Why safety-critical programs struggle with verification

Verification problems in safety-critical programs are often invisible until a program is deep into integration — or facing a formal review. Coverage looks adequate until a structural analysis reveals it is not. Test cases pass but do not demonstrate requirements compliance. Evidence exists but is not organized in a form that a DER stage review, a notified body inspection, or a functional safety assessment can examine without the team's assistance. The work was done; the record does not show it convincingly.

SafeCode Consulting strengthens verification and assurance through targeted analysis, audit support, and evidence-oriented technical work. When conventional testing strategies leave uncertainty — about coverage, completeness, or certifiability — SafeCode provides the technical depth to close the gap.

What adequate verification evidence actually looks like

Verification in a safety-critical context is not merely testing to find bugs. It is the production of objective evidence that software correctly implements its requirements, that no unintended behavior has been introduced, and that the evidence is sufficient to satisfy a reviewer who was not present when the work was done. The gap between "we tested it thoroughly" and "we can demonstrate adequate coverage to a formal reviewer" is where most programs encounter their most expensive late surprises.

Adequate verification evidence includes requirements-based test cases that map unambiguously to requirements, test procedures and results that can be reproduced, structural coverage data at the level required by the applicable assurance level — whether a DO-178C DAL, an IEC 62304 software safety class, or an IEC 61508 SIL — and a verification record that a reviewer can navigate without the team present.

Verification and assurance services

  • Verification strategy development — Designing a verification approach that satisfies the applicable standard and assurance level before coverage gaps accumulate — requirements-based testing, structural coverage planning, and review and analysis methods appropriate to the domain.
  • Test case and procedure development — Writing requirements-based test cases and formal test procedures that produce defensible evidence traceable to requirements under DO-178C, IEC 62304, or IEC 61508.
  • Structural coverage analysis — Planning and supporting structural coverage objectives appropriate to the applicable assurance level — statement and decision coverage for lower levels, MC/DC for DO-178C DAL A and DAL B, and equivalent rigor for high-SIL IEC 61508 programs.
  • Coverage gap assessment — Identifying where current testing does not satisfy structural coverage requirements and recommending targeted remediation that closes the gap with genuine evidence.
  • Review and analysis methods — Design reviews, code reviews, and analysis techniques that complement dynamic testing as required by the applicable standard.
  • Audit support — Pre-audit preparation, artifact gap remediation, and direct participation in DER stage reviews, customer technical audits, FDA inspections, notified body audits, and functional safety assessments.
  • Verification evidence assessment — Evaluating an existing verification record for completeness, accuracy, and review readiness before a critical milestone.

Standards context

  • DO-178C — Requirements-based testing, structural coverage through MC/DC for DAL A, independence requirements, and Software Verification Report.
  • IEC 62304 — Software verification activities, problem resolution, regression testing, and change management documentation for medical device software — including preparation for FDA inspections and notified body audits.
  • IEC 61508 — Verification and validation methods appropriate to SIL, static analysis, and formal methods where applicable — including preparation for independent functional safety assessment.

Common questions

What is structural coverage analysis and why does it matter across standards? Structural coverage measures whether testing has exercised the software's code structure sufficiently to detect unintended behavior. The required level of coverage varies by standard and assurance level: DO-178C Level A requires Modified Condition/Decision Coverage (MC/DC), where every condition in every decision must independently affect the decision outcome; IEC 61508 SIL 3 and above requires equivalent rigor through dynamic analysis and structural coverage techniques; IEC 62304 Class C requires verification that is commensurate with the risk. In all cases, incomplete structural coverage is one of the most common and most expensive certification gaps to close late.

What is the difference between requirements-based testing and structural coverage? Requirements-based testing asks: does the software do what the requirements say? Structural coverage asks: have tests exercised the code structure sufficiently to detect unintended behavior? DO-178C requires both explicitly. IEC 62304 and IEC 61508 require the equivalent in domain-appropriate terms. A program that has one without the other has an incomplete verification record regardless of how many tests passed.

Can SafeCode support a verification effort that is behind schedule or under coverage pressure? Yes. SafeCode can join verification efforts under schedule or coverage pressure — assessing the current state, identifying the highest-priority gaps, and providing targeted technical support to close them with genuine, defensible evidence. Adding test cases that mechanically improve coverage numbers without addressing the underlying gap is not an approach SafeCode takes.

What does audit support look like across different regulatory contexts? The preparation approach is consistent regardless of the reviewing body: identify likely findings before the reviewer does, remediate artifact gaps, and participate directly for technical clarification. The specific reviewer varies — a DER and FAA for DO-178C programs, an FDA inspector or notified body auditor for IEC 62304 programs, and an independent functional safety assessor for IEC 61508 programs. SafeCode's audit support is calibrated to the reviewing body the program is facing.

How does verification depend on requirements quality? Directly and completely. A test case can only be written as precisely as the requirement it tests. A non-verifiable requirement — one that does not specify observable, measurable behavior — cannot be tested in a way that produces defensible evidence under any standard. Verification problems that appear to be test coverage problems are frequently requirements problems in disguise. See Requirements engineering services for how SafeCode addresses the upstream cause.

Contact SafeCode Consulting to discuss your verification and assurance needs.