geographic split, locked before architecture selection
- Doer-checker runtime monitor flagging out-of-distribution inputs and triggering the Minimal Risk Condition within 200 ms
- Four-pillar GSN safety case linking data, model, robustness, and supervision evidence
- Field monitoring plan with drift triggers feeding the over-the-air update process
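Added example, not from the course: a Python assessment of the first two bullets of this case study, the per-cell false-negative budget and the coverage matrix with its label-quality floor, on constructed per-cell statistics. The cells are lighting x weather only; the same dictionary shape extends to the road-type, object-class and speed axes of the full matrix. One check here goes beyond the bullet text and is my addition: an observed false-negative rate under 1% on a small cell does not demonstrate the budget, so the code computes the exact one-sided binomial (Clopper-Pearson) upper bound and requires that bound, not the point estimate, to sit below 1% at 95% confidence. It also derives the minimum number of labelled pedestrians a cell needs before the claim is demonstrable at all. Cell counts, audit sizes and thresholds are invented for the demo.

```python
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class Budget:                          # assumed values for the demo
    min_frames: int = 500              # minimum labelled frames per ODD cell
    min_label_accuracy: float = 0.98   # from the case study's annotation-accuracy floor
    max_fn_rate: float = 0.01          # per-cell false-negative budget from the safety goal
    confidence: float = 0.95


LIGHTING = ("day", "low-sun", "night")
WEATHER = ("clear", "rain")

# Constructed per-cell statistics (not measured). positives = labelled pedestrians in the
# locked test set for the cell; misses = pedestrians the model failed to detect;
# audited / label_errors come from an independent re-labelling audit of that cell.
CELL_STATS = {
    ("day", "clear"):     dict(frames=4200, audited=200, label_errors=2, positives=1200, misses=3),
    ("day", "rain"):      dict(frames=1500, audited=200, label_errors=3, positives=420, misses=3),
    ("low-sun", "clear"): dict(frames=800,  audited=200, label_errors=1, positives=310, misses=0),
    ("low-sun", "rain"):  dict(frames=450,  audited=100, label_errors=5, positives=150, misses=0),
    ("night", "clear"):   dict(frames=1100, audited=200, label_errors=2, positives=1000, misses=2),
    ("night", "rain"):    dict(frames=380,  audited=100, label_errors=4, positives=120, misses=2),
}


def binomial_cdf(k, n, p):
    """P(X <= k) for X ~ Binomial(n, p)."""
    return sum(math.comb(n, i) * p ** i * (1 - p) ** (n - i) for i in range(k + 1))


def fn_rate_upper_bound(misses, positives, confidence):
    """Exact one-sided upper confidence bound on the true false-negative rate: the
    largest p for which observing this few misses is still plausible (Clopper-Pearson)."""
    if misses >= positives:
        return 1.0
    alpha = 1 - confidence
    lo, hi = 0.0, 1.0
    for _ in range(100):                       # bisection; the CDF is decreasing in p
        mid = (lo + hi) / 2
        if binomial_cdf(misses, positives, mid) > alpha:
            lo = mid
        else:
            hi = mid
    return hi


def min_positives_zero_miss(max_fn_rate, confidence):
    """Smallest number of labelled positives that can demonstrate the budget at all,
    i.e. the test size needed when zero misses are observed."""
    return math.ceil(math.log(1 - confidence) / math.log(1 - max_fn_rate))


def assess_cell(s, b):
    findings = []
    if s["frames"] < b.min_frames:
        findings.append(f"coverage gap: {s['frames']} labelled frames < {b.min_frames}")
    accuracy = 1 - s["label_errors"] / s["audited"]
    if accuracy < b.min_label_accuracy:
        findings.append(f"label quality: audited accuracy {accuracy:.3f} < {b.min_label_accuracy}")
    observed = s["misses"] / s["positives"]
    upper = fn_rate_upper_bound(s["misses"], s["positives"], b.confidence)
    if upper > b.max_fn_rate:
        findings.append(f"fn budget: observed {observed:.4f} but {b.confidence:.0%} upper bound "
                        f"{upper:.4f} > {b.max_fn_rate} (positives={s['positives']})")
    return findings


def assess_odd(stats, b):
    """Findings per cell of the matrix; a cell absent from stats is itself a coverage gap."""
    return {(l, w): (assess_cell(stats[(l, w)], b) if (l, w) in stats
                     else ["coverage gap: cell has no data"])
            for l in LIGHTING for w in WEATHER}


def odd_claim_holds(findings):
    """The ODD-wide claim is only as strong as its weakest cell."""
    return all(not f for f in findings.values())


if __name__ == "__main__":
    budget = Budget()
    print("positives needed per cell with zero misses:",
          min_positives_zero_miss(budget.max_fn_rate, budget.confidence))
    findings = assess_odd(CELL_STATS, budget)
    for cell, f in findings.items():
        print(cell, "OK" if not f else f)
    print("ODD-wide claim holds:", odd_claim_holds(findings))
```

The day/rain cell is the instructive one: 3 misses in 420 pedestrians is an observed rate of 0.7%, comfortably under budget, yet the 95% upper bound is about 1.8%, so the cell cannot carry the claim. Reporting only the point estimate is exactly the over-optimistic evidence an assessor will challenge.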
Engineer ML you can put in a safety case
Work through the ISO/PAS 8800 lifecycle on top of ISO 26262 and ISO 21448, from dataset coverage to runtime monitoring and assurance arguments.