ISO 26262 Explained – Functional Safety for Road Vehicles
Why Functional Safety Matters in Modern Vehicles
Modern vehicles are no longer purely mechanical systems. Today’s cars are highly complex, software-driven systems consisting of dozens of electronic control units (ECUs) and millions of lines of code.
Many of these systems directly influence vehicle behavior, including braking, steering, acceleration, and airbag deployment. This increasing complexity introduces new types of risks that did not exist in traditional mechanical systems.
If a system behaves incorrectly, the consequences can be severe. A sensor may provide incorrect data, a control unit may fail, or a software component may crash. In such situations, the system may no longer behave as intended.
This can lead to hazardous situations, especially when safety-critical functions are affected.
This is exactly why functional safety has become a fundamental discipline in modern automotive engineering.
What Is ISO 26262?
ISO 26262 is the international standard for functional safety in road vehicles.
It specifically addresses electrical and electronic (E/E) systems, including embedded software, which are increasingly responsible for vehicle functionality.
The main objective of ISO 26262 is to reduce risks caused by malfunctioning behavior of these systems. Instead of assuming that systems always work correctly, the standard requires engineers to systematically consider potential failures and their consequences.
ISO 26262 provides a structured framework that guides engineers through the development of safety-critical systems. It defines processes, methods, and requirements that ensure safety is considered throughout the entire lifecycle of a product.
The ISO 26262 Safety Lifecycle
One of the core principles of ISO 26262 is the safety lifecycle.
Rather than treating safety as a one-time activity, the standard defines safety as a continuous process that spans the entire development lifecycle.
This lifecycle starts in the concept phase, where hazards are identified and safety goals are defined. From there, safety requirements are developed and refined across system, hardware, and software levels.
Even production, operation, and decommissioning are part of the lifecycle.
This lifecycle approach ensures that safety is integrated into every stage of development. It prevents safety from being treated as an afterthought and instead makes it a fundamental part of engineering processes from the very beginning.
Hazard Analysis and Risk Assessment (HARA)
One of the most critical activities in ISO 26262 is the Hazard Analysis and Risk Assessment, commonly referred to as HARA.
This activity is performed during the concept phase and serves as the foundation for all subsequent safety activities.
Engineers begin by defining the system under consideration, referred to as the item. They then identify potential hazards that may occur if the system malfunctions.
For example, a braking system may fail to apply braking force when required, or it may apply braking unexpectedly.
Each hazardous event is analyzed in detail to understand the associated risks.
Based on this analysis, engineers define safety goals, which describe the high-level safety objectives required to prevent or mitigate hazardous situations.
HARA is a crucial step because it directly determines the safety requirements and development rigor needed for the system.
ASIL Classification
To evaluate the criticality of hazards, ISO 26262 introduces the Automotive Safety Integrity Level (ASIL).
ASIL represents the level of risk reduction required to ensure acceptable safety.
The standard defines four ASIL levels:
- ASIL A (lowest)
- ASIL B
- ASIL C
- ASIL D (highest)
Higher ASIL levels require more stringent development processes, more robust safety mechanisms, and more comprehensive verification activities.
For less critical functions, no specific ASIL may be required. In such cases, the function is classified as QM (Quality Management), meaning standard quality processes are sufficient.
The ASIL classification has a direct impact on how a system is designed, developed, and validated.
How ASIL Is Determined
ASIL determination is based on three key parameters:
- Severity (S): How serious is the potential harm to people if the hazardous event occurs?
- Exposure (E): How often, or for how long, is the vehicle in the operational situation in which the hazard can occur?
- Controllability (C): How well can the driver or other persons involved avoid the harm once the hazard occurs?
These parameters are evaluated using a structured approach defined in ISO 26262.
The combination of severity, exposure, and controllability results in an ASIL classification.
This structured evaluation ensures that risk assessment is consistent and based on clearly defined criteria rather than subjective judgment.
If you want a deeper, step-by-step understanding of HARA and ASIL, including real project examples, you can explore the full ISO 26262 training on our website.
From Safety Goals to Safety Requirements
Safety goals define what must be achieved to ensure safety, but they are not detailed enough for direct implementation.
Therefore, engineers derive more specific requirements from these goals.
This process includes:
- Functional safety requirements
- Technical safety requirements
Functional safety requirements describe what functions are needed to achieve safety goals. Technical safety requirements define how these functions are implemented within the system.
An essential concept in this process is traceability.
Each requirement must be traceable back to the hazard it is intended to mitigate. This ensures transparency, consistency, and accountability throughout development.
System, Hardware, and Software Safety
Once safety requirements are defined, they must be implemented across different levels of the system.
At the system level, engineers define the architecture and allocate safety functions.
At the hardware level, the focus is on analyzing and mitigating random hardware failures, such as component faults.
At the software level, the focus shifts to preventing systematic faults through robust development processes, coding standards, and testing.
Verification and validation activities are performed throughout development to ensure that all safety requirements are correctly implemented and that the system behaves safely under all relevant conditions.
Example: Airbag System
To better understand how ISO 26262 is applied in practice, consider a simplified airbag system.
The purpose of the system is to protect vehicle occupants during a collision. However, the system itself can introduce hazards if it behaves incorrectly.
One potential hazard is unintended airbag deployment.
If the airbag deploys unexpectedly while driving, it may startle the driver or even lead to loss of vehicle control.
During HARA, engineers analyze this hazardous event by evaluating severity, exposure, and controllability.
Based on this analysis, an ASIL level is assigned.
From there, safety requirements are defined to ensure that the probability of such a malfunction is reduced to an acceptable level.
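As an added example that is not part of the article, the ASIL determination described in "How ASIL Is Determined" applied to hazardous events of this airbag item. The S/E/C-to-ASIL mapping is the one in ISO 26262-3 (Table 4 of the 2018 edition); the airbag ratings, situations and hazard names are constructed assumptions, and the code goes one step beyond the article by checking that the table is additive in the three ratings and by deriving the ASIL a safety goal inherits from several hazardous events.

```python
"""ASIL determination (ISO 26262-3) applied to a constructed HARA table."""

# ISO 26262-3:2018, Table 4: ASIL by severity S1..S3 (outer key), exposure E1..E4
# (inner key) and controllability C1..C3 (tuple position). S0, E0 or C0 is QM.
ASIL_TABLE = {
    1: {1: ("QM", "QM", "QM"), 2: ("QM", "QM", "QM"), 3: ("QM", "QM", "A"), 4: ("QM", "A", "B")},
    2: {1: ("QM", "QM", "QM"), 2: ("QM", "QM", "A"), 3: ("QM", "A", "B"), 4: ("A", "B", "C")},
    3: {1: ("QM", "QM", "A"), 2: ("QM", "A", "B"), 3: ("A", "B", "C"), 4: ("B", "C", "D")},
}
ASIL_ORDER = ("QM", "A", "B", "C", "D")


def determine_asil(s: int, e: int, c: int) -> str:
    """Map one hazardous event's S/E/C ratings to QM or ASIL A..D via Table 4."""
    if s not in range(4) or e not in range(5) or c not in range(4):
        raise ValueError(f"rating out of range: S{s} E{e} C{c}")
    if 0 in (s, e, c):  # no relevant harm, no exposure, or controllable in general
        return "QM"
    return ASIL_TABLE[s][e][c - 1]


def asil_from_sum(s: int, e: int, c: int) -> str:
    """Closed form of the same table: it is additive, S+E+C-6 indexes QM,A,B,C,D."""
    if 0 in (s, e, c):
        return "QM"
    return ASIL_ORDER[max(0, s + e + c - 6)]


def table_is_additive() -> bool:
    """Cross-check: the closed form reproduces every cell of Table 4."""
    return all(determine_asil(s, e, c) == asil_from_sum(s, e, c)
               for s in range(4) for e in range(5) for c in range(4))


def safety_goal_asil(events) -> str:
    """A safety goal covering several hazardous events inherits the highest ASIL."""
    return max((determine_asil(s, e, c) for _, _, s, e, c in events), key=ASIL_ORDER.index)


# Constructed HARA rows (hazard, operational situation, S, E, C) for the airbag item.
# The ratings are illustrative assumptions, not values from the article or the standard.
UNINTENDED_DEPLOYMENT = [
    ("unintended deployment", "highway, high speed", 3, 3, 3),
    ("unintended deployment", "parking manoeuvre, low speed", 1, 2, 2),
]

if __name__ == "__main__":
    for hazard, situation, s, e, c in UNINTENDED_DEPLOYMENT:
        print(f"{hazard} / {situation}: S{s} E{e} C{c} -> {determine_asil(s, e, c)}")
    print("safety goal 'prevent unintended deployment':", safety_goal_asil(UNINTENDED_DEPLOYMENT))
```

The closed-form check is a useful review aid: a HARA spreadsheet whose ASIL column disagrees with `asil_from_sum` for any row has either a mistyped rating or a table transcription error.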
What ISO 26262 Achieves
ISO 26262 provides a structured and systematic framework for managing functional safety in automotive systems.
It enables organizations to:
- Identify hazards in a structured way
- Evaluate risks consistently
- Define clear and traceable safety requirements
- Implement safety measures across all system levels
- Verify that safety objectives are achieved
This structured approach is essential for managing the increasing complexity of modern vehicles and ensuring that safety-critical systems operate reliably.
Summary
ISO 26262 is the international standard for functional safety in automotive systems.
It focuses on risks caused by malfunctioning behavior and provides a structured framework for identifying hazards, assessing risks, and implementing safety measures.
Key concepts include HARA, ASIL classification, safety goals, and safety requirements.
Most importantly, ISO 26262 integrates safety into the entire development lifecycle, making it a core part of modern automotive engineering.
FAQ – ISO 26262 Explained
What is ISO 26262?
ISO 26262 is an international standard that defines functional safety requirements for automotive electrical and electronic systems.
What is functional safety?
Functional safety focuses on preventing hazards caused by system malfunctions.
What is ASIL?
ASIL (Automotive Safety Integrity Level) defines the required level of risk reduction.
What is HARA?
HARA stands for Hazard Analysis and Risk Assessment and is used to identify and evaluate hazards.