ISO 26262 Part 7 Production, Operation, Service & Decommissioning: Manufacturing Safety, Field Monitoring, Service & Lifecycle Management Explained
Hello, automotive production engineers, service managers, and safety professionals! Welcome to the seventh deep-dive post in our comprehensive ISO 26262 series at PiEmbSysTech. In this article, we will explore ISO 26262 Part 7 – Production, Operation, Service and Decommissioning, the part that ensures functional safety is maintained throughout the entire lifecycle of the vehicle – long after development is complete.

Many engineers focus exclusively on Parts 3 through 6 (concept, system, hardware, and software development) and overlook Part 7. This is a mistake. A perfectly designed and verified safety-critical system can be rendered unsafe by a manufacturing defect on the production line, an incorrect repair during service, a poorly managed software update during operation, or an unsafe decommissioning procedure. Part 7 closes these gaps by specifying the requirements for maintaining functional safety from the factory floor through to the scrapyard.
Let us explore every aspect of this critical but often underestimated part of the standard.
ISO 26262 Part 7 Table of Contents
- What is ISO 26262 Part 7 and Why Does It Matter?
- Structure of Part 7 – The Four Lifecycle Phases
- Production Planning for Functional Safety (Clause 5)
- What the Production Plan Must Address
- Safety-Related Special Characteristics (SRSCs)
- End-of-Line Testing and Production Verification
- Production Process Control for Safety-Critical Manufacturing
- Operation Phase – Maintaining Safety During Vehicle Use
- Field Monitoring – Detecting Safety Issues in the Field
- Over-the-Air (OTA) Software Updates and Functional Safety
- Service and Repair Phase – Safety in the Workshop
- Service Requirements for Safety-Critical Systems
- Replacement Parts and Component Substitution
- Decommissioning – Safe End-of-Life Disposal
- Post-SOP Modifications and Change Management
- Recall Management and Incident Response
- Key Work Products of Part 7
- How Part 7 Integrates with Other Parts
- Common Mistakes and How to Avoid Them
- Frequently Asked Questions
- Conclusion
1. What is ISO 26262 Part 7 and Why Does It Matter?
ISO 26262 Part 7: Production, Operation, Service and Decommissioning specifies the requirements for maintaining functional safety throughout the post-development lifecycle phases. It addresses the critical reality that development alone is not sufficient – the safety properties designed and verified during Parts 3 through 6 must be preserved during mass manufacturing, maintained during the vehicle’s operational life, restored correctly during service and repair, and safely managed during decommissioning.
Consider this: a safety-critical ECU developed to ASIL D standards with 99%+ SPFM, full MC/DC software coverage, and exhaustive integration testing can be completely undermined by a production process that incorrectly programs the flash memory, a service technician who installs a non-compliant replacement sensor, or a software update that introduces a regression into a safety-critical function. Part 7 exists to prevent exactly these scenarios.
The financial stakes are equally significant. Post-SOP safety issues can lead to field recalls costing hundreds of millions of dollars, regulatory investigations, legal liability, and devastating brand damage. Investing in robust Part 7 processes is not just a compliance requirement – it is a business imperative.
2. Structure of Part 7 – The Four Lifecycle Phases
ISO 26262-7:2018 is organized around four post-development lifecycle phases:
Clause 5: Production – Covers the planning and control of manufacturing processes to ensure that safety-related characteristics established during development are preserved in every produced unit. This includes production planning, specification of safety-related special characteristics, end-of-line testing, and production process controls.
Clause 6: Operation – Covers the vehicle’s operational life, including the information that must be provided to drivers and operators, field monitoring to detect potential safety issues, and the management of changes during the operational phase.
Clause 7: Service (Maintenance and Repair) – Covers the requirements for maintaining functional safety during service, maintenance, and repair activities, including requirements for service information, replacement parts, and repair procedures.
Clause 8: Decommissioning – Covers the safe end-of-life disposal and recycling of safety-related systems, including any hazards that may arise during disassembly.
Additionally, Part 7 addresses post-SOP modifications – changes to the product after the start of production – and the requirements for field monitoring and incident response.
3. Production Planning for Functional Safety (Clause 5)
Production planning is the process of translating the safety-related design specifications from development into concrete manufacturing instructions, quality controls, and verification procedures that ensure every produced unit achieves the required level of functional safety.
The production plan must be developed before the start of production (SOP) and must be based on the outputs of the development phase – particularly the hardware design specification, the software configuration, the system integration test results, and the safety-related special characteristics identified during development. The plan must be reviewed and approved by the safety manager and must be maintained throughout the production lifecycle.
The production plan is not a standalone document created in isolation – it builds upon and integrates with the organization’s existing production quality management processes (typically based on IATF 16949). ISO 26262 Part 7 adds safety-specific requirements on top of the quality baseline, ensuring that safety-critical aspects receive the additional attention they require.
4. What the Production Plan Must Address
ISO 26262-7:2018, Clause 5 specifies that the production plan shall address the following aspects:
Assembly and manufacturing instructions: Detailed procedures for assembling the safety-related item, including specific instructions for processes that affect safety – such as sensor calibration procedures, soldering quality requirements (e.g., IPC standards for safety-critical PCBs), torque specifications for mechanical fasteners in safety-critical assemblies, and correct installation of wiring harnesses.
ECU software programming: Procedures for correctly programming the ECU software, including flash programming sequences, software version verification, and post-programming functional checks. Incorrect software programming is one of the most common production-related safety failures – the wrong software version, a corrupted flash image, or an incomplete programming cycle can all compromise functional safety.
End-of-line calibration: Procedures for calibrating safety-related sensors and actuators at the end of the production line. For example, an inclination sensor in a rollover detection system must be calibrated to the specific vehicle’s orientation on the production line. An uncalibrated or miscalibrated sensor could produce incorrect readings that lead to either false activation or failure to activate the safety function.
Configuration management: Ensuring that the configurations defined during product development (hardware revision, software version, calibration data set, variant coding) are correctly applied to each produced unit and that traceability from each unit to its exact configuration is maintained.
Component selection and tolerances: Ensuring that components used in production meet the specifications defined during development, including tolerance ranges, quality grades, and any special requirements for safety-related components (such as AEC-Q100 qualified semiconductor devices).
Storage and handling: Requirements for the storage and handling of safety-related components and assemblies to prevent degradation – including electrostatic discharge (ESD) protection for electronic components, moisture sensitivity level (MSL) requirements for semiconductor packages, and shelf-life limitations for time-sensitive materials.
Lessons learned: Integration of lessons learned from previously released production plans and from production issues encountered on similar or predecessor products.
5. Safety-Related Special Characteristics (SRSCs)
Safety-Related Special Characteristics (SRSCs) are product or process characteristics whose variation could significantly affect the functional safety of the item. They are identified during development (primarily during Parts 4 and 5) and communicated to the production organization through the production plan.
Examples of SRSCs include critical component parameter values (such as the resistance value of a current-sensing resistor in a motor drive safety mechanism), critical assembly dimensions (such as the air gap in a position sensor), critical soldering joint quality on safety-related circuits, correct torque values for mechanical fasteners in safety-critical structural assemblies, and correct software version and calibration data programming.
SRSCs must receive enhanced process controls during production – including statistical process control (SPC), 100% inspection, or automated verification – to ensure that every produced unit meets the specification. The identification and control of SRSCs is a key bridge between the development phase (where they are identified) and the production phase (where they are controlled). This concept aligns directly with IATF 16949’s requirements for special characteristics and their control plans.
6. End-of-Line Testing and Production Verification
End-of-line (EOL) testing is the final verification step in the production process, performed on every produced unit (or a statistically valid sample) to confirm that the unit meets its safety-related functional specifications before it is shipped. EOL testing verifies that the hardware was correctly assembled and is functioning within specifications, the software was correctly programmed and configured, safety mechanisms are operational (e.g., diagnostic self-tests pass), sensors and actuators are correctly calibrated and producing outputs within the expected range, and communication interfaces are functioning correctly.
EOL test procedures must be derived from the safety requirements and must cover the safety-related special characteristics. The test coverage should be sufficient to detect any production-related defect that could compromise functional safety. Test equipment used for EOL testing must itself be calibrated and maintained to ensure accurate and reliable results.
For complex safety-critical systems (such as ADAS ECUs or EPS controllers), EOL testing may include running built-in self-tests (BIST), performing sensor plausibility checks, executing abbreviated functional test sequences, verifying CAN communication with simulated vehicle network messages, and checking for diagnostic trouble codes (DTCs) that indicate production faults.
7. Production Process Control for Safety-Critical Manufacturing
Beyond the production plan and EOL testing, Part 7 requires ongoing production process control to ensure that the manufacturing process remains stable and capable of consistently producing units that meet safety specifications. This includes statistical process control (SPC) for critical parameters and SRSCs, regular calibration and maintenance of production and test equipment, process capability studies (Cpk analysis) for safety-critical manufacturing steps, operator training and competency verification for safety-related production tasks, and nonconformance handling procedures with specific requirements for safety-related nonconformities (including quarantine, root cause analysis, and disposition by qualified personnel).
The production process control requirements integrate with the organization’s existing quality management system (IATF 16949) but add a safety overlay that ensures safety-critical aspects receive proportionally greater attention and control.
8. Operation Phase – Maintaining Safety During Vehicle Use
The operation phase covers the period during which the vehicle is in use by the customer. During this phase, functional safety is maintained through the item’s built-in diagnostic capabilities (which continuously or periodically monitor safety-related functions during driving), the information provided to the driver (owner’s manual, warning indicators, dashboard messages), and the organization’s field monitoring activities (collecting and analyzing field data to detect potential safety issues).
Part 7 requires that appropriate user information be provided to the driver and vehicle operator, including information about the function and operating conditions of safety-related systems, the meaning of safety-related warning indicators and messages, the actions the driver should take when warnings are presented (such as visiting a service centre promptly), any limitations on vehicle use when safety systems are degraded, and information relevant to rescue services (such as the location of high-voltage battery disconnect points in electric vehicles).
9. Field Monitoring – Detecting Safety Issues in the Field
Field monitoring is the systematic process of collecting, analyzing, and acting on data from vehicles in the field to detect potential functional safety issues that were not identified during development or that emerge over time due to degradation, manufacturing variations, or unforeseen operational conditions.
Field monitoring data sources include warranty claims and repair records for safety-related components, customer complaints and incident reports related to safety functions, data from vehicle diagnostic systems (such as DTCs collected during service visits), data from connected vehicle telematics (for vehicles with connectivity capabilities), information from regulatory agencies (such as NHTSA complaints and recall databases), and data from industry safety databases and information-sharing networks.
The organization must define a field monitoring process that specifies what data is collected, how it is collected, how it is analyzed for safety relevance, what thresholds or criteria trigger an investigation, and how the investigation results feed back into corrective action decisions. If field monitoring reveals a potential violation of a safety goal, the organization must initiate an investigation and, if necessary, implement corrective measures – which may range from a service campaign (proactive repair or update) to a formal safety recall.
Field monitoring is not a passive activity – it requires active, systematic analysis by personnel with both domain expertise and functional safety knowledge. A cluster of seemingly unrelated warranty claims for a specific component may, upon analysis, reveal a systematic safety issue that requires urgent corrective action.
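One way to turn the trigger criteria described above into a repeatable check, as an added example that is not part of the original post: a small triage routine that normalises warranty claims per part number against the fleet size and looks for the same DTC recurring within one production batch. The part numbers, DTCs, VINs, fleet sizes and both threshold values are constructed for the example; the standard requires an organisation to define such criteria, it does not prescribe these values.

```python
"""Field-monitoring triage over warranty claims (constructed example)."""
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Claim:
    vin: str               # vehicle identifier (constructed, not a real VIN)
    part_number: str       # safety-related component replaced under warranty
    dtc: str               # diagnostic trouble code read out at the workshop
    production_batch: str  # production batch of the replaced part
    claim_date: date


# Constructed sample data: hypothetical part numbers, DTCs and VINs.
FLEET_BY_BATCH = {"B2301": 1000, "B2302": 1000, "B2303": 1000}

CLAIMS = [
    # yaw-rate sensor: five claims with the same DTC, all from batch B2302
    Claim("VIN0001", "SNS-YAW-01", "C0196", "B2302", date(2024, 3, 2)),
    Claim("VIN0002", "SNS-YAW-01", "C0196", "B2302", date(2024, 3, 9)),
    Claim("VIN0003", "SNS-YAW-01", "C0196", "B2302", date(2024, 3, 15)),
    Claim("VIN0004", "SNS-YAW-01", "C0196", "B2302", date(2024, 3, 21)),
    Claim("VIN0005", "SNS-YAW-01", "C0196", "B2302", date(2024, 4, 1)),
    Claim("VIN0006", "SNS-YAW-01", "U0100", "B2301", date(2024, 4, 3)),
    # brake actuator: five unrelated claims spread over batches and DTCs
    Claim("VIN0007", "ACT-BRK-12", "C0035", "B2301", date(2024, 2, 1)),
    Claim("VIN0008", "ACT-BRK-12", "C0040", "B2302", date(2024, 2, 11)),
    Claim("VIN0009", "ACT-BRK-12", "C0045", "B2303", date(2024, 2, 20)),
    Claim("VIN0010", "ACT-BRK-12", "C0050", "B2301", date(2024, 3, 5)),
    Claim("VIN0011", "ACT-BRK-12", "C0035", "B2303", date(2024, 3, 30)),
    # EPS ECU: three scattered claims, below every threshold
    Claim("VIN0012", "ECU-EPS-07", "C1A00", "B2301", date(2024, 1, 15)),
    Claim("VIN0013", "ECU-EPS-07", "C1A01", "B2302", date(2024, 2, 15)),
    Claim("VIN0014", "ECU-EPS-07", "C1A02", "B2303", date(2024, 3, 15)),
]

# Assumed trigger criteria for this example; an organisation defines its own.
RATE_THRESHOLD = 0.0015   # claims per vehicle in the fleet, per part number
CLUSTER_MIN = 3           # same part, same DTC, same batch -> systematic suspect


def claim_rate_by_part(claims, fleet_size):
    """Fleet-normalised warranty claim rate for every part number."""
    counts = Counter(c.part_number for c in claims)
    return {part: n / fleet_size for part, n in counts.items()}


def dtc_batch_clusters(claims, cluster_min):
    """(part, dtc, batch) triples that recur at least cluster_min times."""
    counts = Counter((c.part_number, c.dtc, c.production_batch) for c in claims)
    return {key: n for key, n in counts.items() if n >= cluster_min}


def triage(claims, fleet_by_batch, rate_threshold=RATE_THRESHOLD,
           cluster_min=CLUSTER_MIN):
    """Return {part_number: [trigger reasons]} for parts needing an investigation."""
    fleet_size = sum(fleet_by_batch.values())
    triggers = defaultdict(list)
    for part, rate in claim_rate_by_part(claims, fleet_size).items():
        if rate > rate_threshold:
            triggers[part].append(f"claim rate {rate:.4f} exceeds {rate_threshold}")
    for (part, dtc, batch), n in dtc_batch_clusters(claims, cluster_min).items():
        triggers[part].append(f"{n} claims with DTC {dtc} from batch {batch}")
    return dict(triggers)


if __name__ == "__main__":
    for part, reasons in triage(CLAIMS, FLEET_BY_BATCH).items():
        print(part)
        for reason in reasons:
            print("  -", reason)
```

The EPS ECU stays below both criteria, the brake actuator trips only the rate criterion, and the yaw-rate sensor trips both, which is the "cluster of seemingly unrelated claims" case the text warns about.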
10. Over-the-Air (OTA) Software Updates and Functional Safety
With the rise of software-defined vehicles, over-the-air (OTA) software updates have become an increasingly important topic for functional safety. While the current 2018 edition of ISO 26262 does not extensively address OTA, the implications are clear: any software update that modifies safety-related software must be treated as a post-SOP modification and must go through the appropriate change management and safety impact analysis process.
Key considerations for OTA updates to safety-critical software include ensuring that the OTA update process itself cannot introduce safety hazards (such as an interrupted update leaving the ECU in an inconsistent state), verifying that the updated software has been developed, tested, and verified according to the same ISO 26262 Part 6 requirements as the original software, implementing rollback mechanisms that can restore the previous safe software version if the update fails, verifying the integrity and authenticity of the update package (preventing malicious or corrupted software from being installed), and managing the vehicle state during the update (ensuring that safety-critical functions are not disrupted during the update process).
OTA updates for safety-critical systems are expected to receive significant attention in the upcoming third edition of ISO 26262, as well as in the related cybersecurity standard ISO/SAE 21434 and the UNECE WP.29 regulations on software updates (UN R156).
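The OTA considerations listed above (authenticity and integrity of the package, a safe state if the update is interrupted, and rollback after a failed post-update check) as an added, simplified example that is not code from the original post or from any OEM update system. It assumes an A/B flash-slot layout, a manifest that binds version, target hardware revision and image hash, and uses a stdlib HMAC as a stand-in for the asymmetric signature a real ECU verifies against a public key in immutable storage; the key, version strings and image bytes are constructed.

```python
"""OTA update: integrity, authenticity, anti-rollback and A/B rollback (constructed)."""
import hashlib
import hmac
import json
from dataclasses import dataclass, field

# Constructed demo key. A real ECU checks an asymmetric signature against a public
# key in immutable storage; an HMAC stands in here so the block runs with the stdlib.
OEM_KEY = b"constructed-demo-key-not-for-use"


def sign_manifest(manifest: dict) -> str:
    """Back-end side: sign the canonical JSON form of the manifest."""
    canonical = json.dumps(manifest, sort_keys=True).encode()
    return hmac.new(OEM_KEY, canonical, hashlib.sha256).hexdigest()


def build_package(version: str, min_hw_rev: str, image: bytes) -> dict:
    """Back-end side: the manifest binds version, target hardware and image hash."""
    manifest = {"version": version, "min_hw_rev": min_hw_rev,
                "sha256": hashlib.sha256(image).hexdigest()}
    return {"manifest": manifest, "signature": sign_manifest(manifest), "image": image}


class UpdateError(Exception):
    pass


def parse_version(v: str) -> tuple:
    return tuple(int(x) for x in v.split("."))


@dataclass
class Ecu:
    hw_rev: str                      # single-letter revision, compared lexically
    slots: dict = field(default_factory=lambda: {"A": None, "B": None})
    active: str = "A"
    version: str = "0.0.0"

    def verify_package(self, pkg: dict) -> dict:
        """Reject anything unauthentic, corrupted, incompatible or not newer."""
        manifest = pkg["manifest"]
        if not hmac.compare_digest(sign_manifest(manifest), pkg["signature"]):
            raise UpdateError("manifest signature invalid")
        if hashlib.sha256(pkg["image"]).hexdigest() != manifest["sha256"]:
            raise UpdateError("image hash does not match signed manifest")
        if self.hw_rev < manifest["min_hw_rev"]:
            raise UpdateError(f"hardware revision {self.hw_rev} not supported")
        if parse_version(manifest["version"]) <= parse_version(self.version):
            raise UpdateError("version not newer than installed (anti-rollback)")
        return manifest

    def install(self, pkg: dict, self_test, write=None) -> str:
        """Stage into the inactive slot, switch atomically, self-test, roll back."""
        manifest = self.verify_package(pkg)
        staging = "B" if self.active == "A" else "A"
        previous = (self.active, self.version)
        # Only the inactive slot is written: if the write is interrupted (the
        # writer raises), the active slot is untouched and the old image still boots.
        writer = write or (lambda slot, data: data)
        self.slots[staging] = writer(staging, pkg["image"])
        if hashlib.sha256(self.slots[staging]).hexdigest() != manifest["sha256"]:
            raise UpdateError("flash verify after write failed")
        # Atomic activation: only the slot pointer and version record change here.
        self.active, self.version = staging, manifest["version"]
        if not self_test(self.version):
            # Post-update diagnostic self-test failed: restore the previous slot.
            self.active, self.version = previous
            raise UpdateError("self-test failed, rolled back to " + previous[1])
        return self.version


if __name__ == "__main__":
    ecu = Ecu(hw_rev="C", version="2.0.0")
    ecu.slots["A"] = b"constructed firmware image v2.0.0"
    pkg = build_package("2.1.0", "B", b"constructed firmware image v2.1.0")
    print("installed", ecu.install(pkg, self_test=lambda v: True), "in slot", ecu.active)
```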
11. Service and Repair Phase – Safety in the Workshop
The service phase covers all maintenance, repair, and modification activities performed on the vehicle during its operational life – whether at authorized dealer workshops, independent repair facilities, or even by the vehicle owner.
Part 7 requires that the organization provide adequate service information to enable safe and correct service of the safety-related systems. This information must include service and repair procedures for safety-related components, diagnostic procedures for identifying safety-related faults, instructions for replacement of safety-related components (including calibration procedures, software re-programming requirements, and post-repair verification tests), identification of safety-related components that require specific handling, disposal, or recycling procedures, and warnings about the consequences of incorrect repair or unauthorized modifications to safety-related systems.
12. Service Requirements for Safety-Critical Systems
Service activities on safety-critical systems require particular care to ensure that functional safety is maintained or restored after the service intervention. Key requirements include using only approved replacement parts that meet the same safety specifications as the original parts, following the prescribed repair procedures exactly – including any post-repair calibration, configuration, or verification steps, re-programming the ECU software correctly when software updates or recalibration are part of the repair procedure, verifying the correct operation of the repaired system through post-repair functional testing (including verifying that safety mechanisms are operational and that no new diagnostic trouble codes are present), and documenting the repair activity for traceability.
The challenge of ensuring correct service is compounded by the diversity of service environments – from well-equipped OEM dealer workshops with specialized diagnostic equipment and trained technicians to independent repair shops that may lack specific training or tools. The service information provided by the organization must be clear and comprehensive enough to enable correct repair in all these contexts.
13. Replacement Parts and Component Substitution
When a safety-related component is replaced during service, the replacement part must meet the same safety requirements as the original. This means using the same part number from the same approved supplier (or an approved equivalent), ensuring that the replacement part has the correct hardware revision and, where applicable, the correct software version, verifying that any safety-related calibration or configuration data is correctly applied to the replacement part, and performing the required post-installation verification.
Component substitution – replacing a safety-related component with an alternative part that is different from the original – is a particularly sensitive area. Any substitution that changes the hardware characteristics (failure rates, failure modes, performance parameters) can affect the hardware architectural metrics (SPFM, LFM, PMHF) and potentially invalidate the safety analysis. Component substitutions must be managed through a formal change management process with a safety impact analysis before they are approved for field use.
14. Decommissioning – Safe End-of-Life Disposal
The decommissioning phase covers the end-of-life disposal, recycling, and scrapping of the vehicle and its safety-related systems. Part 7 divides decommissioning into three sub-phases: before disassembling (preparation), disassembling (the physical dismantling), and after disassembling (disposal, recycling, and potential reuse).
Decommissioning requirements are particularly relevant for vehicles with high-voltage battery systems (electric and hybrid vehicles), where improper handling during disassembly can create life-threatening electrical shock hazards. For these vehicles, the decommissioning instructions must include procedures for safely disconnecting and discharging high-voltage systems, identification and handling of hazardous materials, and procedures for safe storage and transport of removed battery modules.
Part 7 also addresses the potential reuse of safety-related components from decommissioned vehicles. If a safety-related ECU or sensor is to be deployed in another vehicle, the requirements of Part 8, Clause 14 (qualification of hardware elements) must be followed to ensure that the reused component still meets the required safety specifications after its prior operational life.
15. Post-SOP Modifications and Change Management
Post-SOP modifications – any changes to the product after the release for production – must be carefully managed to ensure that they do not introduce new safety hazards or degrade existing safety properties. Part 7, in conjunction with Part 2 (safety management) and Part 8 (change management), requires that every post-SOP change be subjected to a safety impact analysis.
The safety impact analysis evaluates whether the change affects any safety-related element, function, or property, whether the change could introduce new failure modes or alter existing failure mode distributions, whether the change affects hardware architectural metrics or software safety properties, and whether the existing safety analyses (FMEDA, FMEA, FTA) need to be updated to reflect the change.
Based on the impact analysis, the change is classified and the appropriate level of re-analysis, re-testing, and re-verification is determined. Minor changes with no safety impact may proceed with minimal additional effort. Significant changes that affect safety-related functions may require a full re-execution of relevant safety lifecycle activities, potentially including updated HARA, revised safety requirements, updated FMEDA, and regression testing.
The change management process must maintain complete traceability between the change, the impact analysis, the corrective/verification actions taken, and the updated safety case. This traceability is essential for demonstrating continued compliance and for supporting any future safety assessments or audits.
16. Recall Management and Incident Response
When field monitoring or other sources identify a safety issue that affects vehicles already in the field, the organization must have a defined process for evaluating the severity and scope of the issue, determining the appropriate corrective action (software update, hardware modification, component replacement, or full recall), notifying the relevant regulatory authorities (such as NHTSA, KBA, or equivalent national bodies), communicating with affected vehicle owners, implementing the corrective action through the dealer/service network, and tracking the completion rate and effectiveness of the corrective action.
Recall management is a high-stakes activity that involves legal, regulatory, financial, and reputational dimensions beyond the pure safety engineering scope. However, the technical foundation – the ability to identify the issue, determine its root cause, assess its safety impact, and design an effective corrective action – depends directly on the quality of the safety case and the safety analyses performed during development. Organizations with well-maintained safety cases and comprehensive safety analyses can respond to field issues more quickly and effectively than those with poorly documented safety evidence.
17. Key Work Products of Part 7
Part 7 produces the following essential work products: production plan (including assembly instructions, EOL test procedures, SRSC definitions, and process control requirements), production control plan (SPC parameters, inspection criteria, calibration requirements), user information (owner’s manual content for safety-related systems, warning indicator descriptions, rescue service information), service instructions (repair procedures, diagnostic procedures, calibration procedures, post-repair verification procedures for safety-related systems), decommissioning instructions (safe disassembly procedures, hazardous material handling, component reuse criteria), field monitoring reports (field data collection, analysis, and investigation results), and post-SOP modification records (change requests, safety impact analyses, verification evidence).
18. How Part 7 Integrates with Other Parts
Part 7 does not operate in isolation – it depends on and integrates with several other parts of the standard. Part 2 (Safety Management) provides the safety management framework for post-development phases, including roles and responsibilities for production safety, field monitoring, and post-SOP change management. Parts 4, 5, 6 (Development) provide the design specifications, safety analyses, and verification results that the production plan is based on, and that field monitoring results are compared against. Part 8 (Supporting Processes) provides the change management and configuration management processes that govern post-SOP modifications. Part 9 (ASIL-Oriented Analyses) provides the safety analysis methods used in safety impact analyses for post-SOP changes.
The production plan is developed during the latter stages of product development (typically in parallel with system and hardware integration testing) and must be finalized before the release for production decision (Part 2). The service and decommissioning instructions are also developed during the development phase, based on the evolving understanding of the product’s safety-related characteristics and service needs.
19. Common Mistakes and How to Avoid Them
Mistake 1: Treating Part 7 as an afterthought. Production planning, service information, and decommissioning instructions should be developed in parallel with the product, not hastily assembled at the end. Identifying SRSCs and developing EOL test procedures requires deep understanding of the safety design – this knowledge resides in the development team and should be captured while it is fresh.
Mistake 2: Inadequate EOL testing coverage. EOL tests that only verify basic functionality without specifically testing safety mechanisms provide insufficient evidence that the produced unit is safe. EOL tests should be derived from the safety requirements and should specifically verify the operation of safety mechanisms, the calibration of safety-related sensors, and the correct software programming.
Mistake 3: Insufficient field monitoring. Passive collection of warranty data without active, systematic analysis for safety patterns is inadequate. Field monitoring requires dedicated attention from personnel who understand both the product’s safety architecture and the potential failure modes.
Mistake 4: Uncontrolled post-SOP changes. Making production changes (component substitutions, software updates, process adjustments) without a formal safety impact analysis is one of the most common and most dangerous post-development errors. Every change, no matter how minor it appears, must be evaluated for its potential safety impact before implementation.
Mistake 5: Incomplete service information. Service instructions that omit post-repair verification steps, calibration procedures, or safety warnings can lead to incorrect repairs that compromise functional safety. Service information must be as thorough and precise as the development documentation itself.
Mistake 6: Neglecting decommissioning considerations for EVs. As electric vehicles become more prevalent, the decommissioning requirements for high-voltage battery systems and power electronics become increasingly critical. Failure to provide adequate decommissioning instructions can create serious safety hazards for recycling and scrapyard workers.
20. Frequently Asked Questions
Q1: Who is responsible for Part 7 activities – the development team or the production team?
Responsibility is shared. The development team identifies the safety-related special characteristics, defines the safety-critical production and service requirements, and provides the technical content for the production plan, service instructions, and decommissioning instructions. The production and service organizations implement these requirements and are responsible for maintaining compliance during their respective lifecycle phases. The safety manager has oversight responsibility across all phases.
Q2: Does Part 7 apply to Tier-1 suppliers or only to OEMs?
Part 7 applies to every organization in the supply chain that performs production, service, or decommissioning activities on safety-related items or elements. Tier-1 suppliers who manufacture safety-related ECUs must comply with the production requirements. Organizations that perform service on safety-related systems must follow the service requirements. The scope of each organization’s Part 7 responsibilities is typically defined in the Development Interface Agreement (DIA).
Q3: How does Part 7 relate to IATF 16949?
IATF 16949 provides the quality management foundation for automotive production, including process control, inspection, calibration, and nonconformance management. Part 7 builds upon this foundation by adding safety-specific requirements – such as the identification of SRSCs, safety-specific EOL testing, and safety impact analysis for post-SOP changes. Organizations that are already IATF 16949 compliant have a strong baseline for Part 7 compliance, but additional safety-specific processes and controls are needed.
Q4: Are OTA software updates covered by Part 7?
OTA updates to safety-related software are treated as post-SOP modifications and must go through the same change management and safety impact analysis process as any other product change. The current edition does not have specific OTA-focused clauses, but the general principles of change management, regression testing, and safety verification apply. More specific OTA guidance is expected in the upcoming third edition and in related regulations like UN R156.
Q5: What happens if a field monitoring investigation reveals a safety goal violation?
If field evidence indicates that a safety goal is being violated in vehicles in the field, the organization must take immediate containment action (to prevent further harm), perform a thorough root cause analysis, develop a corrective action plan (which may include a field recall, service campaign, or software update), notify relevant regulatory authorities as required by law, implement the corrective action and track its completion, and update the safety case and safety analyses to reflect the issue and its resolution. This process may also trigger lessons learned that improve the development process for future products.
Q6: How detailed should decommissioning instructions be?
The level of detail depends on the hazards present in the item during decommissioning. For a conventional ECU with no stored energy, minimal instructions may suffice. For systems involving high-voltage batteries, pyrotechnic devices (airbag inflators), or pressurized systems, the decommissioning instructions must be detailed, specific, and clearly communicated to the recycling and scrapyard industry.
21. Conclusion
ISO 26262 Part 7 – Production, Operation, Service and Decommissioning ensures that the functional safety achieved during development is preserved throughout the entire lifecycle of the vehicle. From the precision of end-of-line testing on the factory floor, through the vigilance of field monitoring during vehicle operation, to the thoroughness of service procedures in the workshop and the safety of decommissioning at the scrapyard – every phase matters.
Part 7 is the part that keeps functional safety alive in the real world. The most elegant safety architecture, the most rigorous software verification, and the most comprehensive safety case are all meaningless if the produced unit has a manufacturing defect, if a field issue goes undetected, or if a service repair introduces a new hazard. Investing in robust Part 7 processes – and ensuring close collaboration between development, production, service, and safety management teams – is essential for truly achieving the absence of unreasonable risk that ISO 26262 demands.
This article is part of our comprehensive ISO 26262 series at PiEmbSysTech. Next in our series: ISO 26262 Part 8 – Supporting Processes & Tool Qualification. Be sure to review our earlier posts on Part 1, Part 2, Part 3, Part 4, Part 5, and Part 6.
Stay safe. Stay vigilant. Keep engineering the future.
– The PiEmbSysTech Team