International Standard

ISO 26262

Functional Safety for Road Vehicles

A comprehensive guide to the standard that defines how automotive electrical and electronic systems must be engineered for safety — from concept through decommissioning.

Second Edition (2018) 12 Parts ASIL A–D Globally Adopted

What is ISO 26262?

ISO 26262 is the international standard governing functional safety of electrical and electronic (E/E) systems in road vehicles. It was derived from IEC 61508 — the generic functional safety standard — but reshaped specifically for the automotive domain, where the consequences of failure are measured in human lives.

The standard addresses hazards caused by the malfunctioning behaviour of safety-related E/E systems — covering systematic faults (design errors) and random hardware failures. It does not cover hazards arising from cybersecurity attacks (that is the domain of ISO/SAE 21434).

Key focus: ensuring that safety goals are identified and that risks from systematic and random hardware failures are managed throughout the vehicle’s entire lifecycle — from concept to decommissioning.

What does ISO 26262 cover?

All activities during the safety lifecycle of safety-related systems developed in series production
The full vehicle lifecycle: concept, development, production, operation, service, and decommissioning
E/E systems in passenger cars (M1), trucks, buses (M2/M3, N categories), and — since 2018 — motorcycles
Hardware, software, and system-level development activities for safety-relevant items
Processes, methods, and work products required to demonstrate compliance

History & Evolution

IEC 61508 (published 1998) was the foundational industrial safety standard but was too generic for automotive use — it did not account for the V-model development process, automotive supply chains, or the specific failure modes of vehicle E/E systems. The automotive industry began work on a dedicated standard in 2005.

2005

Work begins

2008

FDIS Draft

2011

1st Edition

2016

Revision starts

2018

2nd Edition

The second edition (2018) made significant additions: Part 12 (motorcycles), Part 11 (semiconductors), and clearer guidance on ASIL decomposition and tool qualification. It is the currently active version used for all new automotive development programmes.

Standard Structure: 12 Parts

ISO 26262 is divided into 12 parts, each addressing a distinct aspect of the safety lifecycle or a specific product category.

PART 1

Vocabulary

PART 2

Management of Functional Safety

PART 3

Concept Phase

PART 4

Product Development – System Level

PART 5

Product Development – Hardware

PART 6

Product Development – Software

PART 7

Production, Operation & Decommissioning

PART 8

Supporting Processes

PART 9

ASIL-Oriented & Safety-Oriented Analyses

PART 10

Guidelines & Examples

PART 11

Semiconductors

PART 12

Motorcycles

ASIL — Automotive Safety Integrity Level

ASIL is the key classification system in ISO 26262. It defines the rigour of safety measures required for a given system or component, ranging from QM (no safety requirement) to ASIL D (highest integrity, life-critical systems).

Quality Management — No safety requirement

No specific safety measures mandated. Standard quality processes apply.

ASIL A

Lowest integrity level

Minor hazards, low exposure probability. Lightest set of technical requirements.

ASIL B

Moderate integrity

Significant exposure or probability. Requires formal methods and independent review at higher levels.

ASIL C

High integrity

Major hazards, substantial controllability difficulty. Stringent process and independence requirements.

ASIL D

Highest integrity — life-threatening, uncontrolled

Maximum rigour: formal methods, MC/DC code coverage, full independence between developer and tester, third-party assessment.

Key formula:

ASIL = f(Severity × Exposure × Controllability) — higher values in any parameter increase the required ASIL level.

How ASIL is Determined

ASIL classification is determined by combining three independent parameters assessed during HARA:

Severity (S)

S0 — No injuries
S1 — Light injuries
S2 — Severe injuries
S3 — Life-threatening / fatal

Exposure (E)

E0 — Incredible
E1 — Very low probability
E2 — Low probability
E3 — Medium probability
E4 — High probability

Controllability (C)

C0 — Controllable in general
C1 — Simply controllable
C2 — Normally controllable
C3 — Difficult / uncontrollable

Safety Lifecycle Overview

The ISO 26262 safety lifecycle follows a V-model structure — matching each development phase on the left with a corresponding verification/validation phase on the right. The lifecycle is iterative: work products feed forward and back between phases.

Concept
Phase

System
Design

Hardware
Design

Software
Design

System
Validation

HW/SW
Integration

SW
Integration

The lifecycle is iterative — work products feed forward and back between phases
Confirmation measures (reviews, audits, assessments) run throughout all phases
Each phase generates defined work products that serve as evidence of compliance

Hazard Analysis & Risk Assessment (HARA)

HARA is the cornerstone of the ISO 26262 concept phase (Part 3). It is the systematic process of identifying hazards, evaluating their risk using S/E/C parameters, and deriving safety goals — the foundation on which the entire safety architecture is built.

Identifies hazards caused by malfunctioning behaviour of the item under analysis
Evaluates each hazard using Severity, Exposure, and Controllability parameters
Results in Safety Goals — high-level safety requirements for the item
Safety Goals must be assigned an ASIL and are expressed in functional (not technical) terms
Must consider the operational situation and foreseeable misuse scenarios
Provides the foundation for the Functional Safety Concept and all downstream activities

Output flow: Item definition → Hazard list → ASIL classification → Safety Goals → Functional Safety Concept

Functional Safety Concept

The Functional Safety Concept (FSC) translates Safety Goals into Functional Safety Requirements (FSRs) and allocates them to the architectural elements of the item — systems, subsystems, and interfaces.

Derives Functional Safety Requirements (FSRs) from each Safety Goal
Allocates FSRs to architectural elements (systems, subsystems, interfaces)
Specifies safe states for each hazardous event (e.g. controlled shutdown, limp-home mode)
Defines fault-tolerant time intervals — the maximum time to reach a safe state after a fault
Considers driver warning strategies and human-machine interaction requirements
Takes into account external measures (e.g. infrastructure, regulations)
Serves as the technical contract between the item integrator and suppliers

Hardware Development — Part 5

Requirements & Architecture

Hardware Safety Requirements (HSRs) derived from Technical Safety Concept
Hardware architecture design meeting HSRs and ASIL targets
Evaluation of hardware architectural metrics: SPFM and LFM
Probabilistic Metric for Hardware Failures (PMHF) for random faults

Metrics & Analysis

SPFM — Single-Point Fault Metric (target: ASIL D ≥ 99%)
LFM — Latent Fault Metric (target: ASIL D ≥ 90%)
PMHF target: < 10 FIT for ASIL D
Key tools: FMEA, FTA, FMEDA, Hardware reliability analysis

Software Development — Part 6

Software Safety Requirements (SWRs) derived from the Technical Safety Concept
Defines software architectural design, unit design, and implementation requirements
Mandates modelling and coding guidelines — MISRA-C is widely used for ASIL C/D
Static analysis, code coverage (MC/DC for ASIL D), and formal verification methods required
Software unit testing, integration testing, and qualification testing required at each level
Independence between developer and tester increases with ASIL level
Freedom from interference must be demonstrated for components with different ASIL ratings

ASIL D software — the most stringent level — requires formal methods, MC/DC code coverage, complete independence between developer and tester, and a third-party functional safety assessment.

Functional Safety Management — Part 2

Safety Plan

Documents all safety activities, milestones, responsibilities, and resources for the project

Safety Case

Evidence-based argument that the item satisfies its safety goals — a living document

Competence Mgmt

Qualifications, training, and experience requirements for all safety-relevant roles

Supplier Mgmt / DIA

Development Interface Agreement defines responsibilities between OEM and Tier-1 suppliers

ASIL Decomposition

ASIL decomposition allows a single high-ASIL requirement to be split into two lower-ASIL requirements allocated to independent elements. Redundancy via independent channels can achieve the equivalent safety integrity of a higher ASIL.

ASIL D

↙ ↘

ASIL B(d)

Independent channels — no shared cause of failure

Valid Decompositions

D → B(d) + B(d) D → A(d) + C(d) C → A(d) + B(d) B → A(d) + A(d) C → QM(d) + C(d) D → QM(d) + D(d)

Independence criteria must be met: no common cause failures, no cascading faults. The (d) suffix denotes a decomposed element.

Key Work Products

ISO 26262 mandates a comprehensive set of documented work products at each lifecycle phase. These are the evidence base for demonstrating compliance.

Work Product	Phase	Purpose
Item Definition	Concept	Defines boundaries and operating environment of the item
HARA Report	Concept	Hazard identification, ASIL classification, safety goals
Safety Goals	Concept	Top-level safety requirements with ASIL assignments
Functional Safety Concept (FSC)	Concept	Functional safety requirements allocated to architecture
Technical Safety Concept (TSC)	System	Technical safety requirements at system architecture level
HW Safety Requirements	Hardware	Hardware-level requirements and SPFM/LFM/PMHF targets
FMEA / FMEDA	Hardware	Failure mode analysis and diagnostic coverage assessment
SW Safety Requirements	Software	Software-level requirements with ASIL allocation
MISRA-Compliant Code	Software	Implementation per coding guidelines with static analysis evidence
Safety Case	Management	Evidence-based argument that safety goals are achieved
Confirmation Reviews	Management	Independent review records at each phase gate
Development Interface Agreement (DIA)	Management	Formal responsibility split between OEM and supplier

Confirmation Measures

ISO 26262 mandates independent confirmation of safety activities and work products. Three main types exist:

Functional Safety Audit

Checks that processes comply with the safety plan — a process audit, not a product review.

Functional Safety Assessment

Judges whether safety goals are achieved — performed by an independent assessor (I3 for ASIL D).

Reviews

Inspections or walkthroughs of work products (design docs, code, test plans) at phase gates.

Independence levels: I1 = same team | I2 = different team | I3 = external organisation (required for ASIL D assessment)

ISO 26262 vs IEC 61508

Aspect	IEC 61508	ISO 26262
Scope	Generic industries	Road vehicle E/E systems
Safety levels	SIL 1–4	ASIL A–D
Lifecycle	Generic safety lifecycle	Automotive V-model
HW metrics	HFT, Safe Failure Fraction (SFF)	SPFM, LFM, PMHF
Supply chain	Not addressed	DIA, supplier management
SW methods	Generic guidance	Automotive-specific (MISRA-C)
Certification	3rd-party required for SIL 3/4	Assessment mandated for ASIL C/D

Supporting Processes — Part 8

Part 8 defines the processes that underpin all technical activities across the lifecycle:

Configuration Management

Version control of all safety work products throughout the lifecycle

Change Management

Impact analysis and re-assessment required for every change to safety-relevant work products

Requirements Management

Formal bidirectional traceability from safety goals down to implementation

SW Tool Qualification

Tool Confidence Level (TCL) assessment and qualification process for development tools

Documentation

Required documents and records for traceability and audit

Proven in Use (PiU)

Using field-proven components to reduce validation effort

Real-World Automotive Applications

System	ASIL	Rationale
Airbag ECU	ASIL D	Deployment timing is life-critical
Electric Power Steering	ASIL D	Loss of steering is immediately dangerous
Autonomous Driving	ASIL D	No driver fallback — highest requirement
ABS / ESC	ASIL C	Braking and stability control
Battery Mgmt (BEV)	ASIL C/D	Thermal runaway and isolation fault prevention
ADAS Level 2	ASIL B/C	Driver-monitored automated features
TPMS	ASIL A	Warning only — controllable by driver
Infotainment	QM	No safety relevance

Common Challenges & Best Practices

Common Challenges

Misunderstanding ASIL decomposition rules
Insufficient independence between assessor and developer
Incomplete traceability from safety goals to code
Tool qualification gaps for ASIL C/D tools
Managing safety across complex supply chains
ASIL inheritance confusion between OEM and Tier-1

Best Practices

Start safety activities early in the concept phase
Maintain bidirectional traceability throughout lifecycle
Use DIA templates to clarify OEM–supplier responsibilities
Apply MISRA-C from the outset for ASIL B+ software
Conduct incremental confirmation reviews at each phase
Invest in team training and competence development

Is ISO 26262 Legally Mandatory?

Short answer: Not directly by law — but effectively unavoidable in practice.

Technically Voluntary

ISO 26262 is a voluntary international standard — no single global law mandates it by name
No regulator directly fines companies for lack of certification
Companies can theoretically use alternative methods to demonstrate safety

Effectively Mandatory

Product liability laws (EU, US) require manufacturers to prove their products are safe
OEMs will not accept safety-relevant components without ISO 26262 evidence
UN R155/R156 (UNECE WP.29) legally binding in 60+ countries — aligns directly with ISO 26262
Non-compliance + an incident = near-indefensible legal position in court

The Three Drivers of Effective Mandatory Status

Product Liability Law

Legal duty to produce safe vehicles in all markets

OEM Contract Requirements

Tier-1 suppliers must comply to win business

UNECE WP.29 Regulations

Binding in EU, Japan, Korea & 60+ countries

Key Takeaways

ISO 26262 is the definitive standard for E/E functional safety in road vehicles — adopted globally as the baseline for automotive safety engineering.
ASIL (A–D) classifies risk; ASIL D demands the most rigorous development practices including formal methods, MC/DC coverage, and third-party assessment.
HARA is the foundation — poor hazard analysis invalidates all downstream safety work. Investment here pays dividends throughout the programme.
The V-model lifecycle integrates safety at every stage, not as an afterthought. Safety activities run in parallel with development, not after it.
ASIL decomposition allows pragmatic architecture using independent redundant channels — enabling cost-effective compliance for high-ASIL requirements.
Safety management (plans, cases, DIAs) is as important as technical engineering. The process evidence is what regulators and assessors evaluate.
Compliance requires evidence: traceability, reviews, audits, and assessments — documented, maintained, and accessible throughout the vehicle’s service life.

References & Further Reading

The content of this article is based on the following primary standards, regulatory documents, and industry guidance. For any implementation programme, always consult the official published versions of the standards below.

Primary Standard

ISO 26262:2018 — Road vehicles — Functional Safety (Parts 1–12)

International Organization for Standardization (ISO). Second Edition, published December 2018. The definitive normative reference for all content in this article covering ASIL classification, HARA, lifecycle, hardware metrics, software requirements, and management processes.

iso.org ↗

Note: ISO 26262 is a paid standard. The official document can be purchased directly from ISO or national standards bodies (BSI, DIN, ANSI, BIS, etc.). Free preview abstracts are available on the ISO website.

Parent Standard (Functional Safety Foundation)

IEC 61508:2010 — Functional Safety of E/E/PE Safety-Related Systems (Parts 1–7)

International Electrotechnical Commission (IEC). The generic functional safety standard from which ISO 26262 was derived. Provides the foundational concepts of SIL, safety lifecycle, and systematic capability that underpin ISO 26262’s ASIL framework.

iec.ch ↗

Supporting Standards Referenced in this Article

MISRA C:2012 — Guidelines for the Use of the C Language in Critical Systems

Motor Industry Software Reliability Association (MISRA). Referenced in this article as the widely-used coding standard for ASIL B/C/D software development under ISO 26262 Part 6.

misra.org.uk ↗

ISO 26262-5:2018 — Part 5: Product Development at the Hardware Level

Specific part covering hardware architectural metrics (SPFM, LFM) and the Probabilistic Metric for random Hardware Failures (PMHF) referenced in the Hardware Development section.

iso.org ↗

ISO 26262-6:2018 — Part 6: Product Development at the Software Level

Specific part covering software safety requirements, coding guidelines, MC/DC coverage requirements for ASIL D, and independence requirements for testing referenced in the Software Development section.

iso.org ↗

ISO 26262-9:2018 — Part 9: ASIL-Oriented and Safety-Oriented Analyses

Part covering ASIL decomposition rules, FMEA/FTA methods, and dependent failure analysis referenced in the ASIL Decomposition section of this article.

iso.org ↗

Regulatory & Legal Documents

UN Regulation No. 155 — Uniform Provisions Concerning the Approval of Vehicles with Regard to Cyber Security and Cyber Security Management System

UNECE WP.29. Legally binding in all 1958 Agreement signatory countries from July 2022 (new types) / July 2024 (all new vehicles). Directly references ISO/SAE 21434 as the technical basis; indirectly reinforces ISO 26262 through functional safety linkage.

unece.org ↗

UN Regulation No. 156 — Uniform Provisions Concerning the Approval of Vehicles with Regard to Software Update and Software Updates Management System

UNECE WP.29. Mandates a Software Update Management System (SUMS) and RXSWIN traceability — contextualised in the legal mandatory section of this article as a driver of effective ISO 26262 compliance.

unece.org ↗

EU Framework Regulation 2018/858 — Approval and Market Surveillance of Motor Vehicles and their Trailers

European Parliament & Council. The legislative basis for Whole Vehicle Type Approval (WVTA) in the EU — the regulatory framework within which ISO 26262 compliance is assessed as part of the vehicle approval process.

eur-lex.europa.eu ↗

Industry Guidance & Further Reading

AUTOSAR Safety Overview — Safety Mechanisms in AUTOSAR Classic and Adaptive Platform

AUTOSAR Consortium. Describes how AUTOSAR’s software architecture supports ISO 26262 compliance, particularly freedom from interference, mixed-ASIL partitioning, and E2E protection libraries.

autosar.org ↗

ISO/SAE 21434:2021 — Road Vehicles — Cybersecurity Engineering

ISO & SAE International. The complementary cybersecurity standard to ISO 26262 — referenced in this article in the context of the legally mandatory section. Safety and security must be co-engineered; a successful cyberattack can trigger a safety hazard.

iso.org ↗

BSI (British Standards Institution) — ISO 26262 Product Overview and Guidance

British Standards Institution. Publicly available guidance on applying ISO 26262, including scope clarifications, common interpretation questions, and transition from first to second edition. Useful companion reading for practitioners.

bsigroup.com ↗

UNECE WP.29 — World Forum for Harmonization of Vehicle Regulations

United Nations Economic Commission for Europe. The body responsible for the UN Regulations (R100, R155, R156, R157 etc.) referenced throughout this article. Working party documents and adopted regulations are freely available on the UNECE website.

unece.org ↗

⚠ Important Notice

This article provides an educational overview of ISO 26262 based on its publicly described scope, structure, and requirements. It is not a substitute for the official standard. ISO 26262 is a paid document — for any development, compliance, or certification programme, the official ISO 26262:2018 Parts 1–12 must be obtained and consulted directly. Interpretations may vary; always confirm with an accredited Technical Service or functional safety assessor for project-specific guidance.

ISO 26262:2018 — Road vehicles — Functional Safety | International Standard | Second Edition

Published by the International Organization for Standardization (ISO) · Available at iso.org