Skip to main content

Challenges of Using Artificial Intelligence in Safety-Critical Systems

Artificial Intelligence (AI) has transformed the world of technology, enabling systems to learn, adapt, and make decisions without explicit programming. From autonomous vehicles to medical diagnostics and flight control systems, AI promises unprecedented efficiency and capability. However, when it comes to safety-critical systems—where failure could result in injury, loss of life, or significant damage—the use of AI introduces profound challenges that go far beyond traditional software engineering. Unlike conventional software, which behaves predictably according to its programmed logic, AI is built on learning and training. Its decisions and outputs depend heavily on the data it has been trained on and the patterns it recognizes during runtime. This adaptive, data-driven behavior means that an AI system’s responses may vary with changing inputs or environments, often in ways that are not explicitly defined or foreseen by developers. While this flexibility is a strength in many applica...
Post a Comment

Independence in Verification and Testing: Why It Matters in Safety-Critical Systems

Independence in Verification and Testing: Why It Matters in Safety-Critical Systems

When it comes to safety-critical systems—such as those in avionics, automotive, rail, defense, and medical domains—software cannot afford to fail silently. A single unchecked defect can have catastrophic consequences. That’s why independent verification and testing (IV&V) is not just a best practice; it’s a mandatory requirement under most international safety standards.

What “Independence” Really Means

In simple terms, independence refers to separation of responsibility between those who develop a product and those who verify or validate it. The goal is to eliminate developer bias—the natural tendency to interpret one’s own work too optimistically.

An independent verifier or tester reviews the system objectively, ensuring that the product meets requirements, is free from unintended behavior, and complies with safety standards.

What the Standards Require

Several major safety standards explicitly define levels of independence and their required rigor based on system criticality:

1. DO-178C (Avionics Software)

The DO-178C standard defines five software levels (A through E) based on the severity of potential failure conditions, ranging from catastrophic (Level A) to no effect (Level E). As the level of criticality increases, the required degree of independence in verification activities also increases. For Level A software—where a failure could lead to catastrophic consequences—verification must be conducted by personnel who are independent of those who developed the software. Independence is specifically required in requirements reviews, design reviews, code reviews, test case development and execution, and in the verification of verification tools (if such tools are used). This structured independence ensures unbiased verification and strengthens the integrity of the safety assurance process.

2. ISO 26262 (Automotive)

In the automotive domain, ISO 26262 defines Automotive Safety Integrity Levels (ASIL A through D), where ASIL D represents the highest level of safety criticality. As with DO-178C, the standard requires greater independence at higher safety levels. For ASIL C and D, independent confirmation reviews must be conducted on the safety lifecycle, verification results, and safety analyses. ISO 26262 emphasizes the separation between the individuals or teams performing development and those conducting confirmation reviews, ensuring that safety evidence is objectively assessed without bias.

3. IEC 61508 (Industrial Functional Safety)

IEC 61508 introduces the broader framework of Functional Safety Management and places significant importance on independent assessment. Independence requirements increase with the Safety Integrity Level (SIL), which ranges from SIL 1 (lowest) to SIL 4 (highest). For higher SILs, the standard mandates that an independent Functional Safety Assessment (FSA) be carried out to verify that all safety lifecycle processes comply with the standard. This approach ensures that functional safety is not only implemented but also independently validated through systematic oversight.

4. EN 50128 (Railway Software)

In the railway industry, EN 50128 defines Software Safety Integrity Levels (SSIL 0 through 4), with higher levels corresponding to greater criticality. The standard specifies progressively increasing independence in verification activities as SSIL increases. For SSIL 3 and SSIL 4—where software failures could have severe or catastrophic outcomes—verification and validation must be performed by individuals or teams independent from those responsible for software development. This ensures that potential design or implementation flaws are detected and addressed without developer influence, maintaining the highest levels of safety assurance in railway control systems.

Why Independence Is So Important

Even the best engineers can overlook issues in their own designs. This isn’t due to carelessness—it’s a human factor. When you build something, your brain automatically fills in gaps, assuming intent matches outcome. Independent verification brings a fresh, unbiased perspective. The key reasons for independence include:

  • Objectivity: Independent teams challenge assumptions and test what the developer might subconsciously ignore.

  • Compliance: It ensures the system meets all requirements and safety objectives, as mandated by regulatory authorities.

  • Traceability: Independent reviewers verify that every requirement is implemented, tested, and traced correctly.

  • Defect detection: Early and independent reviews uncover hidden logic flaws, timing issues, and safety hazards before they escalate.

  • Credibility: Certification bodies and authorities rely on independently verified evidence for approval.

What’s Expected in Independent Verification

An independent verification and validation (IV&V) team typically performs the following:

  • Review of system and software requirements for completeness, consistency, and testability.

  • Evaluation of design and architecture to ensure safety principles (redundancy, partitioning, fail-safe behavior) are correctly implemented.

  • Independent code reviews for compliance with coding standards (e.g., MISRA C/C++).

  • Independent testing at component, integration, and system levels, ensuring coverage of all safety requirements.

  • Verification of verification tools and test results, ensuring test evidence is valid, reproducible, and traceable.

  • Audit and reporting to confirm that all required verification objectives (as per the applicable standard) have been met independently.

Benefits of Independent Verification & Testing

  1. Increased Confidence in Safety: Independent verification builds strong evidence that the system performs safely under all conditions.

  2. Improved Product Quality: Independent reviewers often detect subtle logic, interface, and timing issues missed by the development team.

  3. Regulatory Compliance: It satisfies certification and audit requirements from authorities like FAA, EASA, or TÜV.

  4. Early Defect Detection: Independent reviews during early stages (requirements, design) prevent costly rework later.

  5. Risk Reduction: Independence enhances safety assurance and reduces residual risk.

  6. Cultural Benefits: It promotes transparency, accountability, and continuous improvement in engineering teams.

Can AI or Automated Tools Replace Independence?

Automation and artificial intelligence (AI) are transforming software verification, but in safety-critical domains, they can support — not replace — independent verification. While AI can dramatically enhance efficiency, reduce human error, and improve consistency, it still lacks the human judgment, accountability, and contextual understanding required for certification-level assurance.

AI tools excel at automating static code analysis, performing compliance checks (such as MISRA C/C++ or coding standard conformance), generating test cases, and monitoring code coverage. They can also assist in requirements traceability, impact analysis, and defect prediction through pattern recognition and data-driven insights. These capabilities make AI a powerful assistant in the verification process.

However, there are clear limitations to what AI can achieve on its own. AI cannot yet exercise the judgment needed to evaluate system-level correctness, design intent, or trade-offs between safety, performance, and maintainability. It also cannot assume accountable independence, as certification authorities require human oversight and documented accountability for every verification activity. Furthermore, AI models can inherit bias from their training data or configuration, which undermines the reliability of their conclusions. Finally, no AI system can independently make safety-critical decisions or formally sign off on certification compliance.

In essence, AI is an enabler—not a substitute—for independent verification. The future of verification in safety-critical systems likely lies in a hybrid IV&V (Independent Verification and Validation) model, where human experts oversee and validate results produced by intelligent automation tools. This approach combines human judgment with the efficiency and analytical power of AI.

Qualified Tools as Independent Verifiers Under DO-178C

While DO-178C mandates that verification activities be performed independently of software development, it also recognizes the role of qualified tools in supporting or automating verification tasks. When properly qualified, such tools can perform verification functions independently of the human developers who wrote the code.

According to Section 12 of DO-178C and its companion document DO-330 (Software Tool Qualification Considerations), a tool may automate or replace verification activities if it can be demonstrated to:

  • Perform its intended function correctly and consistently, and
  • Provide the same level of assurance as an independent human verifier.

When these conditions are met, the tool is categorized as a Verification Tool and may be accepted as independent from development—even if it was created or configured by the same organization. This is possible because the assurance evidence provided through qualification effectively substitutes for human independence.

Tool Qualification Levels (TQLs)

Under DO-330, tools are assigned a Tool Qualification Level (TQL) based on the potential consequences of a tool malfunction leading to undetected errors in the airborne software. Verification tools typically fall under TQL-4 or TQL-5, as their malfunction could result in undetected verification errors but not directly modify airborne software. In contrast, TQL-1 or TQL-2 apply to development tools that can generate or alter executable code.

For a verification tool to be accepted as an independent verifier, its qualification data package must include detailed requirements, validation evidence, test results, and operational context showing that:

  • The tool cannot introduce or mask verification errors.
  • Its outputs are objective, consistent, and repeatable.
  • It operates within a controlled environment with full configuration traceability.

This rigorous qualification process ensures that tool-based verification is reliable, reproducible, and certifiable.

Practical Examples

Qualified verification tools play a vital role in modern airborne software development. Examples include static analysis tools for rule compliance or data coupling analysis, requirements traceability analyzers, code coverage analyzers, and automated test execution frameworks. For instance, a qualified tool that checks source code against MISRA or DO-178C coding objectives can perform automated, repeatable, and unbiased verification—removing human subjectivity while maintaining independence.

These tools reduce manual effort and improve verification efficiency, but they operate within the boundaries defined by qualification evidence and still require human validation and oversight.

The Human Factor: Oversight and Accountability

It’s essential to understand that tool qualification does not eliminate human oversight. Even when a qualified tool performs verification independently, the final responsibility for verification integrity rests with human reviewers. Certification authorities expect human experts to review, approve, and formally account for all verification results as part of the project’s certification data.

In other words, a qualified tool can perform independent verification tasks, but it cannot replace the role or responsibility of the independent verification authority. Human judgment, ethical accountability, and contextual understanding remain irreplaceable components of certification in safety-critical software systems.

Conclusion

Independent verification and testing is the safety net of safety-critical engineering. It ensures that no assumption goes unchallenged, no defect goes unnoticed, and no safety requirement is left unverified. Standards across industries all converge on the same principle: those who build must not be the sole judges of correctness.

As AI and automation evolve, they can greatly enhance efficiency and coverage—but true independence still requires human oversight, accountability, and ethical judgment. In the world of safety-critical systems, independence isn’t just a compliance checkbox—it’s what keeps lives safe.
Labels:

Comments

Post a Comment