ISO 26262-2:2018 Road Vehicles — Functional Safety — Part 2: Management of Functional Safety

Safety Management Framework for Automotive Development — Safety Culture, Confirmation Measures, Safety Case

1. The Role of Safety Management in the Automotive Lifecycle

ISO 26262-2:2018 establishes the requirements for functional safety management throughout the entire safety lifecycle of automotive E/E systems. This part of the standard is the management backbone of the ISO 26262 series, defining the organizational responsibilities, planning activities, and confirmation measures that ensure functional safety is systematically achieved and maintained.

The 2018 second edition represents a significant evolution from the 2011 version, introducing more detailed objectives, a stronger emphasis on safety culture, explicit management of safety anomalies, and integration with cybersecurity concerns. The standard applies to all organizations involved in the development, production, operation, service, and decommissioning of safety-related E/E systems in road vehicles including passenger cars, trucks, buses, trailers, and motorcycles.

Organizations should establish a clear safety management framework before beginning any project-specific functional safety work. The project-independent safety management activities defined in Clause 5 provide the foundation upon which all project-specific activities are built.

The standard structures safety management into three main categories: overall safety management (project-independent), project-dependent safety management, and safety management regarding production, operation, service, and decommissioning. Each category has specific objectives, inputs, requirements, and work products that must be addressed.

Management Category | Key Requirements | Work Products
Overall Safety Management (Clause 5) | Safety culture, competence management, QMS, anomaly management, lifecycle tailoring | Safety culture policy, competence register, tailored safety lifecycle
Project-Dependent Management (Clause 6) | Roles and responsibilities, impact analysis, planning, safety case, confirmation measures | Safety plan, safety case, confirmation measure reports, release-for-production report
Production/Operation/Service (Clause 7) | Production safety planning, service instructions, decommissioning | Production safety plan, service documentation, decommissioning concept

2. Safety Culture and Competence Management

A key addition in the 2018 edition is the explicit requirement for a safety culture within the organization. Clause 5.4.2 requires that organizations establish, implement, and maintain a safety culture that supports the achievement of functional safety. This includes management commitment, open communication about safety issues, and a “just culture” where employees are encouraged to report safety concerns without fear of reprisal.

Safety culture cannot be established through documentation alone. It requires demonstrated leadership commitment, regular safety communication, and a track record of acting on safety findings. Assessors will interview staff and review meeting minutes to verify that the culture actually exists, not merely that a policy document does.

Competence management (Clause 5.4.4) requires that all personnel involved in functional safety activities have the appropriate education, training, and experience for their assigned roles. The standard does not mandate specific certifications but requires that competence be documented and maintained. This includes awareness of the specific functional safety requirements relevant to each person’s role.

Quality management system integration (Clause 5.4.5) is another critical requirement. Organizations must demonstrate that their QMS (e.g., ISO 9001 or IATF 16949) is capable of supporting the functional safety activities. The QMS provides the foundation for configuration management, change management, document control, and supplier management that are essential for functional safety.

3. Project-Dependent Safety Management and Confirmation Measures

Project-dependent safety management (Clause 6) addresses the specific safety activities for each development project. The safety manager must be appointed with clear responsibility and authority. A safety plan must be created that defines all safety activities, their timing, and the resources assigned. The standard requires a safety case to be developed incrementally throughout the project, culminating in a release-for-production decision.

Practical insight: Build your safety case incrementally, not as an end-of-project exercise. Each development milestone should generate evidence that contributes to the safety case. This approach identifies gaps early and avoids the common problem of scrambling for evidence before release.

Confirmation measures (Clause 6) are the cornerstone of the ISO 26262-2 approach to independent oversight. Three types are defined: confirmation reviews, functional safety audits, and functional safety assessments. The independence required of the personnel performing them is graded by the ASIL of the item using four levels, I0 to I3 (no independence requirement, a different person, a different team, and a different department or organization), and generally rises from ASIL A to ASIL D. The confirmation review of the hazard analysis and risk assessment is the notable exception: Table 1 requires the highest independence level for it regardless of ASIL.

A critical requirement often overlooked: the independence level for confirmation measures is determined by the highest ASIL of any safety goal assigned to the item, not the ASIL after decomposition. Always check ISO 26262-2 Table 1 for the correct independence requirements.

Impact analysis (Clause 6.4.3) is required when a change is made to an existing item. The analysis must evaluate the impact of the change on safety requirements, architecture, and assumptions. For reuse of existing elements (Clause 6.4.4), the standard requires a dedicated analysis to demonstrate that the element is suitable for its intended use in the new context, considering its operational history and the completeness of its safety case.

Frequently Asked Questions

Q1: Who can perform confirmation measures?
The independence requirements vary by ASIL and by the specific confirmation measure. Broadly, an independent person from the same team may suffice at ASIL A and B, an independent person from a different team is required at ASIL C, and an independent department or organization is required at ASIL D; the exact level for each measure is given in ISO 26262-2 Table 1. In every case the person performing the confirmation measure must not have been involved in the activity being reviewed.
Q2: What is the difference between a safety audit and a safety assessment?
A functional safety audit examines processes, that is, whether the planned safety activities are actually being carried out as specified in the safety plan. A functional safety assessment examines the product, that is, whether the item achieves its functional safety objectives and whether the evidence in the safety case supports that judgement. Table 1 requires both, with team- or department-level independence, for ASIL C and D; for ASIL A and B the requirements are lighter, so check the table for the exact applicability of each measure rather than assuming they can be skipped.
Q3: How should safety anomalies be managed?
Safety anomalies (conditions that deviate from expected safety behaviour or from the safety requirements) must be systematically captured, analyzed, and resolved under a defined process (Clause 5.4.3). The process includes: identification, classification by severity and safety impact, root cause analysis, development of corrective actions, verification of their effectiveness, and closure. Safety anomalies must remain identifiable and traceable as safety-related, even if they are recorded in the same tracking system as general quality issues, and their resolution must feed back into the affected safety work products.
Q4: What triggers an update to the safety case?
Any change that affects safety — including design changes, requirement changes, new hazard identifications, safety anomaly resolutions, and changes to assumptions — should trigger an update to the safety case. The safety case should be treated as a living document that evolves with the project.
