Automotive Safety Integrity Level (ASIL) is a risk classification scheme defined by the ISO 26262 - Functional Safety for Road Vehicles standard. This is an adaptation of the Safety Integrity Level (SIL) used in IEC 61508 for the automotive industry. This classification helps defining the safety requirements necessary to be in line with the ISO 26262 standard. The ASIL is established by performing a risk analysis of a potential hazard by looking at the Severity, Exposure and Controllability of the vehicle operating scenario. The safety goal for that hazard in turn carries the ASIL requirements.
There are four ASILs identified by the standard: ASIL A, ASIL B, ASIL C, ASIL D. ASIL D dictates the highest integrity requirements on the product and ASIL A the lowest.[1]Hazards that are identified as QM (see below) do not dictate any safety requirements.
Hazard Analysis and Risk Assessment
Because of the reference to SIL and because the ASIL incorporate 4 levels of hazard with a 5th non-hazardous level, it is common in descriptions of ASIL to compare its levels to the SIL levels and DO-178C Design Assurance Levels, respectively.
The determination of ASIL is the result of hazard analysis and risk assessment.[2]
In the context of ISO 26262, a hazard is assessed based on the relative impact of hazardous effects related to a system, as adjusted for relative likelihoods of the hazard manifesting those effects. That is, each hazard is assessed in terms of severity of possible injuries within the context how much of the time a vehicle is exposed to the possibility of the hazard happening (refer ISO26262 definition of exposure) as well as the relative likelihood that a typical driver can act to prevent the injury (refer ISO26262 definitions of severity and controllability).[3]
In short, ASIL refers both to risk and to risk-dependent requirements (standard minimal risk treatment for a given risk). Whereas risk may be generally expressed as
illustrating the role of Exposure and Controllability in establishing relative probability, which is combined with Severity to form an expression of risk.
Levels
The ASIL range from ASIL D, representing the highest degree of automotive hazard and highest degree of rigor applied in the assurance the resultant safety requirements, to QM, representing application with no automotive hazards and, therefore, no safety requirements to manage under the ISO 26262 safety processes. The intervening levels are simply a range of intermediate degrees of hazard and degrees of assurance required.
ASIL D
ASIL D, an abbreviation of Automotive Safety Integrity Level D, refers to the highest classification of initial hazard (injury risk) defined within ISO 26262 and to that standard's most stringent level of safety measures to apply for avoiding an unreasonable residual risk.[2] In particular, ASIL D represents likely potential for severely life-threatening or fatal injury in the event of a malfunction and requires the highest level of assurance that the dependent safety goals are sufficient and have been achieved.[2] An example of dangerous hazard that warrants the ASIL D level is loss of braking on all wheels.[9]
ASIL D is noteworthy, not only because of the elevated risk it represents and the exceptional rigor required in development, but because automotive electrical, electronic, and software suppliers make claims that their products have been certified or otherwise accredited to ASIL D,[10][11][12][13] ease development to ASIL D,[14] or are otherwise suitable to or supportive of development of items to ASIL D.[15][16][17] Any product able to comply with ASIL D requirements would also comply with any lower level.
ISO 26262 "highly recommends" the use of semi-formal modeling languages for ASIL D designs (Stateflow and SysML provide examples of such languages).[18] Executable validation using either prototyping or simulation is mandatory.[19]
ASIL C
Loss of braking for rear wheels only is less dangerous, this hazard is associated with ASIL C.[20] Another example of a less critical function that warrants the ASIL C rating is cruise control.[21]
For ASIL C designs the use of semi-formal modeling languages is highly recommended.[18] Executable validation using either prototyping or simulation is mandatory.[19]
Modeling of the ASIL B design can rely on an informal languages.[18] This and other differences requirements make the cost difference between C and B to be the largest step across all the ASILs.[22]
ASIL A
ASIL A is the lowest rating of the functional safety. A typical example are tail lights (non-braking).[21] Less strict design walkthroughs can be used during the development (higher levels require more formal design inspections).[19]
QM
Referring to "Quality Management", the QM level means that all assessed risks are tolerable from a safety perspective (even if the manufacturer might want to address them from a customer satisfaction perspective, for example make sure the vehicle starts). So, safety assurance controls are unnecessary and standard quality management processes are sufficient for development.[23][2]
Decomposition
Designing an entire system to the rigorous standards of the higher levels of ASIL can be unwieldy, so ISO 26262 allows "decomposition": redundant subcomponents, each designed to a lower ASIL level, can be combined into a higher ASIL level design using higher-level methodologies. The subcomponents used in this way shall contain features that would allow higher-level integration. The frequently used notation for an ASIL X-level component that can be used as a part of an ASIL Y-level system is X(Y). For example, an A(B) component is designed at the ASIL A level of requirements, but is made to fit into ASIL B designs (this subcomponent is colloquially described as "B-ready"). ISO 26262 contains multiple examples of allowed decomposition scenarios, for example ASIL B = A(B) + A(B), i.e. two redundant B-ready ASIL A subcomponents can be combined into an ASIL B design. Headlights provide a natural example of such decomposition: there are at two of them, so they can be designed at ASIL A and combined into an ASIL B system as long as the combination is done properly (for example, it should not introduce a common point of failure).[24]
Comparison with Other Hazard Level Standards
Given ASIL is a relatively recent development, discussions of ASIL often compare its levels to levels defined in other well-established safety or quality management systems. In particular, the ASIL are compared to the SIL risk reduction levels defined in IEC 61508 and the Design Assurance Levels used in the context of DO-178C and DO-254. While there are some similarities, it is important to also understand the differences.
ISO 26262 is an extension of IEC 61508.[2] IEC 61508 defines a widely referenced Safety Integrity Level (SIL) classification. Unlike other functional safety standards, ISO 26262 does not provide normative nor informative mapping of ASIL to SIL; while the two standards have similar processes for hazard assessment, ASIL and SIL are computed from different perspectives.[25]
An ISO 26262 ASIL is a qualitative statement of assessed risk, assessed in terms of three risk parameters in a qualitative way that leaves room for interpretation.[26][27][28][29][30][31]
On the other hand, the IEC 61508 SIL employ quantitative target probability or frequency measures[27] of dangerous failures depending on the type of safety function.[32]
In the context of IEC 61508, higher risk applications require greater robustness to dangerous failures:
That is, for a given Tolerable Risk, greater Risk requires more risk reduction, i.e., a smaller design target value for greater probability of dangerous failure. For a safety function operating in high demand or continuous mode of operation, SIL 1 is associated with a probability of dangerous failure limit of 10−5 per hour while SIL 4 is associated with a probability of dangerous failure rate limit of 10−9 per hour.
In commercial publications, ASIL D has been illustrated to align with SIL 3 and ASIL A is compared to SIL 1.[33]
SAE ARP4761 and SAE ARP4754 (DAL)
While it is more common to compare the ISO 26262 Levels D through QM to the Design Assurance Levels (DAL) A through E and ascribe those levels to DO-178C; these DAL are actually defined and applied through the definitions of SAE ARP4761 and SAE ARP4754. Especially in terms of the management of vehicular hazards through a Safety Life Cycle, the scope of ISO 26262 is more comparable to the combined scope of SAE ARP4761 and SAE ARP4754. Functional Hazard Assessment (FHA) is defined in ARP4761 and the DAL are defined in ARP4754. DO-178C and DO-254 define the design assurance objectives that must be accomplished for given DAL.
Unlike SIL, it is the case that both ASIL and DAL are statements measuring degree of hazard. DAL E is the ARP4754 equivalent of QM; in both classifications hazards are negligible and safety management is not required. At the other end, DAL A and ASIL D represent the highest levels of risk addressed by the respective standards, but they do not address the same level of hazard. While ASIL D encompasses at most the hazards of a loaded passenger van, DAL A includes the greater hazards of large aircraft loaded with fuel and passengers. Publications might illustrate ASIL D as equivalent to either DAL B, to DAL A, or as an intermediate level.
^Kinney, G. F.; Wiruth, A. D. (June 1976). Practical Risk Analysis for Safety Management. China Lake, California: Naval Weapons Center. The risk score for some potentially hazardous situation is given numerically as the product of three factors: ...
^"A Guide to Automotive Safety Integrity Levels (ASIL)". jamasoftware.com. Retrieved 2022-12-13. The additional level, QM, stands for Quality Management and denotes non-hazardous items that require only standard quality management compliance.
^"IEC 61508 Standard". ldra.com Standards Compliance. LDRA. Retrieved 2022-12-13. Other variations include the use of "ASILs" (Automotive Safety Integrity Levels) which are derived differently, with ASIL being a qualitative measurement of risk.
^Paul Chomicz (August 27–28, 2018). "Controlled Natural Language for Hazard Analysis and Risk Assessment". Proceedings of the Sixth International Workshop, CNL 2018. Controlled Natural Language. Maynooth, Co. Kildare, Ireland. p. 42. Retrieved 2022-12-14. The ISO 26262 standard defines the three risk parameters in a qualitative way that leaves room for interpretation.
^ abPerallos, Asier; Hernandez-Jayo, Unai; Onieva, Enrique; Garcia-Zuazola, Ignacio, eds. (2011). "Cyber Security Risk Analysis for Intelligent Transport Systems and In-vehicle Networks". Intelligent Transport Systems : Technologies and Applications. Wiley. pp. 87, 95. ISBN9781118894767. Retrieved 2022-12-13. The main difference between the ISO ASILs and IEC 61508 SIL is that the latter employ quantitative target probability measures while the ASILs are based on qualitative measures. .... In MISRA guidelines and ISO 262 this possibility is taken into account by means of a qualitative measure known as 'controllability'.
^"IEC 61508 Standard". ldra.com Standards Compliance. LDRA. Retrieved 2022-12-13. The derivation of the SIL is covered in more detail in part 5 of the [61508] standard, "Examples of methods for the determination of safety integrity levels" which explains different quantitative approaches to the derivation of SILs.