ASIL Levels Explained: A, B, C, D & QM in ISO 26262
Hello, automotive engineers and functional safety professionals! If you are working in the automotive electronics industry, ASIL (Automotive Safety Integrity Level) is one of the most fundamental concepts you need to master. Whether you are an ECU hardware designer, an embedded software developer, a system architect, a safety engineer, or a project manager – understanding how ASIL levels are determined and what they mean for your development process is essential.

In this comprehensive guide at PiEmbSysTech, we will explain everything you need to know about ASIL levels A, B, C, D, and QM – from the basic concept through the detailed determination process using Severity, Exposure, and Controllability, to the complete ASIL lookup table, real-world automotive examples for every level, and the practical implications of each ASIL for your development work. Let us begin.
1. What is ASIL? – Automotive Safety Integrity Level Defined
ASIL (Automotive Safety Integrity Level) is a risk classification system defined by the ISO 26262 standard for functional safety of road vehicles. It classifies the level of risk reduction required for a specific automotive function to prevent hazardous events caused by E/E system malfunctions from causing harm to vehicle occupants and other road users.
In simpler terms, ASIL answers the question: “How much safety engineering effort must we invest in this function to make it acceptably safe?” The answer ranges from “none beyond standard quality management” (QM) to “the most rigorous safety development methods known to the automotive industry” (ASIL D).
The ASIL is determined during the Hazard Analysis and Risk Assessment (HARA) process – part of the ISO 26262 concept phase (Part 3) – by evaluating three parameters for each identified hazardous event: Severity (S) of potential injuries, Exposure (E) – the probability of the operational situation occurring, and Controllability (C) – the probability that the driver can prevent the harm. The combination of these three parameters determines whether the hazardous event is classified as QM, ASIL A, ASIL B, ASIL C, or ASIL D.
2. Why ASIL Matters – The Business and Safety Impact
The ASIL assigned to a safety goal is not just a label – it has profound, concrete consequences for every aspect of the development process:
Development methods and rigor: Higher ASILs require more formal design notations, more rigorous analysis methods, and more comprehensive documentation. ASIL D software requires MC/DC structural coverage, while ASIL A may require only statement coverage.
Hardware metrics targets: The SPFM, LFM, and PMHF targets defined in Part 5 become progressively more stringent from ASIL B through ASIL D. ASIL D requires 99% SPFM, 90% LFM, and PMHF below 10 FIT.
Testing effort and cost: Verification and testing effort increases dramatically with ASIL level. ASIL D testing (with MC/DC coverage, fault injection, and formal verification) can cost 3 to 5 times more than ASIL A testing.
Confirmation measure independence: The required level of independence for reviews, audits, and assessments increases with ASIL – from no specific requirement at ASIL A to external third-party assessment recommended at ASIL D.
Supply chain requirements: OEMs communicate ASIL requirements to suppliers through Development Interface Agreements. A supplier’s ability to deliver at a specific ASIL level determines their eligibility for safety-critical contracts.
Correctly determining the ASIL is therefore one of the highest-impact decisions in the entire safety lifecycle. Overestimating the ASIL wastes development resources. Underestimating the ASIL compromises safety and creates compliance risk.
3. The Five ASIL Classifications – QM, A, B, C, D
ISO 26262 defines five levels of safety classification, arranged from lowest to highest required risk reduction:
QM (Quality Management): No automotive safety hazard identified. Standard quality management processes are sufficient. No specific ISO 26262 safety requirements apply.
ASIL A: Lowest automotive safety integrity level. Basic safety measures are required, with the least stringent development methods.
ASIL B: Moderate automotive safety integrity level. Increased rigor in development, testing, and documentation compared to ASIL A.
ASIL C: High automotive safety integrity level. Significantly more rigorous development methods, testing, and verification required.
ASIL D: Highest automotive safety integrity level. The most stringent safety measures, the most exhaustive testing, and the most comprehensive documentation required by the standard. ASIL D represents likely potential for severely life-threatening or fatal injuries in the event of a malfunction.
Each level builds upon the previous – achieving ASIL D compliance inherently satisfies all lower ASIL requirements. This progression ensures that development effort is proportional to actual safety risk.
4. The Three Parameters: Severity, Exposure, and Controllability
The ASIL for each hazardous event is determined by combining three independent risk parameters. Each parameter is classified on its own scale during the HARA process.
5. Severity (S) – S0, S1, S2, S3 Explained with Examples
Severity classifies the worst-case potential harm to vehicle occupants and other road users if the hazardous event leads to an accident.
| Level | Description | Real-World Example |
|---|---|---|
| S0 | No injuries | Interior courtesy light fails – no physical harm possible |
| S1 | Light and moderate injuries | Minor low-speed contact with curb due to gradual steering assist loss; whiplash, bruises |
| S2 | Severe and life-threatening injuries (survival probable) | Vehicle departs lane at moderate speed striking barrier; bone fractures, hospitalization required |
| S3 | Life-threatening injuries (survival uncertain) or fatal | Vehicle crosses into oncoming traffic at highway speed; head-on collision, fatal outcomes likely |
Severity is assessed based on the worst-case realistic outcome – not the best-case or average-case. If a hazardous event could realistically result in fatal injuries under certain conditions, it is classified as S3 even if most instances might result in lesser harm.
6. Exposure (E) – E0, E1, E2, E3, E4 Explained with Examples
Exposure classifies how frequently the vehicle will be operating in the specific driving situation where the hazardous event could occur.
| Level | Description | Real-World Example |
|---|---|---|
| E0 | Incredible (essentially never) | Driving through an active volcanic eruption zone |
| E1 | Very low probability | Deep water crossing; driving on an unpaved mountain trail |
| E2 | Low probability | Driving on icy roads (in temperate climates); driving in dense fog |
| E3 | Medium probability | Driving in heavy city traffic; driving in rain; nighttime driving |
| E4 | High probability | Normal highway driving; urban driving; any situation encountered in almost every trip |
Exposure is assessed for the general driver population – not for a specific individual. It represents the probability for a typical vehicle over its expected operational lifetime.
7. Controllability (C) – C0, C1, C2, C3 Explained with Examples
Controllability classifies the probability that the driver (or other road users) can take timely action to prevent the harm once the hazardous event occurs.
| Level | Description | Real-World Example |
|---|---|---|
| C0 | Controllable in general | Almost everyone can handle the situation without difficulty |
| C1 | Simply controllable (>99% of drivers) | Gradual loss of power steering – driver applies more force to compensate |
| C2 | Normally controllable (most drivers) | Sudden partial loss of braking force – most alert drivers can pump brakes or steer to avoid collision |
| C3 | Difficult to control or uncontrollable | Sudden unintended full steering torque at highway speed – even expert drivers may not prevent lane departure |
Controllability must be assessed realistically – considering distracted, fatigued, elderly, or inexperienced drivers, not just expert test drivers.
8. The Complete ASIL Determination Lookup Table
Once S, E, and C are determined for a hazardous event, the ASIL is looked up from the following table:
| Severity | Exposure | C1 | C2 | C3 |
|---|---|---|---|---|
| S1 | E1 | QM | QM | QM |
| S1 | E2 | QM | QM | QM |
| S1 | E3 | QM | QM | A |
| S1 | E4 | QM | A | B |
| S2 | E1 | QM | QM | QM |
| S2 | E2 | QM | QM | A |
| S2 | E3 | QM | A | B |
| S2 | E4 | A | B | C |
| S3 | E1 | QM | QM | A |
| S3 | E2 | QM | A | B |
| S3 | E3 | A | B | C |
| S3 | E4 | B | C | D |
Key insight: ASIL D can only be reached with the highest combination: S3 + E4 + C3. Reducing any single parameter by one level drops the ASIL. S0 and E0 always result in QM regardless of other parameters.
9. Step-by-Step: How to Determine the ASIL for a Hazardous Event
Step 1 – Define the Item: Describe the system or function being analyzed, its interfaces, operating conditions, and boundaries. (See Part 3 – Item Definition.)
Step 2 – Identify operational situations: List all relevant driving scenarios (highway, urban, parking, mountain road, rain, ice, etc.).
Step 3 – Identify malfunctioning behaviors: For each function, identify how it could fail (loss of function, unintended activation, incorrect output, etc.).
Step 4 – Form hazardous events: Combine each relevant malfunction with each relevant operational situation to create hazardous event entries.
Step 5 – Classify Severity (S): For each hazardous event, assess the worst-case realistic injury potential: S0, S1, S2, or S3.
Step 6 – Classify Exposure (E): Assess how frequently the operational situation occurs: E0, E1, E2, E3, or E4.
Step 7 – Classify Controllability (C): Assess the probability that the driver can prevent the harm: C0, C1, C2, or C3.
Step 8 – Look up the ASIL: Use the lookup table (above) to determine the ASIL from the combination of S, E, and C.
Step 9 – Assign to safety goal: The ASIL is inherited by the safety goal that addresses the hazardous event. If multiple hazardous events map to the same safety goal, the safety goal inherits the highest ASIL.
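The lookup from section 8 and Steps 5 to 9 above, as an added Python example (not part of the original article). The safety-goal names and the parking-speed row are constructed, and treating C0 as QM is an assumption the page does not state. The index-sum shortcut is a property of the table that the code checks rather than a rule taken from the page.

```python
ORDER = ["QM", "A", "B", "C", "D"]  # lowest to highest required risk reduction

# The lookup table from section 8, keyed by (S, E); the tuple holds the C1, C2, C3 columns.
TABLE = {
    (1, 1): ("QM", "QM", "QM"), (1, 2): ("QM", "QM", "QM"),
    (1, 3): ("QM", "QM", "A"),  (1, 4): ("QM", "A", "B"),
    (2, 1): ("QM", "QM", "QM"), (2, 2): ("QM", "QM", "A"),
    (2, 3): ("QM", "A", "B"),   (2, 4): ("A", "B", "C"),
    (3, 1): ("QM", "QM", "A"),  (3, 2): ("QM", "A", "B"),
    (3, 3): ("A", "B", "C"),    (3, 4): ("B", "C", "D"),
}


def _level(label, prefix, highest):
    """Parse a class label such as 'S3' and range-check it."""
    if len(label) != 2 or label[0] != prefix or not label[1].isdigit():
        raise ValueError(f"bad {prefix} class: {label!r}")
    value = int(label[1])
    if value > highest:
        raise ValueError(f"{label!r} is outside {prefix}0..{prefix}{highest}")
    return value


def determine_asil(s, e, c):
    """Step 8: look up the ASIL for one hazardous event, e.g. ('S3', 'E4', 'C2')."""
    sv, ev, cv = _level(s, "S", 3), _level(e, "E", 4), _level(c, "C", 3)
    # The page states that S0 and E0 always give QM; C0 is treated the same
    # way here, which is an assumption of this example.
    if 0 in (sv, ev, cv):
        return "QM"
    return TABLE[(sv, ev)][cv - 1]


def sum_rule(s, e, c):
    """Shortcut over numeric indices: S+E+C of 7 -> A, 8 -> B, 9 -> C, 10 -> D, else QM."""
    return ORDER[max(0, s + e + c - 6)]


def table_matches_sum_rule():
    """Cross-check all 36 table cells against the shortcut (catches transcription errors)."""
    return all(TABLE[(s, e)][c - 1] == sum_rule(s, e, c)
               for (s, e) in TABLE for c in (1, 2, 3))


def safety_goal_asils(hara_rows):
    """Step 9: each safety goal inherits the highest ASIL of its hazardous events."""
    goals = {}
    for goal, s, e, c in hara_rows:
        asil = determine_asil(s, e, c)
        if ORDER.index(asil) >= ORDER.index(goals.get(goal, "QM")):
            goals[goal] = asil
    return goals


# Constructed HARA rows: (safety goal, S, E, C). Goal names are hypothetical.
HARA = [
    ("SG1 prevent unintended steering torque", "S3", "E4", "C3"),  # rating the page gives for EPS
    ("SG1 prevent unintended steering torque", "S1", "E4", "C1"),  # constructed: parking speed
    ("SG2 prevent unintended acceleration", "S3", "E4", "C2"),     # rating the page gives for cruise control
]

if __name__ == "__main__":
    print(safety_goal_asils(HARA))
    print("table consistent with sum rule:", table_matches_sum_rule())
```

Raising the cruise-control row from C2 to C3, as the FAQ describes for vehicles with no driver to intervene, moves it from ASIL C to ASIL D in this lookup.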
10. QM (Quality Management) – What It Means in Practice
QM means that the hazardous event does not require specific ISO 26262 safety requirements. Standard quality management processes (such as those defined by IATF 16949 and ISO 9001) are sufficient. There is no automotive safety hazard, or the risk is acceptably low without dedicated safety measures.
Examples: GPS navigation display, satellite radio, interior courtesy lighting, USB charging port, infotainment system display brightness.
QM functions still require good engineering practice and quality processes – they simply do not require the additional safety-specific rigor mandated by ISO 26262.
11. ASIL A – Lowest Safety Integrity Level
ASIL A represents the lowest level of safety risk that still requires ISO 26262 measures. The development requirements are the least stringent among the four ASIL levels.
Typical methods: Informal design notations, statement code coverage recommended, requirements-based testing, basic static analysis.
Examples: Rear tail lights (non-brake), horn activation, interior dome light control, windshield washer system, seat heater control.
The cost impact of ASIL A compliance is relatively modest – it adds structured documentation, basic safety analysis, and formal requirements traceability beyond standard QM processes.
12. ASIL B – Moderate Safety Integrity Level
ASIL B represents a moderate safety risk requiring increased development rigor.
Typical methods: Semi-formal notations recommended, branch coverage highly recommended, MISRA C compliance highly recommended, SPFM ≥90%, LFM ≥60%, PMHF <10⁻⁷/h.
Examples: Headlight systems, brake lights, rear-view camera display, tire pressure monitoring system (TPMS), power window anti-pinch.
The step from ASIL A to ASIL B is significant – it introduces hardware metric requirements and increases the rigor of software testing. The cost step between ASIL B and ASIL C is often cited as the largest single cost increment across all ASIL levels.
13. ASIL C – High Safety Integrity Level
ASIL C represents a high safety risk requiring substantially more rigorous development.
Typical methods: Semi-formal notations highly recommended, MC/DC coverage highly recommended, comprehensive fault injection testing, SPFM ≥97%, LFM ≥80%, PMHF <10⁻⁷/h.
Examples: Cruise control system, rear-wheel ABS, some airbag deployment scenarios, adaptive headlight leveling, some engine management functions.
ASIL C represents a significant investment in safety engineering – the MC/DC coverage requirement alone can substantially increase testing effort and cost.
14. ASIL D – Highest Safety Integrity Level
ASIL D represents the highest possible automotive hazard classification and demands the most stringent safety measures. It indicates likely potential for severely life-threatening or fatal injuries if the function malfunctions.
Typical methods: Formal notations recommended for critical elements, MC/DC coverage highly recommended, SPFM ≥99%, LFM ≥90%, PMHF <10⁻⁸/h (10 FIT), external (I3) functional safety assessment recommended, comprehensive fault injection, formal verification methods.
Examples: Electric power steering (EPS), full braking system (all-wheel ABS/ESC), automatic emergency braking (AEB), steer-by-wire, brake-by-wire, autonomous driving control functions.
ASIL D development represents the highest investment in automotive safety engineering. The combination of 99% SPFM, MC/DC coverage, and I3-level assessment creates a development effort that can be 3 to 5 times the cost of ASIL A for the same functional scope.
15. Comprehensive ASIL Examples for Common Automotive Systems
| Automotive System | Typical ASIL | Rationale |
|---|---|---|
| Electric Power Steering (EPS) | ASIL D | Unintended torque at highway speed: S3, E4, C3 |
| Automatic Emergency Braking (AEB) | ASIL D | Unintended full braking at highway speed: S3, E4, C3 |
| Anti-Lock Braking System (ABS) | ASIL C/D | Loss of all braking: ASIL D; rear-only loss: ASIL C |
| Airbag System | ASIL C/D | Inadvertent deployment at speed: ASIL D; non-deployment in crash: ASIL C |
| Cruise Control | ASIL C | Unintended acceleration: S3, E4, C2 |
| Headlight System | ASIL B | Loss of headlights at night: S2, E3, C2 |
| Brake Lights | ASIL B | Failure to illuminate during braking: rear-end collision risk |
| Rear-View Camera | ASIL B | Loss of image during reversing: S2, E3, C2 |
| Rear Tail Lights | ASIL A | Reduced visibility to following vehicles: lower severity |
| Horn | ASIL A | Loss of warning capability: low direct harm potential |
| Infotainment System | QM | No direct safety hazard from malfunction |
| Interior Lighting | QM | No injury risk from malfunction |
Note: Actual ASIL classifications depend on the specific item definition and HARA for each vehicle platform. The examples above represent typical classifications for general guidance only.
16. What Each ASIL Means for Development – Methods, Testing, and Metrics
| Requirement Area | ASIL A | ASIL B | ASIL C | ASIL D |
|---|---|---|---|---|
| SW Coverage | Statement | Branch | MC/DC (HR) | MC/DC (HR) |
| SPFM | – | ≥90% | ≥97% | ≥99% |
| LFM | – | ≥60% | ≥80% | ≥90% |
| PMHF | – | <100 FIT | <100 FIT | <10 FIT |
| Arch. Notation | Informal | Semi-formal (R) | Semi-formal (HR) | Formal (R) |
| Confirmation Review | No req. | I1 | I2 | I2/I3 |
| Assessment | No req. | Recommended | Required (I2) | Required (I2/I3) |
HR = Highly Recommended, R = Recommended. I1/I2/I3 = Independence levels.
17. ASIL vs SIL vs DAL – Cross-Industry Comparison
Engineers moving between industries often ask how ASIL compares to other safety integrity classifications. While direct mapping is not officially provided by the standards (and each classification has its own determination methodology), the following approximate comparison is commonly referenced:
| ISO 26262 (Automotive) | IEC 61508 (Industrial) | DO-178C/ARP4754 (Aerospace) |
|---|---|---|
| QM | – | DAL E |
| ASIL A | ~SIL 1 | ~DAL D |
| ASIL B | ~SIL 2 | ~DAL C |
| ASIL C | ~SIL 2/3 | ~DAL B |
| ASIL D | ~SIL 3 | ~DAL A |
Note: These are approximate, unofficial comparisons. Each standard has its own determination methodology, and direct one-to-one mapping is not formally defined.
18. ASIL Decomposition – Reducing Development Rigor Through Redundancy
When the ASIL assigned to a safety goal is high (especially ASIL D), the development cost can be substantial. ASIL decomposition (defined in Part 9) allows an ASIL D requirement to be distributed across two or more sufficiently independent architectural elements, each developed to a lower ASIL. The most common decomposition is ASIL D → ASIL B(D) + ASIL B(D), where two independent channels each developed to ASIL B methods collectively achieve ASIL D safety. Confirmation measures remain at ASIL D independence levels, and hardware metrics remain at ASIL D targets. Sufficient independence between channels must be demonstrated through Dependent Failure Analysis.
19. Common ASIL Misconceptions and How to Avoid Them
“ASIL level” is redundant. ASIL stands for Automotive Safety Integrity Level. Saying “ASIL level” means “Automotive Safety Integrity Level level.” Correct: “ASIL D” or “an ASIL of D.”
ASIL is not assigned to components directly. ASIL is assigned to hazardous events during HARA, inherited by safety goals, and propagated through safety requirements to elements. A component inherits the ASIL of the highest safety requirement allocated to it.
ASIL does not measure probability of failure. ASIL is a qualitative risk classification based on S, E, C. It determines the required development rigor. The quantitative probability of failure is addressed through the hardware metrics (PMHF).
Higher ASIL does not mean “more likely to fail.” Higher ASIL means the consequences of failure are more severe, or the situation is more common, or the failure is harder to control. An ASIL D system may actually have a lower failure rate than an ASIL A system because it has been developed with more rigorous methods.
QM does not mean “no quality required.” QM means standard quality management processes are sufficient — not that no quality processes apply. QM components are still expected to meet IATF 16949 quality standards.
ASIL classification can change. As the design evolves and more information becomes available, the ASIL may need to be re-evaluated — for example, if the system architecture changes or if new operational scenarios are identified.
20. Frequently Asked Questions
Q1: Can a single system have multiple ASILs?
Yes. A system may implement multiple safety goals with different ASILs. For example, an EPS system might have one safety goal at ASIL D (prevent unintended torque) and another at ASIL C (prevent sudden loss of assist). Different elements within the system may be allocated different safety requirements with different ASILs.
Q2: Who decides the ASIL?
The ASIL is determined by the safety engineering team during HARA, typically at the OEM or system-level Tier-1 supplier. The HARA team should include system engineers with deep domain knowledge, safety engineers who understand the ISO 26262 methodology, and ideally, human factors specialists for controllability assessment.
Q3: What if I disagree with the ASIL assigned by my customer?
ASIL classification involves judgment, and disagreements are common. The HARA should document the rationale for each S, E, C classification. If a supplier believes the customer’s ASIL is too high or too low, they should present their technical argument with supporting evidence. The Development Interface Agreement (DIA) typically includes the agreed ASIL classification.
Q4: Does the ASIL apply to hardware and software equally?
Yes. The ASIL of the safety requirement propagates to both hardware and software elements that implement it. However, the specific development methods differ – hardware focuses on quantitative metrics (SPFM, LFM, PMHF) while software focuses on systematic failure avoidance (coding standards, structural coverage, testing rigor).
Q5: How does ASIL affect autonomous vehicles?
For fully autonomous vehicles (no human driver), the Controllability parameter is effectively C3 for all hazardous events because there is no driver to intervene. This means that many functions that might be ASIL B or C in a conventional vehicle become ASIL C or D in an autonomous vehicle. This is one of the key challenges driving the development of the anticipated third edition of ISO 26262.
21. Conclusion
ASIL (Automotive Safety Integrity Level) is the cornerstone of ISO 26262 functional safety. It provides the risk-based framework that ensures development effort is proportional to actual safety risk – directing the most rigorous methods toward the functions that pose the greatest danger, while avoiding unnecessary over-engineering of lower-risk functions. From the initial HARA where Severity, Exposure, and Controllability are assessed, through the ASIL determination that drives every downstream development decision, to the hardware metrics and software coverage targets that must be met – ASIL classification touches every aspect of automotive safety engineering.
This article is part of our comprehensive ISO 26262 series at PiEmbSysTech. For detailed coverage of each part of the standard, visit our complete series covering Part 1 through Part 12.
Stay safe. Stay ASIL-aware. Keep engineering the future.
– The PiEmbSysTech Team



