Safety-Case Writing

Author a deployment safety case for a machine that adopts Intended. What Intended provides as mechanism, what your case must still argue, and an honest standards crosswalk.

advanced8 min readimplemented

Safety-Case Writing#

Audience: functional-safety engineers writing the deployment-specific safety case for a machine that uses Intended for authority gating.

Scope: what Intended provides today, what the customer's safety case still has to argue, and how to write the argument honestly.

What Intended is, in safety-case terms#

Intended provides mechanisms a safety case can cite: structured-goal classification, policy evaluation over attested machine state, short-lived signed tokens, an escalation/approval workflow, and a tamper-evident audit trail. It is not a turnkey safety solution, and — stated plainly — it carries no functional-safety certification today.

No certifications exist yet — do not claim them

There is no IEC 61508 / ISO 13849 / ISO 26262 assessment, and no SOC 2 / IEC 62443 certification, of any Intended component today. The runtime encodes no compliance-framework control mappings. The dedicated edge verifier binary (the component a future certification would most plausibly target) is roadmap — not shipped. Your safety case may cite the mechanisms Intended provides; it may not cite a SIL/PL level, a TÜV/Exida assessment, or a SOC 2 report for Intended, because none exist. When in doubt, claim "best-practice authority gating," not "SIL-2 authority gating."

Component	Owner	Certification status
Cloud authority issuer (classify, policy, sign, audit)	Intended	No formal certification today
Edge verifier binary	Intended	Roadmap — not shipped
Robot / PLC / safety bus	Customer	Per-machine, per-deployment
Application logic + DAG	Customer	Per-machine, per-deployment
Safety-bus → predicate bridge	Customer	Per-deployment

What you can claim today#

When you adopt Intended, you may claim that the following mechanisms are in place and evidenced by the audit chain:

Authority gating is enforced before dispatch. No state-changing action your integration gates is dispatched without a token whose claims your controller checked.
Tokens carry a bound actor identity. Each token's sub / actorIdentity names the actor it was issued for; the actor must be registered on the tenant roster before issuance. (Hardware-anchored DevID binding is a customer provisioning step.)
Tokens are time-bound. A token's lifetime is the action's deadlineMs (sub-second), and your verifier rejects expired tokens — against attested time once you integrate PTP/NTP.
Safety-rated input attestation is honored. When your PhysicalStateProvider surfaces a predicate as safetyRated: true over a declared protocol (FSoE, PROFIsafe, Pilz PSS, OPC-UA Safety), a clause requiring safety-rated input will not be satisfied by an untrusted or unavailable channel.
Every decision is recorded in a tamper-evident chain. Issuance, denial, and escalation are all auditable. The chain is a per-tenant SHA-256 hash chain; evidence export is HMAC-signed with the tenant's own secret — verification requires possession of that secret, so it is not publicly/asymmetrically verifiable.
Safe-default fallback is declared per node. On denial, expiry, or an audit-gap trip, the deciding clause carries the declared safe-default for your controller to actuate.

You may NOT claim:

That Intended replaces your safety PLC or safety bus.
That a safety case exists for the machine — that is your document.
Any SIL / PL level, or any third-party assessment, for an Intended component.
That audit evidence is independently/publicly verifiable — it is HMAC-keyed to the tenant secret.

Argument structure (GSN sketch)#

The top-level claim typically reads:

G1: The machine satisfies <safety standard> for the hazard
    <H1: unintended motion> in operating mode <M1>.

  Strategy: argue over (a) hazard analysis, (b) risk reduction,
            (c) implementation, (d) verification.

  G1.1: Hazard analysis identified all credible sources of unintended motion.
        [evidence: HAZOP / FMEA / STPA records]

  G1.2: The risk-reduction architecture mitigates each identified hazard.

    G1.2.1: Safety-rated e-stop chain interrupts power on operator request.
            [evidence: certified safety-PLC, FSoE bus, commissioning report]

    G1.2.2: Authority gating prevents motion without explicit, classified,
            time-bound authorization.

      G1.2.2.1: Token claims are checked before dispatch and rejected when
                invalid/expired.
                [evidence: controller code review, bench test, Intended audit chain]

      G1.2.2.2: The customer integration (predicate provider, actor-identity
                binding, policy file) correctly surfaces machine state.
                [evidence: integration test plan, traceability matrix]

      G1.2.2.3: On denial / expiry, the controller transitions to the declared
                safe-default within <bounded time>.
                [evidence: latency measurement, controller code review]

  G1.3: Implementation matches the architecture.  [evidence: SBOM, change control]
  G1.4: Verification confirms the safety claim.    [evidence: test reports]

The G1.2.2.x branch is where you cite Intended's mechanisms — but the evidence at G1.2.2.1 is your own (controller review, bench test, the Intended audit chain), not a third-party certificate, because none exists yet. You own G1.2.2.2 and G1.2.2.3 outright.

Concrete deliverables#

Integration design document — block diagram of where verification sits relative to controller and safety bus; sequence diagrams for normal operation, denial, and audit-gap trip; the OI category map (which machine actions map to which OI codes and which clause covers each); the actor-identity binding mechanism.
PhysicalStateProvider correctness argument — each predicate maps to one named bus signal; safetyRated is set true only when the signal is genuinely safety-rated (cite the bus certification); protocol names the bus accurately; asOfTimestampMs comes from a bounded-freshness source; on bus loss the provider returns kind: unavailable, never a stale value.
Policy file and review record — version-controlled with reviewed PRs; each clause traces to a hazard; changes go through change control.
Latency and timing analysis — the cloud round-trip (issuance) is off the RT path; verification fits the controller's RT cycle with margin; safe-default actuation completes within the hazard-analysis budget.
Time-attestation argument — the time source is trustworthy in your environment; the verifier clock cannot be rolled back; loss of attestation yields a defined safe state.
Failure-mode analysis — for each Intended-related failure, argue the machine's response is safe:

Failure	Machine response	Argument
Issuance fails / cloud unreachable	Declared safe-default	No token returned; controller transitions.
Token expires mid-motion	Safe-default at next check	Verifier rejects on re-check against `expiresAtMs`.
Audit-gap clause trips (`423`)	New authority denied	AUD-P5 audit-gap policy.
Safety bus drops	Predicate `unavailable`; clauses requiring it deny	Attestation semantics.
Controller ignores the decision	Controller-internal safety case applies	Out of Intended's scope.

Common pitfalls#

Claiming certification you don't have. Until an Intended component is actually assessed, the claim is "best-practice authority gating." Do not write SIL/PL levels or assessor names for Intended into your case.
Treating the policy file as mere configuration. It is safety-relevant logic; give it change-control parity with your PLC program.
Surfacing camera-derived predicates as safety-rated. Vision is not a safety-rated input. For redundant human detection, use a safety-rated curtain/scanner and aggregate with an N-of-M consensus clause.
Forgetting the audit-gap policy. Set audit_gap.max_gap_ms to a value compatible with your network reliability; a robot that keeps moving with a broken audit trail has lost its forensic guarantee.

Standards crosswalk (informal — no certification implied)#

This maps where the mechanisms fit, not where Intended is certified. No row below asserts an assessment.

Standard	Where the Intended mechanism fits
IEC 61508 (functional safety)	Authority gating is a software-based risk-reduction layer; any SIL claim depends on your own argument and the weakest link.
ISO 13849 (machinery)	Supports a Category 3 / PLd argument when paired with safety-rated inputs; the machine's PL is independent.
ISO 26262 (automotive)	Contributes to an ASIL argument for control hand-off; the vehicle ECU owns its ASIL classification.
ISO 10218 / ISO/TS 15066 (robots / cobots)	Maps to the `OI-1500` / `OI-1800` / `OI-2900` families; speed/separation monitoring is a customer policy concern.
IEC 62443 (industrial cybersecurity)	Token signing, JWKS distribution, and tamper-evident audit align with secure-by-design principles.

Working with assessors#

Bring this guide. The early conversation is "is this mechanism credible enough to base a safety argument on?" The honest answer: open-source SDK, open OI taxonomy, signed tokens, tamper-evident audit chain — and no third-party safety assessment yet. The assessor's call, made on your machine's full case, not on a certificate Intended does not hold.