Road vehicles - Functional safety - Part 1: Vocabulary

This document is intended to be applied to safety-related systems that include one or more electrical and/or electronic (E/E) systems and that are installed in series production road vehicles, excluding mopeds. This document does not address unique E/E systems in special vehicles such as E/E systems designed for drivers with disabilities.

NOTE Other dedicated application-specific safety standards exist and can complement the ISO 26262 series of standards or vice versa.

Systems and their components released for production, or systems and their components already under development prior to the publication date of this document, are exempted from the scope of this edition. This document addresses alterations to existing systems and their components released for production prior to the publication of this document by tailoring the safety lifecycle depending on the alteration. This document addresses integration of existing systems not developed according to this document and systems developed according to this document by tailoring the safety lifecycle.

This document addresses possible hazards caused by malfunctioning behaviour of safety-related E/E systems, including interaction of these systems. It does not address hazards related to electric shock, fire, smoke, heat, radiation, toxicity, flammability, reactivity, corrosion, release of energy and similar hazards, unless directly caused by malfunctioning behaviour of safety-related E/E systems.

This document describes a framework for functional safety to assist the development of safety-related E/E systems. This framework is intended to be used to integrate functional safety activities into a company-specific development framework. Some requirements have a clear technical focus to implement functional safety into a product; others address the development process and can therefore be seen as process requirements in order to demonstrate the capability of an organization with respect to functional safety.

This document defines the vocabulary of terms used in the ISO 26262 series of standards.

Véhicules routiers — Sécurité fonctionnelle — Partie 1: Vocabulaire

General Information

Status: Published
Publication Date: 16-Dec-2018
Current Stage: 9092 - International Standard to be revised
Start Date: 08-Jul-2024
Completion Date: 13-Dec-2025

Overview

ISO 26262-1:2018, titled Road vehicles - Functional safety - Part 1: Vocabulary, is a key standard published by the International Organization for Standardization (ISO) that defines the terminology essential for understanding and implementing functional safety in automotive electrical and electronic systems. This standard applies to safety-related systems installed in series production road vehicles, excluding mopeds and special-purpose vehicles designed for drivers with disabilities.

ISO 26262-1:2018 provides a comprehensive vocabulary that supports the entire ISO 26262 series, which addresses the safety lifecycle of electrical, electronic, and software components in vehicles. It does not cover hazards like electric shock or fire unless directly linked to the malfunctioning of safety-related systems.

Key Topics

  • Functional Safety Vocabulary: The document establishes clear definitions for technical terms and abbreviations used throughout the ISO 26262 series, enabling consistent communication among automotive safety professionals.
  • Safety Lifecycle Framework: It supports the integration of functional safety activities into company-specific development processes, encompassing requirements specification, design, implementation, verification, validation, production, operation, and decommissioning.
  • Scope of Application: ISO 26262-1 focuses on safety-related electrical and electronic systems in passenger cars and similar vehicles with a maximum gross vehicle mass of up to 3,500 kg. It addresses alterations and integrations of systems developed before or outside the ISO 26262 framework by tailoring the safety lifecycle accordingly.
  • Exclusions: The standard explicitly excludes hazards unrelated to functional safety malfunctions, such as electric shock, fire, heat, radiation, or chemical hazards, unless they directly result from safety system failures.
  • Automotive Safety Integrity Levels (ASILs): Defines terms related to ASILs, which categorize the necessary safety requirements based on risk severity, helping organizations apply proportional safety measures.
  • Process and Product Requirements: Distinguishes between technical requirements for products and process requirements to demonstrate organizational capability in managing functional safety.

Applications

ISO 26262-1:2018 is essential for:

  • Automotive manufacturers and suppliers developing or modifying electrical and electronic safety-related systems.
  • Engineers and project managers implementing functional safety processes aligned with the ISO 26262 framework.
  • Safety assessors and auditors verifying compliance with functional safety requirements in the automotive sector.
  • Organizations integrating legacy systems or developing new vehicle functionalities requiring adherence to safety standards.

This vocabulary standard facilitates a common understanding required to design, assess, and manage functional safety according to ISO 26262, supporting the reduction of risks arising from systematic errors and random hardware failures.

Related Standards

ISO 26262-1 is part of the broader ISO 26262 series covering functional safety in road vehicles, including:

  • ISO 26262-2: Management of functional safety, focusing on organizational and project management requirements.
  • ISO 26262-3 to ISO 26262-7: Addressing product development at system, hardware, and software levels, production, and operation.
  • ISO 26262-8 to ISO 26262-10: Covering supporting processes, safety analyses, guidelines, and semiconductors.
  • ISO 26262-12: Dedicated to motorcycles, offering specific clauses that interface with other parts of the series.

Complementary standards and guidelines include sector-specific safety standards and international norms such as IEC 61508, which ISO 26262 adapts for automotive applications.


Keywords: ISO 26262-1, functional safety, automotive standards, electrical and electronic systems, safety lifecycle, automotive safety integrity level, ASIL, safety-related systems, road vehicles, vehicle safety standards, safety vocabulary, ISO automotive standards.

Standard: REDLINE ISO 26262-1:2018 - Road vehicles — Functional safety — Part 1: Vocabulary. Released: 12/17/2018. English language, 33 pages.

Frequently Asked Questions

ISO 26262-1:2018 is a standard published by the International Organization for Standardization (ISO). Its full title is "Road vehicles - Functional safety - Part 1: Vocabulary". This document defines the vocabulary of terms used in the ISO 26262 series of standards.

ISO 26262-1:2018 is classified under the following ICS (International Classification for Standards) categories: 01.040.43 - Road vehicle engineering (Vocabularies); 43.040.10 - Electrical and electronic equipment. The ICS classification helps identify the subject area and facilitates finding related standards.

ISO 26262-1:2018 has the following relationships with other standards: it has inter-standard links to ISO 26262-1:2011. Understanding these relationships helps ensure you are using the most current and applicable version of the standard.

Standards Content (Sample)


INTERNATIONAL STANDARD ISO 26262-1
Redline version compares Second edition to First edition
Road vehicles — Functional safety — Part 1: Vocabulary
Véhicules routiers — Sécurité fonctionnelle — Partie 1: Vocabulaire
Reference number ISO 26262-1:redline:2018(E)
© ISO 2018
IMPORTANT
This marked-up version uses the following colour-coding in the marked-up text:
— Text example 1: text has been added (in green)
— Text example 2: text has been deleted (in red)
— Graphic figure has been added
— Graphic figure has been deleted
— 1.x: if there are changes in a clause/subclause, the corresponding clause/subclause number is
highlighted in yellow in the Table of contents
DISCLAIMER
This marked-up version highlights the main changes in this edition of the document
compared with the previous edition. It does not focus on details (e.g. changes in
punctuation).
This marked-up version does not constitute the official ISO document and is not intended to
be used for implementation purposes.
© ISO 2018
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may
be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting
on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address
below or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Fax: +41 22 749 09 47
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
Contents
Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Abbreviated terms
Bibliography
Alphabetical index
Foreword
ISO (the International Organization for Standardization) is a worldwide federation of national standards
bodies (ISO member bodies). The work of preparing International Standards is normally carried out
through ISO technical committees. Each member body interested in a subject for which a technical
committee has been established has the right to be represented on that committee. International
organizations, governmental and non-governmental, in liaison with ISO, also take part in the work.
ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters of
electrotechnical standardization.
The procedures used to develop this document and those intended for its further maintenance are
described in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for
the different types of ISO documents should be noted. This document was drafted in accordance with
the editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives).
The main task of technical committees is to prepare International Standards. Draft International
Standards adopted by the technical committees are circulated to the member bodies for voting.
Publication as an International Standard requires approval by at least 75 % of the member bodies
casting a vote.
Attention is drawn to the possibility that some of the elements of this document may be the subject of
patent rights. ISO shall not be held responsible for identifying any or all such patent rights. Details of
any patent rights identified during the development of the document will be in the Introduction and/or
on the ISO list of patent declarations received (see www.iso.org/patents).
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation on the voluntary nature of standards, the meaning of ISO specific terms and
expressions related to conformity assessment, as well as information about ISO’s adherence to the
World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT) see the following
URL: www.iso.org/iso/foreword.html.
This document was prepared by Technical Committee ISO/TC 22, Road vehicles, Subcommittee SC 32,
Electrical and electronic components and general system aspects.
This edition of ISO 26262 series of standards cancels and replaces the edition ISO 26262:2011 series
of standards, which has been technically revised and includes the following main changes:
— requirements for trucks, buses, trailers and semi-trailers;
— extension of the vocabulary;
— more detailed objectives;
— objective oriented confirmation measures;
— management of safety anomalies;
— references to cyber security;
— updated target values for hardware architecture metrics;
— guidance on model based development and software safety analysis;
— evaluation of hardware elements;
— additional guidance on dependent failure analysis;
— guidance on fault tolerance, safety-related special characteristics and software tools;
— guidance for semiconductors;
— requirements for motorcycles; and
— general restructuring of all parts for improved clarity.
Any feedback or questions on this document should be directed to the user’s national standards body. A
complete listing of these bodies can be found at www.iso.org/members.html.
A list of all parts in the ISO 26262 series can be found on the ISO website.
Introduction
The ISO 26262 series of standards is the adaptation of IEC 61508 series of standards to address the
sector specific needs of electrical and/or electronic (E/E) systems within road vehicles.
This adaptation applies to all activities during the safety lifecycle of safety-related systems comprised
of electrical, electronic and software components.
Safety is one of the key issues in the development of road vehicles. Development and integration of
automotive functionalities strengthen the need for functional safety and the need to provide evidence
that functional safety objectives are satisfied.
With the trend of increasing technological complexity, software content and mechatronic
implementation, there are increasing risks from systematic failures and random hardware failures,
these being considered within the scope of functional safety. ISO 26262 series of standards includes
guidance to mitigate these risks by providing appropriate requirements and processes.
System safety is achieved through a number of safety measures, which are implemented in a variety
of technologies (e.g. mechanical, hydraulic, pneumatic, electrical, electronic, programmable electronic)
and applied at the various levels of the development process. Although ISO 26262 is concerned with
functional safety of E/E systems, it provides a framework within which safety-related systems based
on other technologies can be considered.
To achieve functional safety, the ISO 26262 series of standards:
a) provides a reference for the automotive safety lifecycle and supports the tailoring of the activities
to be performed during the lifecycle phases, i.e., development, production, operation, service and
decommissioning;
b) provides an automotive-specific risk-based approach to determine integrity levels [Automotive
Safety Integrity Levels (ASILs)];
c) uses ASILs to specify which of the requirements of ISO 26262 are applicable to avoid
unreasonable residual risk;
d) provides requirements for functional safety management, design, implementation,
verification, validation and confirmation measures; and
e) provides requirements for relations between customers and suppliers.
The ISO 26262 series of standards is concerned with functional safety of E/E systems that is achieved
through safety measures including safety mechanisms. It also provides a framework within which
safety-related systems based on other technologies (e.g. mechanical, hydraulic and pneumatic) can be
considered.
The achievement of functional safety is influenced by the development process (including
such activities as requirements specification, design, implementation, integration, verification,
validation and configuration), the production and service processes and by the management processes.
Safety is intertwined with common function-oriented and quality-oriented development
activities and work products. The ISO 26262 series of standards addresses the safety-related aspects of
these activities and work products.
Figure 1 shows the overall structure of the ISO 26262 series of standards. The ISO 26262 series of
standards is based upon a V-model as a reference process model for the different phases
of product development. Within the figure:
— the shaded “V”s represent the interconnection among ISO 26262-3, ISO 26262-4,
ISO 26262-5, ISO 26262-6 and ISO 26262-7;
— for motorcycles:
— ISO 26262-12:2018, Clause 8 supports ISO 26262-3;
— ISO 26262-12:2018, Clauses 9 and 10 support ISO 26262-4;
— the specific clauses are indicated in the following manner: “m-n”, where “m” represents the number
of the particular part and “n” indicates the number of the clause within that part.
EXAMPLE “2-6” represents ISO 26262-2:2018, Clause 6.
Figure 1 — Overview of the ISO 26262 series of standards
1 Scope
This document is intended to be applied to safety-related systems that include one or more
electrical and/or electronic (E/E) systems and that are installed in series production road vehicles,
excluding mopeds. This document does not address unique E/E systems in special vehicles such as
E/E systems designed for drivers with disabilities.
NOTE Other dedicated application-specific safety standards exist and can complement the ISO 26262 series
of standards or vice versa.
Systems and their components released for production, or systems and their components already under
development prior to the publication date of this document, are exempted from the scope of this
edition. This document addresses alterations to existing systems and their components released for
production prior to the publication of this document by tailoring the safety lifecycle depending on
the alteration. This document addresses integration of existing systems not developed according to
this document and systems developed according to this document by tailoring the safety lifecycle.
This document addresses possible hazards caused by malfunctioning behaviour of safety-related E/E
systems, including interaction of these systems. It does not address hazards related
to electric shock, fire, smoke, heat, radiation, toxicity, flammability, reactivity, corrosion, release of
energy and similar hazards, unless directly caused by malfunctioning behaviour of safety-related
E/E systems.
This document describes a framework for functional safety to assist the development of
safety-related E/E systems. This framework is intended to be used to integrate functional safety
activities into a company-specific development framework. Some requirements have a clear technical
focus to implement functional safety into a product; others address the development process and can
therefore be seen as process requirements in order to demonstrate the capability of an organization
with respect to functional safety.
This document defines the vocabulary of terms used in the ISO 26262 series of standards.
2 Normative references
The following documents are referred to in the text in such a way that some or all of their content
constitutes requirements of this document. For dated references, only the edition cited applies. For
undated references, the latest edition of the referenced document (including any amendments) applies.
ISO 26262 (all parts), Road vehicles — Functional safety
3 Terms and definitions
For the purposes of this document, the following terms and definitions apply.
1.1
allocation
assignment of a requirement to an architectural element (1.32)
Note 1 to entry: Intent is not to divide an atomic requirement into multiple requirements. Tracing of an atomic
system (1.129) level requirement to multiple lower level atomic requirements is allowed.
1.2
anomaly
condition that deviates from expectations, based, for example, on requirements, specifications, design
documents, user documents, standards, or on experience
Note 1 to entry: Anomalies can be discovered, among other times, during the review (1.98), testing (1.134),
analysis, compilation, or use of components (1.15) or applicable documentation.
ISO and IEC maintain terminological databases for use in standardization at the following addresses:
— ISO Online browsing platform: available at https://www.iso.org/obp
— IEC Electropedia: available at http://www.electropedia.org/
3.1
architecture
representation of the structure of the item (3.84) or element (3.41) that allows identification of
building blocks, their boundaries and interfaces, and includes the allocation of requirements to
these building blocks
3.2
ASIL capability
capability of the item (3.84) or element (3.41) to meet assumed safety (3.132) requirements assigned
with a given ASIL (3.6)
Note 1 to entry: As a part of hardware safety requirements, achievement of the corresponding random hardware
target values for fault metrics (see ISO 26262-5:2018, Clauses 8 and 9) allocated to the element (3.41) is included,
if needed.
3.3
ASIL decomposition
apportioning of redundant safety (3.132) requirements to elements (3.41), with sufficient independence
(3.78), conducing to the same safety goal (3.139), with the objective of reducing the ASIL (3.6) of the
redundant safety (3.132) requirements that are allocated to the corresponding elements (3.41)
Note 1 to entry: ASIL decomposition is a basis for methods of ASIL (3.6) tailoring during the design process
(defined as requirements decomposition with respect to ASIL (3.6) tailoring in ISO 26262-9).
Note 2 to entry: ASIL decomposition does not apply to random hardware failure requirements per ISO 26262-9.
Note 3 to entry: Reducing the ASIL (3.6) of the redundant safety (3.132) requirements has some exclusions, e.g.
confirmation measures (3.23) remain at the level of the safety goal (3.139).
3.4
assessment
examination of whether a characteristic of an item (3.84) or element (3.41) achieves the
ISO 26262 objectives
Note 1 to entry: A level of independence (1.61) of the party or parties performing the assessment is associated
with each assessment.
3.5
audit
examination of an implemented process with regard to the process objectives
3.6
automotive safety integrity level
ASIL
one of four levels to specify the item's (3.84) or element's (3.41) necessary ISO 26262 requirements
and safety measures (3.141) to apply for avoiding an unreasonable risk (3.176), with D representing
the most stringent and A the least stringent level
Note 1 to entry: QM (3.117) is not an ASIL.
1.7
ASIL decomposition
apportioning of safety requirements redundantly to sufficiently independent elements (1.32), with
the objective of reducing the ASIL (1.6) of the redundant safety requirements that are allocated to the
corresponding elements
3.7
availability
capability of a product to provide a stated function if demanded, under given conditions over its
defined lifetime
3.8
base failure rate
BFR
failure rate (3.53) of a hardware element (3.41) in a given application use case used as an input to safety
(3.132) analyses
3.9
base vehicle
Original Equipment Manufacturer (OEM) T&B vehicle configuration (3.175) prior to installation of body
builder equipment (3.12)
Note 1 to entry: Body builder equipment (3.12) may be installed on a base vehicle that consists of all driving
relevant systems (3.163) (engine, driveline, chassis, steering, brakes, cabin and driver information).
EXAMPLE Truck (3.174) chassis with powertrain and cabin, rolling chassis with powertrain.
3.10
baseline
version of the approved set of one or more work products (3.185), items (3.84) or elements (3.41)
that serves as a basis for change
Note 1 to entry: See ISO 26262-8:2018, Clause 8.
Note 2 to entry: A baseline is typically placed under configuration management.
Note 3 to entry: A baseline is used as a basis for further development through the change management process
during the lifecycle (3.86).
3.11
body builder
BB
organization that adds trucks (3.174), buses (3.14), trailers (3.171) and semi-trailers (3.151) (T&B)
bodies, cargo carriers, or equipment to a base vehicle (3.9)
Note 1 to entry: T&B bodies include truck (3.174) cabs, bus (3.14) bodies, walk-in vans, etc.
Note 2 to entry: Cargo carriers include cargo boxes, flat beds, car transport racks, etc.
Note 3 to entry: Equipment includes vocational devices and machinery, such as cement mixers, dump beds, snow
blades, lifts, etc.
3.12
body builder equipment
machine, body, or cargo carrier installed on the T&B base vehicle (3.9)
3.13
branch coverage
percentage of branches of the control flow of a computer program executed during a test
Note 1 to entry: 100 % branch coverage implies 100 % statement coverage (3.160).
Note 2 to entry: An if-statement always has two branches - condition true and condition false - independent of the
existence of an else-clause.
3.14
bus
motor vehicle which, because of its design and appointments, is intended for carrying persons and
luggage, and which has more than nine seating places, including the driving seat
Note 1 to entry: A bus may have one or two decks and may also tow a trailer (3.171).
3.15
calibration data
data that will be applied as software parameter values after the software build in the development process
EXAMPLE Parameters (e.g. value for low idle speed, engine characteristic diagrams); vehicle specific
parameters (adaptation values, e.g. limit stop for throttle valve); variant coding (e.g. country code,
left-hand/right-hand steering).
Note 1 to entry: Calibration data does not contain executable or interpretable code.
3.16
candidate
item (3.84) or element (3.41) whose definition and conditions of use are identical to, or have
a very high degree of commonality with, an item (3.84) or element (3.41) that is already
released and in operation
Note 1 to entry: This definition applies where candidate is used in the context of a proven in use argument
(3.115).
3.17
cascading failure
failure (3.50) of an element (3.41) of an item (3.84) resulting from a root cause [inside or
outside of the element (3.41)] and then causing a failure (3.50) of another element (3.41)
or elements (3.41) of the same or different item (3.84)
Note 1 to entry: Cascading failures are dependent failures (3.29) that could be one of the possible root
causes of a common cause failure (3.18). See Figure 2.
Figure 2 — Cascading failure
3.18
common cause failure
CCF
failure (3.50) of two or more elements (3.41) of an item (3.84) resulting directly from a
single specific event or root cause which is either internal or external to all of these elements (3.41)
Note 1 to entry: Common cause failures are dependent failures (3.29) that are not cascading failures (3.17).
See Figure 3.
Figure 3 — Common cause failure
3.19
common mode failure
CMF
case of CCF (3.18) in which multiple elements (3.41) fail in the same manner
Note 1 to entry: Failure (3.50) in the same manner does not necessarily mean that they need to fail exactly the
same. How close the failure modes (3.51) need to be in order to be classified as common mode failure depends on
the context.
EXAMPLE 1 A system (3.163) has two temperature sensors which are compared with each other. If the
difference between the two temperature sensors is larger than or equal to 5 °C it is handled as a fault (3.54) and
the system (3.163) is switched into a safe state (3.131). A common mode failure lets both temperature sensors fail
in such a way that the difference between the two sensors is smaller than 5 °C and therefore is not detected.
EXAMPLE 2 In a CPU lockstep architecture (3.1) where the outputs of both CPUs are compared cycle by cycle,
both CPUs need to fail exactly the same way in order for the failure (3.50) to go undetected. In this context, a
common mode failure lets both CPUs fail exactly the same way.
EXAMPLE 3 An over voltage failure (3.50) due to lots of parts not meeting their specification for over voltage
is a common mode failure.
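The two-sensor comparison of EXAMPLE 1, as an added illustration that is not part of ISO 26262: it shows which injected sensor errors the 5 °C comparison catches and which common mode errors pass it. The scenario values, `HAZARD_ERROR_C` and the diverse estimate `model_c` are assumptions made for this sketch.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define COMPARE_LIMIT_C 5.0   /* from EXAMPLE 1: difference >= 5 degC is handled as a fault */
#define HAZARD_ERROR_C  10.0  /* assumption: sensor error large enough to matter */

typedef struct {
    const char *label;
    double true_c;      /* actual temperature */
    double offset_a_c;  /* error injected into sensor A */
    double offset_b_c;  /* error injected into sensor B */
    double model_c;     /* assumption: estimate obtained from a diverse source */
} scenario_t;

/* Constructed scenarios, not measurements. */
const scenario_t SCENARIOS[] = {
    {"nominal noise",           80.0,  0.5, -0.5, 81.0},
    {"single sensor drift",     80.0, 12.0,  0.0, 81.0},
    {"threshold boundary",      80.0,  5.0,  0.0, 81.0},
    {"identical common offset", 80.0, 12.0, 12.0, 81.0},
    {"similar common offset",   80.0, 12.0,  9.0, 81.0},
};
const size_t N_SCENARIOS = sizeof SCENARIOS / sizeof SCENARIOS[0];

static double abs_c(double x) { return x < 0.0 ? -x : x; }

/* Comparison of the two redundant sensors, as in EXAMPLE 1. */
bool pair_check_trips(const scenario_t *s) {
    double a = s->true_c + s->offset_a_c;
    double b = s->true_c + s->offset_b_c;
    return abs_c(a - b) >= COMPARE_LIMIT_C;
}

/* Hypothetical second check: mean of both sensors against the diverse estimate. */
bool diverse_check_trips(const scenario_t *s) {
    double mean = s->true_c + (s->offset_a_c + s->offset_b_c) / 2.0;
    return abs_c(mean - s->model_c) >= COMPARE_LIMIT_C;
}

/* A scenario is hazardous when at least one sensor is badly wrong. */
bool is_hazardous(const scenario_t *s) {
    return abs_c(s->offset_a_c) >= HAZARD_ERROR_C ||
           abs_c(s->offset_b_c) >= HAZARD_ERROR_C;
}

/* Count hazardous scenarios that no enabled check detects. */
size_t count_escapes(const scenario_t *list, size_t n, bool use_diverse) {
    size_t escapes = 0;
    for (size_t i = 0; i < n; i++) {
        bool detected = pair_check_trips(&list[i]) ||
                        (use_diverse && diverse_check_trips(&list[i]));
        if (is_hazardous(&list[i]) && !detected)
            escapes++;
    }
    return escapes;
}

int main(void) {
    for (size_t i = 0; i < N_SCENARIOS; i++) {
        const scenario_t *s = &SCENARIOS[i];
        printf("%-24s pair=%d diverse=%d hazardous=%d\n", s->label,
               pair_check_trips(s), diverse_check_trips(s), is_hazardous(s));
    }
    printf("escapes, pair check only:   %zu\n",
           count_escapes(SCENARIOS, N_SCENARIOS, false));
    printf("escapes, with diverse check: %zu\n",
           count_escapes(SCENARIOS, N_SCENARIOS, true));
    return 0;
}
```

The "similar common offset" row matches Note 1 to entry: the two sensors do not fail identically, yet their difference stays below the comparison limit.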
3.20
complete vehicle
fully assembled T&B base vehicle (3.9) with its body builder equipment (3.12)
EXAMPLE Refuse collector, dump truck (3.174).
3.21
component
non-system level element (3.41) that is logically or technically separable and is
comprised of more than one hardware part (3.71) or one or more software units (3.159)
EXAMPLE A microcontroller.
Note 1 to entry: A component is a part of a system (3.163).
3.22
configuration data
data that is assigned during element build and that controls the element build process
EXAMPLE 1 Pre-processor variable settings which are used to derive compile time variants from the
source code.
EXAMPLE 2 XML files to control the build tools or toolchain.
Note 1 to entry: Configuration data controls the software build. Configuration data is used to select code
from existing code variants already defined in the code base. The functionality of selected code variant
will be included in the executable code.
Note 2 to entry: Since configuration data is only used to select code variants, configuration data does not include
code that is executed or interpreted during the use of the item (3.84).
3.23
confirmation measure
confirmation review (3.24), audit (3.5) or assessment (3.4) concerning functional safety (3.67)
3.24
confirmation review
confirmation that a work product (3.185) provides sufficient and convincing evidence of their
contribution to the achievement of functional safety (3.67) considering the corresponding objectives and
requirements of ISO 26262
Note 1 to entry: A complete list of confirmation reviews is given in ISO 26262-2.
Note 2 to entry: The goal of confirmation reviews is to ensure compliance with the ISO 26262 series of standards.
3.25
controllability
ability to avoid a specified harm (3.74) or damage through the timely reactions of the persons
involved, possibly with support from external measures (3.49)
Note 1 to entry: Persons involved can include the driver, passengers or persons in the vicinity of the vehicle's
exterior.
Note 2 to entry: The parameter C in hazard analysis and risk assessment (3.76) represents the potential for
controllability.
3.26
coupling factors
common characteristic or relationship of elements (3.41) that leads to a dependence in their failures (3.50)
3.27
dedicated measure
measure to ensure the failure rate (3.53) claimed in the evaluation of the probability of violation of
safety goals (3.139)
EXAMPLE Design feature [such as hardware part (3.71) over-design (e.g. electrical or thermal stress
rating) or physical separation (e.g. spacing of contacts on a printed circuit board)]; special sample test of
incoming material to reduce the risk (3.128) of occurrence of failure modes (3.51) which contribute to
the violation of safety goals (3.139); burn-in test; dedicated control plan.
3.28
degradation
state or transition to a state of the item (3.84) or element (3.41) with reduced functionality,
performance, or both
Note 1 to entry: Degradation can include reduced functionality, reduced performance, or both reduced
functionality and performance.
3.29
dependent failures
failures (3.50) that are not statistically independent, i.e. the probability of the combined occurrence of the
failures (3.50) is not equal to the product of the probabilities of occurrence
of all considered independent failures (3.50)
Note 1 to entry: Dependent failures can manifest themselves simultaneously, or within a sufficiently short time
interval, to have the effect of simultaneous failures (3.50).
Note 2 to entry: Dependent failures include common cause failures (3.18) and cascading failures (3.17).
Note 3 to entry: Whether a given failure (3.50) is a cascading failure (3.17) or a common cause failure (3.18) may
depend on the hierarchical structure of the elements (3.41).
Note 4 to entry: Dependent failures A and B can be characterized when

$P_{AB} \neq P_A \times P_B$

where
$P_{AB}$ is the probability of the simultaneous occurrence of failure A and failure B;
$P_A$ is the probability of the occurrence of failure A;
$P_B$ is the probability of the occurrence of failure B.
Whether a given failure (3.50) is a cascading failure (3.17) or a common cause failure (3.18) may depend on the
temporal behaviour of the elements (3.41).
Note 5 to entry: Dependent failures can include software failures (3.50) even if the
probability of the failure (3.50) is not calculated.
3.30
dependent failure initiator
DFI
single root cause that leads multiple elements (3.41) to fail through coupling factors (3.26)
Note 1 to entry: Coupling factors (3.26) which are candidates for dependencies are identified during DFA.
Note 2 to entry: Failure (3.50) of elements (3.41) can happen simultaneously or sequentially.
EXAMPLE 1 Coupling factor (3.26): Two SW units using the same RAM. Root cause: One SW unit unintentionally
corrupts data used by the second SW unit.
EXAMPLE 2 Coupling factor (3.26): Two ECUs operating in the same compartment of the car. Root cause:
Unwanted/unexpected water intrusion into that particular compartment leads to flooding and to failure (3.50)
of both ECUs.
EXAMPLE 3 Coupling factor (3.26): Two microcontrollers using the same 3,3 V power supply. Root cause:
Overvoltage on the 3,3 V, damaging both microcontrollers.
3.31
detected fault
fault (3.54) whose presence is detected within a prescribed time by a safety mechanism (3.142)
that prevents the fault from being latent
EXAMPLE The fault can be detected by a dedicated safety mechanism (1.111) (e.g. detection of the error
(1.36) and notifying the driver via an alerting device on the instrument panel) as defined in the functional safety
concept (1.52).
Note 1 to entry: The prescribed time can be the fault detection time interval (3.55) or the multiple-point fault
detection time interval (3.98).
3.32
development interface agreement
DIA
agreement between customer and supplier in which the responsibilities for activities to be performed,
evidence or work products to be reviewed, or work products (3.185) to be exchanged by each party
related to the development of items (3.84) or elements (3.41) are specified
Note 1 to entry: While DIA applies to the development phase, supply agreement (3.162) applies to production.
3.33
diagnostic coverage
DC
percentage of the failure rate (3.53) of a hardware element (3.41), or percentage of the
failure rate (3.53) of a failure mode (3.51) of a hardware element (3.41) that is detected or controlled
by the implemented safety mechanism (3.142)
Note 1 to entry: Diagnostic coverage can be assessed with regard to residual faults (3.125) or with regard to
latent multiple-point faults (3.97) that might occur in a hardware element (3.41).
NOTE 2: The definition can be represented in terms of the equations given in ISO 26262-5.
Note 2 to entry: Safety mechanisms (3.142) implemented at different levels in the architecture
(3.1) can be considered.
Note 3 to entry: Except when it is explicitly mentioned, the proportion of safe faults (3.130) of a safety-related
hardware element (3.41) is not considered when determining the diagnostic coverage of the safety mechanism
(3.142).
3.34
diagnostic points
output signals of an element (3.41) at which the detection or correction of a fault (3.54) is observed
Note 1 to entry: Diagnostic points are also referred to as "alarms" or "error (3.46) flags" or "correction flags".
EXAMPLE Read back information.
3.35
diagnostic test time interval
DTI
amount of time between the executions of online diagnostic tests by a safety mechanism (3.142)
including duration of the execution of an online diagnostic test
Note 1 to entry: See Figure 5.
3.36
distributed development
development of an item (3.84) or element (3.41) with development responsibility divided between
the customer and supplier(s) for the entire item (3.84) or element (3.41)
Note 1 to entry: Customer and supplier are roles of the cooperating parties.
3.37
diversity
different solutions satisfying the same requirement, with the goal of achieving independence
(3.78)
Note 1 to entry: Diversity does not guarantee independence (3.78), but can deal with
certain types of common cause failures (3.18).
Note 2 to entry: Diversity can be a technical solution [diverse hardware components (3.21), diverse SW
components (3.21)] or a technical means (e.g. diverse compiler) to apply.
Note 3 to entry: Diversity is one way to realize redundancy (3.122).
EXAMPLE Diverse programming; diverse hardware.
3.38
dual-point failure
failure (3.50) resulting from the combination of two independent hardware faults (3.54) that
leads directly to the violation of a safety goal (3.139)
Note 1 to entry: Dual-point failures are multiple-point failures (3.96) of order 2.
Note 2 to entry: Dual-point failures that are addressed in the ISO 26262 series of standards include those
where one fault (3.54) affects a safety-related element (3.144) and another fault (3.54) affects the
corresponding safety mechanism (3.142) intended to achieve or maintain a safe state (3.131).
Note 3 to entry: For a dual-point failure to directly violate a safety goal, the presence of both independent faults is
necessary, i.e. the violation of a safety goal due to a combination of a residual fault (1.96) with a safe fault (1.101) is
not considered a dual-point failure since the residual fault leads to a violation of a safety goal with or without the
presence of a second independent fault.
3.39
dual-point fault
individual fault (3.54) that, in combination with another independent fault (3.54), leads to a
dual-point failure (3.38)
Note 1 to entry: A dual-point fault can only be recognized after the identification of a dual-point
failure (3.38), e.g. from cut set analysis of a fault tree.
Note 2 to entry: See also multiple-point fault (3.97).
3.40
electrical and/or electronic system
E/E system
system (3.163) that consists of electrical or electronic elements (3.41), including
programmable electronic elements (3.41)
Note 1 to entry: An element (3.41) of an E/E system can also be another E/E system.
EXAMPLE Power supply; sensor or other input device; communication path; actuator or other output device.
3.41
element
system (3.163), components (3.21) (hardware or software), hardware parts (3.71), or software
units (3.159)
Note 1 to entry: When “software element” or “hardware element” is used, this phrase denotes an element of
software only or an element of hardware only, respectively.
Note 2 to entry: An element may also be a SEooC (3.138).
3.42
embedded software
fully-integrated software to be executed on a processing element (3.113)
Note 1 to entry: The processing element is normally a micro-controller, a field programmable gate array (FPGA)
or an application-specific integrated circuit (ASIC), but it can also be a more complex component (1.15) or
subsystem.
3.43
emergency operation
operating mode (3.102) of an item (3.84), for providing safety (3.132) after the reaction to a fault (3.54)
until the transition to a safe state (3.131) is achieved
Note 1 to entry: See Figure 4 and Figure 5.
Note 2 to entry: When a safe state (3.131) cannot be directly reached, or cannot be timely reached, or cannot
be maintained after the detection of a fault (3.54), a safety mechanism (3.142) can transition the item (3.84)
to emergency operation for providing safety (3.132) until the transition to a safe state (3.131) is achieved and
maintained.
Note 3 to entry: Emergency operation and associated emergency operation tolerance time interval (3.45) are
described in the warning and degradation strategy (3.183).
Note 4 to entry: Degradation (3.28) can be part of the concept for emergency operation.
EXAMPLE Emergency operation can be specified as part of the error (3.46) reaction of a fault tolerant
item (3.84).
3.44
emergency operation time interval
EOTI
time-span during which emergency operation (3.43) is maintained
Note 1 to entry: See Figure 4 and Figure 5.
Note 2 to entry: Emergency operation (3.43) and associated emergency operation tolerance time interval (3.45) are
described in the warning and degradation strategy (3.183).
Note 3 to entry: Emergency operation (3.43) is temporarily maintained for providing safety (3.132) until the
transition to a safe state (3.131) is achieved.
3.45
emergency operation tolerance time interval
EOTTI
specified time-span during which emergency operation (3.43) can be
maintained without an unreasonable level of risk (3.128)
Note 1 to entry: See Figure 4.
Note 2 to entry: Emergency operation tolerance time interval is the maximum value of the
emergency operation time interval (3.44).
Note 3 to entry: Emergency operation (3.43) can be considered safe due to the limited operation time as defined
in the emergency operation tolerance time interval.
Figure 4 — Emergency operation tolerance time interval
3.46
error
discrepancy between a computed, observed or measured value or condition, and the true, specified or
theoretically correct value or condition
Note 1 to entry: An error can arise as a result of a fault (3.54)
within the system (3.163) or component (3.21) being considered.
Note 2 to entry: A fault can manifest itself as an error within the considered element (1.32) and the error can
ultimately cause a failure (1.39).
3.47
expert rider
role filled by persons capable of evaluating controllability (3.25) classifications based on operation of
actual motorcycles (3.93)
Note 1 to entry: An expert rider is a rider who has the:
— skill to evaluate controllability (3.25) including knowledge to evaluate;
— capability to conduct the vehicle test; and
— knowledge to evaluate motorcycle (3.93) controllability (3.25) characteristics with respect to a representative
rider's riding capability.
Note 2 to entry: See ISO 26262-12:2018, Annex C for information relating to the use of expert riders.
3.48
exposure
state of being in an operational situation (3.104) that can be hazardous if coincident
with the failure mode (3.51) under analysis
Note 1 to entry: The parameter “E” in hazard analysis and risk assessment (3.76) represents the potential exposure
to the operational situation (3.104).
3.49
external measure
measure that is separate and distinct from the item (3.84) which reduces or mitigates the risks
(3.128) resulting from the item (3.84)
3.50
failure
termination of an intended behaviour of an element (3.41) or an item (3.84) due to
a fault (3.54) manifestation
Note 1 to entry: Termination can be permanent or transient.
3.51
failure mode
manner in which an element (3.41) or an item (3.84) fails to provide the intended behaviour
3.52
failure mode coverage
FMC
proportion of the failure rate (3.53) of a failure mode (3.51) of a hardware element (3.41) that is detected
or controlled by the implemented safety mechanism (3.142)
3.53
failure rate
probability density of failure (3.50) divided by probability of survival for a hardware element
(3.41)
Note 1 to entry: The failure rate is assumed to be constant and is generally denoted as “λ”.
3.54
fault
abnormal condition that can cause an element (3.41) or an item (3.84) to fail
Note 1 to entry: Permanent, intermittent, and transient faults (3.173) (especially soft errors) are considered.
Note 2 to entry: When a subsystem is in an error (3.46) state it could result in a fault for the system (3.163).
Note 3 to entry: An intermittent fault occurs from time to time and then
disappears again. This type of fault can occur when a component (3.21) is on the verge of breaking down or,
for example, due to an internal malfunction in a switch. Some systematic faults (3.165) (e.g. timing
irregularities) could lead to intermittent faults.
3.55
fault detection time interval
FDTI
time-span from the occurrence of a fault (3.54) to its detection
Note 1 to entry: See Figure 5.
Note 2 to entry: Fault detection time interval is determined independently of diagnostic test time interval (3.35).
EXAMPLE The fault detection time interval of a diagnostic test can be longer than the diagnostic test time
interval (3.35) due to implemented error (3.46) counters, i.e. the fault (3.54) must be detected more than once by
the diagnostic test before triggering an error (3.46) reactio
...


INTERNATIONAL STANDARD ISO 26262-1
Redline version compares Second edition to First edition
Road vehicles — Functional safety — Part 1: Vocabulary
Véhicules routiers — Sécurité fonctionnelle — Partie 1: Vocabulaire
Reference number ISO 26262-1:redline:2018(E)
© ISO 2018
IMPORTANT
This marked-up version uses the following colour-coding in the marked-up text:
— Text example 1: text has been added (in green)
— Text example 2: text has been deleted (in red)
— Graphic figure has been added
— Graphic figure has been deleted
— 1.x: if there are changes in a clause/subclause, the corresponding clause/subclause number is
highlighted in yellow in the Table of contents
DISCLAIMER
This marked-up version highlights the main changes in this edition of the document
compared with the previous edition. It does not focus on details (e.g. changes in
punctuation).
This marked-up version does not constitute the official ISO document and is not intended to
be used for implementation purposes.
Contents
Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Abbreviated terms
Bibliography
Alphabetical index
Foreword
ISO (the International Organization for Standardization) is a worldwide federation of national standards
bodies (ISO member bodies). The work of preparing International Standards is normally carried out
through ISO technical committees. Each member body interested in a subject for which a technical
committee has been established has the right to be represented on that committee. International
organizations, governmental and non-governmental, in liaison with ISO, also take part in the work.
ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters of
electrotechnical standardization.
The procedures used to develop this document and those intended for
its further maintenance are described in the ISO/IEC Directives, Part 1. In particular, the different
approval criteria needed for the different types of ISO documents should be noted. This document was
drafted in accordance with the editorial rules of the ISO/IEC Directives, Part 2 (see
www.iso.org/directives).
The main task of technical committees is to prepare International Standards. Draft International
Standards adopted by the technical committees are circulated to the member bodies for voting.
Publication as an International Standard requires approval by at least 75 % of the member bodies
casting a vote.
Attention is drawn to the possibility that some of the elements of this document may be the subject of
patent rights. ISO shall not be held responsible for identifying any or all such patent rights. Details of
any patent rights identified during the development of the document will be in the Introduction and/or
on the ISO list of patent declarations received (see www.iso.org/patents).
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation on the voluntary nature of standards, the meaning of ISO specific terms and
expressions related to conformity assessment, as well as information about ISO’s adherence to the
World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT) see the following
URL: www.iso.org/iso/foreword.html.
This document was prepared by Technical Committee ISO/TC 22, Road vehicles,
Subcommittee SC 32, Electrical and electronic components and general system
aspects.
This edition of ISO 26262 series of standards cancels and replaces the
edition ISO 26262:2011 series of standards, which has been technically revised
and includes the following main changes:
— requirements for trucks, buses, trailers and semi-trailers;
— extension of the vocabulary;
— more detailed objectives;
— objective oriented confirmation measures;
— management of safety anomalies;
— references to cyber security;
— updated target values for hardware architecture metrics;
— guidance on model based development and software safety analysis;
— evaluation of hardware elements;
— additional guidance on dependent failure analysis;
— guidance on fault tolerance, safety-related special characteristics and software tools;
— guidance for semiconductors;
— requirements for motorcycles; and
— general restructuring of all parts for improved clarity.
Any feedback or questions on this document should be directed to the user’s national standards body. A
complete listing of these bodies can be found at www.iso.org/members.html.
A list of all parts in the ISO 26262 series can be found on the ISO website.
Introduction
The ISO 26262 series of standards is the adaptation of IEC 61508 series
of standards to address the sector specific needs of electrical and/or electronic
(E/E) systems within road vehicles.
This adaptation applies to all activities during the safety lifecycle of safety-related systems comprised
of electrical, electronic and software components.
Safety is one of the key issues in the development of road vehicles.
Development and integration of automotive functionalities will strengthen the need for
functional safety and the need to provide evidence that all reasonable
functional safety objectives are satisfied.
With the trend of increasing technological complexity, software content and mechatronic
implementation, there are increasing risks from systematic failures and random hardware failures,
these being considered within the scope of functional safety. ISO 26262 series of standards includes
guidance to mitigate these risks by providing appropriate requirements and processes.
System safety is achieved through a number of safety measures, which are implemented in a variety
of technologies (e.g. mechanical, hydraulic, pneumatic, electrical, electronic, programmable electronic)
and applied at the various levels of the development process. Although ISO 26262 is concerned with
functional safety of E/E systems, it provides a framework within which safety-related systems based
on other technologies can be considered.
To achieve functional safety, the ISO 26262 series of standards:
a) provides a reference for the automotive safety lifecycle and supports the tailoring
of the activities to be performed during the lifecycle phases, i.e., development, production,
operation, service and decommissioning;
b) provides an automotive-specific risk-based approach to determine integrity levels [Automotive
Safety Integrity Levels (ASILs)];
c) uses ASILs to specify which of the requirements of ISO 26262 are applicable to avoid
unreasonable residual risk;
d) provides requirements for functional safety management, design, implementation,
verification, validation and confirmation measures; and
e) provides requirements for relations between customers and suppliers.
The ISO 26262 series of standards is concerned with functional safety of E/E systems that is achieved
through safety measures including safety mechanisms. It also provides a framework within which
safety-related systems based on other technologies (e.g. mechanical, hydraulic and pneumatic) can be
considered.
The achievement of functional safety is influenced by the development process (including
such activities as requirements specification, design, implementation, integration, verification,
validation and configuration), the production and service processes and by the management processes.
Safety is intertwined with common function-oriented and quality-oriented development
activities and work products. The ISO 26262 series of standards addresses the safety-related aspects of
these activities and work products.
Figure 1 shows the overall structure of the ISO 26262 series of standards. The ISO
26262 series of standards is based upon a V-model as a reference process model for the different phases
of product development. Within the figure:
— the shaded “V”s represent the interconnection among ISO 26262-3, ISO 26262-4,
ISO 26262-5, ISO 26262-6 and ISO 26262-7;
— for motorcycles:
— ISO 26262-12:2018, Clause 8 supports ISO 26262-3;
— ISO 26262-12:2018, Clauses 9 and 10 support ISO 26262-4;
— the specific clauses are indicated in the following manner: “m-n”, where “m” represents the number
of the particular part and “n” indicates the number of the clause within that part.
EXAMPLE “2-6” represents ISO 26262-2:2018, Clause 6.
ISO 26262-1:redline:2018(E)
Figure 1 — Overview of the ISO 26262 series of standards
INTERNATIONAL STANDARD ISO 26262-1:redline:2018(E)
Road vehicles — Functional safety —
Part 1:
Vocabulary
1 Scope
This document is intended to be applied to safety-related systems that include one or more
electrical and/or electronic (E/E) systems and that are installed in series production
road vehicles, excluding mopeds. This document does not address unique E/E systems in
special vehicles such as E/E systems designed for drivers with disabilities.
NOTE Other dedicated application-specific safety standards exist and can complement the ISO 26262 series
of standards or vice versa.
Systems and their components released for production, or systems and their components already under
development prior to the publication date of this document, are exempted from the scope
of this edition. This document addresses alterations to existing systems and their components
released for production prior to the publication of this document by tailoring the safety
lifecycle depending on the alteration. This document addresses integration of existing systems not
developed according to this document and systems developed according to this document by
tailoring the safety lifecycle.
This document addresses possible hazards caused by malfunctioning behaviour of
safety-related E/E systems, including interaction of these systems. It does not address hazards related
to electric shock, fire, smoke, heat, radiation, toxicity, flammability, reactivity, corrosion, release of
energy and similar hazards, unless directly caused by malfunctioning behaviour of safety-related
E/E systems.
This document describes a framework for functional safety to assist the development of
safety-related E/E systems. This framework is intended to be used to integrate functional safety activities
into a company-specific development framework. Some requirements have a clear technical focus to
implement functional safety into a product; others address the development process and can therefore
be seen as process requirements in order to demonstrate the capability of an organization with respect
to functional safety.
This document defines the vocabulary of terms used in the ISO 26262 series of standards.
2 Normative references
The following documents are referred to in the text in such a way that some or all of their content
constitutes requirements of this document. For dated references, only the edition cited applies. For
undated references, the latest edition of the referenced document (including any amendments) applies.
ISO 26262 (all parts), Road vehicles — Functional safety
3 Terms and definitions
For the purposes of this document, the following terms and definitions apply.
1.1
allocation
assignment of a requirement to an architectural element (1.32)
Note 1 to entry: Intent is not to divide an atomic requirement into multiple requirements. Tracing of an atomic
system (1.129) level requirement to multiple lower level atomic requirements is allowed.
1.2
anomaly
condition that deviates from expectations, based, for example, on requirements, specifications, design
documents, user documents, standards, or on experience
Note 1 to entry: Anomalies can be discovered, among other times, during the review (1.98), testing (1.134),
analysis, compilation, or use of components (1.15) or applicable documentation.
ISO and IEC maintain terminological databases for use in standardization at the following addresses:
— ISO Online browsing platform: available at https://www.iso.org/obp
— IEC Electropedia: available at http://www.electropedia.org/
3.1
architecture
representation of the structure of the item (3.84) or element (3.41)
that allows identification of building blocks, their boundaries and interfaces, and
includes the allocation of requirements to
these building blocks
3.2
ASIL capability
capability of the item (3.84) or element (3.41) to meet assumed safety (3.132) requirements assigned
with a given ASIL (3.6)
Note 1 to entry: As a part of hardware safety requirements, achievement of the corresponding random hardware
target values for fault metrics (see ISO 26262-5:2018, Clauses 8 and 9) allocated to the element (3.41) is included,
if needed.
3.3
ASIL decomposition
apportioning of redundant safety (3.132) requirements to elements (3.41), with sufficient independence
(3.78), conducing to the same safety goal (3.139), with the objective of reducing the ASIL (3.6) of the
redundant safety (3.132) requirements that are allocated to the corresponding elements (3.41)
Note 1 to entry: ASIL decomposition is a basis for methods of ASIL (3.6) tailoring during the design process
(defined as requirements decomposition with respect to ASIL (3.6) tailoring in ISO 26262-9).
Note 2 to entry: ASIL decomposition does not apply to random hardware failure requirements per ISO 26262-9.
Note 3 to entry: Reducing the ASIL (3.6) of the redundant safety (3.132) requirements has some exclusions, e.g.
confirmation measures (3.23) remain at the level of the safety goal (3.139).
3.4
assessment
examination of whether a characteristic of an item (3.84) or element (3.41) achieves the
ISO 26262 objectives
Note 1 to entry: A level of independence (1.61) of the party or parties performing the assessment is associated
with each assessment.
3.5
audit
examination of an implemented process with regard to the process objectives
3.6
automotive safety integrity level
ASIL
one of four levels to specify the item's (3.84) or element's (3.41) necessary
ISO 26262 requirements and safety measures (3.141) to apply for avoiding an
unreasonable risk (3.176), with D representing the most stringent and A the
least stringent level
Note 1 to entry: QM (3.117) is not an ASIL.
1.7
ASIL decomposition
apportioning of safety requirements redundantly to sufficiently independent elements (1.32), with
the objective of reducing the ASIL (1.6) of the redundant safety requirements that are allocated to the
corresponding elements
3.7
availability
capability of a product to provide a stated function if
demanded, under given conditions over its defined lifetime
3.8
base failure rate
BFR
failure rate (3.53) of a hardware element (3.41) in a given application use case used as an input to safety
(3.132) analyses
3.9
base vehicle
Original Equipment Manufacturer (OEM) T&B vehicle configuration (3.175) prior to installation of body
builder equipment (3.12)
Note 1 to entry: Body builder equipment (3.12) may be installed on a base vehicle that consists of all driving
relevant systems (3.163) (engine, driveline, chassis, steering, brakes, cabin and driver information).
EXAMPLE Truck (3.174) chassis with powertrain and cabin, rolling chassis with powertrain.
3.10
baseline
version of the approved set of one or more work products (3.185), items (3.84)
or elements (3.41) that serves as a basis for change
Note 1 to entry: See ISO 26262-8:2018, Clause 8.
Note 2 to entry: A baseline is typically placed under configuration management.
Note 3 to entry: A baseline is used as a basis for further development through the change management process
during the lifecycle (3.86).
3.11
body builder
BB
organization that adds trucks (3.174), buses (3.14), trailers (3.171) and semi-trailers (3.151) (T&B)
bodies, cargo carriers, or equipment to a base vehicle (3.9)
Note 1 to entry: T&B bodies include truck (3.174) cabs, bus (3.14) bodies, walk-in vans, etc.
Note 2 to entry: Cargo carriers include cargo boxes, flat beds, car transport racks, etc.
Note 3 to entry: Equipment includes vocational devices and machinery, such as cement mixers, dump beds, snow
blades, lifts, etc.
3.12
body builder equipment
machine, body, or cargo carrier installed on the T&B base vehicle (3.9)
3.13
branch coverage
percentage of branches of the control flow of a computer program executed
during a test
Note 1 to entry: 100 % branch coverage implies 100 % statement coverage (3.160).
Note 2 to entry: An if-statement always has two branches - condition true and condition false - independent of the
existence of an else-clause.
3.14
bus
motor vehicle which, because of its design and appointments, is intended for carrying persons and
luggage, and which has more than nine seating places, including the driving seat
Note 1 to entry: A bus may have one or two decks and may also tow a trailer (3.171).
3.15
calibration data
data that will be applied as software parameter values after the software build in the development process
EXAMPLE Parameters (e.g. value for low idle speed, engine characteristic diagrams); vehicle specific
parameters (adaptation values, e.g. limit stop for throttle valve); variant coding (e.g. country code,
left-hand/right-hand steering).
Note 1 to entry: Calibration data does not contain executable or interpretable code.
3.16
candidate
item (3.84) or element (3.41) whose definition and conditions of use are identical to, or have
a very high degree of commonality with, an item (3.84) or element (3.41) that is already
released and in operation
Note 1 to entry: This definition applies where candidate is used in the context of a proven in use argument
(3.115).
3.17
cascading failure
failure (3.50) of an element (3.41) of an item (3.84) resulting from a root cause [inside or
outside of the element (3.41)] and then causing a failure (3.50) of another element (3.41)
or elements (3.41) of the same or different item (3.84)
Note 1 to entry: Cascading failures are dependent failures (3.29) that could be one of the possible root
causes of a common cause failure (3.18). See Figure 2, Failure A.
Figure 2 — Cascading failure
3.18
common cause failure
CCF
failure (3.50) of two or more elements (3.41) of an item (3.84) resulting directly from a
single specific event or root cause which is either internal or external to all of these elements (3.41)
Note 1 to entry: Common cause failures are dependent failures (3.29) that are not cascading failures (3.17).
See Figure 3.
Figure 3 — Common cause failure
3.19
common mode failure
CMF
case of CCF (3.18) in which multiple elements (3.41) fail in the same manner
Note 1 to entry: Failure (3.50) in the same manner does not necessarily mean that they need to fail exactly the
same. How close the failure modes (3.51) need to be in order to be classified as common mode failure depends on
the context.
EXAMPLE 1 A system (3.163) has two temperature sensors which are compared with each other. If the
difference between the two temperature sensors is larger than or equal to 5 °C it is handled as a fault (3.54) and
the system (3.163) is switched into a safe state (3.131). A common mode failure lets both temperature sensors fail
in such a way that the difference between the two sensors is smaller than 5 °C and therefore is not detected.
EXAMPLE 2 In a CPU lockstep architecture (3.1) where the outputs of both CPUs are compared cycle by cycle,
both CPUs need to fail exactly the same way in order for the failure (3.50) to go undetected. In this context, a
common mode failure lets both CPUs fail exactly the same way.
EXAMPLE 3 An over voltage failure (3.50) due to lots of parts not meeting their specification for over voltage
is a common mode failure.
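The comparison monitor of EXAMPLE 1, as an added illustration that is not part of ISO 26262: it runs the 5 °C plausibility check over constructed fault cases and shows which ones reach the safe state. The fault model (per-sensor error plus one shared error term), the function names and the rule that a reading off by 5 °C or more counts as failed are assumptions made for this example.

```c
#include <stdio.h>
#include <stdlib.h>

/* 5 deg C comparison threshold from EXAMPLE 1, in tenths of a degree. */
#define LIMIT_DC 50

typedef enum { STATE_NORMAL = 0, STATE_SAFE = 1 } monitor_state_t;

/* Constructed fault model (assumption, not taken from the standard). */
typedef struct {
    const char *name;
    int err_a_dc;       /* error affecting sensor A only */
    int err_b_dc;       /* error affecting sensor B only */
    int err_shared_dc;  /* error reaching both sensors via a coupling factor */
} fault_case_t;

int read_sensor_a(int true_dc, const fault_case_t *f)
{
    return true_dc + f->err_a_dc + f->err_shared_dc;
}

int read_sensor_b(int true_dc, const fault_case_t *f)
{
    return true_dc + f->err_b_dc + f->err_shared_dc;
}

/* Safety mechanism of EXAMPLE 1: a difference of 5 deg C or more between
 * the two sensors is handled as a fault and leads to the safe state. */
monitor_state_t plausibility_check(int a_dc, int b_dc)
{
    return (abs(a_dc - b_dc) >= LIMIT_DC) ? STATE_SAFE : STATE_NORMAL;
}

/* Returns 1 when at least one reading is off by LIMIT_DC or more (assumed
 * failure criterion) while the comparison still reports STATE_NORMAL. */
int undetected_failure(int true_dc, const fault_case_t *f)
{
    int a = read_sensor_a(true_dc, f);
    int b = read_sensor_b(true_dc, f);
    int failed = abs(a - true_dc) >= LIMIT_DC || abs(b - true_dc) >= LIMIT_DC;
    return failed && plausibility_check(a, b) == STATE_NORMAL;
}

int main(void)
{
    /* Constructed scenarios; the true temperature is 25.0 deg C throughout. */
    const fault_case_t cases[] = {
        { "no fault",                         0,  0,  0 },
        { "sensor B alone reads +8.0",        0, 80,  0 },
        { "shared error +8.0 on both",        0,  0, 80 },
        { "A +8.0, B +4.0 (similar modes)",  80, 40,  0 },
        { "A +8.0, B +2.0 (dissimilar)",     80, 20,  0 },
    };
    const int true_dc = 250;

    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        int a = read_sensor_a(true_dc, &cases[i]);
        int b = read_sensor_b(true_dc, &cases[i]);
        printf("%-32s A=%5.1f B=%5.1f -> %-10s%s\n",
               cases[i].name, a / 10.0, b / 10.0,
               plausibility_check(a, b) == STATE_SAFE ? "safe state" : "normal",
               undetected_failure(true_dc, &cases[i]) ? " (undetected)" : "");
    }
    return 0;
}
```

The fourth case corresponds to Note 1 to entry: the two sensors do not fail identically, yet their failure modes are close enough to stay under the comparison threshold.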
3.20
complete vehicle
fully assembled T&B base vehicle (3.9) with its body builder equipment (3.12)
EXAMPLE Refuse collector, dump truck (3.174).
3.21
component
non-system level element (3.41) that is logically or technically separable and is
comprised of more than one hardware part (3.71) or one or more software units (3.159)
EXAMPLE A microcontroller.
Note 1 to entry: A component is a part of a system (3.163).
3.22
configuration data
data that is assigned during element build and that controls the element build process
EXAMPLE 1 Pre-processor variable settings
which are used to derive compile time variants from the source code.
NOTE 1 Configuration data cannot contain executable or interpretable code.
EXAMPLE 2 XML files to control the build tools or toolchain.
Note 1 to entry: Configuration data controls the software build.
Configuration data is used to select code from existing code variants already defined in
the code base. The functionality of selected code variant will be included in the executable code.
Note 2 to entry: Since configuration data is only used to select code variants, configuration data does not include
code that is executed or interpreted during the use of the item (3.84).
3.23
confirmation measure
confirmation review (3.24), audit (3.5) or assessment (3.4) concerning functional safety
(3.67)
3.24
confirmation review
confirmation that a work product (3.185) provides sufficient and
convincing evidence of their contribution to the achievement of functional safety (3.67)
considering the corresponding objectives and
requirements of ISO 26262
Note 1 to entry: A complete list of confirmation reviews is given in ISO 26262-2.
Note 2 to entry: The goal of confirmation reviews is to ensure compliance with the ISO 26262 series of standards.
3.25
controllability
ability to avoid a specified harm (3.74) or damage through the timely reactions of the persons
involved, possibly with support from external measures (3.49)
Note 1 to entry: Persons involved can include the driver, passengers or persons in the vicinity of the vehicle's
exterior.
Note 2 to entry: The parameter C in hazard analysis and risk assessment (3.76) represents the potential for
controllability.
3.26
coupling factors
common characteristic or relationship of elements (3.41) that leads to a dependence in their failures (3.50)
3.27
dedicated measure
measure to ensure the failure rate (3.53) claimed in the evaluation of the probability of violation of
safety goals (3.139)
EXAMPLE Design feature [such as hardware part (3.71) over-design (e.g. electrical or thermal stress
rating) or physical separation (e.g. spacing of contacts on a printed circuit board)]; special sample test of
incoming material to reduce the risk (3.128) of occurrence of failure modes (3.51) which contribute to
the violation of safety goals (3.139); burn-in test; dedicated control plan.
3.28
degradation
state or transition to a state of the item (3.84)
or element (3.41) with reduced functionality, performance, or both
Note 1 to entry: Degradation can include reduced functionality, reduced performance, or both reduced
functionality and performance.
3.29
dependent failures
failures (3.50) that are not statistically independent, i.e. the probability of the combined
occurrence of the failures (3.50) is not equal to the product of the probabilities of occurrence
of all considered independent failures (3.50)
Note 1 to entry: Dependent failures can manifest themselves simultaneously, or within a sufficiently short time
interval, to have the effect of simultaneous failures (3.50).
Note 2 to entry: Dependent failures include common cause failures (3.18) and cascading failures (3.17).
Note 3 to entry: Whether a given failure (3.50) is a cascading failure (3.17) or a common cause failure (3.18) may
depend on the hierarchical structure of the elements (3.41).
Note 4 to entry: Dependent failures A and B can be characterized when

$P_{AB} \neq P_A \times P_B$

where
$P_{AB}$ is the probability of the simultaneous occurrence of failure A and failure B;
$P_A$ is the probability of the occurrence of failure A;
$P_B$ is the probability of the occurrence of failure B.
Whether a given failure (3.50) is a cascading failure (3.17) or a common cause failure (3.18) may depend on the
temporal behaviour of the elements (3.41).
Note 5 to entry: Dependent failures can include software failures (3.50) even if the
probability of the failure (3.50) is not calculated.
3.30
dependent failure initiator
DFI
single root cause that leads multiple elements (3.41) to fail through coupling factors (3.26)
Note 1 to entry: Coupling factors (3.26) which are candidates for dependencies are identified during DFA.
Note 2 to entry: Failure (3.50) of elements (3.41) can happen simultaneously or sequentially.
EXAMPLE 1 Coupling factor (3.26): Two SW units using the same RAM. Root cause: One SW unit unintentionally
corrupts data used by the second SW unit.
EXAMPLE 2 Coupling factor (3.26): Two ECUs operating in the same compartment of the car. Root cause:
Unwanted/unexpected water intrusion into that particular compartment leads to flooding and to failure (3.50)
of both ECUs.
EXAMPLE 3 Coupling factor (3.26): Two microcontrollers using the same 3,3 V power supply. Root cause:
Overvoltage on the 3,3 V, damaging both microcontrollers.
3.31
detected fault
fault (3.54) whose presence is detected within a prescribed time by a safety mechanism (3.142)
that prevents the fault from being latent
EXAMPLE The fault can be detected by a dedicated safety mechanism (1.111) (e.g. detection of the error
(1.36) and notifying the driver via an alerting device on the instrument panel) as defined in the functional safety
concept (1.52).
Note 1 to entry: The prescribed time can be the fault detection time interval (3.55) or the multiple-point fault
detection time interval (3.98).
3.32
development interface agreement
DIA
agreement between customer and supplier in which the responsibilities for activities to be performed,
evidence to be reviewed, or work products (3.185) to be exchanged by each party
related to the development of items (3.84) or elements (3.41) are specified
Note 1 to entry: While DIA applies to the development phase, supply agreement (3.162) applies to production.
3.33
diagnostic coverage
DC
percentage of the failure rate (3.53) of a hardware element (3.41), or percentage of the
failure rate (3.53) of a failure mode (3.51) of a hardware element (3.41) that is detected or controlled
by the implemented safety mechanism (3.142)
Note 1 to entry: Diagnostic coverage can be assessed with regard to residual faults (3.125) or with regard to
latent multiple-point faults (3.97) that might occur in a hardware element (3.41).
NOTE 2: The definition can be represented in terms of the equations given in ISO 26262-5.
Note 2 to entry: Safety mechanisms (3.142) implemented at different levels in the architecture
(3.1) can be considered.
Note 3 to entry: Except when it is explicitly mentioned, the proportion of safe faults (3.130) of a safety-related
hardware element (3.41) is not considered when determining the diagnostic coverage of the safety mechanism
(3.142).
3.34
diagnostic points
output signals of an element (3.41) at which the detection or correction of a fault (3.54) is observed
Note 1 to entry: Diagnostic points are also referred to as "alarms" or "error (3.46) flags" or "correction flags".
EXAMPLE Read back information.
3.35
diagnostic test time interval
DTI
amount of time between the executions of online diagnostic tests by a safety mechanism (3.142)
including duration of the execution of an online diagnostic test
Note 1 to entry: See Figure 5.
3.36
distributed development
development of an item (3.84) or element (3.41) with development responsibility divided between
the customer and supplier(s) for the entire item (3.84) or element (3.41)
Note 1 to entry: Customer and supplier are roles of the cooperating parties.
3.37
diversity
different solutions satisfying the same requirement, with the goal of achieving independence
(3.78)
EXAMPLE 1 Diverse programming; diverse hardware.
Note 1 to entry: Diversity does not guarantee independence (3.78), but can deal with
certain types of common cause failures (3.18).
Note 2 to entry: Diversity can be a technical solution [diverse hardware components (3.21), diverse SW
components (3.21)] or a technical means (e.g. diverse compiler) to apply.
Note 3 to entry: Diversity is one way to realize redundancy (3.122).
3.38
dual-point failure
failure (3.50) resulting from the combination of two independent hardware faults (3.54) that
leads directly to the violation of a safety goal (3.139)
Note 1 to entry: Dual-point failures are multiple-point failures (3.96) of order 2.
Note 2 to entry: Dual-point failures that are addressed in the ISO 26262 series of standards include those
where one fault (3.54) affects a safety-related element (3.144) and another fault (3.54) affects the
corresponding safety mechanism (3.142) intended to achieve or maintain a safe state (3.131).
Note 3 to entry: For a dual-point failure to directly violate a safety goal, the presence of both independent faults is
necessary, i.e. the violation of a safety goal due to a combination of a residual fault (1.96) with a safe fault (1.101) is
not considered a dual-point failure since the residual fault leads to a violation of a safety goal with or without the
presence of a second independent fault.
3.39
dual-point fault
individual fault (3.54) that, in combination with another independent fault (3.54), leads to a
dual-point failure (3.38)
Note 1 to entry: A dual-point fault can only be recognized after the identification of a dual-point
failure (3.38), e.g. from cut set analysis of a fault tree.
Note 2 to entry: See also multiple-point fault (3.97).
3.40
electrical and/or electronic system
E/E system
system (3.163) that consists of electrical and/or electronic elements (3.41), including
programmable electronic elements (3.41)
Note 1 to entry: An element (3.41) of an E/E system can also be another E/E system.
EXAMPLE Power supply; sensor or other input device; communication path; actuator or other output device.
3.41
element
system (3.163), components (3.21) (hardware or software),
hardware parts (3.71), or software units (3.159)
Note 1 to entry: When “software element” or “hardware element” is used, this phrase denotes an element of
software only or an element of hardware only, respectively.
Note 2 to entry: An element may also be a SEooC (3.138).
3.42
embedded software
fully-integrated software to be executed on a processing element (3.113)
Note 1 to entry: The processing element is normally a micro-controller, a field programmable gate array (FPGA)
or an application-specific integrated circuit (ASIC), but it can also be a more complex component (1.15) or
subsystem.
3.43
emergency operation
operating mode (3.102) of an item (3.84), for providing safety (3.132) after the reaction to a fault (3.54)
until the transition to a safe state (3.131) is achieved
Note 1 to entry: See Figure 4 and Figure 5.
Note 2 to entry: When a safe state (3.131) cannot be directly reached, or cannot be timely reached, or cannot
be maintained after the detection of a fault (3.54), a safety mechanism (3.142) can transition the item (3.84)
to emergency operation for providing safety (3.132) until the transition to a safe state (3.131) is achieved and
maintained.
Note 3 to entry: Emergency operation and associated emergency operation tolerance time interval (3.45) are
described in the warning and degradation strategy (3.183).
Note 4 to entry: Degradation (3.28) can be part of the concept for emergency operation.
EXAMPLE Emergency operation can be specified as part of the error (3.46) reaction of a fault tolerant
item (3.84).
3.44
emergency operation time interval
EOTI
time-span during which emergency operation (3.43) is maintained
Note 1 to entry: See Figure 4 and Figure 5.
Note 2 to entry: Emergency operation (3.43) and associated emergency operation tolerance time interval (3.45) are
described in the warning and degradation strategy (3.183).
Note 3 to entry: Emergency operation (3.43) is temporarily maintained for providing safety (3.132) until the
transition to a safe state (3.131) is achieved.
3.45
emergency operation tolerance time interval
EOTTI
specified time-span during which emergency operation (3.43) can be
maintained without an unreasonable level of risk (3.128)
Note 1 to entry: See Figure 4.
Note 2 to entry: Emergency operation tolerance time interval is the maximum value of the
emergency operation time interval (3.44).
Note 3 to entry: Emergency operation (3.43) can be considered safe due to the limited operation time as defined
in the emergency operation tolerance time interval.
Figure 4 — Emergency operation tolerance time interval
3.46
error
discrepancy between a computed, observed or measured value or condition, and the true, specified or
theoretically correct value or condition
Note 1 to entry: An error can arise as a result of a fault (3.54)
within the system (3.163) or component (3.21) being considered.
Note 2 to entry: A fault can manifest itself as an error within the considered element (1.32) and the error can
ultimately cause a failure (1.39).
3.47
expert rider
role filled by persons capable of evaluating controllability (3.25) classifications based on operation of
actual motorcycles (3.93)
Note 1 to entry: An expert rider is a rider who has the:
— skill to evaluate controllability (3.25) including knowledge to evaluate;
— capability to conduct the vehicle test; and
— knowledge to evaluate motorcycle (3.93) controllability (3.25) characteristics with respect to a representative
rider's riding capability.
Note 2 to entry: See ISO 26262-12:2018, Annex C for information relating to the use of expert riders.
3.48
exposure
state of being in an operational situation (3.104) that can be hazardous if coincident
with the failure mode (3.51) under analysis
Note 1 to entry: The parameter “E” in hazard analysis and risk assessment (3.76) represents the potential exposure
to the operational situation (3.104).
3.49
external measure
measure that is separate and distinct from the item (3.84) which reduces or mitigates the risks
(3.128) resulting from the item (3.84)
3.50
failure
termination of an intended behaviour of an element (3.41) or an item (3.84) due to
a fault (3.54) manifestation
Note 1 to entry: Termination can be permanent or transient.
3.51
failure mode
manner in which an element (3.41) or an item (3.84) fails to provide the intended behaviour
3.52
failure mode coverage
FMC
proportion of the failure rate (3.53) of a failure mode (3.51) of a hardware element (3.41) that is detected
or controlled by the implemented safety mechanism (3.142)
3.53
failure rate
probability density of failure (3.50) divided by probability of survival for a hardware element
(3.41)
Note 1 to entry: The failure rate is assumed to be constant and is generally denoted as “λ”.
3.54
fault
abnormal condition that can cause an element (3.41) or an item (3.84) to fail
Note 1 to entry: Permanent, intermittent, and transient faults (3.173) (especially soft errors) are considered.
Note 2 to entry: When a subsystem is in an error (3.46) state it could result in a fault for the system (3.163).
Note 3 to entry: An intermittent fault occurs from time to time and then
disappears again. This type of fault can occur when a component (3.21) is on the verge of breaking down or,
for example, due to an internal malfunction in a switch. Some systematic faults (3.165) (e.g. timing
irregularities) could lead to intermittent faults.
3.55
fault detection time interval
FDTI
time-span from the occurrence of a fault (3.54) to its detection
Note 1 to entry: See Figure 5.
Note 2 to entry: Fault detection time interval is determined independently of diagnostic test time interval (3.35).
EXAMPLE The fault detection time interval of a diagnostic test can be longer than the diagnostic test time
interval (3.35) due to implemented error (3.46) counters, i.e. the fault (3.54) must be detected more than once by
the diagnostic test before triggering an error (3.46) reactio
...

Questions, Comments and Discussion


The ISO 26262-1:2018 standard, titled "Road vehicles - Functional safety - Part 1: Vocabulary," provides a comprehensive framework for defining the functional safety of electrical and electronic (E/E) systems within series production road vehicles, excluding mopeds. The scope of this document is particularly relevant as it establishes a clear vocabulary essential for interpreting the entire ISO 26262 series. By addressing the terminologies and definitions crucial for safety-related systems, it fosters a consistent understanding among stakeholders involved in the automotive safety domain. One of the strengths of this standard is its emphasis on safety-related systems' lifecycle, especially concerning alterations and the integration of systems not developed per the document's guidelines. By tailoring the safety lifecycle according to specific alterations, ISO 26262-1:2018 ensures that existing systems can be reassessed for safety compliance, promoting a proactive approach to risk management within automotive safety. This adaptability speaks volumes about the standard's relevance in an industry characterized by rapid technological advancements and evolving safety requirements. Moreover, the ISO 26262-1:2018 document recognizes the challenges posed by potential hazards arising from the malfunctioning behavior of safety-related E/E systems. While it excludes direct hazards such as electric shock or fire unless caused by malfunctioning systems, its focus on the interactions among safety-related systems lays the groundwork for more cohesive safety analyses. This highlights the standard's applicability to real-world scenarios where integrated systems operate in tandem, further underscoring its significance. In summary, ISO 26262-1:2018 stands as a pivotal document within the realm of functional safety for road vehicles, providing critical terminologies and outlines that support the development and integration of safety-related E/E systems. 
Its structured approach to lifecycle management, alongside its focus on the vocational aspects of functional safety, establishes it as a cornerstone for organizations aiming to enhance their capabilities in automotive safety standards compliance.

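The ISO 26262-1:2018 standard is an important document addressing safety-related systems in road vehicles, providing a comprehensive vocabulary for functional safety involving electrical and electronic (E/E) systems. This document is intended for safety-related systems installed in series production road vehicles; in particular, unique E/E systems designed for special vehicles for people with disabilities are excluded. In this respect, the scope of the standard focuses directly on ensuring the safety of road vehicles. One of the strengths of this standard is that it provides a clear framework for integrating functional safety activities into a company-specific development framework. The functional safety requirements cover not only a technical focus but also the development process, addressing the process requirements needed to demonstrate an organization's functional safety capability. This structure enables companies to take a more systematic approach when developing safety-related E/E systems. In addition, the document presents a methodology for tailoring the safety lifecycle to handle alterations to existing systems and their components, clarifying how the standard applies to systems launched before production or already under development. This forms a mutually complementary relationship with the other standards in the ISO 26262 series and contributes to improving technical safety. The ISO 26262-1:2018 standard provides a foundation for identifying hazards that can arise from the malfunction of safety-related E/E systems and for managing them effectively. The standard clearly establishes the terms needed to define the overall concept of functional safety and provides practical guidance for demonstrating an organization's capability to ensure functional safety performance. All of these elements show that the ISO 26262-1:2018 standard is an essential reference for improving road vehicle safety.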

The ISO 26262-1:2018 standard positions itself as a fundamental document for understanding functional safety in the context of safety-related systems in road vehicles. Its scope is clearly defined, covering the electrical and electronic (E/E) systems used in series production vehicles while excluding mopeds and specialized vehicles meeting particular needs, such as those intended for drivers with disabilities. This exclusion underlines that the standard is designed specifically for general use while leaving room for application-specific safety standards, which underlines its flexibility and relevance in the current context of automotive development. One of the strengths of this standard lies in the rigorous methodology it proposes for integrating functional safety activities into company-specific development frameworks. The ability to tailor the safety lifecycle according to alterations made to existing systems prior to the publication of the standard is essential. This allows companies to ensure compliance while continuing to operate on systems already in place. In addition, the ISO 26262-1:2018 standard provides a precise vocabulary that is indispensable for avoiding ambiguity in discussions and technical documentation. The definition of specific terms promotes a uniform understanding and ensures smooth communication among the various stakeholders involved in the design and development of E/E safety-related systems. Finally, although it does not cover all aspects of safety, such as the risks of electric shock or toxicity, it focuses on addressing the failure behaviour of safety-related systems, which is crucial for anticipating and managing risks in a contemporary automotive development setting.
In short, the ISO 26262-1:2018 standard asserts itself as a pillar of functional safety, offering a robust and adaptable framework for players in the automotive industry and underlining its importance in a constantly evolving environment.

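ISO 26262-1:2018 is an important document that provides the foundation for functional safety related to road vehicles, and it is intended to be used for safety-related systems that include electrical and electronic (E/E) systems. The scope of this standard applies to E/E systems installed in series production road vehicles, and excludes E/E systems specific to unique vehicles as well as mopeds. It plays an extremely important role in the development and integration of safety-related systems, while also having the flexibility to accommodate alterations to existing systems. One of the strengths of this document is that it provides clear guidelines on applying the lifecycle to ensure functional safety. In particular, its support for adapting the development process when integrating existing and new systems is well regarded. It also focuses on identifying hazards that may be caused by the malfunction of safety-related E/E systems, but it does not directly relate to other hazards such as electric shock or fire, so the scope can be said to be set appropriately. Furthermore, ISO 26262-1:2018 provides definitions of the terms used in the standard, promoting a consistent understanding across the entire ISO 26262 series. By building a framework for integrating functional safety activities into a company-specific development framework, it also defines process requirements for demonstrating an organization's commitment to functional safety. This helps companies implement functional safety properly and pursue sustained development. Overall, ISO 26262-1:2018 is an important document that promotes standardization within the industry by providing clarity of language and concepts for functional safety and establishing principles for improving the safety of E/E systems.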

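ISO 26262-1:2018 is a standard that provides an important foundation for functional safety in automobiles, and in particular it defines a clear vocabulary for safety-related systems. This document is intended to be applied to multiple electrical and electronic (E/E) systems installed in series production road vehicles, and in particular it provides clear guidelines on the development and integration of safety-related systems. The scope of this standard does not include special E/E systems designed for drivers with disabilities, and it makes clear that these fall outside the standard's intended application. It also points out that there are other dedicated application-specific safety standards relating to the ISO 26262 series, which can complement one another. A strength of ISO 26262-1:2018 is that it can be applied to existing systems and their components, including those whose production began before its publication. Through tailoring of the safety lifecycle, the document provides flexibility in situations where assessment or integration is required. The standard focuses on hazards that may be caused by the malfunction of safety-related E/E systems, and also takes into account the interaction between those systems. However, it is clear that it does not address hazards such as electric shock, fire, smoke, heat, radiation, toxicity, flammability, reactivity, corrosion and release of energy that are not directly caused by malfunction. In addition, ISO 26262-1:2018 provides a framework for integrating functional safety activities into a company-specific development framework, and clarifies the technical requirements for implementing functional safety in a product. It thereby also provides process requirements for organizations to demonstrate their capability with respect to functional safety, and as a result contributes to improving companies' safety. By defining the vocabulary for functional safety, ISO 26262-1:2018 is an important standard that promotes a common understanding across the industry and contributes to ensuring safety in the automotive industry. As a result, higher safety standards are expected to be demanded at each stage of product development.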

The ISO 26262-1:2018 standardization document represents an essential framework for the functional safety of electronic and electrical systems in road vehicles. Its scope is specifically oriented towards safety-related systems that are integrated into series production vehicles, excluding mopeds and special vehicles. This makes it possible to ensure a coherent and standardized approach to system safety within the automotive industry. Among the notable strengths of this standard, ISO 26262-1:2018 provides a clear and precise vocabulary, facilitating communication among the various stakeholders in the sector. This lexicon is fundamental because it reduces ambiguity and ensures a common understanding of functional safety concepts. In addition, the document addresses the safety lifecycle in an integrative manner, allowing this lifecycle to be tailored not only to new systems but also to pre-existing systems, guaranteeing their compliance with best safety practices. The relevance of the ISO 26262-1:2018 standard is undeniable in a context where vehicles are becoming increasingly complex owing to the integration of a multitude of E/E systems. The framework it defines for integrating functional safety activities into a company-specific development process is crucial for commercial success and for the protection of users. By concentrating on potential failure behaviours and their consequences, the document encourages proactive development and verification of safety systems. In conclusion, ISO 26262-1:2018 lays solid foundations for functional safety in the automotive industry and represents an essential reference for everyone involved in developing secure electronic and electrical systems.

ISO 26262-1:2018 is a key document in the field of functional safety for road vehicles, designed in particular for safety-related systems with electrical and/or electronic (E/E) components. The specific scope of this standard covers series production vehicles and excludes mopeds. A notable aspect of this standard is that it does not address unique E/E systems in special vehicles, such as systems developed for drivers with disabilities. Nevertheless, it points out that specialized safety-related standards exist that can be used to complement the ISO 26262 series. A key strength of ISO 26262-1:2018 lies in its flexibility. It allows the safety lifecycle to be tailored for existing systems and components that went into production before the publication of the document. This is particularly relevant for companies that are already in the middle of development and want to ensure that their products meet the latest functional safety standards. In addition, it addresses the integration of existing systems that were not developed according to this standard, which enables a uniform approach to ensuring functional safety. Another important point is that the document gives a comprehensive overview of the possible hazards that can be caused by the malfunctioning behaviour of safety-related E/E systems. It emphasizes that a thorough understanding of the interactions between these systems is necessary to minimize potential risks. However, hazards such as electric shock or fire are not considered unless they arise directly from the malfunctioning behaviour of the relevant systems.
Furthermore, ISO 26262-1:2018 describes a framework for functional safety that serves as a guide for the development of safety-related E/E systems. This framework takes into account both technical requirements for implementing functional safety in products and process requirements intended to demonstrate an organization's capability to ensure functional safety. Finally, the standard defines a comprehensive vocabulary that is indispensable for application throughout the ISO 26262 series. Consistent use of these terms promotes a common understanding within the industry and improves communication between the parties involved. Overall, ISO 26262-1:2018 offers a robust basis for the development and integration of safety-related E/E systems in series production vehicles by providing clarity, flexibility and a structured approach to functional safety.

ISO 26262-1:2018 is an essential part of the series of standards on the functional safety of road vehicles and offers a comprehensive definition of the technical terms used in the subsequent parts of the standard. The scope of the document is clearly outlined: it applies to safety-related systems that include electrical and/or electronic (E/E) systems in series production vehicles, with the exception of mopeds. This makes the standard particularly relevant for the automotive industry, where the integration of E/E systems is becoming ever more sophisticated. An outstanding feature of ISO 26262-1:2018 is the possibility of modifying existing systems and tailoring their safety lifecycle. This is particularly advantageous for manufacturers that already have products on the market and want to adapt them to new safety standards. The standard calls for a targeted focus on the safety requirements, which can lead to effective handling of alterations and integrations. The relevance of the standard also extends to the definition of requirements that cover both technical aspects and development processes. This enables organizations to demonstrate systematically their capability to implement functional safety, which not only increases confidence in the products but also strengthens market position. Another important point is that the standard addresses potential hazards caused by the malfunctioning behaviour of safety-related E/E systems. This supports companies in integrating important safety features into their design and development processes and thus minimizing the risk of malfunctions. In summary, ISO 26262-1:2018 offers a clear framework for the functional safety of E/E systems in the automotive industry.
The standard is not only comprehensive in its approach but also flexible enough to meet the requirements of different organizations. Its strengths lie in the definition of relevant technical terms, adaptability for existing systems, and the linking of technical and process requirements to ensure functional safety.

The ISO 26262-1:2018 standard serves as a vital foundational document for the domain of functional safety in road vehicles. Its primary focus is the vocabulary relevant to safety-related systems that integrate electrical and/or electronic (E/E) components installed in series production vehicles, excluding mopeds. This clear scope establishes a comprehensive baseline for understanding and implementing functional safety across various automotive applications. One of the notable strengths of this standard is its thorough clarification of terms and definitions, which is essential for stakeholders across the automotive industry. By standardizing the vocabulary related to functional safety, ISO 26262-1:2018 not only promotes consistency but also fosters effective communication among manufacturers, engineers, and safety assessors. This is particularly significant in an industry increasingly reliant on advanced E/E systems for functionality and safety. Furthermore, the document addresses crucial aspects of safety lifecycle management, especially concerning alterations to existing E/E systems and components. By offering guidance on tailoring the safety lifecycle for modifications to systems already in production, this standard assists organizations in maintaining compliance while adapting to changes in technology or market needs. The framework for functional safety outlined in this standard allows organizations to embed safety practices within their specific development processes. This approach encourages the integration of functional safety activities, ensuring that safety considerations are not an afterthought but rather a fundamental aspect of product development. The dual focus on technical implementation and process requirements enhances the capability of organizations to demonstrate their commitment to functional safety. 
Moreover, the restriction of the standard's scope, specifically excluding unique E/E systems for special vehicles and other hazards unrelated to malfunction, ensures that the document remains focused and relevant to its intended audience. This targeted approach allows practitioners to concentrate on the intersection of functional safety and the complexities of safety-related E/E systems within the automotive context. Overall, ISO 26262-1:2018 plays a crucial role in the advancement of functional safety in road vehicles, providing a standardized vocabulary and a robust framework that can be adapted by organizations to elevate their safety protocols. Its relevance is underscored by its ability to guide the integration of safety practices across diverse contexts in the automotive industry, making it an indispensable resource for those involved in the design, development, and management of safety-related E/E systems.

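The ISO 26262-1:2018 standard provides essential guidance for functional safety related to electrical and electronic systems in the automotive industry. This document applies to safety-related systems installed in series production road vehicles and has become established as an essential element for ensuring the safety of means of transport. In particular, the standard does not apply to unique E/E systems in special vehicles, and can be used in a complementary manner with other corresponding safety standards. One of the strengths of this standard is that it tailors the safety lifecycle, created so that alterations to existing systems can be handled, to facilitate the integration of systems released for production. In addition, the document presents a systematic framework for functional safety so that functional safety activities can be integrated into a company-specific development framework. This acts as an essential element in the development of safety-related E/E systems and contributes to demonstrating an organization's functional safety capability. Through well-defined terms, ISO 26262-1:2018 ensures consistency with the other standards in the ISO 26262 series, which plays an important role in designing and implementing automotive safety systems. The various requirements are divided into those with a technical focus and process requirements, helping functional safety to be clearly implemented in product development. In conclusion, the ISO 26262-1:2018 standard provides an important foundation for functional safety in the automotive industry and presents a systematic and comprehensive approach to securing the safety of electrical and electronic systems. It is expected thereby to help meet safety standards across the industry and ultimately to ensure the safety of consumers and drivers.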