Road vehicles — Functional safety — Part 1: Vocabulary

ISO 26262 is intended to be applied to safety-related systems that include one or more electrical and/or electronic (E/E) systems and that are installed in series production passenger cars with a maximum gross vehicle mass up to 3 500 kg. ISO 26262 does not address unique E/E systems in special purpose vehicles such as vehicles designed for drivers with disabilities. Systems and their components released for production, or systems and their components already under development prior to the publication date of ISO 26262, are exempted from the scope. For further development or alterations based on systems and their components released for production prior to the publication of ISO 26262, only the modifications will be developed in accordance with ISO 26262. ISO 26262 addresses possible hazards caused by malfunctioning behaviour of E/E safety-related systems, including interaction of these systems. It does not address hazards related to electric shock, fire, smoke, heat, radiation, toxicity, flammability, reactivity, corrosion, release of energy and similar hazards, unless directly caused by malfunctioning behaviour of E/E safety-related systems. ISO 26262 does not address the nominal performance of E/E systems, even if dedicated functional performance standards exist for these systems (e.g. active and passive safety systems, brake systems, Adaptive Cruise Control). ISO 26262-1:2011 specifies the terms, definitions and abbreviated terms for application in all parts of ISO 26262.

Véhicules routiers — Sécurité fonctionnelle — Partie 1: Vocabulaire

General Information

Status
Withdrawn
Publication Date
13-Nov-2011
Withdrawal Date
13-Nov-2011
Current Stage
9599 - Withdrawal of International Standard
Completion Date
17-Dec-2018
Buy Standard

Standard
ISO 26262-1:2011 - Road vehicles -- Functional safety
English language
23 pages

Standards Content (Sample)

INTERNATIONAL STANDARD ISO 26262-1

First edition
2011-11-15
Road vehicles — Functional safety —
Part 1:
Vocabulary
Véhicules routiers — Sécurité fonctionnelle —
Partie 1: Vocabulaire




Reference number
ISO 26262-1:2011(E)

©
ISO 2011

ISO 26262-1:2011(E)




COPYRIGHT PROTECTED DOCUMENT


©  ISO 2011
The reproduction of the terms and definitions contained in this International Standard is permitted in teaching manuals, instruction
booklets, technical publications and journals for strictly educational or implementation purposes. The conditions for such reproduction are:
that no modifications are made to the terms and definitions; that such reproduction is not permitted for dictionaries or similar publications
offered for sale; and that this International Standard is referenced as the source document.
With the sole exceptions noted above, no other part of this publication may be reproduced or utilized in any form or by any means,
electronic or mechanical, including photocopying and microfilm, without permission in writing from either ISO at the address below or
ISO's member body in the country of the requester.
ISO copyright office
Case postale 56  CH-1211 Geneva 20
Tel. + 41 22 749 01 11
Fax + 41 22 749 09 47
E-mail copyright@iso.org
Web www.iso.org
Published in Switzerland

ii © ISO 2011 – All rights reserved

Contents
Foreword (page iv)
Introduction (page v)
Scope (page 1)
1 Terms and definitions (page 1)
2 Abbreviated terms (page 18)
Bibliography (page 21)
Alphabetical index (page 22)


Foreword
ISO (the International Organization for Standardization) is a worldwide federation of national standards bodies
(ISO member bodies). The work of preparing International Standards is normally carried out through ISO
technical committees. Each member body interested in a subject for which a technical committee has been
established has the right to be represented on that committee. International organizations, governmental and
non-governmental, in liaison with ISO, also take part in the work. ISO collaborates closely with the
International Electrotechnical Commission (IEC) on all matters of electrotechnical standardization.
International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2.
The main task of technical committees is to prepare International Standards. Draft International Standards
adopted by the technical committees are circulated to the member bodies for voting. Publication as an
International Standard requires approval by at least 75 % of the member bodies casting a vote.
Attention is drawn to the possibility that some of the elements of this document may be the subject of patent
rights. ISO shall not be held responsible for identifying any or all such patent rights.
ISO 26262-1 was prepared by Technical Committee ISO/TC 22, Road vehicles, Subcommittee SC 3,
Electrical and electronic equipment.
ISO 26262 consists of the following parts, under the general title Road vehicles — Functional safety:
— Part 1: Vocabulary
— Part 2: Management of functional safety
— Part 3: Concept phase
— Part 4: Product development at the system level
— Part 5: Product development at the hardware level
— Part 6: Product development at the software level
— Part 7: Production and operation
— Part 8: Supporting processes
— Part 9: Automotive Safety Integrity Level (ASIL)-oriented and safety-oriented analyses
— Part 10: Guideline on ISO 26262


Introduction
ISO 26262 is the adaptation of IEC 61508 to comply with needs specific to the application sector of electrical
and/or electronic (E/E) systems within road vehicles.
This adaptation applies to all activities during the safety lifecycle of safety-related systems comprised of
electrical, electronic and software components.
Safety is one of the key issues of future automobile development. New functionalities not only in areas such
as driver assistance, propulsion, in vehicle dynamics control and active and passive safety systems
increasingly touch the domain of system safety engineering. Development and integration of these
functionalities will strengthen the need for safe system development processes and the need to provide
evidence that all reasonable system safety objectives are satisfied.
With the trend of increasing technological complexity, software content and mechatronic implementation, there
are increasing risks from systematic failures and random hardware failures. ISO 26262 includes guidance to
avoid these risks by providing appropriate requirements and processes.
System safety is achieved through a number of safety measures, which are implemented in a variety of
technologies (e.g. mechanical, hydraulic, pneumatic, electrical, electronic, programmable electronic) and
applied at the various levels of the development process. Although ISO 26262 is concerned with functional
safety of E/E systems, it provides a framework within which safety-related systems based on other
technologies can be considered. ISO 26262:
a) provides an automotive safety lifecycle (management, development, production, operation, service,
decommissioning) and supports tailoring the necessary activities during these lifecycle phases;
b) provides an automotive-specific risk-based approach to determine integrity levels [Automotive Safety
Integrity Levels (ASIL)];
c) uses ASILs to specify applicable requirements of ISO 26262 so as to avoid unreasonable residual risk;
d) provides requirements for validation and confirmation measures to ensure a sufficient and acceptable
level of safety being achieved;
e) provides requirements for relations with suppliers.
Functional safety is influenced by the development process (including such activities as requirements
specification, design, implementation, integration, verification, validation and configuration), the production
and service processes and by the management processes.
Safety issues are intertwined with common function-oriented and quality-oriented development activities and
work products. ISO 26262 addresses the safety-related aspects of development activities and work products.
Figure 1 shows the overall structure of this edition of ISO 26262. ISO 26262 is based upon a V-model as a
reference process model for the different phases of product development. Within the figure:
— the shaded “V”s represent the interconnection between ISO 26262-3, ISO 26262-4, ISO 26262-5,
ISO 26262-6 and ISO 26262-7;
— the specific clauses are indicated in the following manner: “m-n”, where “m” represents the number of the
particular part and “n” indicates the number of the clause within that part.
EXAMPLE “2-6” represents Clause 6 of ISO 26262-2.


Figure 1 — Overview of ISO 26262


[Figure 1 is a block diagram of the parts and clauses of ISO 26262; the clause labels recovered from the figure text are listed here by part.]
1. Vocabulary
2. Management of functional safety
  2-5 Overall safety management
  2-6 Safety management during the concept phase and the product development
  2-7 Safety management after the item's release for production
3. Concept phase
  3-5 Item definition
  3-6 Initiation of the safety lifecycle
  3-7 Hazard analysis and risk assessment
  3-8 Functional safety concept
4. Product development at the system level
  4-5 Initiation of product development at the system level
  4-6 Specification of the technical safety requirements
  4-7 System design
  4-8 Item integration and testing
  4-9 Safety validation
  4-10 Functional safety assessment
  4-11 Release for production
5. Product development at the hardware level
  5-5 Initiation of product development at the hardware level
  5-6 Specification of hardware safety requirements
  5-7 Hardware design
  5-8 Evaluation of the hardware architectural metrics
  5-9 Evaluation of the safety goal violations due to random hardware failures
  5-10 Hardware integration and testing
6. Product development at the software level
  6-5 Initiation of product development at the software level
  6-7 Software architectural design
  6-8 Software unit design and implementation
  6-9 Software unit testing
  6-10 Software integration and testing
  6-11 Verification of software safety requirements
7. Production and operation
  7-5 Production
  7-6 Operation, service (maintenance and repair), and decommissioning
8. Supporting processes
  8-5 Interfaces within distributed developments
  8-6 Specification and management of safety requirements
  8-7 Configuration management
  8-8 Change management
  8-9 Verification
  8-10 Documentation
  8-11 Confidence in the use of software tools
  8-12 Qualification of software components
  8-13 Qualification of hardware components
  8-14 Proven in use argument
9. ASIL-oriented and safety-oriented analyses
  9-5 Requirements decomposition with respect to ASIL tailoring
  9-6 Criteria for coexistence of elements
  9-7 Analysis of dependent failures
  9-8 Safety analyses
10. Guideline on ISO 26262


Road vehicles — Functional safety —
Part 1:
Vocabulary

Scope
ISO 26262 is intended to be applied to safety-related systems that include one or more electrical and/or
electronic (E/E) systems and that are installed in series production passenger cars with a maximum gross
vehicle mass up to 3 500 kg. ISO 26262 does not address unique E/E systems in special purpose vehicles
such as vehicles designed for drivers with disabilities.
Systems and their components released for production, or systems and their components already under
development prior to the publication date of ISO 26262, are exempted from the scope. For further
development or alterations based on systems and their components released for production prior to the
publication of ISO 26262, only the modifications will be developed in accordance with ISO 26262.
ISO 26262 addresses possible hazards caused by malfunctioning behaviour of E/E safety-related systems,
including interaction of these systems. It does not address hazards related to electric shock, fire, smoke, heat,
radiation, toxicity, flammability, reactivity, corrosion, release of energy and similar hazards, unless directly
caused by malfunctioning behaviour of E/E safety-related systems.
ISO 26262 does not address the nominal performance of E/E systems, even if dedicated functional
performance standards exist for these systems (e.g. active and passive safety systems, brake systems,
Adaptive Cruise Control).
This part of ISO 26262 specifies the terms, definitions and abbreviated terms for application in all parts of
ISO 26262.
1 Terms and definitions
For the purposes of this document, the following terms and definitions apply.
1.1
allocation
assignment of a requirement to an architectural element (1.32)
NOTE Intent is not to divide an atomic requirement into multiple requirements. Tracing of an atomic system (1.129) level
requirement to multiple lower level atomic requirements is allowed.
1.2
anomaly
condition that deviates from expectations, based, for example, on requirements, specifications, design
documents, user documents, standards, or on experience
NOTE Anomalies can be discovered, among other times, during the review (1.98), testing (1.134), analysis,
compilation, or use of components (1.15) or applicable documentation.

1.3
architecture
representation of the structure of the item (1.69) or functions or systems (1.129) or elements (1.32) that
allows identification of building blocks, their boundaries and interfaces, and includes the allocation (1.1) of
functions to hardware and software elements
1.4
assessment
examination of a characteristic of an item (1.69) or element (1.32)
NOTE A level of independence (1.61) of the party or parties performing the assessment is associated with each
assessment.
1.5
audit
examination of an implemented process
1.6
Automotive Safety Integrity Level
ASIL
one of four levels to specify the item's (1.69) or element's (1.32) necessary requirements of ISO 26262 and
safety measures (1.110) to apply for avoiding an unreasonable residual risk (1.97), with D representing the
most stringent and A the least stringent level
1.7
ASIL decomposition
apportioning of safety requirements redundantly to sufficiently independent elements (1.32), with the objective
of reducing the ASIL (1.6) of the redundant safety requirements that are allocated to the corresponding
elements
1.8
availability
capability of a product to be in a state to execute the function required under given conditions, at a certain
time or in a given period, supposing the required external resources are available
1.9
baseline
version of a set of one or more work products, items (1.69) or elements (1.32) that is under configuration
management and used as a basis for further development through the change management process
NOTE See ISO 26262-8:2011, Clause 8.
1.10
branch coverage
percentage of branches of the control flow that have been executed
NOTE 1 100 % branch coverage implies 100 % statement coverage (1.127).
NOTE 2 An if-statement always has two branches - condition true and condition false - independent of the existence of
an else-clause.
1.11
calibration data
data that will be applied after the software build in the development process
EXAMPLE Parameters (e.g. value for low idle speed, engine characteristic diagrams); vehicle specific parameters
(adaptation values) (e.g. limit stop for throttle valve); variant coding (e.g. country code, left-hand/right-hand steering).
NOTE Calibration data cannot contain executable or interpretable code.

1.12
candidate
item (1.69) or element (1.32) whose definition and conditions of use are identical to, or have a very high
degree of commonality with, an item or element that is already released and in operation
NOTE This definition applies where candidate is used in the context of a proven in use argument (1.90).
1.13
cascading failure
failure (1.39) of an element (1.32) of an item (1.69) causing another element or elements of the same item to
fail
NOTE Cascading failures are dependent failures (1.22) that are not common cause failures (1.14). See Figure 2,
Failure A.

Figure 2 — Cascading failure
1.14
common cause failure
CCF
failure (1.39) of two or more elements (1.32) of an item (1.69) resulting from a single specific event or root
cause
NOTE Common cause failures are dependent failures (1.22) that are not cascading failures (1.13). See Figure 3.

Figure 3 — Common cause failure
1.15
component
non-system (1.129) level element (1.32) that is logically and technically separable and is comprised of more
than one hardware part (1.55) or of one or more software units (1.125)
NOTE A component is a part of a system.
1.16
configuration data
data that is assigned during software build and that controls the software build process
EXAMPLE Pre-processor instructions; software build scripts (e.g. XML configuration files).

NOTE 1 Configuration data cannot contain executable or interpretable code.
NOTE 2 Configuration data controls the software build. Only code, or data selected by configuration data can be
included in the executable code.
1.17
confirmation measure
confirmation review (1.18), audit (1.5) or assessment (1.4) concerning functional safety (1.51)
1.18
confirmation review
confirmation that a work product meets the requirements of ISO 26262 with the required level of
independence (1.61) of the reviewer
NOTE 1 A complete list of confirmation reviews is given in ISO 26262-2.
NOTE 2 The goal of confirmation reviews is to ensure compliance with ISO 26262.
1.19
controllability
ability to avoid a specified harm (1.56) or damage through the timely reactions of the persons involved,
possibly with support from external measures (1.38)
NOTE 1 Persons involved can include the driver, passengers or persons in the vicinity of the vehicle's exterior.
NOTE 2 The parameter C in hazard analysis and risk assessment (1.58) represents the potential for controllability.
1.20
dedicated measure
measure to ensure the failure rate (1.41) claimed in the evaluation of the probability of violation of safety
goals (1.108)
EXAMPLE Design feature [such as hardware part (1.55) over-design (e.g. electrical or thermal stress rating) or
physical separation (e.g. spacing of contacts on a printed circuit board)]; special sample test of incoming material to
reduce the risk (1.99) of occurrence of failure modes (1.40) which contribute to the violation of safety goals; burn-in test;
dedicated control plan.
1.21
degradation
strategy for providing safety (1.103) by design after the occurrence of failures (1.39)
NOTE Degradation can include reduced functionality, reduced performance, or both reduced functionality and
performance.
1.22
dependent failures
failures (1.39) whose probability of simultaneous or successive occurrence cannot be expressed as the
simple product of the unconditional probabilities of each of them
NOTE 1 Dependent failures A and B can be characterized when
$P_{AB} \neq P_{A} \cdot P_{B}$
where
$P_{AB}$ is the probability of the simultaneous occurrence of failure A and failure B;
$P_{A}$ is the probability of the occurrence of failure A;
$P_{B}$ is the probability of the occurrence of failure B.
NOTE 2 Dependent failures include common cause failures (1.14) and cascading failures (1.13).

1.23
detected fault
fault (1.42) whose presence is detected within a prescribed time by a safety mechanism (1.111) that
prevents the fault from being latent
EXAMPLE The fault can be detected by a dedicated safety mechanism (1.111) (e.g. detection of the error (1.36) and
notifying the driver via an alerting device on the instrument panel) as defined in the functional safety concept (1.52).
1.24
development interface agreement
DIA
agreement between customer and supplier in which the responsibilities for activities, evidence or work
products to be exchanged by each party are specified
1.25
diagnostic coverage
proportion of the hardware element (1.32) failure rate (1.41) that is detected or controlled by the
implemented safety mechanisms (1.111)
NOTE 1 Diagnostic coverage can be assessed with regard to residual faults (1.96) or with regard to latent multiple-
point faults (1.77) that might occur in a hardware element.
NOTE 2 The definition can be represented in terms of the equations given in ISO 26262-5.
NOTE 3 Safety mechanisms implemented at different levels in the architecture (1.3) can be considered.
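Diagnostic coverage as defined in 1.25 is a failure-rate-weighted proportion, and NOTE 3 allows mechanisms at several architectural levels to be counted together. The following is an added example, not text or code from the standard: the failure modes, failure rates (given in FIT, an assumed unit) and detected fractions are constructed, and the combination rule for several mechanisms on one failure mode assumes their misses are independent.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class FailureMode:
    """One failure mode (1.40) of a hardware element.

    failure_rate_fit: the failure mode's share of the element failure rate
        (1.41), in FIT (failures per 1e9 operating hours; unit assumed here).
    detected_fraction: fraction of that share that the implemented safety
        mechanisms (1.111) detect or control; a constructed engineering
        estimate, not a value taken from the standard.
    """
    name: str
    failure_rate_fit: float
    detected_fraction: float


def combined_detected_fraction(*fractions: float) -> float:
    """Coverage of several safety mechanisms acting on the same failure mode
    (1.25 NOTE 3). Assumption: their misses are independent, so a fault
    escapes only if every mechanism misses it and the miss rates multiply."""
    missed = 1.0
    for d in fractions:
        if not 0.0 <= d <= 1.0:
            raise ValueError(f"detected fraction {d} out of range 0..1")
        missed *= 1.0 - d
    return 1.0 - missed


def diagnostic_coverage(modes: list[FailureMode]) -> float:
    """Diagnostic coverage (1.25): the proportion of the element failure rate
    that is detected or controlled, computed as a failure-rate-weighted sum."""
    total = sum(m.failure_rate_fit for m in modes)
    if total <= 0.0:
        raise ValueError("element has no failure rate to cover")
    detected = 0.0
    for m in modes:
        if m.failure_rate_fit < 0.0:
            raise ValueError(f"{m.name}: negative failure rate")
        # One mechanism per mode is the single-argument case of the combiner,
        # which also validates the 0..1 range.
        detected += m.failure_rate_fit * combined_detected_fraction(m.detected_fraction)
    return detected / total


def undetected_failure_rate_fit(modes: list[FailureMode]) -> float:
    """Share of the element failure rate that no safety mechanism detects
    or controls; the part NOTE 1 asks to be assessed against residual and
    latent multiple-point faults."""
    total = sum(m.failure_rate_fit for m in modes)
    return total * (1.0 - diagnostic_coverage(modes))


# Constructed example: a position sensor element with four failure modes.
SAMPLE_MODES = [
    FailureMode("open circuit", 30.0, 0.99),
    FailureMode("short to ground", 20.0, 0.99),
    FailureMode("drift out of tolerance", 40.0, 0.60),
    FailureMode("stuck at last value", 10.0, 0.90),
]

if __name__ == "__main__":
    dc = diagnostic_coverage(SAMPLE_MODES)
    print(f"diagnostic coverage: {dc:.1%}")  # 82.5%
    print(f"undetected: {undetected_failure_rate_fit(SAMPLE_MODES):.1f} FIT")  # 17.5 FIT
    # A second, architecture-level plausibility check added to the drift mode:
    print(f"drift with plausibility check: "
          f"{combined_detected_fraction(0.60, 0.50):.2f}")  # 0.80
```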
1.26
diagnostic test interval
amount of time between the executions of online diagnostic tests by a safety mechanism (1.111)
1.27
distributed development
development of an item (1.69) or element (1.32) with development responsibility divided between the
customer and supplier(s) for the entire item or element, or for subsystems
NOTE Customer and supplier are roles of the cooperating parties.
1.28
diversity
different solutions satisfying the same requirement with the aim of independence (1.61)
EXAMPLE Diverse programming; diverse hardware.
NOTE Diversity does not guarantee independence, but addresses certain types of common cause failures (1.14).
1.29
dual-point failure
failure (1.39) resulting from the combination of two independent faults (1.42) that leads directly to the
violation of a safety goal (1.108)
NOTE 1 Dual-point failures are multiple-point failures (1.76) of order 2.
NOTE 2 Dual-point failures that are addressed in ISO 26262 include those where one fault affects a safety-related
element (1.113) and another fault affects the corresponding safety mechanism (1.111) intended to achieve or maintain a
safe state (1.102).
NOTE 3 For a dual-point failure to directly violate a safety goal, the presence of both independent faults is necessary,
i.e. the violation of a safety goal due to a combination of a residual fault (1.96) with a safe fault (1.101) is not considered
a dual-point failure since the residual fault leads to a violation of a safety goal with or without the presence of a second
independent fault.

1.30
dual-point fault
individual fault (1.42) that, in combination with another independent fault, leads to a dual-point failure (1.29)
NOTE 1 A dual-point fault can only be recognized after the identification of dual-point failure, e.g. from cut set analysis
of a fault tree.
NOTE 2 See also multiple-point fault (1.77).
1.31
electrical and/or electronic system
E/E system
system (1.129) that consists of electrical and/or electronic elements (1.32), including programmable
electronic elements
EXAMPLE Power supply; sensor or other input device; communication path; actuator or other output device.
1.32
element
system (1.129) or part of a system including components (1.15), hardware, software, hardware parts (1.55),
and software units (1.125)
1.33
embedded software
fully-integrated software to be executed on a processing element (1.32)
NOTE The processing element is normally a micro-controller, a field programmable gate array (FPGA) or an application-
specific integrated circuit (ASIC), but it can also be a more complex component (1.15) or subsystem.
1.34
emergency operation
degraded functionality from the state in which a fault (1.42) occurred until the transition to a safe state (1.102)
is achieved as defined in the warning and degradation concept (1.140)
1.35
emergency operation interval
specified time-span that emergency operation (1.34) is needed to support the warning and degradation
concept (1.140)
NOTE Emergency operation is part of the warning and degradation concept (1.140).
1.36
error
discrepancy between a computed, observed or measured value or condition, and the true, specified or
theoretically correct value or condition
NOTE 1 An error can arise as a result of unforeseen operating conditions or due to a fault (1.42) within the system
(1.129), subsystem or component (1.15) being considered.
NOTE 2 A fault can manifest itself as an error within the considered element (1.32) and the error can ultimately cause a
failure (1.39).
1.37
exposure
state of being in an operational situation (1.83) that can be hazardous (1.57) if coincident with the failure
mode (1.40) under analysis
1.38
external measure
measure that is separate and distinct from the item (1.69) which reduces or mitigates the risks (1.99)
resulting from the item

1.39
failure
termination of the ability of an element (1.32), to perform a function as required
NOTE Incorrect specification is a source of failure.
1.40
failure mode
manner in which an element (1.32) or an item (1.69) fails
1.41
failure rate
probability density of failure (1.39) divided by probability of survival for a hardware element (1.32)
NOTE The failure rate is assumed to be constant and is generally denoted as “λ”.
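The constant value in the NOTE follows from the definition in 1.41 once failure times are taken to be exponentially distributed; this short derivation is added here and is not part of the standard's text (f, R and t are assumed names for the failure probability density, the probability of survival and the operating time):

$$
f(t) = \lambda e^{-\lambda t}, \qquad
R(t) = \int_{t}^{\infty} f(u)\,du = e^{-\lambda t}, \qquad
\frac{f(t)}{R(t)} = \frac{\lambda e^{-\lambda t}}{e^{-\lambda t}} = \lambda .
$$

For any other life distribution the quotient f(t)/R(t) varies with t, so a constant failure rate is exactly the exponential case the NOTE assumes.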
1.42
fault
abnormal condition that can cause an element (1.32) or an item (1.69) to fail
NOTE 1 Permanent, intermittent and transient faults (1.134) (especially soft-errors) are considered.
NOTE 2 An intermittent fault occurs time and time again, then disappears. This type of fault can occur when a
component (1.15) is on the verge of breaking down or, for example, due to a glitch in a switch. Some systematic faults
(1.131) (e.g. timing marginalities) could lead to intermittent faults.
1.43
fault model
representation of failure modes (1.40) resulting from faults (1.42)
NOTE Fault models are generally based on field experience or reliability handbooks.
1.44
fault reaction time
time-span from the detection of a fault (1.42) to reaching the safe state (1.102)
See Figure 4.

[Figure 4 is a timeline; the labels recovered from the figure text are: Normal operation, Fault, Fault detection, Safe state and Possible hazard along a Time axis. The interval from the fault to its detection is marked T <= diagnostic test interval, the interval from fault detection to the safe state is the fault reaction time, and the interval from the fault to the possible hazard is the fault tolerant time interval.]

Figure 4 — Fault reaction time and fault tolerant time interval


1.45
fault tolerant time interval
time-span in which a fault (1.42) or faults can be present in a system (1.129) before a hazardous (1.57)
event occurs
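Definitions 1.26, 1.44 and 1.45 together give the timing budget a safety mechanism has to meet: in the Figure 4 model a fault is detected at most one diagnostic test interval after it arises, the fault reaction time follows, and the safe state must be reached before the fault tolerant time interval expires. The following is an added example, not code from the standard; the mechanism names and millisecond values are constructed, and the worst-case model (detection latency equals one full diagnostic test interval) is the assumption the check rests on.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class FaultHandlingTiming:
    """Timing parameters of one safety mechanism, all in milliseconds.
    The values in SAMPLES below are constructed, not taken from the standard."""
    name: str
    diagnostic_test_interval_ms: float      # 1.26: time between executions of the online test
    fault_reaction_time_ms: float           # 1.44: from fault detection to the safe state
    fault_tolerant_time_interval_ms: float  # 1.45: how long a fault may be present before a hazardous event

    def __post_init__(self) -> None:
        for label, value in (
            ("diagnostic test interval", self.diagnostic_test_interval_ms),
            ("fault reaction time", self.fault_reaction_time_ms),
            ("fault tolerant time interval", self.fault_tolerant_time_interval_ms),
        ):
            if value < 0.0:
                raise ValueError(f"{self.name}: {label} must not be negative")


def worst_case_handling_time_ms(t: FaultHandlingTiming) -> float:
    """Longest time from fault occurrence to safe state under the Figure 4 model:
    a fault that arises just after a diagnostic test ran is detected at most one
    diagnostic test interval later, and the fault reaction time follows."""
    return t.diagnostic_test_interval_ms + t.fault_reaction_time_ms


def ftti_margin_ms(t: FaultHandlingTiming) -> float:
    """Slack between the fault tolerant time interval and the worst-case
    handling time; a negative margin means the hazardous event can come first."""
    return t.fault_tolerant_time_interval_ms - worst_case_handling_time_ms(t)


def reaches_safe_state_in_time(t: FaultHandlingTiming) -> bool:
    """True when the mechanism reaches the safe state within the fault
    tolerant time interval even in the worst case."""
    return ftti_margin_ms(t) >= 0.0


def max_diagnostic_test_interval_ms(fault_reaction_time_ms: float,
                                    fault_tolerant_time_interval_ms: float) -> float:
    """Largest diagnostic test interval that still fits the budget: the longest
    a fault may stay undetected before detection plus reaction would overrun
    the fault tolerant time interval."""
    budget = fault_tolerant_time_interval_ms - fault_reaction_time_ms
    if budget < 0.0:
        raise ValueError("fault reaction time alone exceeds the fault tolerant time interval")
    return budget


# Constructed examples: one mechanism that fits its budget and one that does not.
SAMPLES = [
    FaultHandlingTiming("torque sensor plausibility check", 10.0, 20.0, 50.0),  # 30 <= 50
    FaultHandlingTiming("slow background RAM test", 40.0, 20.0, 50.0),          # 60 > 50
]

if __name__ == "__main__":
    for t in SAMPLES:
        verdict = "ok" if reaches_safe_state_in_time(t) else "OVERRUN"
        print(f"{t.name}: worst case {worst_case_handling_time_ms(t):.0f} ms, "
              f"margin {ftti_margin_ms(t):+.0f} ms -> {verdict}")
    print("max test interval for 20 ms reaction within 50 ms FTTI: "
          f"{max_diagnostic_test_interval_ms(20.0, 50.0):.0f} ms")  # 30 ms
```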
1.46
field data
data obtained from the use of an item (1.69) or element (1.32) including cumulative operating hours, all
failures (1.39) and in-service anomalies
NOTE Field data normally comes from customer use.
1.47
formal notation
description technique that has both its syntax and semantics completely defined
EXAMPLE Z notation (Zed); NuSMV (symbolic model checker); Prototype Verification System (PVS); Vienna
Development Method (VDM).
1.48
formal verification
method used to prove the correctness of a system (1.129) against the specification in formal notation (1.47)
of its required behaviour
1.49
freedom from interference
absence of cascading failures (1.13) between two or more elements (1.32) that could lead to the violation of
a safety requirement
EXAMPLE 1 Element 1 is free of interference from element 2 if no failure (1.39) of element 2 can cause element 1 to
fail.
EXAMPLE 2 Element 3 interferes with element 4 if there exists a failure of element 3 that causes element 4 to fail.
1.50
functional concept
specification of the intended functions and their interactions necessary to achieve the desired behaviour
NOTE The functional concept is developed during the concept phase (1.89).
1.51
functional safety
absence of unreasonable risk (1.136) due to hazards (1.57) caused by malfunctioning behaviour (1.73) of
E/E systems (1.31)
1.52
functional safety concept
specification of the functional safety requirements (1.53), with associated information, their allocation (1.1)
to architectural elements (1.32), and their interaction necessary to achieve the safety goals (1.108)
1.53
functional safety requirement
specification of implementation-independent safety (1.103) behaviour, or implementation-independent safety
measure (1.110), including its safety-related attributes
NOTE 1 A functional safety requirement can be a safety requirement implemented by a safety-related E/E system
(1.31), or by a safety-related system (1.129) of other technologies (1.84), in order to achieve or maintain a safe state
(1.102) for the item (1.69) taking into account a determined hazardous event (1.59).
NOTE 2 The functional safety requirements might be specified independently of the technology used in the concept
phase (1.89), of product development.
NOTE 3 Safety-related attributes include information about ASIL (1.6).

1.54
hardware architectural metrics
metrics for the assessment (1.4) of the effectiveness of the hardware architecture (1.3) with respect to
safety (1.103)
NOTE The single-point fault (1.122) metric and the latent fault (1.71) metric are the hardware architectural metrics.
1.55
hardware part
hardware which cannot be subdivided
1.56
harm
physical injury or damage to the health of persons
1.57
hazard
potential source of harm (1.56) caused by malfunctioning behaviour (1.73) of the item (1.69)
NOTE This definition is restricted to the scope of ISO 26262; a more general definition is potential source of harm.
1.58
hazard analysis and risk assessment
method to identify and categorize hazardous events (1.59) of items (1.69) and to specify safety goals
(1.108) and ASILs (1.6) related to the prevention or mitigation of the associated hazards in order to avoid
unreasonable risk (1.136)
1.59
hazardous event
combination of a hazard (1.57) and an operational situation (1.83)
1.60
homogeneous redundancy
multiple but identical implementations of a requirement
1.61
independence
absence of dependent failures (1.22) between two or more elements (1.32) that could lead to the violation of
a safety requirement, or or
...
