See you at BlackHat USA


Enhancing Functional Safety in Automotive Software Development

Guarantee that there are no undefined behaviors in code but also reduces compliance effort by bringing the accessible power of formal methods to development teams

ISO 26262: Enhancing functional safety in automotive software development

Functional Safety Key Points:

  • ISO 26262 safety standard in the automotive industry 
  • Simplifying compliance for eSOL 
  • The future of functional safety 


In part one of this blog series, we covered ISO 26262 certification requirements and impact. This series is an adaptation of Simplifying ISO 26262 Certification with TrustInSoft Analyzer, click here to download and read now. 

Understanding the Significance of ISO 26262:

ISO 26262 is an automotive safety standard regarding the functional safety of road vehicles which plays an important role in the guidance of development of automotive systems. This standard helps ensure that safety is systematically built into the development and any potential hazard that could result from software malfunctions can be identified, documented, and mitigated.  

To achieve ISO 26262 certification, one must prove compliant development with an independent authority. This can be a challenging process involving trust in the team’s ASIL level choice, requirements, documents, reports, that demonstrate the proof of functional safety aspects being built into the process. 

The Tool Confidence Level (TCL) corresponds to the confidence level the industry can place on the tool’s results. Tools classified as TCL1 require no additional verification steps against their outputs, while those classified as TCL2 or TCL3 typically require additional activities and evidence depending on their impact on safety. 

Tackling Undefined Behavior

Undefined Behavior (UBs) are vulnerabilities that put software at risk but are difficult to detect, for example, Heartbleed vulnerability. This means that anything can happen, given that the C language standard imposes no requirement of the behavior of a given program construct. 

How do UBs introduce vulnerabilities that hackers exploit? 

  • Program fails to compile 
  • Incorrect execution at runtime 
  • Incorrect output results 

These lead to crashes and other unexpected results that can be a huge safety and security risks, especially for vehicles that need to ensure the software is immune from both types of risks for the protection of the consumer. In research conducted by Google, 90% of Android CVEs were memory safety related. 

Exhaustive static analysis tools that use formal methods address the gap in detecting UBs where traditional static analysis techniques fail. 

TrustInSoft Analyzer uses formal methods to perform exhaustive static analysis with mathematically proven analysis techniques with advancements in software design and computing power to achieve up to 100% code coverage and guarantee the absence of UBs. 

A Revolutionary Approach: Introducing Exhaustive Static Analysis

Rather than implement sets of pre-established rules like most static analysis tools, TrustInSoft Analyzer uses mathematical formal methods to prove unequivocally that code is free from coding errors and UBs that can lead to issues. Exhaustive static analysis methods were initially developed for the formal verification of safety-critical systems over two decades ago, now highly refined and optimized for today’s automotive software applications. 

ISO 26262 standard refers to methods operating on code as “semi-formal methods” and classifies “formal methods” as acting on description techniques that have both syntax and semantics completely defined, such as UML and similar model-based frameworks. 

TrustInSoft Analyzer uses a set of exhaustive static analysis methods based on “abstract interpretation.” These methods simulate a whole set of a given program’s executions simultaneously, as opposed to traditional tests that can only individually simulate a given execution. This approach enables developers to go beyond traditional testing methods that may miss UBs for an individual test value and guarantees that testing results are valid for any compiler, any chosen set of compiler options, and any memory layout. 

Case Studies:


eSOL, a global software company specializing in embedded systems for automotive, industrial, and consumer electronics, recently adopted TrustInSoft Analyzer to support ISO 26262 certification of its eMCOS real-time operating system (RTOS). 

eMCOS is designed to support critical automotive applications, eSOL had to generate sufficient evidence for eMCOS (including kernel, scheduler, and C library) to achieve ISO 26262 ASIL D certification. Unlike most certified operating systems, eSOL included the eMCOS POSIX API in the certification process, requiring a significant investment in time, resources, and expertise. 

TrustInSoft Analyzer simplified compliance efforts in three ways: 

  • Hardware awareness meant no hardware was necessary to meet ISO 26262’s hardware-software integration requirements 
  • Code instrumentation did not have to be implemented as the functionality is built into the tool 
  • Developers achieved a mathematical guarantee of the absence of undefined behaviors in their code 

The result was improved confidence in functional safety and less effort spent on verification. eSOL has since integrated TrustInSoft Analyzer into its V-cycle and continuous integration processes to comply with future activities required by the ISO 26262 standard. Watch the testimonial here.  

Toyota Infotechnology Center Test Suite

The test suite comprises: 

  • 1272 C/C++ test cases, of which half contain code issues and half do not 
  • Code samples for each defect type to help evaluate whether the tool detects all issues and determine if the tool reports alarms where it should not (false positives) 
  •  50 different test categories, including dead code, memory leaks, and type overflows 

TrustInSoft Analyzer found 100% of the issues in all 1008 test cases in its scope, covering undefined behaviors in C/C++ code. This was accomplished with no false positives, meaning that only actual defects were detected. Learn more in the dedicated blog. 


The future of automotive software development continues to be more and more complex and challenging. The software development and verification methods of today form the reality of tomorrow. This said, safety and security must be accounted for from the source code level. Mathematically ISO 26262 qualified tools can help ensure this with functional proof that the critical code will do exactly what it is specified to  

Qualified as an ISO 26262–compliant tool, TrustInSoft Analyzer not only guarantees there are no undefined behaviors in code but also reduces compliance effort by bringing the accessible power of formal methods to development teams. 


Related articles

June 18, 2024
June 4, 2024
May 31, 2024