ASIL Definition

The Automotive Safety Integrity Level (ASIL) is a risk classification system defined by the ISO 26262 standard for the functional safety of road vehicles. The standard defines functional safety as “the absence of unreasonable risk due to hazards caused by malfunctioning behavior of electrical or electronic systems.” ASILs establish safety requirements based on the probability and acceptability of harm for automotive components to be compliant with ISO 26262.

In general, there are four levels of ASILs specified by ISO 26262 – A, B, C, and D – where ASIL-A represents the lowest degree and ASIL-D represents the highest degree of automotive hazard.

For EV powertrains, the highest safety criticality is assigned to the electric motor drive and the battery management system. In addition to the powertrain, airbags, anti-lock brakes, and power steering each require an ASIL-D grade – the highest rigor applied to safety assurance – because the risks associated with their failure are the highest. On the other end of the safety spectrum, components like rear lights require only an ASIL-A grade. Headlights and brake lights generally would be ASIL-B, while cruise control would generally be ASIL-C.

ASIL EV Powertrain
Figure 1. An example of ASILs for different parts of an electric vehicle.

How do we determine the ASIL for each powertrain ECU?

ASILs are determined by performing hazard analysis and risk assessment. For each electronic component in a vehicle, engineers assess three key parameters:

  • Severity (the type of potential injuries to the driver and passengers);
  • Exposure (how often the vehicle is exposed to the hazard);
  • Controllability (how much the driver can do to prevent the injury).

Each of these variables is broken down into sub-classes. Severity has four classes ranging from “no injuries” (S0) to “life-threatening/fatal injuries” (S3). Exposure has five classes, from “incredibly unlikely” (E0) to “highly probable” (E4). Controllability has four classes, ranging from “controllable in general” (C0) to “uncontrollable” (C3).

All variables and sub-classifications are analyzed and combined to determine the required ASIL. For example, a combination of the highest hazards (S3 + E4 + C3) would result in an ASIL-D classification. 

Can the ASIL be uniquely determined?

Determining an ASIL depends strongly on the engineer’s interpretation. ASIL definitions are often qualitative as opposed to quantitative and hence can be interpreted ambiguously.

For example, if a component is characterized as “uncontrollable” (C3) and could cause “life-threatening/fatal injuries” (S3) if it fails, it could potentially be classified as ASIL-A (low risk) if there is a low probability of vehicle being in the described situation (E1).

How are ASILs changing?

In order to remove the guesswork from the ISO26262, SAE published J2980 Considerations for ISO 26262 ASIL Hazard Classification, with its latest revision J2980_201804. This SAE Recommended Practice document presents a method and example results for determining the ASIL for automotive motion control electrical and electronic (E/E) systems. J2980 is focused on motion control systems, since the hazards they can create generally have higher ASIL ratings compared to the hazards non-motion control systems can create.

How does Typhoon HIL help you meet ASIL requirements?

Typhoon HIL’s ultra-high fidelity Hardware-in-the-Loop (HIL) solution for EV drivetrains provides a perfect environment for designing tests, executing tests, and automating tests for powertrain controllers.

We also provide test packages that comprise sets of ASIL-relevant tests that can accelerate your test definition, test deployment, and reaching your target ASILs. We also provide help and guidance with failure mode effects and diagnostics analysis (FMEDA), safety manuals, and certification reports to accelerate safety assessments.

Using Typhoon HIL solutions accelerates the entire process of achieving Powertrain ECU functional safety requirements, from requirements specification to test design, test implementation, software integration, verification, validation, and configuration.

Credits

Disclaimer | Parts of this text were originally published on the Synopsys blog, available here, and are republished with permission.
Text | Florian Rohde, Ivan Celanovic
Visuals | Karl Mickei
Editors | Debora Santo, Sergio Costa