Guest Article: This article is contributed by RMAI, a member of the R&M Safety Partner Ecosystem. The content reflects RMAI’s own methodologies and perspectives.

Certifying AI in Functional Safety: From Standards Gaps to Adversarial Validation

Artificial intelligence and machine learning (AI/ML) are increasingly being integrated into safety-related systems, promising improved perception, adaptability, and performance. However, these benefits come with a fundamental challenge: traditional functional safety frameworks were not designed for probabilistic systems.

RMAI has developed a practical, standards-aligned path for certifying AI in functional safety applications. This article explores the technical challenges AI introduces, the limitations of existing standards, and a structured assessment approach based on a double V-model aligned with ISO/IEC TS 22440. It then introduces a novel AIML verification and validation (V&V) strategy called adversarial testing, designed to generate credible safety evidence where traditional testing falls short.

The Technical Challenge of AI in Functional Safety

Conventional functional safety standards such as IEC 61508 and ISO 13849 assume deterministic behavior, complete specification, and direct traceability from requirements to implementation. These assumptions hold for traditional software and hardware systems but break down when applied to AI/ML components.

AI systems introduce several fundamental challenges:

  • Non‑deterministic behavior driven by training data rather than fixed logic
  • Opacity, where internal decision‑making is difficult or impossible to fully explain
  • Data dependence, meaning performance can change with shifts in operational context
  • Infeasible exhaustive testing due to high‑dimensional input spaces

Historically, these challenges led safety standards to prohibit the use of AI/ML in safety functions altogether. While emerging guidance now provides a path forward, AI cannot be assessed in isolation. Any AI safety function must still be evaluated in combination with a recognized Type A functional safety standard to ensure system-level safety integrity is maintained.

A Double V‑Model Assessment Aligned with ISO/IEC TS 22440

To address these challenges without discarding decades of functional safety best practice, RMAI uses a double V-model assessment approach. This structure preserves the familiar safety lifecycle while explicitly incorporating AI-specific activities.

On the left side of the V‑model, AI‑focused artifacts are developed alongside traditional safety deliverables:

  • AI system risk assessment
  • AI requirements definition and classification
  • AI‑specific safety, verification, and validation planning
  • AI realization planning and architectural design

These activities align with the intent of ISO/IEC TS 22440, which addresses AI lifecycle processes, while remaining compatible with system-level requirements defined by IEC 61508 or similar standards.

On the right side of the V-model, these artifacts are verified and validated through AI-specific testing, analysis, and safety cases. The result is a cohesive assessment framework in which AI components integrate seamlessly into an overall functional safety certification strategy.

Satisfying the Right Side of the V‑Model with AIML V&V

Traditional verification techniques such as code coverage or requirements-based test enumeration are insufficient for AI systems. AIML V&V requires a fundamentally different approach to evidence generation. RMAI uses adversarial testing and response surface methodology, supported by statistical reasoning and structured experimental design.

Starting with the Null Hypothesis

Verification begins with a null hypothesis: the AI safety function does not satisfy its safety requirements within its defined operational domain. Rather than assuming correctness, the testing strategy is designed to challenge this hypothesis. Only when sufficient evidence exists to reject it can confidence in the AI system’s safety performance be justified.

This aligns naturally with safety engineering principles, where confidence is built through attempted falsification rather than optimistic assumption.
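
One way to make the rejection criterion concrete, as an added example that is not RMAI's own method or code. It assumes the safety requirement is expressed as a maximum unsafe-response probability p_max per trial, that trials are independent draws from the operational domain, and a significance level of 0.05; all function names are hypothetical.

```python
import math

# Assumptions (not from the article): requirement = unsafe-response probability
# below p_max; trials are independent; alpha = 0.05 unless stated otherwise.

def binom_cdf(k, n, p):
    """P[X <= k] for X ~ Binomial(n, p)."""
    return sum(math.comb(n, i) * p**i * (1 - p)**(n - i) for i in range(k + 1))

def upper_bound(failures, trials, alpha=0.05):
    """One-sided Clopper-Pearson upper bound on the unsafe-response probability."""
    if failures >= trials:
        return 1.0
    lo, hi = 0.0, 1.0
    for _ in range(60):  # bisection: the CDF is decreasing in p
        mid = (lo + hi) / 2
        if binom_cdf(failures, trials, mid) > alpha:
            lo = mid  # mid is still plausible, so the bound lies above it
        else:
            hi = mid
    return hi

def min_trials_zero_failures(p_max, alpha=0.05):
    """Smallest failure-free campaign that can reject H0: p >= p_max."""
    return math.ceil(math.log(alpha) / math.log(1 - p_max))

def reject_null(failures, trials, p_max, alpha=0.05):
    """Reject 'requirement not met' only if the upper bound is below p_max."""
    return upper_bound(failures, trials, alpha) < p_max
```

A single unsafe response in the same campaign pushes the bound back above p_max, which is why the null hypothesis stays in force until the trial count grows to compensate.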

What Adversarial Testing Means in AI Safety

Adversarial testing goes beyond validating AI under expected conditions. It deliberately seeks out conditions that are most likely to cause failure.

In a functional safety context, adversarial testing:

  • Actively attempts to provoke unsafe behavior
  • Explores worst‑case and rare scenarios
  • Generates evidence about system robustness, not just average performance

Adversarial testing is particularly well suited to the right side of the V-model, where the goal is to demonstrate that safety requirements are met in practice, even under challenging conditions.

Applying Response Surface Methodology

AI behavior depends on many interacting variables, so testing must be both systematic and efficient. Response Surface Methodology (RSM) is an established statistical technique that maps the relationship between input variables and response variables, widely used in industrial applications to analyze and optimize performance. Applied to AI, RSM maps system outputs to variations in inputs, environmental factors, and internal parameters.

RSM enables testers to:

  • Identify sensitive regions where performance degrades
  • Focus testing on boundary and corner cases rather than nominal conditions
  • Build an empirical understanding of system behavior across the operational design domain

The result is a shift from discrete test cases to a structured exploration of system behavior.

Congruence Testing for Verification of Results

The final step is congruence testing, which verifies virtual adversarial testing using physical testing of the worst-case scenarios identified through RSM. When results are congruent, confidence in the virtual testing is strengthened. When they diverge, the discrepancies become critical safety insights, prompting further analysis or design refinement.
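
The RSM and congruence steps described above, as an added example that is not RMAI's tooling. It fits a second-order response surface to constructed, noise-free virtual results over two coded factors (assumed here to be glare and occlusion for a hypothetical detection model), locates the worst case, and checks a physical measurement against the prediction with an assumed tolerance.

```python
import itertools

def features(x1, x2):
    """Terms of a second-order response-surface model in two coded factors."""
    return [1.0, x1, x2, x1 * x1, x2 * x2, x1 * x2]

def solve(a, b):
    """Gauss-Jordan elimination with partial pivoting for a small dense system."""
    n = len(b)
    m = [row[:] + [rhs] for row, rhs in zip(a, b)]
    for c in range(n):
        p = max(range(c, n), key=lambda r: abs(m[r][c]))
        m[c], m[p] = m[p], m[c]
        for r in range(n):
            if r != c:
                f = m[r][c] / m[c][c]
                m[r] = [u - f * v for u, v in zip(m[r], m[c])]
    return [m[i][n] / m[i][i] for i in range(n)]

def fit_surface(points, responses):
    """Least-squares fit via the normal equations (X^T X) beta = X^T y."""
    X = [features(*p) for p in points]
    k = len(X[0])
    xtx = [[sum(r[i] * r[j] for r in X) for j in range(k)] for i in range(k)]
    xty = [sum(r[i] * y for r, y in zip(X, responses)) for i in range(k)]
    return solve(xtx, xty)

def predict(beta, x1, x2):
    return sum(b * f for b, f in zip(beta, features(x1, x2)))

def worst_case(beta, steps=21):
    """Grid-search the coded domain [-1, 1]^2 for the lowest predicted score."""
    axis = [-1 + 2 * i / (steps - 1) for i in range(steps)]
    return min(itertools.product(axis, axis), key=lambda p: predict(beta, *p))

def congruent(beta, point, physical, tol=0.05):
    """True when the physical result matches the virtual prediction within tol."""
    return abs(predict(beta, *point) - physical) <= tol

# Constructed virtual results on a 3x3 face-centred design (coded units).
DESIGN = list(itertools.product([-1.0, 0.0, 1.0], repeat=2))
SCORES = [0.90 - 0.10*a - 0.15*b - 0.05*a*a - 0.05*b*b - 0.10*a*b
          for a, b in DESIGN]
BETA = fit_surface(DESIGN, SCORES)
WORST = worst_case(BETA)  # scenario to reproduce on the physical test rig
```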

Conclusion: A Practical Path Forward for AI Safety Certification

AI does not invalidate functional safety principles, but it does require new ways of generating and evaluating evidence. By combining ISO/IEC TS 22440-aligned AI deliverables, a double V-model assessment structure, and adversarial testing-driven AIML verification, it is possible to create a credible, defensible certification pathway for AI-enabled safety systems.

If you are integrating AI/ML into safety functions and need a practical certification strategy today, engage with RMAI to explore how this approach can support your innovation without compromising safety.

Author

Anita Dodia
Laboratory Manager, RMAI
Chicago, Illinois
anita@safetycert.ai