Overview
ASIL is the primary output of HARA (Hazard Analysis and Risk Assessment) and serves as the foundation for all downstream safety requirements, verification planning, and resource allocation. Each ASIL level prescribes specific development process rigor, verification independence, and architectural constraints per ISO 26262 Part 4 (System Design) through Part 6 (Software Development).
QM (Quality Management) is not an ASIL rating. It indicates that standard automotive quality processes are sufficient—no functional safety requirements apply. Only ISO 26262 Part 8 Section 6 traceability and IATF 16949 process controls are needed.
ASIL Determination Matrix
The ASIL enumeration values result from the ISO 26262-3 ASIL determination matrix, which combines three HARA classification dimensions:
Per ISO 26262-3:2018 Table D.5, all 60 possible S-E-C combinations map to one of five outcomes. S0, E0, or C0 always yield QM.
Enumeration Properties
| Property | Value |
|---|
| Enum ID | hara-asil |
| Type | Dropdown (single-select) |
| Used by | Hazard work items (hazAsil field), Safety Goal work items (sgAsil field) |
| Sort Order | QM (0), A (1), B (2), C (3), D (4) |
| Color Coding | Progressive severity scale (green → orange → red → dark red) |
| Standards | ISO 26262-3:2018, ISO 26262-4:2018, ISO 26262-5:2018, ISO 26262-6:2018 |
ASIL Levels
QM — Quality Management (No ASIL)
| Attribute | Details |
|---|
| Definition | Standard automotive quality processes are sufficient; no functional safety development process required |
| When Assigned | Hazard has S0 (no injury), E0 (incredible), or C0 (general controllability) classification |
| Development Rigor | IATF 16949 / APQP processes only; ISO 26262 safety-specific activities not required |
| Requirements | No safety-specific functional requirements; design requirements follow product specification only |
| Verification | Standard product verification (endurance, environmental, compatibility); no safety-specific test protocols |
| Documentation | Part 8 Section 6 traceability; no formal safety concept or functional safety specifications |
| Color Code | Green (low risk) |
ASIL A — Lowest Functional Safety Requirement
| Attribute | Details |
|---|
| Definition | Minimal functional safety process enhancements; basic hazard mitigation and verification required |
| Development Process | ISO 26262 Part 4 basic enhancements: configuration management, architectural design review, code standards |
| Requirements | Functional safety requirement(s) derived from safety goal; allocation to hardware/software subsystems |
| Verification | Unit and integration testing; code review; no mandatory independence; standard test coverage metrics |
| Tools & Methods | Basic FMEA, requirement traceability, standard V-model verification; no formal methods required |
| Certification | No independent assessor required; manufacturer sign-off sufficient |
| Color Code | Yellow (low-moderate risk) |
ASIL B — Moderate Functional Safety Requirement
| Attribute | Details |
|---|
| Definition | Enhanced safety process with increased independence in verification; moderate architectural constraints |
| Development Process | ISO 26262 Part 4: configuration management, design reviews with independent participation, architecture constraint analysis, FMEA |
| Requirements | Multiple functional safety requirements with explicit failure modes analysis; decomposition to hardware/software |
| Verification | Unit, integration, and system testing with increased independence (different engineer/team than developer); fault injection testing for critical paths; >80% code coverage |
| Architecture | Single-point fault tolerance or monitored redundancy required for critical functions; defined Single Event Upset (SEU) mitigation for hardware |
| Tools & Methods | FMEA mandatory; fault tree analysis (FTA) recommended; traceability matrix with gap analysis; walkthroughs with independent review |
| Certification | Independent functional safety assessor review recommended; formal design review documentation required |
| Color Code | Orange (moderate risk) |
ASIL C — High Functional Safety Requirement
| Attribute | Details |
|---|
| Definition | Rigorous safety process with mandatory independent assessment; architectural redundancy and formal analysis required |
| Development Process | ISO 26262 Part 4-6: strict configuration management, mandatory independent design reviews, formal architecture specification, comprehensive FMEA/FTA, hardware fault analysis |
| Requirements | Exhaustive functional safety requirement set with formal specification; quantitative reliability targets (FMFD — Controllable Failure Detection); allocation matrix with justification |
| Verification | Fully independent verification team; formal test specification with >95% code coverage; hardware safety analysis (HFMEA); fault injection on all critical paths; accelerated life testing |
| Architecture | Dual-channel or triple-modular redundancy (TMR) typically required; fault detection and mitigation time < 10 ms; diagnostic coverage > 90% |
| Tools & Methods | Formal FTA with cutset analysis; FMEA with criticality assessment; proven-in-use analysis for reused components; software metrics (complexity, coupling, maintainability) |
| Certification | Mandatory independent functional safety assessor (TÜV, DEKRA, etc.); formal design review gate; pre-release audit |
| Color Code | Red (high risk) |
ASIL D — Highest Functional Safety Requirement
| Attribute | Details |
|---|
| Definition | Maximum rigor; comprehensive safety process with mandatory independent assessment at all phases; proven-in-use and formal methods required |
| Development Process | ISO 26262 Parts 4-6 with extended rigor: formal safety concept phase, formal methods for critical algorithms, comprehensive architecture with proven-in-use components, safety manager approval gate at each phase milestone |
| Requirements | Comprehensive, formally verified functional safety requirement set with quantitative FMFD targets (>99%); safety integrity level (ASIL) allocation with justification; configuration baseline at each design level |
| Verification | Exhaustively independent verification with formal test specification generation; >99% code coverage; formal proof of critical algorithms; hardware safety analysis with proven-in-use components; accelerated stress testing; fault injection on ALL executable paths; systematic failure injection (FMEA validation) |
| Architecture | Triple-modular redundancy (TMR), N-version programming, or other high-integrity patterns; fault detection time < 1 ms; diagnostic coverage > 99%; fail-safe design with cross-channel comparison; no common-cause failure modes |
| Tools & Methods | Formal FTA with minimal cut sets; exhaustive FMEA + FTA coupling; formal software specifications (B-method, Z notation, Modelica); model checking; static analysis with formal proof; software metrics with strict thresholds |
| Certification | Mandatory independent functional safety assessor at all design reviews and final audit; formal methods independent review; safety manager sign-off required; type approval with certification authority (e.g., NHTSA, Euro NCAP) |
| Color Code | Dark Red / Purple (critical risk) |
ASIL Properties and Field Mapping
Custom Field Binding
The ASIL enumeration is bound to two primary work item types:
| Work Item Type | Field Name | Link Role | Inheritance |
|---|
| Hazard | hazAsil | (direct property) | HARA output |
| Safety Goal | sgAsil | derived-by | Inherits from parent Hazard; may decompose to lower ASIL via architecture |
| Functional Safety Requirement | fsrAsil | allocated-to | Allocated from Safety Goal (same or lower ASIL) |
ASIL Enum Values (Internal IDs)
The sort order (0-4) is critical for Risksheet formulas that use MAX() functions to propagate highest ASIL through traceability chains.
ASIL in Risksheet Configuration
HAZID Risksheet (HARA Analysis)
The HAZID risksheet implements the ASIL determination matrix as a computed column:
{
"column": "ASIL",
"level": "row",
"type": "enum",
"formula": "getASIL(severity, exposure, controllability)",
"enumid": "hara-asil",
"readonly": true,
"displayFormat": "asil-badge",
"colorDecorator": "asil-progressive-scale"
}
getASIL() function:
- Input: Three enum values (S0-S3, E0-E4, C0-C3)
- Lookup: ISO 26262-3 Table D.5 ASIL matrix
- Output: QM, ASIL A, ASIL B, ASIL C, or ASIL D
- Error Handling: Returns “Pending” if any input is empty; highlights row for completion
Column Decorator: Progressive Color Scale
Risksheet applies cell styling based on ASIL value:
cellDecorators:
- field: hazAsil
type: backgroundColor
rules:
- value: "QM"
color: "#d5f4e6" # Light green
textColor: "#27ae60"
- value: "ASIL A"
color: "#fef5e7" # Light yellow
textColor: "#f39c12"
- value: "ASIL B"
color: "#fdebd0" # Light orange
textColor: "#e67e22"
- value: "ASIL C"
color: "#fadbd8" # Light red
textColor: "#e74c3c"
- value: "ASIL D"
color: "#f5b7b1" # Dark red
textColor: "#c0392b"
fontWeight: "bold"
ASIL in PowerSheet Filtering
PowerSheet configurations support ASIL-based view presets:
views:
- name: "ASIL_D_Only"
filters:
- field: sgAsil
operator: equals
values: ["ASIL D"]
description: "Critical Safety Goals requiring maximum rigor"
- name: "ASIL_BC"
filters:
- field: sgAsil
operator: in
values: ["ASIL B", "ASIL C"]
description: "High and moderate integrity requirements"
- name: "All_ASIL"
filters: []
description: "Complete Safety Goal register"
ASIL Inheritance and Decomposition
Hazard → Safety Goal → Functional Requirement
ASIL flows downstream through the traceability chain:
ASIL Decomposition
ASIL decomposition is allowed per ISO 26262-7 (Application Layer) when:
- The higher ASIL function is decomposed into independent subsystems
- Each subsystem targets a lower ASIL with clear failure mode segregation
- Cross-channel monitoring detects any single subsystem failure
Example:
- Hazard: “Total brake failure” → ASIL D
- Architecture: Dual-channel brake actuation (primary ECU + safety co-processor)
- Decomposition: Each channel targets ASIL B + single-point fault detection
- Result: Combined system achieves ASIL D without exhaustive single-channel ASIL D rigor
ASIL in Reports
HARA Report – ASIL Distribution
The ISO 26262 HARA Report aggregates hazards by ASIL:
Hazard Summary by ASIL:
- QM: 3 hazards (17%) - Standard quality management
- ASIL A: 2 hazards (11%) - Minimal safety process
- ASIL B: 8 hazards (44%) - Moderate safety process
- ASIL C: 3 hazards (17%) - High integrity required
- ASIL D: 2 hazards (11%) - Critical integrity required
- Total: 18 hazards (100%)
This summary informs:
- Project complexity assessment: High ASIL-D content → significant verification/certification burden
- Resource planning: ASIL C/D hazards require independent assessor allocation
- Timeline estimation: Formal methods for ASIL D require extended development schedule
- Budget allocation: ASIL D certification typically 20-30% higher than ASIL B
Safety Readiness Scorecard
The scorecard tracks ASIL-based verification status:
| ASIL | Hazards | Safety Goals | FSRs | Verification | Certification |
|---|
| ASIL D | 2 | 2 | 8 | 75% | In Review |
| ASIL C | 3 | 3 | 9 | 100% | Approved |
| ASIL B | 8 | 8 | 24 | 100% | Approved |
| ASIL A | 2 | 2 | 6 | 100% | Approved |
| QM | 3 | — | — | N/A | N/A |
Implementation Notes
The ASIL determination is typically implemented as a compiled formula in Risksheet’s Java expression engine:
public ASIL getASIL(Severity s, Exposure e, Controllability c) {
if (s == S0 || e == E0 || c == C0) return QM;
int[][] matrix = {
// E1 E2 E3 E4
{ QM, A, B, B }, // S1
{ A, B, C, C }, // S2
{ B, C, D, D } // S3
};
return matrix[s.ordinal()-1][e.ordinal()-1][c.ordinal()-1];
}
Enum Ordering Dependency
The sort order (QM=0, A=1, B=2, C=3, D=4) is critical for:
- Dropdown presentation: Values appear in risk order (low → high)
- ASIL inheritance formulas:
MAX(sgAsil) selects highest ASIL when multiple Safety Goals link to same requirement
- PowerSheet filtering: Comparisons like
asil >= "ASIL C" work correctly only if sort order matches risk hierarchy
Do not alter sort order values.
