Coding Guidelines (MISRA, CERT) - Functional Safety (ISO 26262)

MISRA C:2012 in ISO 26262 Context

ASIL Level	MISRA Requirement	Deviation Process
QM	Not required by standard; best practice	N/A
ASIL-A/B	MISRA C:2012 mandatory rules required	Deviations must be justified and reviewed
ASIL-C	MISRA C:2012 mandatory + advisory rules recommended	Deviations reviewed by independent party (I1)
ASIL-D	Full MISRA C:2012 compliance (mandatory + advisory); or equivalent justified alternative	Deviations require formal deviation report; I2 review; assessor may challenge

Most Safety-Critical MISRA C:2012 Rules

Rule	Category	Rationale	Common Violation
Rule 14.3	Required	Controlling expressions shall not be invariant (dead code)	if (x == 1 && x == 2) — impossible condition; dead code hides bugs
Rule 15.5	Required	Function shall have single point of exit	Multiple returns make coverage measurement harder; harder to trace
Rule 10.1	Required	Operands shall not be of an inappropriate essential type	Implicit int/float conversion; precision loss
Rule 17.3	Required	A function shall not be declared implicitly	Missing prototype causes undefined behaviour
Rule 2.2	Advisory	Dead code shall not appear in a program	Unreachable code can hide safety mechanisms
Rule 13.5	Required	Right-hand operand of logical && shall not contain side effects	Short-circuit evaluation can skip safety checks
Rule 1.3	Required	No undefined or critical unspecified behaviour	Buffer overflow, signed overflow, use of uninitialised variable

Static Analysis Configuration for ASIL-D

Bashstatic_analysis.sh

#!/bin/bash
# Static analysis pipeline for ASIL-D SW: MISRA + custom safety rules

# Tools commonly used in automotive:
# - PC-lint Plus (Gimpel): MISRA C:2012 full coverage
# - Polyspace Code Prover (MathWorks): formal verification; proves no run-time errors
# - PRQA QA-C (Perforce): MISRA + AUTOSAR C++
# - Klocwork (Perforce): defect detection + MISRA
# - Parasoft C/C++test: MISRA + unit testing integration

# Example: Polyspace Code Prover for AEB decision module
polyspace-code-prover-nodesktop \
    -sources "src/AEB_Decision.c" \
    -include "include/" \
    -compiler "gcc" \
    -target "arm" \
    -misra-cpp:2008 \          # or misra-c:2012
    -checkers-activation-file "asilD_checkers.xml" \
    -report-output-format "pdf" \
    -results-dir "polyspace_results/"

# Expected results for ASIL-D compliant code:
# Green: proven no run-time error
# Orange: unproven (needs manual review or test)
# Red: proven run-time error (must be fixed)
# Gray: unreachable code (MISRA 14.3 / 2.2)

# PC-lint Plus: MISRA C:2012 mandatory + advisory
lint-nt \
    +v -u \
    co-gcc.lnt \          # compiler options file
    au-misra3.lnt \       # MISRA C:2012 rules
    au-misra3-amd1.lnt \  # MISRA C:2012 Amendment 1
    src/AEB_Decision.c \
    2>&1 | tee lint_results.txt

# Deviation management: deviations must be justified in code + tracked in tool
/* MISRA C:2012 Deviation: Rule 15.5 (single exit)
   Rationale: Multiple returns used for early fault detection;
   ensures fault path exits immediately without executing further code.
   Risk: Low — reviewed and approved by Safety Engineer (CR-AEB-005)
   Approval: [Safety Engineer Name], [Date]
   Ref: DEVIATION-SW-007 */

Summary

MISRA C:2012 compliance is not a style guide — it is a set of rules that eliminate categories of C language behaviour that are undefined, implementation-defined, or prone to misinterpretation by compilers and developers. Rule 14.3 (invariant controlling expression) is particularly important for safety: dead code created by an impossible condition can hide safety mechanisms that were intended to be executed but never actually run. Static analysis tools must be configured to report MISRA violations, and every violation must be either fixed or formally documented as a deviation with justification and independent review. The deviation count and residual violations are reported to the assessor as evidence of compliance.

🔬 Deep Dive — Core Concepts Expanded

This section builds on the foundational concepts covered above with additional technical depth, edge cases, and configuration nuances that separate competent engineers from experts. When working on production ECU projects, the details covered here are the ones most commonly responsible for integration delays and late-phase defects.

Key principles to reinforce:

Configuration over coding: In AUTOSAR and automotive middleware environments, correctness is largely determined by ARXML configuration, not application code. A correctly implemented algorithm can produce wrong results due to a single misconfigured parameter.
Traceability as a first-class concern: Every configuration decision should be traceable to a requirement, safety goal, or architecture decision. Undocumented configuration choices are a common source of regression defects when ECUs are updated.
Cross-module dependencies: In tightly integrated automotive software stacks, changing one module's configuration often requires corresponding updates in dependent modules. Always perform a dependency impact analysis before submitting configuration changes.

🏭 How This Topic Appears in Production Projects

Project integration phase: The concepts covered in this lesson are most commonly encountered during ECU integration testing — when multiple software components from different teams are combined for the first time. Issues that were invisible in unit tests frequently surface at this stage.
Supplier/OEM interface: This is a topic that frequently appears in technical discussions between Tier-1 ECU suppliers and OEM system integrators. Engineers who can speak fluently about these details earn credibility and are often brought into critical design review meetings.
Automotive tool ecosystem: Vector CANoe/CANalyzer, dSPACE tools, and ETAS INCA are the standard tools used to validate and measure the correct behaviour of the systems described in this lesson. Familiarity with these tools alongside the conceptual knowledge dramatically accelerates debugging in real projects.

⚠️ Common Mistakes and How to Avoid Them

Assuming default configuration is correct: Automotive software tools ship with default configurations that are designed to compile and link, not to meet project-specific requirements. Every configuration parameter needs to be consciously set. 'It compiled' is not the same as 'it is correctly configured'.
Skipping documentation of configuration rationale: In a 3-year ECU project with team turnover, undocumented configuration choices become tribal knowledge that disappears when engineers leave. Document why a parameter is set to a specific value, not just what it is set to.
Testing only the happy path: Automotive ECUs must behave correctly under fault conditions, voltage variations, and communication errors. Always test the error handling paths as rigorously as the nominal operation. Many production escapes originate in untested error branches.
Version mismatches between teams: In a multi-team project, the BSW team, SWC team, and system integration team may use different versions of the same ARXML file. Version management of all ARXML files in a shared repository is mandatory, not optional.

📊 Industry Note

Engineers who master both the theoretical concepts and the practical toolchain skills covered in this course are among the most sought-after professionals in the automotive software industry. The combination of AUTOSAR standards knowledge, safety engineering understanding, and hands-on configuration experience commands premium salaries at OEMs and Tier-1 suppliers globally.