Certification of Model-based Code Generators – Open Problems and Possible Solutions
Abstract
Model-based development and automatic code generation have become an established approach in embedded software development for both the automotive and avionics sectors. The use of a code generator can lead to significant improvements in productivity in the software implementation phase. Moreover, early quality assurance at the model level can lead to a higher level of code quality. However, automotive or avionic software is very often deployed in safety-critical systems and as a result must not contain errors. In this context it is crucial that the use of a code generator and its tool chain (editor, compiler, linker, loader, etc.) does not introduce errors into the target system that then remain undetected. In general, this cannot be fully avoided even when using a code generator proven to be ‘correct-by-construction’. Inappropriate modeling or the faulty configuration of the code generator could, for example, lead to erroneous generated code. This paper discusses how code generators and generated code can be safeguarded by means of tool certification (also termed qualification in the avionics sector) with respect to the safety standards that are relevant for the automotive and avionics sectors. Specific, tool-related problems will be discussed and illustrated with practice-relevant examples; possible solutions for safeguarding model-based code generators will be presented.
Origin: Files produced by the author(s)