ASIL C
Understanding ASIL C
ASIL C represents a significant step up in safety rigor. At this level, the RF or radar system directly influences vehicle behavior — it does not merely warn the driver but actively controls braking, acceleration, or steering. The engineering demands reflect the severity of consequences if the system fails.
ASIL C Requirements
Key requirements at ASIL C include:
- SPFM ≥97%: Only 3% of single-point hardware faults may remain undetected — requiring extensive diagnostic monitoring of every critical component.
- Formal safety analysis: FMEA, FTA, and dependent failure analysis must be comprehensive and independently reviewed.
- Fault injection testing: The system must be physically tested under fault conditions to verify that safety mechanisms activate correctly.
- MC/DC coverage: Software test coverage must demonstrate that every condition in every decision independently affects the outcome.
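The MC/DC requirement above, shown as an added example that is not part of the original page: a unique-cause MC/DC check over a test suite. The `brake_request` decision, its condition names and both test suites are hypothetical and constructed for illustration.

```python
from itertools import combinations

CONDITIONS = ("radar_ok", "target_valid", "closing", "too_close")

def brake_request(radar_ok, target_valid, closing, too_close):
    """Hypothetical ACC braking decision, constructed for this example."""
    return radar_ok and target_valid and (closing or too_close)

def mcdc_pairs(decision, names, tests):
    """Map each condition to an independence pair of test vectors, or None.

    Unique-cause MC/DC: the two vectors differ in that one condition only,
    and the decision outcome differs between them.
    """
    pairs = {name: None for name in names}
    for a, b in combinations(tests, 2):
        diff = [i for i in range(len(names)) if a[i] != b[i]]
        if len(diff) == 1 and decision(*a) != decision(*b):
            name = names[diff[0]]
            if pairs[name] is None:
                pairs[name] = (a, b)
    return pairs

def uncovered(decision, names, tests):
    """Conditions for which the suite holds no independence pair."""
    found = mcdc_pairs(decision, names, tests)
    return [name for name in names if found[name] is None]

T, F = True, False
# Constructed suites. WEAK reaches both outcomes (decision coverage) but
# flips every condition at once, so no condition is shown to act alone.
WEAK = [(T, T, T, T), (F, F, F, F)]
# FULL uses n + 1 = 5 vectors for n = 4 conditions.
FULL = [(T, T, T, F), (F, T, T, F), (T, F, T, F), (T, T, F, F), (T, T, F, T)]

if __name__ == "__main__":
    for label, suite in (("WEAK", WEAK), ("FULL", FULL)):
        print(label, "lacks pairs for:", uncovered(brake_request, CONDITIONS, suite))
```

This checks the unique-cause form only; masking MC/DC accepts additional pairs for decisions with coupled or short-circuited conditions.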
Radar Applications at ASIL C
Adaptive cruise control radar is the canonical ASIL C application. The 77 GHz radar measures range, velocity, and angle of preceding vehicles and directly commands the vehicle's braking and throttle systems. If the radar falsely reports a target, the vehicle may brake unnecessarily; if it fails to detect a target, a rear-end collision may result. The moderate controllability (the driver can override ACC) keeps most ACC implementations at ASIL C rather than ASIL D.
Key Equations
ASIL C is the second-highest Automotive Safety Integrity Level in ISO 26262, applying to functions where failure could result in severe injuries in driving scenarios...
Key specifications:
97 % | 80 % | 3 % | 77 GHz | 32.44 dB
Power: $P_{\mathrm{dBm}} = 10\log_{10}(P_{\mathrm{mW}})$, where 0 dBm = 1 mW
Frequently Asked Questions
What is fault injection testing?
Fault injection testing physically introduces faults into the hardware or software and verifies that the safety mechanisms respond correctly. For a radar system, this might include: disabling the transmitter and verifying the system reports a radar failure within the required detection time, injecting a false target into the signal processing chain and verifying the system rejects it, or disconnecting an antenna element and verifying the diagnostic detects the resulting pattern degradation.
Why is ACC typically ASIL C and not ASIL D?
ASIL classification depends on controllability. In ACC, the driver is expected to be attentive and ready to take over — the system explicitly requires driver supervision. This controllability rating of C2 or C3 (rather than the uncontrollable C3 used for fully autonomous driving) reduces the ASIL classification from D to C. As vehicles move toward higher levels of autonomy where the driver is not expected to monitor, the same radar function may be reclassified to ASIL D.
Does ASIL C require hardware redundancy?
Not necessarily. ASIL C can be achieved through a single-channel architecture with sufficient diagnostic coverage (SPFM ≥97%) and appropriate safety mechanisms (safe state transitions on fault detection). Hardware redundancy is one way to achieve ASIL C but is not the only way. The choice between redundant and single-channel architectures is a cost-performance tradeoff that the system designer resolves during the functional safety concept phase.