Introduction
Why functional safety matters in software systems
Understand functional safety risks
Apply ISO 26262 and ASIL levels
Implement safety-critical isolation using safety island architecture
Functional safety for automotive software development
How to use Data Distribution Service (DDS)
Deploy OpenAD Kit across multiple cloud instances
Run OpenAD Kit across distributed ROS 2 instances
Next Steps
ISO 26262 is a functional safety standard for automotive electronics and software systems. It defines a structured safety lifecycle aligned with the V-model, spanning everything from initial requirements to final validation and maintenance.
The V-model is a development framework where each design phase is paired with a corresponding test phase. This structure makes it easier to trace safety requirements from early specifications through to system verification.
Automotive Safety Integrity Level (ASIL) ranks the safety criticality of components on a scale from A (lowest) to D (highest). For example, ASIL A might apply to a dashboard indicator failure, while ASIL D applies to a brake system malfunction.
Hazard Analysis and Risk Assessment (HARA) identifies potential hazards and evaluates their risks to define the required safety goals and ASIL levels.
Safety mechanisms include techniques such as real-time fault detection, redundancy, and fallback modes like fail-safe and fail-operational behavior.
ISO 26262 applies to many safety-critical vehicle systems:
Autonomous driving systems must respond safely to sensor errors (such as LiDAR, radar, or camera faults). Functional safety ensures the vehicle can enter a safe state and avoid unsafe decisions.
Powertrain control systems monitor throttle and braking inputs. Safety mechanisms such as redundancy, plausibility checks, and overrides prevent unintended acceleration or loss of braking function.
Battery management systems (BMS) protect electric vehicle batteries from overheating, overcharging, or deep discharge. Built-in safety functions monitor temperature, balance voltage, and isolate faulty circuits to prevent thermal runaway.
These systems require dedicated hardware and software architectures that enforce functional safety guarantees. One common solution is the safety island, which is an isolated compute domain used to run safety-critical control logic independently from the main system.