Automotive Safety Integrity Level
The Automotive Safety Integrity Level (ASIL) is a risk classification scheme defined by the international standard ISO 26262 for ensuring functional safety in electrical and/or electronic (E/E) systems within road vehicles, aiming to mitigate hazards arising from system malfunctions throughout the product lifecycle.[1][2] ASIL categorizes safety requirements into four levels—A (lowest rigor), B, C, and D (highest rigor)—plus a quality management (QM) level for non-safety-related functions, with assignments determined through hazard analysis and risk assessment (HARA) evaluating three factors: severity of potential injury (S0–S3, from no injury to life-threatening), exposure probability (E0–E4, from incredibly low to high), and controllability by the driver (C0–C3, from simply controllable to uncontrollable).[3][2] ISO 26262, first published in 2011 and revised in 2018, adapts principles from the broader IEC 61508 standard to the automotive domain, specifying ASIL-oriented and safety-oriented analyses to establish rigorous development processes, verification methods, and fault tolerance measures proportional to the assigned level.[1][4] For instance, ASIL D applies to critical systems like airbags or anti-lock braking, requiring the highest probabilistic targets for fault avoidance (e.g., random hardware failure rates below 10⁻⁸ per hour), while ASIL A suffices for less critical features such as rear lighting.[2][3] The framework supports the entire automotive safety lifecycle—from concept and system design to production, operation, and decommissioning—by enabling decomposition of safety goals across components, ensuring compliance through certification bodies like TÜV SÜD, and facilitating supply chain coordination among original equipment manufacturers (OEMs) and suppliers.[5][6] ASIL promotes a goal-based approach to functional safety, reducing unreasonable risks without mandating specific technologies, though it demands extensive documentation, testing, and independence in reviews for higher levels.[2] This classification has become essential in modern vehicle development, particularly for advanced driver-assistance systems (ADAS) and autonomous vehicles, where increasing E/E complexity heightens potential hazards.[3]Background and Definition
Definition and Purpose
The Automotive Safety Integrity Level (ASIL) is a risk classification scheme defined by the ISO 26262 standard for functional safety in road vehicles, serving as a measure of the risk reduction required for safety-related items to achieve an acceptable level of residual risk due to malfunctions in electrical/electronic (E/E) systems.[2][7] It quantifies the integrity needed to mitigate hazards arising from system failures, ensuring that the probability of harm is sufficiently low.[8] Functional safety, as outlined in ISO 26262, is defined as the absence of unreasonable risk due to such malfunctions, with ASIL providing a structured approach to enforce this across the vehicle's lifecycle.[2][9] The primary purpose of ASIL is to classify potential hazards from E/E system malfunctions and derive corresponding safety goals, safety requirements, and the level of development rigor necessary to address them based on the potential for harm.[7][10] This classification guides the allocation of safety measures during system design, implementation, and verification, tailoring the effort proportionally to the assessed risk while promoting cost-effective safety assurance.[8] By linking hazard severity to required integrity, ASIL ensures that higher-risk items receive more stringent controls, ultimately contributing to overall vehicle safety without over-engineering lower-risk components.[2] Key principles of ASIL center on addressing both systematic faults—those resulting from errors in specification, design, or implementation processes—and random hardware faults, which occur unpredictably due to physical degradation or external factors.[8][11] It ties directly to functional safety by defining four integrity levels from ASIL A (lowest rigor) to ASIL D (highest rigor), with an additional Quality Management (QM) category for non-safety-critical items that do not require ASIL-compliant measures.[10][7] These levels specify the extent of fault avoidance, detection, and control needed, often determined through hazard analysis processes that inform safety requirement derivation.[2] ASIL was introduced in the first edition of ISO 26262 published in 2011, which established the framework for functional safety in passenger vehicles up to 3,500 kg, and was refined in the second edition of 2018 to extend applicability to all road vehicles except mopeds while enhancing clarity on ASIL decomposition and supporting processes.[8][10][12] This evolution reflects adaptations from broader industrial standards like IEC 61508, tailored specifically for automotive E/E systems to address increasing complexity from advanced driver assistance and electrification.[7][9]Scope and Applicability
The Automotive Safety Integrity Level (ASIL) applies to electrical and/or electronic (E/E) systems within safety-related functions of series production road vehicles, focusing on mitigating risks from E/E malfunctions rather than nominal performance or non-E/E hazards. In its initial scope under the first edition of ISO 26262 (2011), ASIL targeted passenger cars with a maximum gross vehicle mass of up to 3,500 kg, encompassing domains such as powertrain, chassis, body, and human-machine interfaces, while excluding purely mechanical systems or software without E/E integration. This applicability ensures that ASIL classifications guide the rigor of safety measures for E/E components that could contribute to hazardous events.[12][13] The second edition of ISO 26262, released in 2018, expanded the scope to all series production road vehicles excluding mopeds, introducing dedicated provisions for motorcycles via a new Motorcycle Safety Integrity Level (MSIL) in Part 12 and adaptations for trucks, buses, trailers, and semi-trailers in Part 8, with item definitions applicable to heavy-duty vehicles. ASIL assignment begins in the concept phase, deriving from safety goals established through hazard analysis and risk assessment for the defined items. This evolution accommodates diverse vehicle categories while maintaining focus on production-intent E/E systems.[14][4] Key exclusions limit ASIL's applicability to production vehicles only, omitting aftermarket modifications, non-road vehicles such as off-road machinery, and special-purpose vehicles like those adapted for drivers with disabilities. Additionally, hazards stemming from non-E/E sources, such as mechanical tire failure or external environmental factors unrelated to E/E malfunctions, fall outside the standard's purview, as does electric shock, fire, or toxicity unless directly attributable to E/E system failures. These boundaries ensure ASIL addresses verifiable E/E-related risks without overextending to unrelated domains.[9][15] The 2018 edition further refined ASIL by extending quantitative targets for ASIL D to encompass probabilistic metrics for random hardware failures (PMHF) as low as $10^{-8} per hour, enhancing precision for high-integrity applications. As of November 2025, an anticipated third edition is under development, expected around 2027, and will likely incorporate updates for software-defined vehicles, addressing centralized architectures, over-the-air updates, and evolving E/E integration challenges.[16][17]Functional Safety Framework
ISO 26262 Overview
ISO 26262 is an international standard for functional safety in road vehicles, specifically addressing electrical and/or electronic (E/E) systems to ensure the absence of unreasonable risk due to malfunctions.[15] Its core objective is to provide a framework for managing safety throughout the lifecycle of automotive E/E systems, mitigating hazards that could lead to harm while considering societal thresholds for acceptable risk.[18] The standard originated from the general functional safety principles of IEC 61508 but is tailored to automotive applications, excluding mopeds, with the 2018 edition expanding applicability to all road vehicles including trucks, buses, and motorcycles.[5] First published in 2011, it was revised in the second edition of 2018 to incorporate expanded scope, including semiconductors and motorcycles, along with enhancements for cybersecurity integration and elevated assurance levels.[19] A third edition is currently in development; as of November 2025, working drafts for various parts are under development, with full release expected in 2027, focusing on adaptations for agile development methods and zonal architectures.[17] The standard is organized into 12 parts that cover the full spectrum of functional safety processes. Part 1 defines key vocabulary and terms, while Part 2 outlines management of functional safety, including planning and organizational responsibilities. Part 3 addresses the concept phase, where safety goals are established. Product development is detailed in Parts 4 through 6 and 8, spanning system-level, hardware-level, software-level, and supporting processes such as configuration management. Parts 7 and 9 handle production, operation, service, decommissioning, and ASIL-oriented analyses. Additionally, Part 10 provides guidelines on the standard's application, Part 11 offers semiconductor-specific guidance (introduced in 2018), and Part 12 adapts the framework for motorcycles.[1] This modular structure ensures comprehensive coverage without overlap, allowing stakeholders to reference relevant sections based on their role in the safety lifecycle. At its foundation, ISO 26262 employs a V-model as the reference process model, guiding activities from concept and system design on the left side (requirements and architecture) through implementation and integration on the right, culminating in verification, validation, and decommissioning. The Automotive Safety Integrity Level (ASIL) plays a pivotal role within this framework, serving as the primary metric for classifying safety requirements derived from hazard analysis; higher ASIL designations impose greater rigor in development assurance, tailoring processes, methods, and techniques to achieve the necessary risk reduction across all phases.[10] By integrating ASIL into safety requirement allocation and confirmation measures, the standard ensures that E/E system malfunctions do not result in unacceptable residual risks, thereby supporting overall vehicle safety.[20]Safety Lifecycle Phases
The safety lifecycle in ISO 26262 is structured around a V-model development process that integrates functional safety activities throughout the lifecycle of electrical and electronic (E/E) systems in road vehicles, ensuring risks are managed from initial conception to decommissioning. This lifecycle divides into the concept phase, product development at various levels (system, hardware, and software), supporting processes, and production through decommissioning, with ASIL guiding the stringency of methods applied in each phase to achieve safety goals. The V-model emphasizes iterative verification and validation, where requirements defined on the left side (decomposition) are tested on the right side (integration) to confirm compliance with assigned ASIL levels.[21][13] In the concept phase, the process begins with item definition, which outlines the system's scope, functions, and operational constraints to establish a foundation for safety analysis. Following this, hazard analysis and risk assessment (HARA) identifies potential hazards and assigns ASIL to safety goals based on severity, exposure, and controllability parameters. The functional safety concept then elaborates on these safety goals, specifying top-level safety requirements and architectural strategies to mitigate risks, with ASIL inheritance ensuring that derived requirements maintain or exceed the goal's integrity level. This phase concludes with the specification of safety requirements, propagating ASIL downward to inform subsequent development.[13][21] The product development phase applies the V-model across system, subsystem, hardware, and software levels, where ASIL-assigned safety requirements are refined into detailed specifications, designs, and implementations. At the system level, functional safety requirements are allocated to elements, and architectural design incorporates fault tolerance measures, such as redundancy, to meet ASIL targets; verification occurs through analysis and simulation at phase end. Hardware development evaluates metrics like failure rates and diagnostic coverage to confirm ASIL compliance, while software development specifies units, integration, and testing with increasing rigor—for instance, formal methods and extensive reviews are mandated for ASIL D to avoid systematic failures in software. Integration and testing at each level validate that propagated ASIL requirements are fulfilled, using techniques scaled by the assigned level, such as unit testing for lower ASIL and fault injection for higher ones.[13][21] Supporting processes run parallel to the main lifecycle phases, encompassing configuration management to track changes, quality assurance to maintain process integrity, and verification activities like reviews and audits tailored to ASIL—for example, independent assessments are required for ASIL C and D to build confidence in safety measures. These processes ensure traceability of ASIL propagation from safety goals through all requirements and artifacts. Production and operation phases focus on safe manufacturing, field monitoring, and service, including validation of released systems and updates to address emerging risks, while decommissioning handles end-of-life disposal to prevent hazards.[13][21] ASIL propagation occurs by assigning levels at the safety goal stage in the concept phase and flowing them down to subordinate requirements and elements, requiring that lower-level implementations achieve at least the parent's ASIL through inherited or decomposed targets. Higher ASIL levels demand progressively rigorous methods, such as mandatory formal verification and diverse redundancy for ASIL D, to address systematic and random failures effectively. ASIL decomposition enables splitting a high-level ASIL requirement into multiple lower-level ones across independent elements—provided the overall confidence interval (e.g., 90% or 99%) is documented to justify the reduction in rigor. This technique facilitates practical implementation while upholding the target safety integrity.[3][22]Hazard Analysis and Risk Assessment
HARA Process
The Hazard Analysis and Risk Assessment (HARA) is a systematic methodology outlined in ISO 26262 Part 3 for the concept phase of automotive electrical/electronic (E/E) system development, aimed at identifying potential hazards arising from system malfunctions and evaluating associated risks to determine appropriate safety measures.[23] This process ensures that safety goals are established early to mitigate risks to vehicle occupants and other road users, serving as the foundation for the functional safety concept. Inputs to HARA typically include the item definition, which delineates the system boundaries and functions (e.g., an anti-lock braking system), along with operational situations such as driving modes or environmental conditions. Outputs comprise a set of safety goals assigned initial Automotive Safety Integrity Levels (ASILs) and an initial functional safety concept outlining high-level mitigation strategies.[24][25] The HARA process begins with item definition, where the scope of the E/E item—such as its functions, interfaces, and boundaries within the vehicle—is clearly specified to focus the analysis.[23] Next, hazards are identified by considering malfunction scenarios in various operational contexts; for instance, in a hypothetical case of power steering loss during high-speed highway driving, potential hazards might include loss of vehicle control leading to collisions. Common methods for hazard identification include brainstorming sessions among multidisciplinary teams, Failure Mode and Effects Analysis (FMEA) to examine component failures, and Fault Tree Analysis (FTA) to model event combinations, often supplemented by Hazard and Operability Study (HAZOP) techniques using guide words like "no" or "reverse" to probe deviations.[25][26] These tools help generate a comprehensive list of hazardous events, which is iteratively refined during the concept phase based on stakeholder feedback and updated system knowledge.[23] Following identification, risk assessment evaluates each hazard using classification parameters of severity (potential harm), exposure (likelihood of occurrence in operational situations), and controllability (driver's ability to mitigate).[24] This step determines the risk level, leading directly to the formulation of safety goals—top-level requirements to avoid or mitigate the hazards, such as "the system shall avoid unintended acceleration beyond driver command" for a throttle control malfunction. ASIL assignment then occurs based on the assessed risk, prioritizing the highest classification to guide subsequent development rigor. The entire HARA is documented for traceability, often using specialized tools like ENCO SOX or standardized templates, ensuring it integrates with the broader safety lifecycle.[25][23]Classification Parameters
The classification of Automotive Safety Integrity Levels (ASIL) in ISO 26262 relies on three key parameters evaluated during Hazard Analysis and Risk Assessment (HARA): Severity (S), Exposure (E), and Controllability (C). These parameters assess the risk associated with a hazardous event stemming from a potential malfunction in electrical/electronic systems, enabling a qualitative determination of the required safety integrity without relying on probabilistic failure rates.[27] Severity classifies the potential harm to individuals exposed to the hazardous situation, focusing on the extent of injury rather than likelihood. It ranges from S0, indicating no injuries, to S1 for light to moderate injuries (e.g., superficial wounds or reversible health impacts); S2 for severe to life-threatening injuries where survival is probable (e.g., permanent impairment or hospitalization); and S3 for life-threatening or fatal injuries where survival is uncertain or impossible (e.g., unsurvivable trauma). This parameter is derived from established injury classification systems like the Abbreviated Injury Scale, emphasizing the worst-case outcome for any exposed person.[27][3][28] Exposure evaluates the probability of occurrence of the operational situation in which the hazardous event could arise, based on the average driving profile over the vehicle's lifetime (typically assuming 10,000 to 30,000 hours or 100,000 to 300,000 km). Levels include E0 for incredibly low probability (practically impossible); E1 for very low probability (rare conditions); E2 for low probability (occasional); E3 for medium probability (e.g., urban driving scenarios); and E4 for high probability (e.g., sustained highway driving). This assessment considers vehicle usage patterns but excludes driver behavior or system failures.[27][3][29] Controllability assesses the driver's ability to avoid or mitigate the harm through timely and effective actions, assuming an average skilled driver and considering factors like warning time, vehicle dynamics, and environmental conditions. It is graded as C1 (simply controllable, e.g., ample time and space to react); C2 (normally controllable, where most drivers can intervene successfully under typical conditions); or C3 (difficult to control or uncontrollable, e.g., due to short reaction time or high-speed scenarios). C0 is occasionally noted for cases where controllability is irrelevant (e.g., S0 severity), but it does not influence ASIL assignment.[27][3][30] The ASIL is determined by combining these parameters via a risk matrix, where higher values of S, E, and C escalate the level from QM (Quality Management, no safety requirements) to ASIL A (lowest integrity) through D (highest). For instance, S3 with E4 and C3 yields ASIL D, indicating stringent safety measures are needed, while lower combinations like S1 with E2 and C1 result in QM. The matrix ensures systematic risk reduction without quantitative formulas, prioritizing qualitative thresholds for practical application in automotive development.[31]| Severity (S) | Exposure (E) / Controllability (C) | C1 | C2 | C3 |
|---|---|---|---|---|
| S0 | E0, E1, E2, E3, E4 | QM | QM | QM |
| S1 | E0, E1 | QM | QM | QM |
| E2 | QM | QM | A | |
| E3 | QM | A | B | |
| E4 | A | B | B | |
| S2 | E0, E1 | QM | QM | A |
| E2 | QM | A | B | |
| E3 | A | B | C | |
| E4 | B | C | C | |
| S3 | E0, E1 | QM | A | B |
| E2 | A | B | C | |
| E3 | B | C | D | |
| E4 | C | D | D |
ASIL Levels
ASIL A
ASIL A represents the lowest Automotive Safety Integrity Level (ASIL) in the ISO 26262 standard, assigned to safety-related functions where the risk of harm from failure is minimal. It is determined through the Hazard Analysis and Risk Assessment (HARA) process by evaluating low combinations of severity (S), exposure (E), and controllability (C) parameters. For instance, combinations such as S1 (light or moderate injury) with E3 (medium exposure probability of 1-10%) and C1 (simply controllable by >99% of drivers), or S3 (life-threatening or fatal injury) with E1 (very low exposure <1%) and C3 (difficult to control by <90% of drivers), result in ASIL A classification.[32] These criteria ensure that only functions with negligible potential for serious harm receive this level, targeting basic fault tolerance for simple, detectable faults without requiring advanced redundancy.[33] The requirements for ASIL A emphasize fundamental development processes tailored to low-risk items, as outlined in ISO 26262 Parts 4 through 8. Development follows a simplified V-model with basic documentation, reviews, and testing, without the stringent traceability or confirmation measures mandated for higher ASILs. For hardware, while there are no mandatory architectural metrics such as single-point fault metric (SPFM) or latent fault metric (LFM), quantitative analysis may focus on probabilistic metric for random hardware failures (PMHF) under 10^{-6} per hour to meet the safety goal violation probability where applied. Verification involves minimal independence, such as self-review by the development team, rather than separate assessor involvement, allowing efficient processes while ensuring adequate coverage for low-risk scenarios.[2][27] Examples of ASIL A functions include non-critical infotainment systems, such as audio controls that, if failing, cause only minor inconvenience like loss of entertainment without impacting vehicle operation or safety. Low-exposure sensors, for instance, those monitoring cabin temperature or basic parking aids in scenarios with very low hazard probability, also typically fall under ASIL A. This level of rigor is appropriate for applications where a malfunction leads to discomfort or slight operational disruption but no foreseeable harm to occupants or other road users, enabling cost-effective implementation without over-engineering.[33]ASIL B
ASIL B represents a moderate level of automotive safety integrity, applicable to safety-related functions where a malfunction could lead to light to severe injuries under certain conditions, but with lower overall risk compared to higher ASIL levels. It is determined through the Hazard Analysis and Risk Assessment (HARA) process in ISO 26262, based on combinations of severity (S), exposure (E), and controllability (C) parameters. Severity classifies potential harm from S1 (light/moderate injury) to S3 (life-threatening or fatal without survival expectancy), exposure estimates operational probability from E1 (very low) to E4 (high), and controllability assesses driver mitigation from C1 (simply controllable) to C3 (difficult to control). Specific combinations yielding ASIL B include S3 with E4 and C1, S3 with E3 and C2, S3 with E2 and C3, S2 with E4 and C2, S2 with E4 and C3, S2 with E3 and C3, S1 with E4 and C3.[32] For ASIL B, development assurance requires enhanced processes to achieve fault avoidance and control, including recommended hardware architectural metrics such as a single-point fault metric (SPFM) of at least 90% and a latent fault metric (LFM) of at least 60%, alongside a probabilistic metric for random hardware failures (PMHF) not exceeding 10^{-7} failures per hour. These metrics ensure that single-point faults (those directly violating a safety goal without detection) are minimized below 10^{-7}/hour, while latent faults (undetected multi-point faults) are controlled below 10^{-6}/hour through diagnostic coverage. Tool qualification is required for development tools that could insert or fail to detect safety-related faults, typically at Tool Confidence Level 2 (TCL2) if impacting ASIL B items. Diverse development practices, such as using multiple techniques for verification, may be applied to introduce fault tolerance without full redundancy. Independence is introduced at a basic level (e.g., I0), where reviews are conducted by individuals not directly involved in creating the reviewed work products.[34] Examples of ASIL B functions include adaptive cruise control systems in urban driving scenarios, where exposure is moderate due to frequent operation but controllability remains feasible; brake lights and headlights, which if failing could contribute to collisions with potential for severe injury; rear-view cameras and instrument clusters, aiding driver awareness without direct life-critical control; and steering wheel sensors or heating/cooling systems that support safety indirectly. These applications balance moderate risk with practical implementation, focusing on reliable fault detection rather than exhaustive validation.[3][33]ASIL C
ASIL C represents a high level of automotive safety integrity within the ISO 26262 framework, assigned to safety goals where the hazard analysis reveals significant risk of severe injury or worse, but not the utmost extreme scenarios requiring maximal assurance. It arises from combinations of high severity (S3, indicating life-threatening or fatal injuries), high exposure (E3 or E4, denoting frequent or probable operational scenarios), and moderate controllability (C1 or C2, where driver intervention is possible but challenging). For instance, the combination of S3 + E3 + C3 typically results in ASIL C classification, reflecting near-highest integrity needs without necessitating the full stringency of ASIL D.[3][27] Requirements for ASIL C emphasize rigorous fault tolerance through advanced error detection mechanisms, diverse redundancy architectures, and independent verification processes to achieve probabilistic targets for random hardware failures. Specifically, the single-point fault rate must be below 10^{-8} failures per hour, while the latent fault rate is limited to under 10^{-7} failures per hour, ensuring the overall probability of safety goal violation remains acceptably low. Hardware architectural metrics include a single-point fault metric (SPFM) of at least 97% and a latent fault metric (LFM) of at least 80%, often implemented via techniques like cyclic redundancy checks and watchdog timers. These measures demand independent confirmation reviews and functional safety assessments to validate compliance.[35][36] Examples of ASIL C applications include lane departure warning systems, where failure could lead to loss of awareness and severe harm during high-exposure highway driving. Similarly, certain advanced driver assistance systems, such as adaptive cruise control with potential for severe collision risks, fall under ASIL C when hazards involve high severity but allow some driver controllability. These systems balance enhanced safety features with practical implementation, avoiding the exhaustive redundancy of higher levels.[37][33] To ensure integrity, ASIL C mandates comprehensive safety analyses, including dependent failure analysis (DFA) to identify common-cause faults across redundant elements and fault tree analysis (FTA) for quantitative evaluation of failure propagation paths. These methods bridge toward ASIL D requirements by providing high assurance without the extreme validation overhead, focusing on robust yet efficient risk mitigation.[38][39]ASIL D
ASIL D represents the highest Automotive Safety Integrity Level (ASIL) defined in ISO 26262, assigned to safety goals involving the most severe hazards where failure could result in life-threatening or fatal injuries without adequate mitigation.[32] This level is triggered by the worst-case combination of classification parameters: Severity class S3 (life-threatening or fatal injury), Exposure class E4 (high probability of exposure, greater than 10%), and Controllability class C3 (exposure is difficult to control or evade, with less than 90% of drivers able to respond effectively).[32] Without achieving ASIL D integrity, the associated risk remains unacceptable, necessitating the most stringent safety measures to reduce it to tolerable levels.[40] The requirements for ASIL D demand the highest level of rigor across the safety lifecycle, including full redundancy in hardware and software architectures to tolerate faults, application of formal and semiformal verification methods for critical components, and qualification of development tools to Tool Confidence Level 3 (TCL3) to ensure they do not introduce systematic errors.[41][42] To address random hardware failures, systems must meet quantitative targets such as a single-point fault rate below 10^{-9} per hour and a latent fault rate below 10^{-8} per hour, often verified through metrics like Single Point Fault Metric (SPFM) ≥99% and Latent Fault Metric (LFM) ≥90%, alongside a Probabilistic Metric for random Hardware Failures (PMHF) ≤10^{-8} per hour.[43] Additionally, confirmation and assessment activities require full independence (Independence Level I3), performed by personnel or organizations separate from development management and resources.[44] Typical examples of ASIL D applications include core braking systems (e.g., anti-lock braking), electronic power steering, and airbag deployment mechanisms, where a malfunction could directly lead to catastrophic vehicle loss of control or occupant harm.[37] Achieving ASIL D involves extensive documentation of all safety requirements, processes, and evidence; probabilistic failure analysis using techniques like Failure Modes and Effects Analysis (FMEA) or Fault Tree Analysis (FTA); and often the application of ASIL decomposition to distribute integrity requirements across redundant elements, making implementation feasible while maintaining overall safety.[40][22]QM
In the context of ISO 26262, Quality Management (QM) refers to the classification assigned to automotive items or elements that present no unreasonable risk due to potential malfunctions, resulting in no Automotive Safety Integrity Level (ASIL) being required.[3][33] This designation arises during the hazard analysis and risk assessment process when the combination of severity (S), exposure (E), and controllability (C) parameters yields a risk profile below the threshold for ASIL assignment, such as severity S0 (no injuries) or very low E and C values.[31] QM thus serves as the baseline category for non-safety-critical functions, ensuring that standard quality practices suffice without invoking the functional safety rigor of ASIL A through D.[45] For QM-classified items, development adheres to established automotive quality management systems, such as IATF 16949, which emphasize coordinated activities for directing and controlling quality without the need for safety-specific fault metrics, independence levels, or verification methods beyond routine processes.[46][47] These requirements focus on eliminating unreasonable risks through general production and process controls, rather than the probabilistic failure rate targets or architectural constraints applied to higher integrity levels.[31] Compliance with QM does not mandate adherence to the full ISO 26262 lifecycle phases, as the associated hazards do not necessitate safety goal derivation or advanced mitigation strategies.[48] Typical examples of QM-classified systems include infotainment features like satellite or digital radio, connectivity interfaces such as USB, HDMI, or Bluetooth, and navigation/GPS modules, where malfunctions might inconvenience users but pose no harm to vehicle occupants or other road users.[3] Comfort-oriented components, such as power seat adjustments, also fall under QM, as their failure modes do not contribute to hazardous events requiring safety intervention.[16] QM elements provide a foundational layer in vehicle architectures, often interfacing with ASIL-rated components through mechanisms like freedom from interference to prevent any impact on safety-critical operations, while themselves operating under conventional quality assurance without deriving safety requirements.[49] This integration supports overall system efficiency by applying proportional rigor, reserving ISO 26262's stringent measures for elements where risks could lead to injury or worse.[48]ASIL Decomposition
Decomposition Principles
ASIL decomposition is a technique defined in ISO 26262 for apportioning a high Automotive Safety Integrity Level (ASIL) safety requirement into multiple lower-ASIL redundant sub-requirements allocated to independent elements, thereby achieving the overall target ASIL without altering the original safety goal.[50] This approach allows the distribution of safety responsibilities across system components, such as in dual-channel architectures where one channel handles primary functions at a reduced ASIL while another provides redundancy.[22] The fundamental principles of ASIL decomposition emphasize sufficient independence between the redundant elements to prevent common cause failures or cascading faults that could compromise the system's safety integrity.[51] This independence must be demonstrated through Dependent Failure Analysis (DFA), which identifies and mitigates potential shared vulnerabilities, such as electrical power supplies or environmental factors.[22] The method applies across various levels, including system architecture, hardware development, and software partitioning, enabling tailored safety measures at each stage.[50] By facilitating the use of lower-ASIL components in redundant setups, ASIL decomposition enhances feasibility for complex automotive systems, avoiding excessive over-design and optimizing resource allocation while preserving overall safety integrity.[52] For instance, it supports the integration of cost-effective elements in safety-critical applications like electronic steering systems.[50] However, ASIL decomposition has limitations, as it primarily addresses systematic faults and does not justify reduced ASIL assignments for random hardware failures, where original ASIL requirements still govern hardware fault metrics.[51] It is unsuitable for scenarios lacking verifiable independence, such as homogeneous redundancy without adequate separation, and relies on DFA to account for dependent failure probabilities in random fault scenarios.[22]Application Rules
In ASIL decomposition, specific architectural rules govern the apportionment of safety requirements to redundant elements while ensuring freedom from interference between them. According to ISO 26262-9:2018, Clause 5, allowable decompositions are limited to predefined combinations that maintain the original ASIL through redundancy and independence; for instance, an ASIL D requirement can be decomposed into C(D) + A(D), B(D) + B(D), or D(D) + QM(D), where the notation indicates the assigned ASIL followed by the original in parentheses.[22] These rules require that lower-level elements depend on demonstrated independence, achieved via dependent failure analysis (DFA) to mitigate common cause or cascading failures, preventing interference that could compromise the higher ASIL.[22] Architectural configurations, such as 1-out-of-2 diagnostic (1oo2D) setups for ASIL C, exemplify this by using redundant channels with diagnostic coverage to detect faults, but only if DFA confirms no shared failure modes like power supply issues. Methods for applying decomposition distinguish between random hardware failures and systematic faults. For random faults, decomposition relies on probabilistic independence, often modeled using beta-factors in fault tree analysis to quantify common cause failures; the original ASIL hardware metrics (e.g., single-point fault metric, SPFM; latent fault metric, LFM) must still be met by the overall architecture, accounting for dependencies via DFA.[51] This approach requires fault injection analysis or fault tree evaluation to confirm that the combined elements meet hardware architectural metrics at the original ASIL level, despite lower assignments. For systematic faults, decomposition employs design separation techniques, such as allocating redundant requirements to elements developed under distinct processes (e.g., different verification rigor), ensuring no shared systematic errors propagate.[53] Additionally, for interfaces between decomposed elements of differing ASILs, delta-ASIL rules apply per ISO 26262-4:2018, Clause 7.4.5, imposing extra safety measures on the lower-ASIL side (e.g., enhanced error detection) to protect the higher-ASIL element from interference, documented in a development interface agreement.[54] Documentation and verification are integral to practical application, ensuring traceability and compliance. Safety manuals for components involved in decomposition must detail assumptions on independence, fault coverage targets, and integration constraints, as required by ISO 26262-8:2018 for supporting processes.[51] Verification involves analyses like failure mode and effects analysis (FMEA) or DFA to prove the decomposed architecture achieves the original ASIL, with evidence such as fault coverage reports confirming metrics like separation for systematic faults; functional safety assessors review this during confirmation measures.[22] A representative example is the decomposition of an ASIL C engine control safety requirement for fuel injection timing, apportioned to an ASIL B sensor (e.g., crankshaft position) and an ASIL A electronic control unit (ECU), assuming independence via separate power domains and DFA-proven lack of cascading faults. This allows cost-effective development while maintaining overall integrity, with the sensor handling higher diagnostic needs and the ECU focusing on basic computation, verified through combined fault tree analysis showing equivalent risk reduction to undivided ASIL C.[53]| Original ASIL | Allowed Decompositions |
|---|---|
| ASIL D | C(D) + A(D), B(D) + B(D), D(D) + QM(D) |
| ASIL C | B(C) + A(C), C(C) + QM(C) |
| ASIL B | A(B) + A(B), B(B) + QM(B) |
| ASIL A | A(A) + QM(A) |
Comparisons with Other Standards
SIL in IEC 61508
The Safety Integrity Level (SIL) is a measure defined in the IEC 61508 standard for functional safety of electrical/electronic/programmable electronic safety-related systems, representing the relative level of risk reduction provided by a safety function.[55] IEC 61508 establishes four discrete SIL levels (SIL 1 to SIL 4), with higher levels indicating greater integrity and lower probability of failure; SIL 4 offers the highest risk reduction, while SIL 1 provides the lowest.[56] These levels are quantified using either the average probability of a dangerous failure on demand (PFD_{\text{avg}}) for low-demand mode operations or the probability of a dangerous failure per hour (PFH) for high-demand or continuous mode operations.[55]| SIL Level | Low Demand Mode: PFD_{\text{avg}} | High Demand Mode: PFH (/hour) |
|---|---|---|
| SIL 1 | \geq 10^{-2} to < 10^{-1} | \geq 10^{-6} to < 10^{-5} |
| SIL 2 | \geq 10^{-3} to < 10^{-2} | \geq 10^{-7} to < 10^{-6} |
| SIL 3 | \geq 10^{-4} to < 10^{-3} | \geq 10^{-8} to < 10^{-7} |
| SIL 4 | \geq 10^{-5} to < 10^{-4} | \geq 10^{-9} to < 10^{-8} |