Inferensys

Glossary

ISO 26262

ISO 26262 is an international functional safety standard for road vehicles, defining requirements and processes to manage risk and achieve Automotive Safety Integrity Levels (ASIL) for electrical and electronic systems.
Risk analyst performing AI risk assessment on laptop, risk matrices visible, casual office risk session.
AUTOMOTIVE FUNCTIONAL SAFETY STANDARD

What is ISO 26262?

ISO 26262 is the international functional safety standard for road vehicles, providing a risk-based framework to manage hazards in electrical and electronic systems.

ISO 26262 is an international functional safety standard for road vehicles, providing a risk-based framework to manage hazards in electrical and electronic systems. It defines the entire safety lifecycle, from concept through decommissioning, and mandates processes to achieve specified Automotive Safety Integrity Levels (ASIL). The standard is essential for ensuring that safety-critical components, such as those in autonomous driving systems, do not pose unacceptable risks.

The core methodology involves hazard analysis and risk assessment to assign an ASIL rating (A to D) to each safety goal. This rating dictates the required rigor of safety measures, including architectural design, verification, and validation activities. For embodied intelligence systems, compliance ensures that integrated hardware and software components—from sensors to actuators—operate with deterministic reliability under real-world conditions, forming a critical foundation for certifiable robotic platforms in automotive and adjacent mobility sectors.

FUNCTIONAL SAFETY STANDARD

Core Concepts of ISO 26262

ISO 26262 is the international functional safety standard for road vehicles, providing a risk-based framework to manage hazards and achieve Automotive Safety Integrity Levels (ASIL) for electrical and electronic systems.

01

Automotive Safety Integrity Level (ASIL)

The Automotive Safety Integrity Level (ASIL) is a risk classification scheme at the core of ISO 26262. It quantifies the necessary rigor of safety measures based on three factors:

  • Severity of potential harm
  • Exposure probability of the operational scenario
  • Controllability by the driver or other systems

ASIL ratings range from QM (Quality Management, no specific safety requirements) to ASIL A, B, C, and D (the most stringent). An ASIL D requirement, for a critical function like electronic power steering, demands the highest level of verification, fault tolerance, and process rigor.

02

Safety Lifecycle & V-Model

ISO 26262 prescribes a safety lifecycle structured around the V-model, which tightly couples development phases with corresponding verification and validation activities.

Left side of the V (Development):

  • Concept Phase: Hazard Analysis and Risk Assessment (HARA) to derive safety goals and ASILs.
  • Product Development: System, hardware, and software-level design, each with specific safety requirements.

Right side of the V (Verification/Validation):

  • Integration Testing: Hardware-software and system integration.
  • Safety Validation: Confirming the system meets its safety goals in the vehicle.

This model ensures traceability from high-level safety goals down to individual software modules and hardware components, and back up through testing.

03

Functional Safety Concept (FSC)

The Functional Safety Concept (FSC) is the pivotal output of the concept phase. It translates abstract safety goals (e.g., "prevent unintended acceleration") into technically actionable functional safety requirements.

Key elements defined in the FSC include:

  • Safety Mechanisms: Technical solutions to detect, control, or mitigate faults (e.g., a watchdog to reset a frozen microcontroller, a redundant sensor channel).
  • Fault Tolerance Time Intervals: The maximum allowable time between a fault occurrence and the system reaching or maintaining a safe state.
  • Allocation of Requirements: Distributing safety requirements to specific system elements (e.g., ECU, sensor, software function).

The FSC serves as the primary specification for all subsequent system, hardware, and software development.

04

Hardware Metrics: SPFM, LFM, PMHF

ISO 26262 defines quantitative metrics to objectively evaluate hardware architectural safety:

  • Single-Point Fault Metric (SPFM): Measures the robustness against single-point faults, which are faults that directly cause a violation of a safety goal without a safety mechanism. A high SPFM (e.g., >99% for ASIL D) indicates good coverage by safety mechanisms.
  • Latent-Fault Metric (LFM): Measures the robustness against latent faults, which are undetected faults that, combined with a second fault, could cause a hazard. A high LFM indicates effective diagnostic coverage for multi-point faults.
  • Probabilistic Metric for Hardware Failures (PMHF): Estimates the probability of a random hardware failure causing a violation of a safety goal per hour of operation. It must be below a target value (e.g., <10⁻⁸/h for ASIL D).

These metrics drive design choices like redundancy, diversity, and diagnostic coverage.

05

Software Safety Requirements & Testing

Software development under ISO 26262 is governed by derived software safety requirements, which are traced from the system and functional safety concepts. The standard mandates specific techniques based on the assigned ASIL:

  • Coding Standards: Use of enforceable guidelines like MISRA C/C++ to avoid error-prone constructs.
  • Software Unit Design & Testing: Techniques include control flow analysis, data flow analysis, and unit testing with high statement and decision coverage (MC/DC for ASIL D).
  • Software Integration Testing: Verification that software components interact correctly.
  • Verification of Safety Mechanisms: Specific testing to confirm that implemented software safety mechanisms (e.g., plausibility checks, alive monitoring) function as specified in the FSC.
06

Safety Management & Supporting Processes

Beyond technical work products, ISO 26262 mandates rigorous supporting processes to ensure systematic safety engineering:

  • Safety Management: Oversight by a safety manager, planning via a safety plan, and independent functional safety audits and assessments.
  • Confidence in Use of Software Tools: Evaluation of development tools (compilers, debuggers) to justify that their potential malfunctions do not introduce safety violations.
  • Qualification of Software Components: Process for integrating pre-existing or externally developed software (e.g., an OS or library) with evidence of its suitability for the safety context.
  • Configuration Management: Tracking of all safety-relevant items and their versions.
  • Change Management: Formal impact analysis for any modifications after initial release.
  • Documentation: Creation of the Safety Case, a structured argument supported by evidence, to demonstrate that safety goals have been achieved.
ISO 26262

Understanding Automotive Safety Integrity Levels (ASIL)

A core risk classification mechanism within the ISO 26262 functional safety standard for road vehicles.

Automotive Safety Integrity Levels (ASIL) are a risk classification scheme defined by the ISO 26262 standard, used to specify the necessary safety requirements for automotive electrical and electronic systems to achieve an acceptable level of risk. The level—ASIL A, B, C, or D—is determined through a systematic hazard analysis and risk assessment that evaluates the severity, exposure, and controllability of potential malfunctions, with ASIL D representing the highest integrity requirements.

For robotic and embodied intelligence systems, ASIL principles directly inform functional safety (FuSa) architectures, guiding the design of fault detection and diagnostics, deterministic execution in real-time control loops, and rigorous validation through methods like Hardware-in-the-Loop (HIL) testing. Achieving a target ASIL necessitates stringent processes across the entire development lifecycle, from concept to decommissioning, ensuring that safety is systematically engineered into the system rather than tested in retrospectively.

PROCESS PHASES

The ISO 26262 Safety Lifecycle (V-Model)

A comparison of the core phases in the ISO 26262 V-model, showing the corresponding activities between the left (definition) and right (verification & validation) sides of the lifecycle.

Concept PhaseProduct Development: System LevelProduct Development: Hardware LevelProduct Development: Software LevelProduction & Operation

Item Definition

Technical Safety Concept

Hardware Safety Requirements

Software Safety Requirements

Production Planning

Hazard Analysis & Risk Assessment (HARA)

System Design

Hardware Design

Software Architectural Design

Operation & Maintenance

Functional Safety Concept

System Integration & Testing

Hardware Integration & Testing

Software Integration & Testing

Decommissioning

Safety Goals & ASIL Assignment

System Safety Validation

Hardware Safety Validation

Software Unit Testing

ASIL-Dependent Safety Requirements

Hardware Metrics Calculation (SPFM, LFM)

Software Integration Testing

Verification of Safety Requirements

Hardware Architectural Metrics

Software Safety Validation

Confirmation Measures (Reviews, Audits)

Software Tool Qualification

ISO 26262

Frequently Asked Questions

ISO 26262 is the international functional safety standard for automotive electrical and electronic systems. These FAQs address its core concepts, processes, and relevance to robotics and autonomous systems engineering.

ISO 26262 is an international functional safety standard that provides a risk-based framework for ensuring the safety of electrical and electronic (E/E) systems in road vehicles. Its primary purpose is to manage and mitigate the risk of systematic failures and random hardware failures that could lead to hazardous events, thereby preventing unreasonable risk to drivers, passengers, and other road users. The standard defines a complete safety lifecycle, from concept phase through decommissioning, mandating specific processes for hazard analysis, risk assessment, and the derivation of technical safety requirements. It culminates in the assignment of an Automotive Safety Integrity Level (ASIL) to each safety goal, which dictates the rigor of the safety measures required.

Prasad Kumkar

About the author

Prasad Kumkar

CEO & MD, Inference Systems

Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.

His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.