We specialise in model-based autocode generation and hand-crafted C embedded software for safety-critical ECUs — MISRA-compliant, MAAB-reviewed, AUTOSAR-ready.
Safety-critical ECUs leave no margin for error. Whether the path is model-based autocoding or hand-crafted C, every line of software we deliver is MISRA-compliant, MAAB-reviewed, and verified against its originating requirements. Our engineers have deployed embedded software to production vehicles operating across ASIL-A through ASIL-D boundaries — from BMS and PDU controllers to EV powertrain ECUs.
Direct Simulink/Targetlink to MISRA C — with no manual post-processing. The model IS the specification, the test, and the deliverable.
AUTOSAR Classic SWCs with fully compliant ARXML, runnable-to-task mapping, and COM signal definitions — ready to integrate into any BSW stack.
Polyspace, MISRA checker, and peer-reviewed manual C — every path covered, every defect surfaced before the hardware arrives.
Every line of C we ship is either generated from a verified Simulink model or hand-authored to the same standard — MISRA-compliant, reviewed, and traceable to its requirement.
```c
/* Requirement: BMS_SW_REQ_042 — Contactor pre-charge sequence
 * ASIL: B | Generated: Simulink Embedded Coder | MISRA C:2012
 * DO NOT EDIT — changes must be made in the Simulink model */
#include "BMS_ContactorCtrl.h"
#include "BMS_Types.h"

/* State enumeration — maps to SWD ICD Rev 3.2 */
typedef enum {
    CTCR_OPEN      = 0U,
    CTCR_PRECHARGE = 1U,
    CTCR_CLOSED    = 2U,
    CTCR_FAULT     = 3U
} ContactorState_T;

/* BMS_SW_REQ_042: Pre-charge complete when ΔV < threshold.
 * ΔV is the magnitude of (bus - battery). During pre-charge the bus is still
 * below pack voltage, so the operands are ordered explicitly: an unsigned
 * (Bus - Batt) would wrap and report a huge ΔV for the whole ramp. */
static boolean_T BMS_IsPrechargeComplete(const BMS_Inputs_T *const in)
{
    uint16_T deltaV;
    if (in->BusVoltage_V >= in->BattVoltage_V) {
        deltaV = (uint16_T)(in->BusVoltage_V - in->BattVoltage_V);
    } else {
        deltaV = (uint16_T)(in->BattVoltage_V - in->BusVoltage_V);
    }
    return (deltaV < BMS_PRECHG_DELTA_V_THRESH);
}

/* Step function — called every 10 ms task */
void BMS_ContactorCtrl_Step(const BMS_Inputs_T *const in,
                            BMS_Outputs_T *const out,
                            BMS_DWork_T *const dw)
{
    switch (dw->ContactorState) {
    case CTCR_OPEN:
        out->PrechargeCmd = FALSE;
        out->MainCtcrCmd  = FALSE;
        if (in->CloseRequest && !in->FaultActive) {
            dw->ContactorState = CTCR_PRECHARGE;
            dw->PrechgTimer_ms = 0U;
        }
        break;

    case CTCR_PRECHARGE:
        out->PrechargeCmd = TRUE;
        out->MainCtcrCmd  = FALSE;
        dw->PrechgTimer_ms += 10U;
        if (in->FaultActive || !in->CloseRequest) {
            /* Abort pre-charge: never leave the resistor path energised */
            out->PrechargeCmd  = FALSE;
            dw->ContactorState = (in->FaultActive) ? CTCR_FAULT : CTCR_OPEN;
        } else if (BMS_IsPrechargeComplete(in)) {
            out->PrechargeCmd  = FALSE;
            out->MainCtcrCmd   = TRUE;
            dw->ContactorState = CTCR_CLOSED;
        } else if (dw->PrechgTimer_ms > BMS_PRECHG_TIMEOUT_MS) {
            /* Timeout: the bus never reached pack voltage, so closing the main
             * contactor onto an uncharged bus is not permitted. Latch the fault. */
            out->PrechargeCmd  = FALSE;
            dw->ContactorState = CTCR_FAULT;
        } else {
            /* Still pre-charging */
        }
        break;

    case CTCR_CLOSED:
        out->PrechargeCmd = FALSE;
        out->MainCtcrCmd  = TRUE;
        if (in->FaultActive || !in->CloseRequest) {
            out->MainCtcrCmd   = FALSE;
            dw->ContactorState = (in->FaultActive) ? CTCR_FAULT : CTCR_OPEN;
        }
        break;

    default: /* CTCR_FAULT — safe state, latched until an external reset */
        out->PrechargeCmd = FALSE;
        out->MainCtcrCmd  = FALSE;
        break;
    }
}
```
```text
╔══════════════════════════════════════════════════════════╗
║ POLYSPACE CODE PROVER — ANALYSIS SUMMARY                 ║
║ File: BMS_ContactorCtrl.c      Standard: MISRA C:2012    ║
╚══════════════════════════════════════════════════════════╝
── Run-Time Errors (RTE) ──────────────────────────────────
Overflow (signed)          ✓ PROVEN SAFE    [ 8 checks ]
Overflow (unsigned)        ✓ PROVEN SAFE    [ 4 checks ]
Division by zero           ✓ PROVEN SAFE    [ 2 checks ]
Out-of-bounds access       ✓ PROVEN SAFE    [ 6 checks ]
Illegal pointer            ✓ PROVEN SAFE    [ 3 checks ]
Unreachable code           ✓ PROVEN SAFE    [ 1 check  ]
── MISRA C:2012 Compliance ────────────────────────────────
Mandatory rules            ✓ PASS           [ 0 violations ]
Required rules             ✓ PASS           [ 0 violations ]
Advisory rules             ⚠ 1 deviation    [ justified ]
── Deviation: MISRA C:2012 Rule 10.3 ─────────────────────
Location: BMS_IsPrechargeComplete(), line 24
Reason:   Embedded Coder cast pattern — reviewed & approved
Reviewer: Lead SW Architect | Date: 2024-11-14
Status:   JUSTIFIED — ISO 26262 justification on file
── Code Complexity ───────────────────────────────────────
Cyclomatic complexity      4   (limit: 10)  ✓
Function length (lines)    38  (limit: 60)  ✓
Nesting depth              2   (limit: 4 )  ✓
── Result ────────────────────────────────────────────────
GREEN — All checks passed. Ready for ASIL-B review gate.
Report: BMS_CC_Polyspace_R001.pdf   SHA256: a3f9e2...
```
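As an added example (not the company's code or report above), a requirement-based scenario test for the pre-charge sequence: the BMS types, calibration values, the compact step function and the plant model are constructed stand-ins, since the page's BMS_Types.h and BMS_ContactorCtrl.h are not available here.

```c
#include <stdint.h>
#include <stdbool.h>
/* Constructed stand-ins for the page's BMS types/calibrations (real ones: BMS_Types.h) */
typedef struct { uint16_t BusVoltage_V, BattVoltage_V; bool CloseRequest, FaultActive; } BMS_Inputs_T;
typedef struct { bool PrechargeCmd, MainCtcrCmd; } BMS_Outputs_T;
typedef struct { uint8_t ContactorState; uint16_t PrechgTimer_ms; } BMS_DWork_T;
enum { CTCR_OPEN, CTCR_PRECHARGE, CTCR_CLOSED, CTCR_FAULT };
#define BMS_PRECHG_DELTA_V_THRESH 10U  /* constructed calibration, volts */
#define BMS_PRECHG_TIMEOUT_MS     500U /* constructed calibration */

/* Compact stand-in for BMS_ContactorCtrl_Step: same states; a timeout latches FAULT. */
static void ctcr_step(const BMS_Inputs_T *in, BMS_Outputs_T *out, BMS_DWork_T *dw)
{
    /* |bus - batt| with the operands ordered so the unsigned subtraction never wraps */
    uint16_t dv = (in->BusVoltage_V >= in->BattVoltage_V) ? (uint16_t)(in->BusVoltage_V - in->BattVoltage_V)
                                                          : (uint16_t)(in->BattVoltage_V - in->BusVoltage_V);
    out->PrechargeCmd = false; out->MainCtcrCmd = false;      /* de-energised unless set below */
    if (dw->ContactorState == CTCR_FAULT) { /* latched safe state, needs an external reset */ }
    else if (in->FaultActive)   { dw->ContactorState = CTCR_FAULT; }
    else if (!in->CloseRequest) { dw->ContactorState = CTCR_OPEN; }
    else if (dw->ContactorState == CTCR_OPEN) { dw->ContactorState = CTCR_PRECHARGE; dw->PrechgTimer_ms = 0U; }
    else if (dw->ContactorState == CTCR_PRECHARGE) {
        dw->PrechgTimer_ms += 10U;
        if (dv < BMS_PRECHG_DELTA_V_THRESH) { dw->ContactorState = CTCR_CLOSED; out->MainCtcrCmd = true; }
        else if (dw->PrechgTimer_ms > BMS_PRECHG_TIMEOUT_MS) { dw->ContactorState = CTCR_FAULT; } /* bus never came up */
        else { out->PrechargeCmd = true; }
    }
    else { out->MainCtcrCmd = true; }                          /* CTCR_CLOSED */
}

/* Requirement-based scenario for BMS_SW_REQ_042 over 100 x 10 ms cycles against a constructed
 * plant model. Returns the final state, or -1 if the main contactor was ever commanded while
 * dV >= threshold. bus_rises=false models a bus that stalls at 200 V (e.g. open pre-charge path). */
int run_precharge_scenario(bool bus_rises)
{
    BMS_Inputs_T in = { 0U, 400U, true, false };
    BMS_Outputs_T out = { false, false };
    BMS_DWork_T dw = { CTCR_OPEN, 0U };
    for (int cycle = 0; cycle < 100; cycle++) {
        ctcr_step(&in, &out, &dw);
        if (out.MainCtcrCmd && ((uint16_t)(in.BattVoltage_V - in.BusVoltage_V) >= BMS_PRECHG_DELTA_V_THRESH)) {
            return -1;                                         /* REQ_042 violated */
        }
        /* Plant: bus charges 20 V per cycle while the pre-charge path is commanded */
        if (out.PrechargeCmd && (in.BusVoltage_V < (bus_rises ? 400U : 200U))) { in.BusVoltage_V += 20U; }
    }
    return dw.ContactorState;      /* expected: CTCR_CLOSED if bus_rises, else CTCR_FAULT */
}
```

The healthy bus closes the main contactor only once ΔV is inside the threshold; the stalled bus ends in CTCR_FAULT after the 500 ms timeout with both contactors de-energised, which is the case a review gate should see exercised.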
LLM-powered static analysis that goes beyond MISRA rule-checking — identifying logical inconsistencies, unreachable states, and requirement gaps that traditional tools miss.
Machine learning models trained on embedded C patterns automatically suggest optimised implementations for time-critical interrupt service routines and tight memory footprints.
Our upcoming tool will generate MISRA-compliant C directly from natural language intent — bridging the gap between what engineers describe and what the ECU executes.
Model-based autocode generation from Simulink/ASCET/Targetlink UML models
Manual C embedded software development for safety-critical ECUs
AUTOSAR Classic application software components (SWC, ARXML)
MISRA C and MAAB guideline compliance review
Code review, static analysis, and software quality assurance
Our roadmap includes LLM-powered MISRA C generation from natural language intent — making embedded software development faster and more reliable.