Introduction to ISO 26262-7:2018
ISO 26262-7:2018 addresses the often-overlooked but critical phases of the automotive safety lifecycle: production, operation, service (maintenance and repair), and decommissioning. While much of the functional safety focus in industry is on the development phases, this part recognizes that safety defects can be introduced — or existing safety features can be compromised — during manufacturing, field service, and even vehicle disposal.
The standard ensures that the functional safety achieved through the design and development phases (ISO 26262-3 through ISO 26262-6) is preserved throughout the vehicle’s entire lifecycle. It bridges the gap between product development and real-world usage, providing requirements for production process control, field monitoring, service documentation, and decommissioning instructions.
ISO 26262-7 is the smallest part of the core safety lifecycle but has enormous practical impact. Many safety recalls can be traced back to production process deviations or inadequate service procedures that compromised the original safety design.
Planning for Production, Operation, Service, and Decommissioning
Clause 5 requires systematic planning across all post-development lifecycle phases. This planning must begin during product development, not after. The key elements include:
| Lifecycle Phase | Planning Requirements | Key Deliverables |
|---|---|---|
| Production | Production process flow, tools, equipment, traceability measures, software programming verification | Production plan, production control plan, PFMEA |
| Operation | User manual, warning and degradation strategy, safety-related user information | Owner's manual safety section, warning labels |
| Service | Maintenance procedures, repair instructions, service intervals, special tool requirements | Service manual, repair instructions, service bulletins |
| Decommissioning | End-of-life procedures, component disposal, data erasure, environmental considerations | Decommissioning instructions, recycling guidelines |
A critical concept introduced in this clause is safety-related special characteristics (SRSCs). These are specific attributes of the item or element that must be controlled during production to maintain functional safety. Examples include:
- Torque values for safety-critical fasteners
- Reflow soldering temperature profiles for safety-related components
- Calibration parameters for sensors (e.g., steering angle sensor zero-point calibration)
- End-of-line programming verification for ECU software
Safety-related special characteristics must be identified during the development phase (ISO 26262-4, Clause 6 and ISO 26262-5, Clause 7) and clearly communicated to production planning. If a torque specification for a brake system fastener is identified as an SRSC, the production control plan must include 100% inspection or process control with SPC (Statistical Process Control) for that parameter.
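As an added illustration of the two control options named above (not text or code from the standard), the following Python sketch applies both 100% inspection against the tolerance window and an X-bar SPC check to torque readings for a fastener identified as an SRSC; the fastener name, nominal torque, tolerance and process sigma are hypothetical values chosen for the example.

```python
from math import sqrt

# Constructed SRSC entry for a brake caliper fastener (hypothetical values from
# an imagined production control plan, not from the standard).
SRSC_TORQUE = {"name": "brake caliper bolt", "nominal_nm": 35.0, "tol_nm": 3.0}

def inspect_100pct(readings, spec=SRSC_TORQUE):
    """100% inspection: every torque reading is checked against the tolerance
    window. Returns (unit index, value) for each out-of-spec fastener so the
    affected unit can be quarantined under non-conformance management."""
    lo = spec["nominal_nm"] - spec["tol_nm"]
    hi = spec["nominal_nm"] + spec["tol_nm"]
    return [(i, t) for i, t in enumerate(readings) if not lo <= t <= hi]

def spc_xbar_check(subgroups, target, sigma):
    """Shewhart X-bar control chart over equal-sized subgroups of torque readings.
    Control limits are target +/- 3*sigma/sqrt(n); sigma is the process standard
    deviation from the capability study (a hypothetical input here).
    Two signals are raised: a subgroup mean outside the control limits, and eight
    consecutive means on the same side of target, which indicates tool drift
    while every individual reading may still be inside the tolerance window."""
    n = len(subgroups[0])
    ucl = target + 3 * sigma / sqrt(n)
    lcl = target - 3 * sigma / sqrt(n)
    signals = []
    run, last_side = 0, 0
    for i, sg in enumerate(subgroups):
        xbar = sum(sg) / len(sg)
        if xbar > ucl or xbar < lcl:
            signals.append((i, f"mean {xbar:.2f} outside [{lcl:.2f}, {ucl:.2f}]"))
        side = 1 if xbar > target else (-1 if xbar < target else 0)
        if side == 0:
            run = 0
        elif side == last_side:
            run += 1
        else:
            run = 1
        last_side = side
        if run == 8:
            signals.append((i, "8 consecutive means on one side of target (drift)"))
    return signals
```

The drift rule is the reason SPC is listed alongside 100% inspection: a torque tool slowly creeping upward passes every individual check until it finally leaves the window, whereas the chart flags the trend first.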
Production Requirements and Process Control
Clause 6 specifies the requirements for the production phase itself. The key requirements include:
- Process execution according to the production plan, with particular attention to SRSCs
- Traceability of safety-related elements through the production process, typically via serial numbers, barcodes, or RFID tags
- Software and calibration data verification — ensuring the correct software version and calibration data are loaded onto each ECU during production
- Non-conformance management — handling production deviations through a defined process that evaluates the impact on functional safety
- Personnel competence — ensuring production staff are trained on safety-related aspects of their work
The standard specifically requires that the correct version of embedded software and calibration data is programmed onto ECUs. This is typically achieved through checksum verification or read-back comparison against the bill of materials for each specific vehicle configuration.
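The check just described, written out as an added example (not the standard's or any supplier's code): an end-of-line station reads the programmed image, version and calibration identifier back from the ECU and compares all three against the bill of materials for the vehicle's configuration. The configuration IDs, version strings, calibration IDs and image bytes are constructed stand-ins; in practice the expected checksums would come from the software release record.

```python
import hashlib
from dataclasses import dataclass, field

# Constructed stand-ins for the released ECU images (hypothetical bytes).
RELEASED_IMAGES = {
    "CFG-EU-LHD": b"ecu-image-1.4.2-eu",
    "CFG-US-LHD": b"ecu-image-1.4.2-us",
}
# Constructed BOM extract: per vehicle configuration, the released software
# version, calibration data set and SHA-256 of the released image.
BOM = {
    "CFG-EU-LHD": {"sw_version": "1.4.2", "cal_id": "CAL-EU-07",
                   "sha256": hashlib.sha256(RELEASED_IMAGES["CFG-EU-LHD"]).hexdigest()},
    "CFG-US-LHD": {"sw_version": "1.4.2", "cal_id": "CAL-US-03",
                   "sha256": hashlib.sha256(RELEASED_IMAGES["CFG-US-LHD"]).hexdigest()},
}

@dataclass
class ReadBack:
    """What the end-of-line tester read back from one ECU after programming."""
    ecu_serial: str      # traceability key stored with the verification result
    sw_version: str
    cal_id: str
    image: bytes

@dataclass
class Result:
    ecu_serial: str
    config_id: str
    deviations: list = field(default_factory=list)

    @property
    def conforms(self) -> bool:
        return not self.deviations

def verify_programming(config_id: str, rb: ReadBack) -> Result:
    """Compare the read-back against the BOM entry for this configuration.
    Each mismatch is recorded so non-conformance management can evaluate it;
    the checksum is compared even when the version string matches, because a
    corrupted or partially flashed image can still report the right version."""
    res = Result(rb.ecu_serial, config_id)
    expected = BOM.get(config_id)
    if expected is None:
        res.deviations.append(f"unknown configuration {config_id}")
        return res
    if rb.sw_version != expected["sw_version"]:
        res.deviations.append(f"sw_version {rb.sw_version} != {expected['sw_version']}")
    if rb.cal_id != expected["cal_id"]:
        res.deviations.append(f"cal_id {rb.cal_id} != {expected['cal_id']}")
    if hashlib.sha256(rb.image).hexdigest() != expected["sha256"]:
        res.deviations.append("image checksum mismatch (read-back differs from release)")
    return res
```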
The most effective production safety measure is often the simplest: poka-yoke (mistake-proofing) design. For example, using keyed connectors that physically cannot be inserted incorrectly, or using color-coded components that make visual inspection obvious. These are far more reliable than inspection-based quality control.
Operation, Service, and Decommissioning
Clause 7 addresses the operation, service, and decommissioning phase, ensuring that functional safety is maintained throughout the vehicle’s service life and even at end of life.
Operation requirements focus on providing vehicle users with sufficient information to operate the vehicle safely, including:
- Warning and degradation strategy information (what warning lights mean, how to respond)
- Instructions for safe operation of safety-related systems (e.g., ADAS limitations)
- Information about required maintenance intervals that affect safety systems
Service requirements ensure that maintenance and repair activities do not compromise safety:
- Service procedures must specify which safety functions need recalibration or re-verification after repair
- Replacement parts must meet the original safety requirements (including ASIL-rated electronic components)
- Service personnel must have access to safety-related technical information
- Post-service validation (e.g., test drive, diagnostic scan) must be specified
Decommissioning requirements address vehicle end-of-life:
- Instructions for proper disposal of safety-related components
- Data erasure from ECUs containing safety-relevant configuration data
- Handling of components with hazardous materials (e.g., airbag initiators, HV battery systems)
A frequently overlooked safety risk: aftermarket modifications. When a vehicle owner or service shop installs non-approved components (e.g., aftermarket suspension, wheels, or lighting), they can fundamentally alter the vehicle's safety characteristics. ISO 26262-7 does not directly regulate aftermarket modifications, but the service documentation must clearly identify which modifications would invalidate the safety case.
Engineering Insights and Best Practices
Based on practical experience implementing ISO 26262-7, here are key engineering insights:
- Start early: Production and service requirements should be considered during the concept phase, not after design completion. This allows for design-for-manufacturing (DFM) and design-for-service (DFS) that preserve safety.
- PFMEA is your friend: Process FMEA during production planning identifies failure modes in the manufacturing process itself. This is often more valuable than product FMEA because manufacturing defects can affect 100% of production units.
- Field monitoring feedback loop: Establish a process for feeding field failure data back into the development process. ISO 26262:2018 introduced improved requirements for safety anomaly management (ISO 26262-2) that directly interact with Part 7 field monitoring activities.
- Software updates: With the increasing prevalence of OTA (over-the-air) software updates, the service phase now has significant overlap with cybersecurity requirements (UN R155, ISO 21434). Organizations should coordinate safety and security processes for software updates.
Frequently Asked Questions
Q: Is ISO 26262-7 applicable to tier-1 suppliers who only manufacture components?
A: Yes. If a tier-1 supplier produces safety-related elements (ECUs, sensors, actuators), they must provide their customer (the OEM or integrator) with the necessary production, operation, service, and decommissioning information. This includes safety-related special characteristics that the OEM needs to manage in their vehicle production process.
Q: How does ISO 26262-7 handle software updates during the service phase?
A: The standard requires that software updates follow the change management process defined in ISO 26262-8. Any software update affecting safety functions requires re-verification of the affected safety requirements. The standard also requires that the correct software version and calibration data are verifiable after the update. With the rise of OTA updates, organizations should also consider ISO 21434 cybersecurity requirements.
Q: What is the relationship between ISO 26262-7 and IATF 16949?
A: ISO 26262-7 references IATF 16949 (the automotive quality management standard) as a foundation for production process control. However, IATF 16949 alone is not sufficient — additional safety-specific controls are needed for SRSCs (safety-related special characteristics), traceability of safety elements, and software programming verification. Think of IATF 16949 as the baseline and ISO 26262-7 as the safety overlay.
Q: Do decommissioning requirements apply to the vehicle manufacturer or the end user?
A: The standard requires the vehicle manufacturer (or their authorized representative) to provide decommissioning instructions. These are typically provided to authorized service centers and recycling facilities, not to individual vehicle owners. However, certain information (e.g., high-voltage system safety procedures) may need to be communicated to first responders and rescue services.