Functional Safety and ASIL Ratings: What They Mean and Why They Matter

Get valuable resources straight to your inbox - sent out once per month

We value your privacy

Introduction

Electronics have transformed modern vehicles by allowing designers to use sensors and controllers for an increasingly broad range of functions. However, the growing role of electronics raises an interesting challenge from a safety perspective. Electronics are being used to make cars more efficient, more environmentally-friendly and more comfortable. They also mean more risk, should a critical element fail, because the human driver has less input and decision making ability to control the vehicle in response.

The automotive industry recognizes that safety is critical, and has developed specific standards for electronics-related components in automotive vehicles, known as ISO 26262. ISO 26262, which was originally issued in 2011 and updated in 2018, provides functional safety standards for safety-related systems that include one or more electrical and/or electronics systems and that are installed in series production road vehicles, excluding mopeds.

ISO 26262 contains a structure for classifying possible risks, called the automotive safety integrity level (ASIL). The ASIL rating system reflects a list of safety risks that have been identified and quantified for various automotive functions. Through an ASIL rating, a manufacturer can demonstrate that a particular system or component within an automobile contains built-in safety redundancies that will protect the passengers and vehicle. These safety features are vital if there is a product failure — such as if a sensor is unable to sense that a vehicle is in the next lane, or if a car’s headlights go out at night (see Figure 1). These redundancies are designed to reduce the failure of an individual part — known as a single-point failure. They also include an additional backup in case there is a problem with the mechanism that is supposed to detect the single-point failure. Such a problem is known as a latent failure, and is a good illustration of the multiple layers of redundancy required for a truly robust functional safety approach.

Figure 1: Functional Safety Products Can Back Up Automatic Lighting Systems

An ASIL rating reflects additional safety backup features, and has a different goal from the quality rating system that the automotive sector has developed for ensuring quality management (QM), as a part of ISO 9001 and IATF 16949. The QM standards continue to be relevant; many products used in vehicles do not impact safety if they fail (e.g. the power for the radio), so an ASIL rating is not applicable. However, for products that are central to a vehicle’s essential functions, car manufacturers are increasingly seeking the additional safety guarantees that an ASIL-rated product provides.

Breaking down and ranking the risk levels of each individual component provides designers with specificity in the types of backups required mitigate risk. For example, one such risk could be an output over-voltage, high-frequency failure that for some reason went undetected. Adding a backup detection device to identify this failure is an appropriate functional safety addition.

Using the ASIL ratings to describe how robust these functional safety protections are provides customers with valuable information about the safety of these products. It is a visible demonstration that safety is high priority in any new innovations — such as enhanced autopilot functionality — in a vehicle’s development. It is a safeguard to facilitate learning about potential dangers and adopting suitable interventions before an accident occurs.

How ASIL Ratings Are Developed

ASIL ratings are determined by performing a hazard analysis and risk assessment. Functional safety engineers then use these identified risks as a basis to measure each electronic component in a vehicle and assess the impact of its failure on the vehicle as a whole.

There are four broad ASIL categories: ASIL-A, ASIL-B, ASIL-C and ASIL-D. ASIL-A has the lowest aggregated level of associated risks, and ASIL-D has the highest total risk level.

This assessment uses three specific variables: the potential severity of a failure, the frequency of exposure to a failure scenario, and controllability.

To provide more specificity in the risk quantification, these variables are further broken down into sub-classes. These variables are described below:

Severity (S): Severity describes the type of injuries that the driver and passengers may experience. Severity has four classes, ranging from no injuries (S0) to life-threatening/fatal injuries (S3).
Exposure (E): Exposure describes how often the vehicle is exposed to the hazard. Exposure has five classes ranging from incredibly unlikely (E0) to highly probable (E4).
Controllability (C): Controllability describes how much agency the driver has to prevent injury. Controllability has four classes ranging from controllable in general (C0) to uncontrollable (C3).

All of these variables are then combined to create a numeric score that determines the required ASIL classification (see Figure 2). The highest scores reflect the highest potential hazard, earning an ASIL-D classification, while a lower score confers an ASIL-A or ASIL-B classification.

Figure 2: ASIL Ratings

An important concept for understanding ASIL classifications is that these ratings are not static. An IC does not have a default ASIL rating, because its risk level relates to its role and use within a given system. For example, a cruise control system includes both a software component and an actuator controller. If the defined risk is acceleration above a particular threshold, then the signal from the software element — and the risk it implies — could result in the actuator controller also being categorized at a higher ASIL level.

Because safety is already included in the design of QM parts, adding additional safety features often means providing additional backup solutions in case the first backup system fails. For certain parts, a safety measurement could be a reference voltage (V_REF) to regulate the output. An additional feature for an ASIL-rated product could be a second voltage that ensures the first voltage is within a safe range.

MPS and ASIL-Rated Power Solutions

At MPS, power solutions for the automotive industry can be designed with additional functional safety in two ways. Some of these products are developed as generic parts, based on assumptions of use according to the MPS safety manual. Other products are designed for a specific customer need. In these cases, the design is driven by the safety specifications.

From a design perspective, one of the challenges when introducing a functional safety feature is that the solution focuses strictly on how to return the vehicle and its passengers to a safe state — even if that solution requires disabling the power to the automobile or otherwise disrupting its intended use. The underlying philosophy is simple: functional safety mechanisms prioritize safety above all else. This means that when other mechanisms within a product are not working properly, functional safety backups will immediately respond to reduce or eliminate the possibility of an accident.

MPS’s power solutions do not have independent ASIL ratings; instead, the ASIL certifications depend on the automotive system as a whole, as well as the particular hazards that could arise from a specific application. In addition, an ASIL rating does not guarantee de facto safety; it is the user or system integrator’s responsibility to ensure that a particular product is suitable for the application and complies with the appropriate application standards.

That being said, MPS power solution products are specifically designed to help customers meet designated safety standards — including ASIL certifications — for their automotive systems. Examples of ASIL-B rated systems include smart junction boxes, instrument clusters, heating and cooling, and steering wheel sensors. For example, the MPQ70240FS-AEC1 is designed to provide a power solution for 360° view cameras. It includes two first-stage buck converters that redefine the size and efficiency of high-resolution camera modules. It is an ASIL-certified product that supports applications up to ASIL-B.

As the automotive sector moves towards autonomous vehicles, the demand for products that can meet ASIL-D certifications is growing. MPS has expanded its range of products to meet these safety standards, with many more currently in development. One popular product, the MPQ79700FS-AEC1, is a 12-channel functional safety power sequencer that is designed for autonomous driving platforms (see Figure 3). While the flexibility of its design means that it can be used in a range of applications and systems, it has a built-in self-testing (BIST) function that provides a high diagnostic coverage, regardless of use. This diagnostic testing feature was developed using MPS’s advanced MPSafe^TM functional safety product development process, which has been independently certified to meet ISO 26262 guidelines.

Figure 3: MPQ79700FS-AEC1 – 12-Channel, Functional Safety Power Sequencer

The MPQ79500FS-AEC1 is another example: This 6-channel voltage monitor is ideal for a broad range of advanced driver assistance systems (ADAS), such as adaptive cruise control, which often requires an ASIL-D solution. Its voltage monitor input has configurable over-voltage (OV) and under-voltage (UV) thresholds, with high accuracy for both the high-frequency (HF) and low-frequency (LF) components. The MPQ79500FS-AEC1 can record power-sequencing timestamps and orders. It also has a sync I/O function, which can achieve multi-device sequence synchronization and tagging. Its functional safety features — including BIST, diagnostics, write protections, and more — make it well-suited for ASIL-D applications.

Conclusion

Automotive ASIL ratings were designed to isolate and address specific risks for automotive systems. This helps ensure that a greater number of electrified and automatic systems in a car does not inadvertently make it more dangerous for drivers, passengers, and others on the road. Ranking the relative riskiness of various system failures in terms of the consequence to human life ensures that the priorities are where they should be: in preventing accidents through additional safeguards. MPS recognizes the importance of meeting the automotive industry’s stringent safety focus with power solutions that fully support this demand. To better support the industry, it has released numerous ASIL-rated products — including the MP70240FS-AEC1, the MPQ79700FS-AEC1 and the MPQ79500FS-AEC1 — and is working on developing a broad range of additional functional safety product options. For more information about MPS’s broad range of functional safety automotive products, visit our website.