ISO 26262 and IEC 61508

FuSa Standards


Functional safety features form an integral part of each automotive product development phase, ranging from the specification, to design, implementation, integration, verification, validation, and production release. The standard ISO 26262 is an adaptation of the Functional Safety standard IEC 61508 for Automotive Electric/Electronic Systems. ISO 26262 defines functional safety for automotive equipment applicable throughout the life-cycle of all automotive electronic and electrical safety-related systems.

The first edition, published on 11 November 2011, is intended to be applied to electrical and/or electronic systems installed in “series production passenger cars” with a maximum gross weight of 3500 kg. It aims to address possible hazards caused by the malfunctioning behaviour of electronic and electrical systems.

Although entitled “Road vehicles – Functional safety” the standard relates to the functional safety of Electrical and Electronic systems as well as that of systems as a whole or of their mechanical subsystems.

Like its parent standard, IEC 61508, ISO 26262 is a risk-based safety standard, where the risk of hazardous operational situations is qualitatively assessed and safety measures are defined to avoid or control systematic failures and to detect or control random hardware failures, or mitigate their effects.

Goals of ISO 26262:

  • Provides an automotive safety life-cycle (management, development, production, operation, service, decommissioning) and supports tailoring the necessary activities during these life-cycle phases.
  • Covers functional safety aspects of the entire development process (including such activities as requirements specification, design, implementation, integration, verification, validation, and configuration).
  • Provides an automotive-specific risk-based approach for determining risk classes Automotive Safety Integrity Levels (ASIL).
  • Uses ASILs for specifying the item’s necessary safety requirements for achieving an acceptable residual risk.
  • Provides requirements for validation and confirmation measures to ensure a sufficient and acceptable level of safety is being achieved


IEC 61508 is an international standard published by the International Electrotechnical Commission of rules applied in industry. It is titled Functional Safety of Electrical/Electronic/Programmable Electronic Safety-related Systems (E/E/PE, or E/E/PES).

IEC 61508 is intended to be a basic functional safety standard applicable to all kinds of industry. It defines functional safety as: “part of the overall safety relating to the EUC (Equipment Under Control) and the EUC control system which depends on the correct functioning of the E/E/PE safety-related systems, other technology safety-related systems and external risk reduction facilities.”

The standard covers the complete safety life-cycle, and may need interpretation to develop sector specific standards. It has its origins in the process control industry.

The safety life cycle has 16 phases which roughly can be divided into three groups as follows:

  1. Phases 1–5 address analysis
  2. Phases 6–13 address realisation
  3. Phases 14–16 address operation.

All phases are concerned with the safety function of the system.

The standard has seven parts:

  • Parts 1–3 contain the requirements of the standard (normative)
  • Parts 4–7 are guidelines and examples for development and thus informative.

Central to the standard are the concepts of risk and safety function. The risk is a function of frequency (or likelihood) of the hazardous event and the event consequence severity. The risk is reduced to a tolerable level by applying safety functions which may consist of E/E/PES or other technologies. While other technologies may be employed in reducing the risk, only those safety functions relying on E/E/PES are covered by the detailed requirements of IEC 61508.

IEC 61508 has the following views on risks:

  • Zero risk can never be reached
  • Safety must be considered from the beginning
  • Non-tolerable risks must be reduced (ALARP)