
FUNCTIONAL SAFETY · ISO 26262 · ASIL A–D

Functional Safety Engineering for Systems That Must Fail Safely.

Agnile supports functional safety and system-safety activities for automotive and safety-critical systems, from item definition and HARA through safety goals, functional and technical safety concepts, safety analysis, verification, validation, and safety case preparation.

Certified Practitioners · ISO 9001 · ISO 27001 · ASIL A–D experience

CAPABILITY AREAS

How we engineer functional safety.

Concept Phase

Item definition, impact analysis, HARA, ASIL determination, safety goals, functional safety concept, and safety planning.

System and Software Safety

Technical safety concept, hardware-software interface, safety requirements allocation, safety mechanisms, monitoring concepts, and diagnostic coverage strategy.

Safety Analysis

FMEDA, FTA, dependent failure analysis (DFA) including common-cause considerations, and safety mechanism effectiveness analysis.

Verification, Validation & Safety Case

Safety verification planning, requirements-based testing, safety validation support, confirmation review support, and safety case evidence preparation.

SAFETY × CYBERSECURITY

Where safety and cybersecurity must align.

Where safety and cybersecurity interact — BMS, braking, EPS, ADAS, gateways, and connected ECUs — Agnile helps teams build one coherent engineering evidence chain.

ENGAGEMENT MODELS

How we engage on Functional Safety programmes.

A complete item-to-ASIL programme, a focused concept-phase acceleration, or an independent Safety Case review. We scope the actual work on the call.

  • FS-01·12–16 weeks

    Item-to-ASIL Programme

    ISO 26262 lifecycle support for one item — Item Definition through Functional Safety Validation. HARA workshops, Functional / Technical / Hardware-Software Safety Concepts, FMEDA on production silicon, and the Safety Case ready for concept review and series.

    ENGAGEMENT FLOW

    Item Definition + HARA
    3w
    FSC + TSC
    4w
    HSI + FMEDA
    5w
    Safety Validation + Case
    4w

    DELIVERABLES

    • HARA report (ASIL determination)
    • Safety Concept set (FSC + TSC + HSI)
    • FMEDA + DFA on production silicon
    • Safety Case (item-level)
  • FS-02·6–10 weeks

    Concept Phase Acceleration

    Item Definition workshop, Hazard Analysis, ASIL determination, Functional Safety Concept and Technical Safety Concept — delivered as a focused engagement to unblock concept-phase reviews. Useful when the programme is downstream of system definition but ahead of HW/SW partitioning.

    ENGAGEMENT FLOW

    Item Definition
    2w
    HARA
    2w
    FSC + TSC
    4w

    DELIVERABLES

    • Item Definition (ISO 26262-3 clause 5)
    • HARA report with ASIL ratings
    • FSC + TSC ready for concept review
  • FS-03·2–3 weeks

    Safety Case Review

    Independent assessment of an existing Safety Case: methodology pressure-test, traceability audit, and gap identification against ISO 26262 (the safety case requirements of Part 2 and the system-level evidence of Part 4). Useful before a third-party assessment or when inheriting a Safety Case from a previous supplier.

    ENGAGEMENT FLOW

    Document Review
    1w
    Workshop + Q&A
    0.5w
    Assessment Write-up
    0.5w

    DELIVERABLES

    • Independent Safety Case assessment
    • Prioritised gap list
    • Remediation plan with effort estimates

WHY AGNILE

What we do differently.

  • 01

    Engagements are led by certified functional safety specialists with production-programme and audit experience.

  • 02

    FMEDA on production silicon. We work with the actual hardware metrics from your AURIX, RH850, or S32G — measured numbers, not approximations.

  • 03

    Joint HARA-TARA workshops where Functional Safety and Cybersecurity meet. The same engineering team handles both — one continuous safety-and-security argument.

  • 04

    ASIL D programmes carried through to series. We have closed Safety Cases on powertrain, BMS, EPS, and braking systems on production vehicles.

  • 05

    Methodology that survives audit. Every safety claim traces to its evidence — designed to hold up at concept review, FSC review, and final ISO 26262 assessment.

STANDARDS DEPTH

Standards we work to.

The ISO 26262 parts we work in, and what each looks like on a programme.

  • ISO 26262 Part 3

    Concept phase — Item Definition + HARA

    We facilitate Item Definition workshops, classify each hazardous event by severity, exposure and controllability (using the class examples of Annex B), look up the ASIL in Table 4, derive a Safety Goal per hazardous event, and draft Functional Safety Concepts traceable to the Item Definition.

  • ISO 26262 Part 4

    System-level development

    Technical Safety Concept derived from the FSC. ASIL decomposition logged per Part 9 clause 5, with the independence of the decomposed elements shown by dependent failure analysis. System design verified against the Part 5 hardware architectural metrics.

  • ISO 26262 Part 5

    Hardware development — FMEDA

    FMEDA on production silicon — SPFM ≥ 99% at ASIL D, LFM ≥ 90% at ASIL D, PMHF ≤ 10⁻⁸/h target. Failure-mode catalogue with safety mechanisms credited per Annex D.

  • ISO 26262 Part 6

    Software development

    Software requirements, architecture, unit design, implementation, and unit-level + integration-level test — with structural coverage tuned to the ASIL (Statement at A, Branch at B/C, MC/DC at D).

  • ISO 26262 Part 9

    ASIL-oriented + safety-oriented analyses

    ASIL decomposition per clause 5 (D → B(D)+B(D), D → C(D)+A(D), D → D(D)+QM(D)) with the independence argument each split needs. Criteria for coexistence of elements per clause 6 and dependent failure analysis per clause 7, including freedom from interference for shared resources (ISO 26262-6 Annex D on the software side).

  • ISO 21448 (SOTIF)

    Safety of the Intended Functionality

    For ADAS / autonomous-driving features, we extend ISO 26262 functional safety with SOTIF analysis per ISO 21448: identifying triggering conditions and functional insufficiencies, and moving scenarios out of the known-unsafe and unknown-unsafe areas into the known-safe area.
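As an added worked example (not Agnile's FMEDA tooling or data), the Part 5 hardware architectural metrics above computed for a constructed element list and checked against the ISO 26262-5 targets for ASIL B, C and D. The failure rates, failure-mode shares and diagnostic coverages are invented for illustration; SPFM and LFM use the Part 5 Annex C formulas, while the PMHF figure counts only single-point and residual faults and is therefore a lower bound that can rule a design out but cannot pass it.

```python
"""FMEDA architectural metrics (SPFM, LFM) per ISO 26262-5, with the ASIL
targets of Part 5 Tables 4 to 6.  Added example; the element list is
constructed and is not data from any real programme."""
from dataclasses import dataclass

FIT = 1e-9  # one FIT is one failure per 1e9 hours


@dataclass(frozen=True)
class HwElement:
    name: str
    fit: float            # total failure rate in FIT
    safety_related: bool  # only safety-related elements enter the metrics
    unsafe_share: float   # share of failures that violate the safety goal on their own
    dc: float             # diagnostic coverage of the safety mechanism for that share
    mpf_share: float      # share of failures dangerous only with a second fault
    dc_latent: float      # coverage of latent-fault tests (e.g. power-on self-test)


# ISO 26262-5: SPFM (Table 4), LFM (Table 5), PMHF (Table 6); no targets at ASIL A.
TARGETS = {
    "B": {"spfm": 0.90, "lfm": 0.60, "pmhf": 1e-7},
    "C": {"spfm": 0.97, "lfm": 0.80, "pmhf": 1e-7},
    "D": {"spfm": 0.99, "lfm": 0.90, "pmhf": 1e-8},
}


def fmeda_metrics(elements) -> dict:
    """SPFM, LFM and a PMHF lower bound over the safety-related elements."""
    lam_total = lam_spf_rf = lam_latent = 0.0
    for el in elements:
        if not el.safety_related:
            continue
        lam_total += el.fit
        lam_unsafe = el.fit * el.unsafe_share
        # With no safety mechanism (dc == 0) the whole unsafe share is a
        # single-point fault; otherwise the uncovered part is a residual fault.
        lam_spf_rf += lam_unsafe * (1.0 - el.dc)
        # Multiple-point faults the latent-fault tests do not reveal
        lam_latent += el.fit * el.mpf_share * (1.0 - el.dc_latent)
    return {
        "lambda_sr_fit": lam_total,
        "spfm": 1.0 - lam_spf_rf / lam_total,
        "lfm": 1.0 - lam_latent / (lam_total - lam_spf_rf),
        # Single-point + residual only; dual-point contributions are omitted,
        # so this bound can fail the PMHF target but never pass it.
        "pmhf_lower_bound_per_h": lam_spf_rf * FIT,
    }


def assess(elements, asil: str) -> dict:
    """Compare the metrics with the Part 5 targets for the given ASIL."""
    m = fmeda_metrics(elements)
    t = TARGETS[asil]
    return {
        "metrics": m,
        "spfm_ok": m["spfm"] >= t["spfm"],
        "lfm_ok": m["lfm"] >= t["lfm"],
        "pmhf_not_ruled_out": m["pmhf_lower_bound_per_h"] < t["pmhf"],
    }


# Constructed cell-voltage measurement path of an imaginary BMS (illustrative only)
SAMPLE_ELEMENTS = [
    HwElement("cell ADC", 20.0, True, 0.5, 0.99, 0.3, 0.9),
    HwElement("balance MOSFET", 10.0, True, 0.4, 0.90, 0.2, 0.6),
    HwElement("contactor driver", 15.0, True, 0.6, 0.99, 0.3, 0.9),
    HwElement("status LED", 5.0, False, 0.0, 0.0, 0.0, 0.0),
]


if __name__ == "__main__":
    result = assess(SAMPLE_ELEMENTS, "D")
    m = result["metrics"]
    print(f"SPFM {m['spfm']:.4f}  LFM {m['lfm']:.4f}  "
          f"PMHF >= {m['pmhf_lower_bound_per_h']:.2e}/h")
    print({k: v for k, v in result.items() if k != "metrics"})
```

On the constructed list the element set reaches LFM but misses the 99% SPFM needed at ASIL D while clearing the 97% ASIL C target, which is exactly the kind of gap a review surfaces: the residual fault rate of the balance MOSFET (90% coverage) dominates the single-point sum, so the fix is a better mechanism there, not a decomposition, since decomposition does not lower these targets.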

INTERACTIVE — HARA WORKSHEET

Pick S, E, C — see the ASIL.

The ISO 26262-3:2018 ASIL determination table (Table 4) in three sliders. Move severity, exposure, and controllability: the ASIL output and decomposition options update live, per ISO 26262-9 Clause 5.

Severity (S)

Potential consequence of the hazardous event

Life-threatening (survival uncertain) to fatal

Exposure (E)

Probability of the operational situation

High probability — > 10%, common driving

Controllability (C)

Ability of driver to avoid the harm

Difficult to control or uncontrollable

SOURCE: ISO 26262-3:2018 TABLE 4 (S/E/C CLASSES PER ANNEX B) · DECOMPOSITION PER ISO 26262-9:2018 CL.5

ASIL OUTPUT

ASIL D

ASIL D. Highest rigour. Hardware targets SPFM ≥ 99%, LFM ≥ 90%, PMHF < 10⁻⁸/h. Confirmation measures by an independent organisation (I3). Safety goals are often decomposed across independent elements.

DECOMPOSITION OPTIONS

  • ASIL D(D)+ASIL QM(D)
  • ASIL C(D)+ASIL A(D)
  • ASIL B(D)+ASIL B(D)
  • Each option keeps the original ASIL in brackets, so the item and its safety goal stay at ASIL D; the decomposed elements must be shown sufficiently independent of each other by dependent failure analysis (ISO 26262-9 clauses 5 and 7), and the hardware architectural metric targets are not reduced by the decomposition.
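The worksheet logic above, as an added Python example (not the page's own worksheet code): ASIL determination reproduces ISO 26262-3 Table 4, and the decomposition checker accepts exactly the ISO 26262-9 clause 5 pairs. The hazardous events in the sample table are constructed for illustration.

```python
"""ASIL determination (ISO 26262-3 Table 4) and ASIL decomposition checks
(ISO 26262-9 clause 5).  Added example; the hazardous events are constructed."""

ASIL_RANK = {"QM": 0, "A": 1, "B": 2, "C": 3, "D": 4}
RANK_ASIL = {v: k for k, v in ASIL_RANK.items()}


def asil_from_sec(s: int, e: int, c: int) -> str:
    """ASIL for a hazardous event classified S0..S3, E0..E4, C0..C3.

    Reproduces ISO 26262-3 Table 4: a class of 0 in any parameter gives QM;
    otherwise S+E+C of 10 is ASIL D, 9 is C, 8 is B, 7 is A, below 7 is QM.
    """
    if not (0 <= s <= 3 and 0 <= e <= 4 and 0 <= c <= 3):
        raise ValueError("S must be 0..3, E 0..4, C 0..3")
    if 0 in (s, e, c):
        return "QM"
    return RANK_ASIL[max(0, s + e + c - 6)]


def decomposition_options(asil: str) -> list[tuple[str, str]]:
    """Allowed splits of a requirement at `asil` over two independent elements.

    ISO 26262-9 clause 5 permits exactly the pairs whose ranks add up to the
    original: D -> D+QM, C+A, B+B; C -> C+QM, B+A; B -> B+QM, A+A; A -> A+QM.
    """
    rank = ASIL_RANK[asil]
    return [(RANK_ASIL[a], RANK_ASIL[rank - a])
            for a in range(rank, -1, -1) if rank - a <= a and rank > 0]


def is_valid_decomposition(original: str, left: str, right: str) -> bool:
    """True if left+right is one of the clause 5 pairs for `original`."""
    return original != "QM" and (
        ASIL_RANK[left] + ASIL_RANK[right] == ASIL_RANK[original])


def worksheet(s: int, e: int, c: int) -> dict:
    """What the sliders show: the ASIL and the labelled decomposition options.

    Each element keeps the original ASIL in brackets, e.g. 'ASIL B(D)', and a
    decomposition is only valid with sufficient independence between the two
    elements (shown by dependent failure analysis, ISO 26262-9 clause 7).
    """
    asil = asil_from_sec(s, e, c)
    options = [f"ASIL {a}({asil})+ASIL {b}({asil})"
               for a, b in decomposition_options(asil)]
    return {"asil": asil, "options": options,
            "independence_required": bool(options)}


# Constructed HARA rows for an imaginary BMS item (not real programme data)
SAMPLE_HARA = [
    ("Overcharge not prevented, cell thermal runaway at highway speed", 3, 4, 3),
    ("Unintended contactor opening during overtaking", 3, 3, 2),
    ("Spurious low-SOC warning in a parking situation", 1, 2, 1),
]


def rate_hara(rows=SAMPLE_HARA) -> dict[str, str]:
    """Hazardous-event description -> ASIL for every row of the table."""
    return {desc: asil_from_sec(s, e, c) for desc, s, e, c in rows}


if __name__ == "__main__":
    for desc, asil in rate_hara().items():
        print(f"{asil:>3}  {desc}")
    print(worksheet(3, 4, 3))
```

The rank-sum rule is only a compact encoding of Table 4 and of the clause 5 pair list; the code refuses a split such as D into C+B for the same reason the standard does, and it cannot check the independence argument, which stays a dependent-failure-analysis task.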

S3 · E4 · C3 → ASIL D

CASE STUDY

What this looks like in practice.

Anonymised by request. References available on qualified enquiry.

Anonymised engagement summary. Customer identity and programme details withheld under NDA. Metrics reflect internally documented delivery outcomes.

INDIAN BMS PROGRAMME · CONNECTED MOBILITY

HARA + ASIL decomposition for an ASIL D battery management system.

CONTEXT

An Indian engineering team developing a high-voltage Battery Management System for a connected-mobility vehicle programme had inherited a HARA with ASIL D ratings on every safety goal — driving development cost beyond budget. The team needed independent re-rating with defensible decomposition before the programme's Functional Safety Concept review.

APPROACH

Agnile ran fresh HARA workshops on the BMS item definition, decomposed top-level safety goals via ASIL B(D) + ASIL B(D) where defensible, validated the decomposition with FTA, and produced the FSC + TSC ready for review. Five weeks, three workshops, full traceability.

WHAT WE DELIVERED

  • Re-rated HARA with decomposed ASIL ratings
  • FTA validation of decomposition independence
  • FSC + TSC + HSI for cell + pack levels
  • Safety Case structure populated through clause 6

WHAT THE CUSTOMER GOT

  • Passed FSC review on first submission
  • Element-level development rigour reduced from ASIL D to ASIL B(D)+B(D); the hardware architectural metric targets of the ASIL D safety goals are unchanged by the decomposition, as ISO 26262-9 clause 5 requires
  • ~30% reduction in HW redundancy cost

ASIL D → B(D)+B(D) · 5 weeks · cell + pack

FAQ

Talk to a Functional Safety engineer.

A 60-minute call: scope your HARA, review your existing Safety Concept, or pressure-test your FMEDA before a Confirmation Review. We respond to qualified enquiries within one business day.