5.1: SUP.1 Quality Assurance


Process Definition

Purpose

SUP.1 Purpose: To provide independent and objective assurance that work products and processes comply with defined criteria and that non-conformances are resolved and further prevented.

Why QA Matters in AI-Assisted Development: When AI tools generate or modify work products, the traditional assumption that a human author has verified compliance no longer holds by default. Quality assurance must explicitly verify that AI-generated outputs meet the same standards as human-authored ones, and that the AI tools themselves are used within their qualified boundaries.

Outcomes

| Outcome | Description | AI Relevance |
|---|---|---|
| O1 | Quality assurance is performed independently and objectively without conflicts of interest | AI tools can augment independence by providing automated, bias-free checks, but must not replace the organizational independence requirement |
| O2 | Criteria for the quality of work products and process performance are defined | Criteria must explicitly address AI-generated content, including provenance tracking, confidence thresholds, and hallucination detection |
| O3 | Conformance of work products and process performance with the defined criteria and targets is verified, documented and communicated to the relevant parties | AI enables continuous verification rather than periodic audits, surfacing deviations earlier in the lifecycle |
| O4 | Non-conformances are tracked, resolved, and further prevented | AI pattern analysis across projects identifies systemic issues and predicts future non-conformances |
| O5 | Non-conformances are escalated to appropriate levels of management | Automated escalation workflows triggered by severity thresholds and aging timers |
| O6 | Management ensures that escalated non-conformances are resolved | Dashboard visibility and AI-generated resolution recommendations accelerate management response |

Base Practices with AI Integration

AI Integration Levels: L1 = AI-assisted (templates, suggestions); L2 = AI-augmented (automated checking, human confirms); L3 = AI-automated (autonomous execution with human oversight).

| BP | Base Practice | Description | AI Level | AI Application | Human Responsibility |
|---|---|---|---|---|---|
| BP1 | Ensure independence of quality assurance | QA function must be organizationally independent from development | L1 | Independence verification through organizational chart analysis and conflict-of-interest detection | Define QA organizational structure; approve independence arrangements |
| BP2 | Define criteria for quality assurance | Establish measurable criteria for work products and processes | L1 | Criteria templates derived from ASPICE base practices, project standards, and historical quality data | Review and approve criteria; tailor to project-specific needs |
| BP3 | Assure quality of work products | Verify work products against defined criteria | L2 | Automated completeness, consistency, and compliance checking; AI-driven quality scoring of documents, code, and test artifacts | Validate AI findings; resolve ambiguous cases; sign off on quality status |
| BP4 | Assure quality of process activities | Verify process execution against defined processes | L2 | Process adherence monitoring via CI/CD pipeline analysis, workflow log mining, and milestone tracking | Interpret deviations in context; approve process waivers; confirm audit findings |
| BP5 | Summarize and communicate QA activities and results | Report QA status to stakeholders | L2 | Automated report generation with trend analysis, executive summaries, and actionable recommendations | Review reports for accuracy; present findings to stakeholders; contextualize results |
| BP6 | Ensure resolution of non-conformances | Track corrective actions to closure | L2 | Status monitoring, aging alerts, resolution effectiveness tracking, and recurrence prediction | Approve corrective actions; verify closure evidence; accept residual risk |
| BP7 | Escalate non-conformances | Escalate unresolved issues to management | L1 | Automated escalation notifications based on severity, age, and resolution deadline thresholds | Define escalation criteria; make escalation decisions for ambiguous cases; ensure management engagement |

AI-Powered Quality Assurance

Principle: AI transforms QA from periodic, sample-based auditing to continuous, comprehensive monitoring. However, the QA engineer retains authority over all compliance decisions and finding classifications.

Automated Compliance Checking Against Standards

AI-powered compliance checking continuously verifies work products and processes against applicable standards, project plans, and regulatory requirements.

| Compliance Area | What AI Checks | Standards Referenced | Automation Approach |
|---|---|---|---|
| Requirements quality | Completeness, testability, ambiguity, uniqueness | ASPICE SWE.1 BP3-BP6; ISO 26262-8 Clause 6 | NLP analysis of requirement text against quality rules; cross-reference with verification criteria |
| Design documentation | Architectural completeness, interface consistency, traceability | ASPICE SWE.2 BP1-BP5 | Structural analysis of design documents; automated traceability matrix validation |
| Code compliance | Coding standard adherence, MISRA violations, complexity metrics | MISRA C:2012; CERT C; project coding standards | Static analysis integration (SonarQube, Axivion); rule-based compliance scoring |
| Test coverage | Structural coverage, requirement coverage, boundary analysis | ASPICE SWE.4 BP4; ISO 26262-6 Table 12 | Coverage tool integration; gap identification and test case suggestions |
| Process compliance | Milestone gate criteria, review records, approval evidence | ASPICE SUP.1 BP3-BP4; project QA plan | Workflow log analysis; artifact existence and completeness verification |
| Traceability | Bidirectional links between requirements, design, code, tests | ASPICE SUP.1 BP3; ISO 26262-8 Clause 6.4.2 | Automated gap detection in traceability matrices; orphan and suspect link identification |

# Automated compliance check configuration (illustrative example)
compliance_check:
  name: "ASPICE SWE.1 Requirements Compliance"
  schedule: "on_commit"  # Trigger on every commit to requirements repository

  checks:
    - id: CHK-REQ-001
      name: "Requirement completeness"
      rule: "Every requirement must have: ID, description, priority, verification criterion"
      severity: HIGH
      tool: "ai_nlp_analyzer"

    - id: CHK-REQ-002
      name: "Requirement testability"
      rule: "Requirements must contain measurable acceptance criteria"
      severity: MEDIUM
      tool: "ai_nlp_analyzer"

    - id: CHK-REQ-003
      name: "Traceability completeness"
      rule: "Every SW requirement must trace to at least one system requirement"
      severity: HIGH
      tool: "polarion_api"

    - id: CHK-REQ-004
      name: "No ambiguous language"
      rule: "Flag use of 'should', 'may', 'might', 'could', 'appropriate', 'as needed'"
      severity: LOW
      tool: "ai_nlp_analyzer"

  reporting:
    format: "json"
    destination: "qa_dashboard"
    notify_on_failure: ["qa_lead@project.com"]
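
The deterministic rules in the configuration above (CHK-REQ-001, CHK-REQ-003, CHK-REQ-004) can be enforced without an NLP model. The following is an added example, not code from the original page or from any tool it names; the record field names, the sample requirements, and the rule that any HIGH finding fails the run are assumptions.

```python
import re

# Terms listed in CHK-REQ-004, matched as whole words/phrases, case-insensitive.
AMBIGUOUS_TERMS = ["should", "may", "might", "could", "appropriate", "as needed"]
AMBIGUOUS_RE = re.compile(
    r"\b(" + "|".join(re.escape(t) for t in AMBIGUOUS_TERMS) + r")\b",
    re.IGNORECASE,
)

# Mandatory fields from CHK-REQ-001 (field names are assumptions of this example).
MANDATORY_FIELDS = ["id", "description", "priority", "verification_criterion"]


def check_requirement(req):
    """Return the list of findings for one requirement record."""
    findings = []
    rid = req.get("id") or "<missing id>"

    # CHK-REQ-001: every mandatory field present and non-empty.
    missing = [f for f in MANDATORY_FIELDS if not str(req.get(f) or "").strip()]
    if missing:
        findings.append({"check": "CHK-REQ-001", "severity": "HIGH", "req": rid,
                         "detail": "missing fields: " + ", ".join(missing)})

    # CHK-REQ-003: at least one upward trace to a system requirement.
    if not req.get("traces_to"):
        findings.append({"check": "CHK-REQ-003", "severity": "HIGH", "req": rid,
                         "detail": "no system requirement trace"})

    # CHK-REQ-004: flag ambiguous wording for human review.
    text = req.get("description") or ""
    hits = sorted({m.group(1).lower() for m in AMBIGUOUS_RE.finditer(text)})
    if hits:
        findings.append({"check": "CHK-REQ-004", "severity": "LOW", "req": rid,
                         "detail": "ambiguous terms: " + ", ".join(hits)})
    return findings


def run_checks(requirements):
    """Run all checks; a HIGH finding fails the run (assumed gate policy)."""
    findings = [f for req in requirements for f in check_requirement(req)]
    passed = not any(f["severity"] == "HIGH" for f in findings)
    return {"passed": passed, "findings": findings}


# Constructed sample records, not taken from a real project.
SAMPLE_REQUIREMENTS = [
    {"id": "SWE-BCM-101", "priority": "high", "traces_to": ["SYS-BCM-010"],
     "description": "The BCM shall switch the low beam on within 100 ms of the request.",
     "verification_criterion": "Measured latency <= 100 ms on HIL bench"},
    {"id": "SWE-BCM-103", "priority": "medium", "traces_to": ["SYS-BCM-012"],
     "description": "The BCM shall debounce the door switch input for 20 ms.",
     "verification_criterion": ""},
    {"id": "SWE-BCM-110", "priority": "low", "traces_to": [],
     "description": "The BCM should dim the interior light as needed.",
     "verification_criterion": "Visual inspection"},
]

if __name__ == "__main__":
    for finding in run_checks(SAMPLE_REQUIREMENTS)["findings"]:
        print(finding)
```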

Process Adherence Monitoring

Continuous vs. Periodic QA: Traditional QA relies on scheduled audits that sample a subset of activities. AI-powered process monitoring checks every workflow execution, every artifact state transition, and every approval event in real time.

| Monitoring Aspect | Data Sources | AI Technique | Alert Conditions |
|---|---|---|---|
| Workflow compliance | CI/CD pipeline logs, ALM tool events | Sequence pattern matching against defined process models | Steps skipped, out-of-order execution, missing approvals |
| Review execution | Code review tool logs, meeting records | Review completeness scoring; participant coverage analysis | Reviews without documented findings, missing reviewer roles, insufficient review time |
| Milestone gate criteria | Project management tool, artifact repository | Gate readiness scoring against checklist criteria | Gate attempted with incomplete work products, missing sign-offs |
| Tool usage compliance | Tool access logs, license servers | Usage pattern analysis against qualified tool list | Unqualified tool versions, unauthorized tool substitutions |
| Configuration management | Git logs, baseline records | Branch policy compliance, merge request workflow validation | Direct commits to protected branches, baselines without required approvals |
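
Sequence matching against a process model, as listed for workflow compliance and configuration management above, reduces to comparing the observed event order per change with the required order. This is an added example, not code from the original page; the event names, the process model, the protected branch set, and the event log are all constructed assumptions.

```python
from collections import defaultdict

# Hypothetical process model: required order of events for one change request.
PROCESS_MODEL = ["mr_opened", "review_completed", "approval_recorded",
                 "pipeline_passed", "merged"]
PROTECTED_BRANCHES = {"main", "release"}  # assumed branch policy


def check_adherence(events):
    """Return sorted (change, kind, detail) deviations found in workflow events."""
    deviations = []
    by_change = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["type"] == "direct_push":
            # A push that bypasses the merge request workflow entirely.
            if ev.get("branch") in PROTECTED_BRANCHES:
                deviations.append((ev["change"], "direct_commit", ev["branch"]))
            continue
        by_change[ev["change"]].append(ev["type"])

    for change, seen in by_change.items():
        if "merged" not in seen:
            continue  # change still in progress; judge it once it lands
        # First occurrence of each modelled step, in the order it happened.
        observed = [s for s in dict.fromkeys(seen) if s in PROCESS_MODEL]
        expected = [s for s in PROCESS_MODEL if s in observed]
        for step in PROCESS_MODEL:
            if step not in observed:
                deviations.append((change, "skipped", step))
        if observed != expected:
            deviations.append((change, "out_of_order", " > ".join(observed)))
    return sorted(deviations)


# Constructed event log: CHG-1 is clean, CHG-2 skips review and approval,
# CHG-3 records approval after the merge, CHG-4 is pushed straight to main.
EVENTS = [
    {"ts": "2025-01-13T09:00", "change": "CHG-1", "type": "mr_opened"},
    {"ts": "2025-01-13T11:00", "change": "CHG-1", "type": "review_completed"},
    {"ts": "2025-01-13T11:30", "change": "CHG-1", "type": "approval_recorded"},
    {"ts": "2025-01-13T12:00", "change": "CHG-1", "type": "pipeline_passed"},
    {"ts": "2025-01-13T12:05", "change": "CHG-1", "type": "merged"},
    {"ts": "2025-01-14T09:00", "change": "CHG-2", "type": "mr_opened"},
    {"ts": "2025-01-14T09:20", "change": "CHG-2", "type": "pipeline_passed"},
    {"ts": "2025-01-14T09:25", "change": "CHG-2", "type": "merged"},
    {"ts": "2025-01-15T10:00", "change": "CHG-3", "type": "mr_opened"},
    {"ts": "2025-01-15T11:00", "change": "CHG-3", "type": "review_completed"},
    {"ts": "2025-01-15T11:10", "change": "CHG-3", "type": "pipeline_passed"},
    {"ts": "2025-01-15T11:15", "change": "CHG-3", "type": "merged"},
    {"ts": "2025-01-15T16:00", "change": "CHG-3", "type": "approval_recorded"},
    {"ts": "2025-01-16T08:00", "change": "CHG-4", "type": "direct_push",
     "branch": "main"},
]

if __name__ == "__main__":
    for deviation in check_adherence(EVENTS):
        print(deviation)
```

An approval recorded after the merge (CHG-3) is reported as out of order rather than as present, which is the case a simple "approval exists" check would miss.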

Work Product Quality Scoring

AI assigns quality scores to work products based on multiple dimensions, providing QA engineers with a prioritized view of where human review effort is most needed.

| Quality Dimension | Scoring Method | Score Range | Threshold |
|---|---|---|---|
| Completeness | Mandatory field/section coverage analysis | 0-100% | >= 95% for release |
| Consistency | Cross-reference validation between related work products | 0-100% | >= 90% for release |
| Correctness | Rule-based checks against standards and templates | 0-100% | >= 90% for release |
| Clarity | NLP readability analysis (Flesch-Kincaid adapted for technical docs) | 0-100% | >= 80% for release |
| Traceability | Link coverage and bidirectionality verification | 0-100% | 100% for safety-relevant |
| Composite Score | Weighted average (configurable per project) | 0-100% | >= 90% for release |

AI Work Product Quality Report:
Document: SRS_BCM_v1.2.docx
Analysis Date: 2025-01-15

Dimension         Score   Status    Details
─────────────────────────────────────────────────────────────
Completeness      87%     WARNING   3 requirements missing verification criteria
Consistency       94%     PASS      2 minor terminology inconsistencies
Correctness       91%     PASS      All structural rules satisfied
Clarity           83%     PASS      2 requirements flagged for ambiguity
Traceability      90%     WARNING   5 of 48 requirements missing upward traces
─────────────────────────────────────────────────────────────
Composite Score   89%     WARNING   Below 90% release threshold

Priority Review Areas:
1. [HIGH] Complete traceability for SWE-BCM-110..114
2. [MEDIUM] Add verification criteria to SWE-BCM-103, 107, 119
3. [LOW] Resolve terminology: "actuator" vs "motor driver" usage

Human Review Required:
- Address all HIGH priority items before release gate
- Confirm LOW items are acceptable terminology variations
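
The thresholds in the table and the sample report above can be reproduced with a small gate function. This is an added example, not code from the original page; equal dimension weights and treating the document as safety-relevant (so traceability must reach 100%) are assumptions, chosen because they reproduce the 89% composite in the report.

```python
# Release thresholds from the scoring table (percent). Traceability uses the
# safety-relevant value; treating the document as safety-relevant is an assumption.
THRESHOLDS = {
    "Completeness": 95, "Consistency": 90, "Correctness": 90,
    "Clarity": 80, "Traceability": 100,
}
COMPOSITE_THRESHOLD = 90


def score_work_product(scores, weights=None):
    """Return per-dimension status, composite score, and release-gate readiness."""
    weights = weights or {dim: 1.0 for dim in scores}  # equal weights (assumption)
    composite = round(
        sum(scores[d] * weights[d] for d in scores) / sum(weights[d] for d in scores)
    )
    status = {d: "PASS" if scores[d] >= THRESHOLDS[d] else "WARNING" for d in scores}
    # Rank failing dimensions by shortfall so review effort goes to the largest gap.
    below = sorted(
        (d for d in scores if status[d] == "WARNING"),
        key=lambda d: THRESHOLDS[d] - scores[d],
        reverse=True,
    )
    return {
        "status": status,
        "composite": composite,
        "composite_status": "PASS" if composite >= COMPOSITE_THRESHOLD else "WARNING",
        # Gate on every dimension AND the composite: a high average can hide one
        # dimension that misses its own threshold.
        "release_ready": not below and composite >= COMPOSITE_THRESHOLD,
        "below_threshold": below,
    }


# Scores from the sample report above (SRS_BCM_v1.2.docx).
REPORT_SCORES = {"Completeness": 87, "Consistency": 94, "Correctness": 91,
                 "Clarity": 83, "Traceability": 90}

# Constructed counter-case: the composite passes, traceability does not.
MASKED_SCORES = {"Completeness": 100, "Consistency": 100, "Correctness": 100,
                 "Clarity": 100, "Traceability": 60}

if __name__ == "__main__":
    print(score_work_product(REPORT_SCORES))
    print(score_work_product(MASKED_SCORES))
```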

Deviation Detection and Prediction

Predictive QA: Beyond detecting existing deviations, AI analyzes historical patterns to predict where quality problems are likely to emerge, enabling preventive action rather than corrective action.

| Detection Type | Method | Data Inputs | Lead Time |
|---|---|---|---|
| Real-time deviation | Rule-based comparison against baselines | Current artifact state vs. defined criteria | Immediate |
| Trend-based prediction | Statistical trend analysis on quality metrics | Historical quality scores, defect density, review finding rates | 1-2 sprints |
| Pattern-based prediction | ML classification trained on historical non-conformances | Past NCRs, root causes, project characteristics | Project phase |
| Cross-project learning | Similarity matching across project portfolio | Multi-project quality databases, common failure modes | Project kickoff |

# Deviation prediction configuration (illustrative example)
deviation_prediction:
  model: "qa_deviation_predictor_v2"
  training_data: "historical_ncr_database"

  risk_indicators:
    - name: "Requirements volatility"
      threshold: "> 15% change rate after SWE.1 baseline"
      prediction: "HIGH risk of downstream rework and traceability gaps"

    - name: "Review finding density drop"
      threshold: "< 0.5 findings per review session"
      prediction: "MEDIUM risk of superficial reviews"

    - name: "Test case growth stagnation"
      threshold: "Test cases not growing proportionally to requirements"
      prediction: "HIGH risk of insufficient test coverage"

    - name: "Late integration defects"
      threshold: "> 30% of defects found in integration testing"
      prediction: "MEDIUM risk of inadequate unit testing"

  actions:
    - trigger: "HIGH risk prediction"
      action: "Schedule focused QA audit within 5 business days"
      notify: ["qa_lead", "project_manager"]

    - trigger: "MEDIUM risk prediction"
      action: "Add to next scheduled QA review agenda"
      notify: ["qa_lead"]

AI-Assisted QA Framework

The diagram below presents the AI-assisted QA framework, showing how automated compliance checks, evidence collection, and trend analysis feed into the QA audit workflow while maintaining human decision authority.

[Figure: AI-Assisted QA Framework]


QA Audit Automation

Note: AI-assisted audits do not replace human auditor judgment. AI handles evidence gathering, checklist pre-population, and compliance pre-screening. The auditor interprets findings, assesses context, and makes the final compliance determination.

Audit Preparation

AI accelerates audit preparation by automatically gathering evidence, pre-populating checklists, and identifying areas of concern before the auditor begins.

| Preparation Step | Manual Effort | AI-Assisted Effort | AI Contribution |
|---|---|---|---|
| Evidence gathering | 4-8 hours per process | 30-60 minutes | Automated retrieval from ALM, Git, review tools; completeness verification |
| Checklist population | 2-4 hours per process | 15-30 minutes | Pre-fill checklist items with evidence references and preliminary pass/fail status |
| Scope identification | 1-2 hours | 15 minutes | Risk-based audit scope recommendation using historical findings and change activity |
| Schedule coordination | 1-2 hours | 10 minutes | Calendar analysis, stakeholder availability matching, resource optimization |
| Previous findings review | 1-2 hours | 10 minutes | Historical finding summary, recurrence pattern analysis, closure status verification |
| Total per process | 9-18 hours | 1.5-2.5 hours | ~85% effort reduction in preparation |

Audit Execution Support

# AI-assisted audit execution workflow (illustrative example)
audit_execution:
  # Phases run in order; a list avoids repeating the "phase" and "steps" keys
  # inside one mapping, which YAML parsers reject or silently overwrite.
  phases:
    - phase: "preparation"
      steps:
        - step: "Auto-gather evidence"
          ai_actions:
            - "Query Polarion for all SWE.1 work products"
            - "Retrieve review records from GitLab merge requests"
            - "Extract test results from CI/CD pipeline artifacts"
            - "Collect approval records from workflow engine"
          output: "evidence_package.zip"

        - step: "Pre-screen compliance"
          ai_actions:
            - "Check each checklist item against gathered evidence"
            - "Mark items as PASS (evidence found and valid), FAIL (evidence missing or invalid), or REVIEW (ambiguous)"
            - "Calculate preliminary compliance score"
          output: "prescreened_checklist.yaml"

        - step: "Risk-based focus areas"
          ai_actions:
            - "Identify checklist items marked REVIEW or FAIL"
            - "Cross-reference with historical audit findings"
            - "Rank focus areas by risk and impact"
          output: "audit_focus_report.md"

    - phase: "execution"
      steps:
        - step: "Auditor reviews pre-screened results"
          human_actions:
            - "Validate AI PASS determinations (sample-based)"
            - "Investigate all FAIL and REVIEW items"
            - "Interview process participants as needed"
            - "Document findings with objective evidence"

        - step: "Finding classification"
          ai_actions:
            - "Suggest finding severity based on ASPICE rating impact"
            - "Link findings to specific base practice gaps"
            - "Propose corrective action categories"
          human_actions:
            - "Confirm or override severity classification"
            - "Finalize finding descriptions"
            - "Agree corrective actions with process owner"

Process Audit Example

# QA Process Audit Checklist (illustrative example)
audit:
  id: QA-AUDIT-001
  process: SWE.1
  date: (audit date)
  auditor: AI-Assisted + QA Lead

  checklist:
    work_products:
      - id: WP-17-08
        name: "SW Requirements Specification"
        check: "Document exists and is under version control"
        status: PASS
        evidence: "SRS_BCM_v1.2.docx in Polarion"

      - id: WP-17-11
        name: "Traceability Record"
        check: "All SW requirements traced to system requirements"
        status: PARTIAL
        finding: "5 of 48 requirements missing traces"
        severity: MEDIUM

      - id: WP-17-12
        name: "Verification Criteria"
        check: "All requirements have verification criteria"
        status: PASS
        evidence: "Verification matrix complete"

    reviews:
      - type: "Requirements Review"
        check: "Review conducted with documented results"
        status: PASS
        evidence: "Review record RR-SWE1-001"

      - type: "Stakeholder Agreement"
        check: "Requirements approved by stakeholders"
        status: FAIL
        finding: "No formal approval record found"
        severity: HIGH

    tools:
      - tool: "Polarion ALM"
        check: "Tool configured per project standards"
        status: PASS

  findings_summary:
    high: 1
    medium: 1
    low: 0

  overall_status: "CONDITIONAL PASS - Address findings"

AI Quality Analysis

L2: Automated Quality Checking

AI Quality Analysis Report:
Document: SRS_BCM_v1.2.docx
Analysis Date: 2025-01-15

The diagram below visualizes the AI completeness analysis results, showing coverage percentages across requirement categories and flagging areas with insufficient specification.

[Figure: Completeness Analysis]

Human Review Required:
- Address ambiguity in flagged requirements
- Complete missing interface requirements
- Add rationale to requirements missing justification
- Fill traceability gaps

Non-Conformance Tracking

Finding Management Workflow

# Non-conformance finding (illustrative example)
finding:
  id: NCR-(year)-(number)
  source: QA-AUDIT-001
  date: (finding date)
  severity: HIGH
  category: process

  description: |
    No formal stakeholder approval record exists for software
    requirements specification SRS_BCM_v1.2.

  evidence: |
    - Review record RR-SWE1-001 shows technical review completed
    - No customer/stakeholder sign-off document found
    - Requirements marked as "Draft" in Polarion

  root_cause_analysis:
    ai_suggestion: |
      Similar pattern in 3 previous projects suggests process gap:
      Review process does not include explicit stakeholder approval step.
    confidence: medium
    human_validation: pending

  corrective_action:
    immediate: "Obtain stakeholder approval for SRS_BCM_v1.2"
    systemic: "Add stakeholder approval gate to requirements workflow"
    owner: Project Manager
    due_date: 2025-01-22

  status: open
  tracking:
    opened: 2025-01-15
    target_close: 2025-01-22
    escalation_date: 2025-01-25

Quality Metrics Dashboard

Note: Metrics should be tailored to project size and ASPICE target capability level. The following represents a comprehensive set; select metrics appropriate to your context.

Core QA Metrics

| Metric | Formula | Target | Measurement Frequency | AI Contribution |
|---|---|---|---|---|
| Audit compliance rate | Passed items / Total items per audit | >= 90% | Per audit | Automated calculation from checklist data |
| NCR closure rate | Closed NCRs / Total NCRs (within target date) | >= 85% | Weekly | Aging analysis and closure trend prediction |
| NCR recurrence rate | Recurring NCRs / Total NCRs | < 10% | Monthly | Pattern matching to identify recurring root causes |
| Process adherence score | Compliant process executions / Total process executions | >= 95% | Continuous | Workflow log mining and compliance scoring |
| Work product quality score | Composite quality score (see scoring section) | >= 90% | Per work product update | Automated multi-dimensional scoring |
| Audit coverage | Processes audited / Total processes in scope | 100% per cycle | Quarterly | Audit schedule optimization and gap tracking |
| Finding density | Findings per audit / Work products audited | Trending downward | Per audit | Trend analysis with seasonal adjustment |
| Mean time to resolution (MTTR) | Average days from NCR opening to verified closure | < 15 business days | Monthly | Resolution time prediction and bottleneck identification |

QA Key Performance Indicators (KPIs)

| KPI | Description | Green | Yellow | Red |
|---|---|---|---|---|
| QA Plan Execution | Percentage of planned QA activities completed on schedule | >= 90% | 75-89% | < 75% |
| Audit Finding Trend | Direction of finding density over last 3 audits | Decreasing | Stable | Increasing |
| NCR Backlog Health | Open NCRs within resolution target vs. overdue | < 10% overdue | 10-25% overdue | > 25% overdue |
| Escalation Rate | Percentage of NCRs requiring management escalation | < 5% | 5-15% | > 15% |
| Preventive Action Effectiveness | Reduction in recurrence after systemic corrective action | > 80% reduction | 50-80% reduction | < 50% reduction |
| AI Finding Accuracy | Percentage of AI-flagged issues confirmed by human auditor | > 85% | 70-85% | < 70% |

AI-Driven Insights

AI augments the metrics dashboard by providing contextual analysis that goes beyond raw numbers.

| Insight Type | Description | Example |
|---|---|---|
| Trend explanation | AI correlates metric changes with project events | "NCR rate increased 40% coinciding with new team member onboarding and 3 concurrent change requests" |
| Cross-project benchmarking | Compare current project metrics against portfolio baselines | "Audit compliance rate is 8% below portfolio average for projects at this lifecycle phase" |
| Predictive alerts | Forecast metric threshold breaches before they occur | "At current trajectory, NCR backlog will exceed RED threshold within 2 sprints" |
| Root cause clustering | Group findings by common root causes for systemic action | "67% of traceability findings across 4 audits trace to the same process gap in requirements import workflow" |
| Resource optimization | Recommend audit schedule adjustments based on risk | "SWE.3 audit can be deferred 2 weeks; SWE.4 should be advanced due to high change activity" |

The dashboard below consolidates the AI-driven QA insights described above into a single monitoring view, tracking audit compliance, finding trends, and predictive alerts.

[Figure: QA Metrics Dashboard]


HITL Protocol for QA Decisions

Fundamental Principle: AI augments QA efficiency but must never replace human judgment for compliance determinations. ASPICE requires that quality assurance is performed by competent personnel; AI is a tool, not a qualified auditor.

Decision Authority Matrix

| QA Activity | AI Role | Human Role | Authority |
|---|---|---|---|
| Evidence gathering | Collect and organize artifacts from tools | Verify completeness of evidence package | Human confirms |
| Compliance pre-screening | Apply rules to flag pass/fail/review items | Validate all AI determinations, especially edge cases | Human decides |
| Finding classification | Suggest severity and category based on criteria | Confirm or override classification with contextual judgment | Human decides |
| Corrective action proposal | Recommend actions based on historical effectiveness | Define, approve, and assign corrective actions | Human decides |
| NCR escalation | Trigger escalation alerts based on thresholds | Make final escalation decision considering context | Human decides |
| Audit report generation | Draft report with findings, metrics, and trends | Review, edit, and approve report before distribution | Human approves |
| Process waiver | Flag waiver request against defined criteria | Evaluate justification and approve or deny waiver | Human decides |
| Quality gate decision | Calculate readiness score against gate criteria | Make pass/conditional pass/fail determination | Human decides |

Mandatory Human Checkpoints

  1. Audit finding confirmation: Every finding flagged by AI must be reviewed and confirmed or dismissed by a qualified QA auditor before it is formally recorded
  2. Severity classification: AI severity suggestions are advisory; the auditor determines the final severity based on project context, safety impact, and customer requirements
  3. Corrective action approval: All corrective actions, whether AI-suggested or human-defined, require approval by the responsible process owner and QA lead
  4. Audit report sign-off: The audit report is a controlled work product; only the designated QA auditor may sign off on the final version
  5. Quality gate decisions: Gate pass/fail determinations remain exclusively human decisions; AI provides the data, humans make the call
  6. Escalation authorization: While AI triggers escalation alerts, the QA lead determines whether formal escalation to management is warranted

Override and Feedback Protocol

# HITL override tracking (illustrative example)
hitl_override:
  id: HITL-QA-001
  date: (override date)
  ai_recommendation: "FAIL - Missing stakeholder approval record"
  human_decision: "CONDITIONAL PASS"

  justification: |
    Verbal approval obtained in steering committee meeting SC-2025-003.
    Formal sign-off scheduled for 2025-01-20. Risk accepted for 5 business
    days to avoid blocking downstream activities.

  approved_by: "QA Lead"
  conditions:
    - "Formal approval must be obtained by 2025-01-20"
    - "If not obtained, finding reverts to FAIL status"

  feedback_to_ai:
    category: "verbal_approval_acceptance"
    learning: "Verbal approval with documented meeting minutes may be
              accepted as interim evidence with time-bounded conditions"
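
A conditional override such as HITL-QA-001 only holds while its condition is still open, so the finding's status has to be resolved against the current date. This is an added example, not code from the original page; the dictionary field names, the PASS result once evidence arrives in time, and ignoring undocumented overrides are assumptions.

```python
from datetime import date


def effective_status(override, today, evidence_received_on=None):
    """Status a finding carries on `today` under a time-bounded HITL override."""
    documented = bool(override.get("approved_by")) and bool(
        (override.get("justification") or "").strip()
    )
    if not documented:
        # An override without approver and rationale is not honoured
        # (assumption, in line with checklist item AI-QA-005).
        return override["ai_status"]
    deadline = override["condition_deadline"]
    if evidence_received_on is not None and evidence_received_on <= deadline:
        return "PASS"  # condition met in time (resulting status is an assumption)
    if today > deadline:
        return override["ai_status"]  # condition lapsed: finding reverts
    return override["human_status"]


def lapsed_overrides(overrides, today, evidence=None):
    """IDs of overrides whose condition expired without evidence, for follow-up."""
    evidence = evidence or {}
    lapsed = []
    for o in overrides:
        received = evidence.get(o["id"])
        met = received is not None and received <= o["condition_deadline"]
        if today > o["condition_deadline"] and not met:
            lapsed.append(o["id"])
    return sorted(lapsed)


# The override from the example above, expressed as a record.
OVERRIDE = {
    "id": "HITL-QA-001",
    "ai_status": "FAIL",
    "human_status": "CONDITIONAL PASS",
    "justification": "Verbal approval obtained in steering committee meeting "
                     "SC-2025-003.",
    "approved_by": "QA Lead",
    "condition_deadline": date(2025, 1, 20),
}

if __name__ == "__main__":
    for day in (date(2025, 1, 17), date(2025, 1, 20), date(2025, 1, 21)):
        print(day, effective_status(OVERRIDE, day))
```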

Tool Integration

Note: Tool selection depends on project infrastructure, budget, and existing toolchain. The following integrations are representative; adapt to your specific environment.

SonarQube Integration

SonarQube provides continuous code quality inspection that feeds directly into the QA compliance framework.

| Integration Point | QA Application | Configuration |
|---|---|---|
| Quality Gate status | Automated pass/fail for code quality criteria | Define project-specific quality gate with MISRA compliance, coverage thresholds, and duplication limits |
| Issue tracking | Feed code quality findings into NCR workflow | Map SonarQube severity (BLOCKER, CRITICAL) to QA severity (HIGH, MEDIUM) |
| Technical debt | Track and report technical debt as quality metric | Set technical debt ratio thresholds per project phase |
| Coverage reporting | Verify structural coverage against ASPICE/ISO 26262 targets | Configure coverage thresholds per ASIL level (e.g., ASIL-B: MC/DC not required but statement coverage >= 80%) |
| Rule compliance | MISRA C:2012 rule adherence tracking | Enable MISRA C plugin; configure mandatory vs. advisory rule sets |

Axivion Suite Integration

Axivion provides architecture verification and code quality analysis particularly suited to embedded and safety-critical software.

| Integration Point | QA Application | Configuration |
|---|---|---|
| Architecture compliance | Verify implementation matches architectural design | Define architecture model; check for dependency violations on every build |
| Clone detection | Identify code duplication that may indicate design issues | Set clone thresholds; feed violations into QA finding workflow |
| Metric trending | Track complexity, coupling, and cohesion metrics over time | Define metric baselines at project start; alert on degradation |
| MISRA checking | Comprehensive MISRA C:2012 compliance analysis | Configure against project-specific deviation permits |
| Delta analysis | Focus review on changed code areas | Integrate with CI/CD to analyze only modified files per commit |

Custom AI QA Agents

Purpose-built AI agents extend QA automation beyond what commercial tools provide.

| Agent | Purpose | Inputs | Outputs | Integration |
|---|---|---|---|---|
| Traceability Auditor | Verify bidirectional traceability completeness | ALM export (requirements, design, test cases) | Gap report with missing links and orphaned items | Polarion/codebeamer API; scheduled daily |
| Review Quality Checker | Assess whether reviews meet minimum quality criteria | Review records, comments, time logs | Review quality score; findings for superficial reviews | GitLab/GitHub API; triggered per merge request |
| Process Compliance Monitor | Check workflow execution against defined process | CI/CD logs, ALM workflow events, approval records | Compliance score per process; deviation alerts | Event-driven; monitors tool webhooks |
| Document Quality Scorer | Score work products across quality dimensions | Document content, templates, standards | Multi-dimensional quality score with improvement suggestions | Triggered on document update in repository |
| NCR Pattern Analyzer | Identify recurring non-conformance patterns | Historical NCR database | Pattern report with systemic action recommendations | Scheduled monthly; on-demand for audit preparation |

# Custom AI QA agent configuration (illustrative example)
qa_agents:
  traceability_auditor:
    schedule: "daily at 02:00 UTC"
    data_sources:
      - type: "polarion"
        query: "project:BCM AND type:requirement"
      - type: "polarion"
        query: "project:BCM AND type:test_case"
    checks:
      - "Every requirement has at least one test case linked"
      - "Every test case traces to at least one requirement"
      - "No orphaned requirements (no parent system requirement)"
      - "No suspect links (requirement changed after test case baselined)"
    output:
      format: "json"
      destination: "qa_dashboard"
      alert_threshold: "any gap found"

  review_quality_checker:
    trigger: "merge_request_merged"
    checks:
      - name: "Minimum review time"
        rule: "Review duration >= 30 minutes for changes > 100 lines"
      - name: "Reviewer coverage"
        rule: "At least 2 reviewers including domain expert"
      - name: "Finding resolution"
        rule: "All review findings marked resolved or deferred with justification"
    output:
      format: "markdown"
      destination: "merge_request_comment"
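
The requirement-to-test-case checks listed for `traceability_auditor` above, including suspect links, can be computed from an ALM export. This is an added example, not code from the original page or a Polarion API client; the export record shape and sample data are constructed assumptions, and the parent system requirement (orphan) check is left out.

```python
from datetime import date


def audit_traceability(requirements, test_cases):
    """Return traceability gaps between requirements and test cases."""
    req_ids = {r["id"] for r in requirements}
    last_changed = {r["id"]: r["last_changed"] for r in requirements}
    covered = set()
    gaps = {"untested_requirements": [], "untraced_test_cases": [],
            "dangling_links": [], "suspect_links": []}

    for tc in test_cases:
        valid = []
        for rid in tc["verifies"]:
            if rid in req_ids:
                valid.append(rid)
            else:
                # Link points at a requirement that no longer exists in the export.
                gaps["dangling_links"].append((tc["id"], rid))
        if not valid:
            # A test case with only dangling links counts as untraced.
            gaps["untraced_test_cases"].append(tc["id"])
        for rid in valid:
            covered.add(rid)
            # Suspect link: requirement changed after the test case was baselined.
            if last_changed[rid] > tc["baselined"]:
                gaps["suspect_links"].append((tc["id"], rid))

    gaps["untested_requirements"] = sorted(req_ids - covered)
    # alert_threshold in the configuration is "any gap found".
    gaps["alert"] = any(gaps[k] for k in (
        "untested_requirements", "untraced_test_cases",
        "dangling_links", "suspect_links"))
    return gaps


# Constructed export, not taken from a real project.
REQUIREMENTS = [
    {"id": "SWE-BCM-101", "last_changed": date(2025, 1, 5)},
    {"id": "SWE-BCM-102", "last_changed": date(2025, 1, 14)},
    {"id": "SWE-BCM-103", "last_changed": date(2025, 1, 2)},
]
TEST_CASES = [
    {"id": "TC-001", "verifies": ["SWE-BCM-101"], "baselined": date(2025, 1, 10)},
    {"id": "TC-002", "verifies": ["SWE-BCM-102"], "baselined": date(2025, 1, 10)},
    {"id": "TC-003", "verifies": [], "baselined": date(2025, 1, 10)},
    {"id": "TC-004", "verifies": ["SWE-BCM-999"], "baselined": date(2025, 1, 10)},
]

if __name__ == "__main__":
    print(audit_traceability(REQUIREMENTS, TEST_CASES))
```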

Work Products

| WP ID | Work Product | Description | AI Role | AI Level | Human Responsibility |
|---|---|---|---|---|---|
| 15-01 | QA plan | Defines QA strategy, scope, schedule, criteria, and resources | Template generation from ASPICE base practices and project context | L1 | Tailor to project; approve scope and schedule |
| 15-02 | QA report | Documents audit findings, compliance status, and recommendations | Automated finding aggregation, trend analysis, and report drafting | L2 | Validate findings; approve report content |
| 08-28 | Non-conformance record | Documents individual non-conformance with evidence and corrective actions | Classification, severity suggestion, root cause pattern matching | L2 | Confirm classification; approve corrective actions |
| 13-25 | Corrective action log | Tracks corrective and preventive actions to closure | Status monitoring, aging alerts, effectiveness tracking | L2 | Approve actions; verify closure evidence |
| 15-03 | Audit checklist | Detailed checklist for process and work product audits | Pre-population from ASPICE base practices; evidence auto-gathering | L2 | Customize per audit scope; validate completions |
| 13-50 | QA metrics report | Periodic report on QA KPIs, trends, and predictions | Automated metric calculation, trend analysis, predictive insights | L2 | Interpret metrics in context; define actions |
| 08-50 | Process improvement proposal | Systemic improvement proposals based on QA findings | Pattern analysis across NCRs; improvement suggestions | L1 | Evaluate feasibility; prioritize and approve |

Common Quality Issues in AI-Assisted Development

Critical Awareness: AI-assisted development introduces new categories of quality issues that traditional QA processes may not detect. QA criteria and checklists must be explicitly updated to address these risks.

| Quality Issue | Description | Detection Method | Mitigation |
|---|---|---|---|
| AI hallucination in requirements | AI generates plausible but incorrect requirements or rationale | Cross-reference AI outputs against source documents; domain expert review | Mandatory human review of all AI-generated requirements; provenance tracking |
| Unverified code suggestions | AI-generated code accepted without adequate review or testing | Code review quality checking; coverage analysis for AI-generated code | Flag AI-generated code for enhanced review; require test evidence |
| Inconsistent terminology | AI uses different terms than project glossary or standards | NLP-based terminology consistency checking | Maintain and enforce project glossary; configure AI tools with glossary |
| Traceability gaps from AI changes | AI modifications break existing traceability links | Automated traceability audit after every AI-assisted change | Run traceability validation in CI/CD pipeline; block merge on gaps |
| Over-reliance on AI findings | QA team treats AI results as authoritative without validation | HITL compliance monitoring; audit of override rates | Enforce mandatory human confirmation; track and review override frequency |
| Tool qualification gaps | AI tools used beyond their qualified scope or version | Tool usage monitoring; qualification record maintenance | Maintain tool qualification matrix; alert on unqualified tool usage |
| Bias in AI quality scoring | AI scoring model trained on biased historical data | Periodic scoring model validation against expert assessments | Calibrate AI models quarterly; compare AI scores with manual audit results |
| Loss of process knowledge | Team relies on AI for process compliance without understanding rationale | Process competency assessments; training records review | Maintain training program; ensure QA team understands underlying standards |

AI-Specific QA Checklist Extension

# Additional QA checklist items for AI-assisted development
ai_qa_checks:
  - id: AI-QA-001
    question: "Are AI-generated work products clearly identified and labeled?"
    evidence: "Provenance metadata in document properties or commit messages"

  - id: AI-QA-002
    question: "Has every AI-generated requirement been reviewed by a domain expert?"
    evidence: "Review record with explicit AI-content review confirmation"

  - id: AI-QA-003
    question: "Are AI tools used within their qualified scope and version?"
    evidence: "Tool qualification record; tool version log"

  - id: AI-QA-004
    question: "Is AI confidence level documented for AI-generated analyses?"
    evidence: "Confidence scores in analysis reports; thresholds defined in QA plan"

  - id: AI-QA-005
    question: "Are HITL override decisions documented with justification?"
    evidence: "HITL override log with rationale and approver"

  - id: AI-QA-006
    question: "Is the AI model/tool version recorded for reproducibility?"
    evidence: "Tool version in CI/CD logs; model version in analysis reports"

  - id: AI-QA-007
    question: "Are AI-generated test cases validated for relevance and coverage?"
    evidence: "Test case review record; coverage analysis report"
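As an added example (not part of the original page or of any project tooling), the sketch below shows how checklist items AI-QA-001, AI-QA-003, AI-QA-005 and AI-QA-006 could be checked automatically from commit-message metadata in a CI job. The trailer names, the tool name `codegen-assistant`, its version numbers and the sample commits are assumptions constructed for illustration.

```python
import re

# Hypothetical tool qualification matrix (AI-QA-003): tool name -> qualified versions.
QUALIFIED_TOOLS = {"codegen-assistant": {"2.3.1", "2.4.0"}}
# Assumed trailer names; the checklist only asks that this metadata exists.
TRAILER_RE = re.compile(
    r"^(AI-Generated|AI-Tool|AI-Tool-Version|HITL-Override|"
    r"Override-Rationale|Override-Approver):[ \t]*(.*)$", re.M)

def parse_trailers(message):
    """Collect the recognised 'Key: value' trailer lines of a commit message."""
    return {key: value.strip() for key, value in TRAILER_RE.findall(message)}

def check_commit(message):
    """Return the checklist ids this commit message fails, in checklist order."""
    t = parse_trailers(message)
    label = t.get("AI-Generated", "").lower()
    if label not in ("yes", "no"):
        return ["AI-QA-001"]  # provenance not declared either way
    failed = []
    tool, version = t.get("AI-Tool"), t.get("AI-Tool-Version")
    if label == "yes" and tool and version \
            and version not in QUALIFIED_TOOLS.get(tool, set()):
        failed.append("AI-QA-003")  # tool or version outside qualified scope
    if t.get("HITL-Override", "").lower() == "yes":
        if not (t.get("Override-Rationale") and t.get("Override-Approver")):
            failed.append("AI-QA-005")  # override lacks rationale or approver
    if label == "yes" and not (tool and version):
        failed.append("AI-QA-006")  # tool/version not recorded
    return failed

_AI = "AI-Generated: yes\nAI-Tool: codegen-assistant\nAI-Tool-Version: "
# Constructed sample commit messages, one per outcome.
COMMITS = {
    "ok": "Add timeout handler\n\n" + _AI + "2.4.0\n",
    "unlabelled": "Fix typo\n",
    "unqualified": "Refactor parser\n\n" + _AI + "3.0.0-beta\n",
    "bad_override": "Skip flaky check\n\n" + _AI + "2.3.1\nHITL-Override: yes\n"
                    "Override-Rationale:\nOverride-Approver: j.doe\n",
    "no_version": "Add unit tests\n\nAI-Generated: yes\n",
}

def audit(commits):
    """Map each commit name to its list of failed checklist ids."""
    return {name: check_commit(msg) for name, msg in commits.items()}

if __name__ == "__main__":
    for name, failed in audit(COMMITS).items():
        print(name, "PASS" if not failed else "FAIL " + ",".join(failed))
```

A non-empty result for any commit in a merge request is the signal to block the merge and raise an NCR; the remaining checklist items (expert review, confidence levels, test-case validation) need review records rather than commit metadata.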

Implementation Checklist

Usage: This checklist supports incremental adoption of AI-powered QA. Organizations should target Level 1 items first, then progress to Level 2 and Level 3 as capability matures.

Level 1: Foundation (AI-Assisted)

| Item | Action | Responsible | Status |
|---|---|---|---|
| 1.1 | Define QA plan with explicit AI integration scope and boundaries | QA Lead | [ ] |
| 1.2 | Establish QA criteria that address AI-generated work products | QA Lead + Process Owner | [ ] |
| 1.3 | Create audit checklists with AI-specific items (AI-QA-001 through AI-QA-007) | QA Lead | [ ] |
| 1.4 | Define HITL protocol with mandatory human checkpoints | QA Lead + Project Manager | [ ] |
| 1.5 | Set up NCR tracking system with AI classification fields | QA Lead + Tool Admin | [ ] |
| 1.6 | Train QA team on AI tool capabilities and limitations | QA Lead + Training | [ ] |
| 1.7 | Establish tool qualification records for all AI tools used in QA | QA Lead + Safety Manager | [ ] |
| 1.8 | Define quality metrics and KPI thresholds | QA Lead + Project Manager | [ ] |

Level 2: Integration (AI-Augmented)

| Item | Action | Responsible | Status |
|---|---|---|---|
| 2.1 | Integrate SonarQube (or equivalent) quality gate into CI/CD pipeline | DevOps + QA Lead | [ ] |
| 2.2 | Deploy automated traceability auditor agent | DevOps + QA Lead | [ ] |
| 2.3 | Implement automated work product quality scoring | QA Lead + AI Engineer | [ ] |
| 2.4 | Configure process adherence monitoring on CI/CD workflows | DevOps + QA Lead | [ ] |
| 2.5 | Set up QA metrics dashboard with automated data collection | QA Lead + Tool Admin | [ ] |
| 2.6 | Implement automated audit evidence gathering from ALM and Git | QA Lead + Tool Admin | [ ] |
| 2.7 | Deploy review quality checker on merge request workflows | DevOps + QA Lead | [ ] |
| 2.8 | Configure NCR pattern analyzer for monthly systemic analysis | QA Lead + AI Engineer | [ ] |
| 2.9 | Establish AI finding accuracy tracking (target: > 85%) | QA Lead | [ ] |
| 2.10 | Integrate Axivion (or equivalent) for architecture compliance checking | DevOps + Architect | [ ] |

Level 3: Optimization (AI-Automated with Oversight)

| Item | Action | Responsible | Status |
|---|---|---|---|
| 3.1 | Deploy predictive deviation detection using historical NCR data | QA Lead + AI Engineer | [ ] |
| 3.2 | Implement cross-project benchmarking in QA dashboard | QA Lead + PMO | [ ] |
| 3.3 | Enable AI-driven audit scope optimization based on risk analysis | QA Lead | [ ] |
| 3.4 | Deploy continuous process compliance monitoring (real-time) | DevOps + QA Lead | [ ] |
| 3.5 | Implement AI-generated improvement proposals from NCR clustering | QA Lead + AI Engineer | [ ] |
| 3.6 | Establish feedback loop from HITL overrides to AI model refinement | QA Lead + AI Engineer | [ ] |
| 3.7 | Validate AI QA accuracy quarterly with independent manual audits | QA Lead + External Auditor | [ ] |

Summary

SUP.1 Quality Assurance:

  • AI Level: L1-L2 (AI detects, human confirms)
  • Primary AI Value: Automated compliance checking, continuous process monitoring, predictive deviation detection
  • Human Essential: Finding validation, corrective action approval, quality gate decisions, audit sign-off
  • Key Outputs: QA reports, non-conformance records, corrective action logs, quality metrics
  • Focus: Process adherence, work product quality, AI-specific quality risks
  • Tool Ecosystem: SonarQube, Axivion, custom AI QA agents, ALM integration
  • HITL Principle: AI augments QA efficiency; humans retain all compliance decision authority