Automotive Safety Integrity Levels (ASILs) are a risk classification framework based on the ISO 26262 standard for Functional Safety for Road Vehicles. ISO 26262 is the adaptation of the IEC 61508 standards to address the specific needs of electrical or electronic (E/E) systems within road vehicles. This FAQ reviews the current status of the ASIL risk classification system including how ASILs work, challenges when using ASILs and how ASILs are evolving to meet the needs of advanced driver assistance systems (ADAS), electric vehicles, and emerging automated and connected vehicles.
Advances in vehicle technologies have the potential to increase the risk of injury to vehicle occupants and others. For example, electric vehicles have high-voltage power buses and high-energy battery packs that can be inherently dangerous, if not properly managed. At the same time, vehicle electronics is becoming more and more complex with more opportunities to pose risks to human safety.
Various systems and subsystems in a vehicle are classified for expected ASIL performance using a four-level categorization from “A” for low risk to “D” for high risk. For example, the steering control system presents a high risk of injury in the event of failure when the vehicle is in motion and is classified with the highly safety-critical ASIL D. On the other hand, failure of the components of the infotainment system such as the radio or video player do not present serious risk of harming anyone and are classified as ASIL A.
A risk analysis based on the Severity, Exposure and Controllability of a potential hazard is used to determine the ASIL level. The safety goal for the hazard determines the ASIL requirements. ISO 26262 recommends system analysis on a vehicle level to define subsystems and classify them based on criticality.
Each hazard is analyzed in terms of how much of the time a vehicle is exposed to the possibility of the hazard happening, the severity of possible injuries, and the controllability, defined as the relative likelihood that a typical driver can act to prevent injury. The ASIL risk assessment process uses the formula: ASIL = Exposure x Severity x Controllability.
An ASIL analysis always includes a hardware analysis, and increasingly it also includes a software analysis. ISO 26262 includes a section called “Hardware Architectural Metrics” that is a statistical computation of probability of failure. The standard defines methods of how to perform the computations. That only applies to ASIL B, C and D. and, there are more complex requirements needed to validate and verify high-level safety-critical (ASIL C or D) systems.
Software analysis is highly recommended for ASIL D, and optional for other levels. ISO 26262 calls for Modified Condition Decision Coverage (MC/DC) structural testing of the software. Tables in ISO 26262 define how much MC/DC analysis needs to be done for each level of ASIL by listing methods and classifying them as recommended methods or highly-recommended methods based on the ASIL.
ASIL levels, A, B, C, and D, are assigned based on an allocation table in ISO 26262. A combination of S3, E4 and C3 (the extremes of the 3 parameters) corresponds to a highly hazardous situation, and is identified as ASIL D, which means it can result in severely life-threatening events in case of a malfunction and requires the most stringent levels of safety measures. A combination of S1, E1 and C1 (the lowest levels of the 3 parameters in terms of safety-criticality) calls for QM levels, which means the component is not hazardous and does not need to be managed under the ISO 26262. Similarly, combinations of the medium levels, such as S2, E4 and C3 or S2, E3 and C2, identifies either an ASIL C or an ASIL B component.
As an example, the ASIL goals for a battery management system change as the vehicle operating conditions change. Experiencing a fault in the battery management system at a slow speed, below 10 km/hour, is probably not as serious a concern as the same fault at very high speeds, where the safety consequences of overheating and any possible fire would be very severe.
Challenges when using ASILs
Today’s vehicles often have 100 or more electronic control units (ECUs), also known as electronic control modules (ECMs), that control one or more of the electrical systems or subsystems in a vehicle. ECUs control vehicle functions ranging from the engine, transmission and powertrain, to brakes and suspension, various sensors for functions such as ADAS, and the infotainment system. Each of the four ASIL classification levels has different consequences for ECU designers and users.
From an implementation standpoint, building ECUs to be ASIL-compliant requires the addition of verification hardware and safety mechanisms such as redundancy of critical components, error correction codes, built-in self-test (BiST), system watchdogs, or cyclic-redundancy checks. Verifying ECU compliance with ASIL requirements in complex and time-consuming.
Adding to the complexity of ASIL-compliance is that vehicle systems can be highly configurable. In some instances, they can change their operating configuration based on real-time sensor data. The data may be transmitted from the vehicle to a data center, and back to the vehicle. And the volume of the data is growing exponentially with the development of ADAS and automated vehicles. The volume of data and the interconnection of vehicles with the internet can make it difficult to trace the cause of a fault and determine the root cause.
ASILs evolving for automated and connected vehicles
The requirements for using ASILs is evolving in response to the increasing complexity of vehicle architectures. In 2015, SAE issued J2980, “Considerations for ISO 26262 ASIL Hazard Classification,” that provides more explicit guidance for assessing Exposure, Severity, and Controllability for a given hazard. J2980 itself is evolving with a revision published in 2018, and more revisions under development.
The J2980 SAE Recommended Practice presents a method and example results for determining the ASIL for automotive E/E systems. J2980 is intended to be consistent with ISO 26262:2011 [1]. The focus of J2980 is on vehicle motion control systems and collision-related hazards. And it is limited to passenger cars weighing up to 3.5 metric tons. ISO 26262:2011 [1] has a wider scope than SAE J2980, covering other functions and accidents (not just motion control or collisions as in SAE J2980).
In addition, the continued emergence of automated vehicles (AVs), is causing a reconsideration of the definition of “Controllability.” As currently defined, Controllability relates to the human driver. Today, the standard states that Controllability is always C3, the extreme of “uncontrollable,” in the absence of an active driver; there is no consideration provided for assessment of automated or semi-automated systems. The variables of Exposure (probability) and Severity (injury) are also expected to need revisiting and revision as a result of the emergence of electric vehicles with high-voltage and high-energy power systems, as well as the emergence of AVs.
In addition to automation, the connection of vehicles to external networks, the IoT and even the more complex internal networks of vehicles create potential opportunities for hacking and malicious attacks. Violation of vehicle system security is an emerging area of risk. There are efforts underway to develop a security engineering process parallel to the ASIL safety analysis process. These analyses are expected to be done in parallel because each one requires a different set of engineering skills.
“Consequence” of a security breach, and “severity” of an unsafe operation are the common parameters for connecting security and safety. The probability-related parameters for analyzing consequence are very different from the current ASIL analysis for severity and include: addressing the attack potential of the hacker and the attack potential the system is able to withstand: required specialist expertise, available time for an attack, required system knowledge, window of opportunity to access the target of attack, required specialized equipment, and so on. Standards such as SAE J3061 and ISO/SAE 21434 address automotive cybersecurity, which involve potential threats rather than known hazards.
Summary
ASIL analysis is an important activity when designing vehicle E/E systems. ASILs are a risk classification framework based on ISO 26262. More recently, SAE issued J2980, “Considerations for ISO 26262 ASIL Hazard Classification,” that provides additional guidance for ASIL analysis. Both ISO 26262 and J2980 are evolving. One revision to J2980 has already been published and more revisions under development. In response to the increasingly connected nature of vehicles, especially automated vehicles, there are efforts underway to develop a software security engineering process parallel to the ASIL safety analysis process.
References
Considerations for ISO 26262 ASIL Hazard Classification, SAE International
Understanding an ASIL in the Functional Safety Standard ISO 26262, LHP
Understanding How ISO 26262 ASIL is Determined for Automotive Applications, Embitel
What is ASIL?, Synopsys
What Is ASIL-D?, Aptiv
What is the ISO 26262 Functional Safety Standard?, National Instruments
You may also like:
