We live in a world where cars drive themselves, medical devices track our health remotely, and factories run with minimal human oversight. Behind this transformation, safety-critical industries—automotive, aerospace, medical, and industrial—have long focused on preventing accidental failures. Experts have relied on rigorous standards like ISO 26262 and IEC 61508 to ensure that component faults or systematic errors don’t lead to catastrophe. This invisible work has been the foundation of technological trust.

But what happens when the risk isn’t an accident, but an attack?

Connected, software-defined systems have introduced a new threat: cybersecurity. Malicious exploits can manipulate digital systems in ways traditional safety measures never anticipated. Functional safety and cybersecurity, once separate domains, now converge—creating an urgent challenge for developers and manufacturers. The question is no longer “Is this tool safe?” but “Is this tool—and the system it helps build—both safe and secure?”

Meeting this challenge demands a new approach, starting with the core processes of tool and library qualification.

The Foundation of Safety: Reflecting on Qualification

In the realm of functional safety, tool qualification is a structured process designed to provide objective evidence that a software tool is fit for developing safety-critical systems. Its purpose is clear: to ensure the tool neither introduces errors nor fails to detect them—errors that could jeopardize the safety of the final product.

Take the example of a compiler, a core tool that converts human-readable code into machine instructions. A subtle bug in the compiler could embed a hidden defect in the application—one that might surface only under rare conditions, yet with potentially catastrophic consequences. To mitigate this risk, qualification standards mandate a detailed analysis to establish the tool’s “confidence level” and define the steps required to prove its reliability.

The same principle applies to library qualification. Whether it’s a C++ standard library or an open-source component, these pre-built elements must be verified for their intended use. This step is critical because modern systems heavily depend on such libraries. A single flaw in a widely adopted library can propagate vulnerabilities across countless products.

For years, Validas has been a leader in this field, offering a model-based approach to tool and library qualification. Their methodology includes ready-to-use “Qualification Kits” (QKits), which automate much of the rigorous process. These kits deliver the necessary evidence and documentation, validated by certifying bodies like TÜV Süd, saving development teams significant time and enabling them to focus on their core innovations. This approach has proven to be an effective and indispensable strategy for managing safety risks.

The New Imperative: Security Joins the Equation

While functional safety focuses on preventing unintended failures, cybersecurity is concerned with preventing intentional, malicious attacks. The two concepts are distinct, but their outcomes are now tightly bound. An attacker who exploits a security vulnerability can effectively create a safety failure on demand.

The challenge is that a tool or library can be perfectly safe from a functional perspective; it may never crash or produce a random error but may be riddled with security holes. This is a blind spot that traditional safety standards, on their own, cannot address.

The Tool Security Gap: Your Blind Spot

For decades, the development of safety-critical systems has revolved around one core objective: preventing accidental failures. This focus has led to robust methodologies for tool qualification, codified in standards like ISO 26262 and IEC 61508. As shown in the diagram below, this framework excels at managing safety risks through three structured stages:

  • Risk Analysis (Tool Classification): Identifying potential errors a tool might introduce.

  • Risk Reduction (Tool Qualification): Mitigating those risks through rigorous testing and documentation.

  • Risk Handling (Safe Tool Usage): Defining processes to ensure correct tool usage.
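
The first stage, tool classification, is where the rigor starts. As an added illustration (not Validas' code, and not taken from a QKit), the following Python models how ISO 26262-8 derives a tool's confidence level from the Tool Impact (TI) and Tool error Detection (TD) of each use case; the page's "Tool Risk Level" corresponds to what the standard calls the Tool Confidence Level (TCL). The compiler use cases and the "strongest measure sets TD" rule are constructed assumptions for the example.

```python
"""Tool classification in the style of ISO 26262-8 (added example, not vendor code).

Per use case:  TI1 = a tool malfunction cannot violate a safety requirement,
               TI2 = it can.
               TD1/TD2/TD3 = high/medium/low confidence the error is detected or
               prevented by the surrounding process.
TCL per use case follows the ISO 26262-8 table; the tool's overall TCL is the
worst (highest) TCL over all of its use cases, because one unguarded use case
is enough to let an undetected error into the product.
"""
from dataclasses import dataclass, field

# ISO 26262-8 tool confidence level table (TI, TD) -> TCL
TCL_TABLE = {("TI1", "TD1"): 1, ("TI1", "TD2"): 1, ("TI1", "TD3"): 1,
             ("TI2", "TD1"): 1, ("TI2", "TD2"): 2, ("TI2", "TD3"): 3}

@dataclass
class Measure:
    name: str
    td: str  # confidence this single measure gives: "TD1", "TD2" or "TD3"

@dataclass
class UseCase:
    name: str
    potential_error: str
    can_violate_safety_req: bool
    measures: list = field(default_factory=list)

    def ti(self) -> str:
        return "TI2" if self.can_violate_safety_req else "TI1"

    def td(self) -> str:
        # Assumption: the strongest available measure determines TD; no measure = TD3.
        return min((m.td for m in self.measures), default="TD3")  # "TD1" < "TD3"

    def tcl(self) -> int:
        return TCL_TABLE[(self.ti(), self.td())]

def classify_tool(use_cases):
    """Return (overall TCL, TCL per use case, use cases that drive the overall TCL)."""
    per_uc = {uc.name: uc.tcl() for uc in use_cases}
    overall = max(per_uc.values())
    drivers = [name for name, lvl in per_uc.items() if lvl == overall]
    return overall, per_uc, drivers

# Constructed sample: three use cases of a compiler in a safety project.
COMPILER_USE_CASES = [
    UseCase("listing output", "wrong addresses in listing", False),
    UseCase("code generation", "wrong object code", True,
            [Measure("module test on target object code", "TD2")]),
    UseCase("optimization", "miscompiled loop under -O2", True,
            [Measure("manual code review", "TD3")]),
]
```

Here `classify_tool(COMPILER_USE_CASES)` yields overall TCL 3, driven solely by the "optimization" use case; the report tells the team exactly which use case needs an added detection measure or full qualification.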

This systematic approach works brilliantly for safety. But when it comes to security, the structure collapses. The same rigor that shields us from accidental failures is almost entirely missing in how we address cybersecurity risks in tools.

The Dangerous Disconnect: Exposing the Tool Security Gap

The graph reveals a critical—and often ignored—weakness: the tool security gap. While organizations have processes to address security risks through what we might call “tool management,” this is largely reactive. It’s like installing an alarm system after a break-in. It doesn’t prevent the intrusion; it only helps manage the aftermath. What’s missing is the proactive work of analyzing and reducing risk before attackers strike.

This blind spot means we’re failing to perform proper risk analysis on our tools—failing to identify where attackers could exploit vulnerabilities—and we’re not implementing systematic risk reduction strategies to close those gaps. The result? A wide-open door for cyber threats.

It’s no surprise that attacks on the software supply chain are surging. Attackers target the weakest link. Instead of breaching a hardened final product, they compromise the tools used to build it. Injecting malicious code into a compiler, a library, or an open-source dependency can cascade into thousands of compromised products downstream.

This isn’t hypothetical. It’s happening. Headlines have shown the devastating impact of supply chain attacks. It’s time to close the tool security gap and apply the same rigor and discipline we use for safety to cybersecurity. The resilience of tomorrow’s systems depends on it.

Striking the Balance: A Unified Approach

The answer lies in adopting a holistic, integrated strategy that embeds security into every stage of the safety-critical development lifecycle. This is no longer about two separate tracks—it’s about one cohesive process.

This harmonized approach starts with a shift in mindset and introduces three key elements:

  • Dual Classification: Define both a Tool Risk Level (TRL) and a Tool Security Level (TSL) for structured assessment.

  • Clear Documentation Requirements: Include artifacts such as a tool classification report and a tool security manual to capture security needs.

  • Risk Reduction Measures: Apply mitigation strategies for critical tools, extending to full tool qualification for security—mirroring what we already do for safety.

By closing this gap, we ensure safety and security are addressed with equal rigor, creating a development process that is truly resilient.

The Road Ahead for Tool Users

For development teams, navigating this evolving landscape can feel overwhelming. Qualifying tools and libraries for both safety and security often demands significant time and resources. This is where expertise and automation become game-changers.

To manage these dual priorities effectively, organizations should:

  • Unify Safety and Security: Avoid treating them as separate silos. They must be managed by the same team or, at minimum, through close collaboration. The qualification process should operate as a single, integrated workflow.

  • Leverage Specialized Expertise: Partnering with experts like Validas accelerates progress. Their pre-qualified QKits and proven methodologies—continuously updated to align with emerging security standards—offer a substantial head start.

  • Adopt a Lifecycle Mindset: Qualification isn’t a one-off task. Tools and libraries evolve, and new security threats emerge constantly. A continuous, automated qualification process is the only sustainable way to maintain compliance and assurance.

Ultimately, the new equation of trust is simple: Safety + Security = Reliability and Resilience. The future of embedded systems depends on solving this equation—and it starts by ensuring the very foundations we rely on, our tools and libraries, are both functionally safe and cyber-secure.

Next Steps: Secure Your Toolchain Today

Don’t wait for an attack to expose your security gaps. Start closing the Tool Security Gap today. Connect with Validas experts to discover how our solutions can safeguard your development lifecycle.

Ready to take the next step? Schedule a free consultation—we’ll analyze your situation and guide you toward the right path forward.