The Ultimate Guide to Automotive Functional Safety

What Is Functional Safety
The Growing Need for Safety in Modern Vehicles
The automotive industry has seen significant transformation in recent decades, evolving from simple mechanical systems to a complex network of ECUs, integrated sensors, communication networks, and real-time data processing. With this increased complexity comes the critical need to ensure that systems are safe, reliable, and resilient.
This is where functional safety in automotive systems plays a crucial role. It provides the backbone for designing systems that prevent hazards and mitigate risks, ensuring that in the event of a failure, the system will respond in a way that keeps the vehicle and its occupants safe. As vehicles adopt more autonomous functions, advanced driver-assistance systems (ADAS), and electrified powertrains, robust functional safety frameworks are essential for ensuring compliance, performance, and user safety.
What Is Functional Safety in Automotive Systems?
Functional safety refers to the systems and measures put in place to ensure that automotive systems behave in a predictable, safe manner, especially when failure occurs. This encompasses both hardware and software components, which must be designed, tested, and verified to meet stringent safety standards.
One of the most prominent frameworks for functional safety in the automotive sector is ISO 26262, an international standard that specifies the requirements for the safety lifecycle of electrical and electronic systems in vehicles. These systems include critical applications like braking systems, steering systems, airbags, and advanced driver-assistance systems (ADAS).
How Does Functional Safety Work in Automotive Systems
The operation of functional safety systems in modern vehicles is multi-faceted and built upon redundancy, fail-safe mechanisms, and real-time diagnostics. For example, modern vehicles contain multiple ECUs that control functions like braking, steering, collision avoidance, and autonomous driving. Each of these components is designed with built-in checks to ensure that, should one system fail, another can take over or trigger a safe shutdown.
ISO 26262: Standard Driving Functional Safety in Automotive Systems
ISO 26262 is the international standard governing functional safety in electrical and electronic (E/E) systems within road vehicles. It adapts concepts from IEC 61508, the general standard for functional safety across industries, and refines them to meet the unique demands of automotive design and mass production.
The standard helps manufacturers and suppliers ensure that automotive systems remain safe under both normal and fault conditions, minimizing the risk of life-threatening failures.
Structure and Scope
ISO 26262 is structured into 10 parts, covering the full safety lifecycle—from early concept and risk assessment to software, hardware development, and post-production operation. These parts include:
Part 1: Vocabulary & Terminology
Part 2: Management of Functional Safety
Part 3: Concept Phase (including Hazard Analysis & Risk Assessment)
Parts 4–6: Product Development at System, Hardware, and Software Levels
Part 7: Production, Operation, and Decommissioning
Part 8: Supporting Processes
Part 9: ASIL-Oriented Analysis
Part 10: Informative Guidelines
ISO 26262 vehicle life cycle
Key Concepts in ISO 26262
Hazard Analysis and Risk Assessment (HARA)
HARA is a foundational step in the ISO 26262 safety lifecycle. It identifies potential hazards associated with an automotive function and evaluates the risk each one poses under specific operating conditions. The goal is to determine the Automotive Safety Integrity Level (ASIL) for each hazard, which then guides the safety requirements throughout system development.
Why Does HARA Matter?
Modern vehicles rely heavily on electronics and software. Any malfunction, whether in steering, braking, or ADAS features, can lead to unsafe situations. HARA ensures that potential hazards are recognized early and mitigated through systematic design measures.
The HARA Process – Key Steps
- Item Definition
  The process begins by clearly describing the system or function under consideration (the “item”): its purpose, operating modes, user interactions, and environmental constraints.
- Hazard Identification
  Possible malfunctioning behaviours of the item are analyzed. This includes abnormal operations, unintended activations, and missing functions that could result in harm.
- Operational Scenarios
  Each hazard is examined under realistic usage conditions (urban driving, highway cruising, or parking) to understand when and how it might occur.
- Risk Evaluation
  For each identified hazardous event, three key factors are assessed:
  - Severity (S)
  - Exposure (E)
  - Controllability (C)
- ASIL Assignment
  These three factors are combined using a standardized risk matrix to assign an ASIL (QM, A, B, C, or D). Higher ASILs demand more stringent safety measures during development.
Techniques Used in HARA
- FMEA (Failure Modes and Effects Analysis): Helps identify potential failure points and their consequences.
- HAZOP (Hazard and Operability Analysis): Evaluates deviations from normal function and their safety implications.
Both are useful for structuring the analysis and uncovering edge-case risks.
Automotive Safety Integrity Level (ASIL):
ASIL (A to D) quantifies the safety criticality of a system based on:
- Severity (S): Potential harm to human life
  - S1: Light to moderate injuries
  - S2: Severe to life-threatening injuries
  - S3: Life-threatening to fatal injuries
- Exposure (E): Probability of the condition occurring
  - E1: Very low probability
  - E2: Low probability
  - E3: Medium probability
  - E4: High probability
- Controllability (C): Likelihood the driver can avoid harm
  - C1: Simply controllable
  - C2: Normally controllable
  - C3: Difficult to control or uncontrollable
The higher the ASIL, the more rigorous the development and validation processes must be.
Besides ASIL levels A to D, ISO 26262 includes QM (Quality Management) for components with no significant safety risk.
ISO 26262 – Determination of an ASIL level
The combination of S3 severity with E4 exposure and C3 controllability gives ASIL D, representing the highest level of risk.
ISO 26262 Safety Requirements Flow:
- Safety Goals (SGs)
- Defined in the concept phase through item definition and hazard analysis (HARA).
- Assigned ASIL ratings based on Severity, Exposure, and Controllability.
- Functional Safety Requirements (FSRs)
- Derived from SGs to define what the system must achieve to remain safe.
- Include safe state definitions, fault handling, and external mitigation strategies.
- Influenced by architecture, timing, and degradation concepts.
- Technical Safety Requirements (TSRs)
- Translate FSRs into system-level specifications for hardware/software.
- Detail safety mechanisms, diagnostics, emergency actions, and HSIs.
- Refine architecture to allocate safety functions to system elements.
- Software Requirements
- Derived from TSRs and hardware-software interfaces.
- Include:
- Software Architecture Requirements (structure, modularity, performance)
- Software Safety Requirements (fault detection, safe operation)
- Non-Safety Requirements (QM-rated functions)
- ASIL Decomposition & Traceability
- Each layer inherits or decomposes ASIL from its parent.
- Influences the safety rigor in design, implementation, and testing.
- Risk Assessment & Decomposition
The ASIL Determination process assigns safety levels using a defined risk matrix. To manage complexity, safety goals can be decomposed across redundant systems with lower individual ASILs—an efficient yet compliant design strategy.
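The two steps just described, looking up an ASIL from the S/E/C ratings and checking that a proposed decomposition is permitted, are small enough to capture in code. The block below is an added example written for this guide, not code from the article or from Acsia. The lookup table is the ASIL determination table of ISO 26262-3 (S1–S3 by E1–E4 by C1–C3), and the decomposition rule encodes the allowed splits of ISO 26262-9 (D into C+A, B+B or D+QM; C into B+A or C+QM; B into A+A or B+QM; A into A+QM). The enum, function and variable names are the example's own choices.

```c
#include <stdbool.h>
#include <stdio.h>

/* ASIL as an ordinal so that the decomposition arithmetic below works. */
typedef enum { ASIL_QM = 0, ASIL_A = 1, ASIL_B = 2, ASIL_C = 3, ASIL_D = 4 } asil_t;

/* ISO 26262-3 ASIL determination table, indexed [S-1][E-1][C-1].
 * Outer rows: S1..S3; inner rows: E1..E4; columns: C1..C3. */
static const asil_t k_asil_table[3][4][3] = {
    { {ASIL_QM, ASIL_QM, ASIL_QM}, {ASIL_QM, ASIL_QM, ASIL_QM},
      {ASIL_QM, ASIL_QM, ASIL_A},  {ASIL_QM, ASIL_A,  ASIL_B} },   /* S1 */
    { {ASIL_QM, ASIL_QM, ASIL_QM}, {ASIL_QM, ASIL_QM, ASIL_A},
      {ASIL_QM, ASIL_A,  ASIL_B},  {ASIL_A,  ASIL_B,  ASIL_C} },   /* S2 */
    { {ASIL_QM, ASIL_QM, ASIL_A},  {ASIL_QM, ASIL_A,  ASIL_B},
      {ASIL_A,  ASIL_B,  ASIL_C},  {ASIL_B,  ASIL_C,  ASIL_D} },   /* S3 */
};

/* Returns the ASIL for a hazardous event rated S (0..3), E (0..4), C (0..3).
 * A rating of S0, E0 or C0 means no ASIL has to be assigned (QM).
 * Out-of-range input returns -1 so that a typo cannot silently become QM. */
int asil_determine(int s, int e, int c) {
    if (s < 0 || s > 3 || e < 0 || e > 4 || c < 0 || c > 3) return -1;
    if (s == 0 || e == 0 || c == 0) return ASIL_QM;
    return (int)k_asil_table[s - 1][e - 1][c - 1];
}

const char *asil_name(int a) {
    static const char *const names[] = { "QM", "ASIL A", "ASIL B", "ASIL C", "ASIL D" };
    return (a >= ASIL_QM && a <= ASIL_D) ? names[a] : "invalid";
}

/* ISO 26262-9 ASIL decomposition: a requirement at `parent` may be split over
 * two sufficiently independent elements whose ASILs add up to the parent,
 * e.g. D -> C(D)+A(D), B(D)+B(D) or D(D)+QM(D); A -> A(A)+QM(A).
 * Whether the two elements really are independent is the result of a
 * dependent failure analysis that this code cannot perform; the caller
 * passes that outcome in as `independent`. */
bool asil_decomposition_valid(asil_t parent, asil_t a, asil_t b, bool independent) {
    if (!independent) return false;
    if (a > parent || b > parent) return false;
    return (int)a + (int)b == (int)parent;
}

int main(void) {
    /* The article's own example: S3 + E4 + C3 is the highest-risk cell. */
    printf("S3/E4/C3 -> %s\n", asil_name(asil_determine(3, 4, 3)));
    printf("S2/E3/C2 -> %s\n", asil_name(asil_determine(2, 3, 2)));
    printf("ASIL D as C(D)+A(D): %s\n",
           asil_decomposition_valid(ASIL_D, ASIL_C, ASIL_A, true) ? "valid" : "invalid");
    printf("ASIL D as C(D)+C(D): %s\n",
           asil_decomposition_valid(ASIL_D, ASIL_C, ASIL_C, true) ? "valid" : "invalid");
    return 0;
}
```

The out-of-range guard matters more than it looks: a HARA worksheet is usually filled in by hand, and an off-by-one in a rating should surface as an error in review, not as a quietly lower ASIL. The `independent` flag is deliberately an input rather than something the function infers, because the rationale for freedom from interference lives in the dependent failure analysis and its evidence, not in the arithmetic.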
In addition to ISO 26262, the industry also adheres to other safety-related standards like IEC 61508 and SAE J3061, which offer guidelines for implementing safety systems across different stages of product development and deployment.
Model-Based Design (MBD) for Functional Safety
Role of MBD in ISO 26262 Compliance
Model-Based Design (MBD) is a development methodology that enables engineers to design, simulate, and verify embedded systems using high-level graphical models rather than writing code line by line. In the context of ISO 26262, MBD plays a critical role in reducing development time, enhancing traceability, and ensuring safety compliance from early design through production.
By integrating functional safety requirements directly into the system model, MBD allows teams to detect and correct issues much earlier in the development lifecycle. The visual nature of MBD also promotes better cross-domain collaboration, making it easier to validate system behaviour against safety goals and technical safety requirements.
Simulation, Code Generation, and Verification
- Simulation and Rapid Prototyping
  Engineers can simulate system behaviour under normal and fault conditions using real-world scenarios, enabling early-stage validation of functional safety mechanisms such as diagnostics, fail-operational behaviour, or graceful degradation.
- Automatic Code Generation
  Tools like MATLAB/Simulink or dSPACE TargetLink allow verified models to be converted into production-grade C/C++ code. This reduces manual coding errors and ensures consistency between design and implementation.
- Verification and Back-to-Back Testing
  MBD supports formal verification techniques including:
  - Model-in-the-loop (MIL)
  - Software-in-the-loop (SIL)
  - Hardware-in-the-loop (HIL)
These steps ensure the implemented software matches safety requirements across development stages, and that every change is traceable—an essential requirement under ISO 26262 Part 6 and Part 8.
Real-World Use Case: Battery Management System (BMS)
Problem: A leading OEM required an ISO 26262-compliant BMS for an electric vehicle platform, with real-time thermal monitoring and voltage balancing.
How MBD Helped:
- Developed control algorithms in Simulink with embedded safety goals (e.g., overvoltage detection, thermal cut-off)
- Used MIL/SIL simulations to test performance under fault injection scenarios (e.g., sensor drift, loss of cell communication)
- Automatically generated ANSI-C code and integrated it with Acsia’s embedded software stack
- Performed HIL testing to validate hardware-software behavior under extreme driving conditions
Result: Accelerated certification timeline and reduced rework during integration, while maintaining compliance with ASIL C safety requirements.
Use Case: Functional Safety in Electric Vehicle Battery Management Systems (BMS)
As EVs have become more prevalent, ensuring the safety of high-voltage battery systems is critical. The Battery Management System (BMS) is central to monitoring and controlling battery performance, maintaining safe operation, preventing failures, and enhancing vehicle reliability. Functional safety standards, particularly ISO 26262, are applied to ensure these critical systems operate within safe limits, protecting both the vehicle and its occupants.
Application of Functional Safety in BMS
- Monitoring and Diagnostics
The BMS continuously monitors parameters such as temperature, voltage, current, and state of charge (SOC) of individual cells within the battery pack. Functional safety mechanisms ensure that if anomalies like overheating or overcharging occur, the system can trigger safety protocols, such as battery shutdown or activation of thermal management systems.
- Failure Prevention
Functional safety helps identify potential failure modes within the BMS, such as short circuits, battery degradation, or cell imbalance. It ensures that the system can respond by taking corrective actions, such as rebalancing cells, limiting power output, or isolating faulty components to prevent further damage.
- Emergency Handling
In the event of critical faults or failure scenarios (e.g., short circuits, thermal runaway, or voltage irregularities), the BMS triggers safety mechanisms, such as disconnecting the battery from the powertrain or engaging cooling systems, to mitigate risks like fires or vehicle damage.
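The three mechanisms above (monitoring against limits, a corrective reaction, and a latched emergency action) can be seen in one small monitor. The following is an added example written for this guide, not code from the article, from Acsia, or from any production BMS. The cell count, voltage and temperature limits, debounce length and stale-frame tolerance are constructed values chosen for illustration; a real pack takes them from the cell data sheet and the technical safety requirements.

```c
#include <stdbool.h>
#include <stdint.h>

#define N_CELLS          4
#define V_MAX_MV         4200   /* over-voltage limit (constructed value) */
#define V_MIN_MV         2800   /* under-voltage limit (constructed value) */
#define T_MAX_DC         600    /* over-temperature limit, 60.0 C in 0.1 C units */
#define DEBOUNCE_SAMPLES 3      /* consecutive violations before the safe state */
#define MAX_STALE_CYCLES 2      /* unusable frames tolerated before the safe state */

typedef enum { STATE_NORMAL, STATE_DERATED, STATE_SAFE_STATE } bms_state_t;

typedef struct {
    uint16_t v_mv[N_CELLS];   /* cell voltages in millivolts */
    int16_t  t_dc[N_CELLS];   /* cell temperatures in 0.1 C */
    bool     fresh;           /* false when the cell-monitor frame did not arrive */
} bms_sample_t;

typedef struct {
    bms_state_t state;
    uint8_t ov_count;         /* consecutive over-voltage samples */
    uint8_t ot_count;         /* consecutive over-temperature samples */
    uint8_t stale_count;      /* consecutive unusable frames */
    bool    contactor_open;   /* latched safe state: cleared only by a service reset */
} bms_monitor_t;

void bms_monitor_init(bms_monitor_t *m) {
    m->state = STATE_NORMAL;
    m->ov_count = m->ot_count = m->stale_count = 0;
    m->contactor_open = false;
}

/* Plausibility: a reading outside the physically possible range is a sensor
 * or wiring fault, not a battery condition, and must not drive control. */
static bool sample_plausible(const bms_sample_t *s) {
    for (int i = 0; i < N_CELLS; i++) {
        if (s->v_mv[i] > 5000) return false;                 /* no Li-ion cell reads 5 V */
        if (s->t_dc[i] < -400 || s->t_dc[i] > 1500) return false;
    }
    return true;
}

/* One monitoring cycle. Returns the state the BMS is in after this sample. */
bms_state_t bms_monitor_step(bms_monitor_t *m, const bms_sample_t *s) {
    if (m->contactor_open) return STATE_SAFE_STATE;          /* latched, stay there */

    /* Loss of communication or implausible data: the pack cannot be claimed
     * safe, so derate now and open the contactor if the condition persists. */
    if (!s->fresh || !sample_plausible(s)) {
        m->state = STATE_DERATED;
        if (++m->stale_count > MAX_STALE_CYCLES) {
            m->contactor_open = true;
            m->state = STATE_SAFE_STATE;
        }
        return m->state;
    }
    m->stale_count = 0;

    bool any_ov = false, any_uv = false, any_ot = false;
    for (int i = 0; i < N_CELLS; i++) {
        if (s->v_mv[i] > V_MAX_MV) any_ov = true;
        if (s->v_mv[i] < V_MIN_MV) any_uv = true;
        if (s->t_dc[i] > T_MAX_DC) any_ot = true;
    }

    /* Debounce: one noisy sample must not open the contactor, but a violation
     * that persists for DEBOUNCE_SAMPLES cycles must. */
    m->ov_count = any_ov ? (uint8_t)(m->ov_count + 1) : 0;
    m->ot_count = any_ot ? (uint8_t)(m->ot_count + 1) : 0;

    if (m->ov_count >= DEBOUNCE_SAMPLES || m->ot_count >= DEBOUNCE_SAMPLES) {
        m->contactor_open = true;                            /* disconnect the pack */
        m->state = STATE_SAFE_STATE;
    } else if (any_ov || any_uv || any_ot) {
        m->state = STATE_DERATED;                            /* limit power meanwhile */
    } else {
        m->state = STATE_NORMAL;
    }
    return m->state;
}

/* Constructed scenario: cell 2 drifts above V_MAX_MV from cycle 2 onward.
 * Returns the cycle in which the contactor opened, or -1 if it never did. */
int demo_overvoltage_cycle(void) {
    bms_monitor_t m;
    bms_monitor_init(&m);
    for (int cycle = 0; cycle < 10; cycle++) {
        bms_sample_t s = { {4000, 4000, 4000, 4000}, {300, 300, 300, 300}, true };
        if (cycle >= 2) s.v_mv[2] = 4250;
        if (bms_monitor_step(&m, &s) == STATE_SAFE_STATE) return cycle;
    }
    return -1;
}
```

Two design points are worth noting. The safe state is latched: once the contactor has opened, later "good" samples do not close it again, because a fault that clears by itself is exactly the kind of intermittent condition a service technician needs to see. And a missing or implausible frame is treated as a fault in its own right rather than as "no news is good news", which is how loss of cell communication, one of the fault-injection cases mentioned earlier in this guide, is caught.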
Importance of Functional Safety for BMS
- Hazard Mitigation: Functional safety ensures that potential hazards from battery failures, such as fires or electric shocks, are minimized.
- Compliance: Automakers must comply with industry safety standards (e.g., ISO 26262) when designing and integrating BMS in EVs and HEVs.
- Reliability: A well-designed BMS is crucial for the long-term reliability and performance of electric vehicles, maintaining both vehicle uptime and customer trust.
- Autonomous Integration: As autonomous driving technology advances, reliable and safe EV systems, including BMS, must interface seamlessly with other Advanced Driver-Assistance Systems (ADAS), necessitating robust functional safety measures.
Other use cases:
Automatic Emergency Braking (AEB)
Automatic Emergency Braking systems are designed to detect imminent collisions and apply the brakes automatically if the driver fails to react in time. If this system malfunctions—either by not activating when needed or by braking unexpectedly—it can cause serious accidents or unnecessary panic on the road.
Functional safety ensures the AEB system undergoes hazard analysis and is assigned a high ASIL (often ASIL D). This leads to the implementation of redundant sensors (e.g., radar and camera), real-time diagnostics, and fail-safe logic to ensure the brakes are only triggered under verified conditions. If a fault is detected in one sensor or processing unit, the system either falls back to a safer mode or alerts the driver for manual intervention.
Electric Power Steering (EPS)
Electric Power Steering systems assist the driver in turning the wheels with minimal effort. A failure in the EPS system, such as the loss of torque feedback or a stuck motor, can compromise vehicle controllability, especially at higher speeds.
To mitigate this, the EPS system incorporates multiple torque sensors and motor controllers with built-in diagnostics. Functional safety measures like watchdog timers, power redundancy, and real-time fault monitoring ensure that even if a critical component fails, the driver can maintain at least limited control, often via mechanical fallback or a warning alert. This system typically falls under ASIL C or D, depending on vehicle configuration.
Adaptive Cruise Control (ACC)
Adaptive Cruise Control automatically adjusts the vehicle’s speed to maintain a safe distance from the vehicle ahead. A malfunction such as failing to detect a slow-moving vehicle could lead to a rear-end collision.
Functional safety in ACC involves continuous sensor validation, plausibility checks, and fallback protocols. If the radar fails or communication is lost, the system may deactivate itself while alerting the driver. Critical decision-making logic is implemented across redundant processors to meet the ASIL B or C safety level required.
Lane Keeping Assist (LKA)
Lane Keeping Assist systems help prevent unintentional lane departures by adjusting steering inputs. A faulty LKA could either fail to correct the lane deviation or, worse, apply unnecessary steering input.
The system is evaluated through HARA, and safety goals are derived to ensure its behaviour under normal and fault conditions. Functional safety measures include dual camera inputs, steering torque limits, and system disengagement if environmental confidence (e.g., faded lane markings) drops. These systems are generally assigned ASIL B due to their indirect but essential role in driver assistance.
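The AEB, ACC and LKA descriptions above share one pattern: two sensor channels, a plausibility check on each, a cross-check between them, and a degraded mode when the checks fail. The block below is an added example written for this guide, not code from the article or from any supplier's ADAS stack. The agreement tolerance, frame-age limit and range limit are constructed values; the frame layout, the mode names and the decision that the shorter of two agreeing ranges is used are the example's own choices.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
#include <stdio.h>

#define RANGE_TOL_CM     150     /* channels must agree within 1.5 m (constructed) */
#define MAX_FRAME_AGE_MS 100     /* older data counts as a lost channel (constructed) */
#define RANGE_MAX_CM     25000   /* sensor range limit, 250 m (constructed) */

typedef struct {
    int32_t  range_cm;       /* distance to the object in the path, in cm */
    uint32_t timestamp_ms;   /* when the sensor produced this frame */
    bool     self_test_ok;   /* the sensor's own built-in diagnostic result */
} sensor_frame_t;

typedef enum {
    MODE_FULL,       /* both channels valid and agreeing: braking authorised */
    MODE_DEGRADED,   /* one trustworthy channel: warn the driver, no autonomous braking */
    MODE_OFF         /* no trustworthy channel: function off, driver alerted */
} aeb_mode_t;

/* A channel is usable only if it passed self-test, its data is fresh and the
 * range is physically plausible. A timestamp from the "future" wraps to a
 * huge age in unsigned arithmetic and is rejected as well. */
static bool channel_valid(const sensor_frame_t *f, uint32_t now_ms) {
    if (!f->self_test_ok) return false;
    if (now_ms - f->timestamp_ms > MAX_FRAME_AGE_MS) return false;
    if (f->range_cm < 0 || f->range_cm > RANGE_MAX_CM) return false;
    return true;
}

/* Arbitrate between the radar and camera channels. On MODE_FULL the fused
 * range is written to *fused_range_cm; otherwise it is set to -1. */
aeb_mode_t aeb_arbitrate(const sensor_frame_t *radar, const sensor_frame_t *camera,
                         uint32_t now_ms, int32_t *fused_range_cm) {
    bool radar_ok  = channel_valid(radar, now_ms);
    bool camera_ok = channel_valid(camera, now_ms);
    *fused_range_cm = -1;

    if (radar_ok && camera_ok) {
        /* Cross-check: if the channels disagree, at least one is wrong and we
         * cannot tell which, so fall back instead of guessing. */
        if (abs(radar->range_cm - camera->range_cm) <= RANGE_TOL_CM) {
            /* Use the shorter range: the conservative choice for braking. */
            *fused_range_cm = radar->range_cm < camera->range_cm
                            ? radar->range_cm : camera->range_cm;
            return MODE_FULL;
        }
        return MODE_DEGRADED;
    }
    return (radar_ok || camera_ok) ? MODE_DEGRADED : MODE_OFF;
}

int main(void) {
    /* Constructed frames: radar and camera agree on a target 20 m ahead. */
    sensor_frame_t radar  = { 2000, 1000, true };
    sensor_frame_t camera = { 2100, 1000, true };
    int32_t range;
    aeb_mode_t mode = aeb_arbitrate(&radar, &camera, 1050, &range);
    printf("mode %d, fused range %d cm\n", (int)mode, (int)range);

    camera.range_cm = 3500;                 /* channels now disagree by 14 m */
    mode = aeb_arbitrate(&radar, &camera, 1050, &range);
    printf("after disagreement: mode %d\n", (int)mode);
    return 0;
}
```

Note what the cross-check does not do: it does not pick the channel it "likes" when the two disagree. With only two channels there is no majority, so a disagreement can only be reported and handled by degrading, which is why a third, dissimilar source or a driver warning is the usual fallback in the systems described above.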
Tools, Techniques, and Compliance
As functional safety becomes more embedded in automotive development lifecycles, the ability to select the right tools and apply robust techniques is critical to achieving ISO 26262 compliance efficiently and effectively. At Acsia, we integrate industry-leading platforms and best practices into our workflows to ensure that safety is not just a checkbox, but a built-in characteristic of every project we deliver.
Common Tools Used in Functional Safety Engineering
Modern functional safety projects rely on a combination of modeling environments, requirement management platforms, and safety analysis tools. Some of the widely adopted solutions include:
- Simulink (MathWorks): Model-based design and simulation of control algorithms, integrated with MIL/SIL/HIL validation workflows.
- ANSYS Medini Analyze: Comprehensive tool for safety analysis including FMEA, FTA, and safety goal tracing.
- CodeBeamer (Intland Software): ALM tool supporting requirements engineering, traceability, risk assessment, and audit readiness.
- Vector Tools (e.g., CANoe, DaVinci): System-level simulation, testing, and ECU communication validation.
- IBM DOORS: Requirements and change management aligned with ISO 26262 Part 8.
- dSPACE TargetLink: Production code generation from Simulink models with ASIL-aware calibration and verification support.
By using an ecosystem of interconnected tools, Acsia ensures full traceability from safety goals to code, making audits and compliance reporting faster and more accurate.
Key Functional Safety Techniques
Functional safety isn’t just about tools—it’s about applying the right engineering techniques at the right stages. The following methods help identify, assess, and mitigate risks across system and software layers:
- FMEA (Failure Modes and Effects Analysis): Identifies potential failure points and their consequences to prioritize design improvements.
- FTA (Fault Tree Analysis): A top-down deductive method to analyze the causes of system-level failures.
- DFA (Design for Assembly/Analysis): Ensures safety and efficiency are built into the product from a manufacturability and reliability standpoint.
- Fault Injection Testing: Intentionally introduces faults (e.g., sensor loss, memory corruption) into simulation or HIL environments to verify system resilience.
At Acsia, these techniques are embedded within our ISO 26262-aligned process frameworks, particularly during the concept, development, and validation phases.
Compliance Checklists and Audit Readiness
ISO 26262 certification is built on documentation, traceability, and demonstrable rigor. To ensure audit readiness, organizations must maintain:
- Safety Plans for software, hardware, and system levels
- Requirement Traceability Matrices (RTMs) linking SGs → FSRs → TSRs → Test Cases
- Verification and Validation Reports covering static/dynamic analysis, coverage metrics, and tool qualification
- Change Management Logs with impact assessments on safety
- ASIL Decomposition Rationales for modular system safety
Partner with Acsia to Enable Safer and Efficient Mobility
Acsia’s Functional Safety capabilities help OEMs build safer, more reliable vehicles while reducing the risk of recalls and regulatory penalties. With deep expertise in ISO 26262, ADAS, and safety-critical software, Acsia ensures that next-gen automotive systems meet the highest safety and compliance standards.
- Safety management systems, safety plans, and compliance documentation
- System-level hazard analysis, risk assessment, and safety concept development
- ISO 26262 and ASPICE-compliant software design, testing, and model-based verification
- Safety integration, validation, and fault-injection testing for real-time systems