Functional Safety in Automotive: ISO 26262, ASIL Decomposition, and System Architecture

Functional Safety has become a foundational requirement in modern automotive engineering. As vehicles integrate increasingly complex electronic control systems, sensors, and software, ensuring that these systems behave safely — even in the presence of faults — is a core engineering responsibility. ISO 26262:2018 provides the framework for achieving this.
This article offers a clear, comprehensive introduction to Functional Safety in road vehicles, covering key concepts such as Hazards, Safety Goals, ASILs, Item/System/Component definitions, and advanced topics like ASIL decomposition (ASIL D → ASIL C + QM).
🚗 What Is Functional Safety?
Functional Safety ensures that automotive electrical/electronic systems operate safely even when faults occur. It is concerned with preventing unreasonable risk due to:
- random hardware failures
- systematic software issues
- environmental or operational disturbances
Under ISO 26262, Functional Safety is about:
- identifying hazards
- evaluating risk using HARA
- defining safety requirements
- designing architectures that tolerate faults
- ensuring traceability through the lifecycle
📘 ISO 26262:2018 – Functional Safety Standard for Road Vehicles
ISO 26262 defines a safety lifecycle covering:
- concept & item definition
- system, hardware, and software development
- production & operation
- service & decommissioning
Its goal is to ensure safety is designed into every step of the development process — not added as an afterthought.
🧩 Safety Culture and Management of Functional Safety
A mature safety culture is essential for preventing systematic failures.
Key pillars include:
- clear Functional Safety responsibilities (e.g., Safety Manager)
- independence between development and assessment
- well-documented, repeatable processes
- continuous training and improvement
- an organization-wide mindset that prioritizes safety
Functional Safety is not just technical; it is organizational.
🔍 Item, System, and Component — Clear Definitions (ISO 26262)
ISO 26262 uses a hierarchical structure to define what is being analyzed:
1️⃣ Item — Highest-Level Vehicle Function
Definition:
An Item is a system or combination of systems that provides a vehicle-level function subject to Functional Safety.
Examples:
- Brake-by-wire system
- Autonomous emergency braking
- Electric power steering
- Battery management system (BMS)
📌 Items are analyzed in the Concept Phase and used in HARA and Safety Goals.
2️⃣ System — A Group of Interacting Elements
Definition:
A System is a collection of subsystems, components, hardware, software, and interfaces that implements part of the Item’s function.
Examples inside an EPS Item:
- Torque sensor system
- Power electronics system
- Control system (ECU)
- Communication system
📌 Systems transform Safety Goals into Technical Safety Requirements (TSRs).
3️⃣ Component — The Smallest Implementable Element
Definition:
A Component is a hardware or software element that cannot be further divided in terms of safety development.
Examples:
- microcontroller
- power MOSFET
- ADC module
- torque estimation software block
- watchdog timer routine
📌 Components are analyzed using FMEDA, FIT rates, and hardware metrics.
⚠️ Hazards, HARA, and Safety Goals
Hazard Analysis and Risk Assessment (HARA)
HARA determines risk by evaluating:
- Severity (S)
- Exposure (E)
- Controllability (C)
Based on these parameters, each hazardous scenario is assigned an ASIL.
🟦 Automotive Safety Integrity Level (ASIL)
| ASIL | Meaning | Risk Level |
|---|---|---|
| QM | Quality Management | No ASIL-specific safety requirements; normal quality processes apply |
| ASIL A | Low | Lower rigor |
| ASIL B | Medium | Increased diagnostics & process rigor |
| ASIL C | High | Strict architectural requirements |
| ASIL D | Very High | Highest level of safety & redundancy |
ASIL determines:
- architecture
- diagnostics
- development rigor
- hardware reliability targets (PMHF, FIT)
- verification & validation activities
🔧 ASIL Decomposition — Reducing Complexity While Maintaining Safety
ASIL decomposition allows a high ASIL requirement to be satisfied by:
- multiple independent lower ASIL channels
- architectural redundancy
- cross-monitoring strategies
Most common decomposition:
✔︎ ASIL D → ASIL B + ASIL B
Two ASIL B channels, technically independent, can collectively achieve ASIL D safety performance.
🟥 ASIL D → ASIL C + QM (with Independence & Strong Monitoring)
This advanced decomposition is used when:
- full redundancy is not feasible
- cost, packaging, or architectural constraints exist
- strong diagnostics allow a hybrid safety approach
✔ What it means:
- ASIL C = primary safety channel (responsible for safety)
- QM = secondary non-safety channel
- ASIL C implements strong monitoring of QM
- channels are technically independent
Why ISO 26262 allows it:
Because ASIL C alone can guarantee safety, provided it can:
- detect faults in the QM channel
- discard QM data when invalid
- transition the system to a safe state
🧠 Mechanisms Required for Strong Monitoring
ASIL C must implement:
- plausibility checks
- range and saturation checks
- cross-channel comparisons
- timeouts
- stuck-at detection
- rate-of-change checks
- drift detection
📌 Example: Battery Temperature Monitoring (ASIL D)
Safety Goal: Prevent thermal runaway (ASIL D).
Decomposition:
- Channel 1 → ASIL C NTC temp sensor + ADC + safety software
- Channel 2 → QM thermistor through auxiliary module
- ASIL C continuously monitors divergence between channels
If QM fails → system continues safely.
If ASIL C detects out-of-range → safe state (power limitation/shutdown).
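As an added example (not code from the article), this is how the ASIL C software channel in the battery example above could implement the monitoring checks listed earlier: timeout, range, stuck-at, rate-of-change and cross-channel divergence, with QM data discarded when invalid and a safe state requested when the ASIL C channel itself is out of range or the cell is too hot. Temperature units (0.1 °C), all thresholds and cycle counts are constructed assumptions; slow drift is caught only once the divergence between channels exceeds its tolerance.

```c
/* Added example, not from the article: the ASIL C software channel of a battery
 * temperature monitor validating a QM channel. Values are 0.1 degC steps;
 * all thresholds and cycle counts below are constructed assumptions. */
#include <stdint.h>
#include <stdbool.h>
#include <stdlib.h>

#define TEMP_MIN_VALID  (-400) /* -40.0 degC, below NTC range: sensor fault   */
#define TEMP_MAX_VALID  1250   /* 125.0 degC, above NTC range: sensor fault   */
#define TEMP_SAFE_LIMIT 600    /* 60.0 degC, safety goal demands safe state   */
#define MAX_DIVERGENCE  50     /* 5.0 degC tolerated between the two channels */
#define MAX_STEP        20     /* 2.0 degC max plausible change per cycle     */
#define STUCK_CYCLES    50     /* unchanged QM samples before stuck-at flag   */
#define QM_TIMEOUT      3      /* consecutive missing QM samples tolerated    */

typedef enum { ACT_NORMAL, ACT_DISCARD_QM, ACT_SAFE_STATE } action_t;

typedef struct {
    bool     started, qm_seen;  /* previous samples exist for rate checks */
    int16_t  c_prev, qm_prev;   /* previous readings per channel          */
    uint16_t qm_stuck;          /* cycles the QM value has not changed    */
    uint16_t qm_missed;         /* consecutive cycles without a QM sample */
} monitor_t;

static bool in_range(int16_t t) { return t >= TEMP_MIN_VALID && t <= TEMP_MAX_VALID; }

/* Timeout, rate-of-change, stuck-at, range and cross-channel checks on QM.
 * Returns true when the QM channel may still be trusted this cycle. */
static bool qm_plausible(monitor_t *m, int16_t c_temp, const int16_t *qm) {
    if (qm == NULL) {                          /* no fresh sample: timeout */
        if (m->qm_missed < QM_TIMEOUT) m->qm_missed++;
        return m->qm_missed < QM_TIMEOUT;      /* hold last value briefly  */
    }
    m->qm_missed = 0;
    bool jumped = m->qm_seen && abs(*qm - m->qm_prev) > MAX_STEP;
    m->qm_stuck = (m->qm_seen && *qm == m->qm_prev) ? m->qm_stuck + 1 : 0;
    m->qm_prev = *qm;
    m->qm_seen = true;
    if (jumped || m->qm_stuck >= STUCK_CYCLES || !in_range(*qm)) return false;
    return abs(*qm - c_temp) <= MAX_DIVERGENCE;  /* channels must agree */
}

/* One monitoring cycle. qm_temp is NULL when the auxiliary module sent nothing. */
action_t monitor_step(monitor_t *m, int16_t c_temp, const int16_t *qm_temp) {
    /* The ASIL C channel must first trust its own reading (range and rate). */
    bool c_ok = in_range(c_temp) && (!m->started || abs(c_temp - m->c_prev) <= MAX_STEP);
    bool qm_ok = qm_plausible(m, c_temp, qm_temp);
    m->c_prev = c_temp; m->started = true;
    if (!c_ok) return ACT_SAFE_STATE;           /* primary channel fault */
    int16_t worst = c_temp;  /* while QM is trusted, the hotter reading decides */
    if (qm_ok && qm_temp != NULL && *qm_temp > c_temp) worst = *qm_temp;
    if (worst > TEMP_SAFE_LIMIT) return ACT_SAFE_STATE;
    return qm_ok ? ACT_NORMAL : ACT_DISCARD_QM;  /* invalid QM data is dropped */
}
```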
🧷 Hierarchy Summary
```
Item
└── System
    └── Component
        └── Diagnostics / Monitoring / SW Units
```
ASIL decomposition and clear architecture definition ensure traceability and robustness across all layers.
📦 Conclusion
Functional Safety is a critical pillar in modern automotive development. ISO 26262 provides a structured safety lifecycle addressing hazards, risks, and architectural requirements. Understanding the relationship between Item, System, and Component, along with advanced strategies such as ASIL decomposition (including ASIL C + QM), is essential for designing safe and reliable systems in increasingly complex vehicles.
As electrification, ADAS, and autonomous systems continue to grow, mastering Functional Safety is more important than ever for engineers, suppliers, and OEMs alike.