A particular hazard occurring in a specific operational situation is called a hazardous event. For example, the driving lights going out while driving in the dark on a winding country road is a hazardous event. In the third step, each hazardous event is evaluated individually against three criteria. These are:

  • the severity of any potential injury
  • how frequently an operational situation arises – the exposure 
  • whether a situation can be managed to avert injury – the controllability

The severity of injury is rated in four classes, S0 to S3.

Image   Four classes for grading the severity of injuries

ISO 26262 defines the severity classes with reference to the Abbreviated Injury Scale (AIS). The standard reproduces the definition of the AIS and also gives examples of accident types together with the injury severities they may cause.
Five classes, E0 to E4, are defined for exposure, and there are two ways of rating it: by the frequency with which the operational situation arises, or by its duration as a share of operating time.

Image   Five classes for grading the exposure

Classification by frequency, that is, how often the operational situation arises, is the right choice for faults that only take effect in a particular situation. An airbag that fails to deploy in a collision is an example: during normal driving you would never notice that the airbag cannot trigger, so what matters is how often collisions occur.

Classification by duration is appropriate whenever a fault takes effect immediately, such as the driving lights going out during night-time driving. In that case you estimate the share of the vehicle's operating time typically spent driving at night relative to its total operating time. For a passenger car, a total operating time of 400 hours per year is often assumed, but this has to be estimated for each vehicle individually. If the element that can fail is a control unit that is permanently active, the vehicle operating time is not the right basis for the percentage; the time the unit is actually active is. It is important to understand that exposure is not an estimate of how often the fault occurs. The HARA assumes the malfunction happens; exposure estimates how likely the vehicle is to be in a situation in which that malfunction can cause harm.

Controllability rates the extent to which the people at risk can still avoid injury by reacting in time when the malfunction occurs. ISO 26262 distinguishes four classes, C0 to C3. Note that the person expected to react is usually, but not always, the driver: a pedestrian jumping out of the way of the vehicle is also a form of control. The definition of controllability refers to the abilities of an average driver, which means you have to state explicitly what you take an average driver to be before you can rate those abilities.

Image   Four classes to classify controllability

I cannot give full details of the severity, exposure and controllability criteria in this paper. Part 3 of ISO 26262 provides precise definitions together with a number of examples and tips. The annex to Part 3 also contains specific notes on exposure for trucks and buses. For motorcycles, all three criteria have to be interpreted differently, which is why Part 12 provides its own examples.

You may ask whether there is a standard assessment of the three criteria that would make life easier for everyone. There are published example assessments, VDA 702 for instance, but such documents only ever provide examples and are not binding. The reason is simple: the vehicle manufacturer remains responsible for assessing the individual circumstances, and this obligation cannot be delegated to anyone else.

Likewise, there are no binding lists of hazardous events for individual items, even though vehicle manufacturers and their suppliers compiled such lists long ago. If you are conducting a HARA for the first time, you will find that arriving at a sensible number of hazardous events takes several iterations. As a rule of thumb, several hazardous events can be combined if they receive the same ratings for all three criteria.


We have now reached the fourth step of the HARA: determining the automotive safety integrity level, or ASIL, for each hazardous event. This is done by looking up the three ratings S, E and C in the table shown in the figure, which yields the ASIL directly. The worst case is a hazardous event that can result in fatal injury (S3), arises in an operational situation that vehicles are in very often (E4), and in which fewer than 90% of drivers can avert the injury (C3). Such an event receives ASIL D, meaning that the strictest ISO 26262 requirements apply to preventing it.

Image   Automotive Safety Integrity Level (ASIL) determination

The table illustrates an important principle: lowering any one of the three ratings by one level lowers the ASIL by one level (below ASIL A the result is QM, and it stays QM). If, for the worst case above, we assume that more drivers can still avoid injury by reacting appropriately, controllability drops from C3 to C2 and the event receives only ASIL C, and so on. The QM classification in the table means that no ISO 26262 requirements apply; the item is developed under the normal automotive quality management process.

For motorcycles, the same procedure applies, but the result is called a motorcycle safety integrity level, or MSIL. Since the requirements in all parts of ISO 26262 are expressed in terms of ASILs, you then convert the MSIL to an ASIL using the table on the right-hand side of the figure. The conversion lowers each level by one, so motorcycle items are developed to at most ASIL C. ISO 26262 gives several reasons for this: motorcyclists wear helmets, motorcycles are unlikely to be ridden at high speed on unpaved roads, and riding one requires a special licence. The decision to ride a motorcycle at all also signals a willingness to accept higher risk.

Image   ASIL determination for motorcycles via an MSIL
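The following is an added example, not code from this paper or from ISO 26262. It encodes the S/E/C-to-ASIL table of ISO 26262-3 that the figure shows, checks the "one level lower" principle over every cell of that table, and applies the MSIL-to-ASIL conversion for motorcycles. The names (`asil`, `msil_as_asil`, `HazardousEvent`, `group_by_rating`) are mine; the MSIL-to-ASIL mapping is an assumption reconstructed from the paper's description (each level lowered by one, maximum ASIL C) and should be checked against Part 12; the hazardous events and their ratings at the bottom are constructed sample data, not taken from any real HARA.

```python
"""ASIL determination for HARA steps 3 and 4 (added example, not the paper's code).

Encodes the S/E/C-to-ASIL table of ISO 26262-3, checks the "one level lower"
principle described in the paper, and applies the MSIL-to-ASIL conversion for
motorcycles. The hazardous events at the bottom are constructed sample data.
"""
from collections import defaultdict
from dataclasses import dataclass

ASIL_LEVELS = ("QM", "A", "B", "C", "D")  # ascending stringency

# ISO 26262-3 ASIL determination table. ASIL_TABLE[S][E] lists the result for
# C1, C2 and C3 in that order. S0, E0 and C0 mean "no ASIL" and are handled
# separately: the event is QM whatever the other two ratings are.
ASIL_TABLE = {
    "S1": {"E1": ("QM", "QM", "QM"), "E2": ("QM", "QM", "QM"),
           "E3": ("QM", "QM", "A"),  "E4": ("QM", "A", "B")},
    "S2": {"E1": ("QM", "QM", "QM"), "E2": ("QM", "QM", "A"),
           "E3": ("QM", "A", "B"),   "E4": ("A", "B", "C")},
    "S3": {"E1": ("QM", "QM", "A"),  "E2": ("QM", "A", "B"),
           "E3": ("A", "B", "C"),    "E4": ("B", "C", "D")},
}

# Motorcycles: the same procedure yields an MSIL, which is lowered by one level
# to give the ASIL, so ASIL C is the maximum. ASSUMPTION reconstructed from the
# paper's description of ISO 26262-12; verify against Part 12 before relying on it.
MSIL_TO_ASIL = {"QM": "QM", "A": "QM", "B": "A", "C": "B", "D": "C"}


def _level(rating, prefix, maximum):
    """Validate a rating such as 'E3' and return its numeric level (0..maximum)."""
    if (len(rating) != 2 or rating[0] != prefix or not rating[1].isdigit()
            or int(rating[1]) > maximum):
        raise ValueError(f"expected {prefix}0..{prefix}{maximum}, got {rating!r}")
    return int(rating[1])


def asil(s, e, c):
    """Return the ASIL ('QM', 'A', 'B', 'C' or 'D') for one hazardous event."""
    si, ei, ci = _level(s, "S", 3), _level(e, "E", 4), _level(c, "C", 3)
    if 0 in (si, ei, ci):
        return "QM"  # no injuries, incredible situation, or controllable in general
    return ASIL_TABLE[s][e][ci - 1]


def msil_as_asil(s, e, c):
    """ASIL for a motorcycle item: rate as usual (giving the MSIL), then convert."""
    return MSIL_TO_ASIL[asil(s, e, c)]


def one_level_principle_holds():
    """Check the paper's rule over the whole table: lowering any single rating by
    one step lowers the ASIL by exactly one level (A drops to QM, QM stays QM)."""
    for si in range(1, 4):
        for ei in range(1, 5):
            for ci in range(1, 4):
                here = ASIL_LEVELS.index(asil(f"S{si}", f"E{ei}", f"C{ci}"))
                for sj, ej, cj in ((si - 1, ei, ci), (si, ei - 1, ci), (si, ei, ci - 1)):
                    if 0 in (sj, ej, cj):
                        continue  # S0/E0/C0 mean "no ASIL", not "one level lower"
                    there = ASIL_LEVELS.index(asil(f"S{sj}", f"E{ej}", f"C{cj}"))
                    if there != max(here - 1, 0):
                        return False
    return True


@dataclass(frozen=True)
class HazardousEvent:
    """One row of a HARA table: a hazard in an operational situation, with ratings."""
    item: str
    hazard: str
    situation: str
    s: str
    e: str
    c: str

    def asil(self):
        return asil(self.s, self.e, self.c)


# Constructed sample events with illustrative (hypothetical) ratings. The first is
# the paper's worst case; the airbag event uses the frequency-based exposure
# rating, because the fault only takes effect in a collision.
SAMPLE_EVENTS = [
    HazardousEvent("driving lights", "lights go out unintentionally",
                   "night, winding country road", "S3", "E4", "C3"),
    HazardousEvent("airbag", "no deployment in a collision",
                   "frontal collision", "S3", "E1", "C3"),
    HazardousEvent("adaptive cruise control", "unintended acceleration",
                   "urban traffic, vehicle ahead braking", "S3", "E4", "C2"),
]


def group_by_rating(events):
    """Rule of thumb from the paper: hazardous events with identical S/E/C ratings
    can be combined. Returns {(s, e, c): [events with that rating]}."""
    groups = defaultdict(list)
    for ev in events:
        groups[(ev.s, ev.e, ev.c)].append(ev)
    return dict(groups)
```

Running `asil("S3", "E4", "C3")` gives `"D"`, `asil("S3", "E4", "C2")` gives `"C"`, and `msil_as_asil("S3", "E4", "C3")` gives `"C"`, matching the worst case, the one-level reduction and the motorcycle conversion discussed above; `one_level_principle_holds()` confirms the principle for every cell of the table rather than for a single example.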

The term hazard analysis and risk assessment refers specifically to the procedure defined in ISO 26262 for the automotive sector. It is abbreviated as HARA and is defined as follows: “Method to identify and categorize hazardous events of items and to specify safety goals and ASILs related to the prevention or mitigation of the associated hazards in order to avoid unreasonable risk.”

That is a dense definition with a number of defined terms, which we will go through in this paper. Note that in the automotive sector you use exactly this term, HARA, because it denotes precisely this prescribed procedure. If you used the more general term 'hazard and risk analysis' instead, others would probably assume you meant the requirements of IEC 61508, which are not specific to the automotive industry.

First, a comment on the term hazard: in the HARA it refers exclusively to hazards that can lead to physical injury or damage to the health of persons. Damage to reputation or financial loss for vehicle manufacturers and their suppliers is outside the scope of this analysis.

The definition says that the HARA is applied to items. An item is a function at vehicle level together with the system or systems that implement it; examples are steering, braking, adaptive cruise control and the driving lights. A vehicle contains many such items, and each one needs its own HARA. As you can imagine, separating the items cleanly from one another is not easy and creates a great deal of work. Vehicle manufacturers have to maintain lists of the items in a vehicle and know how they relate to one another, which is why responsibility for the HARA lies with them and not with the suppliers.

The definition also refers to avoiding unreasonable risk. ISO 26262 defines unreasonable risk as risk judged to be unacceptable in a certain context according to valid societal moral concepts. This makes things difficult, because there is no objective measure of what society finds acceptable that could serve as a benchmark. As we will see, ISO 26262 does provide concrete criteria, but in the HARA they must be interpreted by the vehicle manufacturer, so the outcome depends on context: on the intended use of the vehicle, the target regions, or the skills of the average driver, for example. ISO 26262 allows for this to some extent by providing separate interpretation tables for passenger cars, trucks, buses and motorcycles. Ultimately, though, the result of a HARA depends on the people who carry it out, despite the prescribed method. To guard against misinterpretation and manipulation, ISO 26262 requires the HARA to be reviewed and confirmed by reviewers independent of those who produced it.

How does such a hazard analysis and risk assessment work in practice? To explain this, I divide the HARA into seven logical steps.

You start the first step from an existing item definition. In this step, you identify the relevant operational situations and operating modes. Operational situations are, for example, driving in the city, on a country road or on the motorway. Operating modes are, for example, driving forwards, reversing, or a vehicle jacked up in a workshop with the engine running. Which sub-categories of situation or mode need to be considered depends very much on the item in question.

The second step is to identify the hazards, that is, the risks to life and limb. Write down every hazard that could arise either from a malfunction of the item or from reasonably foreseeable misuse by the driver. Hazards to occupants and to other road users are determined at vehicle level. A hazard posed by adaptive cruise control, for example, is unintended acceleration; the driving lights pose a hazard if they go out unintentionally. How the item is designed or built is irrelevant at this point. If, however, a fault in one item causes another item to fail, the resulting hazards must be considered too.
