The practical guide to ISO 26262

Lukasz Stachowiak

Functional Safety Engineer


Applying the appropriate standards, rules and best practices is essential for any experienced manufacturer or supplier on the market, and the automotive industry is no exception. This large and safety-critical branch of industry cannot work effectively without the unification and process support that standards provide. Nowadays this is obvious, but it was not always so.

Currently, a few key organisations provide international industry standards, among them the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). ISO standards are developed by groups of experts from all over the world, organised into technical committees. These experts negotiate every aspect of a standard, including its scope, key definitions and content. These non-governmental institutions work in almost every area of human life; since ISO began operating in 1947, it alone has published about 20 000 standards.

What is ISO 26262

“Road vehicles – Functional Safety” is the official title of the ISO 26262 standard. It is the international standard for the functional safety of electrical and electronic (E/E) systems in series production road vehicles. Its basics were derived from IEC 61508, which is widely regarded as the generic, cross-industry functional safety standard. IEC 61508 can be applied in various industries and relates to any electrical or electronic system. From that point of view, ISO 26262 is an adaptation of IEC 61508 to automotive needs.

ISO 26262 covers the whole product safety lifecycle, including management, development, production and service. During development, functional safety covers every safety-related aspect of the product at a very detailed level, with activities such as requirements specification, design, implementation, integration, verification, validation, configuration, production, service, operation and decommissioning. The standard also describes a framework for functional safety that supports the development of safety-related systems.

The goal is to achieve an acceptable residual risk. The Hazard Analysis and Risk Assessment (HARA) of the E/E system yields its Safety Goals, and each Safety Goal is assigned an Automotive Safety Integrity Level (ASIL). The ASIL ranges from A (lowest) to D (highest) and is determined by the severity, exposure and controllability of the hazard; a classification of QM (quality management) means that normal quality processes are sufficient. Any ASIL from A to D means the system carries risk that is not acceptable without specific functional safety (FuSa) measures, and the ASIL scales how rigorous those measures must be, so the activities of the standard are tailored to each particular application.

The history of ISO 26262

The origins of safety design date back to the 1960s, when product failure rate, reliability, dependability and availability were already being considered, but there was still a long way to go before the first functional safety standard for the automotive environment was created. That does not mean there were no safety features in cars before then. Besides mechanical improvements such as seat belts, fitted in series cars since the late 1950s, electrical and electronic features were also added long before ISO 26262 appeared. For example, the anti-lock braking system (ABS), now mandatory in the EU, appeared in the late 1960s, and electronic stability control (ESC) was introduced to the market in the mid-1990s.

The first draft of ISO 26262 appeared in 2008 and the official release followed in 2011. That edition comprised ten parts and was limited to E/E systems in series production passenger cars with a maximum gross vehicle mass of 3500 kg. The second and latest edition, ISO 26262:2018, removed the weight restriction so that the standard now covers series production road vehicles in general (mopeds excepted), and two new parts were added: one on semiconductors and one on the adaptation of the standard to motorcycles.

Why is ISO 26262 important

Although ISO 26262 is taken very seriously by mature manufacturers, it is not legally mandatory. Its widespread adoption therefore shows that the industry regards it as essential, and that is only half of the story: OEMs know that compliance is expected of them and insist that their own suppliers adhere to it too. Following the rules and best practice defined by ISO 26262 makes development and production more effective and structured. Quality assurance alone still leaves gaps in the safety of a product's design and production, and ISO 26262 is the answer to those gaps. It adds effort and restrictions to the workflow, but in return you get well organised processes in which weak points are identified and addressed. This leads to a safe, high quality product.

12 parts of ISO 26262 and how they help manufacturers comply with Functional Safety

As mentioned before, ISO 26262 contains twelve separate parts. Each of them addresses a different part of the product lifecycle. Ten parts are normative and the remaining two are guidelines. Together the parts form one whole, and it is common for one part to refer to another.

Part 1: Vocabulary

The title speaks for itself. The role of the first part is to specify the vocabulary, definitions and abbreviations. It is crucial to be on the same page and, in terms of definitions, to understand each other. A good example is the explanation of these three words, which are often used interchangeably in everyday speech but have distinct meanings in the standard:

Fault - Abnormal condition that can cause an element or an item to fail.

Error - Discrepancy between a computed, observed or measured value or condition, and the true, specified or theoretically correct value or condition.

Failure - Termination of an intended behaviour of an element or an item due to a fault manifestation.

The three form a chain: a fault (for example a stuck bit in a register) may produce an error (a wrong computed value), and an error that is not detected or handled may lead to a failure (the element no longer delivers its intended behaviour).

Part 2: Management of functional safety

This section describes the appropriate functional safety management methodology for automotive applications, including overall safety management and project-specific information related to management activities during the safety lifecycle’s various phases.

Part 3: Concept phase

The third part applies during the early phase of product development. It starts with the item definition, on which a Hazard Analysis and Risk Assessment (HARA) is performed; from this point onwards the project's Safety Goals, each with its ASIL, are defined. The functional safety concept is then derived from the Safety Goals, and the resulting Functional Safety Requirements are handed over to the system team for the next part.

Part 4: Product development at the system level

This part covers development at the system level. At this stage the technical safety requirements are specified and the technical safety concept, the system architectural design, item integration and testing, and safety validation are carried out.

Part 5: Product development at the hardware level

Part five defines the requirements for product development at the hardware level. It includes hardware design, the evaluation of the hardware architectural metrics (the single-point fault metric and the latent-fault metric), and the evaluation of safety goal violations due to random hardware failures.
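As an added example (not from the original article, and not the standard's own reference calculation), the following Python snippet computes the two hardware architectural metrics Part 5 asks for, the single-point fault metric (SPFM) and the latent-fault metric (LFM), from a small constructed FMEDA-style table and checks them against the Part 5 target values for ASIL B, C and D. The element names, failure rates and diagnostic coverages are invented for illustration, and the simplified split of each element's failure rate into "can violate the safety goal directly", "multiple-point fault" and "safe" fractions is an assumption of the example rather than a full FMEDA failure-mode classification.

```python
"""Single-point fault metric (SPFM) and latent-fault metric (LFM).

Added example, not from the article or from the standard's text.  The
formulas follow the definitions in ISO 26262-5:
  SPFM = 1 - sum(lambda_SPF + lambda_RF) / sum(lambda)
  LFM  = 1 - sum(lambda_MPF_latent) / sum(lambda - lambda_SPF - lambda_RF)
Failure rates are in FIT (failures per 1e9 operating hours).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class HwElement:
    name: str
    fit: float              # total failure rate of the element, in FIT
    direct_fraction: float  # share of failures that can violate the safety goal directly
    direct_dc: float        # diagnostic coverage of those failures (0..1)
    latent_fraction: float  # share of failures that are multiple-point faults
    latent_dc: float        # coverage of those faults by latent-fault tests (0..1)
    # The remaining share (1 - direct_fraction - latent_fraction) is treated as
    # safe faults; this three-way split is a simplification of the example.

    def __post_init__(self):
        for v in (self.direct_fraction, self.direct_dc,
                  self.latent_fraction, self.latent_dc):
            if not 0.0 <= v <= 1.0:
                raise ValueError(f"{self.name}: fractions must be within 0..1")
        if self.direct_fraction + self.latent_fraction > 1.0:
            raise ValueError(f"{self.name}: direct + latent fraction exceeds 1")
        if self.fit < 0:
            raise ValueError(f"{self.name}: negative failure rate")


# ISO 26262-5 target values; ASIL A has no quantitative target for these metrics.
SPFM_TARGET = {"B": 0.90, "C": 0.97, "D": 0.99}
LFM_TARGET = {"B": 0.60, "C": 0.80, "D": 0.90}


def spf_rf_fit(e: HwElement) -> float:
    """Single-point plus residual fault rate: direct failures the diagnostics miss."""
    return e.fit * e.direct_fraction * (1.0 - e.direct_dc)


def latent_fit(e: HwElement) -> float:
    """Latent multiple-point fault rate: multiple-point faults no test reveals."""
    return e.fit * e.latent_fraction * (1.0 - e.latent_dc)


def hardware_metrics(elements):
    """Return SPFM, LFM and the summed residual / latent rates for a design."""
    if not elements:
        raise ValueError("no safety-related hardware elements")
    total = sum(e.fit for e in elements)
    spf_rf = sum(spf_rf_fit(e) for e in elements)
    latent = sum(latent_fit(e) for e in elements)
    return {
        "spfm": 1.0 - spf_rf / total,
        "lfm": 1.0 - latent / (total - spf_rf),
        "spf_rf_fit": spf_rf,
        "latent_fit": latent,
    }


def meets_targets(metrics, asil: str) -> bool:
    """True if both metrics reach the Part 5 target for the given ASIL."""
    if asil not in SPFM_TARGET:       # QM or ASIL A: nothing quantitative to meet
        return True
    return (metrics["spfm"] >= SPFM_TARGET[asil]
            and metrics["lfm"] >= LFM_TARGET[asil])


# Constructed FMEDA-style input (invented numbers, not real component data).
SAMPLE_FMEDA = [
    HwElement("MCU core", fit=100.0, direct_fraction=0.5, direct_dc=0.99,
              latent_fraction=0.4, latent_dc=0.9),
    HwElement("SRAM", fit=50.0, direct_fraction=0.6, direct_dc=0.99,
              latent_fraction=0.3, latent_dc=0.9),
    HwElement("Supply monitor", fit=20.0, direct_fraction=0.3, direct_dc=0.90,
              latent_fraction=0.2, latent_dc=0.5),
]

# The same design with the MCU core's diagnostic coverage dropped to 90 %.
WEAK_FMEDA = [
    HwElement("MCU core", fit=100.0, direct_fraction=0.5, direct_dc=0.90,
              latent_fraction=0.4, latent_dc=0.9),
    SAMPLE_FMEDA[1],
    SAMPLE_FMEDA[2],
]


if __name__ == "__main__":
    for label, fmeda in (("baseline", SAMPLE_FMEDA), ("weak coverage", WEAK_FMEDA)):
        m = hardware_metrics(fmeda)
        print(f"{label}: SPFM={m['spfm']:.4f} LFM={m['lfm']:.4f} "
              f"residual={m['spf_rf_fit']:.2f} FIT latent={m['latent_fit']:.2f} FIT")
        for asil in "BCD":
            print(f"  ASIL {asil}: {'PASS' if meets_targets(m, asil) else 'FAIL'}")
```

Running the block shows the point of the metrics: the baseline design reaches SPFM above 99 % and LFM above 95 %, so it meets the ASIL D targets, while reducing the MCU core's coverage from 99 % to 90 % drops the SPFM to roughly 96.5 %, which still passes ASIL B but fails ASIL C and D even though the latent-fault metric is unchanged. In a real FMEDA each failure mode of each element is classified individually and the diagnostic coverage values must be justified, for instance with the coverage claims of ISO 26262-5 Annex D.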

Part 6: Product development at the software level

This part addresses product development at the software level: the specification of software safety requirements, software architectural design, software unit design and implementation, software unit verification, software integration and verification, and testing of the embedded software. At this stage qualitative analyses such as Fault Tree Analysis (FTA) and Failure Mode and Effects Analysis (FMEA) are often used.

Part 7: Production, operation, service and decommissioning

The objective of this part is to develop and maintain a production process for safety-related elements or items that are intended to be installed in road vehicles, and to specify the information on operation, service and decommissioning that must be provided to the users who interact with safety-related items.

Part 8: Supporting processes

The goal of this part is to integrate the whole process and support the safety lifecycle; it is active throughout all phases. Among other things, Part 8 describes how to manage interfaces within distributed developments (the development interface agreement between OEM and supplier), how to carry out verification, how to perform tool qualification, how to qualify software components and hardware elements, and how to build proven-in-use arguments.

Part 9: Automotive Safety Integrity Level (ASIL)-oriented and safety-oriented analyses

In specifying Automotive Safety Integrity Level (ASIL)-oriented and safety-oriented analyses, this part covers decomposition with respect to ASIL tailoring, criteria for coexistence of elements, analysis of dependent failures, and safety analyses.

Part 10: Guidelines on ISO 26262

This is one of the two informative parts of ISO 26262. It provides an overview and adds explanatory material; its objective is to improve the understanding of the other parts and of the general concepts of ISO 26262.

Part 11: Guidelines on applying the standard to semiconductors

Part 11 was added in the second edition of the standard. It provides detailed guidance for semiconductor manufacturers and providers of silicon intellectual property (IP), and addresses how IP suppliers and integrators should work together.

Part 12: Adaptation of ISO 26262 to motorcycles

The objective of this part is to give an overview of the adaptation of the ISO 26262 series of standards to motorcycles. It covers general topics for the adaptation to motorcycles, safety culture, confirmation measures, hazard analysis and risk assessment, vehicle integration and testing, and safety validation.

Criticism of ISO 26262 (mentioning SOTIF)

Despite the significant improvements to the coverage of E/E systems in the second edition of ISO 26262, there are still gaps in the functional safety field. ISO 26262 only addresses hazards caused by malfunctioning E/E systems; areas where it falls short are, for example, reasonably foreseeable misuse and automated driving, where the vehicle can behave hazardously without any component failing. The answer is ISO/PAS 21448, Safety of the Intended Functionality (SOTIF), which has since been published as the full standard ISO 21448. There was originally a plan to include it in ISO 26262 as a fourteenth part, but it was released as a separate document.

The purpose of SOTIF is to start addressing those aspects of automated driving where safety is violated not by a failure of the E/E system but by the behaviour of the vehicle in situations that its specification did not foresee. SOTIF takes a more holistic view of how the product is used: bright light, dust, smoke and snowstorms all degrade the sensor data, and the "brain" of the car processes that data and makes its decisions on the basis of probabilities.

ISO 26262 Tool Qualification

Tool qualification, described in Part 8, is one of the activities deemed essential for compliance with ISO 26262. Its purpose is to ensure that every software tool used in the project is reliable enough for its role, or that its possible malfunctions are known and any error they introduce would be detected or handled. For each tool the standard asks for a tool impact (TI) analysis, which asks whether a malfunction of the tool could introduce an error into the safety-related product or fail to detect one, and a tool error detection (TD) assessment, which asks how likely such a malfunction is to be prevented or detected; together these determine the tool confidence level (TCL) and thus how much qualification evidence is required. All tools must be considered, even those only indirectly involved in development, such as compilers, build scripts and test frameworks.

Over to you

Because the technology keeps developing, the standard requires periodic updates and improvements. Nevertheless, the current edition of ISO 26262 provides the most up-to-date consolidation of the knowledge gathered from specialists across the global automotive industry. Following it is today the best option when developing high quality automotive safety products, and many OEMs require compliance with it.