Approval is evidence traceability, not confidence performed in prose.
A Safety-Critical Controls Researcher
Deployment approval is the point where all previous sections meet. The team must decide whether the operating domain is bounded, the mitigations are in place, the evidence is sufficient, and the residual risk is acceptable for the intended use.
Why This Matters
Deployment approval and safety cases sits at the boundary between learning and safety engineering. The question is not whether the policy usually behaves well, but whether dangerous states are detected, blocked, or exited fast enough to protect people, equipment, and mission goals.
A simple approval tuple is $$A = (\mathrm{ODD}, \mathrm{evidence}, \mathrm{defeaters}, \mathrm{residual\ risk}, \mathrm{rollback}),$$ where every element must be explicit enough for an external reviewer or internal safety board to challenge. Many teams then arrange this tuple in a goal-structuring tree so each top-level release claim has child claims, evidence links, and explicit challenge conditions.
Approval is not a scalar threshold. It is a structured argument that says which evidence supports which claim and what conditions would invalidate the release.
- Freeze the operating domain, excluded cases, and authority boundaries.
- Assemble evidence from evaluation panels, monitor tests, override tests, hazard analysis, and trace matrices.
- Map each release claim to one or more concrete artifacts in a goal-structuring or assurance template.
- List defeaters, missing evidence, and residual risks explicitly, with named owners.
- Define rollback, disablement, and post-deployment monitoring plans, then approve only for the claimed domain.
Worked Example
A delivery robot may be approved for indoor daytime office routes with marked lanes and trained operators, but not for crowded public spaces or unstructured loading docks. Approval is domain-bounded by design.
approval = {
"odd_defined": True,
"evidence_complete": False,
"override_tested": True,
"residual_risk_named": True,
}
approval["release_ready"] = all(approval.values())
print(approval){'odd_defined': True, 'evidence_complete': False, 'override_tested': True, 'residual_risk_named': True, 'release_ready': False}Expected output: The release is blocked because the evidence set is incomplete. That is exactly how a safety gate should behave: incomplete evidence is itself a meaningful decision signal.
Assurance templates, hazard logs, experiment trackers, and Goal Structuring Notation style review packets help teams assemble release evidence consistently. The goal is not paperwork for its own sake, but traceable linkage between claims and evidence.
Concrete stack anchors for this chapter include ROS 2 lifecycle and diagnostics logs for authority boundaries, PyTorch or JAX evaluation artifacts for learned policy evidence, Weights & Biases or TensorBoard dashboards for release panels, CasADi or Drake model summaries for control assumptions, and GSN-style assurance templates that connect each claim to its evidence, defeater, owner, and rollback trigger.
| Artifact Tool | Why It Matters | Review Check |
|---|---|---|
| GSN-style templates | Make claim, subclaim, evidence, and defeater structure explicit. | Can the release board trace each top-level claim to a concrete artifact? |
| Hazard log plus issue tracker | Keeps mitigations, owners, and unresolved risks visible through release. | Are any high-severity hazards still open or ownerless? |
| Experiment tracker plus replay archive | Links evaluation panels, monitor tests, and override evidence to the decision packet. | Can another reviewer replay the exact evidence bundle used for approval? |
Good approval practice names the boundary conditions clearly. A system can be approved for one environment, one workload, or one operator model without implying readiness everywhere else. In mature programs, each approval claim is backed by a trace matrix that points to benchmark artifacts, monitor tests, override results, and the exact owner for unresolved residual risks.
Formally, a release gate should check an objective such as task utility subject to explicit constraints on hazard rate, intervention latency, monitor coverage, and residual risk. The approved policy is therefore not merely the argmax of performance, it is the member of the candidate set whose evidence satisfies the safety case under the frozen operating-domain assumptions.
One of the most dangerous approval failures is domain creep, where a system slowly begins operating outside the bounded domain because no one wrote the exclusions sharply enough or monitored them after release.
- Verify that the ODD card and exclusion list match the requested deployment exactly.
- Walk every release claim through its linked benchmark artifact, monitor test, override test, and hazard-log entry.
- Challenge the packet with at least one defeater, such as stale calibration, untested workload, or unsupported terrain.
- Approve only with named residual-risk owners, rollback triggers, and post-deployment monitoring responsibilities.
Cross-References
This section sets up the capstone logic of Section 54.7 on assurance arguments and prepares the transition to Chapter 55 on deployment architecture. The approval tuple introduced here (ODD, evidence, defeaters, residual risk, rollback) becomes the leaf structure of the full assurance graph in Section 54.7, where each element is expanded into a claim, context, and evidence pairing that a release board can trace and challenge individually.
Create a mock release packet for a small embodied system with an ODD card, hazard log, evaluation summary, override evidence, and one blocked release reason. Then ask whether the packet really supports the intended domain.
Do not let a passing benchmark substitute for an approval argument. Benchmarks are inputs to approval, not approval itself.
For autonomous vehicles, the ODD may be limited by weather, road class, and speed range. For manipulation in labs, it may be limited by object set, human proximity rules, and supervision level.
The field is still building shared norms for approval arguments around learning-enabled robots, especially where models update frequently and fleet telemetry changes the available evidence base after release.
Can you list the intended operating domain and the excluded domain for your system in one sentence each? If not, the approval boundary is probably too fuzzy.
Deployment approval is a structured argument over bounded use, evidence sufficiency, and residual risk, not a celebration of one good demo.
Write a one-page approval gate for a robot system you know. Include explicit no-release conditions and one rollback trigger for post-deployment operation.
A deployment approval based on one impressive demo is not a safety case. It is a highlight reel, and the outtakes are exactly what the approval process is supposed to catch.
Section References
UL 4600 overview. https://users.ece.cmu.edu/~koopman/ul4600/index.html
A practical reference for structured autonomous-system safety arguments.
ISO 21448 SOTIF overview. https://www.iso.org/standard/77490.html
Relevant for performance limitations and intended-functionality hazards.
Section 54.7 turns approval logic into a full assurance argument with claims, evidence, defeaters, and replay artifacts.