TÜV-grade T2 tool qualification. ASIL D ready. 21 Part-6 control objectives mapped. Functional safety for road vehicles - the standard automotive OEMs and Tier-1 suppliers worldwide certify against. PhantomYerra ships the tool-qualification kit, the per-finding ASIL grading, and the audit-ready evidence packages that pair with MISRA + AUTOSAR scans.
ISO 26262 - "Road vehicles - Functional safety" - is the 12-part standard governing E/E (electrical / electronic / programmable electronic) systems in production road vehicles. Part 6 covers software product development. PhantomYerra emits, for every software finding from a YerraSAST run, the applicable Part-6 control objective and the project's ASIL classification - enabling a single scan to feed both a safety report and a security report.
ASIL - Automotive Safety Integrity Level - is the hazard-classification scheme ISO 26262 uses to drive design rigor. A is the lowest; D is the highest (the worst case: a likely fatal outcome with no controllability). PhantomYerra grades every emitted finding with the ASIL of the containing component automatically, based on the workspace-declared item architecture.
Part 6 of ISO 26262 ("Product development at the software level") lists the activities and verification methods required at each ASIL. PhantomYerra maps each emitted finding to the applicable Part-6 clause, so an auditor can trace every report row back to an objective. An excerpt of the mapping follows - the full table is in resources/compliance/ISO_26262_2018.json.
| Part 6 clause | Objective | Required at ASIL | PhantomYerra detector |
|---|---|---|---|
| § 5.4.7 | Defensive programming | A / B / C / D (rec) | YerraSAST defensive-programming rule pack (uninitialised read, null deref, integer overflow, unchecked return value) |
| § 5.4.7 | Boundary-value checks | B / C / D (req) | YerraSAST array-bounds + buffer-overflow rule pack with inter-procedural taint |
| § 7.4.10 | Restricted scope of variables | A / B / C / D (rec) | YerraCPP global-variable + cross-TU symbol-leak detector |
| § 7.4.10 | Use of language subset | B / C / D (req) | MISRA C 2023 + MISRA C++ 2023 + AUTOSAR C++14 packs (340 + 519 = 859 rules) |
| § 7.4.10 | Strong typing | A / B / C / D (rec) | YerraSAST implicit-conversion + signedness-conversion detectors |
| § 7.4.13 | One entry / one exit per subprogram | C / D (rec) | YerraCPP multi-exit detector |
| § 7.4.13 | No dynamic objects / variables (or check before use) | C / D (req) | YerraCPP dynamic-allocation detector (malloc / new / make_shared) |
| § 7.4.13 | No unconditional jumps | B / C / D (req) | YerraCPP goto / longjmp detector |
| § 7.4.13 | No recursion | C / D (req) | YerraCPP inter-procedural recursion detector (direct + indirect via call graph) |
| § 8.4.4 | Configuration management of source code | A / B / C / D (req) | Workspace-bound source SHA-256 attestation, signed by sidecar key |
| § 8.4.5 | Static code analysis | A / B / C / D (req) | YerraSAST scan with cross-tool corroboration (CodeQL + Semgrep + bundled analyzers) |
| § 8.4.5 | Semantic code analysis | C / D (req) | YerraSAST inter-procedural taint engine + symbolic execution paths |
| § 8.4.5 | Walk-through | A / B (req) | Audit log of human review actions per finding |
| § 8.4.5 | Inspection | C / D (req) | Per-finding signoff workflow with reviewer identity recorded |
| § 9.4.2 | Software-unit verification | A / B / C / D (req) | Per-source-file verification report generated automatically |
| § 9.4.2 | Boundary-value testing | B / C / D (req) | YerraFuzz boundary-value fuzzer for unit functions |
| § 9.4.3 | Coverage metrics - statement | A / B / C / D (rec) | YerraSAST scan-coverage report (per-file, per-function, per-line) |
| § 9.4.3 | Coverage metrics - branch | B / C / D (req) | YerraFuzz branch-coverage reporter (gcov / llvm-cov compatible) |
| § 9.4.3 | Coverage metrics - MC/DC | C (rec) / D (req) | YerraFuzz MC/DC reporter for ASIL D code |
| § 10.4.2 | Integration testing | A / B / C / D (req) | DAST + IAST scan correlation with SAST evidence |
| § 11.4 | Verification of safety requirements | A / B / C / D (req) | PhantomYerra audit-ready report engine produces DOCX / PDF / JSON evidence pack |
"rec" = recommended at this ASIL; "req" = required. PhantomYerra's default policy fires its detector at every level that lists either, so the operator can review whether the rec/req split for their project matches.
ISO 26262 Part 8 § 11 requires that any software tool used during the development of a safety-critical item be qualified for use. PhantomYerra is delivered with a Tool Qualification Kit (TQK) covering tool classification (T1 / T2 / T3), tool confidence level (TCL1 / TCL2 / TCL3), and the per-version qualification evidence the auditor reviews.
| TQK section | Document | Purpose |
|---|---|---|
| A - Tool classification | Tool Classification Statement (TCS) | Establishes PhantomYerra as a T2 tool - used during development but its output is verified by other means (review, test, cross-tool). |
| B - Tool confidence level | Tool Confidence Statement (TCS-Lvl) | Establishes TCL2 (medium confidence) per ISO 26262-8 § 11.4.5 - supported by cross-tool corroboration evidence. |
| C - Tool error analysis | Tool Error Analysis (TEA) | Documents the known failure modes of every YerraSAST detector (false-positive rate, false-negative rate, known limitations). |
| D - Tool qualification evidence | Tool Qualification Report (TQR) | Per-version evidence pack: regression test results, deviation log, change log against the previous qualified version. |
| E - User manual | Safety Manual | Documents the constraints under which PhantomYerra may be used as a qualified tool (declared input domain, declared output usage). |
| F - Audit pack | Auditor Walkthrough | Pre-built script the auditor can run to reproduce qualification evidence on the customer's own bench. |
A typical ASIL-D engagement on a safety-critical ECU uses the PhantomYerra workspace as the single source of truth: ASIL declaration, scan, deviation register, signoff log, qualification certificate, audit pack - all produced from the same finding store and the same workspace state.
| Step | Activity | Artifact |
|---|---|---|
| 01 | Item architecture & ASIL declaration - the operator declares each component's ASIL in the workspace | Item architecture YAML |
| 02 | Configure scanner policy - workspace selects ASIL-driven detector thresholds (block / fail / inform) | Workspace policy JSON |
| 03 | Scan source tree - YerraSAST + MISRA + AUTOSAR + CERT packs all run in a single pass | Multi-framework finding stream |
| 04 | Cross-tool corroborate - bundled CodeQL + Semgrep verify high-confidence findings | Cross-tool confidence ranking |
| 05 | Per-finding ASIL grade - each finding gets the containing component's ASIL automatically | ASIL-graded finding store |
| 06 | Deviation register - accepted deviations recorded with rationale + reviewer signature | Deviation log (signed) |
| 07 | Verification report - DOCX / PDF report listing every Part-6 objective + every finding that satisfies / violates it | Audit-ready package |
| 08 | Tool qualification certificate - TQK rendered with the project's version pins + scan ID | TQK signed PDF |
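Steps 01, 02 and 05 composed as an added illustration (example code, not PhantomYerra's code or its workspace/policy file formats): a constructed item-architecture declaration, a constructed ASIL-driven policy, and three rows of the Part-6 mapping table above, used to grade constructed findings by the containing component's ASIL and decide whether the objective is rec, req or not listed at that level. The longest-prefix match, the QM fallback for undeclared paths and the "review-only" action are assumptions of this example.

```python
"""Added illustration of ASIL grading + Part-6 applicability; constructed, not PhantomYerra's code."""

ASIL_ORDER = {"QM": 0, "A": 1, "B": 2, "C": 3, "D": 4}

# Constructed item-architecture declaration (step 01): source prefix -> declared component ASIL.
ITEM_ARCHITECTURE = {
    "src/brake/": "D",
    "src/body/lighting/": "B",
    "src/infotainment/": "QM",
}

# Three rows of the Part-6 mapping table above: objective -> (lowest listed ASIL, rec|req).
# Each row lists a contiguous range up to D, so "lowest listed ASIL and upward" reproduces the row.
PART6_MAPPING = {
    "7.4.13 No recursion": ("C", "req"),
    "7.4.13 No unconditional jumps": ("B", "req"),
    "5.4.7 Defensive programming": ("A", "rec"),
}

# Constructed ASIL-driven thresholds (step 02): how a listed violation is escalated at each grade.
POLICY = {"D": "block", "C": "block", "B": "fail", "A": "inform", "QM": "inform"}


def component_asil(path):
    """Longest declared prefix containing the file wins; undeclared paths default to QM (assumption)."""
    best = ""
    for prefix in ITEM_ARCHITECTURE:
        if path.startswith(prefix) and len(prefix) > len(best):
            best = prefix
    return ITEM_ARCHITECTURE[best] if best else "QM"


def applicability(objective, asil):
    """Return rec/req if the objective is listed at this ASIL, otherwise n/a."""
    lowest, kind = PART6_MAPPING[objective]
    return kind if ASIL_ORDER[asil] >= ASIL_ORDER[lowest] else "n/a"


def grade(finding):
    """Step 05: tag a finding with its component's ASIL, the objective's status there, and the action."""
    asil = component_asil(finding["path"])
    status = applicability(finding["objective"], asil)
    # The default policy fires wherever rec or req is listed; elsewhere the row is kept for review only.
    action = POLICY[asil] if status != "n/a" else "review-only"
    return {**finding, "asil": asil, "status": status, "action": action}


if __name__ == "__main__":  # constructed findings, shaped as a scanner might emit them
    print(grade({"path": "src/brake/abs/ctrl.c", "objective": "7.4.13 No recursion"}))
    print(grade({"path": "src/body/lighting/turn.c", "objective": "7.4.13 No recursion"}))
```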
Both PhantomYerra and Coverity ship T2 / TCL2 tool qualification kits with ASIL A-D support. Where PhantomYerra exceeds: (1) automatic per-finding ASIL grading driven by workspace item-architecture declarations - Coverity requires manual annotation; (2) a single-scan multi-framework finding stream - one scan produces MISRA + AUTOSAR + CERT + ISO 26262 evidence simultaneously, with no separate runs; (3) cross-tool corroboration baked into the TCL2 confidence story - Coverity's confidence claim relies on its single engine; (4) air-gapped tool qualification - the entire TQK pack can be reproduced offline on the customer's bench, which simplifies certification at high-security suppliers; (5) perpetual licence pricing, which makes the long-term safety-tool budget predictable across multi-year platform programs.
Honest scope: ISO 26262 tool qualification is shipped as a kit; an actual independent assessor's certification stamp is the customer's responsibility and depends on their bench setup. PhantomYerra provides the artefacts; the auditor signs.