ISO 26262 is an international functional safety standard for road vehicles, providing a risk-based framework to manage hazards in electrical and electronic systems. It defines the entire safety lifecycle, from concept through decommissioning, and mandates processes to achieve specified Automotive Safety Integrity Levels (ASIL). The standard is essential for ensuring that safety-critical components, such as those in autonomous driving systems, do not pose unacceptable risks.
Glossary
ISO 26262

What is ISO 26262?
ISO 26262 is the international functional safety standard for road vehicles, providing a risk-based framework to manage hazards in electrical and electronic systems.
The core methodology involves hazard analysis and risk assessment to assign an ASIL rating (A to D) to each safety goal. This rating dictates the required rigor of safety measures, including architectural design, verification, and validation activities. For embodied intelligence systems, compliance ensures that integrated hardware and software components—from sensors to actuators—operate with deterministic reliability under real-world conditions, forming a critical foundation for certifiable robotic platforms in automotive and adjacent mobility sectors.
Core Concepts of ISO 26262
ISO 26262 is the international functional safety standard for road vehicles, providing a risk-based framework to manage hazards and achieve Automotive Safety Integrity Levels (ASIL) for electrical and electronic systems.
Automotive Safety Integrity Level (ASIL)
The Automotive Safety Integrity Level (ASIL) is a risk classification scheme at the core of ISO 26262. It quantifies the necessary rigor of safety measures based on three factors:
- Severity of potential harm
- Exposure probability of the operational scenario
- Controllability by the driver or other systems
ASIL ratings range from QM (Quality Management, no specific safety requirements) to ASIL A, B, C, and D (the most stringent). An ASIL D requirement, for a critical function like electronic power steering, demands the highest level of verification, fault tolerance, and process rigor.
Safety Lifecycle & V-Model
ISO 26262 prescribes a safety lifecycle structured around the V-model, which tightly couples development phases with corresponding verification and validation activities.
Left side of the V (Development):
- Concept Phase: Hazard Analysis and Risk Assessment (HARA) to derive safety goals and ASILs.
- Product Development: System, hardware, and software-level design, each with specific safety requirements.
Right side of the V (Verification/Validation):
- Integration Testing: Hardware-software and system integration.
- Safety Validation: Confirming the system meets its safety goals in the vehicle.
This model ensures traceability from high-level safety goals down to individual software modules and hardware components, and back up through testing.
Functional Safety Concept (FSC)
The Functional Safety Concept (FSC) is the pivotal output of the concept phase. It translates abstract safety goals (e.g., "prevent unintended acceleration") into technically actionable functional safety requirements.
Key elements defined in the FSC include:
- Safety Mechanisms: Technical solutions to detect, control, or mitigate faults (e.g., a watchdog to reset a frozen microcontroller, a redundant sensor channel).
- Fault Tolerance Time Intervals: The maximum allowable time between a fault occurrence and the system reaching or maintaining a safe state.
- Allocation of Requirements: Distributing safety requirements to specific system elements (e.g., ECU, sensor, software function).
The FSC serves as the primary specification for all subsequent system, hardware, and software development.
Hardware Metrics: SPFM, LFM, PMHF
ISO 26262 defines quantitative metrics to objectively evaluate hardware architectural safety:
- Single-Point Fault Metric (SPFM): Measures the robustness against single-point faults, which are faults that directly cause a violation of a safety goal without a safety mechanism. A high SPFM (e.g., >99% for ASIL D) indicates good coverage by safety mechanisms.
- Latent-Fault Metric (LFM): Measures the robustness against latent faults, which are undetected faults that, combined with a second fault, could cause a hazard. A high LFM indicates effective diagnostic coverage for multi-point faults.
- Probabilistic Metric for Hardware Failures (PMHF): Estimates the probability of a random hardware failure causing a violation of a safety goal per hour of operation. It must be below a target value (e.g., <10⁻⁸/h for ASIL D).
These metrics drive design choices like redundancy, diversity, and diagnostic coverage.
Software Safety Requirements & Testing
Software development under ISO 26262 is governed by derived software safety requirements, which are traced from the system and functional safety concepts. The standard mandates specific techniques based on the assigned ASIL:
- Coding Standards: Use of enforceable guidelines like MISRA C/C++ to avoid error-prone constructs.
- Software Unit Design & Testing: Techniques include control flow analysis, data flow analysis, and unit testing with high statement and decision coverage (MC/DC for ASIL D).
- Software Integration Testing: Verification that software components interact correctly.
- Verification of Safety Mechanisms: Specific testing to confirm that implemented software safety mechanisms (e.g., plausibility checks, alive monitoring) function as specified in the FSC.
Safety Management & Supporting Processes
Beyond technical work products, ISO 26262 mandates rigorous supporting processes to ensure systematic safety engineering:
- Safety Management: Oversight by a safety manager, planning via a safety plan, and independent functional safety audits and assessments.
- Confidence in Use of Software Tools: Evaluation of development tools (compilers, debuggers) to justify that their potential malfunctions do not introduce safety violations.
- Qualification of Software Components: Process for integrating pre-existing or externally developed software (e.g., an OS or library) with evidence of its suitability for the safety context.
- Configuration Management: Tracking of all safety-relevant items and their versions.
- Change Management: Formal impact analysis for any modifications after initial release.
- Documentation: Creation of the Safety Case, a structured argument supported by evidence, to demonstrate that safety goals have been achieved.
Understanding Automotive Safety Integrity Levels (ASIL)
A core risk classification mechanism within the ISO 26262 functional safety standard for road vehicles.
Automotive Safety Integrity Levels (ASIL) are a risk classification scheme defined by the ISO 26262 standard, used to specify the necessary safety requirements for automotive electrical and electronic systems to achieve an acceptable level of risk. The level—ASIL A, B, C, or D—is determined through a systematic hazard analysis and risk assessment that evaluates the severity, exposure, and controllability of potential malfunctions, with ASIL D representing the highest integrity requirements.
For robotic and embodied intelligence systems, ASIL principles directly inform functional safety (FuSa) architectures, guiding the design of fault detection and diagnostics, deterministic execution in real-time control loops, and rigorous validation through methods like Hardware-in-the-Loop (HIL) testing. Achieving a target ASIL necessitates stringent processes across the entire development lifecycle, from concept to decommissioning, ensuring that safety is systematically engineered into the system rather than tested in retrospectively.
The ISO 26262 Safety Lifecycle (V-Model)
A comparison of the core phases in the ISO 26262 V-model, showing the corresponding activities between the left (definition) and right (verification & validation) sides of the lifecycle.
| Concept Phase | Product Development: System Level | Product Development: Hardware Level | Product Development: Software Level | Production & Operation |
|---|---|---|---|---|
Item Definition | Technical Safety Concept | Hardware Safety Requirements | Software Safety Requirements | Production Planning |
Hazard Analysis & Risk Assessment (HARA) | System Design | Hardware Design | Software Architectural Design | Operation & Maintenance |
Functional Safety Concept | System Integration & Testing | Hardware Integration & Testing | Software Integration & Testing | Decommissioning |
Safety Goals & ASIL Assignment | System Safety Validation | Hardware Safety Validation | Software Unit Testing | |
ASIL-Dependent Safety Requirements | Hardware Metrics Calculation (SPFM, LFM) | Software Integration Testing | ||
Verification of Safety Requirements | Hardware Architectural Metrics | Software Safety Validation | ||
Confirmation Measures (Reviews, Audits) | Software Tool Qualification |
Frequently Asked Questions
ISO 26262 is the international functional safety standard for automotive electrical and electronic systems. These FAQs address its core concepts, processes, and relevance to robotics and autonomous systems engineering.
ISO 26262 is an international functional safety standard that provides a risk-based framework for ensuring the safety of electrical and electronic (E/E) systems in road vehicles. Its primary purpose is to manage and mitigate the risk of systematic failures and random hardware failures that could lead to hazardous events, thereby preventing unreasonable risk to drivers, passengers, and other road users. The standard defines a complete safety lifecycle, from concept phase through decommissioning, mandating specific processes for hazard analysis, risk assessment, and the derivation of technical safety requirements. It culminates in the assignment of an Automotive Safety Integrity Level (ASIL) to each safety goal, which dictates the rigor of the safety measures required.
Enabling Efficiency, Speed & Accuracy
Intelligent Analysis, Decision & Execution
We build AI systems for teams that need search across company data, workflow automation across tools, or AI features inside products and internal software.
Talk to Us
Search across company data
Give teams answers from docs, tickets, runbooks, and product data with sources and permissions.
Useful when people spend too long searching or get different answers from different systems.

Automate internal workflows
Use AI to route work, draft outputs, trigger actions, and keep approvals and logs in place.
Useful when repetitive work moves across multiple tools and teams.

Add AI to products and internal tools
Build assistants, guided actions, or decision support into the software your team or customers already use.
Useful when AI needs to be part of the product, not a separate tool.
Related Terms
ISO 26262 is a cornerstone of automotive functional safety. These related concepts define the broader ecosystem of standards, processes, and engineering disciplines required to build and validate safe, complex robotic and autonomous systems.
Hardware-in-the-Loop (HIL) Testing
Hardware-in-the-Loop (HIL) testing is a critical validation technique in the ISO 26262 V-model. It involves connecting a physical hardware component (e.g., an Electronic Control Unit - ECU) to a real-time simulator that provides realistic sensor inputs and receives actuator commands. For robotic systems, HIL testing:
- Verifies that embedded controllers function correctly with simulated plant models.
- Enables stress testing of safety mechanisms under fault conditions (e.g., sensor failure injection).
- Allows for repeatable and exhaustive scenario testing that would be dangerous or costly in the real world.
- Is a key method for providing evidence for ASIL certification.
Automotive Safety Integrity Level (ASIL)
Automotive Safety Integrity Level (ASIL) is a risk classification scheme defined within ISO 26262. It determines the necessary rigor of safety measures. ASIL is assigned based on:
- Severity of potential injury.
- Exposure probability of the operational scenario.
- Controllability by the driver or other road users. The four levels are ASIL A (lowest) to ASIL D (highest). An ASIL D requirement, such as for a steering system, mandates the most stringent development processes, architectural constraints (e.g., high fault coverage), and testing evidence. Systems with no safety impact are classified as QM (Quality Management).
Fault Detection and Diagnostics
Fault Detection and Diagnostics (FDD) is a core capability mandated by functional safety standards. It involves continuously monitoring a system to:
- Detect anomalies, errors, or deviations from expected behavior.
- Diagnose the root cause of the fault (e.g., which sensor has failed).
- Initiate a safe state or mitigation strategy, as defined by the safety concept. In ISO 26262, this is realized through safety mechanisms like plausibility checks, range monitoring, and end-to-end communication protection (e.g., CRC checksums). For robots, FDD is essential for triggering fallback behaviors or safe stops.

About the author
Prasad Kumkar
CEO & MD, Inference Systems
Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.
His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.
Partnered with leading AI, data, and software stack.
How We Work
Custom AI workflows for your Business
One-fit-all AI don't work for modern businesses. At Inferensys, we aim to understand your business & custom requirements; which we use to define most efficient agentic workflows, the data, and the tools for your business.
01
Review the use case
We understand the task, the users, and where AI can actually help.
Read more02
Pick the right approach
We define what needs search, automation, or product integration.
Read more03
Build the first useful version
We implement the part that proves the value first.
Read more04
Improve from there
We add the checks and visibility needed to keep it useful.
Read moreThe first call is a practical review of your use case and the right next step.
Talk to Us