What are ASILs and how do they work?

July 16, 2021 By Jeff Shepard

Automotive Safety Integrity Levels (ASILs) are a risk classification framework based on the ISO 26262 standard for Functional Safety for Road Vehicles. ISO 26262 is the adaptation of the IEC 61508 standards to address the specific needs of electrical or electronic (E/E) systems within road vehicles. This FAQ reviews the current status of the ASIL risk classification system including how ASILs work, challenges when using ASILs and how ASILs are evolving to meet the needs of advanced driver assistance systems (ADAS), electric vehicles, and emerging automated and connected vehicles.

Advances in vehicle technologies have the potential to increase the risk of injury to vehicle occupants and others. For example, electric vehicles have high-voltage power buses and high-energy battery packs that can be inherently dangerous if not properly managed. At the same time, vehicle electronics are becoming more and more complex, with more opportunities to pose risks to human safety.

Various systems and subsystems in a vehicle are classified for expected ASIL performance using a four-level categorization from “A” for low risk to “D” for high risk. For example, the steering control system presents a high risk of injury in the event of failure when the vehicle is in motion and is classified with the highly safety-critical ASIL D. On the other hand, failure of the components of the infotainment system, such as the radio or video player, does not present a serious risk of harming anyone, and these components are classified as ASIL A.

Automotive systems and ASIL levels. (Image: Synopsys)

A risk analysis based on the Severity, Exposure and Controllability of a potential hazard is used to determine the ASIL level. The safety goal for the hazard determines the ASIL requirements. ISO 26262 recommends system analysis on a vehicle level to define subsystems and classify them based on criticality.

Each hazard is analyzed in terms of how much of the time a vehicle is exposed to the possibility of the hazard happening, the severity of possible injuries, and the controllability, defined as the relative likelihood that a typical driver can act to prevent injury. The ASIL risk assessment process uses the formula: ASIL = Exposure x Severity x Controllability.

ASIL estimation of risk is based on three factors, Exposure, Controllability and Severity. (Image: National Instruments)

An ASIL analysis always includes a hardware analysis, and increasingly it also includes a software analysis. ISO 26262 includes a section called “Hardware Architectural Metrics” that is a statistical computation of probability of failure. The standard defines methods for performing the computations. That section only applies to ASIL B, C and D, and more complex requirements apply to validating and verifying high-level safety-critical (ASIL C or D) systems.

Software analysis is highly recommended for ASIL D, and optional for other levels. ISO 26262 calls for Modified Condition Decision Coverage (MC/DC) structural testing of the software. Tables in ISO 26262 define how much MC/DC analysis needs to be done for each level of ASIL by listing methods and classifying them as recommended methods or highly-recommended methods based on the ASIL.

ASIL levels A, B, C, and D are assigned based on an allocation table in ISO 26262. A combination of S3, E4 and C3 (the extremes of the 3 parameters) corresponds to a highly hazardous situation and is identified as ASIL D, which means it can result in severely life-threatening events in case of a malfunction and requires the most stringent levels of safety measures. A combination of S1, E1 and C1 (the lowest levels of the 3 parameters in terms of safety-criticality) calls for QM levels, which means the component is not hazardous and does not need to be managed under ISO 26262. Similarly, combinations of the medium levels, such as S2, E4 and C3 or S2, E3 and C2, identify either an ASIL C or an ASIL B component.

Vehicle operating conditions can be important factors in determination of ASILs. (Table: Embitel)

As an example, the ASIL goals for a battery management system change as the vehicle operating conditions change. Experiencing a fault in the battery management system at a slow speed, below 10 km/hour, is probably not as serious a concern as the same fault at very high speeds, where the safety consequences of overheating and any possible fire would be very severe.
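The allocation step and the effect of operating conditions can be shown in a short Python sketch. This is an added example, not code from the article or from ISO 26262: the table follows the ISO 26262-3 ASIL determination table, while the function names and the battery-management ratings are constructed for illustration.

```python
from dataclasses import dataclass

LEVELS = ["QM", "A", "B", "C", "D"]  # least to most stringent

# ASIL_TABLE[S][E] gives the result for (C1, C2, C3).
# The S0/E0/C0 classes (always QM) are not modelled here.
ASIL_TABLE = {
    1: {1: ("QM", "QM", "QM"), 2: ("QM", "QM", "QM"),
        3: ("QM", "QM", "A"), 4: ("QM", "A", "B")},
    2: {1: ("QM", "QM", "QM"), 2: ("QM", "QM", "A"),
        3: ("QM", "A", "B"), 4: ("A", "B", "C")},
    3: {1: ("QM", "QM", "A"), 2: ("QM", "A", "B"),
        3: ("A", "B", "C"), 4: ("B", "C", "D")},
}

@dataclass(frozen=True)
class HazardousEvent:
    situation: str        # operating condition in which the fault occurs
    severity: int         # S1..S3
    exposure: int         # E1..E4
    controllability: int  # C1..C3

def asil_for(event: HazardousEvent) -> str:
    """Look up the ASIL of one hazardous event in the allocation table."""
    s, e, c = event.severity, event.exposure, event.controllability
    if not (1 <= s <= 3 and 1 <= e <= 4 and 1 <= c <= 3):
        raise ValueError(f"rating out of range: S{s} E{e} C{c}")
    return ASIL_TABLE[s][e][c - 1]

def safety_goal_asil(events) -> str:
    """A safety goal covering several events takes the most stringent ASIL."""
    return max((asil_for(ev) for ev in events), key=LEVELS.index)

# Constructed ratings for the same battery-management fault in two
# operating conditions; real values come from the project's own analysis.
BMS_EVENTS = [
    HazardousEvent("thermal fault below 10 km/h", 2, 2, 2),
    HazardousEvent("thermal fault at high speed", 3, 3, 3),
]

if __name__ == "__main__":
    for ev in BMS_EVENTS:
        print(f"{ev.situation}: ASIL {asil_for(ev)}")
    print("safety goal:", safety_goal_asil(BMS_EVENTS))
```
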


Challenges when using ASILs

Today’s vehicles often have 100 or more electronic control units (ECUs), also known as electronic control modules (ECMs), that control one or more of the electrical systems or subsystems in a vehicle. ECUs control vehicle functions ranging from the engine, transmission and powertrain, to brakes and suspension, various sensors for functions such as ADAS, and the infotainment system. Each of the four ASIL classification levels has different consequences for ECU designers and users.

From an implementation standpoint, building ECUs to be ASIL-compliant requires the addition of verification hardware and safety mechanisms such as redundancy of critical components, error correction codes, built-in self-test (BiST), system watchdogs, or cyclic-redundancy checks. Verifying ECU compliance with ASIL requirements is complex and time-consuming.

Qualifying the ASIL compliance of ECUs is a complex process. (Table: Aptiv)

Adding to the complexity of ASIL-compliance is that vehicle systems can be highly configurable. In some instances, they can change their operating configuration based on real-time sensor data. The data may be transmitted from the vehicle to a data center, and back to the vehicle. And the volume of the data is growing exponentially with the development of ADAS and automated vehicles. The volume of data and the interconnection of vehicles with the internet can make it difficult to trace the cause of a fault and determine the root cause.

ASILs evolving for automated and connected vehicles

The requirements for using ASILs are evolving in response to the increasing complexity of vehicle architectures. In 2015, SAE issued J2980, “Considerations for ISO 26262 ASIL Hazard Classification,” which provides more explicit guidance for assessing Exposure, Severity, and Controllability for a given hazard. J2980 itself is evolving, with a revision published in 2018 and more revisions under development.

The J2980 SAE Recommended Practice presents a method and example results for determining the ASIL for automotive E/E systems. J2980 is intended to be consistent with ISO 26262:2011 [1]. The focus of J2980 is on vehicle motion control systems and collision-related hazards. And it is limited to passenger cars weighing up to 3.5 metric tons. ISO 26262:2011 [1] has a wider scope than SAE J2980, covering other functions and accidents (not just motion control or collisions as in SAE J2980).

In addition, the continued emergence of automated vehicles (AVs) is causing a reconsideration of the definition of “Controllability.” As currently defined, Controllability relates to the human driver. Today, the standard states that Controllability is always C3, the extreme of “uncontrollable,” in the absence of an active driver; there is no consideration provided for assessment of automated or semi-automated systems. The variables of Exposure (probability) and Severity (injury) are also expected to need revisiting and revision as a result of the emergence of electric vehicles with high-voltage and high-energy power systems, as well as the emergence of AVs.

In addition to automation, the connection of vehicles to external networks, the IoT and even the more complex internal networks of vehicles create potential opportunities for hacking and malicious attacks. Violation of vehicle system security is an emerging area of risk. There are efforts underway to develop a security engineering process parallel to the ASIL safety analysis process. These analyses are expected to be done in parallel because each one requires a different set of engineering skills.

“Consequence” of a security breach and “severity” of an unsafe operation are the common parameters for connecting security and safety. The probability-related parameters for analyzing consequence are very different from those in the current ASIL analysis for severity. They address the attack potential of the hacker and the attack potential the system is able to withstand, and include required specialist expertise, available time for an attack, required system knowledge, window of opportunity to access the target of attack, required specialized equipment, and so on. Standards such as SAE J3061 and ISO/SAE 21434 address automotive cybersecurity, which involves potential threats rather than known hazards.

Summary

ASIL analysis is an important activity when designing vehicle E/E systems. ASILs are a risk classification framework based on ISO 26262. More recently, SAE issued J2980, “Considerations for ISO 26262 ASIL Hazard Classification,” which provides additional guidance for ASIL analysis. Both ISO 26262 and J2980 are evolving. One revision to J2980 has already been published and more revisions are under development. In response to the increasingly connected nature of vehicles, especially automated vehicles, there are efforts underway to develop a software security engineering process parallel to the ASIL safety analysis process.

References

Considerations for ISO 26262 ASIL Hazard Classification, SAE International
Understanding an ASIL in the Functional Safety Standard ISO 26262, LHP
Understanding How ISO 26262 ASIL is Determined for Automotive Applications, Embitel
What is ASIL?, Synopsys
What Is ASIL-D?, Aptiv
What is the ISO 26262 Functional Safety Standard?, National Instruments
