According to the latest data from the Bureau of Transportation Statistics (BTS), there are approximately 6.8 million motor vehicle crashes reported annually in the United States. This data underscores the ongoing importance of vehicle safety measures and the need for stringent safety standards (BTS.gov).
In 2022, the National Highway Traffic Safety Administration (NHTSA) reported that around 40,000 people died in motor vehicle traffic crashes, a slight decrease from previous years. Additionally, in 2022, there were an estimated 289,310 injuries related to crashes involving distracted drivers, highlighting the persistent issue of driving distractions (NHTSA).
Furthermore, the U.S. Department of Transportation reported that in 2023, there were 42,514 fatalities in motor vehicle crashes, continuing a concerning trend in traffic-related deaths (NHTSA).
Auto recalls remain a significant issue. In 2022, there were several major recalls, though not as high as the record 53.2 million vehicles recalled in 2016.
These stats clearly indicate that the automotive industry has become safer through ISO 26262 implementation. However, there is still a lot to achieve. Hence functional safety remains the fundamental requirement of an automotive application development. And determination of ASIL levels in automotive solutions development is the first step in the journey to functional safety.
Through the Lens of ISO 26262 Paradigm: What is Functional Safety and ASIL
ISO 26262 standard defines functional safety as the “absence of unreasonable risk due to hazards caused by malfunctioning behavior of electrical/electronic systems”.
For ISO 26262 compliance; a functional safety consultant identifies and assesses hazards (safety risks).
These hazards are then categorized based as per the Automotive Safety Integrity Level (ASIL) framework.
Such a clear classification of hazards helps to :
- Establish various safety requirements to mitigate the risks to acceptable levels
- Smoothly manage and track these safety requirements
- Ensure that standardized safety procedures have been followed in the delivered product.
Automotive Safety Integrity Level (ASIL) , specified under the ISO 26262 is a risk classification scheme for defining the safety requirements. ASIL values are assigned by performing risk analysis of potential hazard, by evaluating various risk parameters (Severity, Exposure and Controllability).
Safety Life-cycle is a Journey, Safety Goals and ASIL are the Milestones!
The journey of safety life-cycle, of any automotive component, begins with the definition of the system and its safety-criticality at the vehicular level.
This is achieved by conducting Hazard Analysis and Risk Assessment (HARA) for the corresponding automotive component (hardware/ software). HARA is a necessary exercise for the determination of the Automotive Safety Integrity Level (ASIL).
During HARA, all the potential scenarios of hazards and dangers are evaluated for a particular automotive component, the occurrence of which can be critical for vehicle safety.
For example, an unexpected inflation of airbag or failures of brakes are potential safety hazards that should be assessed and managed in advance.
HARA is followed by identifying the safety goals for each component, which are then classified according to either the QM or ASIL levels, under the ISO 26262 standard.
Automobile Safety Issue types. Image credit: MentorFor example, for a car door, the safety goal could be both the importance of having it opened or closed depending on which action is safe under a particular condition. During instances of fire inside the vehicle or a flood, the safety goal would be to have the car door opened as quickly as possible so that the passengers can escape.
On the contrary, while the vehicle is moving fast, the safety goal related to the door will be to remain closed- accidental opening of door of a moving car could lead to greater risks.
How to Determine the ASIL Levels in Automotive Application, as per the ISO 26262 Standard
ISO 26262 standard defines four values of ASIL: ASIL A, ASIL B, ASIL C, ASIL D.
ASIL D represents the highest degree of automotive hazard and ASIL A the lowest. There is another level called QM (for Quality Management level) that represents hazards that do not dictate any safety requirements.
The following figure demonstrates the steps involved in the determination of ASIL for an Anti-Breaking System ( ABS).
Image credit: Whitepaper by CadenceOnce this classification is completed, it helps in identifying the processes and the level of risk reduction needed to achieve a tolerable risk. Safety goal definition as per ASIL is performed for both hardware and software processes within automotive design to ensure highest levels of functional safety.
These safety levels are determined based on 3 important parameters:
Exposure ( E): This is the measure of the possibilities of the vehicle being in a hazardous or risky situation that can cause harm to people and property. Various levels of exposure such as E1: very low probability, E2: low probability, E3: medium probability, E4: high probability are assigned to the automotive component being evaluated.
Controllability (C) : Determines the extent to which the driver of the vehicle can control the vehicle if a safety goal is breached due to failure or malfunctioning of any automotive component being evaluated. The order of controllability is defined as: C1<C2<C3 ( C1 for easy to control while C3 for difficult to control).
Severity ( S): Defines the seriousness or intensity of the damage or consequences to the life of people ( passengers and road users) and property due to safety goal infringement. The order of severity is : S1 for light and moderate injuries; S2 for severe and life-threatening injuries, and S3 for life-threatening incidences.
ASIL Allocation Table as per ISO 26262 Standard
The ASIL levels – ASIL A, B, C ,and D are assigned based on an allocation table defined by the ISO 26262 standard.
Evaluation safety goals of automotive components Image credit: techdesignforums
Let us try to understand the determination of ASIL levels for automotive components based on the E, C and S parameters.
Few observations from the ASIL allocation table,
- A combination of S3, E4 and C3 (the extremes of the 3 parameters) refers to a highly hazardous situation. Hence the component being evaluated is identified to be ASIL D, which means it is prone to severely life-threatening events in case of a malfunction and calls for the most stringent levels of safety measures.
- On the contrary, a combination of S1, E1 and C1 ( the lowest levels of the 3 parameters in terms of safety-criticality) calls for QM levels, which means the component is not hazardous and does not emphasize safety requirements to be managed under the ISO 26262.
- Similarly, combination of the medium levels – S2, E4 and C3 or S2,E3 and C2 defines either an ASIL C or an ASIL A.
The intensity of the hazard thus depends on the ASIL levels of the components , under consideration. Allocation of ASIL helps in identifying how much threat the malfunctioning of a particular component can cause under various situations.
Under the framework of the ISO 26262 ASIL and functional safety; the safety goals are more critical than the functionality of the automotive component. Let us take the example of charging of a vehicle battery to understand this statement.
The safety goals associated with a battery is a more critical consideration to be evaluated as per ASIL, more than the battery itself as shown in the table below. The overcharging of battery at a speed below 10 km/hour is not as serious a situation as overcharging at very high speeds, where the possibilities of overheating and consequent fire could also be high. :
| Vehicle Condition | Cause of malfunction | Possible hazard | ASIL |
| Running Speed< 10 km/h | Charging of battery pack beyond allowable energy storage | Overcharging may lead to thermal event | A |
| Running Speed> 10 – 50 km/h | Charging of battery pack beyond allowable energy storage | Overcharging may lead to thermal event | B |
| Running Speed> 50 km/h | Charging of battery pack beyond allowable energy storage | Overcharging may lead to thermal event | C |
Thus, ASIL determination forms a very critical process in the development of highly reliable and functional safe automotive applications. In today’s time where the car designs have become increasingly complex with huge number of ECUs, sensors and actuators, the need to ensure functional safety at every stage of product development and commission has become even more important.
This is why modern day automotive manufacturers are very particular about meeting the highest automotive safety standards in accordance to the ISO 26262 standard and ASIL Levels.
Impact of ASIL Level on Automotive System Design
ISO 26262 categorizes safety requirements based on the ASIL value assigned through hazard analysis and risk assessment. The ASIL influences not only the design features of a system but also the development process, including requirements management, design, implementation, verification, validation, and configuration.
Safety Requirements and Mechanisms
- ASIL-Dependent Safety Requirements: The higher the ASIL level (ranging from A to D), the stricter the safety requirements. For example, a system with an ASIL D rating would need to incorporate more robust safety mechanisms than an ASIL A system.
- Design Redundancy: Systems with higher ASIL ratings often require redundancy to ensure safety. This can involve dual microcontrollers or redundant sensor inputs to mitigate the risk of a single point of failure.
- Error Detection and Handling: Enhanced error detection capabilities and fail-safe mechanisms are integrated. For example, in ASIL C and D systems, it might be necessary to have automatic detection and response systems that can take control if a primary function fails.
ISO 26262 Compliant Development Process
- Stringent Development: The development process for higher ASIL-rated components is more stringent. This includes comprehensive documentation, more rigorous testing procedures, and extensive validation to ensure that the system meets safety standards.
- Verification and Validation (V&V): For higher ASILs, the V&V processes are intensive. This involves both software and hardware level testing, often including fault injection and stress testing to ensure that the system behaves correctly under failure conditions.
- Software Tool Qualification: The development tools themselves need to be qualified. For systems with high ASIL requirements, the software tools used in the development process must also be certified for safety as per ISO 26262.
Quality Assurance and Compliance
- Traceability: There must be complete traceability from the safety requirements through to the implementation and testing phases. This ensures that every safety requirement is met and can be accounted for in the final product.
- Audit and Assessment: Systems with higher ASIL ratings require regular audits and assessments to ensure compliance with ISO 26262. These audits review the safety lifecycle and the effectiveness of the implemented safety measures.
Practical Implications
- Cost and Complexity: Implementing high ASIL standards increases both the complexity and cost of the development process. High-reliability components, additional safety features, and extensive testing all contribute to increased production and development costs.
- Impact on Design Choices: Sometimes, achieving a lower ASIL for certain components might lead to design changes to limit the system’s functionality or performance to ensure safety. Design teams need to balance functionality, safety, and cost effectively.
Conclusion
The impact of ASIL level on system design is substantial, influencing various aspects of automotive system development from initial design through to final testing and compliance.
Adhering to the rigorous requirements of higher ASIL levels ensures that the automotive systems provide the necessary safety features to protect the occupants and align with industry standards under ISO 26262.
