
ISO 26262

Road Vehicles Functional Safety

ISO 26262 is the automotive adaptation of IEC 61508. It defines a complete safety lifecycle for electrical and electronic systems in road vehicles, using ASIL (Automotive Safety Integrity Level) A-D instead of SIL. Mandatory for OEM and Tier-1 suppliers worldwide.

Document structure

ISO 26262-1

Vocabulary

Common definitions used across all parts.

ISO 26262-2

Management of functional safety

Organizational requirements, project management, supplier management, confirmation measures (Safety Audit, Assessment).

ISO 26262-3

Concept phase

Item definition, Hazard Analysis and Risk Assessment (HARA), ASIL determination, Functional Safety Concept.

ISO 26262-4

Product development at the system level

Technical Safety Concept, system-level safety requirements, integration and testing.

ISO 26262-5

Product development at the hardware level

Hardware metrics (SPFM, LFM, PMHF), random hardware failure analysis, ASIL decomposition rules.

ISO 26262-6

Product development at the software level

Software safety lifecycle, MISRA C, AUTOSAR safety, V-model, ASIL-dependent technique selection.

ISO 26262-7

Production, operation, service and decommissioning

Manufacturing, field monitoring, post-production updates (OTA), decommissioning.

ISO 26262-8

Supporting processes

Configuration management, change management, qualification of software tools, qualification of pre-developed software components (SEooC, Safety Element out of Context).

ISO 26262-9

ASIL-oriented and safety-oriented analyses

ASIL decomposition rules, dependent failure analyses, safety analyses (FTA, FMEA).

ISO 26262-10

Guideline on ISO 26262

Informative — clarifies common application questions.

ISO 26262-11

Guidelines on application to semiconductors

Specific to IC manufacturers (Infineon, NXP, Renesas) producing SoCs and MCUs for automotive.

ISO 26262-12

Adaptation for motorcycles

Variant of ISO 26262 for two-wheelers.

Key terms

Automotive Safety Integrity Level (ASIL)
Discrete level QM (no safety relevance), A, B, C, D (highest). Determined by the Hazard Analysis & Risk Assessment (HARA) using three parameters: Severity (S), Exposure (E), Controllability (C).

Hazard Analysis and Risk Assessment (HARA)
The ISO 26262 method for determining the ASIL. For each combination of operational scenario and hazard, rate S0-S3 × E0-E4 × C0-C3; the HARA table (Part 3 Annex) maps the combination to ASIL QM/A/B/C/D.

Item
The ISO 26262 unit of analysis. An 'item' is a system or array of systems that implements a function at the vehicle level (e.g., 'Electric Power Steering', 'ADAS Forward Collision Warning'). The HARA is performed at item level.

Safety Goal
Top-level safety requirement derived from a hazard via the HARA. Example: 'Prevent unintended high acceleration in driving mode' at ASIL D. The functional safety concept refines it into functional safety requirements.

ASIL Decomposition
Rule allowing a high-ASIL requirement to be split among redundant, independent elements: ASIL D = ASIL B(D) + ASIL B(D), or ASIL C(D) + ASIL A(D), or ASIL D(D) + QM(D). The 'D' in parentheses records the ASIL of the original requirement, which the combination must still satisfy. Used to reduce the cost of a single-channel ASIL D design.

Single Point Fault Metric (SPFM)
ISO 26262-5 hardware metric. Fraction of the hardware failure rate that does NOT consist of single point faults (i.e., failures that are either detected by a safety mechanism or not safety-relevant). ASIL D requires SPFM ≥ 99% per Table 8.

Latent Fault Metric (LFM)
ISO 26262-5 hardware metric. Fraction of the multiple point (dual point) faults that are covered by diagnostics or safety mechanisms rather than remaining latent (undetected). ASIL D requires LFM ≥ 90%.

Probabilistic Metric for Hardware Failures (PMHF)
Probability of violating the safety goal per hour due to random hardware failures. ASIL D requires PMHF < 10⁻⁸ /h (i.e., < 10 FIT). Equivalent to PFH in IEC 61508.

Safety Element out of Context (SEooC)
A safety-related component (microcontroller, software stack, sensor module) developed by a supplier WITHOUT knowing the final vehicle integration context. Qualified for an ASIL claim under assumed use cases documented in a Safety Manual. Common for AUTOSAR stacks, MCU peripherals, etc.
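The SPFM, LFM and PMHF definitions above become concrete once a failure-rate breakdown is in hand. The following is an added example (not code from the page or from the standard) that computes the three metrics for a constructed element list and checks them against the ASIL targets; the element names, FIT rates and coverage values are illustrative assumptions, and the PMHF is a deliberately simplified first-order estimate.

```python
# Added example (not from the page or the standard): ISO 26262-5 hardware architectural
# metrics for a constructed element list, checked against the ASIL targets. SPFM and LFM
# follow the Part 5 Annex C formulas; PMHF is a first-order estimate (single-point and
# residual faults only, exposure-time-dependent dual-point terms omitted), so optimistic.
FIT = 1e-9  # 1 FIT = one failure per 1e9 hours
# The page quotes the ASIL D targets (SPFM >= 99 %, LFM >= 90 %, PMHF < 1e-8/h); B and C
# are the corresponding Part 5 targets (SPFM 90 %/97 %, LFM 60 %/80 %, PMHF < 1e-7/h).
TARGETS = {"B": (0.90, 0.60, 1e-7), "C": (0.97, 0.80, 1e-7), "D": (0.99, 0.90, 1e-8)}

def classify(elements):
    """Split each element's FIT rate into Part 5 fault classes. elements: tuples of
    (name, lambda_total, safety_related_fraction, dc_residual, dc_latent), where dc_residual
    covers faults violating the safety goal and dc_latent covers faults of that mechanism."""
    total = spf_rf = mpf_latent = 0.0
    for _name, lam, f_sr, dc_rf, dc_lat in elements:
        sr = lam * f_sr              # failures able to violate the safety goal
        rf = sr * (1 - dc_rf)        # single-point (dc_rf == 0) or residual faults
        mpf = sr * dc_rf             # covered by a mechanism -> multiple-point faults
        latent = mpf * (1 - dc_lat)  # ... of which no diagnostic would reveal the fault
        total += lam
        spf_rf += rf
        mpf_latent += latent
    return total, spf_rf, mpf_latent

def hardware_metrics(elements):
    """Return SPFM and LFM as fractions and the first-order PMHF in /h."""
    total, spf_rf, mpf_latent = classify(elements)
    return {"SPFM": 1 - spf_rf / total,
            "LFM": 1 - mpf_latent / (total - spf_rf),
            "PMHF": spf_rf * FIT}

def check_targets(metrics, asil):
    """Pass/fail per metric against the target triple for the requested ASIL."""
    spfm_t, lfm_t, pmhf_t = TARGETS[asil]
    return {"SPFM": metrics["SPFM"] >= spfm_t,
            "LFM": metrics["LFM"] >= lfm_t,
            "PMHF": metrics["PMHF"] < pmhf_t}

# Constructed element list (illustrative FIT rates and coverages, not from any datasheet).
EPS_ECU = [
    ("MCU lockstep core", 100, 0.5, 0.99, 0.90),
    ("Torque sensor",     100, 1.0, 0.99, 0.95),
    ("Gate driver",       200, 0.2, 0.90, 0.50),  # weakest safety mechanism
]

if __name__ == "__main__":
    m = hardware_metrics(EPS_ECU)
    print(m)                        # SPFM 0.98625, LFM ~0.9293, PMHF 5.5e-09 /h
    print(check_targets(m, "D"))    # SPFM fails ASIL D; LFM and PMHF pass
```

With these constructed values the design passes the ASIL D LFM and PMHF targets but misses SPFM by the 10 % residual of the gate-driver mechanism, which is exactly the kind of gap the metric is meant to surface.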

Notes & guidance

Why ASIL instead of SIL?

The automotive industry adapted IEC 61508 because the original framework didn’t fit driving scenarios well:

Different exposure model. IEC 61508 PFD assumes low-demand mode (a process trip happens rarely, system on standby). A car’s brake-by-wire system is in constant use for hours every day. The metric PMHF (Probabilistic Metric for Hardware Failures) replaces PFD and applies continuously.

Different risk parameters. Process plants assess risk via severity (people/environment), demand frequency, and protection layers. Cars assess via Severity (passenger injury), Exposure (how often the operational situation occurs — daily commute vs once-in-a-lifetime), and Controllability (can the driver react and avoid the hazard?). Different math.

Different industrial structure. Process plants are bespoke: every refinery is unique. Cars are mass-produced: a Tier-1 supplier ships millions of identical ECUs. ISO 26262 incorporates the supplier chain explicitly (DIA — Development Interface Agreement) and the SEooC concept for “qualify once, use many”.

ASIL determination flow (Part 3)

1. Define Item                    e.g. 'Electric Power Steering EPS'
2. Identify hazards               e.g. 'Unintended steering torque'
3. For each scenario × hazard:
   - Severity     S0..S3          S0 no injuries, S3 life-threatening
   - Exposure     E0..E4          E0 never, E4 high probability daily
   - Controllability C0..C3       C0 controllable in general, C3 difficult
4. Lookup ASIL table              S × E × C → QM, A, B, C, or D
5. Set Safety Goal at that ASIL

A frequent hazard (E4) with serious injury (S3) and limited controllability (C3) → ASIL D, the highest. Most vehicle dynamics safety functions (braking, steering, powertrain torque) end up at ASIL C or D.
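The five-step flow above, run as code. This is an added example (not from the page or the standard): the lookup reproduces the S × E × C table of ISO 26262-3, the EPS scenarios and their ratings are constructed for illustration, and the decomposition check encodes the Part 9 scheme quoted under ASIL Decomposition.

```python
# Added example (not from the page or the standard): the ASIL determination flow above,
# run for the page's EPS item, plus a validity check for the ASIL decomposition scheme
# quoted in the key terms. ASIL_TABLE reproduces Table 4 of ISO 26262-3 for S1..S3,
# E1..E4, C1..C3; a rating of S0, E0 or C0 means no ASIL is assigned (QM).
ASIL_ORDER = ["QM", "A", "B", "C", "D"]
ASIL_TABLE = {  # [S][E] -> (C1, C2, C3)
    1: {1: ("QM", "QM", "QM"), 2: ("QM", "QM", "QM"), 3: ("QM", "QM", "A"), 4: ("QM", "A", "B")},
    2: {1: ("QM", "QM", "QM"), 2: ("QM", "QM", "A"), 3: ("QM", "A", "B"), 4: ("A", "B", "C")},
    3: {1: ("QM", "QM", "A"), 2: ("QM", "A", "B"), 3: ("A", "B", "C"), 4: ("B", "C", "D")},
}

def determine_asil(s, e, c):
    """Map a (Severity, Exposure, Controllability) rating to an ASIL via Table 4."""
    if not (0 <= s <= 3 and 0 <= e <= 4 and 0 <= c <= 3):
        raise ValueError(f"rating out of range: S{s} E{e} C{c}")
    if 0 in (s, e, c):
        return "QM"  # no injury, situation never occurs, or controllable in general
    return ASIL_TABLE[s][e][c - 1]

def determine_asil_closed_form(s, e, c):
    """Arithmetic equivalent of Table 4: one ASIL level per step in S, E or C, starting
    at A for S+E+C == 7. Useful as an independent cross-check of a hand-filled HARA sheet."""
    return "QM" if 0 in (s, e, c) else ASIL_ORDER[max(0, s + e + c - 6)]

def hara(scenarios):
    """Rate S x E x C per operational scenario; the safety goal gets the highest ASIL found."""
    rows = [(name, s, e, c, determine_asil(s, e, c)) for name, (s, e, c) in scenarios.items()]
    return rows, max((r[4] for r in rows), key=ASIL_ORDER.index)

def valid_decomposition(target, part_a, part_b):
    """Check a split against the Part 9 scheme quoted above (D = B(D)+B(D), C(D)+A(D), D(D)+QM(D),
    and the analogous rows for C, B, A): the two parts, with QM counted as 0, add up exactly to
    the target level. Independence of the two elements must be shown separately (Part 9 DFA)."""
    levels = [ASIL_ORDER.index(x) for x in (target, part_a, part_b)]
    return levels[1] + levels[2] == levels[0]

# Constructed HARA rows for the page's example item and hazard (illustrative ratings only).
EPS_SCENARIOS = {
    "highway, high speed":   (3, 4, 3),  # S3 E4 C3 -> D
    "urban, moderate speed": (2, 4, 2),  # S2 E4 C2 -> B
    "parking, low speed":    (1, 3, 1),  # S1 E3 C1 -> QM
}

if __name__ == "__main__":
    rows, goal_asil = hara(EPS_SCENARIOS)
    for name, s, e, c, asil in rows:
        print(f"{name:24s} S{s} E{e} C{c} -> {asil}")
    print("Safety goal 'Avoid unintended steering torque' shall be ASIL", goal_asil)  # D
    print(valid_decomposition("D", "B", "B"), valid_decomposition("D", "C", "B"))  # True False
```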

ASIL is not SIL — comparison

Aspect               | ASIL D (highest)                     | SIL 4 (highest IEC 61508)
---------------------+--------------------------------------+--------------------------------------------------------
Driver               | Automotive operational situations    | Generic high-risk industrial
Metric               | PMHF < 10 FIT (continuous)           | PFD < 10⁻⁴ (low demand) or PFH < 10 FIT (high demand)
Hardware metrics     | SPFM ≥ 99%, LFM ≥ 90%                | SFF + HFT per Type A/B tables
Software techniques  | MISRA C, AUTOSAR safety SW           | IEC 61508-3 Tables A.x / B.x
Decomposition        | Yes, explicit (D = B(D)+B(D) etc.)   | Yes, but less prescriptive
Tool qualification   | Yes (Part 8)                         | Yes (Part 3 clause 7.4.4)

Influence on adjacent industries

ISO 26262 became the model for adapting IEC 61508 to other domains:

  • ISO 25119 — Tractors and agricultural / construction machinery (AgPL A-E instead of ASIL)
  • EN 50128/50129/50126 — Railway (THR framework, slightly different metrics)
  • DO-178C / DO-254 — Aerospace software / hardware (DAL A-E instead of ASIL)
  • IEC 61513 — Nuclear instrumentation (defense in depth framework)
  • IEC 62304 — Medical device software (Class A/B/C)

ISO 26262 is also the most certified-engineer-heavy of the functional safety standards. Industry has converged on certifications from TÜV Süd, TÜV Rheinland, and exida as the de facto employability baseline for automotive FS roles (similar to TÜV FS Engineer for IEC 61511).

Where it’s heading (Edition 3)

The ISO/TC 22/SC 32/WG 8 committee is working on Edition 3 with focus areas:

  • SOTIF (ISO 21448) integration — Safety of the Intended Functionality covers performance limitations of perception (cameras, radar). Complementary to 26262 but distinct.
  • AI/ML safety — guidance for ML components in automotive (cf. ISO/PAS 8800)
  • OTA updates — managing the safety implications of remote software updates
  • Cybersecurity coordination with ISO/SAE 21434 (automotive cybersecurity) — clarify the integration points
  • Higher autonomy — adapting concepts to SAE L3+, where the driver can no longer be assumed to act as the fallback controllability layer

Affected industries

  • Passenger cars (cars, SUVs, EVs)
  • Light commercial vehicles
  • Trucks and buses
  • Motorcycles (Part 12)
  • Off-highway adjacent: agricultural and construction (ISO 25119 derivative)
  • Semiconductor / MCU makers serving automotive (Part 11)

References & further reading