
In those kinds of scenarios I think you'd typically want to go for formal verification or similar methods because you want liveness guarantees in addition to memory safety guarantees.


Formal verification doesn't mean shit when a cosmic ray bitflips your program counter.

Safety critical systems need to fail safely, because they will fail. Detecting unexpected execution should halt the system and revert it back to a known state (e.g. cycle power).
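
A concrete form of the "detect unexpected execution, then revert to a known state" pattern, as an added example that is not part of the thread: a control-flow signature (each step XORs a distinct constant into a running value, so a skipped, repeated or reordered step yields the wrong signature) combined with a complemented copy of critical data (a single bit flip breaks the pair). On any mismatch the code drops into a fail-safe handler that discards state and starts over, standing in for a watchdog-driven power cycle. The step constants, the `safe_u32` type and the simulated faults in `run_cycle` are illustrative choices for this example only.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Added example (not from the thread): software detection of corrupted
 * execution or data, with a fail-safe fallback to a known state. */

/* A datum stored with its bitwise complement: a flip in either word
 * breaks the invariant value == ~inverse. */
typedef struct {
    uint32_t value;
    uint32_t inverse;
} safe_u32;

static void safe_set(safe_u32 *s, uint32_t v) { s->value = v; s->inverse = ~v; }
static bool safe_ok(const safe_u32 *s) { return s->value == (uint32_t)~s->inverse; }

/* Control-flow signature: every step on the expected path contributes a
 * distinct constant; the end-of-cycle check compares against the XOR of all. */
enum { STEP_A = 0x1A2B3C4Du, STEP_B = 0x5E6F7081u, STEP_C = 0x92A3B4C5u };
#define EXPECTED_SIG ((uint32_t)(STEP_A ^ STEP_B ^ STEP_C))

typedef enum { RESULT_OK = 0, RESULT_FAILSAFE = 1 } result_t;

static int failsafe_entries; /* how many times the fail-safe path ran */

/* "Known state": throw the working state away and restart. On real
 * hardware this is where you would trip the watchdog or request a reset. */
static result_t fail_safe(safe_u32 *state)
{
    failsafe_entries++;
    safe_set(state, 0);
    return RESULT_FAILSAFE;
}

/* One control cycle. fault selects a simulated hardware fault:
 *   0 = none
 *   1 = flip one bit of the counter after it is written (data corruption)
 *   2 = skip step B, as a corrupted program counter might do */
static result_t run_cycle(safe_u32 *state, int fault)
{
    uint32_t sig = 0;

    sig ^= STEP_A;                         /* step A: advance the counter */
    safe_set(state, state->value + 1);
    if (fault == 1)
        state->value ^= 0x00000400u;       /* simulated single-event upset */

    if (fault != 2)
        sig ^= STEP_B;                     /* step B: normally always runs */

    sig ^= STEP_C;                         /* step C: end-of-cycle checks */
    if (sig != EXPECTED_SIG || !safe_ok(state))
        return fail_safe(state);
    return RESULT_OK;
}

int main(void)
{
    safe_u32 counter;
    safe_set(&counter, 0);
    for (int fault = 0; fault <= 2; fault++) {
        result_t r = run_cycle(&counter, fault);
        printf("fault=%d result=%s counter=%u failsafes=%d\n", fault,
               r == RESULT_OK ? "ok" : "FAILSAFE", counter.value, failsafe_entries);
    }
    return 0;
}
```

The signature only covers paths inside the instrumented function; a flip that lands the program counter outside it is caught by nothing here, which is why such checks are paired with an independent hardware watchdog that the healthy path must keep kicking.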


Depends on the "threat model" I suppose, for lack of a better phrase. I'd imagine hardware faults and the response(s) can be modeled if you decide to do so as well.



