ASIL Explained – ISO 26262 ASIL Levels (A–D)
Why ASIL Exists in Automotive Safety
Not all automotive functions are equally critical.
A seat heater, for example, may fail without causing serious harm. The impact is usually limited to discomfort. But now consider a braking system or steering system. If these systems fail, the consequences can be severe and potentially life-threatening.
This raises an important question:
Should all systems be developed with the same level of safety rigor?
The answer is clearly no.
This is exactly why ASIL exists in ISO 26262.
ASIL provides a structured way to classify how critical a function is and how much safety effort is required during development. It ensures that engineering resources are focused where they matter most.
What Is ASIL?
ASIL stands for Automotive Safety Integrity Level.
It is one of the central concepts in ISO 26262 and defines how much risk reduction is required for a specific function.
However, ASIL is more than just a classification label.
It directly influences:
- System design
- Safety requirements
- Verification and testing activities
When engineers determine an ASIL level, they are effectively deciding how rigorous the entire development process must be.
This makes ASIL a fundamental concept in functional safety engineering.
ASIL Levels Overview (QM to ASIL D)
ISO 26262 defines multiple ASIL levels, ranging from QM to ASIL D.
- QM (Quality Management) → standard processes are sufficient
- ASIL A → lowest safety integrity level
- ASIL B
- ASIL C
- ASIL D → highest safety integrity level
As the ASIL level increases, so does the required development rigor.
Higher ASIL levels require:
- More robust system architectures
- Stronger safety mechanisms
- More extensive verification and validation
ASIL is therefore not just a classification—it defines the level of effort required to ensure safety.
Why ASIL Matters in Real Projects
ASIL has a direct and significant impact on real engineering projects.
Once an ASIL level is assigned, it influences key design decisions. For example, systems may require redundancy, additional monitoring mechanisms, or fail-safe strategies.
Verification and testing activities also become more detailed and extensive as ASIL levels increase.
This has a direct impact on:
- Development effort
- Project cost
- System complexity
Assigning the wrong ASIL level can lead to serious consequences.
If the ASIL is too low, the system may not be safe enough.
If it is too high, the system may become unnecessarily complex and expensive.
This is why correct ASIL determination is critical.
How ASIL Is Determined
ASIL is not based on intuition or guesswork.
Instead, ISO 26262 defines a structured risk assessment process.
For each hazardous event, engineers evaluate three parameters:
- Severity (S)
- Exposure (E)
- Controllability (C)
These parameters are assessed independently and then combined using a defined method.
Instead of asking, “Is this system critical?”, engineers analyze:
- How severe is the potential harm?
- How often can the situation occur?
- Can the driver control the situation?
This structured approach ensures consistent and objective safety classification.
Severity (S)
Severity describes how serious the potential consequence of a failure is.
It focuses purely on the outcome.
For example:
- Minor inconvenience → low severity
- Serious injury or life-threatening situation → high severity
An important point is that severity does not consider how often the event occurs.
Even a rare event can have high severity if the consequences are critical.
Exposure (E)
Exposure describes how frequently a specific operational situation occurs.
In other words, how often is the system exposed to conditions where the hazard could happen?
For example:
- Driving on highways → high exposure
- Rare or unusual driving conditions → low exposure
The more frequently a situation occurs, the higher the exposure and the overall risk.
Controllability (C)
Controllability describes whether the driver can avoid or control the hazardous situation.
If the driver can react easily and safely, controllability is high.
If the situation is sudden and unpredictable, controllability is low.
Lower controllability means higher risk, which leads to higher ASIL requirements.
Combining Severity, Exposure, and Controllability
None of the parameters alone determines the ASIL.
Instead, they are combined to evaluate the overall risk of a hazardous event.
- High severity + high exposure + low controllability → high ASIL
- Lower severity or higher controllability → lower ASIL
ASIL is therefore always the result of a balanced and structured evaluation.
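The combination step as a worked example, added here and not part of the original article: it goes beyond the text by using the ISO 26262-3 class numbering (S0–S3, E0–E4, C0–C3) and the sum shortcut that reproduces the standard's determination table. The function names, the `HARA` rows and their class values are constructed for illustration.

```python
# Added example: ASIL from S/E/C classes for each hazardous event.
# Class numbering follows ISO 26262-3; a higher C class means HARDER to control
# (C3 corresponds to what the text above calls low controllability).
ASIL_BY_SUM = {7: "ASIL A", 8: "ASIL B", 9: "ASIL C", 10: "ASIL D"}
ORDER = ["QM", "ASIL A", "ASIL B", "ASIL C", "ASIL D"]


def determine_asil(s: int, e: int, c: int) -> str:
    """Return QM or ASIL A..D for severity S0-S3, exposure E0-E4, controllability C0-C3."""
    if not (0 <= s <= 3 and 0 <= e <= 4 and 0 <= c <= 3):
        raise ValueError(f"class out of range: S{s} E{e} C{c}")
    if 0 in (s, e, c):
        # S0 (no injuries), E0 (incredible) or C0 (controllable in general): no ASIL needed
        return "QM"
    # The determination table is equivalent to a sum rule; sums below 7 are QM.
    return ASIL_BY_SUM.get(s + e + c, "QM")


# Constructed HARA rows (function, hazardous event, S, E, C); classes are illustrative only.
HARA = [
    ("function_a", "event 1", 3, 4, 3),
    ("function_a", "event 2", 3, 4, 2),
    ("function_a", "event 3", 2, 2, 1),
    ("function_b", "event 1", 1, 4, 2),
    ("function_b", "event 2", 3, 1, 0),
]


def classify(rows):
    """One rating per hazardous event, never one per vehicle or system."""
    return {(fn, ev): determine_asil(s, e, c) for fn, ev, s, e, c in rows}


def highest_per_function(rows):
    """Most demanding rating among a function's hazardous events."""
    top = {}
    for (fn, _), asil in classify(rows).items():
        if fn not in top or ORDER.index(asil) > ORDER.index(top[fn]):
            top[fn] = asil
    return top


if __name__ == "__main__":
    for key, asil in classify(HARA).items():
        print(key, "->", asil)
    print(highest_per_function(HARA))
```

Lowering any single class by one step drops the result by exactly one level, which is why each parameter has to be justified on its own in the hazard analysis.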
Example: Airbag System
Let’s revisit the original question:
What ASIL level would you assign to an airbag system?
Consider unintended airbag deployment.
- Severity: High (can cause serious injury)
- Exposure: Medium (depends on driving conditions)
- Controllability: Low (driver cannot prevent deployment)
When these parameters are combined, the result is a high ASIL level.
This is why airbag systems are developed with very strict safety requirements and extensive validation processes.
Common Mistakes About ASIL
There are several common misconceptions about ASIL.
- ASIL is not the same as risk
- ASIL is not assigned to an entire vehicle
- Not every function requires an ASIL (QM is possible)
- A higher ASIL is not always better
The goal is not to maximize ASIL, but to determine it correctly.
Summary
ASIL defines the level of safety rigor required for a specific function.
It is determined based on severity, exposure, and controllability.
ASIL is assigned to hazardous events—not entire systems.
Higher ASIL levels require more rigorous development and verification activities.
Correct ASIL determination is essential for effective and efficient functional safety engineering.