What Is ISO 26262?

ISO 26262, "Road vehicles – Functional safety," is an international safety standard created by the International Standards Organization (ISO), providing guidelines for the safe design and development of electrical and/or electronic (E/E) systems in road vehicles. First formalized in 2011, it was revised in 2018.

ISO 26262 is not a formal regulation. Instead, it establishes a state-of-the-art industry-specific, safety-related guidelines that vehicle original equipment manufacturers (OEMs) and their suppliers can follow with confidence when developing electrical and electronic systems in vehicles.

As a whole, the standard promotes trust among key stakeholders in the automotive industry and consumers. It derives from the IEC 61508 standard developed by the International Electrotechnical Commission.

Vehicle electronics have come a long way. From the first transistorized car radios of the 1950s, we have seen the development of electronic ignition systems in the 1960s, engine control units in the 1970s, anti-lock braking systems in the 1980s, infotainment systems in the 1990s, and advanced driver-assistance systems in the 2000s.

Automotive electronics costs as a percentage of total vehicle cost have risen from 5% in 1970 to 35% in 2010, a figure projected to fully reach 50% by 2030. As it stands, there are as many as 3,000 semiconductor chips installed in modern vehicles. This reflects a general migration of system functionalities from mechanic to mechatronic systems, justified by improvements in performance and cost.

For instance, the usage of mechatronic in engine controls, which perform on-the-fly calculations to optimize engine performance, showed vehicle manufacturers what was possible with digital technology.

In fact, digital sensors can monitor various parameters such as throttle position, crankshaft position, mass air flow, temperature, and oxygen concentration in exhausts to markedly improve fuel consumption in vehicles.

This points to the significant improvements in vehicle functionalities achievable with E/E systems, which would be impossible to achieve with mechanical systems alone. Within modern vehicles, mechatronic systems power a range of functionalities, including:

• Power steering
• Advanced driver-assistance systems (ADAS)
• Anti-lock braking 
• Automatic transmissions (incorporating controller chips, speed sensors, and semiconductor power switches to enable sophisticated functionalities such as gear shifting according to terrain)

Therefore, to minimize the risks of E/E system’s hazards, the International Standards Organization formalized a series of comprehensive functional safety objectives and requirements — adapted from Functional Safety Standard IEC 61508 for Automotive Electric/Electronic Systems — to meet the specificities unique to the automotive sector.

Functional Safety Requirements

ISO 26262 safety requirements cover the entire life cycle of a vehicle, including activities related to development, production, operation, service, and decommissioning.

The first edition of ISO 26262 was published in 2011 (ISO 26262:2011), addressing functional safety of E/E systems installed in "series production passenger cars" with a maximum gross weight of 3,500 kg. The revised edition was published in 2018 (ISO 26262:2018) to cover all road vehicles, with the exception of mopeds.

Like IEC 61508, ISO 26262 is a risk-based standard, providing a qualitative assessment of hazards resulting from E/E systems failures.

The aims of ISO 26262 are:

• Functional safety: ISO 26262 outlines functional safety aspects applicable throughout the development process, including requirements specification, design, implementation, integration, verification, validation, and configuration. The standard aims to detect faulty situations and define how to react to them, thereby protecting road users from injuries caused by faults in vehicle electronics and software.
• Automotive safety life cycle: ISO 26262 provides a comprehensive framework covering the entire life cycle of automotive safety, including management, development, production, operation, service, and decommissioning. It supports tailoring activities during these phases to ensure safety is maintained throughout the vehicle's life cycle.
• Risk management: ISO 26262 minimizes the risks associated with the design and development of E/E automotive systems to prevent hazards and potential life-threatening failures. It seeks to achieve an acceptable level of residual risk, ensuring that the systems are as safe as possible. The standard employs a risk-based approach by determining risk classes known as Automotive Safety Integrity Levels (ASILs) that help specify the safety requirements to achieve an acceptable level of residual risk.
• Validation and confirmation: The standard provides requirements for validation and confirmation measures to ensure that a sufficient and acceptable level of safety is achieved. It emphasizes the importance of testing and validating safety mechanisms at both the system and vehicle levels.

The integration of mechanical, electrical, electronic, and software disciplines increases the risks of system failures in vehicles. Consequently, ISO 26262 provides comprehensive guidance on system requirements and processes to mitigate these risks. 

The standard:

• Outlines a comprehensive safety life cycle that includes safety checks at multiple stages, from concept through decommissioning
• Focuses on the functional safety of electrical and electronic (E/E) systems while also addressing the integration of these with other vehicle systems to ensure overall vehicle safety
• Emphasizes that achieving functional safety requires both functional development activities (such as requirements specification, design, and implementation) and quality-oriented activities (such as verification, validation, and confirmation measures)

Following is a breakdown of the 12 sections that make up the ISO 26262 standard:

Part 1: Vocabulary

Part 1 outlines terms, definitions, and abbreviations applied throughout the standard — paying careful attention to the definitions of “fault,” “error,” and “failure.”

Part 2: Management of Functional Safety

Part 2 outlines organizational requirements to be ensured by those performing safety related activities. 

Part 3: Concept Phase

Part 3 describes how hazard analysis and risk assessment (HARA) shall be performed during the early phases of product development for each item (system or subsystem) integrated. It also describes how the identified hazards can be addressed by a functional architecture.  

Part 4: Product Development at the System Level

Part 4 covers technical architectural design, item integration, and testing at the system level. During this stage of development, engineers frequently perform failure tree analysis (FTA) and failure mode and effect analysis (FMEA).

Part 5: Product Development at the Hardware Level

Part 5 addresses hardware design, integration, and verification, including the evaluation of hardware metrics.

Part 6: Product Development at the Software Level

Part 6 addresses software architectural and unit design, implementation, integration, and verification. 

Part 7: Production, Operation, Service, Decommissioning

Part 7 outlines the production process for safety-related systems and items. It also includes details about operating, servicing, and decommissioning these items.

Part 8: Supporting Processes

Part 8 describes the implementation of support processes throughout the safety life cycle. It outlines, for example, change management requirements, documentation management requirements, tool evaluation, and qualification requirements, etc.

Part 9: Automotive Safety Integrity Level (ASIL)-oriented and Safety-oriented Analyses

Part 9 specifies requirements for ASIL decomposition and requirements for safety analyses (including the analysis of dependent failures and the criteria for coexistence of elements).

Part 10: Guidelines on ISO 26262

Part 10 provides additional explanations on various parts of ISO 26262.

Part 11: Guidelines on Applying the Standard to Semiconductors

Part 11 addresses the development, production, and operation of semiconductor components. It describes different semiconductor technologies and use cases and provides guidance on how some safety life cycle activities can be performed.

Part 12: Adaptation of ISO 26262 to Motorcycles

As the section title implies, Part 12 describes the adaptation of ISO 26262 for motorcycles.

Although not mandated by law, ISO 26262 is a vital safety standard that provides assurance around the integration of electrical and electronic systems in vehicles (throughout their life cycles).

It further introduces a reliable methodology for assessing risks through ASILs. Thus, ISO 26262 is a comprehensive standard addressing the full automotive lifecycle, for a range of vehicle types and technologies.

It’s a reliable automotive functional safety standard that:

• Improves design workflows: ISO 26262 addresses the complexities of hardware and software integrations in automotive systems, providing guidance for hardware development and software development.
• Improves vehicle safety: ISO 26262 addresses the entire safety life cycle of automotive electronic and electrical systems, providing a single point of reference for manufacturers, their suppliers, and agencies (including the National Highway Traffic Safety Administration) to ensure robust safety management development, production, and testing procedures.
• Improves trust: By adhering to a recognized set of standards, manufacturers, suppliers, consumers, and other stakeholders in the automotive industry can have confidence in the safety of vehicles and parts.

Following is a high-level overview of the ISO 26262 design and verification process:

1. List items: The term “item” carries a specific meaning within ISO 26262, describing a system (or combination of systems) that performs a function (or part of a function) at the vehicle level. It is, therefore, the highest-level identified object in a process — e.g., the anti-lock braking system (or ABS).
2. Outline top-level functionalities: Outline the functional requirements of each item (including subsystems).
3. Identify possible hazards: Perform a hazard analysis and risk assessment (HARA) for each item, referencing a set of predefined hazardous events — for example, skidding resulting from ABS failure.
4. Assign ASILs: Automotive safety integrity levels — which range from A (least severe) to D (most severe, life threatening) — are based on three factors, namely probability of exposure, controllability, and severity of risks.
5. Identify safety goals: Safety goals are derived from those hazardous events identified in the HARA as top-level safety requirements at vehicle level. Each safety goal carries an ASIL rating and may be linked to one or more hazards.
6. Specify functional safety requirements: Perform safety analysis such as fault tree analysis (FTA) to identify the hazardous event root causes that could lead to the violation of a safety goal; this analysis helps to establish a functional safety concept (FSC). This latter aims to specify the safety measures required to address the effects of relevant faults and allocate functional safety requirements to the system architectural design or external measures.
7. Specify technical safety requirements: Establish the technical safety concept (TSC), which specifies technical safety requirements and designs system architectures that satisfy the functional safety requirements mentioned above. Technical safety requirements are allocated to the system's elements.   
8. Design the product: During product design, engineers develop products in alignment with the technical safety requirements outlined above.
9. Verify and validate: Verification allows safety engineers to verify product designs against safety requirements, while validation enables testing in real-world scenarios.

As outlined in Part 8 of the standard, supporting processes (production, operation, change management, and quality management) throughout the development life cycle play a critical part in fulfilling compliance requirements.

To ensure compliance, manufacturers and their suppliers must check their products and processes according to functional safety guidelines provided within ISO 26262, following procedures termed “confirmation measures.” These measures are grouped into the following three categories:

• A confirmation review: judgment of whether the particular work product is achieving the related ISO 26262 objectives and requirements
• A functional safety audit: judgment of whether the implemented processes are achieving ISO 26262 objectives and requirements
• A functional safety assessment: judgment of whether the ISO 26262 objectives and requirements are achieved. A functional safety assessment shall consider the results of the confirmation reviews and functional safety audit.

ISO 26262 was introduced in response to the growing complexity of electrical and/or electronic systems in road vehicles. Correspondingly, the complexities of designing compliant items have also increased.

In this context, automotive engineers must tackle the following challenges:

• Compliance with all parts of ISO 26262, considering the extensive objectives and requirements provided in each part
• The growing complexity of the systems to be developed (software-defined vehicle architectures, highly automated driving systems, infotainment systems, etc.) 
• Development of generic platforms by OEMs and suppliers designing chips for third-party OEMs without knowledge of the safety requirements surrounding their intended final use. In this case, designers must make assumptions, ensuring they supply complete documentation of these assumptions
• The need to monitor extensive design data, dependencies, intellectual property, and documentation
• The ability to track IP ownership of every tool, system, or item used in the development process. This means engineers must meticulously evaluate, document, and verify IP offerings from each and every supplier.

In light of the challenges outlined above, it becomes evident that ISO 26262 compliance is a near-impossible task without the assistance of specialized software tools.

Considering the cost of vehicle recalls, most OEMs along the automotive supply chain require evidence of ISO 26262 compliance.

Where successful development projects used to typically rely on a patchwork of dedicated tools, Ansys medini® analyze™ software is a model-based, comprehensive tool dedicated to the safety analysis of electrical and electronics road vehicles’ systems, offered in one convenient package.

Ansys medini analyze software offers transparency in automotive safety design, fostering trust and collaboration among key stakeholders in the automotive industry. This enables:

• Model-based safety analysis
• Systems modeling language (SysML) modeling with safety properties
• Functional safety analysis
• Key safety analyses using methods such as failure modes effects and diagnostics analysis (FMEDA), HARA, hazard and operability (HAZOP) studies, failure mode and effects analysis (FMEA), FTA, the “Safety Of the Intended Functionality (SOTIF)” standard, and others
• Safety analysis at system, software, and hardware levels
• Integration with requirements management tools
• End-to-end traceability, workflows, and more

Furthermore, in addition to Ansys medini analyze software, the Ansys SCADE® product collection offers a model-based environment for software development:

• Model-based design editor 
• Automatic generation of safe and secure code
• Testing capabilities
• Test coverage measurement up to MC/DC (modified condition/decision coverage)
• AUTOSAR compliance

If you are interested in streamlining your ISO 26262 process, sign up for a trial of Ansys medini analyze software.

If you want to reduce your software design and verification cost up to 50%, sign up for a free trial of Ansys SCADE software.

Related Resources