Stillvale Flight Sciences

Run-time assurance and what it actually buys you

autonomy · February 2026

Run-time-assurance architectures get used as if they were a get-out-of-verification card. They are not. A monitor-and-revert design supports a real assurance argument when the four conditions below are jointly satisfied; we have found very few customer designs that satisfy all four on first review.

First, the monitor must be independent. If the monitor is built on the same software stack, runs in the same partition, and shares modes with the controller it is monitoring, then a class of failures in the controller is also a class of failures in the monitor: the failure is common-mode, it takes both down together, and the revert never fires. Independence is structural; "we wrote it carefully" is not an argument.

Second, the safe-revert action must remain safe over the entire envelope the controller could leave the system in at the moment of revert. If the controller can drive the platform into a corner of the envelope from which the revert action is itself unsafe, the monitor's intervention is not actually safe. This requires a reachable-set analysis on the controller, and the set has to include where the state travels during the revert's own latency, because the state when the revert takes effect is not the state when the monitor fired; informal arguments are not sufficient.

Third, the revert must be timely with respect to the dynamics of the system. The figure that matters is the whole chain, from the monitor detecting the excursion through switch-over to the actuators and the plant actually responding. A revert that requires 1.5 seconds to take effect on a system whose unsafe excursion takes 800 milliseconds to develop is not a revert. The timing argument has to be made against the worst-case rather than the typical-case dynamics, and against the worst-case rather than the measured-average revert latency.

Fourth, the monitor must be testable independently of the controller. If the only way to validate the monitor is to run the controller and observe that the monitor fires when expected, then the validation is conditional on the controller behavior the monitor is supposed to be independent of. Monitors should have their own test campaigns, driven by controller-output fault injection and by synthesized state trajectories the real controller never produced, including trajectories that sit right at the trigger boundary.
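To make the second and third conditions concrete, here is an added worked example; it is not code from the note or from Stillvale Flight Sciences. The plant, the numbers and every name in it (Plant, x_max, a_max, v_max, the latencies, the sample period) are constructed for the example: a 1-D double integrator moving toward a hard position limit, a controller that can command any acceleration up to a_max, and a revert that is full braking. The example folds the revert latency into the recoverable-set computation, derives the monitor's trigger boundary in closed form, and then sweeps the declared envelope under an adversarial controller to confirm that every state the monitor admits still reverts inside the limit. Because the sweep drives the monitor with synthesized states rather than with the real controller, it is also the shape of the controller-independent campaign the fourth condition asks for.

```python
"""Latency-aware revert-safety check for a monitor-and-revert design.

Constructed toy model (an assumption for this example, not a real platform):
  * plant: 1-D double integrator, state (x, v); x is measured toward a hard
    limit x_max, and the declared operating envelope has v >= 0
  * primary controller: may command any acceleration in [-a_max, +a_max]
  * revert action: full braking at -a_max until v == 0
  * revert latency: detection + switch-over + actuator response; during that
    window the worst case is that the controller keeps commanding +a_max
  * monitor: samples the state every dt seconds
"""
from dataclasses import dataclass
import math


@dataclass(frozen=True)
class Plant:
    x_max: float   # hard position limit the revert must never let the platform cross
    a_max: float   # actuation limit, |a| <= a_max
    v_max: float   # upper edge of the controller's declared operating envelope


def advance_worst_case(x, v, plant, t):
    """State after t seconds if the controller pushes toward the limit at +a_max."""
    return x + v * t + 0.5 * plant.a_max * t * t, v + plant.a_max * t


def worst_case_stop_position(x, v, plant, latency):
    """Rest position if the revert is commanded at (x, v): the platform keeps
    accelerating through the latency window, then brakes at -a_max to rest."""
    x_l, v_l = advance_worst_case(x, v, plant, latency)
    return x_l + v_l * v_l / (2.0 * plant.a_max)


def revert_is_safe(x, v, plant, latency):
    """Condition 2 at one state: the revert, commanded now, stops short of x_max."""
    return worst_case_stop_position(x, v, plant, latency) <= plant.x_max


def monitor_should_fire(x, v, plant, latency, dt):
    """Monitor rule with one-sample lookahead: fire if one more sample period of
    worst-case controller action would reach a state the revert cannot recover.
    Waiting until the state is already unrecoverable is one sample too late."""
    x1, v1 = advance_worst_case(x, v, plant, dt)
    return not revert_is_safe(x1, v1, plant, latency)


def max_safe_velocity(x, plant, latency):
    """Edge of the recoverable set at position x.  worst_case_stop_position
    expands to x + 2vL + aL^2 + v^2/(2a); equating it to x_max and solving the
    quadratic for v gives the positive root below.  A negative result means the
    revert is unsafe at x even from rest."""
    a, L = plant.a_max, latency
    disc = max(0.0, 2.0 * a * a * L * L + 2.0 * a * (plant.x_max - x))
    return -2.0 * a * L + math.sqrt(disc)


def simulate_worst_case(x0, v0, plant, latency, dt, sim_dt=0.002):
    """Closed-loop run from (x0, v0): adversarial controller at +a_max, monitor
    sampling every dt, revert biting after `latency`, then braking to rest.
    Trapezoid integration is exact for piecewise-constant acceleration.
    Returns the peak position; the revert was safe iff peak <= x_max."""
    steps_per_sample = max(1, round(dt / sim_dt))
    latency_steps = round(latency / sim_dt)
    x, v, peak, fired_at, k = x0, v0, x0, None, 0
    while True:
        if fired_at is None and k % steps_per_sample == 0:
            if monitor_should_fire(x, v, plant, latency, dt):
                fired_at = k
        braking = fired_at is not None and k >= fired_at + latency_steps
        if braking and v <= 0.0:
            return peak
        a = -plant.a_max if braking else plant.a_max
        v_next = v + a * sim_dt
        if v_next < 0.0:   # final partial braking step: close out the stop exactly
            return max(peak, x + v * v / (2.0 * plant.a_max))
        x += 0.5 * (v + v_next) * sim_dt
        v, k = v_next, k + 1
        peak = max(peak, x)


def envelope_report(plant, latency, dt, nx=21, nv=21):
    """Grid sweep of the declared envelope.  Returns (usable, worst_peak):
    usable     = share of envelope states the monitor leaves to the controller;
                 near zero means the revert is too slow for the dynamics (cond. 3)
    worst_peak = highest position reached from any admitted state under the
                 worst-case controller (None if nothing was admitted); conditions
                 2 and 3 hold on this grid only if it is <= x_max."""
    admitted, peaks = 0, []
    for i in range(nx):
        x = plant.x_max * i / (nx - 1)
        for j in range(nv):
            v = plant.v_max * j / (nv - 1)
            if monitor_should_fire(x, v, plant, latency, dt):
                continue
            admitted += 1
            peaks.append(simulate_worst_case(x, v, plant, latency, dt))
    return admitted / (nx * nv), (max(peaks) if peaks else None)


if __name__ == "__main__":
    plant = Plant(x_max=10.0, a_max=5.0, v_max=5.0)   # constructed numbers
    for latency in (0.1, 1.5):
        usable, worst = envelope_report(plant, latency, dt=0.05)
        print(f"latency {latency}s: usable envelope {usable:.0%}, worst peak {worst}, "
              f"max safe v at x=0 is {max_safe_velocity(0.0, plant, latency):.2f}")
```

With the constructed numbers, a 0.1 s revert latency leaves most of the envelope to the controller and every admitted state stops inside x_max under the adversarial controller. At 1.5 s the platform travels more than the whole 10 m envelope during the latency window even from rest, so max_safe_velocity is negative at x = 0, the monitor fires at every grid point, and the "revert" is the degenerate case the note describes: nothing the controller could be allowed to do is recoverable. The same computation is what has to be repeated with the real plant's worst-case dynamics and the measured worst-case latency chain, not the toy kinematics here.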

When all four conditions are met, run-time assurance buys you real coverage of a class of controller failures that would be cost-prohibitive to verify directly. When any condition is not met, the assurance argument is structurally weak and the airworthiness authority will say so.