09. Automotive Safety Integrity Levels (ASIL)

ASIL

Now, we can evaluate the risk of our lane keeping assistance function's hazardous situation. We combine the severity, exposure and controllability to find the ASIL.

Combining S3, E2 and C3 from the lane keeping assistance example gives ASIL B.

ASIL shows how high the risk is above acceptable levels so that you know how much work needs to be done to lower risk. Coming up, we will examine ASIL in more detail and discuss the differences between ASIL A, B, C, and D.

Quiz: Calculating ASIL

Examples of How Driving Situations Affect ASIL

To reinforce how severity, exposure, and controllability relate to ASIL, let's look at the lane departure warning example one more time. In the original situational analysis, we said that the vehicle was driving on the highway in the rain at high speed, which led to ASIL C.

What about driving on a wet road on a city street at low speed? A low speed collision implies severity of S1. Exposure remains E3 because of the wet road. Controllability would could still remain C3 because the steering wheel jerking back and forth violently would be difficult to control even at lower speeds. S1, E3 and C3 result in ASIL A. The ASIL went down to A whereas originally we had ASIL C. Intuitively, this makes sense; the driver is driving more slowly with all other conditions remaining the same, so the risk has gone down.

What about driving on a dry road on a city street at low speed? Severity would stay at S1. Exposure now increases to E4 and controllability remains at C3. ASIL now increases to B. Perhaps counterintuitively, if we consider driving on a dry road instead of a wet road, risk increases. The increased risk comes from the exposure. A driver is more likely to be driving on a dry road than a wet road, so there is a higher probability that a random malfunction will occur on a dry road; hence risk increases for the dry road scenario.

What if we had considered high speed highway driving on a dry road? Exposure would go up to E4, severity would be S3, and controllability C3. The ASIL would then increase to ASIL D.

When more than one situation maps to the same hazard, you will be conservative and choose the highest ASIL level for the hazard. If we were considering the possibility that the lane departure warning system vibrates too much on wet highways and also dry highways, we would assign ASIL D.

Analysis and Testing for Different ASILs

Higher ASIL levels require more analysis, requirements and testing to reduce risk to acceptable levels. So in the lane assistance example, the first hazardous situation with ASIL C will require more work than the second hazardous situation with ASIL B.

Here are a few examples of extra measures that may need to be taken for higher ASILs:

• Deductive analysis, an example of which is Fault Tree Analysis is recommended for ASIL C and ASIL D
• ASIL D suggests a target for the PMHF metric failure rate of no greater than 10 dangerous, undetected failures per billion hours of operation whereas ASIL B only suggests a failure rate of no more than 100 failures per billion hours
• For Software units with ASIL D more rigorous testing such as MC/DC coverage are highly recommended whereas ASIL B only mandates DC coverage.

Compensatory measures like Fault Tree Analysis, and MC/DC coverage are beyond the scope of this module, but you can learn more about them at the links.

Quiz: Severity, Exposure and Controllability

QUIZ QUESTION: :

Match the term on the left with the definition on the right

ANSWER CHOICES: