ISO 26262


ISO 26262, titled "Road vehicles – Functional safety", is an international standard for functional safety of electrical and/or electronic systems in production automobiles defined by the International Organization for Standardization in 2011, and reviewed in 2018.

Overview of Part 1

Functional safety features form an integral part of each automotive product development phase, ranging from the specification, to design, implementation, integration, verification, validation, and production release. The standard ISO 26262 is an adaptation of the Functional Safety standard IEC 61508 for Automotive Electric/Electronic Systems. ISO 26262 defines functional safety for automotive equipment applicable throughout the lifecycle of all automotive electronic and electrical safety-related systems.
The first edition, published on 11 November 2011, is intended to be applied to electrical and/or electronic systems installed in "series production passenger cars" with a maximum gross weight of 3500 kg. It aims to address possible hazards caused by the malfunctioning behaviour of electronic and electrical systems.
Although entitled "Road vehicles – Functional safety", the standard relates to the functional safety of electrical and electronic systems as well as that of systems as a whole or of their mechanical subsystems.
Like its parent standard, IEC 61508, ISO 26262 is a risk-based safety standard, where the risk of hazardous operational situations is qualitatively assessed and safety measures are defined to avoid or control systematic failures and to detect or control random hardware failures, or mitigate their effects.
Goals of ISO 26262:
The standard consists of nine normative parts and a guideline on ISO 26262 as the tenth part.
The ten parts of ISO 26262:
  1. Vocabulary
  2. Management of functional safety
  3. Concept phase
  4. Product development at the system level
  5. Product development at the hardware level
  6. Product development at the software level
  7. Production and operation
  8. Supporting processes
  9. Automotive Safety Integrity Level-oriented and safety-oriented analysis
  10. Guideline on ISO 26262

Part 1: Vocabulary

ISO 26262 specifies a vocabulary of terms, definitions, and abbreviations for application in all parts of the standard.
Of particular importance is the careful definition of fault, error, and failure as these terms are key to the standard’s definitions of functional safety processes, particularly in the consideration that "A fault can manifest itself as an error... and the error can ultimately cause a failure". A resulting malfunction that has a hazardous effect represents a loss of functional safety.
Note: In contrast to the formal vocabularies defined for other Functional Safety standards, Fault Tolerance is not explicitly defined within this standard -- it is assumed impossible to comprehend all possible faults in a system. Functional Safety rather than Fault Tolerance is the objective of the standard. ISO 26262 does not use the IEC 61508 terms SFF and hardware fault tolerance. The terms single point faults metric and latent faults metric are used instead.

Part 2: Management of functional safety

ISO 26262 provides a standard for functional safety management for automotive applications, defining standards for overall organizational safety management as well as standards for a safety life cycle for the development and production of individual automotive products. The ISO 26262 safety life cycle described in the next section operates on the following safety management concepts:

Parts 3-7: Safety Life Cycle

Processes within the ISO 26262 safety life cycle identify and assess hazards, establish specific safety requirements to reduce those risks to acceptable levels, and manage and track those safety requirements to produce reasonable assurance that they are accomplished in the delivered product. These safety-relevant processes may be viewed as being integrated or running in parallel with a managed requirements life cycle of a conventional Quality Management System:
  1. An item is identified and its top level system functional requirements are defined.
  2. A comprehensive set of hazardous events is identified for the item.
  3. An ASIL is assigned to each hazardous event.
  4. A safety goal is determined for each hazardous event, inheriting the ASIL of the hazard.
  5. A vehicle level functional safety concept defines a system architecture to ensure the safety goals.
  6. Safety goals are refined into lower-level safety requirements.
  7. Safety requirements are allocated to architectural components.
  8. The architectural components are then developed and validated in accord with the allocated safety requirements.

Part 8: Supporting Processes

ISO 26262 defines objectives for integral processes that are supportive to the Safety Life Cycle processes, but are continuously active throughout all phases, and also defines additional considerations that support accomplishment of general process objectives.

Automotive Safety Integrity Level

Automotive Safety Integrity Level (ASIL) refers to an abstract classification of inherent safety risk in an automotive system or elements of such a system. ASIL classifications are used within ISO 26262 to express the level of risk reduction required to prevent a specific hazard, with ASIL D representing the highest hazard level and ASIL A the lowest. The ASIL assessed for a given hazard is then assigned to the safety goal set to address that hazard and is then inherited by the safety requirements derived from that goal.

ASIL Assessment Overview

The determination of ASIL is the result of hazard analysis and risk assessment. In the context of ISO 26262, a hazard is assessed based on the relative impact of hazardous effects related to a system, as adjusted for relative likelihoods of the hazard manifesting those effects. That is, each hazardous event is assessed in terms of severity of possible injuries within the context of the relative amount of time a vehicle is exposed to the possibility of the hazard happening as well as the relative likelihood that a typical driver can act to prevent the injury.

ASIL Assessment Process

At the beginning of the safety life cycle, hazard analysis and risk assessment is performed, resulting in the assignment of an ASIL to each identified hazardous event and safety goal.
Each hazardous event is classified according to the severity of injuries it can be expected to cause:
Risk Management recognizes that consideration of the severity of a possible injury is modified by how likely the injury is to happen; that is, for a given hazard, a hazardous event is considered a lower risk if it is less likely to happen. Within the hazard analysis and risk assessment process of this standard, the likelihood of an injurious hazard is further classified according to a combination of
In terms of these classifications, an Automotive Safety Integrity Level D hazardous event is defined as an event having reasonable possibility of causing a life-threatening or fatal injury, with the injury being physically possible in most operating conditions, and with little chance the driver can do something to prevent the injury. That is, ASIL D is the combination of S3, E4, and C3 classifications. For each single reduction in any one of these classifications from its maximum value, there is a single-level reduction in the ASIL from D. The level below ASIL A is the lowest level, QM. QM refers to the standard's consideration that, below ASIL A, there is no safety relevance and only standard Quality Management processes are required.
These Severity, Exposure, and Control definitions are informative, not prescriptive, and effectively leave some room for subjective variation or discretion between various automakers and component suppliers. In response, SAE International (the Society of Automotive Engineers) is drafting J2980 – Considerations for ISO 26262 ASIL Hazard Classification to provide more explicit guidance for assessing Exposure, Severity and Controllability for a given hazard.
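The ASIL rule stated above (ASIL D is S3/E4/C3, and every single-step reduction on any of the three scales lowers the level by one, down to QM) and the life-cycle chain from the Parts 3-7 list (hazardous event, ASIL, safety goal, refined requirements allocated to components) can be carried through in code. The following Python is an added worked example, not text or tooling from the standard or from this article; the S0-S3, E0-E4, C0-C3 class ranges are those of ISO 26262 Part 3, the treatment of class 0 as "QM" is an assumption of this code, and the steering-system hazards, safety goals and component names are constructed for illustration only.

```python
"""
Added worked example for the ISO 26262 article (not part of the article or the
standard's own text): an ASIL calculator implementing "S3/E4/C3 is ASIL D, each
single-step reduction lowers the ASIL one level, below A is QM", plus a small
model of the chain hazardous event -> ASIL -> safety goal -> safety
requirements -> components.  All hazard data below is constructed.
"""
from dataclasses import dataclass, field

S_MAX, E_MAX, C_MAX = 3, 4, 3          # S3 / E4 / C3 is the ASIL D combination
LEVELS = ["D", "C", "B", "A"]          # index = number of single-step reductions
RANK = {"QM": 0, "A": 1, "B": 2, "C": 3, "D": 4}   # ordering used for "highest ASIL"


def asil(s: int, e: int, c: int) -> str:
    """Return "D", "C", "B", "A" or "QM" for severity s, exposure e and
    controllability c.  Class 0 on any scale (S0 no injuries, E0 incredible
    exposure, C0 controllable in general) carries no ASIL requirement in the
    standard; this example reports those as "QM" (an assumption of this code)."""
    if not (0 <= s <= S_MAX and 0 <= e <= E_MAX and 0 <= c <= C_MAX):
        raise ValueError(f"classification out of range: S{s} E{e} C{c}")
    if 0 in (s, e, c):
        return "QM"
    reductions = (S_MAX - s) + (E_MAX - e) + (C_MAX - c)
    # Four or more reductions fall below ASIL A: only QM processes apply.
    return LEVELS[reductions] if reductions < len(LEVELS) else "QM"


@dataclass
class SafetyRequirement:
    text: str
    asil: str          # inherited from the safety goal it refines
    component: str     # architectural element it is allocated to


@dataclass
class SafetyGoal:
    hazard: str
    asil: str          # inherited from the hazardous event's ASIL
    text: str
    requirements: list = field(default_factory=list)

    def refine(self, text: str, component: str) -> SafetyRequirement:
        """Derive a lower-level requirement and allocate it to a component;
        it inherits the goal's ASIL (life-cycle steps 6 and 7)."""
        req = SafetyRequirement(text, self.asil, component)
        self.requirements.append(req)
        return req


def assess_hazards(hazards) -> list:
    """Life-cycle steps 2-4: for each (hazardous event, S, E, C, goal text),
    assign the ASIL and create a safety goal that inherits it."""
    return [SafetyGoal(name, asil(s, e, c), goal) for name, s, e, c, goal in hazards]


def component_asils(goals) -> dict:
    """Highest ASIL allocated to each component across all safety goals, i.e.
    the integrity level that component must be developed to."""
    result = {}
    for goal in goals:
        for req in goal.requirements:
            current = result.setdefault(req.component, "QM")
            if RANK[req.asil] > RANK[current]:
                result[req.component] = req.asil
    return result


# Constructed hazardous events for a hypothetical "electric power steering" item
# (illustrative, not a real hazard analysis): (hazardous event, S, E, C, safety goal).
EXAMPLE_HAZARDS = [
    ("self-steering torque at highway speed", 3, 4, 3,
     "Prevent unintended steering torque"),
    ("loss of steering assist while parking", 1, 3, 1,
     "Maintain steering assist or warn the driver"),
    ("delayed assist on a wet road", 2, 3, 2,
     "Keep assist latency within the safe bound"),
]


def example() -> dict:
    """Run the chain on the constructed hazards and return component ASILs."""
    torque, assist, latency = assess_hazards(EXAMPLE_HAZARDS)   # D, QM, A
    torque.refine("Motor current limited to the rated maximum", "motor driver")
    torque.refine("Torque sensor plausibility check", "steering ECU software")
    assist.refine("Assist loss indicated on cluster within 1 s", "steering ECU software")
    latency.refine("Control loop deadline monitored", "steering ECU software")
    return component_asils([torque, assist, latency])


if __name__ == "__main__":
    for component, level in example().items():
        print(f"{component}: {level}")
```

Running the block prints the integrity level each constructed component inherits: the motor driver receives ASIL D from the single goal allocated to it, and the steering ECU software also receives ASIL D because the highest ASIL among its allocated requirements (D, QM and A) governs. This is the practical consequence of the inheritance rule in the text: mixing a QM requirement into a component that also carries an ASIL D requirement does not lower the component's level, so allocation decisions in step 7 directly determine which components must be developed to the strictest processes.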