Road vehicles -- Functional safety
ISO 26262 is intended to be applied to safety-related systems that include one or more electrical and/or electronic (E/E) systems and that are installed in series production passenger cars with a maximum gross vehicle mass up to 3 500 kg. ISO 26262 does not address unique E/E systems in special purpose vehicles such as vehicles designed for drivers with disabilities. Systems and their components released for production, or systems and their components already under development prior to the publication date of ISO 26262, are exempted from the scope. For further development or alterations based on systems and their components released for production prior to the publication of ISO 26262, only the modifications will be developed in accordance with ISO 26262. ISO 26262 addresses possible hazards caused by malfunctioning behaviour of E/E safety-related systems, including interaction of these systems. It does not address hazards related to electric shock, fire, smoke, heat, radiation, toxicity, flammability, reactivity, corrosion, release of energy and similar hazards, unless directly caused by malfunctioning behaviour of E/E safety-related systems. ISO 26262 does not address the nominal performance of E/E systems, even if dedicated functional performance standards exist for these systems (e.g. active and passive safety systems, brake systems, Adaptive Cruise Control). ISO 26262-1:2011 specifies the terms, definitions and abbreviated terms for application in all parts of ISO 26262.
Road vehicles — Functional safety —
Part 1: Vocabulary
COPYRIGHT PROTECTED DOCUMENT
© ISO 2011
The reproduction of the terms and definitions contained in this International Standard is permitted in teaching manuals, instruction
booklets, technical publications and journals for strictly educational or implementation purposes. The conditions for such reproduction are:
that no modifications are made to the terms and definitions; that such reproduction is not permitted for dictionaries or similar publications
offered for sale; and that this International Standard is referenced as the source document.
With the sole exceptions noted above, no other part of this publication may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying and microfilm, without permission in writing from either ISO at the address below or ISO's member body in the country of the requester.
ISO copyright office
Case postale 56, CH-1211 Geneva 20
Tel. + 41 22 749 01 11
Fax + 41 22 749 09 47
Published in Switzerland
ii © ISO 2011 – All rights reserved
Contents
Foreword iv
Introduction v
Scope 1
1 Terms and definitions 1
2 Abbreviated terms 18
Bibliography 21
Alphabetical index 22
Foreword
ISO (the International Organization for Standardization) is a worldwide federation of national standards bodies
(ISO member bodies). The work of preparing International Standards is normally carried out through ISO
technical committees. Each member body interested in a subject for which a technical committee has been
established has the right to be represented on that committee. International organizations, governmental and
non-governmental, in liaison with ISO, also take part in the work. ISO collaborates closely with the
International Electrotechnical Commission (IEC) on all matters of electrotechnical standardization.
International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2.
The main task of technical committees is to prepare International Standards. Draft International Standards
adopted by the technical committees are circulated to the member bodies for voting. Publication as an
International Standard requires approval by at least 75 % of the member bodies casting a vote.
Attention is drawn to the possibility that some of the elements of this document may be the subject of patent
rights. ISO shall not be held responsible for identifying any or all such patent rights.
ISO 26262-1 was prepared by Technical Committee ISO/TC 22, Road vehicles, Subcommittee SC 3, Electrical and electronic equipment.
ISO 26262 consists of the following parts, under the general title Road vehicles — Functional safety:
— Part 1: Vocabulary
— Part 2: Management of functional safety
— Part 3: Concept phase
— Part 4: Product development at the system level
— Part 5: Product development at the hardware level
— Part 6: Product development at the software level
— Part 7: Production and operation
— Part 8: Supporting processes
— Part 9: Automotive Safety Integrity Level (ASIL)-oriented and safety-oriented analyses
— Part 10: Guideline on ISO 26262
Introduction
ISO 26262 is the adaptation of IEC 61508 to comply with needs specific to the application sector of electrical and/or electronic (E/E) systems within road vehicles.
This adaptation applies to all activities during the safety lifecycle of safety-related systems comprised of electrical, electronic and software components.
Safety is one of the key issues of future automobile development. New functionalities not only in areas such as driver assistance, propulsion, in vehicle dynamics control and active and passive safety systems increasingly touch the domain of system safety engineering. Development and integration of these functionalities will strengthen the need for safe system development processes and the need to provide evidence that all reasonable system safety objectives are satisfied.
With the trend of increasing technological complexity, software content and mechatronic implementation, there are increasing risks from systematic failures and random hardware failures. ISO 26262 includes guidance to avoid these risks by providing appropriate requirements and processes.
System safety is achieved through a number of safety measures, which are implemented in a variety of technologies (e.g. mechanical, hydraulic, pneumatic, electrical, electronic, programmable electronic) and applied at the various levels of the development process. Although ISO 26262 is concerned with functional safety of E/E systems, it provides a framework within which safety-related systems based on other technologies can be considered. ISO 26262:
a) provides an automotive safety lifecycle (management, development, production, operation, service,
decommissioning) and supports tailoring the necessary activities during these lifecycle phases;
b) provides an automotive-specific risk-based approach to determine integrity levels [Automotive Safety Integrity Levels (ASIL)];
c) uses ASILs to specify applicable requirements of ISO 26262 so as to avoid unreasonable residual risk;
d) provides requirements for validation and confirmation measures to ensure a sufficient and acceptable level of safety being achieved;
e) provides requirements for relations with suppliers.
Functional safety is influenced by the development process (including such activities as requirements specification, design, implementation, integration, verification, validation and configuration), the production and service processes and by the management processes.
Safety issues are intertwined with common function-oriented and quality-oriented development activities and
work products. ISO 26262 addresses the safety-related aspects of development activities and work products.
Figure 1 shows the overall structure of this edition of ISO 26262. ISO 26262 is based upon a V-model as a
reference process model for the different phases of product development. Within the figure:
— the shaded “V”s represent the interconnection between ISO 26262-3, ISO 26262-4, ISO 26262-5, ISO 26262-6 and ISO 26262-7;
— the specific clauses are indicated in the following manner: “m-n”, where “m” represents the number of the particular part and “n” indicates the number of the clause within that part.
EXAMPLE “2-6” represents Clause 6 of ISO 26262-2.
Figure 1 — Overview of ISO 26262
(The V-model figure itself is not reproduced; the parts and clauses it shows are listed below, with clause titles as far as they survive from the figure.)
2. Management of functional safety
— 2-5 Overall safety management
— 2-6 Safety management during the concept phase and the product development
— 2-7 Safety management after the item's release for production
3. Concept phase
— 3-5 Item definition
— 3-6 Initiation of the safety lifecycle
— 3-7 Hazard analysis and risk
— 3-8 Functional safety
4. Product development at the system level
— 4-5 Initiation of product development at the system level
— 4-6 Specification of the technical
— 4-7 System design
— 4-8 Item integration and testing
— 4-9 Safety validation
— 4-10 Functional safety assessment
— 4-11 Release for production
5. Product development at the hardware level
— 5-5 Initiation of product development at the hardware level
— 5-6 Specification of hardware
— 5-7 Hardware design
— 5-8 Evaluation of the hardware architectural metrics
— 5-9 Evaluation of the safety goal violations due to random hardware
— 5-10 Hardware integration and
6. Product development at the software level
— 6-5 Initiation of product development at the software level
— 6-7 Software architectural design
— 6-8 Software unit design and implementation
— 6-9 Software unit testing
— 6-10 Software integration and
— 6-11 Verification of software safety
7. Production and operation
— 7-5 Production
— 7-6 Operation, service (maintenance and repair), and
8. Supporting processes
— 8-5 Interfaces within distributed developments
— 8-6 Specification and management of safety requirements
— 8-7 Configuration management
— 8-8 Change management
— 8-9 Verification
— 8-10 Documentation
— 8-11 Confidence in the use of software tools
— 8-12 Qualification of software components
— 8-13 Qualification of hardware components
— 8-14 Proven in use argument
9. ASIL-oriented and safety-oriented analyses
— 9-5 Requirements decomposition with respect to ASIL tailoring
— 9-6 Criteria for coexistence of elements
— 9-7 Analysis of dependent failures
— 9-8 Safety analyses
10. Guideline on ISO 26262
INTERNATIONAL STANDARD ISO 26262-1:2011(E)
Road vehicles — Functional safety —
Part 1: Vocabulary
Scope
ISO 26262 is intended to be applied to safety-related systems that include one or more electrical and/or electronic (E/E) systems and that are installed in series production passenger cars with a maximum gross vehicle mass up to 3 500 kg. ISO 26262 does not address unique E/E systems in special purpose vehicles such as vehicles designed for drivers with disabilities.
Systems and their components released for production, or systems and their components already under development prior to the publication date of ISO 26262, are exempted from the scope. For further development or alterations based on systems and their components released for production prior to the publication of ISO 26262, only the modifications will be developed in accordance with ISO 26262.
ISO 26262 addresses possible hazards caused by malfunctioning behaviour of E/E safety-related systems, including interaction of these systems. It does not address hazards related to electric shock, fire, smoke, heat, radiation, toxicity, flammability, reactivity, corrosion, release of energy and similar hazards, unless directly caused by malfunctioning behaviour of E/E safety-related systems.
ISO 26262 does not address the nominal performance of E/E systems, even if dedicated functional performance standards exist for these systems (e.g. active and passive safety systems, brake systems, Adaptive Cruise Control).
This part of ISO 26262 specifies the terms, definitions and abbreviated terms for application in all parts of ISO 26262.
1 Terms and definitions
For the purposes of this document, the following terms and definitions apply.
1.1 allocation
assignment of a requirement to an architectural element (1.32)
NOTE Intent is not to divide an atomic requirement into multiple requirements. Tracing of an atomic system (1.129) level requirement to multiple lower level atomic requirements is allowed.
1.2 anomaly
condition that deviates from expectations, based, for example, on requirements, specifications, design documents, user documents, standards, or on experience
NOTE Anomalies can be discovered, among other times, during the review (1.98), testing (1.134), analysis, compilation, or use of components (1.15) or applicable documentation.
1.3 architecture
representation of the structure of the item (1.69) or functions or systems (1.129) or elements (1.32) that allows identification of building blocks, their boundaries and interfaces, and includes the allocation (1.1) of functions to hardware and software elements
1.4 assessment
examination of a characteristic of an item (1.69) or element (1.32)
NOTE A level of independence (1.61) of the party or parties performing the assessment is associated with each assessment.
1.5 audit
examination of an implemented process
1.6 Automotive Safety Integrity Level (ASIL)
one of four levels to specify the item's (1.69) or element's (1.32) necessary requirements of ISO 26262 and safety measures (1.110) to apply for avoiding an unreasonable residual risk (1.97), with D representing the most stringent and A the least stringent level
1.7 ASIL decomposition
apportioning of safety requirements redundantly to sufficiently independent elements (1.32), with the objective of reducing the ASIL (1.6) of the redundant safety requirements that are allocated to the corresponding elements
1.8 availability
capability of a product to be in a state to execute the function required under given conditions, at a certain time or in a given period, supposing the required external resources are available
1.9 baseline
version of a set of one or more work products, items (1.69) or elements (1.32) that is under configuration management and used as a basis for further development through the change management process
NOTE See ISO 26262-8:2011, Clause 8.
1.10 branch coverage
percentage of branches of the control flow that have been executed
NOTE 1 100 % branch coverage implies 100 % statement coverage (1.127).
NOTE 2 An if-statement always has two branches - condition true and condition false - independent of the existence of an else-clause.
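To make the two notes concrete (an if-statement without an else-clause still has two branches, and 100 % statement coverage does not give 100 % branch coverage), here is an added example that is not part of ISO 26262: a small Python tracer that measures statement and branch coverage of a constructed function clamp_torque using sys.settrace. The function, its test inputs and all helper names are constructed for this illustration only.

```python
import ast
import sys

# Constructed function under test: one if-statement with no else-clause.
# Per NOTE 2 it still has two branches (condition true / condition false).
FUNCTION_UNDER_TEST = '''
def clamp_torque(request, limit):
    if request > limit:
        request = limit
    return request
'''


def _analyse(source, func_name):
    """Collect statement lines and if-branches as (test line, true target, false target)."""
    tree = ast.parse(source)
    fn = next(n for n in ast.walk(tree)
              if isinstance(n, ast.FunctionDef) and n.name == func_name)
    statements = set()
    branches = []
    for node in ast.walk(fn):
        if isinstance(node, ast.stmt) and node is not fn:
            statements.add(node.lineno)
        if isinstance(node, ast.If):
            # No else-clause: the false branch "falls through" to whatever runs next.
            false_target = node.orelse[0].lineno if node.orelse else None
            branches.append((node.lineno, node.body[0].lineno, false_target))
    return statements, branches


def _trace(func, args):
    """Run func(*args) under sys.settrace; return its (event, line) sequence."""
    code = func.__code__
    events = []

    def tracer(frame, event, arg):
        if frame.f_code is code:
            if event in ("line", "return"):
                events.append((event, frame.f_lineno))
            return tracer          # keep tracing inside the function under test
        return None                # ignore every other frame

    sys.settrace(tracer)
    try:
        func(*args)
    finally:
        sys.settrace(None)
    return events


def coverage_report(source, func_name, test_inputs):
    """Return (statement coverage, branch coverage) reached by test_inputs, each in [0, 1]."""
    statements, branches = _analyse(source, func_name)
    namespace = {}
    exec(compile(source, "<function-under-test>", "exec"), namespace)
    func = namespace[func_name]
    executed = set()
    outcomes = {b: set() for b in branches}   # branch -> {True, False} outcomes observed
    for args in test_inputs:
        events = _trace(func, args)
        executed.update(line for event, line in events if event == "line")
        for i in range(len(events) - 1):
            event, line = events[i]
            next_line = events[i + 1][1]
            for branch in branches:
                test_line, true_target, false_target = branch
                if event == "line" and line == test_line:
                    if next_line == true_target:
                        outcomes[branch].add(True)
                    elif false_target is None or next_line == false_target:
                        outcomes[branch].add(False)
    statement_cov = len(executed & statements) / len(statements)
    branch_cov = sum(len(o) for o in outcomes.values()) / (2 * len(branches))
    return statement_cov, branch_cov


if __name__ == "__main__":
    # Only over-limit requests: every statement runs, but only the true branch.
    print(coverage_report(FUNCTION_UNDER_TEST, "clamp_torque", [(120, 100)]))              # (1.0, 0.5)
    # Adding an in-range request also exercises the false (fall-through) branch.
    print(coverage_report(FUNCTION_UNDER_TEST, "clamp_torque", [(120, 100), (80, 100)]))   # (1.0, 1.0)
```

The first run reaches 100 % statement coverage with only 50 % branch coverage, which is exactly the gap NOTE 1 warns about; the converse (100 % branch coverage) always executes every statement.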
1.11 calibration data
data that will be applied after the software build in the development process
EXAMPLE Parameters (e.g. value for low idle speed, engine characteristic diagrams); vehicle specific parameters (adaptation values) (e.g. limit stop for throttle valve); variant coding (e.g. country code, left-hand/right-hand steering).
NOTE Calibration data cannot contain executable or interpretable code.
1.12 candidate
item (1.69) or element (1.32) whose definition and conditions of use are identical to, or have a very high degree of commonality with, an item or element that is already released and in operation
NOTE This definition applies where candidate is used in the context of a proven in use argument (1.90).
1.13 cascading failure
failure (1.39) of an element (1.32) of an item (1.69) causing another element or elements of the same item to fail
NOTE Cascading failures are dependent failures (1.22) that are not common cause failures (1.14). See Figure 2, Failure A.
Figure 2 — Cascading failure
1.14 common cause failure
failure (1.39) of two or more elements (1.32) of an item (1.69) resulting from a single specific event or root cause
NOTE Common cause failures are dependent failures (1.22) that are not cascading failures (1.13). See Figure 3.
Figure 3 — Common cause failure
1.15 component
non-system (1.129) level element (1.32) that is logically and technically separable and is comprised of more than one hardware part (1.55) or of one or more software units (1.125)
NOTE A component is a part of a system.
1.16 configuration data
data that is assigned during software build and that controls the software build process
EXAMPLE Pre-processor instructions; software build scripts (e.g. XML configuration files).
NOTE 1 Configuration data cannot contain executable or interpretable code.
NOTE 2 Configuration data controls the software build. Only code, or data selected by configuration data can be included in the executable code.
1.17 confirmation measure
confirmation review (1.18), audit (1.5) or assessment (1.4) concerning functional safety (1.51)
1.18 confirmation review
confirmation that a work product meets the requirements of ISO 26262 with the required level of independence (1.61) of the reviewer
NOTE 1 A complete list of confirmation reviews is given in ISO 26262-2.
NOTE 2 The goal of confirmation reviews is to ensure compliance with ISO 26262.
1.19 controllability
ability to avoid a specified harm (1.56) or damage through the timely reactions of the persons involved, possibly with support from external measures (1.38)
NOTE 1 Persons involved can include the driver, passengers or persons in the vicinity of the vehicle's exterior.
NOTE 2 The parameter C in hazard analysis and risk assessment (1.58) represents the potential for controllability.
1.20 dedicated measure
measure to ensure the failure rate (1.41) claimed in the evaluation of the probability of violation of safety goals (1.108)
EXAMPLE Design feature [such as hardware part (1.55) over-design (e.g. electrical or thermal stress rating) or physical separation (e.g. spacing of contacts on a printed circuit board)]; special sample test of incoming material to reduce the risk (1.99) of occurrence of failure modes (1.40) which contribute to the violation of safety goals; burn-in test; dedicated control plan.
1.21 degradation
strategy for providing safety (1.103) by design after the occurrence of failures (1.39)
NOTE Degradation can include reduced functionality, reduced performance, or both reduced functionality and performance.
1.22 dependent failures
failures (1.39) whose probability of simultaneous or successive occurrence cannot be expressed as the simple product of the unconditional probabilities of each of them
NOTE 1 Dependent failures A and B can be characterized when
$P_{AB} \neq P_{A} \times P_{B}$
where
$P_{AB}$ is the probability of the simultaneous occurrence of failure A and failure B;
$P_{A}$ is the probability of the occurrence of failure A;
$P_{B}$ is the probability of the occurrence of failure B.
NOTE 2 Dependent failures include common cause failures (1.14) and cascading failures (1.13).
1.23 detected fault
fault (1.42) whose presence is detected within a prescribed time by a safety mechanism (1.111) that prevents the fault from being latent
EXAMPLE The fault can be detected by a dedicated safety mechanism (1.111) (e.g. detection of the error (1.36) and notifying the driver via an alerting device on the instrument panel) as defined in the functional safety concept (1.52).
1.24 development interface agreement
agreement between customer and supplier in which the responsibilities for activities, evidence or work products to be exchanged by each party are specified
1.25 diagnostic coverage
proportion of the hardware element (1.32) failure rate (1.41) that is detected or controlled by the implemented safety mechanisms (1.111)
NOTE 1 Diagnostic coverage can be assessed with regard to residual faults (1.96) or with regard to latent multiple-point faults (1.77) that might occur in a hardware element.
NOTE 2 The definition can be represented in terms of the equations given in ISO 26262-5.
NOTE 3 Safety mechanisms implemented at different levels in the architecture (1.3) can be considered.
1.26 diagnostic test interval
amount of time between the executions of online diagnostic tests by a safety mechanism (1.111)
1.27 distributed development
development of an item (1.69) or element (1.32) with development responsibility divided between the customer and supplier(s) for the entire item or element, or for subsystems
NOTE Customer and supplier are roles of the cooperating parties.
1.28 diversity
different solutions satisfying the same requirement with the aim of independence (1.61)
EXAMPLE Diverse programming; diverse hardware.
NOTE Diversity does not guarantee independence, but addresses certain types of common cause failures (1.14).
1.29 dual-point failure
failure (1.39) resulting from the combination of two independent faults (1.42) that leads directly to the violation of a safety goal (1.108)
NOTE 1 Dual-point failures are multiple-point failures (1.76) of order 2.
NOTE 2 Dual-point failures that are addressed in ISO 26262 include those where one fault affects a safety-related element (1.113) and another fault affects the corresponding safety mechanism (1.111) intended to achieve or maintain a safe state (1.102).
NOTE 3 For a dual-point failure to directly violate a safety goal, the presence of both independent faults is necessary, i.e. the violation of a safety goal due to a combination of a residual fault (1.96) with a safe fault (1.101) is not considered a dual-point failure since the residual fault leads to a violation of a safety goal with or without the presence of a second independent fault.
1.30 dual-point fault
individual fault (1.42) that, in combination with another independent fault, leads to a dual-point failure (1.29)
NOTE 1 A dual-point fault can only be recognized after the identification of dual-point failure, e.g. from cut set analysis of a fault tree.
NOTE 2 See also multiple-point fault (1.77).
1.31 electrical and/or electronic system (E/E system)
system (1.129) that consists of electrical and/or electronic elements (1.32), including programmable electronic elements
EXAMPLE Power supply; sensor or other input device; communication path; actuator or other output device.
1.32 element
system (1.129) or part of a system including components (1.15), hardware, software, hardware parts (1.55), and software units (1.125)
1.33 embedded software
fully-integrated software to be executed on a processing element (1.32)
NOTE The processing element is normally a micro-controller, a field programmable gate array (FPGA) or an application-specific integrated circuit (ASIC), but it can also be a more complex component (1.15) or subsystem.
1.34 emergency operation
degraded functionality from the state in which a fault (1.42) occurred until the transition to a safe state (1.102) is achieved as defined in the warning and degradation concept (1.140)
1.35 emergency operation interval
specified time-span that emergency operation (1.34) is needed to support the warning and degradation concept (1.140)
NOTE Emergency operation is part of the warning and degradation concept (1.140).
1.36 error
discrepancy between a computed, observed or measured value or condition, and the true, specified or theoretically correct value or condition
NOTE 1 An error can arise as a result of unforeseen operating conditions or due to a fault (1.42) within the system (1.129), subsystem or component (1.15) being considered.
NOTE 2 A fault can manifest itself as an error within the considered element (1.32) and the error can ultimately cause a failure (1.39).
1.37 exposure
state of being in an operational situation (1.83) that can be hazardous (1.57) if coincident with the failure mode (1.40) under analysis
1.38 external measure
measure that is separate and distinct from the item (1.69) which reduces or mitigates the risks (1.99) resulting from the item
1.39 failure
termination of the ability of an element (1.32), to perform a function as required
NOTE Incorrect specification is a source of failure.
1.40 failure mode
manner in which an element (1.32) or an item (1.69) fails
1.41 failure rate
probability density of failure (1.39) divided by probability of survival for a hardware element (1.32)
NOTE The failure rate is assumed to be constant and is generally denoted as “λ”.
1.42 fault
abnormal condition that can cause an element (1.32) or an item (1.69) to fail
NOTE 1 Permanent, intermittent and transient faults (1.134) (especially soft-errors) are considered.
NOTE 2 An intermittent fault occurs time and time again, then disappears. This type of fault can occur when a component (1.15) is on the verge of breaking down or, for example, due to a glitch in a switch. Some systematic faults (1.131) (e.g. timing marginalities) could lead to intermittent faults.
1.43 fault model
representation of failure modes (1.40) resulting from faults (1.42)
NOTE Fault models are generally based on field experience or reliability handbooks.
1.44 fault reaction time
time-span from the detection of a fault (1.42) to reaching the safe state (1.102)
See Figure 4.
Figure 4 — Fault reaction time and fault tolerant time interval
(timeline figure not reproduced: along the time axis it marks the fault, the fault detection and the transition from the normal state to the safe state, with the time to detection bounded by the diagnostic test interval, and shows the fault reaction time and the fault tolerant time interval as spans on that axis)
1.45 fault tolerant time interval
time-span in which a fault (1.42) or faults can be present in a system (1.129) before a hazardous (1.57) event occurs
1.46 field data
data obtained from the use of an item (1.69) or element (1.32) including cumulative operating hours, all failures (1.39) and in-service anomalies
NOTE Field data normally comes from customer use.
1.47 formal notation
description technique that has both its syntax and semantics completely defined
EXAMPLE Z notation (Zed); NuSMV (symbolic model checker); Prototype Verification System (PVS); Vienna Development Method (VDM).
1.48 formal verification
method used to prove the correctness of a system (1.129) against the specification in formal notation (1.47) of its required behaviour
1.49 freedom from interference
absence of cascading failures (1.13) between two or more elements (1.32) that could lead to the violation of a safety requirement
EXAMPLE 1 Element 1 is free of interference from element 2 if no failure (1.39) of element 2 can cause element 1 to fail.
EXAMPLE 2 Element 3 interferes with element 4 if there exists a failure of element 3 that causes element 4 to fail.
1.50 functional concept
specification of the intended functions and their interactions necessary to achieve the desired behaviour
NOTE The functional concept is developed during the concept phase (1.89).
1.51 functional safety
absence of unreasonable risk (1.136) due to hazards (1.57) caused by malfunctioning behaviour (1.73) of E/E systems (1.31)
1.52 functional safety concept
specification of the functional safety requirements (1.53), with associated information, their allocation (1.1) to architectural elements (1.32), and their interaction necessary to achieve the safety goals (1.108)
1.53 functional safety requirement
specification of implementation-independent safety (1.103) behaviour, or implementation-independent safety measure (1.110), including its safety-related attributes
NOTE 1 A functional safety requirement can be a safety requirement implemented by a safety-related E/E system (1.31), or by a safety-related system (1.129) of other technologies (1.84), in order to achieve or maintain a safe state (1.102) for the item (1.69) taking into account a determined hazardous event (1.59).
NOTE 2 The functional safety requirements might be specified independently of the technology used in the concept phase (1.89), of product development.
NOTE 3 Safety-related attributes include information about ASIL (1.6).
1.54 hardware architectural metrics
metrics for the assessment (1.4) of the effectiveness of the hardware architecture (1.3) with respect to safety (1.103)
NOTE The single-point fault (1.122) metric and the latent fault (1.71) metric are the hardware architectural metrics.
1.55 hardware part
hardware which cannot be subdivided
1.56 harm
physical injury or damage to the health of persons
1.57 hazard
potential source of harm (1.56) caused by malfunctioning behaviour (1.73) of the item (1.69)
NOTE This definition is restricted to the scope of ISO 26262; a more general definition is potential source of harm.
1.58 hazard analysis and risk assessment
method to identify and categorize hazardous events (1.59) of items (1.69) and to specify safety goals (1.108) and ASILs (1.6) related to the prevention or mitigation of the associated hazards in order to avoid unreasonable risk (1.136)
1.59 hazardous event
combination of a hazard (1.57) and an operational situation (1.83)
1.60 homogeneous redundancy
multiple but identical implementations of a requirement
1.61 independence
absence of dependent failures (1.22) between two or more elements (1.32) that could lead to the violation of a safety requirement, or