ASIL, Explained Properly
Ask ten engineers what ASIL means and you'll get ten correct-but-incomplete answers. It's "the safety level." It's "how dangerous the thing is." Both are close enough to pass a meeting and wrong enough to misclassify a system. ASIL is not a measure of danger — it's a measure of how much rigour a given hazard demands. Here is what it actually is, and where teams get it wrong.
ASIL is an output, not an input
The single most common mistake is treating ASIL as something you assign based on gut feel. You don't. ASIL is computed — it falls out of three independent ratings made during Hazard Analysis and Risk Assessment (HARA). You assess each hazardous event on three axes, and the combination determines the ASIL. Get the three inputs right and the ASIL is simply the answer the table gives you.
Those three axes are Severity (S), Exposure (E), and Controllability (C). Every one of them is about a specific hazardous event in a specific driving situation — never about the component "in general."
Severity — how badly could it hurt someone?
Severity rates the harm to people if the hazard occurs and goes uncontrolled. It runs from S0 to S3:
- S0 — no injuries. (Often falls out of scope entirely.)
- S1 — light to moderate injuries.
- S2 — severe injuries, survival probable.
- S3 — life-threatening or fatal injuries, survival uncertain.
Note what severity is not: it isn't about how the part fails, only about the consequence to humans. A spectacular electronic failure that can't hurt anyone is S0. A quiet loss of braking assist on a motorway is S3.
Exposure — how often are you in the situation?
Exposure rates how frequently the vehicle is in the operational situation where the hazard could cause harm — not how often the part fails. It runs E0 to E4:
- E0 — incredibly unlikely situation.
- E1 — very low probability (situations that arise only in rare circumstances).
- E2 — low probability.
- E3 — medium probability (a situation encountered often).
- E4 — high probability (something that happens during almost every drive).
This is the axis teams most often get backwards. "Loss of power steering" sounds rare — but the situation "driving at speed and needing to steer" is E4, because it's nearly constant. The failure being rare doesn't lower exposure; exposure is about the situation, and the situation is everywhere.
Controllability — can the driver save it?
Controllability rates whether a typical driver (or other people at risk) can act to avoid the harm once the hazard manifests. It runs C0 to C3:
- C0 — controllable in general; essentially no action needed.
- C1 — simply controllable; 99%+ of drivers can manage it.
- C2 — normally controllable; 90%+ can manage it.
- C3 — difficult to control or uncontrollable; fewer than 90% can.
Severity asks "how bad is the outcome?" Exposure asks "how often am I in harm's way?" Controllability asks "can a normal driver rescue the situation?" Rate all three honestly for the specific hazardous event — and the ASIL is no longer a judgement call, it's a lookup.
The table that turns S, E, C into ASIL
Here's the heart of it. For S3 hazards (life-threatening), the standard maps the Exposure and Controllability combinations like this:
| S3 Severity | C1 | C2 | C3 |
|---|---|---|---|
| E1 | QM | QM | A |
| E2 | QM | A | B |
| E3 | A | B | C |
| E4 | B | C | D |
The pattern is the whole intuition: the more often you're exposed to a life-threatening situation that's hard to control, the more rigour the system demands. An S3 / E4 / C3 hazard — frequent, severe, and uncontrollable — is the only combination that yields ASIL D, the most stringent level in the standard. At the other end sits QM (Quality Managed): real hazards, but ones that ordinary quality processes handle without the full ISO 26262 apparatus.
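To make the lookup concrete, here is an added example (not code from the original article) that encodes the S3 rows printed above together with the S1 and S2 rows of the same ISO 26262-3 ASIL determination table, and runs it over a small constructed HARA. The component names, hazards, situations and S/E/C ratings are invented for illustration, not ratings from any real assessment; the point they make is the one the text makes: the same hazard gets a different ASIL in a different situation, and S3/E4/C3 is the only triple that reaches D.

```python
# Added example, not code from the original article.  The S3 rows below are
# the ones the article prints; the S1 and S2 rows complete the same ISO 26262-3
# ASIL determination table.  The hazardous events are constructed for
# illustration and are not ratings from any real assessment.
from dataclasses import dataclass

# Rigour order, lowest to highest.  QM is not an ASIL but sits below A.
ASIL_ORDER = ["QM", "A", "B", "C", "D"]

# ASIL_TABLE[S][E] is the row for that severity/exposure pair; the three
# entries are the results for C1, C2 and C3 in that order.
ASIL_TABLE = {
    1: {1: ("QM", "QM", "QM"), 2: ("QM", "QM", "QM"), 3: ("QM", "QM", "A"), 4: ("QM", "A", "B")},
    2: {1: ("QM", "QM", "QM"), 2: ("QM", "QM", "A"), 3: ("QM", "A", "B"), 4: ("A", "B", "C")},
    3: {1: ("QM", "QM", "A"), 2: ("QM", "A", "B"), 3: ("A", "B", "C"), 4: ("B", "C", "D")},
}


def determine_asil(s: int, e: int, c: int) -> str:
    """Look up the ASIL for one hazardous event rated S, E and C."""
    if not (0 <= s <= 3 and 0 <= e <= 4 and 0 <= c <= 3):
        raise ValueError(f"rating out of range: S{s} E{e} C{c}")
    # S0, E0 or C0 means no ASIL is assigned; ordinary quality management applies.
    if s == 0 or e == 0 or c == 0:
        return "QM"
    return ASIL_TABLE[s][e][c - 1]


@dataclass(frozen=True)
class HazardousEvent:
    """One row of a HARA: a hazard in a specific situation, with its S/E/C."""
    component: str
    hazard: str
    situation: str
    s: int
    e: int
    c: int

    @property
    def asil(self) -> str:
        return determine_asil(self.s, self.e, self.c)


# Constructed HARA rows.  The same EPS hazard appears twice, once per
# situation, and gets two different ASILs; the component has no ASIL of its own.
HARA = [
    HazardousEvent("EPS", "loss of steering assist", "motorway, steering input needed", 3, 4, 3),
    HazardousEvent("EPS", "loss of steering assist", "parking manoeuvre at walking pace", 1, 3, 2),
    HazardousEvent("BMS", "undetected cell over-temperature", "DC fast charging, people nearby", 3, 3, 3),
    HazardousEvent("BMS", "state-of-charge display too high", "any driving", 1, 4, 1),
]


def component_worst_case(events: list[HazardousEvent]) -> dict[str, str]:
    """Highest ASIL behind each component: the level the element must be developed to."""
    worst: dict[str, str] = {}
    for ev in events:
        worst[ev.component] = max(worst.get(ev.component, "QM"), ev.asil, key=ASIL_ORDER.index)
    return worst


def combinations_yielding(target: str) -> list[tuple[int, int, int]]:
    """All (S, E, C) triples in the table that produce the given ASIL."""
    return [(s, e, c) for s in (1, 2, 3) for e in (1, 2, 3, 4) for c in (1, 2, 3)
            if determine_asil(s, e, c) == target]


if __name__ == "__main__":
    for ev in HARA:
        print(f"{ev.component:4} S{ev.s} E{ev.e} C{ev.c} -> {ev.asil:2}  {ev.hazard} / {ev.situation}")
    print("worst case per component:", component_worst_case(HARA))
    print("triples giving ASIL D:", combinations_yielding("D"))
```

The table is spelled out row by row rather than derived from a formula so that every cell can be checked against the standard; `combinations_yielding("D")` returns only `(3, 4, 3)`, and `component_worst_case` shows how a component ends up carrying the highest ASIL of the hazardous events behind it rather than an ASIL "of its own".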
Where teams get it wrong
Across the projects I've seen, the misclassifications cluster into a few repeat offenders:
- Rating the component, not the hazardous event. ASIL attaches to a specific hazard in a specific situation, not to "the BMS." One component can sit behind several hazards at different ASILs.
- Confusing failure rate with exposure. As above — exposure is about the operational situation, never the probability of the fault. This single error both over- and under-classifies constantly.
- Optimism on controllability. Engineers who know the system imagine they could handle a fault, and rate C too low. The standard asks about a typical driver, surprised, in traffic — not an expert who designed the thing.
- Forgetting ASIL decomposition. A high ASIL can sometimes be met by combining independent lower-ASIL elements — a powerful tool, but only when the independence is real and documented.
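The decomposition point in the last bullet is easy to misapply, so here is an added example (not code from the original article) that encodes the decomposition schemes ISO 26262-9 permits and refuses any other split. The `independent` argument is a stand-in for the dependent-failure analysis that has to back the claim; it is an assumption of this example, not something the standard expresses as a boolean.

```python
# Added example, not code from the original article.  The permitted schemes are
# the ones ISO 26262-9 lists for ASIL decomposition; the `independent` argument
# stands in for the dependent-failure analysis that has to back up the claim.
ASIL_ORDER = ["QM", "A", "B", "C", "D"]

# Each target ASIL may be met by exactly these pairs of element ASILs (order
# within a pair does not matter).  No other split is permitted.
DECOMPOSITIONS = {
    "D": {("C", "A"), ("B", "B"), ("D", "QM")},
    "C": {("B", "A"), ("C", "QM")},
    "B": {("A", "A"), ("B", "QM")},
    "A": {("A", "QM")},
}


def _ordered(a: str, b: str) -> tuple[str, str]:
    """Normalise a pair so the higher ASIL comes first, matching the table keys."""
    hi, lo = sorted((a, b), key=ASIL_ORDER.index, reverse=True)
    return (hi, lo)


def is_permitted_decomposition(target: str, elem_a: str, elem_b: str) -> bool:
    """True if target may be met by two elements developed to elem_a and elem_b."""
    return _ordered(elem_a, elem_b) in DECOMPOSITIONS.get(target, set())


def decompose(target: str, elem_a: str, elem_b: str, independent: bool) -> tuple[str, str]:
    """Return the decomposed labels, e.g. ('B(D)', 'B(D)').

    The suffix in parentheses records the ASIL of the original requirement
    before decomposition; the elements are developed to the lower level, but
    the requirement they jointly fulfil keeps its original ASIL.
    """
    if not independent:
        raise ValueError("decomposition needs demonstrated independence of the two elements")
    if not is_permitted_decomposition(target, elem_a, elem_b):
        raise ValueError(f"{elem_a} + {elem_b} is not a permitted decomposition of ASIL {target}")
    return (f"{elem_a}({target})", f"{elem_b}({target})")


if __name__ == "__main__":
    print(decompose("D", "B", "B", independent=True))   # two ASIL B elements meeting a D requirement
    print(decompose("D", "C", "A", independent=True))
    for bad in (("D", "C", "C"), ("D", "A", "A"), ("C", "A", "A")):
        print(bad, "permitted:", is_permitted_decomposition(*bad))
```

Two things the check enforces that reviews often let slide: a D requirement cannot be met by two A elements (the pairs are fixed, not additive), and the QM side of a `D(D) + QM(D)` split still inherits the `(D)` marker, so it does not simply disappear from the safety case.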
None of this is academic. An over-classified system burns budget proving rigour it never needed. An under-classified one ships without the evidence a life depends on — and an assessor will find it. Getting S, E, and C right is the difference, and it's exactly the judgement a functional-safety specialist exists to provide.
Need a defensible HARA and ASIL classification for your EV system? That's exactly what we do.
Book a Discovery Call