The standard process for the development of automotive electronic systems is based on the "V Model '97", a life cycle process model that is the development standard for embedded electronic systems of the Federal Republic of Germany. Originally intended for information and communication systems, it was adapted for other domains, including the automotive domain. However, the sequence of design and verification steps is neither standardized nor formalized throughout the automotive domain.
Almost every OEM and supplier uses a slightly different design method. Large efforts are currently being made in the automotive industry to enhance the development of safety-critical electronic systems. The aerospace industry (a domain with very standardized and formal development processes) has much more experience with safety-critical systems. Aerospace development processes place both the function and the safety of an aerospace system at the center of focus (Fig. 1).
However, the aerospace processes cannot be used directly in the automotive domain, as the boundary conditions and the requirements for safety and reliability in these two domains are different. For example, hazard analysis for an airplane explicitly distinguishes between different flight phases (start, cruise, landing). The corresponding phases for cars (start, accelerate, cruise, braking) generally make little sense. For cars, different driving situations are more relevant, e.g. for a steer-by-wire system: driving straight ahead, driving a curve, passing maneuver, reversing, etc., which in principle distinguish whether or not the steering wheel needs to be turned.
Road conditions should also be considered (rain, aquaplaning, ice, off road, gravel, sand, road hole, flange groove). Besides the different analysis processes, the most important difference is the very low production volume of electronic control units in an airplane compared to automotive electronic systems (several thousand vs. several million); therefore, the cost of additional hardware components in an airplane weighs much less than the labor-intensive and protracted development and test of a new concept.
Safety and reliability requirements in airplanes allow for expensive redundancy concepts. Redundancy is necessary in both domains; however, the triple-triple modular hardware redundancy for the primary flight control in a large passenger plane, e.g. the Boeing 777, is by far too expensive in automotive applications, so double hardware redundancy is common in cars.