Understanding the Scope of ISO 26262:2018 in Ensuring Vehicle Safety
Introduction:
There is a common misunderstanding that meeting ISO 26262:2018 is enough to make a vehicle's electrical and electronic systems safe.
In fact, ISO 26262:2018 addresses only a subset of the hazards that may arise.
In this article, we will classify different types of vehicle hazards and clarify the specific scope of ISO 26262:2018.
Classification of Vehicle Hazards:
Hazards related to vehicles can be categorised into four distinct groups:
1. Hazards resulting from the vehicle's intended behaviours:
Harm can occur even when the vehicle is functioning according to its design. For example, an airbag deployment can itself cause harm. Additionally, hazards may arise from inherent limitations of the system. For instance, in the Tesla incident of May 2016, the vehicle's autopilot failed to avoid a truck crossing its path while the driver was not paying attention, resulting in a collision.
Such hazards, stemming from intended behaviours and limitations of the technology employed, fall outside the scope of ISO 26262:2018.
2. Hazards resulting from the nature of substances or objects on the vehicle:
Certain materials or systems present inherent risks, such as battery chemicals or high voltage components. These hazards exist regardless of whether the substances or objects are functioning or experiencing faults. They are considered intrinsic risks and are not addressed by ISO 26262:2018.
3. Hazards resulting from faults occurring on the vehicle:
A fault can propagate into a failure to perform a function (a malfunction) that has a hazardous effect at vehicle level.
ISO 26262:2018 is specifically developed to reduce the risk of such faults leading to harm, but only for faults originating from what it calls an item. An item is an electronic controller containing software that takes sensor input to regulate at least one actuator, developed for a specific application. So, for example, a software fault in the control algorithm that causes the airbag to deploy when deployment is not required is in scope of ISO 26262:2018.
Malfunctions that do not originate from an item are out of scope of ISO 26262:2018. For example, the mechanical disconnection of a battery cable from the battery is out of scope.
4. Hazards resulting from the actions of a malicious attack by a bad actor:
A malicious attack on a vehicle's electrical or electronic systems is usually referred to as a cyber security attack.
ISO 26262:2018 acknowledges the overlap between functional safety and cybersecurity and expects collaboration with cybersecurity personnel to identify and address potential threats.
A successful attack can therefore be seen as one cause of malfunctioning behaviour. However, identifying cybersecurity weaknesses and addressing them requires the application of the relevant cybersecurity practices and standards. Ensuring that the item is secure from a cybersecurity perspective is mostly out of the scope of ISO 26262:2018.
Conclusion:
ISO 26262:2018 plays a crucial role in reducing hazards caused by faults originating from 'items'. However, it does not guarantee the overall safety of the vehicle. Hazards arising from intended behaviours, intrinsic risks, faults outside the designated items, and malicious attacks fall outside the scope of ISO 26262:2018. Collaboration with cybersecurity personnel is necessary to address cybersecurity threats effectively.
We hope this article has provided useful insights into the scope of ISO 26262:2018. For more detailed information, read our other articles or visit our online shop. We appreciate your feedback, which will help us improve our offerings and prioritise future topics for discussion. If you have any further questions or require assistance, please do not hesitate to contact us.