Inovasense

SIL / ASIL (Safety Integrity Levels)

SIL (Safety Integrity Level) and ASIL (Automotive Safety Integrity Level) are formal, quantified risk-classification schemes. They define how much risk reduction, and therefore how much development rigor, is required of an electronic system whose failure could cause injury or death.

A consumer smartwatch failing and corrupting its step-counter data is an annoyance. A medical infusion pump failing and delivering a lethal dose of medication, or a car’s electronic braking system failing on a highway, is a catastrophe.

To bridge this massive disparity in risk, the engineering world relies on formal safety standards. The two most prominent are SIL (Safety Integrity Level), derived from the general functional safety standard IEC 61508, and ASIL (Automotive Safety Integrity Level), derived from the automotive-specific ISO 26262.

Understanding and designing a product to meet these levels is one of the most intellectually demanding (and expensive) challenges in hardware engineering.

What are SIL and ASIL?

SIL and ASIL are not physical hardware certifications; they are classifications of required risk reduction. They answer the question: “If this specific hardware or software component fails, how likely is it to kill someone, and therefore how much rigor must we apply so that the chance of a dangerous failure is acceptably small?” Nothing never fails, so the levels set targets for how rarely a dangerous failure may occur and how thoroughly the design must be verified, not a promise of perfection.

The ASIL Classification (A to D)

In the automotive standard (ISO 26262), risk is evaluated based on three factors:

  1. Severity (S): If an accident occurs due to the failure, how bad are the injuries?
  2. Exposure (E): How often is the vehicle in a situation where this failure could happen?
  3. Controllability (C): Can the driver reasonably prevent the accident if the failure occurs?

Combining these creates a matrix that assigns an ASIL level:

  • QM (Quality Management): No safety risk (e.g., the car radio breaks). Standard engineering practices apply.
  • ASIL A: Very low risk (e.g., rear taillights stop working).
  • ASIL B / C: Medium-to-high risk (e.g., instrument cluster freezes, advanced driver assistance systems).
  • ASIL D: Extreme, life-threatening risk (e.g., electronic power steering locks up, ABS brakes fail).
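The matrix the text mentions can be written down and exercised directly. The following C program is an added example, not Inovasense code: it holds the ISO 26262-3 ASIL determination table as this editor recalls it (indexed by severity S1..S3, exposure E1..E4 and controllability C1..C3), classifies a few hazards, and checks the ISO 26262-9 decomposition rule under which one ASIL D requirement may be split across two independent redundant channels. The hazards in the worksheet and their S/E/C ratings are constructed for illustration and are not taken from any real assessment.

```c
#include <stdio.h>

typedef enum { QM = 0, ASIL_A = 1, ASIL_B = 2, ASIL_C = 3, ASIL_D = 4 } asil_t;

/* ISO 26262-3 ASIL determination table, indexed [S-1][E-1][C-1]. */
static const asil_t ASIL_TABLE[3][4][3] = {
    /* S1 */ { {QM, QM, QM},     {QM, QM, QM},         {QM, QM, ASIL_A},         {QM, ASIL_A, ASIL_B} },
    /* S2 */ { {QM, QM, QM},     {QM, QM, ASIL_A},     {QM, ASIL_A, ASIL_B},     {ASIL_A, ASIL_B, ASIL_C} },
    /* S3 */ { {QM, QM, ASIL_A}, {QM, ASIL_A, ASIL_B}, {ASIL_A, ASIL_B, ASIL_C}, {ASIL_B, ASIL_C, ASIL_D} },
};
static const char *ASIL_NAMES[] = { "QM", "ASIL A", "ASIL B", "ASIL C", "ASIL D" };

/* Returns the ASIL for a hazardous event, or -1 if a parameter is out of range. */
int asil_classify(int s, int e, int c)
{
    if (s < 1 || s > 3 || e < 1 || e > 4 || c < 1 || c > 3) return -1;
    return (int)ASIL_TABLE[s - 1][e - 1][c - 1];
}

/* Cross-check on the table itself: it equals max(0, S+E+C-6) everywhere,
 * which is why ASIL D is reached only at S3/E4/C3. */
int asil_table_is_additive(void)
{
    for (int s = 1; s <= 3; s++)
        for (int e = 1; e <= 4; e++)
            for (int c = 1; c <= 3; c++) {
                int sum = s + e + c - 6;
                if (asil_classify(s, e, c) != (sum < 0 ? 0 : sum)) return 0;
            }
    return 1;
}

/* ISO 26262-9 ASIL decomposition: a requirement at level `parent` may be allocated to two
 * independent redundant elements at levels a and b when the levels add up to the parent
 * (D -> C(D)+A(D), B(D)+B(D), D(D)+QM(D); C -> B(C)+A(C), C(C)+QM(C); and so on).
 * The arithmetic is necessary, not sufficient: independence of the two elements must still
 * be shown by a dependent-failure analysis. */
int asil_decomposition_valid(asil_t parent, asil_t a, asil_t b)
{
    return (int)a + (int)b == (int)parent;
}

/* Hazard analysis worksheet rows; hazards and S/E/C ratings are constructed for illustration. */
typedef struct { const char *hazard; int s, e, c; } hazard_t;
static const hazard_t WORKSHEET[] = {
    { "Infotainment screen blanks while driving",        1, 4, 1 },
    { "Rear lights fail at night",                       2, 3, 2 },
    { "Instrument cluster freezes, stale speed shown",   2, 4, 2 },
    { "Electric power steering locks at highway speed",  3, 4, 3 },
    { "Unintended braking of one wheel at speed",        3, 3, 3 },
};

int main(void)
{
    for (size_t i = 0; i < sizeof WORKSHEET / sizeof WORKSHEET[0]; i++) {
        const hazard_t *h = &WORKSHEET[i];
        printf("%-48s S%d E%d C%d -> %s\n", h->hazard, h->s, h->e, h->c,
               ASIL_NAMES[asil_classify(h->s, h->e, h->c)]);
    }
    printf("table additive: %d, D -> C + A valid: %d, D -> B + A valid: %d\n",
           asil_table_is_additive(),
           asil_decomposition_valid(ASIL_D, ASIL_C, ASIL_A),
           asil_decomposition_valid(ASIL_D, ASIL_B, ASIL_A));
    return 0;
}
```

The decomposition check is the link to the redundancy discussed later on this page: a safety goal rated ASIL D can be met by two independent channels rated C(D) and A(D), but only if the dependent-failure analysis shows that a single cause (shared supply, shared clock, common software defect) cannot take both channels down together.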

Similarly, the industrial standard (IEC 61508) uses SIL 1 through SIL 4, where SIL 4 is the most rigorous (commonly required in railway signaling or nuclear power). Unlike ASIL, each SIL carries an explicit numeric target: for a continuously operating safety function the average probability of a dangerous failure per hour must lie below 10^-5 for SIL 1, 10^-6 for SIL 2, 10^-7 for SIL 3 and 10^-8 for SIL 4.

Engineering for ASIL-D / SIL 3

If an Inovasense architect determines a control board must meet ASIL-D, the entire V-Model development process changes drastically compared to consumer electronics.

  1. Redundancy (Lockstep Processing): An ASIL-D system cannot rely on a single, unmonitored MCU core. We typically mandate Dual-Core Lockstep (DCLS) microcontrollers (such as the NXP S32 or TI Hercules families). These chips contain two identical CPU cores executing the same instruction stream, one delayed by a few clock cycles so that a single transient disturbance does not hit both cores in the same state. A hardware comparator checks the outputs of both cores every cycle. If a cosmic ray flips a bit in one core and the outputs diverge, the comparator raises a fault and the system transitions to its defined safe state (for example, disabling the motor driver so the actuator settles into a known state). Note what lockstep does and does not do: it detects the divergence but cannot tell which core is right, so the reaction is a fault signal and a safe-state transition, never a silent correction, and the safe state is defined per safety goal rather than being a generic shutdown.
  2. ECC Memory: Every safety-relevant byte of RAM and Flash is guarded by an Error-Correcting Code (ECC). The usual scheme is SECDED (single-error correction, double-error detection): a single flipped bit in a word is corrected on the fly, a double-bit error is detected and reported as a fault, and anything beyond that lies outside the code's guarantee. That is why ECC is paired with periodic memory tests and background scrubbing rather than trusted on its own.
  3. Traceability: Every single line of C/C++ code must trace back to a specific, reviewable software requirement, which traces back to a system requirement, and forward to the tests that verify it. An auditor picks a requirement at random and expects to walk that chain in both directions.
  4. Failure Mode and Effects Analysis (FMEA/FMEDA): Engineers model every resistor, capacitor and silicon block on the PCB and assign each a failure rate, usually taken from a reliability handbook rather than measured for the part in isolation, expressed in FIT (Failures In Time, failures per 10^9 device-hours). The FMEDA then credits the diagnostics that catch each failure mode (lockstep, ECC, supply supervisors) and rolls the result into the ISO 26262 hardware metrics: the single-point fault metric (SPFM), the latent fault metric (LFM) and the probabilistic metric for random hardware failures (PMHF). For ASIL D the targets are SPFM of at least 99 %, LFM of at least 90 % and a PMHF below 10 FIT (10^-8 dangerous failures per hour).
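Two of the measures above, ECC memory (item 2) and the FMEDA roll-up (item 4), are concrete enough to show in code. The following C program is an added example, not Inovasense code or the firmware of any named microcontroller. It implements a SECDED Hamming code over one 8-bit word (the same construction ECC controllers apply to 32- or 64-bit words), checks exhaustively that every single-bit flip is corrected and every double-bit flip is flagged, and then rolls a small, entirely hypothetical bill of materials into the simplified SPFM and residual-FIT figures an FMEDA produces. The component names, FIT values and diagnostic-coverage figures are constructed for illustration, and the PMHF approximation ignores dual-point faults.

```c
#include <stdint.h>
#include <stdio.h>

/* Item 2: SECDED (single-error-correct, double-error-detect) Hamming code for one 8-bit
 * word. 13-bit codeword: bit 0 = overall parity, bits 1,2,4,8 = Hamming parity bits,
 * bits 3,5,6,7,9..12 = data bits. */
#define CW_BITS 13
typedef enum { ECC_OK = 0, ECC_CORRECTED = 1, ECC_UNCORRECTABLE = 2 } ecc_status_t;

static int is_data_pos(int pos) { return (pos & (pos - 1)) != 0; }   /* not a power of two */

static int hamming_parity(uint16_t cw, int p)   /* XOR of all bits whose position has bit p set */
{
    int parity = 0;
    for (int pos = 1; pos < CW_BITS; pos++)
        if ((pos & p) && ((cw >> pos) & 1)) parity ^= 1;
    return parity;
}

uint16_t secded_encode(uint8_t data)
{
    uint16_t cw = 0;
    for (int pos = 1, d = 0; pos < CW_BITS; pos++)
        if (is_data_pos(pos)) { if ((data >> d) & 1) cw |= (uint16_t)(1u << pos); d++; }
    for (int p = 1; p <= 8; p <<= 1)
        if (hamming_parity(cw, p)) cw |= (uint16_t)(1u << p);
    int total = 0;
    for (int pos = 1; pos < CW_BITS; pos++) total ^= (cw >> pos) & 1;
    if (total) cw |= 1u;                            /* make the whole word even parity */
    return cw;
}

ecc_status_t secded_decode(uint16_t cw, uint8_t *data_out)
{
    int syndrome = 0, overall = 0;
    for (int p = 1; p <= 8; p <<= 1)
        if (hamming_parity(cw, p)) syndrome |= p;   /* equals the position of a single flipped bit */
    for (int pos = 0; pos < CW_BITS; pos++) overall ^= (cw >> pos) & 1;
    ecc_status_t st = ECC_OK;
    if (overall) {                                  /* odd flip count: assume one and repair it */
        cw ^= (uint16_t)(1u << syndrome);           /* syndrome 0 means the parity bit itself */
        st = ECC_CORRECTED;
    } else if (syndrome) {                          /* even flip count, non-zero syndrome: two bits */
        st = ECC_UNCORRECTABLE;                     /* a real controller raises a bus fault here */
    }                                               /* three or more flips may be miscorrected */
    uint8_t data = 0;
    for (int pos = 1, d = 0; pos < CW_BITS; pos++)
        if (is_data_pos(pos)) { if ((cw >> pos) & 1) data |= (uint8_t)(1u << d); d++; }
    *data_out = data;
    return st;
}

/* Exhaustive check over all 256 words: every single flip corrected, every double flip flagged. */
int secded_selftest(void)
{
    int failures = 0;
    uint8_t out;
    for (int v = 0; v < 256; v++) {
        uint16_t cw = secded_encode((uint8_t)v);
        if (secded_decode(cw, &out) != ECC_OK || out != v) failures++;
        for (int a = 0; a < CW_BITS; a++) {
            if (secded_decode(cw ^ (1u << a), &out) != ECC_CORRECTED || out != v) failures++;
            for (int b = a + 1; b < CW_BITS; b++)
                if (secded_decode(cw ^ (1u << a) ^ (1u << b), &out) != ECC_UNCORRECTABLE) failures++;
        }
    }
    return failures;
}

/* Item 4: FMEDA roll-up of a constructed, hypothetical bill of materials.
 * fit = failures per 1e9 device-hours; dc = diagnostic coverage of the mechanism guarding the part. */
typedef struct { const char *name; double fit, dc; } fmeda_row_t;
static const fmeda_row_t BOARD[] = {
    { "MCU core (dual-core lockstep)",       50.0, 0.99 },
    { "SRAM (SECDED ECC)",                   30.0, 0.99 },
    { "Flash (SECDED ECC)",                  20.0, 0.99 },
    { "Supply supervisor",                    5.0, 0.90 },
    { "Current-sense shunt (no diagnostic)",  2.0, 0.00 },
};
#define BOARD_ROWS (sizeof BOARD / sizeof BOARD[0])
typedef struct { double lambda_total, lambda_residual, spfm; int meets_asil_d; } fmeda_result_t;

/* Simplified ISO 26262-5 metrics: residual = sum of fit*(1-dc); SPFM = 1 - residual/total;
 * PMHF approximated by the residual rate alone. ASIL D targets: SPFM >= 99 %, PMHF < 10 FIT. */
fmeda_result_t fmeda_rollup(const fmeda_row_t *rows, size_t n)
{
    fmeda_result_t r = { 0.0, 0.0, 0.0, 0 };
    for (size_t i = 0; i < n; i++) {
        r.lambda_total    += rows[i].fit;
        r.lambda_residual += rows[i].fit * (1.0 - rows[i].dc);
    }
    r.spfm = 1.0 - r.lambda_residual / r.lambda_total;
    r.meets_asil_d = r.spfm >= 0.99 && r.lambda_residual < 10.0;
    return r;
}

int main(void)
{
    fmeda_result_t r = fmeda_rollup(BOARD, BOARD_ROWS);
    printf("SECDED self-test failures: %d\n", secded_selftest());
    printf("total %.1f FIT, residual %.2f FIT, SPFM %.4f, ASIL D metrics met: %s\n",
           r.lambda_total, r.lambda_residual, r.spfm, r.meets_asil_d ? "yes" : "no");
    return 0;
}
```

The roll-up is deliberately set up to fail: the residual rate of 3.5 FIT is comfortably under the 10 FIT PMHF ceiling, yet SPFM comes out near 96.7 % because the one undiagnosed part, a 2 FIT shunt, contributes more residual failure rate than the lockstep MCU, ECC SRAM and ECC Flash combined. That is the kind of finding an FMEDA exists to surface: the fix is a diagnostic on the shunt (a plausibility check against a second measurement, say), not a better MCU.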

The Inovasense Guarantee

Designing to SIL or ASIL standards is not something an engineering firm can just “bolt on” at the end of a project. If a client requires an ASIL-B motor controller, the rigorous documentation, component selection, and RTOS architecture must begin on day one. At Inovasense, our deep expertise in high-reliability architectures ensures that products not only function perfectly but sail through external safety audits without costly redesigns.