Using RocqStat and VectorCAST to Prove Temporal Behavior for Compliance

Proving timing behavior matters now: using RocqStat + VectorCAST for audit-grade evidence

Hook: If you build real-time software for automotive or industrial control, you already know a missed deadline can become a safety incident—and a regulator's audit finding. Generating credible, verifiable timing evidence (WCET reports, path analyses, instrumented traces) is no longer optional. In 2026, with Vector Informatik’s acquisition of RocqStat and the announced integration into VectorCAST, teams have a practical path to produce timing analysis outputs that satisfy safety certification bodies and internal auditors.

Executive summary — what this article gives you

This article explains how to turn timing-analysis outputs into audit artifacts suitable for safety certifications (ISO 26262, IEC 61508) and industrial compliance programs. You’ll get:

• Why timing evidence is increasingly required in 2026
• Which RocqStat/VectorCAST artifacts matter for audits
• Concrete, reproducible steps to produce, sign, and retain WCET reports
• CI/CD and incident-response patterns for timing evidence
• Data-retention and GDPR-safe practices for audit logs

Why timing evidence matters now (2026 trends)

By late 2025 and early 2026 regulators and OEMs accelerated scrutiny on timing safety. Two major forces drive this shift:

• Software-defined vehicles and industrial controllers now run complex scheduling and mixed-criticality workloads; proving worst-case execution times (WCET) is essential to showing deadlines are met.
• Auditors expect verifiable artifacts that link requirements to verification activities — not just assertions. Timing analysis outputs are the natural evidence for real-time behavior.

On January 16, 2026, Vector Informatik announced its acquisition of StatInf’s RocqStat technology and team, and committed to integrating it into VectorCAST. That move signals industry consolidation toward unified verification and timing analysis toolchains — a practical win for teams that want single-source, traceable evidence for audits and safety certification.

Source: Automotive World, Vector buys RocqStat to boost software verification (Jan 16, 2026)

What auditors want: the anatomy of timing evidence

Auditors (internal and external) typically accept timing evidence when it meets three qualities: traceability, reproducibility, and authenticity. Translate those qualities into concrete artifacts:

• WCET reports — conservative upper bounds for execution time, with assumptions, measurement points, configuration, and tool versions.
• Path analyses — annotated control-flow or call-graph slices that explain the worst-case path and how it's calculated.
• Instrumentation traces — timestamped runtime logs showing representative executions and coverage of timing-relevant code.
• Environment and model files — hardware models, CPU timing parameters, compiler flags, and OS configuration used for analysis.
• Verification traceability — links from requirements to test cases, and test execution evidence produced by VectorCAST (merged with timing outputs from RocqStat).
• Signed metadata — cryptographic signatures, tool hashes, and timestamp authorities to prove authenticity and non-repudiation.

How RocqStat + VectorCAST improves compliance workflows

RocqStat specializes in WCET estimation and timing analysis; VectorCAST provides unit, integration, and structural test automation with traceability to requirements. When integrated, the combined toolchain helps you create a coherent evidence package where timing analysis results link directly to tests and requirements. Benefits for compliance:

• Unified evidence — one source of truth for verification and timing results reduces audit friction.
• Reproducibility — automated runs in CI produce the same artifacts with the same toolchain, reducing variance in reviewer evidence.
• Context-rich reports — timing outputs can be embedded alongside test harnesses, sample inputs, and configuration snapshots.

Practical: building audit-grade WCET reports (step-by-step)

The following is a practical workflow you can adapt today. It assumes you have access to RocqStat and VectorCAST (or similar tools) and a CI system (Jenkins/GitHub Actions/GitLab CI). Each step emphasizes traceability and evidence integrity.

1) Lock and record the analysis environment

Before running timing analysis, create an immutable snapshot of the environment.

1. Record tool versions: RocqStat binary hash, VectorCAST version, compiler and linker versions, OS kernel, and libc versions. Example:

sha256sum rocqstat-2026.01.1/bin/rocqstat
gcc --version >> build/env.txt
uname -a >> build/env.txt

Store env.txt in your artifacts storage and include the SHA256 of the tool binaries in the report.

2) Capture the exact build and platform model

WCET depends on compiler optimizations and hardware. Include:

• Compiler flags (CFLAGS, LDFLAGS)
• Binary image with checksum
• Processor model and timing parameters (cache sizes, pipeline assumptions, timer granularity)
• RTOS configuration (tick rate, scheduling policy)

3) Run deterministic analysis and retain logs

Run RocqStat’s analysis and keep:

• The generated WCET report
• Analysis logs (verbose mode) showing the call graph and any assumptions or path pruning
• Intermediate models (annotated control-flow graphs or timing-model snapshots)

4) Link timing outputs to test evidence from VectorCAST

Embed timing outputs into VectorCAST test cases and include traceability matrices so an auditor can follow a requirement to test to WCET:

Requirement: R-ENG-001
Unit tests: UT-foo.c
VectorCAST run: vectorcast/results/UT-foo-20260117.xml
RocqStat WCET: rocqstat/results/foo-wcet-20260117.pdf

5) Sign and timestamp artifacts

Use GPG or an enterprise signing service and a trusted timestamp authority (TSA) so artifacts cannot be repudiated:

gpg --output foo-wcet-20260117.pdf.sig --detach-sig foo-wcet-20260117.pdf
# Optionally timestamp the signature using RFC 3161 TSA

Store signatures alongside the artifacts in an immutable artifact repository.

6) Produce an audit package and index

Generate a single ZIP/TAR that contains:

• WCET report, signed and timestamped
• VectorCAST test artifacts and test results
• Environment snapshot and checksums
• Traceability matrix and assessor notes

Checklist: what to include in an audit-grade WCET report

Make it easy for assessors — include these sections in every WCET output:

• Executive summary: what was analyzed, top-level WCET values and claims
• Scope: code boundaries, excluded modules, and assumptions
• Environment: toolchain versions, hardware model, compiler flags
• Methodology: static/deterministic analysis settings, measurement methods
• Worst-case path: annotated source listing or control-flow slice
• Confidence and coverage: path coverage, testing performed, measurement instrumentation
• Change log: what changed since previous report and how it affects timing
• Signatures & timestamps: cryptographic proof of report origin

Integrating timing evidence into CI/CD

Auditors prefer automated, repeatable processes. Integrate RocqStat and VectorCAST into CI to generate trusted evidence on every merge:

1. Trigger build & test on merge request; produce VectorCAST results.
2. Run RocqStat analysis in an isolated, versioned runner (container or VM) with environment snapshotting.
3. Store artifacts in an immutable artifact store (e.g., Artifactory, S3 with Object Lock) and run automated signing using a CI runner with limited key access.
4. Publish a human-readable audit index and machine-readable metadata (JSON) for quick audits.

Pro tip: Use reproducible builds and immutable containers so your WCET results are reproducible across audit requests.

Incident response and change management: preserving evidence

When a timing violation is suspected, you need a defensible evidence chain. Include these steps in your playbook:

• Freeze the relevant release branch and tag the commit.
• Run RocqStat/VectorCAST analysis with the tagged binary; sign the results immediately.
• Collect runtime traces from the incident system and map them to static analysis paths.
• Log corrective actions, verification reruns, and assessor approvals into your change-management system.

For learnings about running security and incident programs that preserve evidence, see approaches like running coordinated vulnerability programs and lessons from cloud-storage incident exercises (running a bug bounty for your cloud storage platform).

Data retention, GDPR and audit logs

Timing artifacts are usually technical artifacts, but they can contain personal data (e.g., trace logs that include usernames or telemetry identifiers) in some industrial telematics contexts. Follow these practices to satisfy GDPR and enterprise governance:

• Minimize: Avoid storing identifiable personal data in WCET reports when possible. Strip or pseudonymize identifiers before archiving.
• Retention policy: Define retention windows for audit artifacts. Safety-relevant evidence often requires multi-year retention (align with ISO 26262 project retention recommendations), but justify retention with a data-processing record.
• Access controls: Use RBAC and SSO for artifact access; log every download and sign-off in your SIEM for auditability.
• Immutability: Use WORM or object-locking to prevent retroactive changes to evidence, and log who requested and approved any retention exceptions.

Hardening evidence authenticity (advanced)

For high-assurance systems, add these layers:

• Detached signatures with hardware security modules (HSMs) to keep private keys secure.
• Trusted timestamping (RFC 3161) to prove the artifact existed at a certain time; combine with detached signatures and timestamp authorities for stronger non-repudiation (transparency logs and trust scoring can help auditors evaluate your chain).
• Transparency logs or append-only ledgers for public accountability in multi-supplier ecosystems — in 2026 more OEMs expect third-party verification of critical artifacts.
• SBOM and hash-chain linking: include the Software Bill of Materials (SBOM) and hash-chain each artifact for tamper-evidence.

Common audit questions — and how to answer them

Below are questions auditors frequently ask and a short template answer you can adapt:

Q: How do you ensure the WCET is conservative?

A: We combine static analysis (RocqStat) with controlled micro-benchmarks and representative traces. The WCET report documents all assumptions, and VectorCAST unit tests show coverage of timing-critical paths.

Q: How do we know the report corresponds to the shipped binary?

A: Every report includes binary checksums (SHA256) and a build manifest. The build manifest is signed and timestamped using our HSM-backed CI credential so we can prove the artifact corresponds exactly to the analyzed binary.

Q: How are changes handled post-certification?

A: We use a gated release process. Any change impacting timing triggers a mandatory RocqStat re-run and updated WCET report. Change approvals and verifier signatures are stored in the artifact repository and cross-referenced in the safety-case documentation.

Case example (compact): proving a deadline for an ECU task

Scenario: An ECU task processing sensor fusion data must complete within 5 ms. Steps taken:

1. Isolate task code; produce a minimal binary and run RocqStat to compute WCET = 4.3 ms with documented assumptions.
2. Run VectorCAST unit tests to validate control-flow paths and gather coverage metrics showing the WCET path is covered by tests UT-123 and UT-124.
3. Sign and timestamp the WCET report and VectorCAST results; store them in immutable archive with a traceability matrix linking ECU requirement to reports.
4. During audit, present the package: requirement > test cases > signed WCET > environment snapshot. Auditor verifies checksums and signatures and accepts the evidence.

Risks and mitigations

Timing evidence is powerful, but be aware of pitfalls:

• Over-reliance on single method: Combine static and measurement-based evidence to increase confidence.
• Environment drift: Keep hardware timing models updated and rerun WCET after toolchain or platform changes.
• Poor traceability: Embed identifiers in every artifact so auditors can map each report to a specific commit/release.

Future predictions (2026–2028)

Expect these trends to shape timing-evidence practices:

• Consolidated toolchains: Following Vector’s acquisition of RocqStat, integrated suites that couple dynamic testing and timing analysis will become the default for OEMs and Tier-1s.
• Standardized evidence schemas: The industry will push machine-readable evidence formats for WCET and verification artifacts to ease automated compliance checks.
• Third-party attestations: Independent timing attestation services will arise, offering cross-vendor verification for multi-supplier supply chains.

Actionable takeaways — what to do this month

1. Inventory timing-critical software and identify the top 10 tasks by safety impact.
2. Start generating WCET reports and store them with checksums and signatures in an immutable artifact store.
3. Integrate RocqStat runs into CI (or prepare to integrate once VectorCAST/RocqStat integration is available) and automate environment snapshotting.
4. Define retention and pseudonymization rules for evidence to meet GDPR and enterprise governance.

Conclusion & call-to-action

In 2026, timing evidence is a first-class citizen of safety cases and audit artifacts. The RocqStat technology, now under Vector Informatik’s umbrella and slated for integration with VectorCAST, makes it practical to produce reproducible, traceable WCET reports that auditors accept. Shift from ad-hoc measurement to a disciplined, automated evidence pipeline: lock environments, sign artifacts, and retain them under enterprise controls.

Ready to make timing evidence audit-ready? Start by running a pilot: pick a safety-critical task, generate a signed WCET package using your current tools, and map it to your requirements in VectorCAST. If you need a compliance review or CI playbook template, contact our team for a hands-on audit readiness workshop.

Related Reading

• Trust scores for security telemetry vendors (useful for transparency & attestation)
• Privacy policy templates and data-minimization guidance for archival evidence
• Building developer platforms & CI integrations for reproducible evidence
• Immutable artifact storage and cloud-native hosting patterns
• How to Spot Fake Trading Card Boxes (Amazon, eBay and Marketplace Tips)
• Designing Virtual Classrooms Without VR: Lessons from Meta’s Workrooms Shutdown
• From JPM Billboards to Celeb Ads: How Biotech Is Using AI-Driven Visuals
• Cashtags to DOIs: Mapping Financial Tagging Ideas to Scholarly Identifiers
• Constructing a Low-Cost Hedge for Ford Exposure While Europe Strategy Is Rebalanced