ISO 26262 ASIL Levels Explained: A to D
By Agnile Engineering Team
TL;DR — ASIL (Automotive Safety Integrity Level) is ISO 26262's four-level risk classification — A, B, C, D — plus QM for non-safety-relevant functions. Each ASIL is assigned during Hazard Analysis and Risk Assessment (HARA) by combining Severity (S0–S3), Exposure (E0–E4), and Controllability (C0–C3) through the lookup table in ISO 26262 Part 3 Annex B, and it directly dictates the required development rigor, hardware diagnostic coverage, and verification independence.
ASIL (Automotive Safety Integrity Level) is the risk classification system defined by ISO 26262 for automotive Functional Safety. There are four levels — ASIL A (lowest risk), ASIL B, ASIL C, and ASIL D (highest risk) — determined by evaluating the severity of potential harm, the probability of exposure, and the controllability of the hazardous situation. Understanding ASIL levels is essential for any engineer working on safety-related automotive E/E systems.
ISO 26262, titled “Road vehicles — Functional Safety,” was first published in 2011 and updated in 2018 (second edition). It applies to all electrical and electronic safety-related systems in production passenger vehicles up to 3,500 kg. The standard adapts the general Functional Safety principles of IEC 61508 specifically for the automotive domain, and the ASIL classification system is its most fundamental concept.
ASIL stands for Automotive Safety Integrity Level. It represents the degree of rigor required to ensure a sufficient level of safety for a given automotive function. The higher the ASIL, the more stringent the safety requirements — covering hardware metrics, software development processes, verification and validation activities, and documentation.
ASIL is determined during the Hazard Analysis and Risk Assessment (HARA) phase, which occurs in Part 3 (Concept Phase) of ISO 26262. For each identified hazardous event, the development team evaluates three parameters and combines them to assign an ASIL level.
The three parameters used to determine ASIL are:
Severity (S): The potential consequence of the hazardous event on the vehicle occupants or other road users. Severity is classified into four levels:
Exposure (E): The probability that the vehicle is in the operational situation where the hazard can occur. Exposure is classified into five levels:
Controllability (C): The ability of the driver or other persons at risk to avoid the harm. Controllability is classified into four levels:
These three parameters are combined using a lookup table defined in ISO 26262 Part 3, Annex B. The combination produces one of five outcomes: QM (no safety requirements), ASIL A, ASIL B, ASIL C, or ASIL D. For example, a hazardous event with S3 (fatal), E4 (high exposure), and C3 (uncontrollable) yields ASIL D — the highest level of rigor.
| Severity | Exposure | Controllability C1 | Controllability C2 | Controllability C3 |
|---|---|---|---|---|
| S1 | E1 | QM | QM | QM |
| S1 | E2 | QM | QM | QM |
| S1 | E3 | QM | QM | ASIL A |
| S1 | E4 | QM | ASIL A | ASIL B |
| S2 | E1 | QM | QM | QM |
| S2 | E2 | QM | QM | ASIL A |
| S2 | E3 | QM | ASIL A | ASIL B |
| S2 | E4 | ASIL A | ASIL B | ASIL C |
| S3 | E1 | QM | QM | ASIL A |
| S3 | E2 | QM | ASIL A | ASIL B |
| S3 | E3 | ASIL A | ASIL B | ASIL C |
| S3 | E4 | ASIL B | ASIL C | ASIL D |
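The S/E/C lookup as an added example (not part of the original article or of ISO 26262): the table is transcribed from this page and cross-checked against the additive shortcut in which S+E+C sums of 7, 8, 9 and 10 map to ASIL A, B, C and D. The function names and the worksheet rows are constructed for illustration.

```python
# Added example: ASIL determination from S/E/C, table transcribed from this page.
ASIL_TABLE = {  # (S, E) -> results for C1, C2, C3
    (1, 1): ("QM", "QM", "QM"), (1, 2): ("QM", "QM", "QM"),
    (1, 3): ("QM", "QM", "A"),  (1, 4): ("QM", "A", "B"),
    (2, 1): ("QM", "QM", "QM"), (2, 2): ("QM", "QM", "A"),
    (2, 3): ("QM", "A", "B"),   (2, 4): ("A", "B", "C"),
    (3, 1): ("QM", "QM", "A"),  (3, 2): ("QM", "A", "B"),
    (3, 3): ("A", "B", "C"),    (3, 4): ("B", "C", "D"),
}
ORDER = ["QM", "A", "B", "C", "D"]

def determine_asil(s, e, c):
    """Return 'QM' or 'A'..'D' for classes S0-S3, E0-E4, C0-C3."""
    if not (0 <= s <= 3 and 0 <= e <= 4 and 0 <= c <= 3):
        raise ValueError(f"class out of range: S{s} E{e} C{c}")
    if 0 in (s, e, c):          # any class 0 means no ASIL is assigned
        return "QM"
    return ASIL_TABLE[(s, e)][c - 1]

def sum_rule(s, e, c):
    """Additive shortcut: S+E+C of 7, 8, 9, 10 maps to A, B, C, D."""
    return ORDER[max(0, s + e + c - 6)]

def table_mismatches():
    """Cells where the transcribed table disagrees with the shortcut."""
    return [(s, e, c) for (s, e) in ASIL_TABLE for c in (1, 2, 3)
            if determine_asil(s, e, c) != sum_rule(s, e, c)]

def worst_case(events):
    """Highest ASIL over a function's hazardous events (name, S, E, C)."""
    return max((determine_asil(s, e, c) for _, s, e, c in events),
               key=ORDER.index)

# Constructed worksheet rows, not taken from a real HARA.
SAMPLE_EVENTS = [
    ("loss of assist while parking", 1, 4, 1),
    ("loss of assist at highway speed", 3, 4, 3),
    ("assist fault in workshop mode", 3, 0, 3),
]

if __name__ == "__main__":
    for name, s, e, c in SAMPLE_EVENTS:
        print(f"{name}: S{s} E{e} C{c} -> {determine_asil(s, e, c)}")
    print("overall:", worst_case(SAMPLE_EVENTS))
```

An empty result from `table_mismatches()` is a quick transcription check for any copy of the table kept in a HARA tool or spreadsheet.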
ASIL A represents the lowest safety integrity requirement. It applies to hazardous events where the combination of severity, exposure, and controllability results in moderate overall risk. A typical example might be a non-critical interior lighting malfunction that causes momentary driver distraction at low speed. ASIL A still requires systematic development processes and documentation, but with less stringent metrics than higher levels.
ASIL B represents a moderate safety integrity requirement. Examples include failures in rear-view camera systems at parking speeds, or non-critical instrument cluster malfunctions. ASIL B requires more rigorous verification and validation than ASIL A, including additional test coverage metrics and design review processes.
ASIL C represents a high safety integrity requirement. Typical examples include failures in headlight systems at highway speeds, or partial brake system degradation. ASIL C demands comprehensive safety analysis at hardware and software levels, rigorous testing, and detailed documentation.
ASIL D is the most stringent level, reserved for hazardous events where a malfunction could directly lead to fatal injuries with high probability and no controllability. Classic examples include unintended acceleration, total loss of steering assist at highway speed, or complete brake failure. ASIL D requires the highest hardware diagnostic coverage, the most rigorous software development processes (including formal methods in some cases), and extensive independence between development and verification teams.
Not every automotive function requires an ASIL classification. When the HARA determines that a hazardous event has very low severity, very low exposure, or very high controllability — or when the combination of S, E, and C falls below the threshold for ASIL A — the function is classified as QM (Quality Management).
QM means that standard quality management processes (such as those defined in IATF 16949 or ISO 9001) are sufficient. No additional ISO 26262 safety requirements apply. However, this does not mean the system can be developed carelessly — QM still requires proper engineering practices and quality assurance.
Functions like seat memory positioning, ambient lighting color selection, or entertainment system volume control typically fall under QM, as their failure does not create a safety-relevant hazardous event.
One of the most important concepts in ISO 26262 is ASIL decomposition, defined in Part 9 of the standard. ASIL decomposition allows a high-ASIL safety requirement to be distributed across two or more independent architectural elements, each carrying a lower ASIL classification.
For example, an ASIL D requirement can be decomposed into two independent channels: one at ASIL B(D) and another at ASIL B(D). The notation B(D) indicates that the element is developed to ASIL B rigor but is part of a decomposition from an ASIL D requirement. Alternatively, ASIL D can decompose into ASIL C(D) + ASIL A(D), or ASIL D(D) + QM(D).
Decomposition is powerful because developing a single element to ASIL D is significantly more expensive than developing two independent elements to ASIL B. However, decomposition requires proven independence between the elements — freedom from interference must be demonstrated, covering spatial, temporal, and causal independence.
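A checker for the decomposition notation described above, as an added example that is not from the original article or the standard's text. It goes beyond the ASIL D schemes listed here by applying the additive pattern they share (QM=0, A=1, B=2, C=3, D=4) to ASIL A through C as well, and it covers a single two-way split only; the function names and the `independent` flag are hypothetical.

```python
import re

LEVEL = {"QM": 0, "A": 1, "B": 2, "C": 3, "D": 4}
TAG = re.compile(r"^(QM|[A-D])\(([A-D])\)$")

def parse_tag(tag):
    """Split 'B(D)' into (element ASIL, ASIL of the decomposed requirement)."""
    m = TAG.match(tag.replace("ASIL", "").strip())
    if not m:
        raise ValueError(f"not a decomposition tag: {tag!r}")
    return m.group(1), m.group(2)

def check_decomposition(original, tags, independent):
    """Return a list of findings; an empty list means the split is acceptable.

    original    -- ASIL of the requirement being decomposed, e.g. 'D'
    tags        -- the two element tags, e.g. ['C(D)', 'A(D)']
    independent -- True once freedom from interference has been shown
                   (hypothetical flag standing in for that evidence)
    """
    findings = []
    parts = [parse_tag(t) for t in tags]
    if len(parts) != 2:
        findings.append("expected exactly two elements")
    for level, origin in parts:
        if origin != original:
            findings.append(f"{level}({origin}) does not trace to ASIL {original}")
    # The listed schemes for D are C+A, B+B and D+QM: the levels always add
    # up to the original, so a smaller total leaves part of it uncovered.
    if sum(LEVEL[level] for level, _ in parts) < LEVEL[original]:
        findings.append("elements together fall short of the original ASIL")
    if not independent:
        findings.append("independence between elements not demonstrated")
    return findings

if __name__ == "__main__":
    for tags, indep in ((["B(D)", "B(D)"], True),
                        (["B(D)", "A(D)"], True),
                        (["C(D)", "A(D)"], False)):
        print(tags, "->", check_decomposition("D", tags, indep) or "ok")
```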
The assigned ASIL level fundamentally shapes the entire development process for a safety-related system. Higher ASIL levels require:
For automotive companies, understanding ASIL levels is not just an academic exercise — it directly impacts project cost, timeline, and resource allocation. A correct HARA that accurately assigns ASIL levels prevents both under-engineering (safety risk) and over-engineering (unnecessary cost).
The interplay between Functional Safety (ISO 26262) and Automotive Cybersecurity (ISO/SAE 21434) is also increasingly important. Cybersecurity attacks can violate safety assumptions, making it critical that Functional Safety and Cybersecurity Engineering are coordinated throughout the development lifecycle.