Road vehicles - Functional safety - Part 2: Management of functional safety

This document is intended to be applied to safety-related systems that include one or more electrical and/or electronic (E/E) systems and that are installed in series production road vehicles, excluding mopeds. This document does not address unique E/E systems in special vehicles such as E/E systems designed for drivers with disabilities.

NOTE Other dedicated application-specific safety standards exist and can complement the ISO 26262 series of standards or vice versa.

Systems and their components released for production, or systems and their components already under development prior to the publication date of this document, are exempted from the scope of this edition. This document addresses alterations to existing systems and their components released for production prior to the publication of this document by tailoring the safety lifecycle depending on the alteration. This document addresses integration of existing systems not developed according to this document and systems developed according to this document by tailoring the safety lifecycle.

This document addresses possible hazards caused by malfunctioning behaviour of safety-related E/E systems, including interaction of these systems. It does not address hazards related to electric shock, fire, smoke, heat, radiation, toxicity, flammability, reactivity, corrosion, release of energy and similar hazards, unless directly caused by malfunctioning behaviour of safety-related E/E systems.

This document describes a framework for functional safety to assist the development of safety-related E/E systems. This framework is intended to be used to integrate functional safety activities into a company-specific development framework. Some requirements have a clear technical focus to implement functional safety into a product; others address the development process and can therefore be seen as process requirements in order to demonstrate the capability of an organization with respect to functional safety.

This document does not address the nominal performance of E/E systems.

This document specifies the requirements for functional safety management for automotive applications, including the following:
- project-independent requirements with regard to the organizations involved (overall safety management), and
- project-specific requirements with regard to the management activities in the safety lifecycle, i.e. management during the concept phase and the product development phases (at the system, hardware and software level), and regarding production, operation, service and decommissioning.

Annex A provides an overview on objectives, prerequisites and work products of this document.

Véhicules routiers — Sécurité fonctionnelle — Partie 2: Gestion de la sécurité fonctionnelle

General Information

Status: Published
Publication Date: 16-Dec-2018
Current Stage: 9092 - International Standard to be revised
Start Date: 08-Jul-2024
Completion Date: 13-Dec-2025

Relations

Effective Date: 05-Nov-2015

Overview

ISO 26262-2:2018, Management of functional safety, is Part 2 of the ISO 26262 series for automotive functional safety. It defines the management framework and process requirements for integrating functional safety activities across the safety lifecycle of safety-related electrical/electronic (E/E) systems in series-production road vehicles (mopeds are excluded, as are unique E/E systems in special vehicles such as those designed for drivers with disabilities). This second edition cancels and replaces the 2011 edition and adds guidance on tailoring the safety lifecycle, on altering or integrating existing systems, and on organization-level responsibilities for functional safety.

Key topics and technical requirements

ISO 26262-2 focuses on management activities rather than specific technical implementations. Major areas include:

  • Overall safety management: company‑level safety policy, safety culture, quality management and handling of safety anomalies.
  • Project‑dependent safety management: planning and coordination of safety activities during concept and product development (system, hardware, software), including tailoring and reuse of existing elements.
  • Safety lifecycle planning: integration of functional safety activities into a company’s development framework and tailoring for modifications or integrations of legacy systems.
  • Confirmation measures and independence: requirements for verification reviews, confirmation reviews, and independent assessment authority.
  • Safety case and release for production: documentation and evidence required to justify that safety goals are met prior to production release.
  • Production, operation, service and decommissioning: post‑release safety management, responsibilities and required processes.
  • Competence and role definitions: competence management, defined roles and responsibilities for safety activities.
  • ASIL‑dependent requirements and adaptations: requirements that vary by Automotive Safety Integrity Level (ASIL) and adaptations for vehicle classes (e.g., motorcycles, trucks/buses).
  • Interface topics: Annex E (informative) gives guidance on the potential interaction of functional safety with cybersecurity. The annex is guidance only; the normative scope of this part remains hazards caused by malfunctioning behaviour of E/E systems, so it does not by itself impose cybersecurity requirements.

Practical applications and users

Who uses ISO 26262-2:

  • Automotive OEMs and Tier‑1/Tier‑2 suppliers for establishing compliant safety management systems.
  • Functional safety engineers, project managers and system architects responsible for safety lifecycle planning.
  • Quality assurance, process auditors, and certification bodies assessing organizational capability for functional safety.
  • Teams integrating legacy E/E systems or altering production systems that require tailoring of the safety lifecycle.

Practical uses include creating safety management plans, defining safety roles, preparing safety cases for production release, conducting functional safety audits and assessments, and aligning company processes with ASIL‑based requirements.

Related standards

ISO 26262-2 is part of the ISO 26262 series (Parts 1–12 in the 2018 edition), the automotive adaptation of IEC 61508. Relevant adjacent parts include:

  • Part 1: Vocabulary
  • Part 3: Concept phase
  • Parts 4/5/6: Product development at the system, hardware and software levels
  • Part 7: Production, operation, service and decommissioning
  • Part 8: Supporting processes
  • Part 9: Automotive Safety Integrity Level (ASIL)-oriented and safety-oriented analyses
  • Part 10: Guidelines on ISO 26262
  • Part 11: Guidelines on application of ISO 26262 to semiconductors
  • Part 12: Adaptation of ISO 26262 for motorcycles

Keywords: ISO 26262-2:2018, functional safety management, automotive functional safety, safety lifecycle, ASIL, E/E systems, safety case, functional safety audit.

Standard

REDLINE ISO 26262-2:2018 - Road vehicles — Functional safety — Part 2: Management of functional safety. Released 17 December 2018; English language; 45 pages.

Frequently Asked Questions

ISO 26262-2:2018 is a standard published by the International Organization for Standardization (ISO). Its full title is "Road vehicles - Functional safety - Part 2: Management of functional safety". Its scope is given in the abstract at the top of this page.

ISO 26262-2:2018 is classified under the following ICS (International Classification for Standards) categories: 43.040.10 - Electrical and electronic equipment. The ICS classification helps identify the subject area and facilitates finding related standards.

ISO 26262-2:2018 has the following relationship with other standards: it is the second edition of Part 2 and cancels and replaces ISO 26262-2:2011, the corresponding part of the 2011 series. Understanding this relationship helps ensure you are using the most current and applicable version of the standard.


Standards Content (Sample)


INTERNATIONAL STANDARD ISO 26262-2
Redline version: compares Second edition to First edition
Road vehicles — Functional safety — Part 2: Management of functional safety
Véhicules routiers — Sécurité fonctionnelle — Partie 2: Gestion de la sécurité fonctionnelle
Reference number: ISO 26262-2:redline:2018(E)
© ISO 2018
IMPORTANT
This marked-up version uses the following colour-coding in the marked-up text:
— Text has been added (in green)
— Text has been deleted (in red)
— Graphic figure has been added
— Graphic figure has been deleted
— If there are changes in a clause/subclause, the corresponding clause/subclause number is highlighted in yellow in the Table of contents
DISCLAIMER
This marked-up version highlights the main changes in this edition of the document
compared with the previous edition. It does not focus on details (e.g. changes in
punctuation).
This marked-up version does not constitute the official ISO document and is not intended to
be used for implementation purposes.
© ISO 2018
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may
be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting
on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address
below or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Fax: +41 22 749 09 47
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland

Contents
Foreword v
Introduction vii
1 Scope 1
2 Normative references 2
3 Terms, definitions and abbreviated terms 2
4 Requirements for compliance 2
4.1 Purpose 2
4.2 General requirements 2
4.3 Interpretations of tables 3
4.4 ASIL-dependent requirements and recommendations 3
4.5 Adaptation for motorcycles 4
4.6 Adaptation for trucks, buses, trailers and semi-trailers 4
5 Overall safety management 4
5.1 Objectives 4
5.2 General 4
5.2.1 Overview of the safety lifecycle 4
5.2.2 Explanatory remarks on the safety lifecycle 6
5.3 Inputs to this clause 11
5.3.1 Prerequisites 11
5.3.2 Further supporting information 11
5.4 Requirements and recommendations 12
5.4.1 General 12
5.4.2 Safety culture 12
5.4.3 Management of safety anomalies regarding functional safety 13
5.4.4 Competence management 14
5.4.5 Quality management during the safety lifecycle 15
5.4.6 Project-independent tailoring of the safety lifecycle 15
5.5 Work products 15
6 Project dependent safety management 15
6.1 Objectives 15
6.2 General 16
6.3 Inputs to this clause 17
6.3.1 Prerequisites 17
6.3.2 Further supporting information 17
6.4 Requirements and recommendations 17
6.4.1 General 17
6.4.2 Roles and responsibilities in safety management 18
6.4.3 Impact analysis at the item level 18
6.4.4 Reuse of an existing element 21
6.4.5 Tailoring of the safety activities 21
6.4.6 Planning and coordination of the safety activities 23
6.4.7 Progression of the safety lifecycle 25
6.4.8 Safety case 25
6.4.9 Confirmation measures: types, independency and authority 26
6.4.10 Confirmation reviews 33
6.4.11 Functional safety audit 33
6.4.12 Functional safety assessment 35
6.4.13 Release for production 37
6.5 Work products 38
7 Safety management regarding production, operation, service and decommissioning 38
7.1 Objective 38
7.2 General 38
7.3 Inputs to this clause 38
7.3.1 Prerequisites 38
7.3.2 Further supporting information 39
7.4 Requirements and recommendations 39
7.4.1 General 39
7.4.2 Responsibilities, planning and required processes 39
7.5 Work products 39
Annex A (informative) Overview of and workflow of functional safety management 40
Annex B (informative) Safety culture 44
Annex C (informative) Guidance for the confirmation measures 46
Annex D (informative) Example of a functional safety assessment agenda (for items that have an ASIL D safety goal) 53
Annex E (informative) Guidance on potential interaction of functional safety with cybersecurity 56
Bibliography 58

Foreword
ISO (the International Organization for Standardization) is a worldwide federation of national standards bodies (ISO member bodies). The work of preparing International Standards is normally carried out through ISO technical committees. Each member body interested in a subject for which a technical committee has been established has the right to be represented on that committee. International organizations, governmental and non-governmental, in liaison with ISO, also take part in the work. ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters of electrotechnical standardization.

The procedures used to develop this document and those intended for its further maintenance are described in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for the different types of ISO documents should be noted. This document was drafted in accordance with the editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives).

Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO shall not be held responsible for identifying any or all such patent rights. Details of any patent rights identified during the development of the document will be in the Introduction and/or on the ISO list of patent declarations received (see www.iso.org/patents).

Any trade name used in this document is information given for the convenience of users and does not constitute an endorsement.

For an explanation on the voluntary nature of standards, the meaning of ISO specific terms and expressions related to conformity assessment, as well as information about ISO's adherence to the World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT) see the following URL: www.iso.org/iso/foreword.html.

This document was prepared by Technical Committee ISO/TC 22, Road vehicles, Subcommittee SC 32, Electrical and electronic components and general system aspects.

This edition of ISO 26262 series of standards cancels and replaces the edition ISO 26262:2011 series of standards, which has been technically revised and includes the following main changes:
— requirements for trucks, buses, trailers and semi-trailers;
— extension of the vocabulary;
— more detailed objectives;
— objective oriented confirmation measures;
— management of safety anomalies;
— references to cybersecurity;
— updated target values for hardware architecture metrics;
— guidance on model based development and software safety analysis;
— evaluation of hardware elements;
— additional guidance on dependent failure analysis;
— guidance on fault tolerance, safety related special characteristics and software tools;
— guidance for semiconductors;
— requirements for motorcycles; and
— general restructuring of all parts for improved clarity.

Any feedback or questions on this document should be directed to the user's national standards body. A complete listing of these bodies can be found at www.iso.org/members.html.

A list of all parts in the ISO 26262 series can be found on the ISO website.
Introduction
The ISO 26262 series of standards is the adaptation of IEC 61508 series of standards to address the sector specific needs of electrical and/or electronic (E/E) systems within road vehicles.

This adaptation applies to all activities during the safety lifecycle of safety-related systems comprised of electrical, electronic and software components.

Safety is one of the key issues in the development of road vehicles. Development and integration of automotive functionalities will strengthen the need for functional safety and the need to provide evidence that all reasonable functional safety objectives are satisfied.

With the trend of increasing technological complexity, software content and mechatronic implementation, there are increasing risks from systematic failures and random hardware failures, these being considered within the scope of functional safety. ISO 26262 series of standards includes guidance to mitigate these risks by providing appropriate requirements and processes.

To achieve functional safety, the ISO 26262 series of standards:
a) provides a reference for the automotive safety lifecycle and supports the tailoring of the activities to be performed during the lifecycle phases, i.e., development, production, operation, service and decommissioning;
b) provides an automotive-specific risk-based approach to determine integrity levels [Automotive Safety Integrity Levels (ASILs)];
c) uses ASILs to specify which of the requirements of ISO 26262 are applicable to avoid unreasonable residual risk;
d) provides requirements for functional safety management, design, implementation, verification, validation and confirmation measures; and
e) provides requirements for relations between customers and suppliers.

The ISO 26262 series of standards is concerned with functional safety of E/E systems that is achieved through safety measures including safety mechanisms. It also provides a framework within which safety-related systems based on other technologies (e.g. mechanical, hydraulic and pneumatic) can be considered.

The achievement of functional safety is influenced by the development process (including such activities as requirements specification, design, implementation, integration, verification, validation and configuration), the production and service processes and by the management processes.

Safety is intertwined with common function-oriented and quality-oriented development activities and work products. The ISO 26262 series of standards addresses the safety-related aspects of these activities and work products.

Figure 1 shows the overall structure of the ISO 26262 series of standards. The ISO 26262 series of standards is based upon a V-model as a reference process model for the different phases of product development. Within the figure:
— the shaded "V"s represent the interconnection among ISO 26262-3, ISO 26262-4, ISO 26262-5, ISO 26262-6 and ISO 26262-7;
— for motorcycles:
  — ISO 26262-12:2018, Clause 8 supports ISO 26262-3;
  — ISO 26262-12:2018, Clauses 9 and 10 support ISO 26262-4;
— the specific clauses are indicated in the following manner: "m-n", where "m" represents the number of the particular part and "n" indicates the number of the clause within that part.
EXAMPLE "2-6" represents ISO 26262-2:2018, Clause 6.

Figure 1 — Overview of the ISO 26262 series of standards

Road vehicles — Functional safety — Part 2: Management of functional safety
1 Scope
This document is intended to be applied to safety-related systems that include one or more electrical and/or electronic (E/E) systems and that are installed in series production road vehicles, excluding mopeds. This document does not address unique E/E systems in special vehicles such as E/E systems designed for drivers with disabilities.
NOTE Other dedicated application-specific safety standards exist and can complement the ISO 26262 series of standards or vice versa.
Systems and their components released for production, or systems and their components already under development prior to the publication date of this document, are exempted from the scope of this edition. This document addresses alterations to existing systems and their components released for production prior to the publication of this document by tailoring the safety lifecycle depending on the alteration. This document addresses integration of existing systems not developed according to this document and systems developed according to this document by tailoring the safety lifecycle.
This document addresses possible hazards caused by malfunctioning behaviour of safety-related E/E systems, including interaction of these systems. It does not address hazards related to electric shock, fire, smoke, heat, radiation, toxicity, flammability, reactivity, corrosion, release of energy and similar hazards, unless directly caused by malfunctioning behaviour of safety-related E/E systems.
This document describes a framework for functional safety to assist the development of safety-related E/E systems. This framework is intended to be used to integrate functional safety activities into a company-specific development framework. Some requirements have a clear technical focus to implement functional safety into a product; others address the development process and can therefore be seen as process requirements in order to demonstrate the capability of an organization with respect to functional safety.
This document does not address the nominal performance of E/E systems.
This document specifies the requirements for functional safety management for automotive applications, including the following:
— project-independent requirements with regard to the organizations involved (overall safety management), and
— project-specific requirements with regard to the management activities in the safety lifecycle, i.e. management during the concept phase and the product development phases (at the system, hardware and software level), and regarding production, operation, service and decommissioning.
Annex A provides an overview on objectives, prerequisites and work products of this document.
2 Normative references
The following documents are referred to in the text in such a way that some or all of their content constitutes requirements of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.
ISO 26262-1:2018, Road vehicles — Functional safety — Part 1: Vocabulary
ISO 26262-3:2018, Road vehicles — Functional safety — Part 3: Concept phase
ISO 26262-4:2018, Road vehicles — Functional safety — Part 4: Product development at the system level
ISO 26262-5:2018, Road vehicles — Functional safety — Part 5: Product development at the hardware level
ISO 26262-6:2018, Road vehicles — Functional safety — Part 6: Product development at the software level
ISO 26262-7:2018, Road vehicles — Functional safety — Part 7: Production, operation, service and decommissioning
ISO 26262-8:2018, Road vehicles — Functional safety — Part 8: Supporting processes
ISO 26262-9:2018, Road vehicles — Functional safety — Part 9: Automotive Safety Integrity Level (ASIL)-oriented and safety-oriented analyses
3 Terms, definitions and abbreviated terms
For the purposes of this document, the terms, definitions and abbreviated terms given in ISO 26262-1:2018 apply.
ISO and IEC maintain terminological databases for use in standardization at the following addresses:
— IEC Electropedia: available at http: //www .electropedia .org/
— ISO Online browsing platform: available at https: //www .iso .org/obp
4 Requirements for compliance
4.1 Purpose
This clause describes how:
a) to achieve compliance with the ISO 26262 series of standards;
b) to interpret the tables used in the ISO 26262 series of standards; and
c) to interpret the applicability of each clause, depending on the relevant ASIL(s).
4.2 General requirements
When claiming compliance with the ISO 26262 series of standards, each requirement shall be met, unless one of the following applies:
a) tailoring of the safety activities in accordance with this document has been performed that shows that the requirement does not apply; or
b) a rationale is available that the non-compliance is acceptable and the rationale has been evaluated in accordance with this document.
Informative content, including notes and examples, is only for guidance in understanding, or for
clarification of the associated requirement, and shall not be interpreted as a requirement itself or as
complete or exhaustive.
The results of safety activities are given as work products. “Prerequisites” are information which shall
be available as work products of a previous phase. Given that certain requirements of a clause are
ASIL-dependent or may be tailored, certain work products may not be needed as prerequisites.
“Further supporting information” is information that can be considered, but which in some cases is not
required by the ISO 26262 series of standards as a work product of a previous phase and which may be
made available by external sources that are different from the persons or organizations responsible for
the functional safety activities.
4.3 Interpretations of tables
Tables are normative or informative depending on their context. The different methods listed in a table
contribute to the level of confidence in achieving compliance with the corresponding requirement. Each
method in a table is either:
a) a consecutive entry (marked by a sequence number in the leftmost column, e.g. 1, 2, 3), or
b) an alternative entry (marked by a number followed by a letter in the leftmost column, e.g. 2a, 2b, 2c).
For consecutive entries, all listed highly recommended and recommended methods in accordance with
the ASIL apply. It is allowed to substitute a highly recommended or recommended method by others not
listed in the table; in this case, a rationale shall be given describing why these comply with the
corresponding requirement. If a rationale can be given to comply with the corresponding requirement
without choosing all entries, a further rationale for omitted methods is not necessary.
For alternative entries, an appropriate combination of methods shall be applied in accordance with the
ASIL indicated, independent of whether they are listed in the table or not. If methods are listed with
different degrees of recommendation for an ASIL, the methods with the higher recommendation should
be preferred. A rationale shall be given that the selected combination of methods or even a selected
single method complies with the corresponding requirement.
NOTE A rationale based on the methods listed in the table is sufficient. However, this does not imply a bias
for or against methods not listed in the table.
For each method, the degree of recommendation to use the corresponding method depends on the ASIL
and is categorized as follows:
— “++” indicates that the method is highly recommended for the identified ASIL;
— “+” indicates that the method is recommended for the identified ASIL; and
— “o” indicates that the method has no recommendation for or against its usage for the identified ASIL.
4.4 ASIL-dependent requirements and recommendations
The requirements or recommendations of each sub-clause shall be met for ASIL A, B, C and D, if not
stated otherwise. These requirements and recommendations refer to the ASIL of the safety goal. If ASIL
decomposition has been performed at an earlier stage of development, in accordance with
ISO 26262-9:2018, Clause 5, the ASIL resulting from the decomposition shall be met.
If an ASIL is given in parentheses in the ISO 26262 series of standards, the corresponding sub-clause
shall be considered as a recommendation rather than a requirement for this ASIL. This has no link with
the parenthesis notation related to ASIL decomposition.
4.5 Adaptation for motorcycles
For items or elements of motorcycles for which requirements of ISO 26262-12 are applicable,
the requirements of ISO 26262-12 supersede the corresponding requirements in this document.
Requirements of this document that are superseded by ISO 26262-12 are defined in Part 12.
4.6 Adaptation for trucks, buses, trailers and semi-trailers
Content that is intended to be unique for trucks, buses, trailers and semi-trailers (T&B) is indicated
as such.
5 Overall safety management
5.1 Objectives
The intent of this clause is to ensure that the organizations involved in the execution of the safety
lifecycle, i.e. those that are responsible for the safety lifecycle, or that are performing safety activities
in the safety lifecycle, achieve the following objectives:
a) to institute and maintain a safety culture that supports and encourages the effective achievement
of functional safety and promotes effective communication with other disciplines related to
functional safety;
b) to institute and maintain adequate organization-specific rules and processes for functional safety;
c) to institute and maintain processes to ensure an adequate resolution of identified safety anomalies;
d) to institute and maintain a competence management system to ensure that the competence of the
involved persons is commensurate with their responsibilities; and
e) to institute and maintain a quality management system to support functional safety.
This clause serves as a prerequisite to the activities in the ISO 26262 safety lifecycle.
5.2 General
5.2.1 Overview of the safety lifecycle
The ISO 26262 reference safety lifecycle (see Figure 2) encompasses the principal safety activities
during the concept phase, product development, production, operation, service and decommissioning.
Planning, coordinating and monitoring the progress of the safety activities, as well as the responsibility
to ensure that the confirmation measures are performed, are key management tasks and are performed
throughout the lifecycle. The safety lifecycle may be tailored (see Clause 6).
Figure 2 represents the reference safety lifecycle model. Tailoring of the safety lifecycle, including
iterations of subphases, is allowed.
NOTE 1 The safety activities during the concept phase, the product development, and production, operation,
service and decommissioning are described in detail in ISO 26262-3 (concept phase), ISO 26262-4 (product
development at the system level), ISO 26262-5 (product development at the hardware level), ISO 26262-6
(product development at the software level) and ISO 26262-7 (production and operation).
NOTE 2 Table A.1 provides an overview of the objectives, prerequisites and work products of the particular
phases of the management of functional safety.
Figure 2 illustrates the management activities in relation to the safety lifecycle.
NOTE 3 Within the figure, the specific clauses of each part of ISO 26262 are indicated in the following
manner: “m-n”, where “m” represents the number of the part and “n” indicates the number of the clause, e.g. “3-6”
represents ISO 26262-3:2018, Clause 6.
NOTE 4 Sub-phases of the product development at the system level are shown in ISO 26262-4:2018, Figure 2.
NOTE 5 Sub-phases of the product development at the hardware level are shown in ISO 26262-5:2018, Figure 2.
NOTE 6 Sub-phases of the product development at the software level are shown in ISO 26262-6:2018, Figure 2.
Figure 2 — Safety Management activities in relation to the safety lifecycle
5.2.2 Explanatory remarks on the safety lifecycle
ISO 26262 specifies requirements with regard to specific phases and subphases of the safety lifecycle,
but also includes requirements that apply to several, or all, phases of the safety lifecycle, such as the
requirements for the management of functional safety.
The key management tasks are to plan, coordinate and track the activities related to functional
safety. These management tasks apply to all phases of the safety lifecycle. The requirements for the
management of functional safety are given in this part, which distinguishes:
— overall safety management (see this clause);
— safety management during the concept phase and the product development (see Clause 6);
— safety management after the item's release for production (see Clause 7).
The following descriptions explain the definitions of the different phases and subphases of the safety
lifecycle, as well as other key concepts:
a) The subphase: item definition
The initiating task of the safety lifecycle is to develop a description of the item with regard to its
functionality, interfaces, environmental conditions, legal requirements, known hazards, etc. The
boundary of the item and its interfaces, as well as assumptions concerning other items, elements,
systems and components are determined (see ISO 26262-3:2011, Clause 5).
b) The subphase: initiation of the safety lifecycle
Based on the item definition, the safety lifecycle is initiated by distinguishing between either a new
development, or a modification of an existing item.
If an existing item is modified, the results of an impact analysis are used to tailor the safety lifecycle
(see ISO 26262-3:2011, Clause 6).
c) The subphase: hazard analysis and risk assessment
After the initiation of the safety lifecycle, the hazard analysis and risk assessment is performed as
given in ISO 26262-3:2011, Clause 7. First, the hazard analysis and risk assessment estimates the
probability of exposure, the controllability and the severity of the hazardous events with regard to
the item. Together, these parameters determine the ASILs of the hazardous events. Subsequently,
the hazard analysis and risk assessment determines the safety goals for the item, with the safety
goals being the top level safety requirements for the item. The ASILs determined for the hazardous
events are assigned to the corresponding safety goals.
During the subsequent phases and subphases, detailed safety requirements are derived from the
safety goals. These safety requirements inherit the ASIL of the corresponding safety goals.
d) The subphase: functional safety concept
Based on the safety goals, a functional safety concept (see ISO 26262-3:2011, Clause 8) is specified
considering preliminary architectural assumptions. The functional safety concept is specified
by functional safety requirements that are allocated to the elements of the item. The functional
safety concept can also include other technologies or interfaces with external measures, provided
that the expected behaviours thereof can be validated (see ISO 26262-4:2011, Clause 9). The
implementation of other technologies is outside the scope of ISO 26262 and the implementation of
the external measures is outside the scope of the item development.
e) The phase: product development at the system level
After having specified the functional safety concept, the item is developed from the system level
perspective, as given in ISO 26262-4. The system development process is based on the concept of
a V-model with the specification of the technical safety requirements, the system architecture,
the system design and implementation on the left hand branch and the integration, verification,
validation and the functional safety assessment on the right hand branch.
The hardware-software interface is specified in this phase.
Figure 1 provides an overview of the subphases of the product development at the system level.
The product development at the system level incorporates validation tasks for activities occurring
within other safety lifecycle phases, including
— the validation of the aspects of the functional safety concept that are implemented by other
technologies;
— the validation of the assumptions concerning the effectiveness and the performance of external
measures; and
— the validation of the assumptions concerning human response, including controllability and
operational tasks.
The release for production is the final subphase of the product development and provides the
item’s release for series production (see ISO 26262-4:2011, Clause 11).
f) The phase: product development at the hardware level
Based on the system design specification, the item is developed from the hardware level perspective
(see ISO 26262-5). The hardware development process is based on the concept of a V-model with
the specification of the hardware requirements and the hardware design and implementation on
the left hand branch and the hardware integration and testing on the right hand branch.
Figure 1 provides an overview of the subphases of the product development at the hardware level.
g) The phase: product development at the software level
Based on the system design specification, the item is developed from the software level
perspective (see ISO 26262-6). The software development process is based on the concept of a
V-model with the specification of the software requirements and the software architectural design
and implementation on the left hand branch, and the software integration and testing, and the
verification of the software requirements on the right hand branch.
Figure 1 provides an overview of the subphases of the product development at the software level.
h) Production planning and operation planning
The planning for production and operation, and the specification of the associated requirements,
starts during the product development at the system level (see ISO 26262-4). The requirements for
production and operation are given in ISO 26262-7:2011, Clauses 5 and 6.
i) The phase: production and operation, service and decommissioning
This phase addresses the production processes relevant for the functional safety goals of the item,
i.e. the safety-related special characteristics, and the development and management of instructions
for the maintenance, repair and decommissioning of the item to ensure functional safety after the
item's release for production (see ISO 26262-7:2011, Clauses 5 and 6).
j) Controllability
In the hazard analysis and risk assessment (see ISO 26262-3:2011, Clause 7), credit can be taken
for the ability of the driver, or the other persons at risk, to control hazardous situations. The
assumptions regarding the controllability in the hazard analysis and risk assessment and the
functional and technical safety concept are validated during the safety validation (see Figure 2 and
ISO 26262-4:2011, Clause 9).
NOTE The exposure and the severity are factors that depend on the scenario. The eventual controllability
through human intervention is influenced by the design of the item and is therefore evaluated during the
validation (see ISO 26262-4:2011, 9.4.3.2).
k) External measures
The external measures r
...


INTERNATIONAL STANDARD ISO 26262-2
Redline version
compares Second edition to First edition
Road vehicles — Functional safety —
Part 2:
Management of functional safety
Véhicules routiers — Sécurité fonctionnelle —
Partie 2: Gestion de la sécurité fonctionnelle
Reference number ISO 26262-2:redline:2018(E)
© ISO 2018
IMPORTANT
This marked-up version uses the following colour-coding in the marked-up text:
Text example 1 — Text has been added (in green)
Text example 2 — Text has been deleted (in red)
— Graphic figure has been added
— Graphic figure has been deleted
1.x — If there are changes in a clause/subclause, the corresponding clause/subclause number is
highlighted in yellow in the Table of contents
DISCLAIMER
This marked-up version highlights the main changes in this edition of the document
compared with the previous edition. It does not focus on details (e.g. changes in
punctuation).
This marked-up version does not constitute the official ISO document and is not intended to
be used for implementation purposes.
© ISO 2018
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may
be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting
on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address
below or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Fax: +41 22 749 09 47
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
Contents
Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Requirements for compliance
4.1 Purpose
4.2 General requirements
4.3 Interpretations of tables
4.4 ASIL-dependent requirements and recommendations
4.5 Adaptation for motorcycles
4.6 Adaptation for trucks, buses, trailers and semi-trailers
5 Overall safety management
5.1 Objectives
5.2 General
5.2.1 Overview of the safety lifecycle
5.2.2 Explanatory remarks on the safety lifecycle
5.3 Inputs to this clause
5.3.1 Prerequisites
5.3.2 Further supporting information
5.4 Requirements and recommendations
5.4.1 General
5.4.2 Safety culture
5.4.3 Management of safety anomalies regarding functional safety
5.4.4 Competence management
5.4.5 Quality management system
5.4.6 Project-independent tailoring of the safety lifecycle
5.5 Work products
6 Project dependent safety management
6.1 Objectives
6.2 General
6.3 Inputs to this clause
6.3.1 Prerequisites
6.3.2 Further supporting information
6.4 Requirements and recommendations
6.4.1 General
6.4.2 Roles and responsibilities in safety management
6.4.3 Impact analysis at the item level
6.4.4 Reuse of an existing element
6.4.5 Tailoring of the safety activities
6.4.6 Planning and coordination of the safety activities
6.4.7 Progression of the safety lifecycle
6.4.8 Safety case
6.4.9 Confirmation measures: types, independency and authority
6.4.10 Confirmation reviews
6.4.11 Functional safety audit
6.4.12 Functional safety assessment
6.4.13 Release for production
6.5 Work products
7 Safety management regarding production, operation, service and decommissioning
7.1 Objective
7.2 General
7.3 Inputs to this clause
7.3.1 Prerequisites
7.3.2 Further supporting information
7.4 Requirements and recommendations
7.4.1 General
7.4.2 Responsibilities, planning and required processes
7.5 Work products
Annex A (informative) Overview of and workflow of functional safety management
Annex B (informative) Safety culture
Annex C (informative) Guidance for the confirmation measures
Annex D (informative) Example of a functional safety assessment agenda (for items that have an ASIL D safety goal)
Annex E (informative) Guidance on potential interaction of functional safety with cybersecurity
Bibliography
Foreword
ISO (the International Organization for Standardization) is a worldwide federation of national standards
bodies (ISO member bodies). The work of preparing International Standards is normally carried out
through ISO technical committees. Each member body interested in a subject for which a technical
committee has been established has the right to be represented on that committee. International
organizations, governmental and non-governmental, in liaison with ISO, also take part in the work.
ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters of
electrotechnical standardization.
The procedures used to develop this document and those intended for its further maintenance are
described in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for the
different types of ISO documents should be noted. This document was drafted in accordance with the
editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives).
The main task of technical committees is to prepare International Standards. Draft International
Standards adopted by the technical committees are circulated to the member bodies for voting.
Publication as an International Standard requires approval by at least 75 % of the member bodies
casting a vote.
Attention is drawn to the possibility that some of the elements of this document may be the subject of
patent rights. ISO shall not be held responsible for identifying any or all such patent rights. Details of
any patent rights identified during the development of the document will be in the Introduction and/or
on the ISO list of patent declarations received (see www.iso.org/patents).
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation on the voluntary nature of standards, the meaning of ISO specific terms and
expressions related to conformity assessment, as well as information about ISO's adherence to the
World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT) see the following
URL: www.iso.org/iso/foreword.html.
This document was prepared by Technical Committee ISO/TC 22, Road vehicles, Subcommittee SC 32,
Electrical and electronic components and general system aspects.
This edition of the ISO 26262 series of standards cancels and replaces the ISO 26262:2011 series of
standards, which has been technically revised and includes the following main changes:
— requirements for trucks, buses, trailers and semi-trailers;
— extension of the vocabulary;
— more detailed objectives;
— objective oriented confirmation measures;
— management of safety anomalies;
— references to cybersecurity;
— updated target values for hardware architecture metrics;
— guidance on model based development and software safety analysis;
— evaluation of hardware elements;
— additional guidance on dependent failure analysis;
— guidance on fault tolerance, safety related special characteristics and software tools;
— guidance for semiconductors;
— requirements for motorcycles; and
— general restructuring of all parts for improved clarity.
Any feedback or questions on this document should be directed to the user’s national standards body. A
complete listing of these bodies can be found at www.iso.org/members.html.
A list of all parts in the ISO 26262 series can be found on the ISO website.
Introduction
The ISO 26262 series of standards is the adaptation of the IEC 61508 series of standards to address the
sector specific needs of electrical and/or electronic (E/E) systems within road vehicles.
This adaptation applies to all activities during the safety lifecycle of safety-related systems comprised
of electrical, electronic and software components.
Safety is one of the key issues in the development of road vehicles. Development and integration of
automotive functionalities will strengthen the need for functional safety and the need to provide
evidence that all reasonable functional safety objectives are satisfied.
With the trend of increasing technological complexity, software content and mechatronic
implementation, there are increasing risks from systematic failures and random hardware failures,
these being considered within the scope of functional safety. The ISO 26262 series of standards includes
guidance to mitigate these risks by providing appropriate requirements and processes.
To achieve functional safety, the ISO 26262 series of standards:
a) provides a reference for the automotive safety lifecycle and supports the tailoring of the activities
to be performed during the lifecycle phases, i.e. development, production, operation, service and
decommissioning;
b) provides an automotive-specific risk-based approach to determine integrity levels [Automotive
Safety Integrity Levels (ASILs)];
c) uses ASILs to specify which of the requirements of ISO 26262 are applicable to avoid unreasonable
residual risk;
d) provides requirements for functional safety management, design, implementation, verification,
validation and confirmation measures; and
e) provides requirements for relations between customers and suppliers.
The ISO 26262 series of standards is concerned with functional safety of E/E systems that is achieved
through safety measures including safety mechanisms. It also provides a framework within which
safety-related systems based on other technologies (e.g. mechanical, hydraulic and pneumatic) can be
considered.
The achievement of functional safety is influenced by the development process (including such
activities as requirements specification, design, implementation, integration, verification, validation
and configuration), the production and service processes and by the management processes.
Safety is intertwined with common function-oriented and quality-oriented development activities and
work products. The ISO 26262 series of standards addresses the safety-related aspects of these activities
and work products.
Figure 1 shows the overall structure of the ISO 26262 series of standards. The ISO 26262 series of
standards is based upon a V-model as a reference process model for the different phases of product
development. Within the figure:
— the shaded “V”s represent the interconnection among ISO 26262-3, ISO 26262-4, ISO 26262-5,
ISO 26262-6 and ISO 26262-7;
— for motorcycles:
— ISO 26262-12:2018, Clause 8 supports ISO 26262-3;
— ISO 26262-12:2018, Clauses 9 and 10 support ISO 26262-4;
— the specific clauses are indicated in the following manner: “m-n”, where “m” represents the number
of the particular part and “n” indicates the number of the clause within that part.
EXAMPLE “2-6” represents ISO 26262-2:2018, Clause 6.
Figure 1 — Overview of the ISO 26262 series of standards
Road vehicles — Functional safety —
Part 2:
Management of functional safety
1 Scope
This document is intended to be applied to safety-related systems that include one or more electrical
and/or electronic (E/E) systems and that are installed in series production road vehicles, excluding
mopeds. This document does not address unique E/E systems in special vehicles such as E/E systems
designed for drivers with disabilities.
NOTE Other dedicated application-specific safety standards exist and can complement the ISO 26262 series
of standards or vice versa.
Systems and their components released for production, or systems and their components already under
development prior to the publication date of this document, are exempted from the scope of this edition.
This document addresses alterations to existing systems and their components released for production
prior to the publication of this document by tailoring the safety lifecycle depending on the alteration.
This document addresses integration of existing systems not developed according to this document and
systems developed according to this document by tailoring the safety lifecycle.
This document addresses possible hazards caused by malfunctioning behaviour of safety-related E/E
systems, including interaction of these systems. It does not address hazards related to electric shock,
fire, smoke, heat, radiation, toxicity, flammability, reactivity, corrosion, release of energy and similar
hazards, unless directly caused by malfunctioning behaviour of safety-related E/E systems.
This document describes a framework for functional safety to assist the development of safety-
related E/E systems. This framework is intended to be used to integrate functional safety activities
into a company-specific development framework. Some requirements have a clear technical focus to
implement functional safety into a product; others address the development process and can therefore
be seen as process requirements in order to demonstrate the capability of an organization with respect
to functional safety.
This document does not address the nominal performance of E/E systems, even if dedicated functional
performance standards exist for these systems (e.g. active and passive safety systems, brake systems,
Adaptive Cruise Control).
This document specifies the requirements for functional safety management for automotive
applications, including the following:
— project-independent requirements with regard to the organizations involved (overall safety
management), and
— project-specific requirements with regard to the management activities in the safety lifecycle,
i.e. management during the concept phase and the product development phases (at the system,
hardware and software level), and regarding production, operation, service and decommissioning.
Annex A provides an overview on objectives, prerequisites and work products of this document.
ISO 26262-2:redline:2018(E)
2 Normative references
The following documents are referred to in the text in such a way that some or all of their content
constitutes requirements of this document. For dated references, only the edition cited applies. For
undated references, the latest edition of the referenced document (including any amendments) applies.
ISO 26262-1, Road vehicles — Functional safety — Part 1: Vocabulary
ISO 26262-3:2018, Road vehicles — Functional safety — Part 3: Concept phase
ISO 26262-4:2018, Road vehicles — Functional safety — Part 4: Product development at the system level
ISO 26262-5:2018, Road vehicles — Functional safety — Part 5: Product development at the hardware level
ISO 26262-6:2018, Road vehicles — Functional safety — Part 6: Product development at the software level
ISO 26262-7:2018, Road vehicles — Functional safety — Part 7: Production, operation, service and decommissioning
ISO 26262-8:2018, Road vehicles — Functional safety — Part 8: Supporting processes
ISO 26262-9:2018, Road vehicles — Functional safety — Part 9: Automotive Safety Integrity Level (ASIL)-oriented and safety-oriented analyses
3 Terms and definitions
For the purposes of this document, the terms, definitions and abbreviated terms given in
ISO 26262-1:2011 apply.
ISO and IEC maintain terminological databases for use in standardization at the following addresses:
— IEC Electropedia: available at http://www.electropedia.org/
— ISO Online browsing platform: available at https://www.iso.org/obp
4 Requirements for compliance
4.1 Purpose
This clause describes how:
a) to achieve compliance with the ISO 26262 series of standards;
b) to interpret the tables used in the ISO 26262 series of standards; and
c) to interpret the applicability of each clause, depending on the relevant ASIL(s).
4.2 General requirements
When claiming compliance with the ISO 26262 series of standards, each requirement shall be met,
unless one of the following applies:
a) tailoring of the safety activities in accordance with this document has been performed that shows
that the requirement does not apply; or
b) a rationale is available that the non-compliance is acceptable and the rationale has been evaluated
in accordance with this document.
2 © ISO 2018 – All rights reserved
Informative content, including notes and examples, is only for guidance in understanding, or for
clarification of the associated requirement, and shall not be interpreted as a requirement itself or as
complete or exhaustive.
The results of safety activities are given as work products. “Prerequisites” are information which shall
be available as work products of a previous phase. Given that certain requirements of a clause are
ASIL-dependent or may be tailored, certain work products may not be needed as prerequisites.
“Further supporting information” is information that can be considered, but which in some cases is not
required by the ISO 26262 series of standards as a work product of a previous phase and which may be
made available by external sources that are different from the persons or organizations responsible for
the functional safety activities.
4.3 Interpretations of tables
Tables are normative or informative depending on their context. The different methods listed in a table
contribute to the level of confidence in achieving compliance with the corresponding requirement. Each
method in a table is either:
a) a consecutive entry (marked by a sequence number in the leftmost column, e.g. 1, 2, 3), or
b) an alternative entry (marked by a number followed by a letter in the leftmost column, e.g. 2a, 2b, 2c).
For consecutive entries, all listed highly recommended and recommended methods in accordance with
the ASIL apply. It is allowed to substitute a highly recommended or recommended method by others not
listed in the table; in this case, a rationale shall be given describing why these comply with the
corresponding requirement. If a rationale can be given to comply with the corresponding requirement
without choosing all entries, a further rationale for omitted methods is not necessary.
For alternative entries, an appropriate combination of methods shall be applied in accordance with the
ASIL indicated, independent of whether they are listed in the table or not. If methods are listed with
different degrees of recommendation for an ASIL, the methods with the higher recommendation should
be preferred. A rationale shall be given that the selected combination of methods or even a selected
single method complies with the corresponding requirement.
NOTE A rationale based on the methods listed in the table is sufficient. However, this does not imply a bias
for or against methods not listed in the table.
For each method, the degree of recommendation to use the corresponding method depends on the ASIL
and is categorized as follows:
— “++” indicates that the method is highly recommended for the identified ASIL;
— “+” indicates that the method is recommended for the identified ASIL; and
— “o” indicates that the method has no recommendation for or against its usage for the identified ASIL.
4.4 ASIL-dependent requirements and recommendations
The requirements or recommendations of each sub-clause shall be met for ASIL A, B, C and D, if not
stated otherwise. These requirements and recommendations refer to the ASIL of the safety goal. If ASIL
decomposition has been performed at an earlier stage of development, in accordance with
ISO 26262-9:2018, Clause 5, the ASIL resulting from the decomposition shall be met.
If an ASIL is given in parentheses in the ISO 26262 series of standards, the corresponding sub-clause
shall be considered as a recommendation rather than a requirement for this ASIL. This has no link with
the parenthesis notation related to ASIL decomposition.
4.5 Adaptation for motorcycles
For items or elements of motorcycles for which requirements of ISO 26262-12 are applicable,
the requirements of ISO 26262-12 supersede the corresponding requirements in this document.
Requirements of this document that are superseded by ISO 26262-12 are defined in Part 12.
4.6 Adaptation for trucks, buses, trailers and semi-trailers
Content that is intended to be unique for trucks, buses, trailers and semi-trailers (T&B) is indicated
as such.
5 Overall safety management
5.1 Objectives
The intent of this clause is to ensure the organizations involved in the execution of the safety
lifecycle, i.e. those that are responsible for the safety lifecycle, or that perform or are performing
safety activities in the safety lifecycle, achieve the following objectives:
a) to institute and maintain a safety culture that supports and encourages the effective achievement
of functional safety and promotes effective communication with other disciplines related to
functional safety;
b) to institute and maintain adequate organization-specific rules and processes for functional safety;
c) to institute and maintain processes to ensure an adequate resolution of identified safety anomalies;
d) to institute and maintain a competence management system to ensure that the competence of the
involved persons is commensurate with their responsibilities; and
e) to institute and maintain a quality management system to support functional safety.
This clause serves as a prerequisite to the activities in the ISO 26262 safety lifecycle.
5.2 General
5.2.1 Overview of the safety lifecycle
The ISO 26262 reference safety lifecycle (see Figure 2) encompasses the principal safety activities
during the concept phase, product development, production, operation, service and decommissioning.
Planning, coordinating and documenting the safety activities of all phases of the safety lifecycle,
monitoring the progress of the safety activities, as well as the responsibility to ensure that the
confirmation measures are performed, are key management tasks and are performed throughout the
lifecycle. The safety lifecycle may be tailored (see Clause 6).
Figure 2 represents the reference safety lifecycle model. Tailoring of the safety lifecycle, including
iterations of subphases, is allowed.
NOTE 1 The safety activities during the concept phase, the product development, production, operation, service
and decommissioning are described in detail in ISO 26262-3 (concept phase), ISO 26262-4 (product development
at the system level), ISO 26262-5 (product development at the hardware level), ISO 26262-6 (product development
at the software level) and ISO 26262-7 (production and operation).
NOTE 2 Table A.1 provides an overview of the objectives, prerequisites and work products of the particular
phases of the management of functional safety.
Figure 2 illustrates the management activities in relation to the safety lifecycle.
NOTE 3 Within the figure, the specific clauses of each part of ISO 26262 are indicated in the following
manner: “m-n”, where “m” represents the number of the part and “n” indicates the number of the clause, e.g. “3-6”
represents ISO 26262-3:2018, Clause 6.
NOTE 4 Sub-phases of the product development at the system level are shown in ISO 26262-4:2018, Figure 2.
NOTE 5 Sub-phases of the product development at the hardware level are shown in ISO 26262-5:2018, Figure 2.
NOTE 6 Sub-phases of the product development at the software level are shown in ISO 26262-6:2018, Figure 2.
Figure 2 — Safety management activities in relation to the safety lifecycle
5.2.2 Explanatory remarks on the safety lifecycle
ISO 26262 specifies requirements with regard to specific phases and subphases of the safety lifecycle,
but also includes requirements that apply to several, or all, phases of the safety lifecycle, such as the
requirements for the management of functional safety.
The key management tasks are to plan, coordinate and track the activities related to functional
safety. These management tasks apply to all phases of the safety lifecycle. The requirements for the
management of functional safety are given in this part, which distinguishes:
— overall safety management (see this clause);
— safety management during the concept phase and the product development (see Clause 6);
— safety management after the item's release for production (see Clause 7).
The following descriptions explain the definitions of the different phases and subphases of the safety
lifecycle, as well as other key concepts:
a) The subphase: item definition
The initiating task of the safety lifecycle is to develop a description of the item with regard to its
functionality, interfaces, environmental conditions, legal requirements, known hazards, etc. The
boundary of the item and its interfaces, as well as assumptions concerning other items, elements,
systems and components are determined (see ISO 26262-3:2011, Clause 5).
b) The subphase: initiation of the safety lifecycle
Based on the item definition, the safety lifecycle is initiated by distinguishing between either a new
development, or a modification of an existing item.
If an existing item is modified, the results of an impact analysis are used to tailor the safety lifecycle
(see ISO 26262-3:2011, Clause 6).
c) The subphase: hazard analysis and risk assessment
After the initiation of the safety lifecycle, the hazard analysis and risk assessment is performed as
given in ISO 26262-3:2011, Clause 7. First, the hazard analysis and risk assessment estimates the
probability of exposure, the controllability and the severity of the hazardous events with regard to
the item. Together, these parameters determine the ASILs of the hazardous events. Subsequently,
the hazard analysis and risk assessment determines the safety goals for the item, with the safety
goals being the top level safety requirements for the item. The ASILs determined for the hazardous
events are assigned to the corresponding safety goals.
During the subsequent phases and subphases, detailed safety requirements are derived from the
safety goals. These safety requirements inherit the ASIL of the corresponding safety goals.
d) The subphase: functional safety concept
Based on the safety goals, a functional safety concept (see ISO 26262-3:2011, Clause 8) is specified
considering preliminary architectural assumptions. The functional safety concept is specified
by functional safety requirements that are allocated to the elements of the item. The functional
safety concept can also include other technologies or interfaces with external measures, provided
that the expected behaviours thereof can be validated (see ISO 26262-4:2011, Clause 9). The
implementation of other technologies is outside the scope of ISO 26262 and the implementation of
the external measures is outside the scope of the item development.
e) The phase: product development at the system level
After having specified the functional safety concept, the item is developed from the system level
perspective, as given in ISO 26262-4. The system development process is based on the concept of
a V-model with the specification of the technical safety requirements, the system architecture,
the system design and implementation on the left hand branch and the integration, verification,
validation and the functional safety assessment on the right hand branch.
The hardware-software interface is specified in this phase.
Figure 1 provides an overview of the subphases of the product development at the system level.
The product development at the system level incorporates validation tasks for activities occurring
within other safety lifecycle phases, including
— the validation of the aspects of the functional safety concept that are implemented by other
technologies;
— the validation of the assumptions concerning the effectiveness and the performance of external
measures; and
— the validation of the assumptions concerning human response, including controllability and
operational tasks.
The release for production is the final subphase of the product development and provides the
item’s release for series production (see ISO 26262-4:2011, Clause 11).
f) The phase: product development at the hardware level
Based on the system design specification, the item is developed from the hardware level perspective
(see ISO 26262-5). The hardware development process is based on the concept of a V-model with
the specification of the hardware requirements and the hardware design and implementation on
the left hand branch and the hardware integration and testing on the right hand branch.
Figure 1 provides an overview of the subphases of the product development at the hardware level.
g) The phase: product development at the software level
Based on the system design specification, the item is developed from the software level
perspective (see ISO 26262-6). The software development process is based on the concept of a
V-model with the specification of the software requirements and the software architectural design
and implementation on the left hand branch, and the software integration and testing, and the
verification of the software requirements on the right hand branch.
Figure 1 provides an overview of the subphases of the product development at the software level.
h) Production planning and operation planning
The planning for production and operation, and the specification of the associated requirements,
starts during the product development at the system level (see ISO 26262-4). The requirements for
production and operation are given in ISO 26262-7:2011, Clauses 5 and 6.
i) The phase: production and operation, service and decommissioning
This phase addresses the production processes relevant for the functional safety goals of the item,
i.e. the safety-related special characteristics, and the development and management of instructions
for the maintenance, repair and decommissioning of the item to ensure functional safety after the
item's release for production (see ISO 26262-7:2011, Clauses 5 and 6).
j) Controllability
In the hazard analysis and risk assessment (see ISO 26262-3:2011, Clause 7), credit can be taken
for the ability of the driver, or the other persons at risk, to control hazardous situations. The
assumptions regarding the controllability in the hazard analysis and risk assessment and the
functional and technical safety concept are validated during the safety validation (see Figure 2 and
ISO 26262-4:2011, Clause 9).
NOTE The exposure and the severity are factors that depend on the scenario. The eventual controllability
through human intervention is influenced by the design of the item and is therefore evaluated during the
validation (see ISO 26262-4:2011, 9.4.3.2).
k) External measures
The external measures r
...