Quick answer
ISO 26262 is the international standard for functional safety of electrical and electronic systems in road vehicles. ISO 21434 is the corresponding standard for automotive cybersecurity, mandated by ECE R155 for type approval and supported by ECE R156 for over-the-air software updates. Both apply to heavy-duty zero-emission platforms entering the EU market. They share lifecycle structure (concept, development, production, operation, decommissioning) but address different hazards: 26262 covers random hardware failures and systematic faults; 21434 covers deliberate attack. Heavy-duty programs are expected to run them in parallel from concept phase, with shared item definitions, shared HARA / TARA workflows, and an integrated technical file.
This article walks through the two standards as a heavy-duty zero-emission integration partner sees them: what each requires, how they interact in practice, and where co-development adds the most leverage.
ISO 26262 in three lines
ISO 26262 (current edition: 2018, second edition) defines the functional safety lifecycle for E/E systems in road vehicles up to 3.5 tonnes, with explicit extensions to heavy-duty vehicles in Part 1 Clause 1 of the second edition. The lifecycle starts with an item definition, runs through Hazard Analysis and Risk Assessment (HARA), assigns Automotive Safety Integrity Level (ASIL) classifications, derives technical safety requirements, validates them through testing and analysis, and continues into production and operation through a safety case.
ASIL is the central concept. It is not an absolute safety rating; it is a quantification of how rigorous the development process has to be for a given hazard. ASIL A is the lightest, ASIL D the most stringent. Most heavy-duty traction-related functions land at ASIL C or D; HMI functions tend to ASIL A or QM (quality-managed, no ASIL).
ISO 21434 and ECE R155 in three lines
ISO 21434 (2021) defines the cybersecurity engineering lifecycle for road vehicles. It mirrors ISO 26262 in structure: concept, development, production, operation, decommissioning. Where 26262 has HARA, 21434 has TARA (Threat Analysis and Risk Assessment). Where 26262 has ASIL, 21434 has CAL (Cybersecurity Assurance Level).
ISO 21434 is not directly a regulation. The regulation is ECE R155, which mandates a Cybersecurity Management System (CSMS) for any vehicle entering the EU market from July 2024 (new types) or July 2026 (all types in production). Compliance with ISO 21434 is the standard route to demonstrating the CSMS. ECE R156 mirrors this for software-update management, mandating a Software Update Management System (SUMS) for over-the-air updates.
Where the two standards overlap
The two standards were written by different working groups but with conscious cross-references. They share more than they diverge. The overlap is most visible at four points in the lifecycle.
| Lifecycle point | ISO 26262 artifact | ISO 21434 artifact | Shared in practice? |
|---|---|---|---|
| Item definition | Item definition (Part 3-5) | Item definition (Clause 9.3) | Yes, single document with two annotations |
| Risk analysis | HARA | TARA | Parallel, often same workshop |
| Architecture | Functional and technical safety concept | Cybersecurity concept | Same architecture, two annotation layers |
| Verification | Verification of safety requirements | Cybersecurity validation | Mostly different test methods |
| Production | Safety case | Cybersecurity case | Bound together in CSMS evidence |
An OEM that runs the two lifecycles separately will discover, around month 9 of a heavy-duty program, that the two teams have written conflicting requirements on the same ECU. The fix is structural: run a single workshop for HARA and TARA on the same item, in the same week, with both teams in the room.
Where they conflict, and how to resolve
The overlap is genuine, but it is not seamless. Three conflict patterns are common.
Conflict 1: fail-safe versus secure-state
ISO 26262 requires that on detection of a fault, the system enters a defined safe state (often torque cut, isolation open, brakes applied). ISO 21434 requires that on detection of a cybersecurity event, the system enters a secure state, which sometimes means continuing to operate while alerting. The two states can be different, and on a heavy-duty platform the safe state is sometimes risky in cybersecurity terms (shutting down a vehicle on a public road creates a different attack surface).
Resolution: define a unified state machine at architecture phase, with explicit transitions between safe state and secure state, and document the trade-off in both safety and cybersecurity cases.
Conflict 2: update integrity
ISO 26262 requires that any change to safety-relevant software triggers a regression-test cycle proportional to the affected ASIL. ISO 21434 and ECE R156 require that cybersecurity patches reach the fleet within defined timelines. The two requirements pull on opposite ends: thorough re-validation versus rapid deployment.
Resolution: pre-qualified update channels with pre-built regression test packages, so a patch can be released within hours while still meeting 26262 evidence requirements.
Conflict 3: ASIL versus CAL
ASIL and CAL look similar on paper but they grade different things. A function can be ASIL D (highest safety integrity) and CAL 2 (moderate cybersecurity assurance), or ASIL B and CAL 4. Hardware budget allocation to either can pull the architecture in different directions.
Resolution: an integrated risk register that lists every function once, with both ASIL and CAL, and uses the higher of the two as the development discipline driver. This avoids two parallel architectures.
What changes for heavy-duty zero-emission specifically
Heavy-duty zero-emission programs add three concrete differences from passenger-car ISO 26262 / 21434 work.
- HV battery as ASIL D component. Loss of battery isolation is a hazard with potential for fire and electrocution. Most heavy-duty programs classify battery isolation monitoring at ASIL D, which forces redundant sensing and a high-rigor development process.
- Charging interface as cybersecurity attack surface. Any plug-in interface (CCS2, MCS) is a potential entry point. ISO 15118 introduces TLS-secured Plug and Charge, but the certificate management at fleet scale is a CSMS topic, not a charging-protocol topic.
- Off-highway operating modes. Many heavy-duty platforms have non-public-road modes (construction site, mine, port). HARA scoping has to cover both. Some hazards that are negligible on a public road are critical in a port (where a fully laden electric reach stacker can damage a vessel).
The integration partner’s role
Functional safety and cybersecurity work spans concept, development, validation and production. The integration partner adds value at three points specifically.
- Item definition workshop: co-author the document that anchors both HARA and TARA, ensuring it is fit for both purposes.
- HARA + TARA in parallel: facilitate the workshop, document hazards and threats simultaneously, identify shared mitigations.
- Technical safety + cybersecurity case: assemble the evidence in the format both ECE R155 and the WVTA technical file expect.
OEMs that try to do this internally for the first heavy-duty zero-emission program almost always end up with two parallel documentation chains, each with gaps. An integration partner that has run this for prior programs delivers a single chain with cross-references where they belong.
Timeline: where 26262 and 21434 land in a typical heavy-duty program
A 36-month heavy-duty zero-emission program from concept to type approval usually structures the safety and cybersecurity work like this. The dates are illustrative but the sequencing is consistent across programs.
| Month | ISO 26262 milestone | ISO 21434 milestone |
|---|---|---|
| 0-3 | Item definition, HARA, ASIL allocation | Item definition, TARA, CAL allocation |
| 3-9 | Functional safety concept, technical safety concept | Cybersecurity concept |
| 9-18 | Hardware and software development per ASIL | Cybersecurity controls implementation |
| 18-27 | Verification, validation, integration testing | Penetration testing, cybersecurity validation |
| 27-33 | Safety case assembly | Cybersecurity case, CSMS evidence |
| 33-36 | Type approval submission with WVTA | R155 / R156 evidence in WVTA file |
Frequently asked questions
Is ISO 26262 mandatory for heavy-duty vehicles?
The standard itself is voluntary, but in practice it is the route to demonstrating functional safety due diligence required by EU type approval and by most OEM internal processes. The second edition (2018) explicitly extends scope to vehicles above 3.5 tonnes. Heavy-duty zero-emission programs that bypass ISO 26262 typically face questions from approval authorities and from OEM customers requesting evidence of safety integrity.
What is the relationship between ISO 21434 and ECE R155?
ECE R155 is the regulation that mandates a Cybersecurity Management System for vehicles entering the EU market. ISO 21434 is the international standard that defines how to build that CSMS. Compliance with ISO 21434 is the de facto route to compliance with ECE R155, although other routes are theoretically possible. In practice, EU type-approval authorities expect ISO 21434-aligned evidence.
What is the difference between ASIL and CAL?
ASIL (Automotive Safety Integrity Level) is an ISO 26262 grading from QM, A, B, C to D, used to set the rigor of functional safety development for a given hazard. CAL (Cybersecurity Assurance Level) is an ISO 21434 grading from CAL 1 to CAL 4, used to set the rigor of cybersecurity engineering for a given threat. They grade different concepts and are not directly comparable. A function can carry both an ASIL and a CAL, and the development process has to satisfy both.
How long does ISO 26262 / 21434 work add to a heavy-duty program?
For a first-time heavy-duty zero-emission OEM, expect 4-8 months of additional concept-phase work compared to a non-26262 program, plus continuous work through development. Programs that already run 26262 on adjacent products usually absorb the cybersecurity work in 2-4 additional months. The cost of late entry is steep: retrofitting safety and cybersecurity evidence onto a finished design typically costs 3-5 times more than building it in from concept.
Building the safety and cybersecurity case in parallel?
IntegratR’s integration team supports OEMs through HARA, TARA, ASIL and CAL allocation, and assembling the WVTA technical file with R155 / R156 evidence. Get in touch or join us at iVT Expo Cologne.
English 
Dutch