Automotive safety standard ISO 26262: Hazard analysis and risk assessment

Hi. Today we will talk about hazard analysis and risk assessment, an important part of ISO 26262, the automotive functional safety standard. In this article, I’m going to give you a brief overview of Chapter 6 of ISO 26262 Part 3, Hazard Analysis and Risk Assessment (HARA), to make it as simple as possible for our lay readers who are interested in automotive safety.


Performing a HARA and the whole process

According to the ISO 26262 standard, Hazard Analysis and Risk Assessment (HARA) is a key procedure for ensuring the functional safety of a vehicle. This content describes how to perform a HARA, how to measure Severity, Exposure, and Controllability, and the process of deriving safety goals and functional safety concepts or measures.

How to perform a HARA

HARA is identifying and assessing potential hazards in a vehicle and setting appropriate safety goals. The process of performing a HARA consists of the following steps:

1. Hazard Analysis: Identify potential hazards that could occur if system functionality deviates from the intended design. This is done by utilizing HAZOP or STPA methodologies.

🔎HAZOP (Hazard and Operability Analysis)
HAZOP is a method of identifying potential risks that may occur if the system’s functionality deviates from its intended design. It focuses on assessing the risks that may arise from deviations in system functionality.

1) System Description: Defines the system to be analyzed and the scope of the analysis.
2) System Functions: Lists the key functions of the system.
3) System Malfunctions: For each function, apply guidelines to identify deviations from the function. For example, assess “loss of functionality”, “over functionality”, “under functionality”, etc.
4) Potential Hazards: Evaluate what hazards the identified anomalies may pose at the vehicle level.


-HAZOP analysis example:
◦ Hazard identification: Identify the hazards that can occur if the ACC system accelerates or decelerates excessively.
◦ Risk assessment: Evaluate the severity, exposure, and controllability of these risks.
  ▪ Severity: High (potential for vehicle crash)
  ▪ Exposure: Medium (frequently used during normal road driving)
  ▪ Controllability: Low (difficulty of driver intervention during high-speed driving)
◦ Derive safety objectives: “Prevent excessive acceleration”, “Prevent excessive deceleration”
◦ Functional safety concept: the system is designed to maintain a precise acceleration and deceleration profile
◦ Safety mechanisms: Includes sensor fault detection and vehicle stop function.

🔎System-Theoretic Process Analysis (STPA)

STPA is an analytical technique based on system theory to ensure the safety of a system. It models the system as a dynamic control problem to evaluate whether proper control and communication will ensure the desired outcome of the system.

1) System Definition (System Description): Define the system to be analyzed and the scope of the analysis. This includes identifying the system controllers and controlling behavior. For example, for an ACC system, identify the system controllers and control behaviors such as acceleration, deceleration, and braking.

2) Define vehicle-level losses (Vehicle-Level Losses): Define the losses to be avoided at the vehicle level. This can include loss of life, property damage, etc.

3) Identify Hazards: Identify potential hazards that could cause losses. For example, a hazard might be “excessive vehicle acceleration” or “brake failure.”

4) Identify Unsafe Control Actions: Identify unsafe control actions (UCAs) that can be issued by the system controller. This is the process of assessing the hazards that can occur in the event of an incorrect control action.

-Example STPA analysis:

– Identify control actions: Identify the control actions of the ACC system. For example, acceleration, deceleration, braking, etc.

-Identify unsafe control behaviors: Identify unsafe control behaviors, such as “issuing an acceleration request when an acceleration request is not required”.

-Risk identification: Assess the risk that the unsafe control behavior may cause. For example, identify the “risk of vehicle crash due to unnecessary acceleration”.

-Cause scenarios: Evaluate the circumstances under which an unsafe control behavior occurs through cause scenarios, such as sensor failure, communication failure, etc.

2.Risk Assessment:

Determine the level of risk by evaluating the Severity, Exposure, and Controllability of the identified hazards. ISO 26262 provides guidelines for quantitatively assessing each factor.

1) Severity (S)

Assess the severity of the potential consequences if the hazard occurs. This considers things like loss of life, property damage, and environmental damage. For example, a failure of a brake system might be rated as high severity.

2)Exposure (E)

Assesses the likelihood of exposure to a given risk situation. This is assessed based on the frequency and context in which the system is used. For example, the frequency of exposure in city traffic may be higher than driving on a motorway.

3)Controllability (C)

Assesses the ability of the driver or system to control the hazardous situation. It considers the level of automatic control of the system and the potential for driver intervention. For example, a steering system failure while driving at high speed would be rated as low controllability.

3. Derive a safety goal

Set a Safety Goal based on the hazards identified as a result of the HARA. A safety goal is a top-level safety requirement to mitigate or prevent the identified hazard.

1) Hazard mitigation: For example, “prevent excessive vehicle acceleration” could be a safety goal for an adaptive cruise control (ACC) system. This goal is to ensure that the system is designed to accelerate only as much as necessary.

2) Improving system reliability: Designing the system to transition to a safe state in case of failure. For example, this could include the ability to safely stop the vehicle if a failure in the brake system is detected.

3) Warn the driver: Ensure that the driver is appropriately alerted and able to react in the event of a system failure or anomaly. For example, an automatic emergency braking system (AEB) will immediately alert the driver in the event of a failure.

This process enables you to perform HARA in compliance with the ISO 26262 standard and derive safety goals to ensure functional safety. By utilizing HAZOP and STPA in conjunction with HARA, you can more comprehensively identify potential hazards in your system and effectively set safety goals.

HARA Template

The HARA (Hazard Analysis and Risk Assessment) template provides a systematic procedure for identifying and assessing potential hazards in vehicle systems according to the ISO 26262 standard. The template below includes each step required for performing HARA and helps in collecting and documenting the necessary information at each stage.

1. Hazard Identification

1)HAZOP Analysis

  • System Function List:
    • Function 1
    • Function 2
    • Function 3
  • HAZOP Guidewords:

    • Loss of function

    • More than intended

    • Less than intended

    • Intermittent

    • Incorrect direction

    • When not requested

    • Locked or stuck function

2) STPA Analysis

Control Actions List:

    • Control Action 1

    • Control Action 2

    • Control Action 3

  • STPA Guidewords:

    • Not provided when needed

    • Provided when not needed

    • Provided incorrectly

    • Stopped too soon

    • Applied too long

    • Incorrect intensity

2. Risk Assessment

3. Safety Goal Derivation

This concludes the explanation of Hazard Analysis and Risk Assessment (HARA) as described in Chapter 6 of Part 3 of ISO 26262. By providing examples, we hope the concepts were easier to understand. This standard outlines important procedures to ensure vehicle safety, helping to create a safer automotive environment. Stay tuned for more informative updates.

Share this article: