Through the Lens of ISO 26262 Paradigm: What is Functional Safety and ASIL

12 years and 2 versions later, the ISO 26262 standard is now established as the de facto functional safety standard for road vehicles. Every moving part in this automotive ecosystem is now aligned to this standard in some way or the other, and every innovation in the automotive industry has to go through the rigours of ISO 26262. But there is a delicate balance between innovation and safety.

At the heart of ISO 26262 standard lies the Automotive Safety Integrity Level (ASIL), a strategic metric that gauges the safety criticality of various automotive functions. ASIL determination is pivotal in driving innovation while ensuring that every leap forward is tethered to the principles of safety. Determining ASIL isn’t just a tick-box exercise; it’s an indispensable step in the ISO 26262 safety lifecycle. The reason is simple: to achieve true vehicular safety, we must first understand the gravity of potential hazards and align our countermeasures accordingly.

Let’s look at some statistics that underline the importance of safety!

According to the motor vehicle safety data published by the BTS (Bureau of Transportation Statistics), more than 6 million crashes involving motor vehicles are reported every year on average.

As per U.S. Transportation Department data, United States automakers had to make a record safety recall of 53.2 million vehicles in 2016. This increase in auto safety recalls was caused by the rise in road traffic deaths in the U.S.

An auto recall, according to the National Highway Traffic Safety Administration (NHTSA, US), is issued when “a manufacturer or NHTSA determines that a vehicle, equipment, car seat, or tire can create an unreasonable safety risk or fails to meet minimum safety standards”.

ISO 26262 standard defines functional safety as the “absence of unreasonable risk due to hazards caused by malfunctioning behavior of electrical/electronic systems”.

For ISO 26262 compliance, a functional safety consultant identifies and assesses hazards (safety risks).

These hazards are then categorized according to the Automotive Safety Integrity Level (ASIL) framework.

Such a clear classification of hazards helps to:

  • Establish various safety requirements to mitigate the risks to acceptable levels
  • Smoothly manage and track these safety requirements
  • Ensure that standardized safety procedures have been followed in the delivered product.

The Automotive Safety Integrity Level (ASIL), specified under ISO 26262, is a risk classification scheme for defining the safety requirements. ASIL values are assigned by performing a risk analysis of each potential hazard, evaluating three risk parameters: Severity, Exposure and Controllability.

A change in ASIL ranking can pivot the course of a project entirely. A higher ASIL rating might necessitate more rigorous safety measures, potentially altering design choices, software architecture, or even testing methodologies. On the other hand, a lower ASIL rating might streamline certain processes, allowing for more flexibility. This dynamic and its repercussions highlight why ASIL determination is not just procedural but foundational.

It becomes pivotal to understand its practical implications on automotive systems. Each vehicle is a set of interconnected systems, and the ASIL designation of each can profoundly influence safety measures and mitigation strategies.

A critical system like an Anti-lock Braking System (ABS) might be assigned an ASIL-D, the highest safety integrity level. Any malfunction in the ABS can directly result in loss of vehicle control, potentially leading to catastrophic outcomes. Thus, the ASIL-D designation would necessitate the most stringent safety measures, rigorous testing protocols, and might even influence the redundancy built into the system to ensure failsafe operation.

While the primary purpose of infotainment systems is to provide entertainment and information, their malfunctioning can still pose a distraction risk to the driver. They might be assigned a lower ASIL, like ASIL-A or ASIL-B. Here, the safety measures are less stringent compared to ASIL-D systems. However, it is still imperative to assess whether certain information displayed on the infotainment system can directly affect the safety of the vehicle’s occupants.

Safety Life-cycle is a Journey, Safety Goals and ASIL are the Milestones!

The safety life-cycle of any automotive component begins with the definition of the system and its safety-criticality at the vehicle level.

This is achieved by conducting Hazard Analysis and Risk Assessment (HARA) for the corresponding automotive component (hardware/ software). HARA is a necessary exercise for the determination of the Automotive Safety Integrity Level (ASIL).

During HARA, all the potential hazardous scenarios for a particular automotive component, whose occurrence can be critical for vehicle safety, are evaluated.

For example, an unexpected inflation of an airbag or a failure of the brakes are potential safety hazards that should be assessed and managed in advance.

HARA is followed by identifying the safety goals for each component, which are then classified as either QM or one of the ASIL levels under the ISO 26262 standard.

Figure: Automobile safety issue types. Image credit: Mentor

Safety goals are basically the level of safety required by an automotive component to function normally without posing any threats to the vehicle.

For example, for a car door, the safety goal could be either to have it open or to have it closed, depending on which action is safe under a particular condition. During a fire inside the vehicle or a flood, the safety goal would be to have the car door open as quickly as possible so that the passengers can escape.

On the contrary, while the vehicle is moving fast, the safety goal for the door is to remain closed, since the accidental opening of a door of a moving car could lead to greater risks.

How to Determine the ASIL Value for an Automotive Application, as per the ISO 26262 Standard

ISO 26262 standard defines four values of ASIL: ASIL A, ASIL B, ASIL C, ASIL D.

ASIL D represents the highest degree of automotive hazard and ASIL A the lowest. There is another level called QM (for Quality Management level) that represents hazards that do not dictate any safety requirements.

The following figure demonstrates the steps involved in the determination of ASIL for an Anti-lock Braking System (ABS).

Figure: ASIL determination for an Anti-lock Braking System (ABS). Image credit: Whitepaper by Cadence

For any particular failure of a defined function at the vehicle level, hazard analysis and risk assessment (HARA) helps to identify the intensity of the risk of harm to people and property.

Once this classification is completed, it helps in identifying the processes and the level of risk reduction needed to achieve a tolerable risk. Safety goal definition as per ASIL is performed for both hardware and software processes within automotive design to ensure the highest levels of functional safety.

These safety levels are determined based on three important parameters:

Exposure (E): the measure of the probability of the vehicle being in a hazardous situation that can cause harm to people and property. Exposure levels E1: very low probability, E2: low probability, E3: medium probability and E4: high probability are assigned to the automotive component being evaluated.

Controllability (C): the extent to which the driver can control the vehicle if a safety goal is breached due to failure or malfunctioning of the automotive component being evaluated. The order of controllability is C1 < C2 < C3 (C1 for easy to control, C3 for difficult to control).

Severity (S): the seriousness of the damage or consequences to the life of people (passengers and road users) and to property due to a safety goal infringement. The order of severity is: S1 for light and moderate injuries, S2 for severe and life-threatening injuries, and S3 for life-threatening incidents.

The ISO 26262 ASIL Allocation table

The ASIL levels A, B, C and D are assigned based on an allocation table defined by the ISO 26262 standard.

Figure: ASIL allocation table, used to evaluate the safety goals of automotive components. Image credit: techdesignforums

Let us try to understand the determination of ASIL values for various components based on the S, E and C parameters.

A few observations from the ASIL allocation table:

  1. A combination of S3, E4 and C3 (the extremes of the three parameters) refers to a highly hazardous situation. Hence the component being evaluated is identified as ASIL D, which means it is prone to severely life-threatening events in case of a malfunction and calls for the most stringent levels of safety measures.
  2. On the contrary, a combination of S1, E1 and C1 (the lowest levels of the three parameters in terms of safety-criticality) calls for the QM level, which means the component is not hazardous and has no safety requirements to be managed under ISO 26262.
  3. Similarly, a combination of medium levels, such as S2, E4 and C3 or S2, E3 and C2, results in ASIL C or ASIL A respectively.

The intensity of the hazard thus depends on the ASIL levels of the components under consideration. Allocation of ASIL helps in identifying how much threat the malfunctioning of a particular component can cause under various situations.

Under the framework of ISO 26262 ASIL and functional safety, the safety goals are more critical than the functionality of the automotive component. Let us take the example of charging a vehicle battery to understand this statement.

The safety goals associated with a battery are a more critical consideration to be evaluated as per ASIL than the battery itself, as shown in the table below. Overcharging of the battery at a speed below 10 km/h is not as serious a situation as overcharging at very high speeds, where the possibilities of overheating and a consequent fire are also higher:

Vehicle condition          | Cause of malfunction                                     | Possible hazard                        | ASIL
Running, speed < 10 km/h   | Charging of battery pack beyond allowable energy storage | Overcharging may lead to thermal event | A
Running, speed 10–50 km/h  | Charging of battery pack beyond allowable energy storage | Overcharging may lead to thermal event | B
Running, speed > 50 km/h   | Charging of battery pack beyond allowable energy storage | Overcharging may lead to thermal event | C
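As an added example (not from the original article), the following Python encodes the ISO 26262-3 allocation table behind the observations above and the battery table, going beyond the listed cases to the full S/E/C grid. It uses the fact that the published table is additive (the level depends only on S+E+C), and assumes constructed S/E/C triples for the battery hazard, since the article only gives the resulting ASILs.

```python
from dataclasses import dataclass
from itertools import product

# Ordered from least to most critical; QM sits below ASIL A.
ORDER = ["QM", "A", "B", "C", "D"]


def determine_asil(s: int, e: int, c: int) -> str:
    """Map an (S, E, C) triple to its ASIL per the ISO 26262-3 table.

    The table is additive: with S1..S3, E1..E4, C1..C3 the level depends
    only on S+E+C (sum <= 6 -> QM, 7 -> A, 8 -> B, 9 -> C, 10 -> D).
    """
    if s not in (1, 2, 3) or e not in (1, 2, 3, 4) or c not in (1, 2, 3):
        raise ValueError(f"parameter out of range: S{s} E{e} C{c}")
    return ORDER[max(0, s + e + c - 6)]


def allocation_table() -> dict:
    """Return the complete 36-entry table {(S, E, C): ASIL}."""
    return {(s, e, c): determine_asil(s, e, c)
            for s, e, c in product((1, 2, 3), (1, 2, 3, 4), (1, 2, 3))}


@dataclass(frozen=True)
class HazardousEvent:
    """One HARA row: operational situation plus malfunction, rated S/E/C."""
    name: str
    s: int
    e: int
    c: int

    @property
    def asil(self) -> str:
        return determine_asil(self.s, self.e, self.c)


def safety_goal_asil(events) -> str:
    """A safety goal covering several hazardous events takes the highest
    ASIL among them (ISO 26262-3 combination rule)."""
    return max((ev.asil for ev in events), key=ORDER.index)


# Constructed example: the overcharging hazard from the article's battery
# table. The S/E/C values are assumed, chosen only to reproduce its A/B/C.
OVERCHARGE_EVENTS = [
    HazardousEvent("running, speed < 10 km/h, overcharge", s=2, e=3, c=2),
    HazardousEvent("running, speed 10-50 km/h, overcharge", s=2, e=4, c=2),
    HazardousEvent("running, speed > 50 km/h, overcharge", s=3, e=4, c=2),
]
```

Running `safety_goal_asil(OVERCHARGE_EVENTS)` yields C, the level the single "prevent overcharging" safety goal would carry once its three operational situations are combined.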

Thus, ASIL determination forms a very critical process in the development of highly reliable and functionally safe automotive applications. In today’s time, where car designs have become increasingly complex with a huge number of ECUs, sensors and actuators, the need to ensure functional safety at every stage of product development and commissioning has become even more important.

This is why modern-day automotive manufacturers are very particular about meeting the highest automotive safety standards in accordance with the ISO 26262 standard and ASIL levels.
