ISO 26262-10:2018
Road vehicles — Functional safety — Part 10: Guidelines on ISO 26262
This document is intended to be applied to safety-related systems that include one or more electrical and/or electronic (E/E) systems and that are installed in series production road vehicles, excluding mopeds. This document does not address unique E/E systems in special vehicles such as E/E systems designed for drivers with disabilities.
NOTE Other dedicated application-specific safety standards exist and can complement the ISO 26262 series of standards or vice versa.
Systems and their components released for production, or systems and their components already under development prior to the publication date of this document, are exempted from the scope of this edition. This document addresses alterations to existing systems and their components released for production prior to the publication of this document by tailoring the safety lifecycle depending on the alteration. This document addresses integration of existing systems not developed according to this document and systems developed according to this document by tailoring the safety lifecycle.
This document addresses possible hazards caused by malfunctioning behaviour of safety-related E/E systems, including interaction of these systems. It does not address hazards related to electric shock, fire, smoke, heat, radiation, toxicity, flammability, reactivity, corrosion, release of energy and similar hazards, unless directly caused by malfunctioning behaviour of safety-related E/E systems.
This document describes a framework for functional safety to assist the development of safety-related E/E systems. This framework is intended to be used to integrate functional safety activities into a company-specific development framework. Some requirements have a clear technical focus to implement functional safety into a product; others address the development process and can therefore be seen as process requirements in order to demonstrate the capability of an organization with respect to functional safety.
This document does not address the nominal performance of E/E systems.
This document provides an overview of the ISO 26262 series of standards, as well as giving additional explanations, and is intended to enhance the understanding of the other parts of the ISO 26262 series of standards. It has an informative character only and describes the general concepts of the ISO 26262 series of standards in order to facilitate comprehension. The explanation expands from general concepts to specific contents. In the case of inconsistencies between this document and another part of the ISO 26262 series of standards, the requirements, recommendations and information specified in the other part of the ISO 26262 series of standards apply.
Véhicules routiers — Sécurité fonctionnelle — Partie 10: Lignes directrices relatives à l'ISO 26262
Standards Content (Sample)
INTERNATIONAL STANDARD
ISO 26262-10
Second edition
2018-12
Road vehicles — Functional safety —
Part 10:
Guidelines on ISO 26262
Véhicules routiers — Sécurité fonctionnelle —
Partie 10: Lignes directrices relatives à l'ISO 26262
Reference number
© ISO 2018
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may
be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting
on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address
below or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Fax: +41 22 749 09 47
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
Contents
Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Key concepts of ISO 26262
4.1 Functional safety for automotive systems (relationship with IEC 61508[1])
4.2 Item, system, element, component, hardware part and software unit
4.3 Relationship between faults, errors and failures
4.3.1 Progression of faults to errors to failures
4.4 FTTI and emergency operation tolerant time interval
4.4.1 Introduction
4.4.2 Timing model — Example control system
5 Selected topics regarding safety management
5.1 Work product
5.2 Confirmation measures
5.2.1 General
5.2.2 Functional safety assessment
5.3 Understanding of safety cases
5.3.1 Interpretation of safety cases
5.3.2 Safety case development lifecycle
6 Concept phase and system development
6.1 General
6.2 Example of hazard analysis and risk assessment
6.2.1 General
6.2.2 HARA example 1
6.2.3 HARA example 2
6.3 An observation regarding controllability classification
6.4 External measures
6.4.1 General
6.4.2 Example of vehicle dependent external measures 1
6.4.3 Example of vehicle dependent external measures 2
6.5 Example of combining safety goals
6.5.1 Introduction
6.5.2 General
6.5.3 Function definition
6.5.4 Safety goals applied to the same hazard in different situations
7 Safety process requirement structure — Flow and sequence of the safety requirements
8 Concerning hardware development
8.1 The classification of random hardware faults
8.1.1 General
8.1.2 Single-point fault
8.1.3 Residual fault
8.1.4 Detected dual-point fault
8.1.5 Perceived dual-point fault
8.1.6 Latent dual-point fault
8.1.7 Safe fault
8.1.8 Flow diagram for fault classification and fault class contribution calculation
8.1.9 How to consider the failure rate of multiple-point faults related to software-based safety mechanisms addressing random hardware failures
8.2 Example of residual failure rate and local single-point fault metric evaluation
8.2.1 General
8.2.2 Technical safety requirement for sensor A_Master
8.2.3 Description of the safety mechanism
8.2.4 Evaluation of example 1 described in Figure 12
8.3 Further explanation concerning hardware
8.3.1 How to deal with microcontrollers in the context of an ISO 26262 series of standards application
8.3.2 Safety analysis methods
8.4 PMHF units — Average probability per hour
9 Safety Element out of Context
9.1 Safety Element out of Context development
9.2 Use cases
9.2.1 General
9.2.2 Development of a system as a Safety Element out of Context example
9.2.3 Development of a hardware component as a Safety Element out of Context example
9.2.4 Development of a software component as a Safety Element out of Context example
10 An example of proven in use argument
10.1 General
10.2 Item definition and definition of the proven in use candidate
10.3 Change analysis
10.4 Target values for proven in use
11 Concerning ASIL decomposition
11.1 Objective of ASIL decomposition
11.2 Description of ASIL decomposition
11.3 An example of ASIL decomposition
11.3.1 General
11.3.2 Item definition
11.3.3 Hazard analysis and risk assessment
11.3.4 Associated safety goal
11.3.5 System architectural design
...