ISO 26262

ISO 26262 Technical Overview


There is an ever-widening range of automotive electrical and/or electronic (E/E/PE) systems such as adaptive driver assistance systems, anti-lock braking systems, steering and airbags. Their increasing levels of integration and connectivity provide almost as many challenges as their proliferation, with non-critical systems such as entertainment systems sharing the same communications infrastructure as steering, braking and control systems. The net result is a necessity for exacting functional safety development processes, from requirements specification, design, implementation, integration, verification and validation through to configuration.

ISO 26262 “Road vehicles – Functional safety” was first published in 2011 and updated in 2018 in response to this explosion in automotive E/E/PE system complexity and the associated risks to public safety. Like the rail, medical device and process industries before it, the automotive sector based its functional safety standard on the (largely) industry-agnostic functional safety standard IEC 61508 which, in turn, drew heavily from the guiding principles of aerospace standards such as DO-178B/C. The net result is that proven tools are available to help with the implementation of ISO 26262 which are longer established than the standard itself.

ISO 26262 second edition provides detailed industry-specific guidelines for the production of all software for automotive systems and equipment, whether it is safety critical or not.

The standard references a number of hazard classification levels, known as ASILs (Automotive Safety Integrity Levels). ASILs range from A to D, so that the overhead involved in producing a safety critical ASIL D system (e.g. automatic braking) is greater than that required to produce an ASIL A system with few safety implications (e.g. the in-car entertainment system).

ASILs are assigned as properties of each individual safety function, not as a property of the whole system or system component, and each assigned ASIL is influenced by the frequency of the situation (“exposure”), the potential impact should it occur (“severity”), and how easily it can then be managed (“controllability”).

Figure 1: Overview of the ISO 26262 series of standards, with sections 4 and 6 highlighted

Figure 1 is taken from the standard and shows all 12 parts. It represents a lifecycle that can be summarized into 8 core objectives:

  • each product is identified and its functional requirements defined
  • a comprehensive set of hazardous events is identified for the product
  • an ASIL is assigned to each potential hazardous event
  • a safety goal is determined for each hazardous event, inheriting the ASIL of the hazard
  • a system architecture is defined to ensure the safety goals are met
  • the safety goals are redefined into lower-level safety requirements
  • these safety requirements are allocated to architectural components (subsystems, hardware and software components)
  • the architectural components are developed and validated in accordance with the allocated safety requirements 
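The ASIL assignment from exposure, severity and controllability described above, and the "safety goal inherits the ASIL of the hazard" objective in the list, worked through as an added example (not code from the page or from the standard). It assumes the class ranges S1-S3, E1-E4 and C1-C3 of ISO 26262-3 and uses a rank-sum rule that reproduces the standard's ASIL determination table cell for cell; the hazard names and class values are constructed.

```python
from dataclasses import dataclass

# Levels in increasing order of rigour; QM means no ASIL is required.
ASIL_ORDER = ["QM", "A", "B", "C", "D"]


def determine_asil(severity: int, exposure: int, controllability: int) -> str:
    """Combine the S (1-3), E (1-4) and C (1-3) classes into an ASIL.

    The rank sum S+E+C ranges from 3 to 10 and reproduces the ISO 26262-3
    determination table: sums up to 6 give QM, 7 -> A, 8 -> B, 9 -> C, and
    only the worst case S3/E4/C3 (sum 10) reaches ASIL D.
    """
    if not (1 <= severity <= 3 and 1 <= exposure <= 4 and 1 <= controllability <= 3):
        raise ValueError("classes must be S1-S3, E1-E4 and C1-C3")
    rank = severity + exposure + controllability
    return ASIL_ORDER[max(0, rank - 6)]


@dataclass(frozen=True)
class HazardousEvent:
    """One hazardous event from the hazard analysis (hypothetical data model)."""
    name: str
    severity: int
    exposure: int
    controllability: int

    @property
    def asil(self) -> str:
        return determine_asil(self.severity, self.exposure, self.controllability)


def safety_goal_asil(events: list[HazardousEvent]) -> str:
    """A safety goal inherits the ASIL of the hazardous event it addresses;
    a goal that covers several events takes the highest of their ASILs."""
    if not events:
        raise ValueError("a safety goal must address at least one hazardous event")
    return max((e.asil for e in events), key=ASIL_ORDER.index)


# Constructed sample hazards for an automatic-braking function (illustrative values only).
UNINTENDED_BRAKING = HazardousEvent("unintended full braking at highway speed", 3, 4, 3)
LOST_ASSIST_PARKING = HazardousEvent("loss of brake assist while parking", 1, 4, 2)

if __name__ == "__main__":
    for event in (UNINTENDED_BRAKING, LOST_ASSIST_PARKING):
        print(f"{event.name}: ASIL {event.asil}")
    print("safety goal covering both:", safety_goal_asil([UNINTENDED_BRAKING, LOST_ASSIST_PARKING]))
```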

Part 4 (system level) and Part 6 (software level) are highlighted in Figure 1 because they are of particular interest to software developers.