
Hazard Analysis and Risk Assessment acc. to ISO 26262:2018

The so-called HARA is an important step in ISO 26262, the standard that defines how the risk posed by electronics in road vehicles should be estimated and assessed. In particular, it is about the risk of electrical, electronic and software systems malfunctioning. You will hear about the eight most important aspects that you need to consider when conducting a HARA.

HARA at a glance

You can download the comprehensive information on the Hazard Analysis and Risk Assessment in our free whitepaper.

Electrical and electronic systems in vehicles must be safe. To develop safe software and hardware, for example, you must first ask yourself what could happen if the software or hardware fails. In classic risk management, you then assess the probability of certain risks occurring and the severity of the consequences. From this, you derive a risk assessment and a correspondingly graded approach to dealing with the risks.

It has turned out that this classic approach to risk management is not easy to interpret and implement within the context of electronics in road vehicles.

Instead, a special approach is needed in which the classic procedure is adapted and re-interpreted for this domain. This is precisely what is described in ISO 26262, the standard for the functional safety of road vehicles.

In this paper we will explain this procedure and give you a number of practical hints and useful tips. We will then summarize the most important points for you. These key lessons are what you should take with you for your future work.


How to perform a HARA in detail

The term hazard analysis and risk assessment refers specifically to the procedure defined in ISO 26262 for the automotive sector. It is abbreviated as HARA and is defined as follows: “Method to identify and categorize hazardous events of items and to specify safety goals and ASILs related to the prevention or mitigation of the associated hazards in order to avoid unreasonable risk.”

That is quite a complex definition, and it uses a number of special terms. We will go through these terms in this paper. Please note that in the automotive sector you always use exactly this term, HARA, and this designation because it precisely describes the prescribed procedure. If you used the common term ‘hazard and risk analysis’ instead, other people would probably think you meant the requirements contained in IEC 61508, which are not specific to the automotive industry.

First of all, a comment on the term hazard: this refers exclusively to hazards that can lead to physical injury or damage to the health of persons. Damage to reputation or costs for car manufacturers and their suppliers are not included in this analysis.

The definition refers to items to which the HARA is applied. This means that such a HARA is applied to functions on a vehicle level and to the systems that implement these functions. Examples: steering, braking, automatic cruise control, driving lights. Since we have a number of such items in a vehicle, the same number of HARAs must be performed. You can imagine that it is not easy to separate items from one another and that this creates a lot of work. Car manufacturers have to compile lists of items for vehicles and know how they relate to one another. They are therefore responsible for implementing the HARA, not the suppliers.

The definition of HARA also refers to avoiding unreasonable risk. Unreasonable risk, in turn, is to be interpreted as risk judged by society to be unacceptable in a certain context according to valid societal moral concepts. This makes things difficult, since there is no objective assessment in this area, or at least none that could serve as a benchmark. As we will see, ISO 26262 does contain concrete criteria, but in the case of the HARA these have to be interpreted by car manufacturers, so they will depend on the context. This can lead to different results from a HARA; for example, criteria could depend on what use vehicles are put to, target regions or the skills of average drivers. To a certain extent, ISO 26262 takes this into account by including special interpretation tables for cars, trucks, buses and motorcycles. Ultimately, however, a HARA depends on the people who carry it out, despite the specifically prescribed method. To prevent misinterpretation and cheating, ISO 26262 requires HARA reviews and confirmations from an independent body.

How does such a hazard analysis and risk assessment work in practice? To explain this, I divide the HARA into seven logical steps.

You can start with the first step by basing it on an existing item definition. In the first step, you determine relevant operational situations and operating modes. Operational situations could be, for example, driving in the city, on a country road or on the motorway. Operating modes could be, for instance, driving forwards, reversing, or even jacking up a vehicle in a workshop with the engine running. Which subcategory of operating situation or mode needs to be considered depends very much on the respective item.

The second step is to imagine risks to life and limb. You should write down any hazards that could arise either from a fault in the item or from reasonably foreseeable misuse by a driver. Hazards to passengers and other road users have to be determined on a vehicle level. One example of a danger posed by adaptive cruise control is unintentional acceleration. The driving lights present a hazard if they go out unintentionally. How the item was designed or made is not relevant. But if a fault in one item leads to the failure of another item, then you must consider the dangers involved.

A certain hazard occurring in a specific operating situation is now called a hazardous event. For example, if the lights go out while driving in the dark on a winding country road, that would be a hazardous event. In the third step, these hazardous events are then evaluated individually according to three criteria. These are:

  • the severity of any potential injury
  • how frequently an operational situation arises – the exposure 
  • whether a situation can be managed to avert injury – the controllability

The severity of injury is assessed in four stages S0 to S3.

Figure: Four classes for grading the severity of injuries

ISO 26262 defines the levels by referring to the abbreviated injury scale, or AIS classification. ISO 26262 contains the definition of the AIS. It also contains examples of accidents and their possible severity of injuries.

Five levels E0 to E4 are defined for exposure. There are two approaches to rating these.

Figure: Five classes for grading the exposure

The first classification, by the frequency with which an operational situation arises, is suitable for faults whose effect only becomes apparent in certain situations. This could be something like an airbag failing to deploy during a collision: you are not going to notice that an airbag will not trigger during normal driving.

Classification according to duration is always useful if a fault would have an immediate effect. For example, this could be the lights going out during night-time driving. In such cases, you would estimate the typical percentage of vehicle operating time at night compared to overall vehicle operating time. For a passenger car the assumed operating time is often 400 hours per year. But you have to estimate this for the vehicle in each individual case. If the element that may fail is a control unit and it is in permanent use, you do not take the vehicle operating time as a basis for estimating percentages. It is important to understand that exposure is not about estimating the frequency with which a fault can occur. It is about estimating how likely you are to encounter a situation in which an error may have an impact.

Controllability is about assessing to what extent people in danger can still avoid injury by reacting in time in the event of a malfunction. According to ISO 26262, four levels C0 to C3 of controllability are distinguished. Please note that it is usually, but not always, the driver who is expected to react. For example, maybe a pedestrian could jump out of the way to avoid being hit by a vehicle. When we look at the definition of controllability, we are talking about the abilities of average drivers. In concrete terms, this means you actually have to define what average drivers are to assess their abilities.

Figure: Four classes to classify controllability

Unfortunately, I cannot give full details of the severity, exposure and controllability criteria in this paper. Part 3 of ISO 26262 provides precise definitions of these, plus a number of examples and tips. In addition, the appendix to part 3 contains special notes on exposure for trucks and buses. With motorcycles, all three criteria have to be interpreted differently, which is why part 12 provides special examples.

You may now ask yourself whether there’s a standard assessment for the three criteria, to make life easier for everyone. Well yes, there are examples of such assessments out there – for example, there is VDA 702. But such documents only ever provide examples. They are not binding. This is for the simple reason that vehicle manufacturers remain responsible for assessing individual circumstances; their obligation cannot be delegated to other parties.

Similarly, there are no binding lists of hazardous events for individual items, even though vehicle manufacturers and their suppliers compiled such lists a long time ago. If you are conducting a HARA for the first time, you will find that you have to approach a sensible number of hazardous events iteratively. As a rule of thumb, you can remember that you can combine several hazardous events if you come to the same assessments of the three criteria.
 

We’ve now reached the fourth step of our HARA. For this step you determine the automotive safety integrity level, or ASIL, for each hazardous event. You can do this quite simply by looking at the table in the figure, which takes the three estimated values for S, E and C and gives you the ASIL. In the worst case, you have a hazardous event that can result in fatal injury (S3), vehicles are often in an operating situation where this can happen (E4), and injury can be avoided in less than 90% of cases (C3). Such an event will receive ASIL D, which means the strictest ISO 26262 requirements must be applied to prevent the event happening.

Figure: Automotive Safety Integrity Level (ASIL) determination

The table highlights an important principle: if one of the three criteria is given a rating that is one level lower, the overall ASIL is reduced by one level. For example, if we assume that more people can still avoid injury by reacting in a certain way, that is rated as C2 and not C3, so the dangerous situation only receives ASIL C. And so on. The QM classification shown in the table allows you to keep developing the item without ISO 26262, based solely on the standards of automotive quality management.

For motorcycle development, apply the same procedure except that the result is called a motorcycle safety integrity level, or MSIL. However, all parts of ISO 26262 specify that any actions taken have to relate to an ASIL, so you will need to use the table on the right side of the figure to convert the MSIL to an ASIL. You will also notice that this conversion reduces the level by one step in every case, so motorcycles are developed using ASIL C at the most. You may wonder why. ISO 26262 does provide a few indications that shed light on this: motorcyclists wear helmets, motorbikes are not likely to be ridden at high speed on unpaved roads, and they require a special driving licence. The very fact that some people ride a motorbike is already an indication that they are willing to accept higher risks.

Figure: ASIL determination for motorcycles via an MSIL

Once you have your ASILs for dangerous events, the next step is to formulate so-called safety goals. These are functional objectives or top-level safety requirements, and they must be suitable for preventing or mitigating hazardous events. An example of a safety goal: “prevent an electromagnetic steering wheel locking system from being activated while a vehicle is in motion.” In many cases, you can formulate individual safety goals for several hazardous events. Then you end up with a single-digit number of safety goals. Each safety goal is given the highest ASIL of corresponding hazardous events.

The primary output of a HARA is a set of safety goals with corresponding ASILs. These provide a starting point for developing a functional safety concept.
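The ASIL table, the MSIL conversion and the safety-goal rule described above, as an added Python example that is not part of the original paper. ASIL_TABLE transcribes the S/E/C table of ISO 26262-3 and MSIL_TO_ASIL the conversion of part 12; the driving-lights hazardous events and their S, E and C ratings are constructed for illustration only.

```python
# Added example (not from the paper): ISO 26262-3 ASIL determination,
# the ISO 26262-12 MSIL-to-ASIL conversion and the safety-goal ASIL rule.

ASIL_ORDER = ["QM", "A", "B", "C", "D"]

# ISO 26262-3 Table 4 transcribed row by row: ASIL_TABLE[S][E] holds the
# cells for (C1, C2, C3). Class 0 in any criterion never enters the table.
ASIL_TABLE = {
    1: {1: ("QM", "QM", "QM"), 2: ("QM", "QM", "QM"),
        3: ("QM", "QM", "A"),  4: ("QM", "A", "B")},
    2: {1: ("QM", "QM", "QM"), 2: ("QM", "QM", "A"),
        3: ("QM", "A", "B"),   4: ("A", "B", "C")},
    3: {1: ("QM", "QM", "A"),  2: ("QM", "A", "B"),
        3: ("A", "B", "C"),    4: ("B", "C", "D")},
}

MSIL_TO_ASIL = {"QM": "QM", "A": "QM", "B": "A", "C": "B", "D": "C"}  # ISO 26262-12

def determine_asil(s: int, e: int, c: int) -> str:
    """ASIL for severity S0..S3, exposure E0..E4, controllability C0..C3;
    ratings outside those classes are rejected rather than guessed."""
    if not (0 <= s <= 3 and 0 <= e <= 4 and 0 <= c <= 3):
        raise ValueError(f"S{s}/E{e}/C{c} is not a valid ISO 26262 rating")
    if 0 in (s, e, c):
        return "QM"  # S0, E0 or C0: no ASIL assignment required
    return ASIL_TABLE[s][e][c - 1]

def table_is_staircase() -> bool:
    """Cross-check the transcription against the paper's principle: lowering
    one criterion by one class lowers the ASIL by one level, down to QM."""
    return all(
        ASIL_TABLE[s][e][c - 1] == ASIL_ORDER[max(s + e + c - 6, 0)]
        for s in (1, 2, 3) for e in (1, 2, 3, 4) for c in (1, 2, 3)
    )

def msil_to_asil(msil: str) -> str:
    """Motorcycle MSIL -> ASIL: one level down, so ASIL C at most."""
    return MSIL_TO_ASIL[msil]

def safety_goal_asil(event_asils) -> str:
    """A safety goal inherits the highest ASIL of the events it covers."""
    return max(event_asils, key=ASIL_ORDER.index)

# Constructed (S, E, C) ratings for a driving-lights item; illustrative only.
LIGHTS_EVENTS = {
    "lights go out, night, winding country road": (3, 3, 3),
    "lights go out, night, lit urban street": (2, 3, 2),
    "lights go out, daytime": (1, 4, 1),
}

def lights_safety_goal_asil() -> str:
    """ASIL of the goal 'avoid unintended loss of driving lights' -> C."""
    return safety_goal_asil(determine_asil(*sec) for sec in LIGHTS_EVENTS.values())
```

Running table_is_staircase() is a cheap way to catch a transcription slip in the table before it silently assigns a wrong ASIL to a real hazardous event.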

Once you have carried out and documented the HARA, the sixth step is to subject it to verification according to the rules of ISO 26262, part 8. A review team must, for example, check whether sufficient and reasonable hazardous events have been considered, whether the safety goals are consistent with them and whether the HARA procedure has been applied correctly.

The seventh and final step is to have each HARA assessed by a person outside development. You need independent confirmation to be sure you have established the correct ASIL and the ISO 26262 criteria for a HARA have been met.

This has taken you through all the steps. Now you know what has to be done and how it all fits together. And maybe now you can see how much work is involved for an inexperienced team going through a HARA for the first time. You have to keep in mind that you will need the input of a variety of people for some topics. Who can provide a list of relevant operational situations? Who can help estimate the severity of injuries linked to different types of accidents at different speeds? What statistics are needed to do this? Does testing have to be carried out with larger groups of people to understand their reactions to certain vehicle failures? If you are conducting a HARA for your company for the first time, it will probably be a highly complex undertaking. But once you have done it for your type of function or product, it will have been a steep learning curve, so you can expect it to involve much less effort the next time round.

I said at the beginning that car manufacturers must carry out the HARA. As a supplier of electronic solutions, however, it can still be extremely useful for you to carry out a HARA yourself in product development. This will involve making assumptions about the items your component will be used in. A HARA will then provide you with safety goals and ASILs, and these allow you to work out meaningful functional safety requirements with ASILs, providing you with a robust starting point for the scope of required development. This also enables you to develop products without having to define specific customers. And it puts you in a much stronger position later on when you’re negotiating with carmakers. To a certain extent, it also solves a problem that often arises – when car manufacturers leave it too late to tell you about safety requirements.


Key learnings

That takes us through all the points I wanted to make. Let me conclude by summarising the most important things in eight key lessons.

  • We only consider hazards to life and limb of road users that arise from faults and incorrect behaviour of electrics and electronics in road vehicles.
  • These hazards must be identified and assessed according to the specified hazard analysis and risk assessment (HARA) method.
  • A HARA is typically carried out by the car manufacturer for items on a vehicle level.
  • Relevant hazardous events are identified and assessed, covering the severity of harm, S, exposure, E, and controllability, C.
  • An automotive safety integrity level, or ASIL, is to be determined based on these three parameters – S, E and C.
  • For each hazardous event, appropriate safety goals are set up with the ASILs.
  • The ASILs A to D determine how rigorous development steps and safety mechanisms will need to be.
  • First-time implementation of a HARA is complex and requires input from many different people.

So now you know what it is like conducting a hazard analysis and risk assessment for road vehicles according to ISO 26262, but also what it is needed for and why it is not a simple process.

WE CAN SUPPORT YOU WITH…
  • Improving your processes to keep them up to date with the latest safety standards – also so you can develop and sell reliable, available, maintainable and functional products
  • Designing and rolling out safety management systems
  • Conducting safety audits to confirm that your safety management fulfils relevant requirements
  • Knowing for certain if a supplier really can provide you with the right components
  • Building the capability to assess the functional safety of electronic systems and components 
  • Building the capability to provide staff training on all aspects of functional safety
