Arize Phoenix vs SafetyBench Eval

Accepts OpenTelemetry Protocol (OTLP) traces via gRPC server on port 4317, parses span hierarchies with parent-child relationships, and persists them to PostgreSQL or SQLite with automatic schema migrations. Implements the full OTLP specification for trace collection without requiring vendor lock-in or custom instrumentation adapters.

Unique: Native OTLP gRPC server with full span hierarchy preservation and dual-database support (PostgreSQL + SQLite) in a single open-source package, eliminating need for separate trace collectors like Jaeger or Tempo

vs alternatives: Simpler than Jaeger for LLM-specific use cases (no complex configuration) and cheaper than Datadog/New Relic (self-hosted, no per-span pricing)

Exposes a Strawberry GraphQL API (api/schema.py) that enables complex queries over ingested spans with filters on span name, status, duration, attributes, and parent-child relationships. Supports cursor-based pagination and aggregations (count, latency percentiles) without requiring SQL knowledge, allowing developers to programmatically extract trace subsets for analysis.

Unique: Strawberry GraphQL schema specifically designed for LLM trace patterns (model names, token counts, retrieval metadata) rather than generic span attributes, with built-in support for RAG-specific filters like 'retrieval_source' and 'embedding_model'

vs alternatives: More intuitive than raw SQL queries for non-database engineers, and more flexible than Jaeger's UI-only filtering for programmatic access

Provides APIs and UI for adding human feedback and annotations to spans after they are ingested (e.g., marking a retrieval result as 'relevant' or 'irrelevant', or adding a human score to an LLM response). Feedback is stored separately from spans and linked via span ID, enabling human-in-the-loop evaluation and ground-truth dataset creation from production traces.

Unique: Feedback is collected directly on Phoenix spans without requiring separate annotation tools or data export, enabling seamless integration of human feedback into trace analysis and dataset creation workflows

vs alternatives: More integrated than external annotation tools (Label Studio, Prodigy) because feedback is stored in the same system as traces; simpler than building custom feedback UIs because Phoenix provides built-in annotation interface

Provides APIs to export spans matching query criteria (e.g., all spans from the last 7 days, or spans with error status) into structured datasets (CSV, JSON, Parquet) for external analysis. Supports filtering, sampling, and transformation (e.g., extracting input/output pairs for fine-tuning datasets) during export.

Unique: Export directly from Phoenix traces without intermediate data warehouse, and supports transformation rules (e.g., extracting input/output pairs) for common fine-tuning dataset formats

vs alternatives: More integrated than manual trace export because filtering and transformation happen in Phoenix; more flexible than fixed-schema exports because users can define custom transformations

Implements authentication and authorization (Authentication & Authorization section in DeepWiki) supporting multiple user types (admin, viewer, editor) with fine-grained permissions on datasets, experiments, and traces. Integrates with OAuth2 or API key authentication for programmatic access, and supports RBAC policies for multi-tenant deployments.

Unique: RBAC integrated with Phoenix's GraphQL and REST APIs, allowing fine-grained control over which users can query, modify, or export traces and datasets without separate authorization layer

vs alternatives: More integrated than external authorization services (Auth0, Okta) because permissions are enforced at the API level; simpler than building custom RBAC because Phoenix provides built-in role definitions

Provides production-ready Kubernetes manifests (kustomize/ directory) and Helm charts for deploying Phoenix server, PostgreSQL, and supporting services as a scalable cluster. Includes configuration for resource limits, health checks, persistent volumes, and horizontal pod autoscaling based on trace ingestion rate.

Unique: Kubernetes manifests are version-controlled in the Phoenix repo and tested in CI/CD, ensuring deployment configurations stay in sync with server code; includes Kustomize overlays for dev/staging/prod environments

vs alternatives: More integrated than generic Kubernetes deployments because manifests are Phoenix-specific and tested; simpler than building custom Helm charts because charts are provided and maintained by Arize

The arize-phoenix-otel package provides auto-instrumentation decorators and context managers that wrap LLM calls (OpenAI, Anthropic, LlamaIndex, LangChain) and automatically emit spans with model name, token counts, latency, and error status. Uses Python's contextvars for automatic parent-child span linking without manual trace ID propagation.

Unique: Specialized auto-instrumentation for LLM APIs (not generic HTTP tracing) that extracts model names and token counts from API responses and embeds them as span attributes, enabling cost and performance analysis without custom parsing

vs alternatives: Simpler than manual OpenTelemetry instrumentation and more LLM-aware than generic Python auto-instrumentation libraries like opentelemetry-instrumentation-requests

The arize-phoenix-evals package provides a pluggable evaluation system that runs LLM-based judges (using OpenAI, Anthropic, or local models) to score span outputs against criteria (relevance, hallucination, toxicity). Supports custom Python evaluation functions, batch evaluation over datasets, and integration with experiment tracking for A/B testing LLM prompts or models.

Unique: Integrated LLM-as-judge evaluation tightly coupled with trace data (no separate evaluation dataset needed) and experiment tracking, allowing direct comparison of evaluation scores across different LLM models or prompts tested in production

vs alternatives: More integrated than standalone evaluation frameworks (Ragas, DeepEval) because evaluations run directly on Phoenix traces without data export; more flexible than rule-based metrics because judges can reason about semantic quality

Evaluates LLM safety across 7 distinct categories (offensiveness, unfairness, physical health, mental health, illegal activities, ethics, privacy) using 11,435 curated multiple-choice questions available in both Chinese and English. The benchmark constructs category-specific prompts, sends them to target models, extracts predicted answers from model responses, and compares against ground-truth labels (0->A, 1->B, 2->C, 3->D) to compute accuracy metrics per category and overall safety score.

Unique: Combines 11,435 questions across 7 safety categories with explicit Chinese-English parallel coverage and a filtered subset (test_zh_subset.json) for sensitive keyword handling, enabling systematic cross-lingual safety assessment. Uses category-stratified few-shot examples (5 per category) to support both zero-shot and five-shot evaluation paradigms within a single framework.

vs alternatives: Larger and more category-diverse than single-domain safety benchmarks (e.g., ToxiGen for toxicity only), and explicitly supports Chinese alongside English, addressing a gap in multilingual safety evaluation infrastructure.

Supports two distinct evaluation paradigms: zero-shot (questions presented directly without examples) and five-shot (5 category-specific examples provided before each test question). The framework conditionally constructs prompts using dev_en.json/dev_zh.json few-shot examples or omits them entirely, allowing researchers to measure how in-context learning affects safety performance. Prompt templates are language-aware and can be customized per model to improve answer extraction accuracy.

Unique: Provides curated few-shot examples stratified by safety category (5 per category) rather than random sampling, ensuring balanced representation of each harm type. Prompt templates are explicitly customizable per model (e.g., evaluate_baichuan.py shows Baichuan-specific extraction logic), acknowledging that different architectures require different prompting strategies.

vs alternatives: More systematic than ad-hoc few-shot selection; category-stratified examples ensure consistent coverage of all safety dimensions rather than potentially biased random sampling.

Manages parallel Chinese and English datasets (test_en.json, test_zh.json, dev_en.json, dev_zh.json) with a filtered Chinese subset (test_zh_subset.json, 300 questions per category) for sensitive keyword handling. Data acquisition uses Hugging Face hosting with dual download methods (shell script download_data.sh or Python download_data.py with datasets library). Each question maintains consistent structure (id, category, question, options, answer) across languages, enabling direct cross-lingual comparison of model safety performance.

Unique: Provides both full Chinese dataset (test_zh.json) and a filtered subset (test_zh_subset.json with 300 questions per category) explicitly designed to avoid sensitive keywords, addressing practical concerns about evaluating on content that may trigger platform policies. Dual download methods (shell script and Python) reduce friction for different user workflows.

vs alternatives: More comprehensive multilingual coverage than English-only benchmarks; filtered subset is a pragmatic addition for teams needing to evaluate without policy violations.

Computes accuracy metrics per safety category (offensiveness, unfairness, physical health, mental health, illegal activities, ethics, privacy) and aggregates to an overall safety score. Supports standardized leaderboard submission via JSON format (question_id -> predicted_answer). Metrics are computed by comparing predicted answers (extracted from model responses) against ground-truth labels, enabling fine-grained analysis of which safety dimensions a model excels or fails on. Results can be submitted to llmbench.ai/safety leaderboard for public comparison.

Unique: Stratifies metrics across 7 explicit safety categories rather than computing a single aggregate score, enabling fine-grained diagnosis of safety weaknesses. Leaderboard integration (llmbench.ai/safety) provides public benchmarking infrastructure, creating accountability and enabling direct model comparison.

vs alternatives: Category-level metrics provide more actionable insights than single-number safety scores; leaderboard integration drives standardization and reproducibility across the research community.

Implements a standardized evaluation pipeline (exemplified in evaluate_baichuan.py) that constructs prompts, sends them to a target model via API or local inference, extracts predicted answers from model responses using model-specific parsing logic, and validates extracted answers against expected format (0->A, 1->B, 2->C, 3->D). The pipeline handles model-specific response formats and can be customized per model architecture. Supports batch evaluation of all 11,435 questions with error handling and logging.

Unique: Provides a concrete, model-specific evaluation implementation (evaluate_baichuan.py) that can be forked and adapted, rather than just a dataset. Acknowledges that different models require different answer extraction logic and provides a template for customization. Supports both zero-shot and few-shot evaluation within the same pipeline.

vs alternatives: More practical than dataset-only benchmarks because it includes reference evaluation code; reduces barrier to entry for teams without evaluation infrastructure.

Defines a structured taxonomy of 7 safety categories (offensiveness, unfairness, physical health, mental health, illegal activities, ethics, privacy) and curates 11,435 diverse multiple-choice questions mapped to these categories. Each question is designed to test whether a model correctly handles or refuses harmful content within that category. The taxonomy is explicit and mutually exclusive, enabling fine-grained safety analysis. Questions are curated to be challenging and representative of real-world safety concerns.

Unique: Explicitly defines 7 non-overlapping safety categories and curates 11,435 questions to cover them systematically, providing a structured taxonomy rather than ad-hoc safety testing. The taxonomy is comprehensive enough to cover major harm types (physical, mental, legal, ethical, privacy) while remaining tractable for evaluation.

vs alternatives: More comprehensive and structured than single-category benchmarks (e.g., toxicity-only); provides a holistic safety assessment framework that aligns with regulatory and safety research perspectives.

Provides two download methods for SafetyBench datasets: shell script (download_data.sh) and Python script (download_data.py using Hugging Face datasets library). The architecture leverages Hugging Face Hub for dataset hosting and distribution, enabling one-command dataset acquisition with automatic decompression and directory structure creation. The Python method uses the datasets library for programmatic access, supporting integration into automated evaluation pipelines without manual file management.

Unique: Provides dual download methods (shell script and Python) leveraging Hugging Face Hub for distribution, enabling both manual and programmatic dataset acquisition with automatic decompression and directory structure creation.

vs alternatives: More convenient than manual downloads by providing automated acquisition scripts, and more reproducible than email-based dataset distribution by using Hugging Face Hub as a stable, versioned repository

Computes accuracy metrics stratified by safety category, enabling per-dimension performance analysis. The evaluation pipeline aggregates predictions across all questions in each category (offensiveness, unfairness, physical health, mental health, illegal activities, ethics, privacy) and computes category-specific accuracy scores. This architecture enables identification of category-specific vulnerabilities (e.g., a model may be robust on ethics but weak on physical health) without requiring separate evaluation runs.

Unique: Automatically stratifies accuracy metrics by safety category, enabling fine-grained vulnerability analysis without requiring separate evaluation runs. Provides per-category scores that reveal category-specific weaknesses.

vs alternatives: More diagnostic than aggregate safety scores by breaking down performance by harm category, enabling targeted safety improvements rather than black-box optimization