Road vehicles -- Functional safety

This document is intended to be applied to safety-related systems that include one or more electrical and/or electronic (E/E) systems and that are installed in series production road vehicles, excluding mopeds. This document does not address unique E/E systems in special vehicles such as E/E systems designed for drivers with disabilities. NOTE Other dedicated application-specific safety standards exist and can complement the ISO 26262 series of standards or vice versa. Systems and their components released for production, or systems and their components already under development prior to the publication date of this document, are exempted from the scope of this edition. This document addresses alterations to existing systems and their components released for production prior to the publication of this document by tailoring the safety lifecycle depending on the alteration. This document addresses integration of existing systems not developed according to this document and systems developed according to this document by tailoring the safety lifecycle. This document addresses possible hazards caused by malfunctioning behaviour of safety-related E/E systems, including interaction of these systems. It does not address hazards related to electric shock, fire, smoke, heat, radiation, toxicity, flammability, reactivity, corrosion, release of energy and similar hazards, unless directly caused by malfunctioning behaviour of safety-related E/E systems. This document describes a framework for functional safety to assist the development of safety-related E/E systems. This framework is intended to be used to integrate functional safety activities into a company-specific development framework. Some requirements have a clear technical focus to implement functional safety into a product; others address the development process and can therefore be seen as process requirements in order to demonstrate the capability of an organization with respect to functional safety. This document defines the vocabulary of terms used in the ISO 26262 series of standards.

Véhicules routiers -- Sécurité fonctionnelle

General Information

Status
Published
Publication Date
16-Dec-2018
Current Stage
6060 - International Standard published
Start Date
15-Sep-2018
Completion Date
17-Dec-2018
Ref Project

RELATIONS

Buy Standard

Standard
REDLINE ISO 26262-1:2018 - Road vehicles -- Functional safety
English language
33 pages
sale 15% off
Preview
sale 15% off
Preview
Standard
ISO 26262-1:2018 - Road vehicles -- Functional safety
English language
33 pages
sale 15% off
Preview
sale 15% off
Preview

Standards Content (sample)

INTERNATIONAL ISO
STANDARD 26262-1
Redline version
compares Second edition to
First edition
Road vehicles — Functional safety —
Part 1:
Vocabulary
Véhicules routiers — Sécurité fonctionnelle —
Partie 1: Vocabulaire
Reference number
ISO 26262-1:redline:2018(E)
ISO 2018
---------------------- Page: 1 ----------------------
ISO 26262-1:redline:2018(E)
IMPORTANT
This marked-up version uses the following colour-coding in the marked-up text:
Text example 1 — Text has been added (in green)
— Text has been deleted (in red)
Text example 2
— Graphic figure has been added
— Graphic figure has been deleted
1.x ... — If there are changes in a clause/subclause, the corresponding clause/
subclause number is highlighted in yellow in the Table of contents
DISCLAIMER

This marked-up version highlights the main changes in this edition of the document

compared with the previous edition. It does not focus on details (e.g. changes in

punctuation).

This marked-up version does not constitute the official ISO document and is not intended to

be used for implementation purposes.
COPYRIGHT PROTECTED DOCUMENT
© ISO 2018

All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may

be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting

on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address

below or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Fax: +41 22 749 09 47
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
ii © ISO 2018 – All rights reserved
---------------------- Page: 2 ----------------------
ISO 26262-1:redline:2018(E)
Contents Page

Foreword ........................................................................................................................................................................................................................................iv

Introduction ................................................................................................................................................................................................................................vi

1 Scope ................................................................................................................................................................................................................................. 1

2 Normative references ...................................................................................................................................................................................... 1

1 3 Terms and definitions ..................................................................................................................................................................................... 2

2 4 Abbreviated terms ...........................................................................................................................................................................................32

Bibliography .............................................................................................................................................................................................................................37

Alphabetical index .............................................................................................................................................................................................................37

© ISO 2018 – All rights reserved iii
---------------------- Page: 3 ----------------------
ISO 26262-1:redline:2018(E)
Foreword

ISO (the International Organization for Standardization) is a worldwide federation of national standards

bodies (ISO member bodies). The work of preparing International Standards is normally carried out

through ISO technical committees. Each member body interested in a subject for which a technical

committee has been established has the right to be represented on that committee. International

organizations, governmental and non-governmental, in liaison with ISO, also take part in the work.

ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters of

electrotechnical standardization.

International Standards areThe procedures used to develop this document and those intended for

its further maintenance are described in the ISO/IEC Directives, Part 1. In particular, the different

approval criteria needed for the different types of ISO documents should be noted. This document was

drafted in accordance with the rules given ineditorial rules of the ISO/IEC Directives, Part 2 (see www

.iso .org/directives).

The main task of technical committees is to prepare International Standards. Draft International

Standards adopted by the technical committees are circulated to the member bodies for voting.

Publication as an International Standard requires approval by at least 75 % of the member bodies

casting a vote.

Attention is drawn to the possibility that some of the elements of this document may be the subject of

patent rights. ISO shall not be held responsible for identifying any or all such patent rights. Details of

any patent rights identified during the development of the document will be in the Introduction and/or

on the ISO list of patent declarations received (see www .iso .org/patents).

Any trade name used in this document is information given for the convenience of users and does not

constitute an endorsement.

For an explanation on the voluntary nature of standards, the meaning of ISO specific terms and

expressions related to conformity assessment, as well as information about ISO’s adherence to the

World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT) see the following

URL: www .iso .org/iso/foreword .html.

ISO 26262-1This document was prepared by Technical Committee ISO/TC 22, Road vehicles

Subcommittee, Subcommittee SC 332, Electrical and electronic equipmentcomponents and general system

aspects.

This edition of ISO 26262 series consists of the following partsof standards cancels and replaces the

edition ISO 26262:2011, under the general title series of standards, which has been technically revised

and includes the Road vehicles — Functional safetyfollowing main changes:
— Part 1: Vocabularyrequirements for trucks, buses, trailers and semi-trailers;
— Part 2: Management of functional safetyextension of the vocabulary;
— Part 3: Concept phasemore detailed objectives;

— Part 4: Product development at the system levelobjective oriented confirmation measures;

— Part 5: Product development at the hardware levelmanagement of safety anomalies;

— references to cyber security;
— updated target values for hardware architecture metrics;

— Part 6: Product development at the software levelguidance on model based development and

software safety analysis;
— Part 7: Production and operationevaluation of hardware elements;
iv © ISO 2018 – All rights reserved
---------------------- Page: 4 ----------------------
ISO 26262-1:redline:2018(E)
— Part 8: Supporting processesadditional guidance on dependent failure analysis;

— Part 9: Automotive Safety Integrity Level (ASIL)-oriented and safety-oriented analysesguidance on

fault tolerance, safety-related special characteristics and software tools;
— Part 10: Guideline on ISO 26262guidance for semiconductors;
— requirements for motorcycles; and
— general restructuring of all parts for improved clarity.

Any feedback or questions on this document should be directed to the user’s national standards body. A

complete listing of these bodies can be found at www .iso .org/members .html.
A list of all parts in the ISO 26262 series can be found on the ISO website.
© ISO 2018 – All rights reserved v
---------------------- Page: 5 ----------------------
ISO 26262-1:redline:2018(E)
Introduction

The ISO 26262 series of standards is the adaptation of IEC 61508 series to comply with needs specific

to the application sectorof standards to address the sector specific needs of electrical and/or electronic

(E/E) systems within road vehicles.

This adaptation applies to all activities during the safety lifecycle of safety-related systems comprised

of electrical, electronic and software components.

Safety is one of the key issues of future automobile development. New functionalities not only in areas

such as driver assistance, propulsion, in vehicle dynamics control and active and passive safety systems

increasingly touch the domain of system safety engineeringin the development of road vehicles.

Development and integration of theseautomotive functionalities will strengthen the need for safe

system development processesfunctional safety and the need to provide evidence that all reasonable

systemfunctional safety objectives are satisfied.

With the trend of increasing technological complexity, software content and mechatronic

implementation, there are increasing risks from systematic failures and random hardware failures,

these being considered within the scope of functional safety. ISO 26262 series of standards includes

guidance to avoidmitigate these risks by providing appropriate requirements and processes.

System safety is achieved through a number of safety measures, which are implemented in a variety

of technologies (e.g. mechanical, hydraulic, pneumatic, electrical, electronic, programmable electronic)

and applied at the various levels of the development process. Although ISO 26262 is concerned with

functional safety of E/E systems, it provides a framework within which safety-related systems based

on other technologies can be considered.To achieve functional safety, ISO 26262the ISO 26262 series of

standards:

a) provides ana reference for the automotive safety lifecycle (management,and supports the tailoring

of the activities to be performed during the lifecycle phases, i.e., development, production,

operation, service, decommissioning) and supports tailoring the necessary activities during these

lifecycle phases and decommissioning;

b) provides an automotive-specific risk-based approach to determine integrity levels [Automotive

Safety Integrity Levels (ASILASILs)];

c) uses ASILs to specify applicablewhich of the requirements of ISO 26262 so asare applicable to avoid

unreasonable residual risk;

d) provides requirements for validation and confirmation measures to ensure a sufficient and

acceptable level of safety being achieved;functional safety management, design, implementation,

verification, validation and confirmation measures; and
e) provides requirements for relations withbetween customers and suppliers.

The ISO 26262 series of standards is concerned with functional safety of E/E systems that is achieved

through safety measures including safety mechanisms. It also provides a framework within which

safety-related systems based on other technologies (e.g. mechanical, hydraulic and pneumatic) can be

considered.

FunctionalThe achievement of functional safety is influenced by the development process (including

such activities as requirements specification, design, implementation, integration, verification,

validation and configuration), the production and service processes and by the management processes.

Safety issues areis intertwined with common function-oriented and quality-oriented development

activities and work products. The ISO 26262 series of standards addresses the safety-related aspects of

developmentthese activities and work products.
vi © ISO 2018 – All rights reserved
---------------------- Page: 6 ----------------------
ISO 26262-1:redline:2018(E)

Figure 1 shows the overall structure of this editionthe ISO 26262 series of ISO 26262standards. The ISO

26262 series of standards is based upon a V-model as a reference process model for the different phases

of product development. Within the figure:

— the shaded “V”s represent the interconnection betweenamong ISO 26262-3, ISO 26262-4,

ISO 26262-5, ISO 26262-6 and ISO 26262-7;
— for motorcycles:
— ISO 26262-12:2018, Clause 8 supports ISO 26262-3;
— ISO 26262-12:2018, Clauses 9 and 10 support ISO 26262-4;

— the specific clauses are indicated in the following manner: “m-n”, where “m” represents the number

of the particular part and “n” indicates the number of the clause within that part.

EXAMPLE “2-6” represents Clause 6 of ISO 26262-2ISO 26262-2:2018, Clause 6.
© ISO 2018 – All rights reserved vii
---------------------- Page: 7 ----------------------
ISO 26262-1:redline:2018(E)
Figure 1 — Overview of the ISO 26262 series of standards
viii © ISO 2018 – All rights reserved
---------------------- Page: 8 ----------------------
INTERNATIONAL STANDARD ISO 26262-1:redline:2018(E)
Road vehicles — Functional safety —
Part 1:
Vocabulary
1 Scope

ISO 26262This document is intended to be applied to safety-related systems that include one or more

electrical and/or electronic (E/E) systems and that are installed in series production passenger cars

with a maximum gross vehicle mass up to 3 500 kgroad vehicles, excluding mopeds. ISO 26262This

document does not address unique E/E systems in special purpose vehicles such as vehiclesE/E systems

designed for drivers with disabilities.

NOTE Other dedicated application-specific safety standards exist and can complement the ISO 26262 series

of standards or vice versa.

Systems and their components released for production, or systems and their components already under

development prior to the publication date of ISO 26262this document, are exempted from the scope.

For further development or alterations based on of this edition. This document addresses alterations

to existing systems and their components released for production prior to the publication of ISO 26262,

only the modifications will be developed in accordance withthis document by tailoring the safety

lifecycle depending on the alteration. This document addresses integration of existing systems not

developed ISO 26262according to this document and systems developed according to this document by

tailoring the safety lifecycle.

ISO 26262This document addresses possible hazards caused by malfunctioning behaviour of E/E

safety-related E/E systems, including interaction of these systems. It does not address hazards related

to electric shock, fire, smoke, heat, radiation, toxicity, flammability, reactivity, corrosion, release of

energy and similar hazards, unless directly caused by malfunctioning behaviour of E/E safety-related

E/E systems.

ISO 26262 does not address the nominal performance ofThis document describes a framework for

functional safety to assist the development of safety-related E/E systems, even if dedicated functional

performance standards exist for these systems (e.g. active and passive safety systems, brake systems,

Adaptive Cruise Control). This framework is intended to be used to integrate functional safety activities

into a company-specific development framework. Some requirements have a clear technical focus to

implement functional safety into a product; others address the development process and can therefore

be seen as process requirements in order to demonstrate the capability of an organization with respect

to functional safety.

This partdocument defines the vocabulary of ISO 26262 specifies the terms, definitions and abbreviated

terms for application in all partsterms used in the ISO 26262 series of ISO 26262standards.

2 Normative references

The following documents are referred to in the text in such a way that some or all of their content

constitutes requirements of this document. For dated references, only the edition cited applies. For

undated references, the latest edition of the referenced document (including any amendments) applies.

ISO 26262 (all parts), Road vehicles — Functional safety
© ISO 2018 – All rights reserved 1
---------------------- Page: 9 ----------------------
ISO 26262-1:redline:2018(E)
1 3 Terms and definitions

For the purposes of this document, the following terms and definitions given in ISO 26262 (all parts)

and the following apply.
1.1
allocation
assignment of a requirement to an architectural element (1.32)

Note 1 to entry: Intent is not to divide an atomic requirement into multiple requirements. Tracing of an atomic

system (1.129) level requirement to multiple lower level atomic requirements is allowed.

1.2
anomaly

condition that deviates from expectations, based, for example, on requirements, specifications, design

documents, user documents, standards, or on experience

Note 1 to entry: Anomalies can be discovered, among other times, during the review (1.98), testing (1.134),

analysis, compilation, or use of components (1.15) or applicable documentation.

ISO and IEC maintain terminological databases for use in standardization at the following addresses:

— ISO Online browsing platform: available at https: //www .iso .org/obp
— IEC Electropedia: available at http: //www .electropedia .org/
1.3 3.1
architecture

representation of the structure of the item (1.69 3.84) or functions or  systems (1.129 element (3.41)

or  elements (1.32)that allows identification of building blocks, their boundaries and interfaces, and

includes the allocation (1.1)allocation of functions to hardware and software elements requirements to

these building blocks
3.2
ASIL capability

capability of the item (3.84) or element (3.41) to meet assumed safety (3.132) requirements assigned

with a given ASIL (3.6)

Note 1 to entry: As a part of hardware safety requirements, achievement of the corresponding random hardware

target values for fault metrics (see ISO 26262-5:2018, Clauses 8 and 9) allocated to the element (3.41) is included,

if needed.
3.3
ASIL decomposition

apportioning of redundant safety (3.132) requirements to elements (3.41), with sufficient independence

(3.78), conducing to the same safety goal (3.139), with the objective of reducing the ASIL (3.6) of the

redundant safety (3.132) requirements that are allocated to the corresponding elements (3.41)

Note 1 to entry: ASIL decomposition is a basis for methods of ASIL (3.6) tailoring during the design process

(defined as requirements decomposition with respect to ASIL (3.6) tailoring in ISO 26262-9).

Note 2 to entry: ASIL decomposition does not apply to random hardware failure requirements per ISO 26262-9.

Note 3 to entry: Reducing the ASIL (3.6) of the redundant safety (3.132) requirements has some exclusions, e.g.

confirmation measures (3.23) remain at the level of the safety goal (3.139).
1.4 3.4
assessment

examination of whether a characteristic of an item (1.69 3.84) or element (1.32 3.41) achieves the

ISO 26262 objectives

Note 1 to entry: A level of independence (1.61) of the party or parties performing the assessment is associated

with each assessment.
2 © ISO 2018 – All rights reserved
---------------------- Page: 10 ----------------------
ISO 26262-1:redline:2018(E)
1.5 3.5
audit
examination of an implemented process with regard to the process objectives
1.6 3.6
automotive safety integrity level
ASIL

one of four levels to specify the item's (1.69 3.84) or element's (1.32 3.41) necessary requirements

of  ISO 26262 requirements and safety measures (1.110 3.141) to apply for avoiding an

unreasonable  residual unreasonable risk (1.97 3.176), with D representing the most stringent and A the

least stringent level
Note 1 to entry: QM (3.117) is not an ASIL.
1.7
ASIL decomposition

apportioning of safety requirements redundantly to sufficiently independent elements (1.32), with

the objective of reducing the ASIL (1.6) of the redundant safety requirements that are allocated to the

corresponding elements
1.8 3.7
availability

capability of a product to be in a state to execute the function required provide a stated function if

demanded, under given conditions, at a certain time or in a given period, supposing the required

external resources are available  over its defined lifetime
3.8
base failure rate
BFR

failure rate (3.53) of a hardware element (3.41) in a given application use case used as an input to safety

(3.132) analyses
3.9
base vehicle

Original Equipment Manufacturer (OEM) T&B vehicle configuration (3.175) prior to installation of body

builder equipment (3.12)

Note 1 to entry: Body builder equipment (3.12) may be installed on a base vehicle that consists of all driving

relevant systems (3.163) (engine, driveline, chassis, steering, brakes, cabin and driver information).

EXAMPLE Truck (3.174) chassis with powertrain and cabin, rolling chassis with powertrain.

1.9 3.10
baseline

version of a the approved set of one or more work products work products (3.185), items (1.69 3.84)

or elements (1.32 3.41) that is under configuration management and used serves as a basis for further

development through the change management process change
Note 1 to entry: See ISO 26262-8:2011 2018, Clause 8.
Note 2 to entry: A baseline is typically placed under configuration management.

Note 3 to entry: A baseline is used as a basis for further development through the change management process

during the lifecycle (3.86).
3.11
body builder

organization that adds trucks (3.174), buses (3.14), trailers (3.171) and semi-trailers (3.151) (T&B)

bodies, cargo carriers, or equipment to a base vehicle (3.9)

Note 1 to entry: T&B bodies include truck (3.174) cabs, bus (3.14) bodies, walk-in vans, etc.

© ISO 2018 – All rights reserved 3
---------------------- Page: 11 ----------------------
ISO 26262-1:redline:2018(E)

Note 2 to entry: Cargo carriers include cargo boxes, flat beds, car transport racks, etc.

Note 3 to entry: Equipment includes vocational devices and machinery, such as cement mixers, dump beds, snow

blades, lifts, etc.
3.12
body builder equipment
machine, body, or cargo carrier installed on the T&B base vehicle (3.9)
1.10 3.13
branch coverage

percentage of branches of the control flow that have been executed of a computer program executed

during a test

Note 1 to entry: 100 % branch coverage implies 100 % statementstatement  coverage (1.127 3.160).

Note 2 to entry: An if-statement always has two branches - condition true and condition false - independent of the

existence of an else-clause.
3.14
bus

motor vehicle which, because of its design and appointments, is intended for carrying persons and

luggage, and which has more than nine seating places, including the driving seat

Note 1 to entry: A bus may have one or two decks and may also tow a trailer (3.171).

1.11 3.15
calibration data

data that will be applied as software parameter values after the software build in the development process

EXAMPLE Parameters (e.g. value for low idle speed, engine characteristic diagrams); vehicle specific

parameters (adaptation values) ( , e.g., limit stop for throttle valve); variant coding (e.g. country code, left-hand/

right-hand steering).

Note 1 to entry: Calibration data cannot does not contain executable or interpretable code.

1.12 3.16
candidate

item (1.69 3.84) or element (1.32 3.41) whose definition and conditions of use are identical to, or have

a very high degree of commonality with, an item item (3.84) or element element (3.41) that is already

released and in operation

Note 1 to entry: This definition applies where candidate is used in the context of a proven in use argument

(1.90 3.115).
1.13 3.17
cascading failure

failure (1.39 3.50) of an element (1.32 3.41) of an item (1.69 3.84) resulting from a root cause [inside or

outside of the element (3.41)causing ] and then causing a failure (3.50) of another element element (3.41)

or elements elements (3.41) of the same item to fail or different item (3.84)

Note 1 to entry: Cascading failures are dependent failures (1.22 3.29) that are not could be one of the possible root

causes of a common cause failures (1.14 failure (3.18). See Figure 2, Failure A .

4 © ISO 2018 – All rights reserved
---------------------- Page: 12 ----------------------
ISO 26262-1:redline:2018(E)
Figure 2 — Cascading failure
1.14 3.18
common cause failure
CCF

failure (1.39 3.50) of two or more elements (1.32 3.41) of an item (1.69 3.84) resulting directly from a

single specific event or root cause which is either internal or external to all of these elements (3.41)

Note 1 to entry: Common cause failures are dependent failures (1.22 3.29) that are not cascading failures (1.13 3.17).

See Figure 3.
Figure 3 — Common cause failure
3.19
common mode failure
CMF
case of CCF (3.18) in which multiple elements (3.41) fail in the same manner

Note 1 to entry: Failure (3.50) in the same manner does not necessarily mean that they need to fail exactly the

same. How close the failure modes (3.51) need to be in order to be classified as common mode failure depends on

the context.

EXAMPLE 1 A system (3.163) has two temperature sensors which are compared with each other. If the

difference between the two temperature sensors is larger than or equal to 5 °C it is handled as a fault (3.54) and

the system (3.163) is switched into a safe state (3.131). A common mode failure lets both temperature sensors fail

in such a way that the difference between the two sensors is smaller than 5 °C and therefore is not detected.

© ISO 2018 – All rights reserved 5
---------------------- Page: 13 ----------------------
ISO 26262-1:redline:2018(E)

EXAMPLE 2 In a CPU lockstep architecture (3.1) where the outputs of both CPUs are compared cycle by cycle,

both CPUs need to fail exactly the same way in order for the failure (3.50) to go undetected. In this context, a

common mode failure lets both CPUs fail exactly the same way.

EXAMPLE 3 An over voltage failure (3.50) due to lots of parts not meeting their specification for over voltage

is a common mode failure.
3.20
complete vehicle
fully assembled T&B base vehicle (3.9) with its body builder equipment (3.12)
EXAMPLE Refuse collector, dump truck (3.174).
1.15 3.21
component

non-system (1.129)system level element (1.32 3.41) that is logically and or technically separable and is

comprised of more than one hardware part (1.55 3.71) or of  one or more software units (1.125 3.159)

EXAMPLE A microcontroller.
Note 1 to entry: A component is a part of a system system (3.163).
1.16 3.22
configuration data

data that is assigned during software element build and that controls the software element build process

EXAMPLE 1 Pre-processor instructions; software build scripts (e.g. XML configuration files) variable settings

which are used to derive compile time variants from the source code.
NOTE 1 Configuration data cannot contain executable or interpretable code.
EXAMPLE 2 XML files to control the build tools or toolchain.

NOTE 2 Note 1 to entry: Configuration data controls the software build. Only code, or data selected by

configuration data can Configuration data is used to select code from existing code variants already defined in

the code base. The functionality of selected code variant will be included in the executable code.

Note 2 to entry: Since configuration data is only used to select code variants, configuration data does not include

code that is executed or interpreted during the use of the item (3.84).
1.17 3.23
confirmation measure

confirmation review (1.18 3.24), audit (1.5 3.5) or assessment (1.4 3.4) concerning functional safety

(1.51 3.67)
1.18 3.24
confirmation review

confirmation that a work product meets  work product (3.185)the requirements  provides sufficient and

convincing evidence of their contribution to the achievement of ISO 26262 with functional safety (3.67)

the required level of considering the independence (1.61) of the reviewer corresponding objectives and

requirements of ISO 26262

Note 1 to entry: A complete list of confirmation reviews is given in ISO 26262-2.

Note 2 to entry: The goal of confirmation reviews is to ensure compliance with the ISO 26262 series of standards.

1.19 3.25
controllability

ability to avoid a specified harm (1.56 3.74) or damage through the timely reactions of the persons

involved, possibly with support from external measures (1.38 3.49)

Note 1 to entry: Persons involved can include the driver, passengers or persons in the vicinity of the vehicle's

exterior.
6 © ISO 2018 – All rights reserved
---------------------- Page: 14 ----------------------
ISO 26262-1:redline:2018(E)

Note 2 to entry: The parameter C in in  hazard analysis and risk assessment (1.58 3.76) represents the potential for

controllability.
3.26
coupling factors

common characteristic or relationship of elements (3.41) that leads to a dependence in their failures (3.50)

1.20 3.27
dedicated measure

measure to ensure the failure rate (1.41 3.53) claimed in the evaluation of the probability of violation of

safety goals (1.108 3.139)

EXAMPLE Design feature [ such as hardware part (1.55 3.71) over-design (e.g. electrical or thermal stress

rating) or physical separation (e.g. spacing of contacts on a printed circuit board)] ; special sample test of

incoming material to reduce the risk (1.99 3.128) of occurrence of failure modes (1.40 3.51) which contribute to

the violation of safety goals safety goals (3.139); burn-in test; dedicated control plan.

1.21 3.28
degradation

strategy for providing state or transition to a state of the safety (1.103 item (3.84) by design after the

occurrence of  failures (1.39)or element (3.41) with reduced functionality, performance, or both

Note 1 to entry: Degradation can include reduced functionality, reduced performance, or both reduced

functionality and performance.
1.22 3.29
dependent failures
failures (1.39 3.50) whose probability of simultaneous or suc
...

INTERNATIONAL ISO
STANDARD 26262-1
Second edition
2018-12
Road vehicles — Functional safety —
Part 1:
Vocabulary
Véhicules routiers — Sécurité fonctionnelle —
Partie 1: Vocabulaire
Reference number
ISO 26262-1:2018(E)
ISO 2018
---------------------- Page: 1 ----------------------
ISO 26262-1:2018(E)
COPYRIGHT PROTECTED DOCUMENT
© ISO 2018

All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may

be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting

on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address

below or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Fax: +41 22 749 09 47
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
ii © ISO 2018 – All rights reserved
---------------------- Page: 2 ----------------------
ISO 26262-1:2018(E)
Contents Page

Foreword ........................................................................................................................................................................................................................................iv

Introduction ................................................................................................................................................................................................................................vi

1 Scope ................................................................................................................................................................................................................................. 1

2 Normative references ...................................................................................................................................................................................... 1

3 Terms and definitions ..................................................................................................................................................................................... 1

4 Abbreviated terms ...........................................................................................................................................................................................28

Bibliography .............................................................................................................................................................................................................................33

© ISO 2018 – All rights reserved iii
---------------------- Page: 3 ----------------------
ISO 26262-1:2018(E)
Foreword

ISO (the International Organization for Standardization) is a worldwide federation of national standards

bodies (ISO member bodies). The work of preparing International Standards is normally carried out

through ISO technical committees. Each member body interested in a subject for which a technical

committee has been established has the right to be represented on that committee. International

organizations, governmental and non-governmental, in liaison with ISO, also take part in the work.

ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters of

electrotechnical standardization.

The procedures used to develop this document and those intended for its further maintenance are

described in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for the

different types of ISO documents should be noted. This document was drafted in accordance with the

editorial rules of the ISO/IEC Directives, Part 2 (see www .iso .org/directives).

Attention is drawn to the possibility that some of the elements of this document may be the subject of

patent rights. ISO shall not be held responsible for identifying any or all such patent rights. Details of

any patent rights identified during the development of the document will be in the Introduction and/or

on the ISO list of patent declarations received (see www .iso .org/patents).

Any trade name used in this document is information given for the convenience of users and does not

constitute an endorsement.

For an explanation on the voluntary nature of standards, the meaning of ISO specific terms and

expressions related to conformity assessment, as well as information about ISO's adherence to the

World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT) see the following

URL: www .iso .org/iso/foreword .html.

This document was prepared by Technical Committee ISO/TC 22, Road vehicles Subcommittee, SC 32,

Electrical and electronic components and general system aspects.

This edition of ISO 26262 series of standards cancels and replaces the edition ISO 26262:2011 series of

standards, which has been technically revised and includes the following main changes:

— requirements for trucks, buses, trailers and semi-trailers;
— extension of the vocabulary;
— more detailed objectives;
— objective oriented confirmation measures;
— management of safety anomalies;
— references to cyber security;
— updated target values for hardware architecture metrics;
— guidance on model based development and software safety analysis;
— evaluation of hardware elements;
— additional guidance on dependent failure analysis;

— guidance on fault tolerance, safety-related special characteristics and software tools;

— guidance for semiconductors;
— requirements for motorcycles; and
— general restructuring of all parts for improved clarity.
iv © ISO 2018 – All rights reserved
---------------------- Page: 4 ----------------------
ISO 26262-1:2018(E)

Any feedback or questions on this document should be directed to the user’s national standards body. A

complete listing of these bodies can be found at www .iso .org/members .html.
A list of all parts in the ISO 26262 series can be found on the ISO website.
© ISO 2018 – All rights reserved v
---------------------- Page: 5 ----------------------
ISO 26262-1:2018(E)
Introduction

The ISO 26262 series of standards is the adaptation of IEC 61508 series of standards to address the

sector specific needs of electrical and/or electronic (E/E) systems within road vehicles.

This adaptation applies to all activities during the safety lifecycle of safety-related systems comprised

of electrical, electronic and software components.

Safety is one of the key issues in the development of road vehicles. Development and integration of

automotive functionalities strengthen the need for functional safety and the need to provide evidence

that functional safety objectives are satisfied.

With the trend of increasing technological complexity, software content and mechatronic

implementation, there are increasing risks from systematic failures and random hardware failures,

these being considered within the scope of functional safety. ISO 26262 series of standards includes

guidance to mitigate these risks by providing appropriate requirements and processes.

To achieve functional safety, the ISO 26262 series of standards:

a) provides a reference for the automotive safety lifecycle and supports the tailoring of the activities

to be performed during the lifecycle phases, i.e., development, production, operation, service and

decommissioning;

b) provides an automotive-specific risk-based approach to determine integrity levels [Automotive

Safety Integrity Levels (ASILs)];

c) uses ASILs to specify which of the requirements of ISO 26262 are applicable to avoid unreasonable

residual risk;

d) provides requirements for functional safety management, design, implementation, verification,

validation and confirmation measures; and
e) provides requirements for relations between customers and suppliers.

The ISO 26262 series of standards is concerned with functional safety of E/E systems that is achieved

through safety measures including safety mechanisms. It also provides a framework within which

safety-related systems based on other technologies (e.g. mechanical, hydraulic and pneumatic) can be

considered.

The achievement of functional safety is influenced by the development process (including such

activities as requirements specification, design, implementation, integration, verification, validation

and configuration), the production and service processes and the management processes.

Safety is intertwined with common function-oriented and quality-oriented activities and work

products. The ISO 26262 series of standards addresses the safety-related aspects of these activities and

work products.

Figure 1 shows the overall structure of the ISO 26262 series of standards. The ISO 26262 series of

standards is based upon a V-model as a reference process model for the different phases of product

development. Within the figure:

— the shaded “V”s represent the interconnection among ISO 26262-3, ISO 26262-4, ISO 26262-5,

ISO 26262-6 and ISO 26262-7;
— for motorcycles:
— ISO 26262-12:2018, Clause 8 supports ISO 26262-3;
— ISO 26262-12:2018, Clauses 9 and 10 support ISO 26262-4;

— the specific clauses are indicated in the following manner: “m-n”, where “m” represents the number

of the particular part and “n” indicates the number of the clause within that part.

vi © ISO 2018 – All rights reserved
---------------------- Page: 6 ----------------------
ISO 26262-1:2018(E)
EXAMPLE “2-6” represents ISO 26262-2:2018, Clause 6.
Figure 1 — Overview of the ISO 26262 series of standards
© ISO 2018 – All rights reserved vii
---------------------- Page: 7 ----------------------
INTERNATIONAL STANDARD ISO 26262-1:2018(E)
Road vehicles — Functional safety —
Part 1:
Vocabulary
1 Scope

This document is intended to be applied to safety-related systems that include one or more electrical

and/or electronic (E/E) systems and that are installed in series production road vehicles, excluding

mopeds. This document does not address unique E/E systems in special vehicles such as E/E systems

designed for drivers with disabilities.

NOTE Other dedicated application-specific safety standards exist and can complement the ISO 26262 series

of standards or vice versa.

Systems and their components released for production, or systems and their components already under

development prior to the publication date of this document, are exempted from the scope of this edition.

This document addresses alterations to existing systems and their components released for production

prior to the publication of this document by tailoring the safety lifecycle depending on the alteration.

This document addresses integration of existing systems not developed according to this document and

systems developed according to this document by tailoring the safety lifecycle.

This document addresses possible hazards caused by malfunctioning behaviour of safety-related E/E

systems, including interaction of these systems. It does not address hazards related to electric shock,

fire, smoke, heat, radiation, toxicity, flammability, reactivity, corrosion, release of energy and similar

hazards, unless directly caused by malfunctioning behaviour of safety-related E/E systems.

This document describes a framework for functional safety to assist the development of safety-

related E/E systems. This framework is intended to be used to integrate functional safety activities

into a company-specific development framework. Some requirements have a clear technical focus to

implement functional safety into a product; others address the development process and can therefore

be seen as process requirements in order to demonstrate the capability of an organization with respect

to functional safety.

This document defines the vocabulary of terms used in the ISO 26262 series of standards.

2 Normative references

The following documents are referred to in the text in such a way that some or all of their content

constitutes requirements of this document. For dated references, only the edition cited applies. For

undated references, the latest edition of the referenced document (including any amendments) applies.

ISO 26262 (all parts), Road vehicles — Functional safety
3 Terms and definitions

For the purposes of this document, the terms and definitions given in ISO 26262 (all parts) and the

following apply.

ISO and IEC maintain terminological databases for use in standardization at the following addresses:

— ISO Online browsing platform: available at https: //www .iso .org/obp
— IEC Electropedia: available at http: //www .electropedia .org/
© ISO 2018 – All rights reserved 1
---------------------- Page: 8 ----------------------
ISO 26262-1:2018(E)
3.1
architecture

representation of the structure of the item (3.84) or element (3.41) that allows identification of

building blocks, their boundaries and interfaces, and includes the allocation of requirements to these

building blocks
3.2
ASIL capability

capability of the item (3.84) or element (3.41) to meet assumed safety (3.132) requirements assigned

with a given ASIL (3.6)

Note 1 to entry: As a part of hardware safety requirements, achievement of the corresponding random hardware

target values for fault metrics (see ISO 26262-5:2018, Clauses 8 and 9) allocated to the element (3.41) is included,

if needed.
3.3
ASIL decomposition

apportioning of redundant safety (3.132) requirements to elements (3.41), with sufficient independence

(3.78), conducing to the same safety goal (3.139), with the objective of reducing the ASIL (3.6) of the

redundant safety (3.132) requirements that are allocated to the corresponding elements (3.41)

Note 1 to entry: ASIL decomposition is a basis for methods of ASIL (3.6) tailoring during the design process

(defined as requirements decomposition with respect to ASIL (3.6) tailoring in ISO 26262-9).

Note 2 to entry: ASIL decomposition does not apply to random hardware failure requirements per ISO 26262-9.

Note 3 to entry: Reducing the ASIL (3.6) of the redundant safety (3.132) requirements has some exclusions, e.g.

confirmation measures (3.23) remain at the level of the safety goal (3.139).
3.4
assessment

examination of whether a characteristic of an item (3.84) or element (3.41) achieves the ISO 26262

objectives
3.5
audit
examination of an implemented process with regard to the process objectives
3.6
automotive safety integrity level
ASIL

one of four levels to specify the item's (3.84) or element's (3.41) necessary ISO 26262 requirements and

safety measures (3.141) to apply for avoiding an unreasonable risk (3.176), with D representing the most

stringent and A the least stringent level
Note 1 to entry: QM (3.117) is not an ASIL.
3.7
availability

capability of a product to provide a stated function if demanded, under given conditions over its defined

lifetime
3.8
base failure rate
BFR

failure rate (3.53) of a hardware element (3.41) in a given application use case used as an input to safety

(3.132) analyses
2 © ISO 2018 – All rights reserved
---------------------- Page: 9 ----------------------
ISO 26262-1:2018(E)
3.9
base vehicle

Original Equipment Manufacturer (OEM) T&B vehicle configuration (3.175) prior to installation of body

builder equipment (3.12)

Note 1 to entry: Body builder equipment (3.12) may be installed on a base vehicle that consists of all driving

relevant systems (3.163) (engine, driveline, chassis, steering, brakes, cabin and driver information).

EXAMPLE Truck (3.174) chassis with powertrain and cabin, rolling chassis with powertrain.

3.10
baseline

version of the approved set of one or more work products (3.185), items (3.84) or elements (3.41) that

serves as a basis for change
Note 1 to entry: See ISO 26262-8:2018, Clause 8.
Note 2 to entry: A baseline is typically placed under configuration management.

Note 3 to entry: A baseline is used as a basis for further development through the change management process

during the lifecycle (3.86).
3.11
body builder

organization that adds trucks (3.174), buses (3.14), trailers (3.171) and semi-trailers (3.151) (T&B)

bodies, cargo carriers, or equipment to a base vehicle (3.9)

Note 1 to entry: T&B bodies include truck (3.174) cabs, bus (3.14) bodies, walk-in vans, etc.

Note 2 to entry: Cargo carriers include cargo boxes, flat beds, car transport racks, etc.

Note 3 to entry: Equipment includes vocational devices and machinery, such as cement mixers, dump beds, snow

blades, lifts, etc.
3.12
body builder equipment
machine, body, or cargo carrier installed on the T&B base vehicle (3.9)
3.13
branch coverage

percentage of branches of the control flow of a computer program executed during a test

Note 1 to entry: 100 % branch coverage implies 100 % statement coverage (3.160).

Note 2 to entry: An if-statement always has two branches - condition true and condition false - independent of the

existence of an else-clause.
3.14
bus

motor vehicle which, because of its design and appointments, is intended for carrying persons and

luggage, and which has more than nine seating places, including the driving seat

Note 1 to entry: A bus may have one or two decks and may also tow a trailer (3.171).

3.15
calibration data

data that will be applied as software parameter values after the software build in the development process

EXAMPLE Parameters (e.g. value for low idle speed, engine characteristic diagrams); vehicle specific

parameters (adaptation values, e.g., limit stop for throttle valve); variant coding (e.g. country code, left-hand/

right-hand steering).
© ISO 2018 – All rights reserved 3
---------------------- Page: 10 ----------------------
ISO 26262-1:2018(E)

Note 1 to entry: Calibration data does not contain executable or interpretable code.

3.16
candidate

item (3.84) or element (3.41) whose definition and conditions of use are identical to, or have a very high

degree of commonality with, an item (3.84) or element (3.41) that is already released and in operation

Note 1 to entry: This definition applies where candidate is used in the context of a proven in use argument (3.115).

3.17
cascading failure

failure (3.50) of an element (3.41) of an item (3.84) resulting from a root cause [inside or outside of the

element (3.41)] and then causing a failure (3.50) of another element (3.41) or elements (3.41) of the same

or different item (3.84)

Note 1 to entry: Cascading failures are dependent failures (3.29) that could be one of the possible root causes of a

common cause failure (3.18). See Figure 2.
Figure 2 — Cascading failure
3.18
common cause failure
CCF

failure (3.50) of two or more elements (3.41) of an item (3.84) resulting directly from a single specific

event or root cause which is either internal or external to all of these elements (3.41)

Note 1 to entry: Common cause failures are dependent failures (3.29) that are not cascading failures (3.17). See

Figure 3.
Figure 3 — Common cause failure
4 © ISO 2018 – All rights reserved
---------------------- Page: 11 ----------------------
ISO 26262-1:2018(E)
3.19
common mode failure
CMF
case of CCF (3.18) in which multiple elements (3.41) fail in the same manner

Note 1 to entry: Failure (3.50) in the same manner does not necessarily mean that they need to fail exactly the

same. How close the failure modes (3.51) need to be in order to be classified as common mode failure depends on

the context.

EXAMPLE 1 A system (3.163) has two temperature sensors which are compared with each other. If the

difference between the two temperature sensors is larger than or equal to 5 °C it is handled as a fault (3.54) and

the system (3.163) is switched into a safe state (3.131). A common mode failure lets both temperature sensors fail

in such a way that the difference between the two sensors is smaller than 5 °C and therefore is not detected.

EXAMPLE 2 In a CPU lockstep architecture (3.1) where the outputs of both CPUs are compared cycle by cycle,

both CPUs need to fail exactly the same way in order for the failure (3.50) to go undetected. In this context, a

common mode failure lets both CPUs fail exactly the same way.

EXAMPLE 3 An over voltage failure (3.50) due to lots of parts not meeting their specification for over voltage

is a common mode failure.
3.20
complete vehicle
fully assembled T&B base vehicle (3.9) with its body builder equipment (3.12)
EXAMPLE Refuse collector, dump truck (3.174).
3.21
component

non-system level element (3.41) that is logically or technically separable and is comprised of more than

one hardware part (3.71) or one or more software units (3.159)
EXAMPLE A microcontroller.
Note 1 to entry: A component is a part of a system (3.163).
3.22
configuration data

data that is assigned during element build and that controls the element build process

EXAMPLE 1 Pre-processor variable settings which are used to derive compile time variants from the

source code.
EXAMPLE 2 XML files to control the build tools or toolchain.

Note 1 to entry: Configuration data controls the software build. Configuration data is used to select code from

existing code variants already defined in the code base. The functionality of selected code variant will be included

in the executable code.

Note 2 to entry: Since configuration data is only used to select code variants, configuration data does not include

code that is executed or interpreted during the use of the item (3.84).
3.23
confirmation measure

confirmation review (3.24), audit (3.5) or assessment (3.4) concerning functional safety (3.67)

3.24
confirmation review

confirmation that a work product (3.185) provides sufficient and convincing evidence of their

contribution to the achievement of functional safety (3.67) considering the corresponding objectives

and requirements of ISO 26262

Note 1 to entry: A complete list of confirmation reviews is given in ISO 26262-2.

© ISO 2018 – All rights reserved 5
---------------------- Page: 12 ----------------------
ISO 26262-1:2018(E)

Note 2 to entry: The goal of confirmation reviews is to ensure compliance with the ISO 26262 series of standards.

3.25
controllability

ability to avoid a specified harm (3.74) or damage through the timely reactions of the persons involved,

possibly with support from external measures (3.49)

Note 1 to entry: Persons involved can include the driver, passengers or persons in the vicinity of the vehicle's

exterior.

Note 2 to entry: The parameter C in hazard analysis and risk assessment (3.76) represents the potential for

controllability.
3.26
coupling factors

common characteristic or relationship of elements (3.41) that leads to a dependence in their failures (3.50)

3.27
dedicated measure

measure to ensure the failure rate (3.53) claimed in the evaluation of the probability of violation of

safety goals (3.139)

EXAMPLE Design feature such as hardware part (3.71) over-design (e.g. electrical or thermal stress rating)

or physical separation (e.g. spacing of contacts on a printed circuit board); special sample test of incoming

material to reduce the risk (3.128) of occurrence of failure modes (3.51) which contribute to the violation of safety

goals (3.139); burn-in test; dedicated control plan.
3.28
degradation

state or transition to a state of the item (3.84) or element (3.41) with reduced functionality,

performance, or both
3.29
dependent failures

failures (3.50) that are not statistically independent, i.e. the probability of the combined occurrence

of the failures (3.50) is not equal to the product of the probabilities of occurrence of all considered

independent failures (3.50)

Note 1 to entry: Dependent failures can manifest themselves simultaneously, or within a sufficiently short time

interval, to have the effect of simultaneous failures (3.50).

Note 2 to entry: Dependent failures include common cause failures (3.18) and cascading failures (3.17).

Note 3 to entry: Whether a given failure (3.50) is a cascading failure (3.17) or a common cause failure (3.18) may

depend on the hierarchical structure of the elements (3.41).

Note 4 to entry: Whether a given failure (3.50) is a cascading failure (3.17) or a common cause failure (3.18) may

depend on the temporal behaviour of the elements (3.41).

Note 5 to entry: Dependent failures can include software failures (3.50) even if the probability of the failure (3.50)

is not calculated.
3.30
dependent failure initiator
DFI

single root cause that leads multiple elements (3.41) to fail through coupling factors (3.26)

Note 1 to entry: Coupling factors (3.26) which are candidates for dependencies are identified during DFA.

Note 2 to entry: Failure (3.50) of elements (3.41) can happen simultaneously or sequentially.

EXAMPLE 1 Coupling factor (3.26): Two SW units using the same RAM. Root cause: One SW unit unintentionally

corrupts data used by the second SW unit.
6 © ISO 2018 – All rights reserved
---------------------- Page: 13 ----------------------
ISO 26262-1:2018(E)

EXAMPLE 2 Coupling factor (3.26): Two ECUs operating in the same compartment of the car. Root cause:

Unwanted/unexpected water intrusion into that particular compartment leads to flooding and to failure (3.50)

of both ECUs.

EXAMPLE 3 Coupling factor (3.26): Two microcontrollers using the same 3,3 V power supply. Root cause:

Overvoltage on the 3,3 V, damaging both microcontrollers.
3.31
detected fault

fault (3.54) whose presence is detected within a prescribed time by a safety mechanism (3.142)

Note 1 to entry: The prescribed time can be the fault detection time interval (3.55) or the multiple-point fault

detection time interval (3.98).
3.32
development interface agreement
DIA

agreement between customer and supplier in which the responsibilities for activities to be performed,

evidence to be reviewed, or work products (3.185) to be exchanged by each party related to the

development of items (3.84) or elements (3.41) are specified

Note 1 to entry: While DIA applies to the development phase, supply agreement (3.162) applies to production.

3.33
diagnostic coverage

percentage of the failure rate (3.53) of a hardware element (3.41), or percentage of the failure rate (3.53)

of a failure mode (3.51) of a hardware element (3.41) that is detected or controlled by the implemented

safety mechanism (3.142)

Note 1 to entry: Diagnostic coverage can be assessed with regard to residual faults (3.125) or with regard to

latent multiple-point faults (3.97) that might occur in a hardware element (3.41).

Note 2 to entry: Safety mechanisms (3.142) implemented at different levels in the architecture (3.1) can be

considered.

Note 3 to entry: Except when it is explicitly mentioned, the proportion of safe faults (3.130) of a safety-related

hardware element (3.41) is not considered when determining the diagnostic coverage of the safety mechanism

(3.142).
3.34
diagnostic points

output signals of an element (3.41) at which the detection or correction of a fault (3.54) is observed

Note 1 to entry: Diagnostic points are also referred to as "alarms" or "error (3.46) flags" or "correction flags".

EXAMPLE Read back information.
3.35
diagnostic test time interval

amount of time between the executions of online diagnostic tests by a safety mechanism (3.142)

including duration of the execution of an online diagnostic test
Note 1 to entry: See Figure 5.
3.36
distributed development

development of an item (3.84) or element (3.41) with development responsibility divided between the

customer and supplier(s) for the entire item (3.84) or element (3.41)
Note 1 to entry: Customer and supplier are roles of the cooperating parties.
© ISO 2018 – All rights reserved 7
---------------------- Page: 14 ----------------------
ISO 26262-1:2018(E)
3.37
diversity

different solutions satisfying the same requirement, with the goal of achieving independence (3.78)

Note 1 to entry: Diversity does not guarantee independence (3.78), but can deal with certain types of common

cause failures (3.18).

Note 2 to entry: Diversity can be a technical solution [diverse hardware components (3.21), diverse SW

components (3.21)] or a technical means (e.g. diverse compiler) to apply.
Note 3 to entry: Diversity is one way to realize redundancy (3.122).
EXAMPLE Diverse programming; diverse hardware.
3.38
dual-point failure

failure (3.50) resulting from the combination of two independent hardware faults (3.54) that leads

directly to the violation of a safety goal (3.139)

Note 1 to entry: Dual-point failures are multiple-point failures (3.96) of order 2.

Note 2 to entry: Dual-point failures that are addressed in the ISO 26262 series of standards include those where

one fault (3.54) affects a safety-related element (3.144) and another fault (3.54) affects the corresponding safety

mechanism (3.142) intended to achieve or maintain a safe state (3.131).
3.39
dual-point fault

individual fault (3.54) that, in combination with another independent fault (3.54), leads to a dual-point

failure (3.38)

Note 1 to entry: A dual-point fault can only be recognized after the identification of a dual-point failure (3.38), e.g.

from cut set analysis of a fault tree.
Note 2 to entry: See also multiple-point fault (3.97).
3.40
electrical and/or electronic system
E/E system

system (3.163) that consists of electrical or electronic elements (3.41), including programmable

electronic elements (3.41)

Note 1 to entry: An element (3.41) of an E/E system can also be another E/E system.

EXAMPLE Power supply; sensor or other input device; communication path; actuator or other output device.

3.41
element

system (3.163), components (3.21) (hardware or software), hardware parts (3.71), or software units (3.159)

Note 1 to entry: When “software element” or “hardware element” is used, this phrase denotes an element of

software only or an element of hardware only, respectively.
Note 2 to entry: An
...

Questions, Comments and Discussion

Ask us and Technical Secretary will try to provide an answer. You can facilitate discussion about the standard in here.