ISO 26262 Part 6: Software Development Process Explained (MISRA, MC/DC & Testing Guide)
Hello, automotive embedded software engineers, safety engineers, and development managers! ISO 26262 Part 6 is the part of the standard that most directly affects your daily work if you write, review, test, or manage software for safety-relevant automotive ECUs. It defines the requirements for the complete software development lifecycle – from software safety requirements specification, through architectural design and unit implementation, to unit verification, integration testing, and verification of software safety requirements.
In this comprehensive walkthrough at PiEmbSysTech, we will walk through every clause of Part 6 – covering what each clause requires, what the ASIL-dependent methods are, how MISRA coding guidelines fit in, how MC/DC structural coverage works, and the complete software V-model traceability. This is the practical companion to our Part 6 reference article, designed as a step-by-step guide you can follow while developing safety software. Let us begin.
ISO 26262 Part 6: Software Development Table of Contents
1. Scope of Part 6 – What It Covers and What It Does Not
Part 6 addresses systematic failure avoidance and management in safety-related software. Unlike Part 5 (hardware), which focuses on random hardware failures and quantitative metrics, Part 6 focuses on preventing and detecting systematic errors in the software design, implementation, and verification process. Software does not have “random failures” in the ISO 26262 sense – every software failure is deterministic and stems from a design or implementation error.
Part 6 covers the software development sub-lifecycle within the ISO 26262 product development phase, from specification of software safety requirements through software architectural design, unit design and implementation, unit verification, software integration and testing, to verification of software safety requirements. It does not cover system-level integration (that is Part 4) or hardware development (Part 5).
2. The Software V-Model – Left Side and Right Side
The software V-model organizes Part 6 activities into a left side (specification/design – top-down) and a right side (verification/testing – bottom-up), connected by horizontal traceability:
Left side (top-down): Software Safety Requirements (Clause 5) → Software Architectural Design (Clause 6) → Software Unit Design and Implementation (Clause 7)
Right side (bottom-up): Software Unit Verification (Clause 8) → Software Integration and Testing (Clause 9) → Verification of Software Safety Requirements (Clause 10)
Each right-side activity verifies the corresponding left-side specification: unit verification verifies unit design, integration testing verifies the architectural design, and SSR verification verifies the software safety requirements against the TSR. This mirrored structure ensures that every requirement is verified and every test traces back to a specification.
3. Part 6 Clause Structure Overview (Clauses 5–11)
Clause 5: Initiation of product development at software level – establishes the software development plan and environment.
Clause 6: Specification of software safety requirements (SSR).
Clause 7: Software architectural design.
Clause 8: Software unit design and implementation.
Clause 9: Software unit verification.
Clause 10: Software integration and testing.
Clause 11: Verification of software safety requirements.
Each clause contains normative requirements, informative notes, and ASIL-dependent tables that specify which methods are recommended (R), highly recommended (HR), or not specifically recommended at each ASIL level.
4. Clause 6 – Software Safety Requirements Specification (SSR)
The Software Safety Requirements (SSRs) are derived from the Technical Safety Requirements (TSRs) allocated to software elements by the TSC and the Hardware-Software Interface (HSI) specification. The SSRs define what the software must do to contribute to the safety goals — expressed in implementation-independent terms.
SSRs must address: the software’s contribution to achieving each safety goal, software safety mechanisms (fault detection, fault handling, degradation), timing constraints derived from the FTTI, data integrity requirements, and software’s interaction with the hardware (through the HSI). Each SSR inherits the ASIL of the TSR it implements. The SSRs form the top-level input to the software V-model and the reference against which the software is ultimately verified (Clause 11).
5. Clause 7 – Software Architectural Design
The software architectural design defines the structure of the software in terms of software components, their interfaces, their interactions (data flow and control flow), and the allocation of SSRs to software components. Part 6 Clause 7 requires that the software architecture describe the static structure (hierarchy of components, interfaces, and dependencies – typically modeled using UML class or component diagrams), the dynamic behavior (control flow, task scheduling, inter-component communication – typically modeled using UML sequence or state diagrams), and the allocation of safety requirements to specific components.
The software architectural design must address several safety-specific concerns, including how Freedom from Interference (FFI) is achieved between software components of different ASILs, how safety mechanisms are implemented in the software architecture, and how the software interacts with hardware safety mechanisms defined in the HSI.
6. Software Architecture Safety Principles – FFI, Redundancy, Diversity
Part 6 Clause 7 Table 1 lists the design principles applicable to the software architectural design:
Hierarchical structure of software components: The software should be organized in a clear hierarchical structure with well-defined interfaces between layers.
Restricted size of software components: Components should be small enough to be comprehensible, testable, and maintainable. Large monolithic components are harder to verify.
Restricted size of interfaces: Interfaces between components should be minimal – only the necessary data should be exchanged.
Strong cohesion within components and loose coupling between components: Each component should perform a single, well-defined function (high cohesion) with minimal dependencies on other components (loose coupling).
Scheduling mechanism appropriate for the safety-related functions: The task scheduling (priority-based, time-triggered) must ensure that safety-related tasks execute within their timing constraints – even when non-safety tasks are present.
Restricted use of interrupts: Interrupts can cause unexpected interference between components. Their use should be restricted and their behavior documented.
Appropriate spatial isolation (memory protection): Using MPU/MMU mechanisms to prevent non-safety software from corrupting safety-relevant memory regions.
7. Architectural Notations by ASIL – Informal to Formal
| Notation Type | ASIL A | ASIL B | ASIL C | ASIL D |
|---|---|---|---|---|
| Informal | HR | HR | R | R |
| Semi-formal | R | HR | HR | HR |
| Formal | — | – | R | R |
Informal: Natural language descriptions, block diagrams. Semi-formal: UML diagrams, AUTOSAR architecture descriptions, Simulink models. Formal: Mathematically precise notations (Z notation, B method, model checking languages) – rarely used in practice for automotive software due to the expertise required, but recommended for ASIL D critical components.
8. Clause 8 – Software Unit Design and Implementation
The software unit is the smallest testable entity – typically a C function or a small group of closely related functions. Part 6 Clause 8 requires that the software unit design describe the unit’s detailed behavior, and that the implementation follows the coding guidelines and design principles established in the project.
The unit design should clearly specify the function’s purpose, input parameters, output values, pre-conditions, post-conditions, error handling, and timing behavior. The implementation must follow the project’s coding standard (MISRA) and apply the design principles from Part 6 Table 5 (such as limited complexity, no dynamic memory allocation in safety code, no recursion, range checking of inputs).
9. Coding Guidelines – MISRA C:2023 and MISRA C++:2023
MISRA C and MISRA C++ are the de facto coding standards for automotive safety-related software. ISO 26262 Part 6 Clause 8 explicitly recommends the use of coding guidelines including language subsets, and MISRA is the most widely adopted choice in the automotive industry.
MISRA C:2023 (the current edition) contains 175 guidelines categorized as mandatory (must be followed), required (must be followed with documented deviations), and advisory (should be followed where practical). The guidelines prevent the use of undefined, unspecified, and implementation-defined behaviors of the C language that could lead to unpredictable runtime behavior.
MISRA C++:2023 provides equivalent guidelines for C++ codebases, addressing the larger language feature set of C++ including templates, exceptions, and dynamic polymorphism.
The MISRA Compliance:2020 framework defines how to claim MISRA compliance for a project. It requires a Guideline Re-categorization Plan (GRP) (documenting which guidelines apply), a Guideline Enforcement Plan (GEP) (documenting how guidelines are checked – typically via static analysis tools), and documented deviations for any required rule violations with justification that the violation does not compromise safety.
10. Software Design Principles – The Part 6 Tables
Part 6 Table 5 specifies software design principles applicable to unit design and implementation. Key principles include: limited use of pointers, no dynamic memory allocation after initialization, no recursion, enforcement of strong typing, range checking of input values, use of defensive programming techniques, limited complexity (e.g., cyclomatic complexity targets), use of naming conventions, and enforcement of style guides. These principles become increasingly important at higher ASILs – what is “recommended” at ASIL A becomes “highly recommended” at ASIL C and D.
11. Clause 9 – Software Unit Verification
Software unit verification confirms that each software unit correctly implements its design specification. Part 6 Clause 9 requires both static verification (code review, static analysis) and dynamic verification (unit testing). The verification methods and their ASIL applicability are specified in Part 6 Tables 7, 8, and 9.
12. Unit Testing Methods by ASIL
| Method | ASIL A | ASIL B | ASIL C | ASIL D |
|---|---|---|---|---|
| Requirements-based testing | HR | HR | HR | HR |
| Interface testing | HR | HR | HR | HR |
| Fault injection testing | R | R | HR | HR |
| Resource usage evaluation | HR | HR | HR | HR |
| Back-to-back comparison testing | R | R | R | R |
HR = Highly Recommended, R = Recommended
Test case derivation methods (Part 6 Table 8) include analysis of requirements, analysis of boundary values, error guessing, equivalence class partitioning, and for ASIL C/D, analysis of the data and control flow.
13. Structural Coverage – Statement, Branch, MC/DC
| Coverage Type | ASIL A | ASIL B | ASIL C | ASIL D |
|---|---|---|---|---|
| Statement coverage | HR | HR | R | R |
| Branch coverage | R | HR | HR | HR |
| MC/DC | — | R | HR | HR |
Statement coverage: Every executable statement is executed at least once. The simplest form — verifies code reachability but does not verify decision logic.
Branch coverage (Decision coverage): Every branch of every decision (if/else, switch case, loop conditions) is executed at least once (both true and false). Verifies that all decision paths are tested.
MC/DC (Modified Condition/Decision Coverage): The most rigorous coverage metric. Requires that every condition within a compound decision is shown to independently affect the decision outcome. MC/DC subsumes both statement and branch coverage.
14. MC/DC Explained – Modified Condition/Decision Coverage
MC/DC requires that for every condition in a compound decision, there exists a pair of test cases where only that condition changes value, and the decision outcome changes. Consider the decision: if (A && B).
To achieve MC/DC for this 2-condition decision, we need test cases that show each condition independently affects the outcome:
| Test Case | A | B | Result (A && B) | Purpose |
|---|---|---|---|---|
| TC1 | TRUE | TRUE | TRUE | Base case: both true |
| TC2 | FALSE | TRUE | FALSE | A changed: TC1↔TC2 shows A independently affects result |
| TC3 | TRUE | FALSE | FALSE | B changed: TC1↔TC3 shows B independently affects result |
For N conditions, MC/DC requires a minimum of N+1 test cases (versus 2N for exhaustive testing). For a decision with 8 conditions, MC/DC requires only 9 test cases instead of 256 – a dramatic reduction while still verifying that each condition matters. This is why MC/DC is the standard for safety-critical software – it provides strong evidence of thorough testing without the exponential cost of exhaustive coverage.
15. Clause 10 – Software Integration and Testing
Software integration testing verifies that software components interact correctly as defined in the software architectural design. Integration testing is performed incrementally – components are integrated one at a time and tested at each integration step. The integration testing methods follow the same ASIL-dependent tables as unit testing (requirements-based testing, interface testing, fault injection). Integration testing verifies the interfaces between components, the correct data flow, the timing behavior, and the resource usage of the integrated software.
16. Clause 11 – Verification of Software Safety Requirements
This is the top-right corner of the software V-model. Clause 11 requires verification that the complete integrated software meets all Software Safety Requirements (SSRs). This is typically accomplished through system-level software testing on the target hardware, back-to-back testing (model vs code), and review of all verification evidence. The SSR verification confirms that the software achieves its intended safety contribution as specified by the TSC.
17. Static Analysis – Tools, Methods, and ASIL Requirements
Static analysis examines the source code without executing it – identifying potential defects, coding standard violations, data flow anomalies, and unreachable code. Part 6 requires static analysis as a verification method, with the following common tool categories:
MISRA checkers: Polyspace (MathWorks), Coverity (Black Duck), PC-lint Plus, LDRA TBvision, QA-MISRA (QA Systems), Parasoft C/C++test, Klocwork (Perforce). These tools verify compliance with MISRA C/C++ guidelines and generate deviation reports.
Data flow analyzers: Identify potential runtime errors (division by zero, null pointer dereference, buffer overflow, uninitialized variable access) through abstract interpretation or symbolic execution. Polyspace Code Prover and Astrée are industry-leading tools for this purpose.
Complexity analyzers: Calculate cyclomatic complexity, function length, nesting depth, and other HIS (Hersteller Initiative Software) metrics that indicate code maintainability and testability.
18. Software Tool Qualification for Part 6 Activities
Any software tool used in the development or verification of safety-related software must be evaluated for its Tool Confidence Level (TCL) as defined in Part 8, Clause 11. Tools with high impact on safety (such as compilers, code generators, and test coverage tools) may require formal tool qualification. Static analysis tools (MISRA checkers), unit testing frameworks (Cantata, VectorCAST, Tessy), and code coverage tools are particularly important – their ability to correctly detect defects or measure coverage is directly relied upon for the safety argument. Many tool vendors (Parasoft, QA Systems, LDRA, MathWorks) provide TÜV-certified tools and tool qualification kits to simplify this process.
19. Model-Based Development and Back-to-Back Testing
Model-based development (MBD) using tools like MATLAB/Simulink, TargetLink, or Embedded Coder is widely used in automotive software development. ISO 26262 Part 6 supports MBD and requires that the modeling guidelines serve as coding guidelines for the model (equivalent to MISRA for hand-coded C). Back-to-back testing compares the behavior of the model against the generated code (model-in-the-loop vs software-in-the-loop vs hardware-in-the-loop) to verify that the code generation process does not introduce errors. Back-to-back testing is recommended for all ASILs and highly recommended for ASIL C and D.
20. Bidirectional Traceability – Requirements to Code to Tests
ISO 26262 requires bidirectional traceability throughout the software development lifecycle. Every SSR must trace forward to the software architectural components, unit design elements, and source code that implement it. Every SSR must trace forward to the test cases that verify it. Every test case must trace backward to the requirement it verifies. Every line of code must trace to the requirement it implements. This traceability ensures completeness (no requirement is unimplemented or untested), correctness (no code exists without a corresponding requirement), and change impact analysis (when a requirement changes, all affected code and tests are immediately identifiable). Requirements management tools (IBM DOORS, Polarion, Jama Connect, codebeamer) provide automated traceability support.
21. Key Work Products of Part 6
Part 6 generates the following key work products: the software safety requirements specification, the software architectural design document, the software unit design and implementation (source code and detailed design), the software verification plan, the software unit verification report (unit test results and coverage data), the software integration test report, the software safety requirements verification report, the static analysis report (MISRA compliance, data flow analysis), and the software configuration management records (version control, change history, build configuration).
22. Common Mistakes and How to Avoid Them
Mistake 1: Treating MC/DC as a checkbox exercise. Achieving 100% MC/DC coverage without meaningful test cases produces coverage without quality. Test cases should be derived from requirements first, then coverage analysis reveals gaps – not the other way around.
Mistake 2: Applying MISRA rules without a Guideline Re-categorization Plan. Blindly applying all MISRA rules without considering which are relevant to the project’s ASIL and technology leads to excessive deviation effort. The GRP documents which rules apply and why.
Mistake 3: Neglecting static analysis until late in development. Running static analysis only before release produces a flood of findings that are expensive to fix. Integrate static analysis into the daily development workflow (CI/CD pipeline) from day one.
Mistake 4: Insufficient software architectural design documentation. Jumping directly to coding without documenting the software architecture makes verification difficult and increases the risk of FFI violations.
Mistake 5: Not qualifying the test tools. Relying on unqualified test coverage tools for ASIL C/D projects creates a compliance gap. Ensure that compilers, coverage tools, and test frameworks have appropriate TCL classification and qualification evidence.
Mistake 6: Not maintaining traceability as the code evolves. Traceability established at the beginning of the project becomes stale as requirements change and code evolves. Automate traceability maintenance through tool integration.
23. Frequently Asked Questions
Q1: Is MC/DC mandatory for ASIL D?
MC/DC is “highly recommended” (HR) for ASIL C and D. In ISO 26262, “highly recommended” is not mandatory in the strict sense – but if you choose not to apply an HR method, you must provide a documented rationale explaining why an alternative method achieves equivalent assurance. In practice, virtually all ASIL D projects use MC/DC because the alternative justification burden is typically greater than the effort of achieving MC/DC coverage.
Q2: Can I use C++ for safety-critical automotive software?
Yes, with restrictions. MISRA C++:2023 provides the guidelines for safe use of C++ in automotive. Key restrictions include limitations on dynamic polymorphism, exceptions, templates, and dynamic memory allocation in safety-critical code paths. Many AUTOSAR Adaptive applications use C++ with MISRA C++ compliance.
Q3: What is the difference between software verification and software validation?
Verification confirms that the software meets its specification (“are we building the product right?”). Validation confirms that the software achieves the intended safety behavior in the vehicle context (“are we building the right product?”). Part 6 covers verification. Validation is part of the system-level safety validation in Part 4.
Q4: How does AUTOSAR affect ISO 26262 Part 6 compliance?
AUTOSAR provides a standardized software architecture framework that aligns well with Part 6 requirements. AUTOSAR’s layered architecture (MCAL, BSW, RTE, Application Layer) provides natural component boundaries for FFI, and AUTOSAR’s configuration-based approach enables systematic verification. AUTOSAR BSW components are commonly developed as SEooC by supplier companies.
Q5: What target structural coverage percentage should I aim for?
ISO 26262 does not specify a numerical percentage – it requires the appropriate coverage type for the ASIL level (statement, branch, or MC/DC). In practice, most projects target 100% of the applicable coverage type for safety-relevant code, with documented justification for any uncoverable code (dead code analysis, defensive code justification).
24. Conclusion
ISO 26262 Part 6 provides the comprehensive framework for developing safety-relevant automotive software. From SSR specification through architectural design, unit implementation with MISRA compliance, unit verification with structural coverage, integration testing, to final SSR verification – Part 6 ensures that systematic software errors are prevented, detected, and managed through a rigorous, ASIL-appropriate development lifecycle.
This article is part of our comprehensive ISO 26262 series at PiEmbSysTech. For the foundational Part 6 reference, see Part 6 – Software Development & MISRA.
Stay safe. Stay tested. Keep engineering the future.
— The PiEmbSysTech Team
Discover more from PiEmbSysTech - Embedded Systems & VLSI Lab
Subscribe to get the latest posts sent to your email.
