ISO 26262-3:2018
Road vehicles - Functional safety - Part 3: Concept phase
This document is intended to be applied to safety-related systems that include one or more electrical and/or electronic (E/E) systems and that are installed in series production road vehicles, excluding mopeds. This document does not address unique E/E systems in special vehicles such as E/E systems designed for drivers with disabilities.

NOTE Other dedicated application-specific safety standards exist and can complement the ISO 26262 series of standards or vice versa.

Systems and their components released for production, or systems and their components already under development prior to the publication date of this document, are exempted from the scope of this edition. This document addresses alterations to existing systems and their components released for production prior to the publication of this document by tailoring the safety lifecycle depending on the alteration. This document addresses integration of existing systems not developed according to this document and systems developed according to this document by tailoring the safety lifecycle.

This document addresses possible hazards caused by malfunctioning behaviour of safety-related E/E systems, including interaction of these systems. It does not address hazards related to electric shock, fire, smoke, heat, radiation, toxicity, flammability, reactivity, corrosion, release of energy and similar hazards, unless directly caused by malfunctioning behaviour of safety-related E/E systems.

This document describes a framework for functional safety to assist the development of safety-related E/E systems. This framework is intended to be used to integrate functional safety activities into a company-specific development framework. Some requirements have a clear technical focus to implement functional safety into a product; others address the development process and can therefore be seen as process requirements in order to demonstrate the capability of an organization with respect to functional safety.

This document does not address the nominal performance of E/E systems.

This document specifies the requirements for the concept phase for automotive applications, including the following:
- item definition;
- hazard analysis and risk assessment; and
- functional safety concept.

Annex A provides an overview on objectives, prerequisites and work products of this document.
ISO 26262-3:2018 - Concept phase (Road vehicles - Functional safety)
Overview
ISO 26262-3:2018 is Part 3 of the ISO 26262 functional safety series for road vehicles. It defines the concept phase requirements for safety-related electrical/electronic (E/E) systems in series-production road vehicles (excluding mopeds and unique E/E systems for drivers with disabilities). The standard provides a framework to integrate functional safety activities into a company‑specific development process and focuses on early lifecycle work products: item definition, hazard analysis and risk assessment, and the functional safety concept. It addresses hazards caused by malfunctioning E/E systems (including system interactions) but does not cover non‑malfunction physical hazards (e.g., fire, toxicity) unless directly caused by E/E malfunction.
Keywords: ISO 26262-3:2018, functional safety, concept phase, automotive, E/E systems, hazard analysis, ASIL, safety goals.
Key Topics and Requirements
- Item definition: Establish scope, system boundaries, intended functionality and interfaces for the item under analysis.
- Hazard analysis and risk assessment (HARA): Systematic identification of hazards, classification of hazardous events, and assignment of Automotive Safety Integrity Levels (ASILs) to derive safety goals.
- Functional safety concept: Define high‑level functional safety requirements and safety measures (including safety validation criteria) that satisfy the safety goals for the concept phase.
- Tailoring and integration: Guidance on tailoring the safety lifecycle for alterations to existing systems or integration of legacy systems not originally developed to ISO 26262.
- Process and technical orientation: The standard mixes technical product requirements and process requirements to demonstrate organizational capability for functional safety.
- Verification and work products: Specifies expected outputs and verification activities for the concept phase; Annex A provides an overview of objectives, prerequisites and work products.
Applications and Who Uses It
ISO 26262-3:2018 is used by:
- Automotive OEMs and tier‑1 suppliers for early safety planning and procurement specifications.
- System architects, functional safety engineers, and safety managers to drive HARA, derive safety goals, and define high‑level safety requirements.
- Project teams integrating legacy systems or tailoring development processes for compliance.
- Compliance and verification teams preparing evidence for safety approval and audits.
Practical applications include new vehicle features, advanced driver assistance systems (ADAS), E/E architecture changes, and safety case preparation during concept development.
Related Standards
- ISO 26262 series (Parts 1–12) - overarching functional safety lifecycle and supporting parts (e.g., system, hardware, software, production).
- IEC 61508 - parent standard for functional safety (sector‑agnostic), referenced by ISO 26262.
- Application-specific safety standards may complement ISO 26262 depending on vehicle or subsystem.
ISO 26262-3:2018 is essential for organizations seeking a structured, risk‑based approach to define safety goals and concept‑level requirements for automotive E/E systems.
Frequently Asked Questions
ISO 26262-3:2018 is a standard published by the International Organization for Standardization (ISO). Its full title is "Road vehicles - Functional safety - Part 3: Concept phase". Its scope, given in full in the abstract above, covers safety-related E/E systems installed in series production road vehicles (excluding mopeds) and specifies the requirements for the concept phase: item definition, hazard analysis and risk assessment, and the functional safety concept.
ISO 26262-3:2018 is classified under the following ICS (International Classification for Standards) categories: 43.040.10 - Electrical and electronic equipment. The ICS classification helps identify the subject area and facilitates finding related standards.
ISO 26262-3:2018 has the following relationship with other standards: it is linked to ISO 26262-3:2011, the first edition, which this edition cancels and replaces (see the Foreword). Understanding these relationships helps ensure you are using the most current and applicable version of the standard.
Standards Content (Sample)
INTERNATIONAL STANDARD ISO 26262-3
Second edition 2018-12
Road vehicles — Functional safety —
Part 3:
Concept phase
Véhicules routiers — Sécurité fonctionnelle —
Partie 3: Phase de projet
© ISO 2018
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may
be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting
on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address
below or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Fax: +41 22 749 09 47
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
ii © ISO 2018 – All rights reserved
Contents
Foreword ... iv
Introduction ... vi
1 Scope ... 1
2 Normative references ... 1
3 Terms and definitions ... 2
4 Requirements for compliance ... 2
4.1 Purpose ... 2
4.2 General requirements ... 2
4.3 Interpretations of tables ... 3
4.4 ASIL-dependent requirements and recommendations ... 3
4.5 Adaptation for motorcycles ... 3
4.6 Adaptation for trucks, buses, trailers and semi-trailers ... 3
5 Item definition ... 4
5.1 Objectives ... 4
5.2 General ... 4
5.3 Inputs to this clause ... 4
5.3.1 Prerequisites ... 4
5.3.2 Further supporting information ... 4
5.4 Requirements and recommendations ... 4
5.5 Work products ... 5
6 Hazard analysis and risk assessment ... 5
6.1 Objectives ... 5
6.2 General ... 5
6.3 Inputs to this clause ... 6
6.3.1 Prerequisites ... 6
6.3.2 Further supporting information ... 6
6.4 Requirements and recommendations ... 6
6.4.1 Initiation of the hazard analysis and risk assessment ... 6
6.4.2 Situation analysis and hazard identification ... 6
6.4.3 Classification of hazardous events ... 7
6.4.4 Determination of safety goals ... 10
6.4.5 Management of variances of T&B in hazard analysis and risk assessment ... 11
6.4.6 Verification ... 12
6.5 Work products ... 12
7 Functional safety concept ... 12
7.1 Objectives ... 12
7.2 General ... 13
7.3 Inputs to this clause ... 13
7.3.1 Prerequisites ... 13
7.3.2 Further supporting information ... 13
7.4 Requirements and recommendations ... 14
7.4.1 General ... 14
7.4.2 Derivation of functional safety requirements ... 14
7.4.3 Safety validation criteria ... 16
7.4.4 Verification of the functional safety concept ... 16
7.5 Work products ... 17
Annex A (informative) Overview of and workflow of concept phase ... 18
Annex B (informative) Hazard analysis and risk assessment ... 19
Bibliography ... 28
Foreword
ISO (the International Organization for Standardization) is a worldwide federation of national standards
bodies (ISO member bodies). The work of preparing International Standards is normally carried out
through ISO technical committees. Each member body interested in a subject for which a technical
committee has been established has the right to be represented on that committee. International
organizations, governmental and non-governmental, in liaison with ISO, also take part in the work.
ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters of
electrotechnical standardization.
The procedures used to develop this document and those intended for its further maintenance are
described in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for the
different types of ISO documents should be noted. This document was drafted in accordance with the
editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives).
Attention is drawn to the possibility that some of the elements of this document may be the subject of
patent rights. ISO shall not be held responsible for identifying any or all such patent rights. Details of
any patent rights identified during the development of the document will be in the Introduction and/or
on the ISO list of patent declarations received (see www.iso.org/patents).
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation on the voluntary nature of standards, the meaning of ISO specific terms and
expressions related to conformity assessment, as well as information about ISO's adherence to the
World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT) see the following
URL: www.iso.org/iso/foreword.html.
This document was prepared by Technical Committee ISO/TC 22, Road vehicles, Subcommittee SC 32,
Electrical and electronic components and general system aspects.
This edition of ISO 26262 series of standards cancels and replaces the edition ISO 26262:2011 series of
standards, which has been technically revised and includes the following main changes:
— requirements for trucks, buses, trailers and semi-trailers;
— extension of the vocabulary;
— more detailed objectives;
— objective oriented confirmation measures;
— management of safety anomalies;
— references to cyber-security;
— updated target values for hardware architecture metrics;
— guidance on model based development and software safety analysis;
— evaluation of hardware elements;
— additional guidance on dependent failure analysis;
— guidance on fault tolerance, safety related special characteristics and software tools;
— guidance for semiconductors;
— requirements for motorcycles; and
— general restructuring of all parts for improved clarity.
Any feedback or questions on this document should be directed to the user’s national standards body. A
complete listing of these bodies can be found at www.iso.org/members.html.
A list of all parts in the ISO 26262 series can be found on the ISO website.
Introduction
The ISO 26262 series of standards is the adaptation of IEC 61508 series of standards to address the
sector specific needs of electrical and/or electronic (E/E) systems within road vehicles.
This adaptation applies to all activities during the safety lifecycle of safety-related systems comprised
of electrical, electronic and software components.
Safety is one of the key issues in the development of road vehicles. Development and integration of
automotive functionalities strengthen the need for functional safety and the need to provide evidence
that functional safety objectives are satisfied.
With the trend of increasing technological complexity, software content and mechatronic
implementation, there are increasing risks from systematic failures and random hardware failures,
these being considered within the scope of functional safety. ISO 26262 series of standards includes
guidance to mitigate these risks by providing appropriate requirements and processes.
To achieve functional safety, the ISO 26262 series of standards:
a) provides a reference for the automotive safety lifecycle and supports the tailoring of the activities
to be performed during the lifecycle phases, i.e., development, production, operation, service and
decommissioning;
b) provides an automotive-specific risk-based approach to determine integrity levels [Automotive
Safety Integrity Levels (ASILs)];
c) uses ASILs to specify which of the requirements of ISO 26262 are applicable to avoid unreasonable
residual risk;
d) provides requirements for functional safety management, design, implementation, verification,
validation and confirmation measures; and
e) provides requirements for relations between customers and suppliers.
The ISO 26262 series of standards is concerned with functional safety of E/E systems that is achieved
through safety measures including safety mechanisms. It also provides a framework within which
safety-related systems based on other technologies (e.g. mechanical, hydraulic and pneumatic) can be
considered.
The achievement of functional safety is influenced by the development process (including such
activities as requirements specification, design, implementation, integration, verification, validation
and configuration), the production and service processes and the management processes.
Safety is intertwined with common function-oriented and quality-oriented activities and work
products. The ISO 26262 series of standards addresses the safety-related aspects of these activities and
work products.
Figure 1 shows the overall structure of the ISO 26262 series of standards. The ISO 26262 series of
standards is based upon a V-model as a reference process model for the different phases of product
development. Within the figure:
— the shaded “V”s represent the interconnection among ISO 26262-3, ISO 26262-4, ISO 26262-5,
ISO 26262-6 and ISO 26262-7;
— for motorcycles:
— ISO 26262-12:2018, Clause 8 supports ISO 26262-3;
— ISO 26262-12:2018, Clauses 9 and 10 support ISO 26262-4;
— the specific clauses are indicated in the following manner: “m-n”, where “m” represents the number
of the particular part and “n” indicates the number of the clause within that part.
EXAMPLE “2-6” represents ISO 26262-2:2018, Clause 6.
Figure 1 — Overview of the ISO 26262 series of standards
INTERNATIONAL STANDARD ISO 26262-3:2018(E)
Road vehicles — Functional safety —
Part 3:
Concept phase
1 Scope
This document is intended to be applied to safety-related systems that include one or more electrical
and/or electronic (E/E) systems and that are installed in series production road vehicles, excluding
mopeds. This document does not address unique E/E systems in special vehicles such as E/E systems
designed for drivers with disabilities.
NOTE Other dedicated application-specific safety standards exist and can complement the ISO 26262 series
of standards or vice versa.
Systems and their components released for production, or systems and their components already under
development prior to the publication date of this document, are exempted from the scope of this edition.
This document addresses alterations to existing systems and their components released for production
prior to the publication of this document by tailoring the safety lifecycle depending on the alteration.
This document addresses integration of existing systems not developed according to this document and
systems developed according to this document by tailoring the safety lifecycle.
This document addresses possible hazards caused by malfunctioning behaviour of safety-related E/E
systems, including interaction of these systems. It does not address hazards related to electric shock,
fire, smoke, heat, radiation, toxicity, flammability, reactivity, corrosion, release of energy and similar
hazards, unless directly caused by malfunctioning behaviour of safety-related E/E systems.
This document describes a framework for functional safety to assist the development of safety-
related E/E systems. This framework is intended to be used to integrate functional safety activities
into a company-specific development framework. Some requirements have a clear technical focus to
implement functional safety into a product; others address the development process and can therefore
be seen as process requirements in order to demonstrate the capability of an organization with respect
to functional safety.
This document does not address the nominal performance of E/E systems.
This document specifies the requirements for the concept phase for automotive applications, including
the following:
— item definition;
— hazard analysis and risk assessment; and
— functional safety concept.
Annex A provides an overview on objectives, prerequisites and work products of this document.
2 Normative references
The following documents are referred to in the text in such a way that some or all of their content
constitutes requirements of this document. For dated references, only the edition cited applies. For
undated references, the latest edition of the referenced document (including any amendments) applies.
ISO 26262-1, Road Vehicles — Functional Safety — Part 1: Vocabulary
ISO 26262-2:2018, Road Vehicles — Functional Safety — Part 2: Management of functional safety
ISO 26262-4:2018, Road vehicles — Functional safety — Part 4: Product development at the system level
ISO 26262-8:2018, Road vehicles — Functional safety — Part 8: Supporting processes
ISO 26262-9:2018, Road vehicles — Functional safety — Part 9: Automotive Safety Integrity Level (ASIL)-
oriented and safety-oriented analyses
3 Terms and definitions
For the purposes of this document, the terms, definitions and abbreviated terms given in
ISO 26262-1 apply.
ISO and IEC maintain terminological databases for use in standardization at the following addresses:
— IEC Electropedia: available at http://www.electropedia.org/
— ISO Online browsing platform: available at https://www.iso.org/obp
4 Requirements for compliance
4.1 Purpose
This clause describes how:
a) to achieve compliance with the ISO 26262 series of standards;
b) to interpret the tables used in the ISO 26262 series of standards; and
c) to interpret the applicability of each clause, depending on the relevant ASIL(s).
4.2 General requirements
When claiming compliance with the ISO 26262 series of standards, each requirement shall be met,
unless one of the following applies:
a) tailoring of the safety activities in accordance with ISO 26262-2 has been performed that shows
that the requirement does not apply; or
b) a rationale is available that the non-compliance is acceptable and the rationale has been evaluated
in accordance with ISO 26262-2.
Informative content, including notes and examples, is only for guidance in understanding, or for
clarification of the associated requirement, and shall not be interpreted as a requirement itself or as
complete or exhaustive.
The results of safety activities are given as work products. “Prerequisites” are information which shall
be available as work products of a previous phase. Given that certain requirements of a clause are
ASIL-dependent or may be tailored, certain work products may not be needed as prerequisites.
“Further supporting information” is information that can be considered, but which in some cases is not
required by the ISO 26262 series of standards as a work product of a previous phase and which may be
made available by external sources that are different from the persons or organizations responsible for
the functional safety activities.
4.3 Interpretations of tables
Tables are normative or informative depending on their context. The different methods listed in a table
contribute to the level of confidence in achieving compliance with the corresponding requirement. Each
method in a table is either:
a) a consecutive entry (marked by a sequence number in the leftmost column, e.g. 1, 2, 3); or
b) an alternative entry (marked by a number followed by a letter in the leftmost column, e.g. 2a, 2b, 2c).
For consecutive entries, all listed highly recommended and recommended methods in accordance with
the ASIL apply. It is allowed to substitute a highly recommended or recommended method by others
not listed in the table, in this case, a rationale shall be given describing why these comply with the
corresponding requirement. If a rationale can be given to comply with the corresponding requirement
without choosing all entries, a further rationale for omitted methods is not necessary.
For alternative entries, an appropriate combination of methods shall be applied in accordance with the
ASIL indicated, independent of whether they are listed in the table or not. If methods are listed with
different degrees of recommendation for an ASIL, the methods with the higher recommendation should
be preferred. A rationale shall be given that the selected combination of methods or even a selected
single method complies with the corresponding requirement.
NOTE A rationale based on the methods listed in the table is sufficient. However, this does not imply a bias
for or against methods not listed in the table.
For each method, the degree of recommendation to use the corresponding method depends on the ASIL
and is categorized as follows:
— “++” indicates that the method is highly recommended for the identified ASIL;
— “+” indicates that the method is recommended for the identified ASIL; and
— “o” indicates that the method has no recommendation for or against its usage for the identified ASIL.
4.4 ASIL-dependent requirements and recommendations
The requirements or recommendations of each sub-clause shall be met for ASIL A, B, C and D, if not
stated otherwise. These requirements and recommendations refer to the ASIL of the safety goal.
If ASIL decomposition has been performed at an earlier stage of development, in accordance with
ISO 26262-9:2018, Clause 5, the ASIL resulting from the decomposition shall be met.
If an ASIL is given in parentheses in the ISO 26262 series of standards, the corresponding sub-clause
shall be considered as a recommendation rather than a requirement for this ASIL. This has no link with
the parenthesis notation related to ASIL decomposition.
4.5 Adaptation for motorcycles
For items or elements of motorcycles for which requirements of ISO 26262-12 are applicable,
the requirements of ISO 26262-12 supersede the corresponding requirements in this document.
Requirements of ISO 26262-2 that are superseded by ISO 26262-12 are defined in Part 12.
4.6 Adaptation for trucks, buses, trailers and semi-trailers
Content that is intended to be unique for trucks, buses, trailers and semi-trailers (T&B) is indicated
as such.
5 Item definition
5.1 Objectives
The objectives of this clause are:
a) to define and describe the item, its functionality, dependencies on, and interaction with, the driver,
the environment and other items at the vehicle level; and
b) to support an adequate understanding of the item so that the activities in subsequent phases can be
performed.
5.2 General
This clause lists the requirements and recommendations for establishing the definition of the item,
including its functionality, interfaces, environmental conditions, legal requirements and hazards.
This definition serves to provide sufficient information about the item to the persons who conduct the
subsequent sub-phases: “Hazard analysis and risk assessment” (see Clause 6) and “Functional safety
concept” (see Clause 7).
NOTE Table A.1 provides an overview of objectives, prerequisites and work products of the concept phase.
5.3 Inputs to this clause
5.3.1 Prerequisites
None.
5.3.2 Further supporting information
The following information can be considered:
— any information that already exists concerning the item, e.g. a product idea, a project sketch, relevant
patents, the results of pre-trials, the documentation from predecessor items, relevant information
on other items.
5.4 Requirements and recommendations
5.4.1 The requirements of the item shall be made available, including:
NOTE 1 Requirements can be classified as safety-related after safety goals and their respective ASIL have
been defined.
NOTE 2 If the functional and non-functional requirements are not already available, their generation can be
triggered by the requirements of this clause.
a) legal requirements, national and international standards;
b) the functional behaviour at the vehicle level, including the operating modes or states;
c) the required quality, performance and availability of the functionality, if applicable;
d) constraints regarding the item such as functional dependencies, dependencies on other items, and
the operating environment;
e) potential consequences of behavioural shortfalls including known failure modes and hazards, if
any; and
NOTE 3 This can include known safety-related incidents including similar items.
f) the capabilities of the actuators, or their assumed capabilities.
NOTE 4 These values (e.g. torque output, force exerted, speed of operation, brightness, loudness), or their
estimates, are necessary to determine the magnitude of the effect when performing the hazard analysis and
risk assessment. The magnitude of the effect is taken into account when deciding the values of severity and
controllability.
5.4.2 The boundary of the item, its interfaces, and the assumptions concerning its interaction with
other items and elements, shall be defined considering:
a) the elements of the item;
NOTE 1 The elements can also be based on other technology.
b) the assumptions concerning the effects of the item's behaviour on the vehicle;
c) the functionality of the item under consideration required by other items and elements;
d) the functionality of other items and elements required by the item under consideration;
e) the allocation and distribution of functions among the involved systems and elements; and
f) the operational scenarios which impact the functionality of the item.
NOTE 2 With increasing complexity of vehicle functions, there are dependencies between items. One item can
be realized by an array of systems that themselves implement other vehicle level functions, i.e. can be considered
as items in their own right.
EXAMPLE A combined adaptive cruise control and lane keeping assist function is implemented in a braking
system, a steering system and a propulsion system. In this example the braking system implements the service
braking function, which can be considered an item in its own right.
NOTE 3 If the scope of the development is an element and not an item, then refer to ISO 26262-2:2018, 6.4.5.7.
5.5 Work products
5.5.1 Item definition resulting from requirements in 5.4.
6 Hazard analysis and risk assessment
6.1 Objectives
The objectives of this clause are:
a) to identify and to classify the hazardous events caused by malfunctioning behaviour of the item; and
b) to formulate the safety goals with their corresponding ASILs related to the prevention or mitigation
of the hazardous events, in order to avoid unreasonable risk.
6.2 General
Hazard analysis, risk assessment and ASIL determination are used to determine the safety goals for the
item. For this, the item is evaluated with regard to its potential hazardous events. Safety goals and their
assigned ASIL are determined by a systematic evaluation of hazardous events. The ASIL is determined
by considering severity, probability of exposure and controllability. It is based on the item’s functional
behaviour; therefore, the detailed design of the item does not need to be known.
6.3 Inputs to this clause
6.3.1 Prerequisites
The following information shall be available:
— item definition in accordance with 5.5.1.
6.3.2 Further supporting information
The following information can be considered:
— relevant information on other items (from an external source).
6.4 Requirements and recommendations
6.4.1 Initiation of the hazard analysis and risk assessment
6.4.1.1 The hazard analysis and risk assessment shall be based on the item definition.
6.4.1.2 The item without internal safety mechanisms shall be evaluated during the hazard analysis
and risk assessment, i.e. safety mechanisms intended to be implemented or that have already been
implemented in predecessor items shall not be considered in the hazard analysis and risk assessment.
NOTE 1 In the evaluation of an item, available and sufficiently independent external measures can be
beneficial.
EXAMPLE Electronic stability control can mitigate the effect of failures in chassis systems by increasing the
controllability for the driver if it is shown to be available and independent from the item under evaluation.
NOTE 2 Safety mechanisms of the item that are intended to be implemented or that have already been
implemented are incorporated as part of the functional safety concept.
6.4.2 Situation analysis and hazard identification
6.4.2.1 The operational situations and operating modes in which an item's malfunctioning behaviour
will result in a hazardous event shall be described; both when the vehicle is correctly used and when it is
incorrectly used in a reasonably foreseeable way.
NOTE 1 Operational situations describe conditions within which the item is assumed to behave in a safe manner.
NOTE 2 Hazards resulting only from the item behaviour, in the absence of any item failure, are outside the
scope of this document.
6.4.2.2 The hazards shall be determined systematically based on possible malfunctioning behaviour of
the item.
NOTE 1 FMEA approaches and HAZOP are suitable to support hazard identification at the item level. These
can be supported by brainstorming, checklists, quality history, and field studies.
NOTE 2 The responsibility to establish external measures to mitigate the additional risks from transporting
goods is outside of the scope of ISO 26262. Therefore, the additional risks related to the transport of goods are
not part of the hazard analysis and risk assessment.
6.4.2.3 Hazards caused by malfunctioning behaviour of the item shall be defined at the vehicle level.
NOTE 1 In general, each hazard will have a variety of potential causes related to the item's implementation,
but these causes do not need to be considered in the hazard analysis and risk assessment for the analysis of the
malfunctioning behaviour.
NOTE 2 Only hazards associated with malfunctioning behaviour of the item are considered; every other
system (external measure) is presumed to be functioning correctly provided it is sufficiently independent.
6.4.2.4 If there are hazards identified in this clause that are outside of the scope of ISO 26262 (see
Clause 1), then these hazards shall be addressed according to organization specific procedures.
NOTE As these hazards are outside the scope of ISO 26262, this document does not provide guidance for
ASIL compliance of these hazards. Such hazards are classified according to the procedures of the applicable
safety discipline.
6.4.2.5 Relevant hazardous events shall be determined.
6.4.2.6 The consequences of hazardous events shall be identified.
NOTE If malfunctioning behaviour induces the loss of several functions of the item, then the situation
analysis and hazard identification consider the combined effects.
EXAMPLE 1 Loss of the functionality of a braking system (ESC) can lead to the simultaneous unavailability of
driver assistance functions.
EXAMPLE 2 Failure of the vehicle's electrical power supply system can lead to a simultaneous loss of a number
of functions including "engine torque", "power assisted steering" and "forward illumination".
6.4.2.7 It shall be ensured that the chosen level of detail of the list of operational situations does not
lead to an inappropriate lowering of the ASIL.
NOTE A very detailed list of operational situations (see 6.4.2.1) for one hazard, with regard to the
vehicle state, road conditions and environmental conditions, can lead to a fine granularity of situations for
the classification of hazardous events. This can make it easier to rate controllability and severity. However, a
larger number of different operational situations can lead to a consequential reduction of the respective classes
of exposure, and thus to an inappropriate lowering of the ASIL. This can be avoided by aggregating similar
situations.
6.4.3 Classification of hazardous events
6.4.3.1 All hazardous events identified in 6.4.2 shall be classified, except those that are outside the
scope of ISO 26262.
NOTE If classification of a given hazard with respect to severity (S), probability of exposure (E) or
controllability (C) is difficult to make, it is classified conservatively, i.e. whenever there is a reasonable doubt, a
higher S, E or C classification is chosen.
6.4.3.2 The severity of potential harm shall be estimated based on a defined rationale for each
hazardous event. The severity shall be assigned to one of the severity classes S0, S1, S2 or S3 in accordance
with Table 1.
NOTE 1 The risk assessment of hazardous events focuses on the harm to each person potentially at risk –
including the driver or the passengers of the vehicle causing the hazardous event, and other persons potentially
at risk such as cyclists, pedestrians or occupants of other vehicles. The description of the Abbreviated Injury
Scale (AIS) can be used for characterising the severity and can be found in Annex B, along with informative
examples of different types of severity and accidents.
NOTE 2 The severity class can be based on a combination of injuries, and this can lead to a higher classification
of the severity than would result from just looking at a single injury.
NOTE 3 The estimate considers reasonable sequences of events for the operational situation being evaluated.
NOTE 4 The severity classification is based on a representative sample of persons at risk.
Table 1 — Classes of severity
Class  Description
S0     No injuries
S1     Light and moderate injuries
S2     Severe and life-threatening injuries (survival probable)
S3     Life-threatening injuries (survival uncertain), fatal injuries
6.4.3.3 There are operational situations that result in harm (e.g. an accident). A subsequent
malfunctioning behaviour of the item in such an operational situation can increase, or fail to decrease, the
resulting harm. In this case the classification of the severity may be limited to the difference between the
severity caused by the initial operational situation (e.g. the accident) and the malfunctioning behaviour
of the item.
EXAMPLE 1 If an accident occurs which is not caused by the malfunctioning behaviour of an item, the resulting
harm from the accident is not considered for the classification of the severity.
EXAMPLE 2 The item under consideration includes an airbag functionality to reduce harm caused by the
crash. For an accident in which the airbag fails to deploy, the harm caused by the crash can be determined. If a
correctly operating airbag would have reduced the harm of the same accident to a lower severity class, then only
the difference is considered for the severity classification.
6.4.3.4 The severity class S0 may be assigned if the hazard analysis and risk assessment determines
that the consequences of a malfunctioning behaviour of the item are clearly limited to material damage.
If a hazardous event is assigned severity class S0, no ASIL assignment is required.
6.4.3.5 The probability of exposure of each operational situation shall be estimated based on a defined
rationale for each hazardous event. The probability of exposure shall be assigned to one of the probability
classes, E0, E1, E2, E3 or E4 in accordance with Table 2.
NOTE 1 For classes E1 to E4, the difference in probability from one E class to the next is an order of magnitude.
NOTE 2 The exposure determination is based on a representative sample of operational situations for the
target markets.
NOTE 3 For further information and examples related to the probability of exposure see Annex B.
Table 2 — Classes of probability of exposure regarding operational situations
Class  Description
E0     Incredible
E1     Very low probability
E2     Low probability
E3     Medium probability
E4     High probability
6.4.3.6 The number of vehicles equipped with the item shall not be considered when estimating the
probability of exposure.
NOTE The evaluation of the probability of exposure is performed assuming each vehicle is equipped with
the item. This means that the argument “the probability of exposure can be reduced, because the item is not
present in every vehicle (as only some vehicles are equipped with the item)” is not valid.
6.4.3.7 Class E0 may be used for those operational situations that are suggested during hazard analysis
and risk assessment, but that are considered incredible, and therefore not explored further. A rationale
shall be recorded for the exclusion of these situations. If a hazardous event is assigned exposure class E0,
no ASIL assignment is required.
EXAMPLE E0 can be used in the case of “force majeure” risk (see B.3).
6.4.3.8 The controllability of each hazardous event, by the driver or other persons involved in the
operational situation shall be estimated based on a defined rationale for each hazardous event. The
controllability shall be assigned to one of the controllability classes C0, C1, C2 or C3 in accordance with
Table 3.
NOTE 1 For classes C1 to C3, the difference in probability from one C class to the next is an order of magnitude.
NOTE 2 The evaluation of the controllability is an estimate of the probability that someone is able to gain
sufficient control of the hazardous event, such that they are able to avoid the specific harm. For this purpose,
the parameter C is used, with the classes C0, C1, C2 and C3, to classify the potential of avoiding harm. It is
assumed that the driver is in an appropriate condition to drive (e.g. they are not tired), has the appropriate driver
training (they have a driver's licence) and is complying with the applicable legal regulations, including due care
requirements to avoid risks to other traffic participants. Some examples, which serve as an interpretation of
these classes, are listed in Table B.6.
NOTE 3 Reasonably foreseeable misuse is considered, e.g. “not keeping the required distance to the vehicle in
front as a common behaviour”.
NOTE 4 Where the hazardous event is not related to the control of the vehicle direction and speed, e.g.
potential limb entrapment in moving parts, the controllability can be an estimate of the probability that the
person at risk is able to remove themselves, or to be removed by others from the hazardous situation. When
considering controllability, note that the person at risk might not be familiar with the operation of the item or
may not be aware that a potentially hazardous situation evolves.
NOTE 5 When controllability involves the actions of multiple traffic participants, the controllability
assessment can be based on the controllability of the vehicle with the malfunctioning item and the assumed
action of other participants.
Table 3 — Classes of controllability
Class  Description
C0     Controllable in general
C1     Simply controllable
C2     Normally controllable
C3     Difficult to control or uncontrollable
6.4.3.9 Class C0 may be used for hazards addressing the unavailability of the item if they do not affect
the safe operation of the vehicle (e.g. some driver assistance systems) or if an accident can be avoided
by routine driver actions. If a hazardous event is assigned controllability class C0, no ASIL assignment is
required.
EXAMPLE 1 If loss of propulsion occurs in the garage when attempting to drive away from the house, C0 can
be chosen as any driver can put the car back in park.
NOTE Dedicated regulations that specify a functional performance with regard to the applicable hazardous
event can be used as part of a rationale when selecting a suitable controllability class, if applicable, and supported
by evidence, e.g. real usage experience.
EXAMPLE 2 A dedicated regulation that covers the requirements for the certification of a vehicle system with
a precise definition of forces or acceleration values in the case of a failure.
6.4.3.10 An ASIL shall be determined for each hazardous event based on the classification of severity,
probability of exposure and controllability, in accordance with Table 4.
NOTE 1 Four ASILs are defined: ASIL A, ASIL B, ASIL C and ASIL D, where ASIL A is the lowest safety integrity
level and ASIL D the highest one.
NOTE 2 In addition to these four ASILs, the class QM (quality management) denotes no requirement to comply
with ISO 26262. Nevertheless, the corresponding hazardous event can have consequences with regards to safety
and safety requirements can be formulated in this case. The classification QM indicates that quality processes
are sufficient to manage the identified risk.
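As an added example (not text from the standard), the classification steps of 6.4.3.2 to 6.4.3.10 and the granularity caveat of 6.4.2.7 carried through in Python. Table 4 is referenced above but not reproduced on this page, so the ASIL mapping in the code is entered by the editor from ISO 26262-3:2018; the hazard, operational situations and S/E/C ratings are constructed for illustration only.

```python
from dataclasses import dataclass

# Class descriptions as given in Tables 1 to 3 of this page.
SEVERITY = {0: "No injuries", 1: "Light and moderate injuries",
            2: "Severe and life-threatening injuries (survival probable)",
            3: "Life-threatening injuries (survival uncertain), fatal injuries"}
EXPOSURE = {0: "Incredible", 1: "Very low probability", 2: "Low probability",
            3: "Medium probability", 4: "High probability"}
CONTROLLABILITY = {0: "Controllable in general", 1: "Simply controllable",
                   2: "Normally controllable",
                   3: "Difficult to control or uncontrollable"}

# Table 4 (ASIL determination) is referenced on this page but not reproduced.
# The mapping below is Table 4 of ISO 26262-3:2018 as entered by the editor, not
# text from this page: key = S class, inner key = E class, value = ASIL for
# C1, C2, C3 in that order.
ASIL_TABLE = {
    1: {1: ("QM", "QM", "QM"), 2: ("QM", "QM", "QM"), 3: ("QM", "QM", "A"), 4: ("QM", "A", "B")},
    2: {1: ("QM", "QM", "QM"), 2: ("QM", "QM", "A"), 3: ("QM", "A", "B"), 4: ("A", "B", "C")},
    3: {1: ("QM", "QM", "A"), 2: ("QM", "A", "B"), 3: ("A", "B", "C"), 4: ("B", "C", "D")},
}
ASIL_ORDER = ("QM", "A", "B", "C", "D")  # lowest to highest integrity level


@dataclass(frozen=True)
class HazardousEvent:
    hazard: str      # vehicle-level hazard (6.4.2.3)
    situation: str   # operational situation (6.4.2.1)
    s: int           # severity class S0..S3 (Table 1)
    e: int           # exposure class E0..E4 (Table 2)
    c: int           # controllability class C0..C3 (Table 3)
    rationale: str   # defined rationale required by 6.4.3.2, 6.4.3.5 and 6.4.3.8


def determine_asil(ev: HazardousEvent) -> str:
    """ASIL for one classified hazardous event (6.4.3.10)."""
    for name, value, table in (("S", ev.s, SEVERITY), ("E", ev.e, EXPOSURE),
                               ("C", ev.c, CONTROLLABILITY)):
        if value not in table:
            raise ValueError(f"{name}{value} is not a class defined in Tables 1 to 3")
    # 6.4.3.4, 6.4.3.7 and 6.4.3.9: S0, E0 or C0 means no ASIL assignment is
    # required; this example reports that case as QM (an editorial assumption).
    if 0 in (ev.s, ev.e, ev.c):
        return "QM"
    return ASIL_TABLE[ev.s][ev.e][ev.c - 1]


def conservative_class(candidates) -> int:
    """6.4.3.1 NOTE: when a rating is in reasonable doubt, take the higher class."""
    return max(candidates)


def granularity_check(aggregated, fine_grained):
    """6.4.2.7: detect whether splitting one operational situation into many
    fine-grained ones (each rated with a lower E class) lowered the ASIL.
    Returns (ASIL of the aggregated event, highest ASIL among the split events,
    True if the split produced a lower ASIL than the aggregated rating)."""
    agg = determine_asil(aggregated)
    split = max((determine_asil(ev) for ev in fine_grained), key=ASIL_ORDER.index)
    return agg, split, ASIL_ORDER.index(split) < ASIL_ORDER.index(agg)


# Constructed sample ratings for illustration only; they are not ratings taken
# from the standard and must not be reused as real HARA results.
AGGREGATED = HazardousEvent(
    "Unintended loss of service braking", "driving on a wet road", 3, 3, 2,
    "wet roads taken as medium exposure; S3 as survival uncertain; C2 normally controllable")
FINE_GRAINED = [
    HazardousEvent("Unintended loss of service braking", f"driving on a wet road, {sub}",
                   3, 2, 2, "each sub-situation on its own rated as low exposure")
    for sub in ("daytime", "night", "urban", "rural")
]

if __name__ == "__main__":
    print(determine_asil(AGGREGATED))               # B for the aggregated situation
    print(granularity_check(AGGREGATED, FINE_GRAINED))  # ('B', 'A', True): split lowered the ASIL
```

The last call shows the effect the NOTE under 6.4.2.7 warns about: the same hazard rated over four narrower situations, each one class lower in exposure, drops from ASIL B to ASIL A until the situations are aggregated again.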
...
ISO 26262-3:2018 is a pivotal standard within the ISO 26262 series, focusing specifically on the concept phase of functional safety for road vehicles that incorporate electrical and/or electronic (E/E) systems. The standard's scope is comprehensive, addressing safety-related systems installed in series production road vehicles while delineating clear boundaries by excluding mopeds and specific E/E systems in special vehicles. This precision ensures that the document serves its intended audience effectively, targeting standard automobile manufacturers and developers involved in safety-critical projects.

One of the strengths of ISO 26262-3:2018 lies in its structured approach to integrating functional safety into the development lifecycle of automotive applications. It establishes a robust framework that aids organizations in harmonizing their development activities with functional safety principles. This is especially important for E/E systems, as it encompasses the necessary requirements for the concept phase, including item definition, hazard analysis, and risk assessment, culminating in the development of a functional safety concept. This structured methodology fosters a clear pathway for scalability and adaptation in diverse automotive contexts.

The relevance of ISO 26262-3:2018 cannot be overstated, particularly as the automotive industry witnesses a constant evolution toward increasingly automated and interconnected vehicles. By mandating a thorough hazard analysis and risk assessment, the standard prepares organizations to preemptively identify and mitigate potential risks associated with the malfunctioning behavior of safety-related E/E systems. The emphasis on tailoring the safety lifecycle for alterations in existing systems ensures that the standard can adapt to technological advancements and integration of newer systems, a crucial aspect in the dynamic automotive landscape.
Moreover, the standard highlights process requirements that affirm an organization's capabilities concerning functional safety, making it invaluable for those seeking to enhance their operational processes and product reliability. The explicit focus on the integration of both existing and newly developed systems supports a holistic view of safety, catering to an industry increasingly dependent on sophisticated E/E systems for functionality and safety. ISO 26262-3:2018 stands out as a vital resource, providing the clarity and structure necessary for organizations to implement effective functional safety measures, thereby contributing significantly to the overall safety of road vehicles equipped with intricate E/E systems.