Key takeaways:
- ISO 26262 structures engineering and documentation activities to reduce the risk arising from electronic faults to an acceptable level.
- ISO 26262:2018 is an international functional safety standard for electrical and electronic (E/E) systems in road vehicles.
- The standard is an adaptation of IEC 61508, tailored to operating conditions and development processes in the automotive industry.
- It describes the safety lifecycle: from concept and design, through integration and testing, to production, operation, and decommissioning.
- ASIL (A–D) and QM define the stringency of requirements; the level is determined in the HARA based on Severity, Exposure, and Controllability.
- The 2018 edition expanded the scope to most road vehicles (excluding mopeds) and added, among other things, topics related to semiconductors.
Modern vehicles are packed with electronics—from engine control systems and driver-assistance functions to sensors and actuators. Ensuring their reliable operation is critical to safety. The ISO 26262:2018 Road Vehicles – Functional Safety standard is an international benchmark that defines functional safety requirements for electrical and electronic (E/E) systems in road vehicles. It is an automotive-specific adaptation of the general standard IEC 61508 (which addresses functional safety across all industries), tailored specifically to the realities of automotive engineering. The aim of ISO 26262 is to prevent unacceptable risk arising from faulty operation of electronic systems—by defining risk assessment processes and implementing safety measures that reduce risk to an acceptable level. In other words, the standard addresses potential hazards caused by electronic failures in vehicles and explains how to mitigate them.
ISO 26262 was first published in 2011, initially limited in scope to passenger cars with a mass up to 3.5 tonnes. The second edition from 2018 introduced major extensions—covering all road vehicles (trucks, buses, motorcycles, etc., excluding mopeds) and adding new sections addressing, among other things, semiconductor components. As a result, the standard reflects the growing complexity and diversity of electronic systems in modern automotive applications, taking their specific challenges into account.
IEC 61508 as the foundation: It is worth emphasizing that ISO 26262 is derived directly from its parent standard IEC 61508, but has been tightly aligned with the needs of the automotive industry. This means the approach to risk assessment, hazard classification, and the selection of safety measures is tailored to typical vehicle operating conditions. The standard defines, among other things, a dedicated automotive safety lifecycle and introduces domain-specific concepts such as the Automotive Safety Integrity Level described below.
ISO 26262 structures the entire functional safety assurance process into a product lifecycle—from concept through design, integration, and testing, all the way to production, operation, and decommissioning. The standard indicates what activities should be carried out at each of these stages to identify potential hazards and minimize the risk of failures that could create dangerous situations.
ASIL levels – risk classification in ISO 26262
One of the core concepts in ISO 26262 is ASIL (Automotive Safety Integrity Level), i.e., the level of functional safety integrity in automotive applications. ASIL is a scale used to assess the risk associated with a potential failure of a given system—it determines how stringent the safety measures must be to reduce risk to an acceptable level. The standard defines four ASIL levels: A, B, C, D (from lowest to highest) and the QM (Quality Management) category, which indicates that no safety requirements beyond standard quality processes apply.
Determining the ASIL level: The ASIL is established during hazard analysis and risk assessment (HARA, ISO 26262 Part 3). For each hazardous event, three factors are classified: Severity (S0–S3), the seriousness of the potential harm; Exposure (E0–E4), the probability of being in the operational situation in which the hazard can lead to harm (not the frequency of the fault itself); and Controllability (C0–C3), the ability of the driver or other persons involved to avoid the harm. The combination of the three classes is looked up in the standard's ASIL determination table: the worst combination (S3, E4, C3) yields ASIL D; less severe, less frequent, or more controllable combinations yield C, B, or A; and when the residual risk is low enough for normal design practice the hazard is rated QM. A class of S0, E0, or C0 in any dimension likewise means no ASIL is assigned. The class ratings, and hence the ASIL, are engineering judgments that must be justified and recorded in the HARA, because an error there propagates into every downstream safety requirement.
The role of ASIL in risk assessment: Selecting the correct ASIL level is critical because it determines how rigorous the system development process must be. The higher the ASIL, the more stringent the requirements the design has to meet—both in terms of the hardware/software architecture and the processes for development, testing, and validation. The standard clearly requires that higher ASIL levels be supported by more detailed documentation, stricter design rules, more thorough safety analyses, and independent reviews of the work results. In practice, a high ASIL often drives the inclusion of redundancy and diagnostic mechanisms in the design so that a single fault does not lead to the loss of a safety function. For illustration: life-critical systems such as airbags, the ABS system, or electric power steering are typically classified as ASIL D, because their failure poses a serious risk to passengers. Less critical functions, such as rear position lights, may be assigned ASIL A or even treated as QM, because a potential fault does not create significant risk. This approach makes it possible to focus the greatest engineering effort where it is most needed—on systems that directly affect people’s safety.
Structure of ISO 26262:2018 – Parts 1–10
ISO 26262 (2018 edition) is divided into a series of parts, each focusing on a different aspect of the safety lifecycle. The core of the standard consists of nine normative parts (1–9) plus an additional guidance part (Part 10). The second edition also introduced Parts 11 and 12 covering specific topics (semiconductors and motorcycles, respectively); however, the discussion below focuses on the foundational Parts 1–10, which have universal applicability. The table below presents the individual parts of ISO 26262:2018 along with their titles and subject scope:
| Part | Title (official English title in parentheses) | Scope and topics |
|---|---|---|
| 1 | Terminology (Vocabulary) | Definitions of the basic terms, concepts, and abbreviations used across all parts of the standard. It provides the foundation for a shared language (e.g., it clarifies concepts such as fault, error, failure, hazard, etc.). |
| 2 | Safety management (Management of Functional Safety) | Requirements for managing functional safety within an organization and within projects. It specifies activities at the organizational level (e.g., safety policy, competence) as well as the safety management process across the project lifecycle (planning, oversight, compliance assessment). |
| 3 | Concept phase (Concept Phase) | The earliest stage of the product lifecycle. It includes defining the item (item definition), hazard analysis and risk assessment (HARA), and establishing the vehicle’s functional safety concept. At this stage, safety goals are created for the identified hazards. |
| 4 | Development at the system level (Product Development at the System Level) | Requirements for system design with safety in mind. This part describes creating a system architecture that meets the safety goals, allocating safety requirements to individual elements, and system-level integration and testing. It also covers safety validation at the vehicle level. |
| 5 | Development at the hardware level (Product Development at the Hardware Level) | Requirements for hardware (electronic) design from a safety perspective. It includes principles for defining the hardware architecture, specifying safety requirements for HW components, evaluating the architecture against random hardware failures (the single-point fault metric SPFM, the latent fault metric LFM, and the probabilistic metric for random hardware failures PMHF), and verifying the hardware against those requirements. |
| 6 | Development at the software level (Product Development at the Software Level) | Requirements for developing safe embedded software. It covers designing a software architecture aligned with the safety goals, implementing code in accordance with standards (e.g., MISRA guidelines), unit and integration testing, and verifying the software for compliance with safety requirements. |
| 7 | Production, operation, service and decommissioning (Production, Operation, Service and Decommissioning) | Requirements for the production and operational stages of the product. They address, among other things, ensuring that the production process maintains the intended safety level (quality control, end-of-line testing), as well as activities during vehicle use (service procedures, collecting failure information) and the safe decommissioning of the vehicle. |
| 8 | Supporting processes (Supporting Processes) | A set of general processes that support safety across all lifecycle stages. These include, among others: configuration and change management, qualification of software tools (with rigor scaled to the confidence required of the tool), qualification of software and hardware components, the proven-in-use argument for elements with a documented field history, maintaining consistent project documentation, managing supplier relationships in the context of safety (the development interface agreement), and the general requirements for verification activities. |
| 9 | ASIL-oriented and safety-oriented analyses (Automotive Safety Integrity Level (ASIL)-Oriented and Safety-Oriented Analyses) | Analysis methods related to ASIL and to safety. This part includes, among other things, the rules for ASIL decomposition (splitting a safety requirement across sufficiently independent elements that individually carry a lower ASIL while the original ASIL is retained for the combination), criteria for the coexistence of elements with different ASILs within one system (freedom from interference), analysis of dependent failures, including common-cause and cascading failures (Dependent Failure Analysis, DFA), and the use of safety analysis techniques such as FMEA and FTA to meet ISO 26262 requirements. |
| 10 | Guidance on ISO 26262 (Guidelines on ISO 26262) | An informative part providing guidance to support interpretation of the other parts of the standard. It explains ISO 26262 concepts and principles through examples, helping to correctly understand the intent of the requirements. (However, if there is any discrepancy between the content of this part and the requirements of Parts 1–9, the requirements in the normative parts shall be applied.) |
(Note: The 2018 edition also added Part 11, Guidelines on application of ISO 26262 to semiconductors, and Part 12, Adaptation of ISO 26262 for motorcycles. Part 11 is an informative guideline; Part 12 contains requirements that adapt the other parts to motorcycles. Together they extend the standard's coverage to these two areas.)
As you can see, the structure of ISO 26262:2018 mirrors the individual stages and aspects of the safe-system design process. Parts 3–7 guide engineers through successive phases—from defining the concept and safety requirements, through system design and implementation at the hardware and software levels, all the way to production and product operation. Part 2 ensures that this entire process is carried out under appropriate safety management at both the company and project levels. Part 8, in turn, provides organizational and technical measures (such as configuration management or tool qualification) that support the implementation of safety requirements at every step. Part 9 provides analysis methodologies, ensuring that at no stage do we overlook factors affecting risk (ASIL) and that we identify potential common-cause or latent failures. Taken together, all these elements form a comprehensive functional safety assurance system.
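To make the two ASIL mechanisms concrete, here is an added Python example written for this page (it is not code from the standard, from any tool vendor, or from the page's author): it encodes the S/E/C-to-ASIL mapping of ISO 26262-3 Table 4, runs it over a small hazard list, and checks proposed ASIL decompositions against the Part 9 rules. The hazard rows and their S/E/C ratings are constructed for illustration and are not taken from a real HARA; the S+E+C arithmetic is a compact way of reproducing the table, not the form in which the standard states it.

```python
"""ASIL determination (ISO 26262-3 HARA) and ASIL decomposition (ISO 26262-9).

Added worked example for this page; not code from the standard or any tool.
The hazard rows at the bottom are constructed for illustration only.
"""
from enum import IntEnum
from itertools import combinations_with_replacement
from typing import NamedTuple


class ASIL(IntEnum):
    """Ordered so that rank arithmetic reproduces the standard's tables."""
    QM = 0
    A = 1
    B = 2
    C = 3
    D = 4


def classify(severity: int, exposure: int, controllability: int) -> ASIL:
    """Map HARA classes S0..S3, E0..E4, C0..C3 to an ASIL.

    ISO 26262-3:2018 Table 4 is regular enough to express arithmetically:
    for S1..S3, E1..E4, C1..C3 the sum S+E+C gives 10 -> D, 9 -> C, 8 -> B,
    7 -> A and anything lower -> QM. A class of 0 in any dimension (no
    injuries, incredible exposure, controllable in general) means no ASIL.
    """
    if not (0 <= severity <= 3 and 0 <= exposure <= 4 and 0 <= controllability <= 3):
        raise ValueError("S must be 0..3, E 0..4, C 0..3")
    if 0 in (severity, exposure, controllability):
        return ASIL.QM
    rank = severity + exposure + controllability - 6   # 7 -> 1 (A), 10 -> 4 (D)
    return ASIL(max(rank, 0))


class Hazard(NamedTuple):
    hazard_id: str
    description: str
    s: int
    e: int
    c: int


def classify_hara(hazards: list[Hazard]) -> dict[str, ASIL]:
    """Assign an ASIL (or QM) to every hazardous event in a HARA table."""
    return {h.hazard_id: classify(h.s, h.e, h.c) for h in hazards}


def decompositions(asil: ASIL) -> set[tuple[ASIL, ASIL]]:
    """Allowed ASIL decompositions of `asil` into two independent elements.

    Reproduces the ISO 26262-9 clause 5 schemes, e.g. D -> C(D)+A(D),
    B(D)+B(D) or D(D)+QM(D): the ranks of the two parts add up to the
    original rank. Each part keeps the original ASIL "in parentheses",
    i.e. confirmation measures and the independence argument stay at that level.
    """
    if asil == ASIL.QM:
        return set()          # QM carries no safety requirement to split
    return {(a, b) for a, b in combinations_with_replacement(ASIL, 2) if a + b == asil}


def is_valid_decomposition(original: ASIL, part1: ASIL, part2: ASIL) -> bool:
    """Level check only: independence of the two elements must be shown by a
    dependent failure analysis (DFA); this function cannot judge that."""
    return tuple(sorted((part1, part2))) in decompositions(original)


# Constructed hazard list (illustrative ratings, not from a real HARA).
SAMPLE_HARA = [
    Hazard("H-01", "Unintended full braking at highway speed", s=3, e=4, c=3),
    Hazard("H-02", "Loss of rear position lights at night", s=1, e=3, c=3),
    Hazard("H-03", "Infotainment display freezes (no safety function)", s=0, e=4, c=3),
    Hazard("H-04", "Delayed airbag deployment in a crash", s=3, e=2, c=3),
]

if __name__ == "__main__":
    for hid, asil in classify_hara(SAMPLE_HARA).items():
        print(f"{hid}: {asil.name}")
    for orig in (ASIL.D, ASIL.C, ASIL.B, ASIL.A):
        pairs = ", ".join(f"{a.name}({orig.name})+{b.name}({orig.name})"
                          for a, b in sorted(decompositions(orig)))
        print(f"{orig.name} -> {pairs}")
```

The decomposition check deliberately answers only the arithmetic question. Whether two elements are actually independent, so that a single root cause cannot defeat both, is established by the dependent failure analysis of Part 9, and a decomposition that passes this check but fails the DFA is not a valid decomposition.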
ISO 26262:2018 structures the entire functional safety lifecycle in automotive—from the concept phase, through detailed design and verification, to series production, maintenance, and product decommissioning. As a result, it provides a coherent framework for manufacturers and suppliers: starting with risk analysis and the definition of safety requirements, through implementing those requirements in the designed systems and software, and ending with final testing and in-field product monitoring. Applying this standard ensures that no safety aspect is overlooked—from the highest level of project management down to the smallest technical detail. The result is vehicles equipped with advanced systems that still meet stringent safety criteria, minimizing risk to users.
We understand what ISO 26262-compliant design looks like—from risk analysis through final testing. With our knowledge and experience, we help implement the standard’s requirements at every stage of the project, so functional safety is not an add-on, but an integral feature of your product.
ISO 26262 – automotive functional safety
ISO 26262:2018 Road Vehicles – Functional Safety is an international standard that specifies functional safety requirements for electrical and electronic (E/E) systems in road vehicles. Its objective is to prevent unacceptable risk arising from malfunctioning electronics through risk assessment processes and the selection of safety measures.
ISO 26262 is derived directly from IEC 61508, but it is tailored to the realities of the automotive industry. It covers a risk assessment methodology and a dedicated safety lifecycle appropriate to typical vehicle operating conditions.
ASIL (Automotive Safety Integrity Level) is a safety integrity level that defines the rigor of the safety measures required for a given function. The standard defines ASIL A, B, C, and D, as well as the QM category where standard quality processes are sufficient.
ASIL is determined in the HARA (Hazard Analysis and Risk Assessment) from three factors: Severity of the potential harm, Exposure to the operational situation in which the hazard can occur, and Controllability of the situation by the driver or others involved. The combination of these three classes yields the risk classification and with it the required ASIL, or QM.
The second edition expanded the scope from passenger cars up to 3.5 t to all road vehicles (excluding mopeds). New sections were also added, including those on semiconductor components.