ASIL decomposition calculator

An interactive picker for ISO 26262-9 §5.4.10 decomposition. Pick a parent ASIL — the calculator lists every permitted way to split the safety requirement into two redundant lower-ASIL requirements, with the independence and diversity preconditions called out.

Parent ASIL

The notation

Decomposed requirements are written ASIL X(Y) where:

X is the ASIL the implementing element must achieve.
(Y) in parentheses is the original parent ASIL — preserved through the work products to keep traceability.

Example: a brake-system safety goal at ASIL D can be implemented by two redundant channels, one at ASIL C(D) and one at ASIL A(D). Both channels still trace to the ASIL-D goal even though their development effort is reduced.

The full decomposition table

Parent	Decomposition
ASIL D	ASIL C(D) + ASIL A(D)
ASIL D	ASIL B(D) + ASIL B(D)
ASIL D	ASIL D(D) + QM(D)
ASIL C	ASIL B(C) + ASIL A(C)
ASIL C	ASIL C(C) + QM(C)
ASIL B	ASIL A(B) + ASIL A(B)
ASIL B	ASIL B(B) + QM(B)
ASIL A	ASIL A(A) + QM(A)

Don't decompose to dodge work Decomposition is only valid if the two decomposed elements are sufficiently independent — independence of HW/SW design, independence of common-cause failure modes, independence of cascading-fault paths. ISO 26262-9 Clause 6 spells out the analysis required to demonstrate this. Without it, any apparent decomposition is invalid and the parent ASIL still applies to both elements.

How it interacts with FTA

The decomposed ASIL of each redundant channel maps directly to the leaves of the system fault tree. Each channel's hardware random failure rate must meet its own ASIL's PMHF target; the joint top event must meet the parent ASIL's target. The fault tree is the natural deductive verification of "does this decomposition actually deliver the parent's safety integrity?".

ASIL decomposition calculator

The notation

The full decomposition table

How it interacts with FTA

Related