ISO 26262-1:2018 Road Vehicles — Functional Safety — Part 1: Vocabulary

Comprehensive Guide to Automotive Functional Safety Terminology — ASIL, Safety Goals, FTTI, and More

1. Understanding the Scope of ISO 26262-1:2018

ISO 26262-1:2018 serves as the foundational vocabulary standard for the entire ISO 26262 series, which addresses functional safety of electrical and/or electronic (E/E) systems in road vehicles. This second edition, published in December 2018, replaces the first edition from 2011 and introduces significant expansions to reflect the evolving complexity of automotive systems.

The standard is the automotive-sector-specific adaptation of IEC 61508, tailored to series-production road vehicles including passenger cars, trucks, buses, trailers, and semi-trailers; motorcycles are addressed through the adaptations in ISO 26262-12, while mopeds are explicitly excluded from the scope. The vocabulary defined in this part is essential for consistent interpretation across all other parts of the ISO 26262 series, ensuring that engineers, managers, and assessors communicate with precision when discussing safety concepts.

When developing safety-related systems, always refer to ISO 26262-1 first to establish a shared terminology across your team. Misunderstandings about terms like “safety goal” or “ASIL decomposition” are a common source of rework in functional safety projects.

Key terms defined include Automotive Safety Integrity Level (ASIL), with four levels from A to D where D represents the most stringent requirements. The standard clarifies that QM (Quality Management) is not an ASIL but represents a baseline level where standard quality processes suffice. The vocabulary also covers critical concepts such as fault-tolerant time interval (FTTI), safe state, safety mechanism, and dependent failure analysis, all of which are fundamental to implementing functional safety in practice.

Term | Definition | Practical significance
ASIL (Automotive Safety Integrity Level) | One of four levels (A to D) specifying the ISO 26262 requirements that apply to an item or element | Determines the rigour of safety measures; ASIL D requires the most stringent development and validation
Safety Goal | Top-level safety requirement derived for each hazardous event identified in the HARA | Basis for all derived safety requirements and for the validation targets
FTTI (Fault Tolerant Time Interval) | Minimum time from the occurrence of a fault in the item to a possible hazardous event, if no safety mechanism is activated | Bounds the detection and reaction time the safety mechanisms must achieve before reaching or maintaining the safe state
ASIL Decomposition | Apportioning of redundant safety requirements to sufficiently independent elements | Enables a systematic reduction of the ASIL of the requirements allocated to the individual elements
Safety Case | Argument, with supporting evidence, that functional safety is achieved for an item | Required input to the release-for-production decision
Systematic Failure | Failure related in a deterministic way to a cause in the specification, design, or manufacturing process | Mitigated through process rigour, reviews, and verification
Random Hardware Failure | Failure occurring unpredictably during the lifetime of a hardware element and following a probability distribution | Mitigated through safety mechanisms and evaluated with the hardware architectural metrics

2. Key Conceptual Framework

The standard establishes the relationship between faults, errors, and failures as a causal chain: a fault (abnormal condition) can lead to an error (deviation from correctness), which in turn can lead to a failure (loss of ability to perform a required function). Understanding this progression is critical for designing effective safety mechanisms that break the chain before a hazardous event occurs.

A common engineering pitfall is conflating "fault tolerance" with "fault avoidance". Fault tolerance is the ability to deliver the specified functionality in the presence of one or more specified faults, and is achieved with redundancy and safety mechanisms; fault avoidance means faults are designed out, and is achieved with process rigour, reviews, and verification. ISO 26262-1 treats these as distinct concepts, and they require different approaches: a rigorous process does not make a design tolerant of random hardware faults, and redundancy does not remove a systematic fault that both redundant elements share.

The 2018 edition introduced several important new terms reflecting the expanded scope of the standard. "Base vehicle" and "body builder equipment" were added to support the new coverage of trucks, buses, and commercial vehicles. The handling of safety anomalies was made more explicit, and references to cybersecurity were incorporated to acknowledge the increasing convergence of safety and security in modern vehicle architectures: ISO 26262-2:2018 Annex E gives guidance on the interaction between functional safety and cybersecurity, and the detailed cybersecurity engineering process is the subject of the companion standard ISO/SAE 21434, which is designed to be used alongside ISO 26262. The vocabulary now runs to around 185 defined terms, a significant expansion from the 2011 edition.

Hardware-related terms received particular attention in the update. “Base failure rate” (BFR), “failure mode coverage,” and “diagnostic coverage” are clearly defined to support quantitative hardware evaluation. The standard also clarifies the relationship between “probabilistic metric for random hardware failures” (PMHF) and the target values specified in ISO 26262-5, enabling engineers to perform rigorous quantitative analysis.
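The metrics named above become concrete only when they are computed over an FMEDA and compared with the targets in ISO 26262-5. The following is an added example, not code from the standard or from any project: a constructed FMEDA for a hypothetical current-sensing path (all part names, failure rates in FIT and diagnostic coverage values are invented), the single-point fault metric (SPFM) and latent fault metric (LFM) computed over it, and a simplified PMHF estimate that keeps only the single-point and residual contribution and omits the dual-point term of the Part 5 formula. The classification of non-safety-goal-violating modes as safe faults is also a simplification.

```python
"""Hardware architectural metrics and a PMHF estimate over a constructed FMEDA.

Added example, not from ISO 26262 or any project. Components, failure rates
and diagnostic coverage values are invented for illustration. Failure rates
are in FIT (1 FIT = 1e-9 failures per hour). The PMHF estimate keeps only
the single-point and residual fault contribution and omits the dual-point
term of the ISO 26262-5 formula, which is a simplification.
"""
from dataclasses import dataclass

# Targets from ISO 26262-5 (Clause 8 for SPFM/LFM, Clause 9 for PMHF).
# No metric targets are defined for ASIL A.
TARGETS = {
    "B": {"spfm": 0.90, "lfm": 0.60, "pmhf": 1e-7},
    "C": {"spfm": 0.97, "lfm": 0.80, "pmhf": 1e-7},
    "D": {"spfm": 0.99, "lfm": 0.90, "pmhf": 1e-8},
}


@dataclass
class FailureMode:
    part: str
    mode: str
    fit: float              # base failure rate apportioned to this mode, FIT
    violates_sg: bool       # can this mode alone violate the safety goal?
    dc: float = 0.0         # diagnostic coverage w.r.t. safety goal violation
    latent_dc: float = 0.0  # coverage w.r.t. latent (multiple-point) faults


def hardware_metrics(rows):
    """Return SPFM, LFM and a PMHF estimate (per hour) for the FMEDA rows."""
    lam_total = sum(r.fit for r in rows)
    # Single-point faults (no mechanism, dc == 0) plus the residual share
    # (1 - dc) of modes that a mechanism covers only partially.
    lam_spf_rf = sum(r.fit * (1.0 - r.dc) for r in rows if r.violates_sg)
    # Multiple-point faults that are covered for safety goal violation but
    # neither detected nor perceived, so they stay latent.
    lam_mpf_latent = sum(r.fit * r.dc * (1.0 - r.latent_dc)
                         for r in rows if r.violates_sg)
    spfm = 1.0 - lam_spf_rf / lam_total
    lfm = 1.0 - lam_mpf_latent / (lam_total - lam_spf_rf)
    pmhf = lam_spf_rf * 1e-9  # FIT -> failures per hour (dual-point term omitted)
    return {"spfm": spfm, "lfm": lfm, "pmhf": pmhf}


def check_targets(asil, m):
    """True/False per metric against the ISO 26262-5 target for the ASIL."""
    t = TARGETS[asil]
    return {"spfm": m["spfm"] >= t["spfm"],
            "lfm": m["lfm"] >= t["lfm"],
            "pmhf": m["pmhf"] < t["pmhf"]}


def dominant_contributors(rows, n=2):
    """Modes with the largest single-point/residual contribution, largest first."""
    scored = [(r.fit * (1.0 - r.dc), f"{r.part} {r.mode}")
              for r in rows if r.violates_sg]
    return [name for _, name in sorted(scored, reverse=True)[:n]]


# Constructed FMEDA for a hypothetical motor-current sensing path.
FMEDA = [
    FailureMode("U1 ADC", "stuck output", 10.0, True, dc=0.99, latent_dc=0.90),
    FailureMode("U1 ADC", "offset drift", 5.0, True, dc=0.90, latent_dc=0.90),
    FailureMode("R7 shunt", "open", 2.0, True, dc=0.99, latent_dc=0.90),
    FailureMode("R7 shunt", "drift", 1.0, True),                 # no mechanism: single-point
    FailureMode("C3 decoupling", "short", 3.0, True, dc=0.99, latent_dc=0.95),
    FailureMode("C3 decoupling", "open", 3.0, False),            # treated as a safe fault
    FailureMode("U2 regulator", "output low", 6.0, True, dc=0.99, latent_dc=0.99),
]

if __name__ == "__main__":
    m = hardware_metrics(FMEDA)
    print(f"SPFM={m['spfm']:.3f} LFM={m['lfm']:.3f} PMHF={m['pmhf']:.2e}/h")
    for asil in ("B", "C", "D"):
        print(asil, check_targets(asil, m))
    print("dominant:", dominant_contributors(FMEDA))
```

On this constructed data the PMHF estimate is comfortably inside even the ASIL D target, yet SPFM is only about 94 percent, so the design meets ASIL B but not C or D. The dominant contributor is the single uncovered shunt drift mode: one FIT with no safety mechanism costs more than ten FIT with 99 percent coverage, which is why the vocabulary distinguishes single-point, residual and latent faults rather than talking about "failure rate" alone.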

3. Engineering Design Insights and Practical Application

For engineering teams implementing functional safety, the vocabulary in ISO 26262-1 is not merely academic; it has direct practical implications. When conducting a hazard analysis and risk assessment (HARA), the precise definitions of "exposure," "controllability," and "severity" directly determine the ASIL rating assigned to each hazardous event. "Controllability" is the ability to avoid the specified harm through the timely reactions of the persons involved, possibly with support from external measures, and is classed from C0 (controllable in general) to C3 (difficult to control or uncontrollable). Rating a hazardous event one controllability class too optimistically lowers its ASIL by one level, or to QM, and can therefore result in inadequate safety measures for that event.
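As an added example (not part of the original page and not taken from the standard's text), the ASIL determination of ISO 26262-3 can be written down as a small lookup so that the sensitivity to each parameter is visible. The TABLE below reproduces the Part 3 ASIL determination table; the hazardous events, their names and their S/E/C ratings are constructed for a hypothetical brake-by-wire item and are not from any real HARA.

```python
"""ASIL determination from severity, exposure and controllability (HARA).

Added example, not from ISO 26262-3 or any project. TABLE reproduces the
ASIL determination table of ISO 26262-3 (Clause 6). Hazardous events and
their S/E/C ratings are constructed for illustration.
"""
from dataclasses import dataclass

# ISO 26262-3 ASIL determination: TABLE[S][E] lists the result for C1, C2, C3.
# S0 (no injuries), E0 (incredible) or C0 (controllable in general) yield
# no ASIL and are handled in determine_asil().
TABLE = {
    1: {1: "QM QM QM", 2: "QM QM QM", 3: "QM QM A", 4: "QM A B"},
    2: {1: "QM QM QM", 2: "QM QM A", 3: "QM A B", 4: "A B C"},
    3: {1: "QM QM A", 2: "QM A B", 3: "A B C", 4: "B C D"},
}
ORDER = ["QM", "A", "B", "C", "D"]


@dataclass
class HazardousEvent:
    name: str
    S: int  # severity 0..3
    E: int  # probability of exposure 0..4
    C: int  # controllability 0..3


def determine_asil(S, E, C):
    """ASIL (or 'QM') for one hazardous event from its S, E and C classes."""
    if not (0 <= S <= 3 and 0 <= E <= 4 and 0 <= C <= 3):
        raise ValueError("S in 0..3, E in 0..4, C in 0..3")
    if S == 0 or E == 0 or C == 0:
        return "QM"
    return TABLE[S][E].split()[C - 1]


def hara(events):
    """Map each hazardous event to its ASIL."""
    return {ev.name: determine_asil(ev.S, ev.E, ev.C) for ev in events}


def highest_asil(events):
    """Most demanding ASIL among the events (drives the item's overall rigour)."""
    return max((determine_asil(ev.S, ev.E, ev.C) for ev in events), key=ORDER.index)


def controllability_sensitivity(ev):
    """ASIL that results if C is rated one class lower than it should be.

    This is the pitfall described in the text: an optimistic controllability
    rating silently drops the ASIL by one level (or to QM).
    """
    return determine_asil(ev.S, ev.E, max(ev.C - 1, 0))


# Constructed hazardous events for a hypothetical brake-by-wire item.
EVENTS = [
    HazardousEvent("unintended full braking at motorway speed", S=3, E=4, C=3),
    HazardousEvent("loss of brake assist in urban traffic", S=2, E=4, C=2),
    HazardousEvent("parking brake engages while stationary", S=1, E=2, C=1),
]

if __name__ == "__main__":
    for name, asil in hara(EVENTS).items():
        print(f"{asil:>2}  {name}")
    print("item developed to:", highest_asil(EVENTS))
    ev = EVENTS[0]
    print(f"{ev.name}: C{ev.C} -> {determine_asil(ev.S, ev.E, ev.C)}, "
          f"if rated C{ev.C - 1} -> {controllability_sensitivity(ev)}")
```

Running it shows the first event at ASIL D and, if its controllability were argued down to C2, at ASIL C; the same one-step drop applies to every cell of the table, which is why the rationale for each S, E and C class should be recorded alongside the rating rather than only the resulting ASIL.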

Best practice: Create a project-specific glossary based on ISO 26262-1 before starting any functional safety work. Distribute it to all team members and include it in supplier contracts. This simple step prevents costly misunderstandings during safety audits and assessments.

The concept of “independence” is particularly important for ASIL decomposition. The standard defines independence as the absence of cascading failures and common cause failures between elements. In practice, achieving independence requires careful consideration of physical separation, electrical isolation, and software diversity. The vocabulary provides the foundation for understanding these complex interactions.

Never assume independence without explicit analysis. The most common finding during functional safety assessments is inadequate independence between redundant elements, often due to shared power supplies, clock sources, or software libraries that were overlooked during design.
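The two rules of this section, that a decomposition must follow one of the schemes in ISO 26262-9 and that the decomposed elements must be sufficiently independent, can be checked mechanically at the design-review stage. The following is an added example and not code from the standard or any project: ALLOWED encodes the decomposition schemes of ISO 26262-9 Clause 5, and the element model with a "resources" dictionary (power supply, clock source, software library) is a constructed screen for the kind of shared dependency listed above. The element names and resource identifiers are invented, and the screen flags candidates for the dependent failure analysis; it does not replace it.

```python
"""ASIL decomposition check (ISO 26262-9) with a shared-resource screen.

Added example, not from the standard or any project. ALLOWED follows the
decomposition schemes of ISO 26262-9 Clause 5. The element model and the
resource screen are a constructed illustration of the kind of shared
dependency (power, clock, library) that defeats an independence claim; they
do not replace a dependent failure analysis.
"""
from dataclasses import dataclass, field

# Allowed ways to split a requirement of ASIL X into two redundant
# requirements; each decomposed requirement keeps the original ASIL in
# parentheses, e.g. ASIL D -> C(D) + A(D).
ALLOWED = {
    "D": {("C", "A"), ("B", "B"), ("D", "QM")},
    "C": {("B", "A"), ("C", "QM")},
    "B": {("A", "A"), ("B", "QM")},
    "A": {("A", "QM")},
}


@dataclass
class Element:
    name: str
    asil: str                                      # ASIL proposed for this element's requirement
    resources: dict = field(default_factory=dict)  # kind -> identifier of the thing depended on


def valid_pair(original, a, b):
    """True if a(original) + b(original) is a decomposition Part 9 allows."""
    schemes = ALLOWED.get(original, set())
    return (a, b) in schemes or (b, a) in schemes


def shared_resources(x, y):
    """Resources of the same kind and identity used by both elements."""
    return sorted((k, v) for k, v in x.resources.items() if y.resources.get(k) == v)


def check_decomposition(original, left, right):
    """Return (ok, findings) for a proposed decomposition of an ASIL.

    ok is True only when the ASIL pair is allowed and the elements share no
    listed resource; each shared resource is a candidate cascading or
    common-cause path that has to be analysed or designed out.
    """
    findings = []
    if not valid_pair(original, left.asil, right.asil):
        findings.append(f"{left.asil}({original}) + {right.asil}({original}) "
                        f"is not an allowed decomposition of ASIL {original}")
    for kind, ident in shared_resources(left, right):
        findings.append(f"shared {kind} '{ident}' between {left.name} and {right.name}")
    return (not findings, findings)


# Constructed scenario: an ASIL D safety requirement split C(D) + A(D).
PRIMARY = Element("primary torque monitor", "C",
                  {"power": "PSU1", "clock": "XTAL1", "library": "crc32-v1"})
SECONDARY_FIRST_DRAFT = Element("secondary torque monitor", "A",
                                {"power": "PSU2", "clock": "XTAL2", "library": "crc32-v1"})
SECONDARY_REVISED = Element("secondary torque monitor", "A",
                            {"power": "PSU2", "clock": "XTAL2", "library": "crc16-diverse"})

if __name__ == "__main__":
    for secondary in (SECONDARY_FIRST_DRAFT, SECONDARY_REVISED):
        ok, findings = check_decomposition("D", PRIMARY, secondary)
        print("OK" if ok else "REJECT", findings)
```

The first draft has separate supplies and oscillators but still links both monitors through the same CRC library, exactly the kind of overlooked software dependency the text warns about; the decomposition is only accepted once that shared element is removed. A real review extends the resource kinds (shared memory, common compiler, common sensor, common housing) and feeds every hit into the dependent failure analysis rather than treating the screen as proof of independence.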

Frequently Asked Questions

Q1: What is the difference between ASIL and SIL?
SIL (Safety Integrity Level) is defined in IEC 61508 for general industrial applications, while ASIL is the automotive-specific adaptation defined in ISO 26262. ASIL is derived from severity, exposure and controllability, the last of which reflects the ability of the driver or other persons involved to avoid harm and has no direct counterpart in the SIL determination. ASIL D is often compared informally with SIL 3 in terms of rigour, but the two standards define no formal equivalence: the risk parameters, the decomposition rules, and the quantitative target values differ, so an ASIL rating cannot simply be translated into a SIL or vice versa.
Q2: Can an item have multiple safety goals with different ASILs?
Yes. A single item can have multiple safety goals, each with a different ASIL determined by the severity, exposure, and controllability of the associated hazardous event. An element that implements requirements of more than one ASIL is developed to the highest of those ASILs unless freedom from interference between the differently rated parts is demonstrated (the coexistence criteria of ISO 26262-9); ASIL decomposition is a separate mechanism that lowers the ASIL of redundant requirements allocated to sufficiently independent elements.
Q3: Is QM considered an ASIL?
No. QM (Quality Management) is explicitly not an ASIL. When a hazardous event is determined to have sufficiently low risk that no ASIL is required, standard quality management processes are considered sufficient to manage the risk. However, QM-rated functions must still be documented and justified.
Q4: How does the 2018 edition differ from 2011 in vocabulary?
The 2018 edition adds several dozen new terms, including those related to trucks and buses (base vehicle, body builder equipment), the interaction with cybersecurity, expanded hardware fault classifications and timing terms, and motorcycle-specific adaptations for the new Part 12. The definitions of existing terms were refined for clarity and consistency across all 12 parts.
