What is ISO 26262 and what are ASIL levels?
ISO 26262 is the international standard for functional safety of electrical and electronic systems in road vehicles. It is an adaptation of the broader IEC 61508 standard, tailored specifically for the automotive domain. ISO 26262 defines a safety lifecycle that spans the entire product development process — from concept and system-level design through hardware and software development, production, operation, and decommissioning. The standard requires a systematic identification of hazards through Hazard Analysis and Risk Assessment (HARA), decomposition of safety requirements, verification and validation at every stage, and documented evidence that the system achieves an acceptable level of residual risk.
ASIL (Automotive Safety Integrity Level) is the risk classification scheme defined by ISO 26262, with levels from QM (Quality Management — no special safety requirements) through ASIL A (lowest safety criticality) to ASIL D (highest, most stringent). The ASIL level is determined by three factors evaluated during HARA: Severity (how bad is the harm if the hazard occurs — S0 to S3), Exposure (how likely is the operational situation where the hazard can occur — E0 to E4), and Controllability (how likely is the driver to avoid the harm — C0 to C3). For example, an electric power steering failure at highway speed would be rated S3 (life-threatening), E4 (highly probable scenario), C3 (difficult to control), resulting in ASIL D. A heated seat malfunction might be S1, E4, C3, resulting in ASIL A or B.
Each ASIL level imposes progressively stricter requirements on development processes, design techniques, and verification methods. ASIL D requires the most rigorous techniques: formal verification, comprehensive code coverage (MC/DC — Modified Condition/Decision Coverage), redundant hardware architectures, extensive safety analysis (FMEA, FTA, FMEDA), and independent assessment by a third party. ASIL A might only require basic testing and code review. A crucial concept is ASIL decomposition: a safety requirement at ASIL D can be decomposed into two independent requirements at ASIL B(D) implemented on separate hardware, reducing the development cost while maintaining the overall safety integrity. Interviewers often ask about ASIL to test whether you understand not just what the levels mean, but how they drive architectural decisions — redundancy, independence, and the cost tradeoff between a single ASIL D component and two ASIL B(D) components.
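The two mechanics described above, ASIL determination from the S/E/C ratings and the decomposition rules, as an added worked example (not part of the original Q&A). It encodes the S/E/C lookup of ISO 26262-3 Table 4 as a score rule that reproduces the table exactly, and the permitted decomposition pairs from ISO 26262-9; the "heated seat" example resolves to ASIL B at C3 and ASIL A at C2.

```python
from itertools import product

# HARA inputs: Severity S0..S3, Exposure E0..E4, Controllability C0..C3.
ASIL_BY_SCORE = {7: "A", 8: "B", 9: "C", 10: "D"}
ORDER = ["QM", "A", "B", "C", "D"]
# Permitted decompositions (ISO 26262-9); each pair is written as
# (higher ASIL, lower ASIL). The "(D)" suffix in the text records the
# original ASIL for traceability and is omitted here.
DECOMPOSITIONS = {
    "D": {("C", "A"), ("B", "B"), ("D", "QM")},
    "C": {("B", "A"), ("C", "QM")},
    "B": {("A", "A"), ("B", "QM")},
    "A": {("A", "QM")},
}


def asil_level(severity: int, exposure: int, controllability: int) -> str:
    """ASIL for one hazardous event. Any S0/E0/C0 rating is QM; otherwise
    S+E+C of 7 -> A, 8 -> B, 9 -> C, 10 -> D, which is ISO 26262-3 Table 4."""
    if not (0 <= severity <= 3 and 0 <= exposure <= 4 and 0 <= controllability <= 3):
        raise ValueError("S must be 0-3, E 0-4, C 0-3")
    if 0 in (severity, exposure, controllability):
        return "QM"
    return ASIL_BY_SCORE.get(severity + exposure + controllability, "QM")


def is_valid_decomposition(target: str, first: str, second: str) -> bool:
    """True if a requirement at `target` may be split into two requirements
    at `first` and `second` allocated to sufficiently independent elements."""
    pair = tuple(sorted((first, second), key=ORDER.index, reverse=True))
    return pair in DECOMPOSITIONS.get(target, set())


def hara_table() -> dict:
    """Full S1-S3 x E1-E4 x C1-C3 matrix (36 cells), as in Table 4."""
    return {(s, e, c): asil_level(s, e, c)
            for s, e, c in product(range(1, 4), range(1, 5), range(1, 4))}


if __name__ == "__main__":
    # Worked examples from the text above (illustrative ratings, not a real HARA).
    print("EPS failure at highway speed S3/E4/C3 ->", asil_level(3, 4, 3))
    print("Heated seat malfunction S1/E4/C3 ->", asil_level(1, 4, 3))
    print("Heated seat malfunction S1/E4/C2 ->", asil_level(1, 4, 2))
    print("D -> B(D) + B(D) allowed:", is_valid_decomposition("D", "B", "B"))
    print("D -> A(D) + A(D) allowed:", is_valid_decomposition("D", "A", "A"))
```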
Source: Safety & Security Q&A
