The ABCs Of ISO 26262

A glossary of ISO 26262 abbreviations and acronyms can be a great help to understanding functional safety standards.


Over the last one-and-a-half years that I have been elbow-deep working on the FlexNoC Resilience Package, I’ve been keeping a running list of ISO 26262 abbreviations and acronyms that reoccurred in my work, and kept confusing me whenever I performed a “context switch” from working on different projects to working on my functional safety products. I’ve received feedback that my list is helpful, so I’m providing it to Semiconductor Engineering readers in the hope that it helps you, too.

I’ve attempted to explain everything in “plain English” and have referred to the specific “chapter and verse” in the ISO 26262 specification where the term is officially explained (kind of like Bible Study notes!).

Please let me know if there are other terms that should be on this list, or if you have better explanations than the ones I currently use in my “ISO 26262 cheat sheet”.

Abbreviation Meaning Description ISO Reference(s)
ASIL Automotive Safety Integrity Level One of four levels to specify the item’s (1.69) or element’s (1.32) necessary requirements of ISO 26262 and safety measures (1.110) to apply for avoiding an unreasonable residual risk (1.97), with D representing the most stringent and A the least stringent level.

ISO 26262 9 describes ASIL analyses in detail!

ISO 26262-1 1.6ISO 26262-9
ASIL Decomposition Automotive Safety Integrity Level Decomposition Also called, “ASIL Tailoring.” Apportioning of safety requirements redundantly to sufficiently independent elements (1.32), with the objective of reducing the ASIL (1.6) of the redundant safety requirements that are allocated to the corresponding elements.

“How to” example chart is in ISO26262-9 5.4.10

ISO 26262-1 1.7ISO 26262-9 5
AUTOSAR AUTomotive Open System Architecture Not in ISO 26262, “is an open and standardized automotive software architecture, jointly developed by automobile manufacturers, suppliers and tool developers.” [Wikipedia]
CCF Common Cause Failures Failure (1.39) of two or more elements (1.32) of an item (1.69) resulting from a single specific event or root cause.

Common cause failures are dependent failures (DF) (1.22) that are not cascading failures (CF) (1.13).

ISO 26262-1 1.14
CF Cascading Failure Failure (1.39) of an element (1.32) of an item (1.69) causing another element or elements of the same item to fail.

Cascading failures are dependent failures (DF) (1.22) that are not common cause failures (CCF) (1.14).

ISO 26262-1 1.13
CMF Common Mode Failure A type of common cause failure (CCF) where multiple items fail in the same mode. Analyze it using fault tree analysis (FTA). ISO 26262-10 B.3.2
DC Diagnostic Coverage Proportion of the hardware element (1.32) failure rate (1.41) that is detected or controlled by the implemented safety mechanisms (1.111). ISO 26262-1 1.25ISO 26262-5 D
DCLS Dual Core Lockstep Processing system that runs the same set of operations at the same time in parallel. [Wikipedia]

For ISO 26262 applications, the second “checker” core usually executes 1 or 2 clock ticks after the primary “reference” core to help ensure that power glitches will not simulataneously effect both cores, resulting in no detection of an error.
DF Dependent Failure Failures (1.39) whose probability of simultaneous or successive occurrence cannot be expressed as the simple product of the unconditional probabilities of each of them.Dependent failures include common cause failures (CCF) (1.14) and cascading failures (CF) (1.13).

ISO 26262-9 7 explains dependent failure analysis (DFA).

ISO 26262-1 1.22ISO 26262-9 7
DFA Dependent Failure Analysis Aims to identify the single events or single causes that could bypass or invalidate a required independence or freedom from interference between given elements and violate a safety requirement or a safety goal. ISO 26262-9 7
DIA Development Interface Agreement Agreement between customer and supplier in which the responsibilities for activities, evidence or work products to be exchanged by each party are specified.

An example DIA is at ISO 26262-5 B.

ISO 26262 1.24ISO 26262-8 5
DTI Diagnostic Test Interval Amount of time between the executions of online diagnostic tests by a safety mechanism.

Use ISO 26262-5 Table D.1 for analysis.

ISO 26262-1 1.26ISO 26262-5 D
E/E/PE Electrical, Electronics, and Programmable Electronic IEC 61508-4 3.2.6 defines this as based on electrical and/or electronic and/or programmable electronic technology (see examples). IEC 61508- 3.2.6
EMI Electromagnetic Interference Disturbance that affects an electrical circuit due to either electromagnetic induction or electromagnetic radiation emitted from an external source. [Wikipedia] ISO 26262-2
EOS Electrical Overstress Electrical overstress failures can be classified as thermally-induced, electromigration-related and electric field-related failures. Can result in a latchup short cirvuit. [Wikipedia]

Example of failure rate resulting from EOS is in ISO 26262-10 A.

Calculation methods are in IEC TR 62380, “Reliability data handbook – Universal model for reliability prediction of electronics components, PCBs and equipment”

ISO 26262-10 A. IEC TR 62380
ESD Electrostatic Discharge A subclass of Electrical Overstress (EOS). The sudden flow of electricity between two electrically charged objects caused by contact, an electrical short, or dielectric breakdown. [Wikipedia]

See ISO 26262-5 E for example of SPFM and LFM calculations with ESD.

ISO 26262-2
FIT Failure In Time The number of failures that can be expected in one billion (1×10^9) device-hours of operation. [Wikipedia]

Mean time between failures (MTBF) = 1,000,000,000 x 1/FIT.

ISO 26262-2
FMEA Failure Mode and Effects Analysis As opposed to fault tree analysis (FTA), failure mode and effects analysis (FMEA) is an inductive (bottom-up, see Figure B.1) approach focusing on the individual parts of the system, how they can fail and the impact of these failures on the system. Analysis starts at faults, which can lead to errors and then failures.

Can be qualitiative or quantitative.

ISO 26262-10 B
FMEDA Failure Mode Effects and Diagnostic Analysis A procedure for the detailed determination of error causes and their impact on the system and can be very efficiently used in the early stages of systems development for the purpose of early identification of weaknesses. [TUV website]
FTA Fault Tree Analysis As opposed to failure mode and effects analysis (FMEA), fault tree analysis (FTA) is a deductive (top down, see Figure B.2) approach starting with the undesired system behaviour and determining the possible causes of this behavior.

Can be qualitiative or quantitative.

ISO 26262-10 B
FTTI Fault Tolerant Time Interval The time between when a fault occurs and the system can transition to a safe state and be ready to experience another possible hazard.

Maximum FTTI = DTI + Fault Reaction Time + Safe State

ISO 26262 1.44
HSI Hardware-Software Interface Use ISO 26262-4 B for a detailed explanation. ISO 26262-2ISO 26262-4 B
LFM Latent Fault Metric Latent faults are multiple-point faults (1.77) whose presence are not detected by a safety mechanism (1.111) nor perceived by the driver within the multiple-point fault detection interval (MPFDI) (1.78). The latent fault metric (LFM) is a hardware architectural metric that reveals whether or not the coverage by the safety mechanisms, to prevent risk from latent faults in the hardware architecture, is sufficient.

Single point fault metric (SPFM) is the other hardware architectural metric.

  • ASIL B (≧60%), C (≧80%) and D (≧90%) coverage requirements are in ISO 26262-5 8.4.6 Table 5.
  • Equations and context are at ISO 26262-5 C.3.
  • Example for calculation is at ISO 26262-5 E.
ISO 26262-1 1.71ISO 26262-4 6.4.3

ISO 26262-5 8

ISO 26262-5 C

ISO 26262-5 E

MBU Multiple Bit Upset When two or more error bits occur in the same word. Cannot be corrected by simple single-bit ECC. JESD89A
MPFDI Multiple Point Fault Detection Interval The time span to detect a multiple-point fault (1.77) before it can contribute to a multiple-point failure (1.76). ISO 26262-1 1.78ISO 26262-4 6.4.4
PMHF Probabilistic Metric for (Random) Hardware Failures Is the sum of the single point, residual and multipoint fault metrics. Is expressed in FITs.

Calculation methods are described in ISO 26262-5 F.

ISO 26262-5 9.2ISO 26262-5 F
SEL Single Event Latch-up A type of single event effect (SEE) caused by a single event upset (SEU) that causes a transient fault. This transient fault is “hard” and can only be corrected by cycling the power. Causes include cosmic rays and electrostatic discharge (ESD). [Wikipedia]
SEooC Safety Element out of Context A safety-related element which is not developed for a specific item. This means it is not developed in the context of a particular vehicle. ISO 26262-10 9
SEE Single Event Effect A “soft error” caused by a single, energetic particle, and can take on many forms. Causes “transient faults” like single event upsets (SEU), single event transients (SET) and single event latch-ups (SEL).

Use ISO 26262-5 Table D.1 for analysis.

ISO 26262-5 D
SET Single Event Transient A “glitch” that happens when the charge collected from an ionization event discharges in the form of a spurious signal traveling through the circuit. This is de facto the effect of an electrostatic discharge (ESD). It is a “soft error” transient fault and is a type of single event effect (SEE). If a SET propagates through digital circuitry and results in an incorrect value being latched in a sequential logic unit, it is then considered a single event upset (SEU). [Wikipedia]
SEU Single Event Upset Single Event Upsets (SEUs) are soft errors, and non-destructive. Is a “bit flip” or change of state caused by cosmic rays. It is a type of a type of single event effect (SEE). [Wikipedia]
SPFM Single Point Fault Metric Single point faults are faults (1.42) in an element (1.32) that are not covered by a safety mechanism (1.111) and that lead directly to the violation of a safety goal (1.108). The single point fault metric (SPFM) is a hardware architectural metric that reveals whether or not the coverage by the safety mechanisms, to prevent risk from single point faults in the hardware architecture, is sufficient.

Latent fault metric (LFM) is the other hardware architectural metric.

  • ASIL B (≧90%), C (≧97%) and D (≧99%) coverage requirements are in ISO 26262-5 8.4.5 Table 4.
  • Equations and context are at ISO 26262-5 C.2.
  • Example for calculation is at ISO 26262-5 E.
ISO 26262-1 1.122ISO 26262-5 8

ISO 26262-5 C

ISO 26262-5 E

TCL Tool Confidence Level Use ISO 26262-8 Table 3 to calculate based on tool impact (TI) and tool error detection (TD). Values are TCL1, TCL2 and TCL3. ISO 26262-8
TD Tool Error Detection The confidence in measures that prevent the software tool from malfunctioning and producing corresponding erroneous output, or in measures that detect that the software tool has malfunctioned and has produced corresponding erroneous output.

Values are TD1, TD2 and TD3.

ISO 26262-8
TI Tool Impact The possibility that a malfunction of a particular software tool can introduce or fail to detect errors in a safety-related item or element being developed.

Values are TD1, TD2 and TD3.

ISO 26262-8

  • Tapaswi Khamar

    Really very helpful!