ISO INTERNATIONAL STANDARD 26262-10 Secondedition 2018-12 Road vehicles Functional safety - Part 10: Guidelines on IS0 26262 Véhicules routiers - Sécurité fonctionnelle - Partie 10: Lignes directrices relatives a I'lS0 26262 Reference number ISO 26262-10:2018(E) so @IS0 2018 Not for Resale, 12/20/2018 05:13:05 MST IS0 26262-10:2018(E) COPYRIGHTPROTECTEDDOCUMENT @IS02018 All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior written permission. Permission can be requested from either IsO at the address below or Iso's member body in the country of the requester. ISO copyright office CP 401 : Ch. de Blandonnet 8 CH-1214 Vernier, Geneva Phone: +41 22 749 01 11 Fax: +41 22 749 09 47 Email: [email protected] Website: www.iso.org Published in Switzerland @ IS0 2018 - All rights reserved or networking permited without license from IHS Not for Resale, 12/20/2018 05:13:05 MST IS0 26262-10:2018(E) Contents Page Foreword ..vi Introduction. ..viii 1 Scope. 2 Normative references .... 3 Terms and definitions 4 Key concepts of IS0 26262 ..2 4.1 Functional safety for automotive systems (relationship with IEC 61508[1]) .2 4.2 Item, system, element, component, hardware part and software unit. ..4 4.3 Relationship between faults, errors and failures.. ..5 4.3.1 Progression of faults to errors to failures. 4.4 FTTI and emergency operation tolerant time interval .6 4.4.1 Introduction 4.4.2 Timing model - Example control system. 1 5 Selected topics regarding safety management .9 5.1 Work product. .9 5.2 Confirmation measures .9 5.2.1 General .9 5.2.2 Functionalsafetyassessment ..10 5.3 Understanding of safety cases. .12 5.3.1 Interpretationofsafetycases 5.3.2 Safety case development lifecycle .13 6 Concept phase and system development .13 6.1 General .. 13 6.2 Example of hazard analysis and risk assessment ..13 6.2.1 General. ..13 6.2.2 HARA example 1 .13 6.2.3 HARA example 2 ..14 6.3 An observation regarding controllability classification ..14 6.4 External measures ..15 ..15 6.4.1 General. 6.4.2 Example of vehicle dependent external measures 1 .15 6.4.3 Example of vehicle dependent external measures 2. .15 6.5 Example of combining safety goals. .16 6.5.1 Introduction ..16 6.5.2 General. .16 6.5.3 Function definition. 6.5.4 Safety goals applied to the same hazard in different situations 16 7 8 Concerning hardware development .19 8.1 The classification of random hardware faults. .19 8.1.1 General. ..19 8.1.2 Single-point fault ..19 8.1.3 Residualfault .20 8.1.4 Detected dual-point fault 20 8.1.5 Perceived dual-point fault 20 8.1.6 Latent dual-point fault. 21 8.1.7 Safe fault.. 21 8.1.8 Flow diagram for fault classification and fault class contribution calculation.... 21 8.1.9 How to consider the failure rate of multiple-point faults related to software-based safety mechanisms addressing random hardware failures. 8.2 Example of residual failure rate and local single-point fault metric evaluation.. ..25 Copyrintntematonal O rights reserved ii nitted without license from IHS Not for Resale, 12/20/2018 05:13:05 MST IS0 26262-10:2018(E) 8.2.1 General. 25 8.2.2 Technical safety requirement for sensor A_Master. 25 8.2.3 Description of the safety mechanism. 26 8.2.4 Evaluation of example 1 described in Figure 12 29 8.3 Further explanation concerning hardware .37 8.3.1 How to deal with microcontrollers in the context of an IS0 26262 series of standards application. 37 8.3.2 Safety analysis methods .37 8.4 PMHF units - Average probability per hour 44 9 Safety Element out of Context .47 9.1 Safety Element out of Context development 47 9.2 Use cases 48 9.2.1 General. 48 9.2.2 Development of a system as a Safety Element out of Context example. 49 9.2.3 Development of a hardware component as a Safety Element out of Con