The demands on vehicle development are constantly evolving. This is particularly true when it comes to passenger cars and the way safety and security are handled. Thus, the nuanced consideration of the relationship between Function Safety (ISO 26262) and Cybersecurity Engineering (ISO/SAE 21434) is attracting a tremendous amount of attention throughout the industry. It is not only about the safety, reliability and integrity of modern vehicles, but also about process efficiency and the wise use of resources. So let us look at the interplay between Functional Safety and Cybersecurity in vehicle development.
Manuel Sandler
These two industry standards are now an integral part of the development of electronic and electrical (E/E) systems in vehicles, but they address fundamentally different issues.
ISO 26262 was introduced to the automotive industry about fifteen years ago. It is based on the cross-industry standard IEC 61508, which has existed since the late 1990s and defines general principles for functional safety in various industries.
The aim of ISO 26262 is to minimise risk and to systematically avoid hazards caused by random hardware faults and by systematic faults in the development of systems, software, hardware and other vehicle components.
ISO/SAE 21434 was only officially published a few years ago as a specific standard for the automotive industry. It focuses on systematic protection against cyber threats that can exploit system vulnerabilities, holistically along the product lifecycle, and includes the underlying structures, processes and more.
Although these goals may seem quite different, functional safety and cybersecurity share the same fundamental focus on E/E systems at all levels of abstraction – from the entire vehicle down to the lowest level of hardware and software – and are therefore critical to the holistic safety of modern vehicles. It is important to understand that both standards not only consider the actual products, but also place specific requirements on the organisation and projects.
A closer look at ISO 26262 and ISO/SAE 21434
As mentioned at the beginning, the starting point of ISO 26262 and the purpose of the functional safety domain is to systematically avoid all hazards to life and limb in the event of an E/E system malfunction. From this perspective of physical integrity, the standard defines a process for how systems can ensure this: for example, by avoiding failures through redundant systems, or by detecting failures and initiating appropriate countermeasures, such as displaying a warning message in the cockpit, or by degrading functions, e.g. deactivating driver assistance functions in the event of a sensor failure.
Ultimately, this should be achieved through systematic hazard analysis, risk assessment and implementation of safety mechanisms throughout the vehicle lifecycle.
ISO/SAE 21434, which was only published in its ‘First Edition’ in 2021 (see also our first insight into ISO/SAE 21434 Second Edition), arose from the growing realisation that, even in the changing environment of the vehicle, cybersecurity threats can pose a significant risk to the safety and functionality of vehicles and beyond. The more connected and software-based vehicles become, the greater the potential for cyber-attacks. At the same time, the dimensions of cybersecurity go far beyond mere physical integrity, considering cyber criminal activities, data security and potential financial and reputational damage.
Tip: For a more in-depth introduction to the requirements of ISO/SAE 21434, don’t miss our 10-minute learning course Overview ISO/SAE 21434 (Video Course)
ISO/SAE 21434 – considered the successor to SAE J3061, which was a simple practical guide to vehicle cybersecurity – has been developed to address these concerns. It is designed to provide a comprehensive approach to managing cybersecurity risks throughout the vehicle lifecycle. The focus is on identifying and reducing vulnerabilities that could be exploited by malicious actors to protect not only the integrity of vehicle systems, but also the safety of occupants and beyond. (See also the risk dimensions of ISO/SAE 21434 below).
Methodological differences between Functional Safety and Cybersecurity
Both standards begin their development with the so-called Item Definition, the compilation of all relevant information as a systematically established starting point for subsequent risk analyses. It is important to note that although the two work products have the same name, the elaborations in terms of functional safety and cybersecurity differ significantly. Consider, for example, information or personal/confidential data: it may be of paramount importance from a cybersecurity perspective, but not from a functional safety perspective. On the other hand, information about the temporal behaviour of functions may be essential for calculating the time available to reach the so-called safe state, but may have a different priority from a cybersecurity perspective.
Tip: For the ISO/SAE 21434 Item Definition work product, see our ISO/SAE 21434 Item Definition Template.
Understanding Functional Safety and ASILs
At the heart of ISO 26262 is the concept of safety integrity levels, known as Automotive Safety Integrity Levels (ASILs).
They allow risks to be classified according to the severity of the potential harm to life and limb, the probability of occurrence in the driving situation (here called ‘Exposure’) and the controllability in case of a failure. These factors are used to classify risks in order to determine the appropriate handling and further measures to minimise the risk.
This classification serves as a basis for the definition of safety goals and the technical safety requirements derived from them. The methodology is deeply rooted in the principles of redundancy, fault tolerance and fail-safe design, which ensures that the vehicle can be returned to a safe state in the event of a system failure.
On this basis, safety goals can be derived, i.e. measures and methods to reduce risks to an acceptable level or to eliminate them altogether.
Understanding ISO/SAE 21434, Cybersecurity Goals, CAL and more
ISO/SAE 21434 takes a different approach, following the principles of threat modelling and risk assessment and applying them not only early in the development project, but also at a higher level in the processes and organisation.
Put simply, engineers must anticipate potential attack vectors and assess the likelihood and impact of various cyber threats. Cybersecurity goals are derived from this threat analysis and risk assessment – the associated work product Threat Analysis and Risk Assessment is one of the core work products in the ISO/SAE 21434 standard. These cybersecurity goals can be seen as the counterpart to the safety goals, as they define the top-level requirements for ensuring cybersecurity. (For the sake of completeness, it should be mentioned that there are also so-called cybersecurity claims, which are defined as a specific statement about how an implemented measure fulfils a defined cybersecurity goal or what the relationship is between identified risks, defined goals and implementation).
The standard, which remains the world’s main reference for cybersecurity engineering in vehicle development, advocates a defence-in-depth strategy in which multiple layers of security controls are implemented to protect critical assets.
Unlike the deterministic nature of functional safety, cybersecurity engineering must deal with the unpredictability of human attackers, requiring constant vigilance and adaptability.
As this young field continues to evolve, it is already apparent that the Cybersecurity Assurance Levels (CALs) proposed in ISO/SAE 21434, which can be seen as the counterpart to ASILs, will be further professionalised. The forthcoming publication of ISO/SAE PAS 8475 Cybersecurity Assurance Levels (expected in the second half of 2025) will provide further specifications in this regard.
A comparison of the risk dimensions between Functional Safety and Security
In principle, the two domains consider different risk dimensions. ISO 26262 focuses purely on the functional safety of the systems concerned, with the aim of covering the protection of life and limb as the central risk dimension, as described at the beginning.
ISO/SAE 21434 takes a different approach and extends the risk assessment to four dimensions:
- Safety: This is an obvious one, since cyber incidents can have a direct impact on the functional safety of systems.
- Operational: Although not necessarily relevant from a safety perspective, avoiding adverse effects on operational processes within vehicle functions is a protection objective. For example, a failure of the navigation system may not be safety-related, but it may cause inconvenience.
- Privacy: Cybersecurity always has the protection of (personal) data against unauthorised access as a central risk dimension. Data protection and privacy are relevant to cybersecurity.
- Financial: Financial losses, which may also include reputational damage, are another relevant risk dimension, whether as a consequence of a cybersecurity incident or in some other way (e.g. through cybercrime in the form of extortion).
This makes it clear that since cybersecurity encompasses the safety risk dimension, any system that is functionally safety-relevant is automatically important from a cybersecurity engineering perspective.
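As an added example (not code from the article or from either standard's text), the two classifications described above in Python: the ASIL determination from Severity, Exposure and Controllability, and the ISO/SAE 21434 risk value derived from an impact rating across the four dimensions and an attack feasibility rating. Assumed: the risk matrix values and the choice to take the highest rating across the four dimensions are illustrative, not prescribed by the standard.

```python
from enum import IntEnum

class Impact(IntEnum):        # ISO/SAE 21434 impact rating per damage scenario
    NEGLIGIBLE, MODERATE, MAJOR, SEVERE = 0, 1, 2, 3

class Feasibility(IntEnum):   # ISO/SAE 21434 attack feasibility rating
    VERY_LOW, LOW, MEDIUM, HIGH = 0, 1, 2, 3

DIMENSIONS = {"safety", "operational", "financial", "privacy"}

def asil(severity: int, exposure: int, controllability: int) -> str:
    """ISO 26262-3 ASIL determination from S (0-3), E (0-4) and C (0-3).
    S0, E0 or C0 yields no ASIL (QM); for the remaining classes the sum
    S+E+C reproduces the standard's table exactly: 7=A, 8=B, 9=C, 10=D."""
    if not (0 <= severity <= 3 and 0 <= exposure <= 4 and 0 <= controllability <= 3):
        raise ValueError("S, E or C outside the classes defined by ISO 26262")
    if 0 in (severity, exposure, controllability):
        return "QM"
    return {7: "A", 8: "B", 9: "C", 10: "D"}.get(
        severity + exposure + controllability, "QM")

# Rows: impact (negligible..severe); columns: feasibility (very low..high).
# ASSUMPTION: illustrative matrix; a project defines its own in its plan.
RISK_MATRIX = [
    [1, 1, 1, 1],  # negligible
    [1, 2, 2, 3],  # moderate
    [1, 2, 3, 4],  # major
    [2, 3, 4, 5],  # severe
]

def cybersecurity_risk(impacts: dict, feasibility: Feasibility) -> int:
    """ISO/SAE 21434 risk value (1..5) for one damage scenario, from an
    impact rating per dimension and the attack feasibility rating.
    ASSUMPTION: the overall impact is the highest rating of the four."""
    if set(impacts) != DIMENSIONS:
        raise ValueError(f"impact ratings must cover exactly {sorted(DIMENSIONS)}")
    return RISK_MATRIX[max(impacts.values())][feasibility]

def assess(severity, exposure, controllability, feasibility, **other_impacts):
    """Rate one hazard in both domains. The safety impact follows the
    ISO 26262 severity class (S0..S3 -> negligible..severe); the other
    dimensions default to negligible unless given."""
    impacts = {d: Impact.NEGLIGIBLE for d in DIMENSIONS}
    impacts.update(safety=Impact(severity), **other_impacts)
    return {"asil": asil(severity, exposure, controllability),
            "risk_value": cybersecurity_risk(impacts, feasibility)}

if __name__ == "__main__":  # constructed scenarios: safety-relevant vs. data-only
    print(assess(3, 3, 2, Feasibility.MEDIUM))                       # B, 4
    print(assess(0, 4, 3, Feasibility.HIGH, privacy=Impact.MAJOR))   # QM, 4
```

The second scenario rates QM for functional safety yet still reaches a risk value of 4 through the privacy dimension alone, which is the asymmetry the paragraph above describes.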
The lifecycle from the perspective of ISO 26262 and ISO/SAE 21434
Both standards consider the entire product lifecycle, but they differ in their specific focus.
According to ISO 26262, the lifecycle extends from the initial concept phase, in which a Hazard Analysis and Risk Assessment (HARA) is carried out, through the design and implementation phase, in which the safety of the system is assessed, to the operational phase, in which data from the field must be used to ensure continuous monitoring and maintenance of the system against possible malfunctions.
Potential safety risks also need to be considered during the decommissioning phase. For example, when disposing of end-of-life vehicles, deactivating airbags is one measure that can be taken to prevent unintentional explosions and possible personal injury.
ISO/SAE 21434 also addresses the entire lifecycle, but places a greater emphasis on the ever-evolving nature of cybersecurity threats.
The aforementioned Threat Analysis and Risk Assessment (TARA) identifies potential vulnerabilities in the concept phase. In the development phase, the focus is on implementing cybersecurity measures that are robust enough to withstand attacks throughout the vehicle’s operational life.
As no system is completely invulnerable, the standard also requires the development of incident response and recovery procedures.
This forward-looking approach ensures that the vehicle’s cybersecurity can be adapted as new threats emerge.
This aspect is also particularly important in terms of differentiation from ISO 26262. In cybersecurity, measures that are considered cybersecure today may not be sufficient tomorrow. Accordingly, from a cybersecurity perspective, the post-development phase within the lifecycle is of immense importance. (Subsequently, UN Regulation No. 156 Software Update Management System and the associated ISO standard ISO 24089 have created a dedicated field of action around proper software update management and engineering, which is likely to require even more attention in the future).
Key Learnings
- Different objectives, shared focus: While ISO 26262 focuses on functional safety, risk minimisation and systematic avoidance of hazards caused by faults, ISO/SAE 21434 focuses on protection against cyber threats. Both standards cover E/E systems and together are critical to safety/security in vehicle development.
- Different risk dimensions: ISO 26262 focuses on the physical safety of vehicle occupants, while ISO/SAE 21434 assesses cybersecurity risks more broadly, including operational, privacy and financial risks in addition to safety.
- Complementary lifecycle approaches: Both standards cover the entire lifecycle of a vehicle, but with different emphases. ISO 26262 focuses on maintaining safety integrity, while ISO/SAE 21434 includes responding to changing cyber threats and adaptation.
- Application of safety and cybersecurity goals: ISO 26262 classifies safety goals using ASILs to establish technical requirements for safe design. ISO/SAE 21434 derives cybersecurity goals from risk assessments and relies on a layered defence approach.
- Synergies and limitations: Although functional safety and cybersecurity in vehicles are synergistic, it is important to separate specific competencies and methodologies in development. A balanced approach will be crucial for the quality and reliability of modern vehicles in the future.
Functional Safety vs. Cybersecurity – Conclusion
In summary, although ISO 26262 and ISO/SAE 21434 deal with different aspects of vehicle safety and security, the relationship is crucial. (Note: In German-speaking countries, additional confusion is often caused by the fact that ‘Safety’ is translated as ‘Sicherheit’ in German, and ‘Security’ is also translated as ‘Sicherheit’).
Even though there are strong parallels between the two standards, it is important not to make the mistake of confusing the two in the development of modern vehicles. Both require specific skills and procedures.
ISO 26262 ensures that systems operate safely under fault conditions, while ISO/SAE 21434 protects these systems from the growing threat of cyber attacks.
Together, they provide a comprehensive framework for managing the complex risks associated with today’s automotive technologies.
As the industry, its structures and processes continue to evolve – driven by increasing competitive and cost pressures, as well as regulatory adjustments in the markets (such as the recent US ban on technologies from China and Russia) – the ability to combine Functional Safety and Cybersecurity in well-designed synergies will be a key success factor. A balanced approach will be crucial: synergies should be exploited where they make sense, but a “blind mixing” of competencies must be avoided to prevent negative effects on quality.
Finding the right balance in the organisation, processes and development projects will be the metric for business success and the reliability of the vehicles of the future.