ISO 26262-10:2012

INTERNATIONAL ISO
STANDARD 26262-10
First edition
2012-08-01

Road vehicles — Functional safety —
Part 10:
Guideline on ISO 26262
Véhicules routiers — Sécurité fonctionnelle —
Partie 10: Lignes directrices relatives à l'ISO 26262




Reference number
ISO 26262-10:2012(E)
©
ISO 2012

---------------------- Page: 1 ----------------------
ISO 26262-10:2012(E)

COPYRIGHT PROTECTED DOCUMENT


©  ISO 2012
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form or by any means,
electronic or mechanical, including photocopying and microfilm, without permission in writing from either ISO at the address below or
ISO's member body in the country of the requester.
ISO copyright office
Case postale 56  CH-1211 Geneva 20
Tel. + 41 22 749 01 11
Fax + 41 22 749 09 47
E-mail copyright@iso.org
Web www.iso.org
Published in Switzerland

ii © ISO 2012 – All rights reserved

---------------------- Page: 2 ----------------------
ISO 26262-10:2012(E)
Contents Page
Foreword . iv
Introduction . v
1  Scope . 1
2  Normative references . 1
3  Terms, definitions and abbreviated terms . 2
4  Key concepts of ISO 26262 . 2
4.1  Functional safety for automotive systems (relationship with IEC 61508) . 2
4.2  Item, system, element, component, hardware part and software unit . 4
4.3  Relationship between faults, errors and failures . 5
5  Selected topics regarding safety management . 6
5.1  Work product . 6
5.2  Confirmation measures . 6
5.3  Understanding of safety cases . 9
6  Concept phase and system development . 10
6.1  General . 10
6.2  Example of hazard analysis and risk assessment . 10
6.3  An observation regarding controllability classification . 11
6.4  External measures . 12
6.5  Example of combining safety goals . 13
7  Safety process requirement structure - Flow and sequence of safety requirements . 14
8  Concerning hardware development . 17
8.1  The classification of random hardware faults . 17
8.2  Example of residual failure rate and local single-point fault metric evaluation . 22
8.3  Further explanation concerning hardware . 34
9  Safety element out of context . 36
9.1  Safety element out of context development . 36
9.2  Use cases . 37
10  An example of proven in use argument . 45
10.1  General . 45
10.2  Item definition and definition of the proven in use candidate . 46
10.3  Change analysis . 46
10.4  Target values for proven in use . 46
11  Concerning ASIL decomposition . 47
11.1  Objective of ASIL decomposition . 47
11.2  Description of ASIL decomposition . 47
11.3  An example of ASIL decomposition . 47
Annex A (informative) ISO 26262 and microcontrollers . 51
Annex B (informative) Fault tree construction and applications . 73
Bibliography . 89

© ISO 2012 – All rights reserved iii

---------------------- Page: 3 ----------------------
ISO 26262-10:2012(E)
Foreword
ISO (the International Organization for Standardization) is a worldwide federation of national standards bodies
(ISO member bodies). The work of preparing International Standards is normally carried out through ISO
technical committees. Each member body interested in a subject for which a technical committee has been
established has the right to be represented on that committee. International organizations, governmental and
non-governmental, in liaison with ISO, also take part in the work. ISO collaborates closely with the
International Electrotechnical Commission (IEC) on all matters of electrotechnical standardization.
International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2.
The main task of technical committees is to prepare International Standards. Draft International Standards
adopted by the technical committees are circulated to the member bodies for voting. Publication as an
International Standard requires approval by at least 75 % of the member bodies casting a vote.
Attention is drawn to the possibility that some of the elements of this document may be the subject of patent
rights. ISO shall not be held responsible for identifying any or all such patent rights.
ISO 26262-10 was prepared by Technical Committee ISO/TC 22, Road vehicles, Subcommittee SC 3,
Electrical and electronic equipment.
ISO 26262 consists of the following parts, under the general title Road vehicles — Functional safety:
 Part 1: Vocabulary
 Part 2: Management of functional safety
 Part 3: Concept phase
 Part 4: Product development at the system level
 Part 5: Product development at the hardware level
 Part 6: Product development at the software level
 Part 7: Production and operation
 Part 8: Supporting processes
 Part 9: Automotive Safety Integrity Level (ASIL)-oriented and safety-oriented analyses
 Part 10: Guideline on ISO 26262

iv © ISO 2012 – All rights reserved

---------------------- Page: 4 ----------------------
ISO 26262-10:2012(E)
Introduction
ISO 26262 is the adaptation of IEC 61508 to comply with needs specific to the application sector of electrical
and/or electronic (E/E) systems within road vehicles.
This adaptation applies to all activities during the safety lifecycle of safety-related systems comprised of
electrical, electronic and software components.
Safety is one of the key issues of future automobile development. New functionalities not only in areas such
as driver assistance, propulsion, in vehicle dynamics control and active and passive safety systems
increasingly touch the domain of system safety engineering. Development and integration of these
functionalities will strengthen the need for safe system development processes and the need to provide
evidence that all reasonable system safety objectives are satisfied.
With the trend of increasing technological complexity, software content and mechatronic implementation, there
are increasing risks from systematic failures and random hardware failures. ISO 26262 includes guidance to
avoid these risks by providing appropriate requirements and processes.
System safety is achieved through a number of safety measures, which are implemented in a variety of
technologies (e.g. mechanical, hydraulic, pneumatic, electrical, electronic, programmable electronic) and
applied at the various levels of the development process. Although ISO 26262 is concerned with functional
safety of E/E systems, it provides a framework within which safety-related systems based on other
technologies can be considered. ISO 26262:
a) provides an automotive safety lifecycle (management, development, production, operation, service,
decommissioning) and supports tailoring the necessary activities during these lifecycle phases;
b) provides an automotive-specific risk-based approach to determine integrity levels [Automotive Safety
Integrity Levels (ASIL)];
c) uses ASILs to specify applicable requirements of ISO 26262 so as to avoid unreasonable residual risk;
d) provides requirements for validation and confirmation measures to ensure a sufficient and acceptable
level of safety being achieved;
e) provides requirements for relations with suppliers.
Functional safety is influenced by the development process (including such activities as requirements
specification, design, implementation, integration, verification, validation and configuration), the production
and service processes and by the management processes.
Safety issues are intertwined with common function-oriented and quality-oriented development activities and
work products. ISO 26262 addresses the safety-related aspects of development activities and work products.
Figure 1 shows the overall structure of this edition of ISO 26262. ISO 26262 is based upon a V-model as a
reference process model for the different phases of product development. Within the figure:
 the shaded “V”s represent the interconnection between ISO 26262-3, ISO 26262-4, ISO 26262-5,
ISO 26262-6 and ISO 26262-7;
 the specific clauses are indicated in the following manner: “m-n”, where “m” represents the number of the
particular part and “n” indicates the number of the clause within that part.
EXAMPLE “2-6” represents Clause 6 of ISO 26262-2.
© ISO 2012 – All rights reserved v

---------------------- Page: 5 ----------------------
ISO 26262-10:2012(E)

Figure 1 — Overview of ISO 26262
vi © ISO 2012 – All rights reserved

1. Vocabulary
2. Management of functional safety
2-6 Safety management during the concept phase 2-7 Safety management after the item´s release
2-5 Overall safety management
and the product development for production
3. Concept phase 4. Product development at the system level 7. Production and operation
4-5 Initiation of product
4-11 Release for production
3-5 Item definition
7-5 Production
development at the system level
4-10 Functional safety assessment
7-6 Operation, service
3-6 Initiation of the safety lifecycle
4-6 Specification of the technical (maintenance and repair), and
safety requirements
decommissioning
4-9 Safety validation
3-7 Hazard analysis and risk
assessment
4-7 System design 4-8 Item integration and testing
3-8 Functional safety
concept
5. Product development at the 6. Product development at the
hardware level software level
5-5 Initiation of product 6-5 Initiation of product
development at the hardware level development at the software level
5-6 Specification of hardware 6-6 Specification of software safety
safety requirements requirements
5-7 Hardware design 6-7 Software architectural design
5-8 Evaluation of the hardware
6-8 Software unit design and
architectural metrics implementation
5-9 Evaluation of the safety goal
6-9 Software unit testing
violations due to random hardware
failures
6-10 Software integration and
5-10 Hardware integration and
testing
testing
6-11 Verification of software safety
requirements
8. Supporting processes
8-5 Interfaces within distributed developments 8-10 Documentation
8-6 Specification and management of safety requirements 8-11 Confidence in the use of software tools
8-7 Configuration management 8-12 Qualification of software components
8-8 Change management 8-13 Qualification of hardware components
8-9 Verification 8-14 Proven in use argument
9. ASIL-oriented and safety-oriented analyses
9-5 Requirements decomposition with respect to ASIL tailoring 9-7 Analysis of dependent failures
9-6 Criteria for coexistence of elements 9-8 Safety analyses
10. Guideline on ISO 26262

---------------------- Page: 6 ----------------------
INTERNATIONAL STANDARD ISO 26262-10:2012(E)

Road vehicles — Functional safety —
Part 10:
Guideline on ISO 26262
1 Scope
ISO 26262 is intended to be applied to safety-related systems that include one or more electrical and/or
electronic (E/E) systems and that are installed in series production passenger cars with a maximum gross
vehicle mass up to 3 500 kg. ISO 26262 does not address unique E/E systems in special purpose vehicles
such as vehicles designed for drivers with disabilities.
Systems and their components released for production, or systems and their components already under
development prior to the publication date of ISO 26262, are exempted from the scope. For further
development or alterations based on systems and their components released for production prior to the
publication of ISO 26262, only the modifications will be developed in accordance with ISO 26262.
ISO 26262 addresses possible hazards caused by malfunctioning behaviour of E/E safety-related systems,
including interaction of these systems. It does not address hazards related to electric shock, fire, smoke, heat,
radiation, toxicity, flammability, reactivity, corrosion, release of energy and similar hazards, unless directly
caused by malfunctioning behaviour of E/E safety-related systems.
ISO 26262 does not address the nominal performance of E/E systems, even if dedicated functional
performance standards exist for these systems (e.g. active and passive safety systems, brake systems,
Adaptive Cruise Control).
This part of ISO 26262 provides an overview of ISO 26262, as well as giving additional explanations, and is
intended to enhance the understanding of the other parts of ISO 26262. It has an informative character only
and describes the general concepts of ISO 26262 in order to facilitate comprehension. The explanation
expands from general concepts to specific contents.
In the case of inconsistencies between this part of ISO 26262 and another part of ISO 26262, the
requirements, recommendations and information specified in the other part of ISO 26262 apply.
2 Normative references
The following referenced documents are indispensable for the application of this document. For dated
references, only the edition cited applies. For undated references, the latest edition of the referenced
document (including any amendments) applies.
ISO 26262-1:2011, Road vehicles — Functional safety — Part 1: Vocabulary
ISO 26262-2:2011, Road vehicles — Functional safety — Part 2: Management of functional safety
ISO 26262-3:2011, Road vehicles — Functional safety — Part 3: Concept phase
ISO 26262-4:2011, Road vehicles — Functional safety — Part 4: Product development at the system level
ISO 26262-5:2011, Road vehicles — Functional safety — Part 5: Product development at the hardware level
ISO 26262-6:2011, Road vehicles — Functional safety — Part 6: Product development at the software level
ISO 26262-7:2011, Road vehicles — Functional safety — Part 7: Production and operation
© ISO 2012 – All rights reserved 1

---------------------- Page: 7 ----------------------
ISO 26262-10:2012(E)
ISO 26262-8:2011, Road vehicles — Functional safety — Part 8: Supporting processes
ISO 26262-9:2011, Road vehicles — Functional safety — Part 9: Automotive Safety Integrity Level (ASIL)-
oriented and safety-oriented analyses
3 Terms, definitions and abbreviated terms
For the purposes of this document, the terms, definitions and abbreviated terms given in ISO 26262-1:2011
apply.
4 Key concepts of ISO 26262
4.1 Functional safety for automotive systems (relationship with IEC 61508)
IEC 61508, Functional safety of electrical/electronic/programmable electronic safety-related systems, is
designated by IEC as a generic standard and a basic safety publication. This means that industry sectors will
base their own standards for functional safety on the requirements of IEC 61508.
In the automotive industry, there are a number of issues with applying IEC 61508 directly. Some of these
issues and corresponding differences in ISO 26262 are described below.
IEC 61508 is based upon the model of “equipment under control”, for example an industrial plant that has an
associated control system as follows:
a) A hazard analysis identifies the hazards associated with the equipment under control (including the
equipment control system), to which risk reduction measures will be applied. This can be achieved
through E/E/PE systems, or other technology safety-related systems (e.g. a safety valve), or external
measures (e.g. a physical containment of the plant). ISO 26262 contains a normative automotive scheme
for hazard classification based on severity, probability of exposure and controllability.
b) Risk reduction allocated to E/E/PE systems is achieved through safety functions, which are designated as
such. These safety functions are either part of a separate protection system or can be incorporated into
the plant control. It is not always possible to make this distinction in automotive systems. The safety of a
vehicle depends on the behaviour of the control systems themselves.
ISO 26262 uses the concept of safety goals and a safety concept as follows:
 a hazard analysis and risk assessment identifies hazards and hazardous events that need to be
prevented, mitigated or controlled;
 a safety goal is formulated for each hazardous event;
 an Automotive Safety Integrity Level (ASIL) is associated with each safety goal;
 the functional safety concept is a statement of the functionality to achieve the safety goal(s);
 the technical safety concept is a statement of how this functionality is implemented on the system level by
hardware and software; and
 software safety requirements and hardware safety requirements state the specific safety requirements
which will be implemented as part of the software and hardware design.
EXAMPLE
 The airbag system: one of the hazards is unintended deployment.
 An associated safety goal is that the airbag does not deploy unless a crash occurs that requires the deployment.
2 © ISO 2012 – All rights reserved

---------------------- Page: 8 ----------------------
ISO 26262-10:2012(E)
 The functional safety concept can specify a redundant function to detect whether the vehicle is in a collision.
 The technical safety concept can specify the implementation of two independent accelerometers with different axial
orientations and two independent firing circuits. The squib deploys if both are closed.
IEC 61508 is aimed at singular or low volume systems. The system is built and tested, then installed on the
plant, and then safety validation is performed. For mass-market systems such as road vehicles, safety
validation is performed before the release for volume (series) production. Therefore, the order of lifecycle
activities in ISO 26262 is different. Related to this, ISO 26262-7 addresses requirements for production. These
are not covered in IEC 61508.
IEC 61508 does not address specific requirements for managing development across multiple organizations
and supply chains, whereas ISO 26262 addresses explicitly the issue, including the Development Interface
Agreement (DIA) [see ISO 26262-8:2011, Clause 5 (Interfaces within distributed developments)], because
automotive systems are produced by one or more suppliers of the customer, e.g. the vehicle manufacturer,
the supplier of the customer, or the customer.
IEC 61508 does not contain normative requirements for hazard classification. ISO 26262 contains an
automotive scheme for hazard classification. This scheme recognizes that a hazard in an automotive system
does not necessarily lead to an accident. The outcome will depend on whether the persons at risk are actually
exposed to the hazard in the situation in which it occurs, and whether they are able to take steps to control the
outcome of the hazard. An example of this concept applied to a failure which affects the controllability of a
moving vehicle is given in Figure 2.
NOTE This concept is intended only to demonstrate that there is not necessarily a direct correlation between a failure
occurring and the accident. It is not a representation of the hazard analysis and risk assessment process, although the
parameters evaluated in this process are related to the probabilities of the state transitions shown in the figure.

Figure 2 — State machine model of automotive risk
The requirements for hardware development (ISO 26262-5) and software development (ISO 26262-6) are
adapted for the state-of-the-art in the automotive industry. Specifically, ISO 26262-6 contains requirements
concerned with model-based development; IEC 61508 prescribes the application of specific methods. A
detailed rationale for the use of any alternative method has to be provided. For the methods listed in
© ISO 2012 – All rights reserved 3

---------------------- Page: 9 ----------------------
ISO 26262-10:2012(E)
ISO 26262, specific goals are provided. To achieve these goals, the provided methods can be applied, or a
rationale that alternative methods can also achieve the goal is provided.
Safety requirements in ISO 26262 are assigned an ASIL (Automotive Safety Integrity Level) rather than a SIL
(Safety Integrity Level). The main motivation for this is that the SIL in IEC 61508 is stated in probabilistic terms
(see IEC 61508-1:2010, Table 3). IEC 61508 states: "It is accepted that only with respect to the hardware
safety integrity will it be possible to quantify and apply reliability prediction techniques in assessing whether
the target failure measures have been met. Qualitative techniques and judgements have to be made with
respect to the precautions necessary to meet the target failure measures with respect to the systematic safety
integrity." An ASIL is not based on this probabilistic requirement concerning the occurrence of the hazard;
however, there are probabilistic targets associated with compliance to the requirements of an ASIL.
4.2 Item, system, element, component, hardware part and software unit
The terms item, system, element, component, hardware part, and software unit are defined in ISO 26262-1.
Figure 3 shows the relationship of item, system, component, hardware part and software unit. Figure 4 shows
an example of item dissolution. A divisible element can be labelled as a system, a subsystem or a component.
A divisible element that meets the criteria of a system can be labelled as a system or subsystem. The term
subsystem is used when it is important to emphasize that the element is part of a larger system. A component
is a non-system-level, logically and technically separable element. Often the term component is applied to an
element that is only comprised of parts and units, but can also be applied to an element comprised of lower-
level elements from a specific technology area, e.g. electrical/electronic technology (see Figure 4).
EXAMPLE In the case of a microcontroller or ASIC, the following partitioning can be used: the whole microcontroller
is a component, the processing unit (e.g. a CPU) is a part, the registers inside the processing unit (e.g. the CPU register
bank) is a sub-part. In the case of microcontroller (MCU) analyses, a higher level of detail in the partitioning could be
needed; to aid in this purpose, it is possible to partition a part into sub-parts which can be further divided into
basic/elementary sub-parts.
One instance consists of one or more other
instances (e.g. a system may consist of one or more

subsystems)

One instance is realized by another instance
(e.g. a function is realized by one or more systems)

Aggregation: one instance consists of another
instance (e.g. a system consists of a set of

components)
NOTE 1 Depending on the context, the term
“element” can apply to the entities “system”,
“component”, “hardware part” and “software unit” in
this chart according to ISO 26262-1, Clause 1.32.
NOTE 2 The system as it is defined in
ISO 26262-1 is at least a sensor, controller and an
actuator, e.g. at least 3 related elements.
NOTE 3 * means N elements are possible.

Figure 3 — Relationship of item, system, component, hardware part and software unit
4 © ISO 2012 – All rights reserved

---------------------- Page: 10 ----------------------
ISO 26262-10:2012(E)

Figure 4 — Example item dissolution
4.3 Relationship between faults, errors and failures
The terms fault, error and failure are defined in ISO 26262-1. Figure 5 depicts the progression of faults to
errors to failures from three different types of causes: systematic software issues, random hardware issues
and systematic hardware issues. Systematic faults (see ISO 26262-1) are due to design or specifications
issues; software faults and a subset of hardware faults are systematic. Random hardware faults (see
ISO 26262-1) are due to physical processes such as wear-out, physical degradation or environmental stress.
At the component level, each different type of fault can lead to different failures. However, failures at the
component level are faults at the item level. Note that in this example, at the vehicle level, faults from different
causes can lead to the same failure. A subset of failures at the item level will be hazards (see ISO 26262-1) if
additional environmental factors permit the failure to contribute to an accident scenario.
EXAMPLE If unexpected behaviour of the vehicle occurs while the vehicle is starting to cross an intersection, a
crash can occur, e.g. the risk of the hazardous event “vehicle bucking when starting to cross intersection” is assessed for
severity, exposure and controllability ("bucking" refers to making sudden jerky movements).
© ISO 2012 – All rights reserved 5

---------------------- Page: 11 ----------------------
ISO 26262-10:2012(E)

Figure 5 — Example of faults leading to failures
5 Selected topics regarding safety management
5.1 Work product
This subclause describes the term "work product".
A work product is the result of meeting the corresponding requirements of ISO 26262 (see ISO 26262-1).
Therefore, a documented work product can provide evidence of compliance with these safety requirements.
EXAMPLE A requirements specification is a work product that can be documented by means of a requirements
database or a text file. An executable model is a work product that can be represented by modelling language files that
can be executed, e.g. for simulation purposes by using a software tool.
The documentation of a work product [see ISO 26262-8:2011, Clause 10 (Documentation)] serves as a record
of the executed safety activities, safety requirements or of related information. Such documentation is not
restricted to any form or medium.
EXAMPLE The documentation of a work product can be represented by electronic or paper files, by a single
document or a set of documents. It can be combined with the documentation of other work products or with documentation
not directly dedicated to functional safety.
To avoid the duplication of information, cross-references within or between documentation can be used.
5.2 Confirmation measures
5.2.1 General
In ISO 26262, specified work products are evaluated during subsequent activities, either as part of the
confirmation measures or as part of the verification activities. This subclause describes the difference between
verification and confirmation measures.
6 © ISO 2012 – All rights reserved

---------------------- Page: 12 -----------
...