Automotive IQ Guides: ISO 26262 functional safety standard

An overview of ISO 26262

Speaking at the Society of Automotive Engineers’ (SAE) 2018 WCX conference in Detroit, Ken Kelzer, GM’s vice president of global vehicle components and subsystems, told attendees: “As we look toward the future challenges of new technologies, it is critical that we are unified in the development and application of standards.”

One such norm, the ISO 26262 automotive functional safety standard, is a derivative of IEC 61508, the generic functional safety standard for electric and electronic systems (E/E), which addresses the needs for an automotive-specific international standard focusing on safety critical components.

In general, ISO 26262 manages functional safety by guiding and regulating the entire product lifecycle process, from conceptual development through to decommissioning. What is more, it details how to assign an acceptable risk level to a system or component and document the overall testing process.

ISO 26262 history

Originally released in 2011, ISO 26262:2011 underwent a major update to Part 2 in 2018. In order to address concerns around emerging technologies, the update offered guidance on model-based development and software safety analysis, dependent failure analysis, semiconductors, fault tolerance, safety-related special characteristics, and software tools, as well as expanding its scope to include trucks, buses, trailers, semitrailers, and motorcycles.

To meet evolving industry requirements, ISO 26262:2018 also includes an extended vocabulary, more-detailed objectives, objective-oriented confirmation measures, information on managing safety anomalies, references to cyber security, updated values for hardware architecture metrics, and the means to evaluate hardware elements.

• RELATED Q&A: PRASANTH VISWANATHAN PILLAI, FUNCTIONAL SAFETY ARCHITECT AT TEXAS INSTRUMENTS

The elements of ISO 26262

For Part 2, the original ten sections were expanded to eleven, with a twelfth section dedicated to motorcycles:

• Part 1: Vocabulary
• Part 2: Management of functional safety
• Part 3: Concept phase
• Part 4: Product development at the system level
• Part 5: Product development at the hardware level
• Part 6: Product development at the software level
• Part 7: Production, operation, service and decommissioning
• Part 8: Supporting processes
• Part 9: Automotive Safety Integrity Level (ASIL)-oriented and safety-oriented analyses
• Part 10: Guidelines on ISO 26262
• Part 11: Guidelines on application of ISO 26262 to semiconductors
• Part 12: Adaptation of ISO 26262 for motorcycles

How do the twelve parts of ISO 26262: 2018 assist manufacturers in complying with functional safety?

Each of the twelve parts of the updated standard is meant to either offer guidance or set norms that enable manufacturers to evaluate risk and put in place countermeasures to proactively manage functional safety.

ISO 26262-01 – Definitions used in the execution of the standard

This covers the vocabulary to be applied to safety-related systems installed in series production road vehicles that include E/E architectures, excluding mopeds. By defining the terms and vocabulary used during safety-related E/E system development, this section establishes the framework for the successful implementation of functional safety. In so doing, it supports the entire series of standards.

ISO 26262-02 – Management of the functional safety process

This section describes the appropriate functional safety management methodology for automotive applications, including overall safety management and project-specific information related to management activities during the safety lifecycle’s various phases.

ISO 26262-03 – Functional safety during the concept phase

The third part of ISO 26262 applies to the early stages of development and defines the processes required to assure functional safety from the outset. This section details the functional safety concept, including item definition, hazard analysis and risk assessment.

ISO 26262-04 – Product development at the system level

Part four of ISO 26262 addresses a range of topics concerning product development at the system level. This standard includes general topics for initiating system level product development, specifications for technical safety, the technical safety concept, system architectural design, item integration and testing, and safety validation.

ISO 26262-05 – Functional safety during hardware development

This section addresses product development at the hardware level, including general topics, specifications for hardware safety, hardware design, the evaluation of the hardware architectural metrics, the evaluation of safety goal violations due to random hardware failures, and hardware integration and verification.

ISO 26262-06 – Product development at the software level

Part six defines functional safety at the software level during product development and covers general topics, specifications for software safety, software architectural design, software unit design and implementation, software unit verification, software integration and verification, as well as testing embedded software.

ISO 26262-07 – Production, operation, service and decommissioning

This segment addresses the production, operation, service, and decommissioning stages of the automotive safety lifecycle, including related planning activities.

ISO 26262-08 – Functional safety in the supporting processes

This piece of the standard specifies various supporting processes for the functional safety in the development of safety-related E/E systems. These processes include:

• Interfaces within distributed developments
• Safety management
• Configuration management
• Change management verification
• Documentation management
• Levels of confidence in the use of software tools
• Qualification of software components
• Evaluation of hardware elements
• Proven in-use arguments
• Interfacing an application that is out of the scope of ISO 26262
• Integration of safety-related systems not developed in accordance with ISO 26262

ISO 26262-09 – Automotive Safety Integrity Level (ASIL)-Oriented and safety-oriented analyses

In specifying Automotive Safety Integrity Level (ASIL)-oriented and safety-oriented analyses, this part covers decomposition with respect to ASIL tailoring, criteria for coexistence of elements, analysis of dependent failures, and safety analyses.

ISO 26262-10 – Guidelines on ISO 26262

Intended to be informative and facilitate comprehension of the other parts of the series, Part 10 provides an overview of the ISO 26262 standard with additional explanations. However, while this is meant to enhance the understanding of the general concepts of the other parts, in the case of inconsistencies between this document and any other part of the ISO 26262 series of standards, the requirements, recommendations and information specified in the other part of the ISO 26262 series will apply.

ISO 26262-11 – Guidelines on applying the standard to semiconductors

Part 11 provides detailed information to support semiconductor manufacturers and silicon intellectual property (IP) suppliers develop ISO 26262 compliant IP.

Furthermore the strengths and weaknesses of different reliability standards (SN 29500, IEC TR 62380 and FIDES) are evaluated in relation to component package failure rates. It also addresses considerations relating to the device packaging and pins – topics that are not easily understood nor addressed to any great extent in the first version of ISO 26262.

A more detailed definition of transient faults, than was given in the original version of ISO 26262, is included. There are many considerations documented regarding transient faults including α, β, neutron, or γ radiation sources.

However, this section’s content is not exhaustive with regard to possible interpretations. Having an informative character only, Part 11 contains possible interpretations of other ISO 26262 standards associated with semiconductor development.

• RELATED RENESAS ELECTRONICS ON ISO 26262 CHALLENGES FOR THE SEMICONDUCTOR INDUSTRY
• RELATED ISO 26262 Part 11: SYSTEMS-ON-CHIPS AND THE INTELLECTUAL PROPERTY CONUNDRUM

ISO 26262-12 – Adaptation of ISO 26262 to motorcycles

While the broader ISO 26262 addresses safety-related systems including E/E systems installed in series production road vehicles, this standard is specifically focused on tailoring these stipulations to motorcycles. In meeting this purpose, it covers general topics for the adaptation of motorcycles, safety culture, confirmation measures, hazard analysis and risk assessment, vehicle integration and testing, and safety validation.

• RELATED Q&A: DR THOMAS MAIER-KOMOR, HEAD OF FUNCTIONAL SAFETY PROCESSES FOR MOTORCYCLES AT BMW AG

Criticism of ISO 26262

Notwithstanding the significant advances made toward meeting the rapidly changing E/E environment and the impact on functional safety, regulators were of the opinion that several emerging technologies were still not adequately covered by the revision.

While ISO 26262 sets the standard for functional safety by seeking to eliminate electric/electronic systems malfunctions, the safety of automated-driving systems is not only related to E/E failures – it is also linked to other factors such as the conceivable misuse of the function by the driver, or the performance limitations of sensors or systems, or even due to unanticipated changes in the vehicle’s environment.

• Automotive IQ frequently features Webinars presented by industry leading figures on subjects related to ISO 26262 and SOTIF. Don't miss out!

The Safety of the Intended Functionality (SOTIF) standard

This has prompted regulators, safety lobbyists and the industry in general to expand the standards to address the validation and the verification of systems with complex sensing and AI algorithms, whose limitations in performance could cause safety hazards in the absence of a malfunction.

• RELATED INTEL CORPORATION ON THE FUTURE OF FUNCTIONAL SAFETY FOR AUTONOMOUS VEHICLES

Originally intended as Part 14 of ISO 26262:2018, the scope and complexity of the “Safety of the Intended Functionality (SOTIF)” standard, delayed the release of the revised version of ISO 26262 to such an extent that it was eventually submitted as a new stand-alone SOTIF draft, ISO PAS 21448.

Consequently, PAS 21448 seeks to reduce the following safety threats:

• Residual risk of the intended function, through analysis
• Unintended behavior in known situations through verification
• Residual unknown situations that could cause unintended behavior, through validation of verification situations

While a more definitive guideline would be useful, tech providers have no choice but to go with the most prevalent solution, which is currently to simulate the road miles and generate enough content to test the AVs from every conceivable angle. This includes the AI and ML algorithms’ functional safety performance.

As the industry continues to move towards autonomous, connected and electrified vehicles, ISO 26262 functional safety standards play an ever increasing role in system design. Understanding and correctly implementing an ISO 26262 compliance program can mean the difference between economic success and failure.

• Automotive IQ holds a number of conferences on subjects related to ISO 26262 and SOTIF. For more information, take a look at our Events page