Hazard Analysis & Risk Assessment (HARA) - Functional Safety (ISO 26262)

HARA Process: ISO 26262 Part 3 Clause 6

HARA Process Steps

  Step 1: Situational Analysis
  └── Identify operational situations and driving scenarios
      (highway, city, parking, emergency, slippery road, etc.)

  Step 2: Hazard Identification
  └── For each function × each scenario: what can go wrong?
      Systematic enumeration: omission, commission, late, early, stuck-at

  Step 3: Hazardous Event Classification
  └── For each hazard × scenario: classify S, E, C
      S: How severe is the worst-case outcome?
      E: How often is the vehicle in this scenario?
      C: Can the driver avoid the accident if the hazard occurs?

  Step 4: ASIL Determination
  └── ASIL = f(S, E, C) per ISO 26262 Part 3 Table 4
      If S0 or E0 or C0: QM (no ASIL requirement)
      Otherwise: ASIL-A through ASIL-D

  Step 5: Safety Goals
  └── For each hazardous event with ASIL ≥ A:
      Define a safety goal that eliminates or mitigates the hazard
      Safety goal inherits the ASIL of the hazardous event

  Step 6: Safe States
  └── For each safety goal: what is the safe operating mode?
      (engine-off, limp-home, degraded performance, etc.)

Hazard Identification: Systematic Enumeration

Function	Failure Mode	Scenario	Hazardous Event
Emergency Braking	Inadvertent activation	Highway, v=130 km/h, following vehicle	Rear-end collision by following vehicle
Emergency Braking	No activation when needed	Highway, obstacle detected, v=130 km/h	Front collision, driver not warned in time
Emergency Braking	Partial activation (50% of target decel)	Highway, obstacle	Insufficient braking; collision at reduced speed
Emergency Braking	Late activation (>500ms delay)	City, pedestrian crossing	Reduced deceleration time; collision
FCW Warning	No warning when obstacle present	Highway, vehicle cut-in	Driver unaware; late reaction
FCW Warning	Continuous false warning	Any scenario	Driver ignores system (nuisance alarms)
Radar	Loss of object detection	Highway, vehicle ahead slows	AEB does not activate; collision

ASIL Determination: ISO 26262 Part 3 Table 4

ASIL Determination Matrix

  Controllability →  C1 (easy)    C2 (normal)   C3 (difficult)
  ┌─────────────────────────────────────────────────────────────┐
  │  S1 (light injury)                                          │
  │    E1: QM           QM            QM                        │
  │    E2: QM           QM            QM                        │
  │    E3: QM           QM            ASIL-A                    │
  │    E4: QM           ASIL-A        ASIL-B                    │
  ├─────────────────────────────────────────────────────────────┤
  │  S2 (serious/life-threatening injury, survival probable)    │
  │    E1: QM           QM            ASIL-A                    │
  │    E2: QM           ASIL-A        ASIL-B                    │
  │    E3: ASIL-A       ASIL-B        ASIL-C                    │
  │    E4: ASIL-B       ASIL-C        ASIL-D                    │
  ├─────────────────────────────────────────────────────────────┤
  │  S3 (life-threatening/fatal injury, survival uncertain)     │
  │    E1: QM           ASIL-A        ASIL-B                    │
  │    E2: ASIL-A       ASIL-B        ASIL-C                    │
  │    E3: ASIL-B       ASIL-C        ASIL-D                    │
  │    E4: ASIL-C       ASIL-D        ASIL-D                    │
  └─────────────────────────────────────────────────────────────┘

  Example: Inadvertent AEB at highway speed
  S = S3 (rear collision at 130 km/h: multiple fatalities)
  E = E4 (highway driving is frequent/continuous)
  C = C3 (following driver has < 1s to react at 130 km/h)
  → ASIL-D

Summary

HARA is the most influential document in the safety case: every downstream safety requirement traces to a hazardous event identified here. The quality of the HARA depends on the completeness of the hazard identification — a hazard not identified in HARA has no safety goal, no safety requirement, and no safety mechanism. Industry practice for ASIL-D systems requires HARA workshops with at least 5–8 engineers covering different disciplines (systems, hardware, software, testing, field experience), guided by a facilitator, and reviewed independently (I2 minimum). The three parameters S, E, C must be justified with objective evidence — not assumed — and the justification must be traceable in the HARA report.

🔬 HARA Methodology — Step-by-Step Process

The Hazard Analysis and Risk Assessment (HARA) is the most critical safety engineering step in ISO 26262. It translates operational scenarios into ASIL-rated safety goals. The process follows these rigorous steps:

Step 1 — Situation analysis: Define all operational situations (driving on highway, parking in garage, loading passengers) and vehicle operating modes (ignition on, engine running, charging). The combination of situation × mode defines the scenario space.
Step 2 — Hazard identification: For each item functional behaviour, identify what could go wrong: Unintended activation (e.g., unintended acceleration), Loss of function (e.g., loss of steering assist), Degraded function (e.g., partial braking). Use a structured brainstorming method: FMEA-style what-if, FTA-top-down, or HAZOP-style guide words (too much, too little, wrong direction, wrong time).
Step 3 — ASIL determination (S × E × C):
- Severity (S0–S3): Worst-case injury outcome. S3 = life-threatening or fatal injuries. S0 = no injuries.
- Exposure (E0–E4): How often is the vehicle in this situation? E4 = almost always (highway driving). E1 = rare (driving through flood).
- Controllability (C0–C3): Can the average driver react and avoid the hazard? C3 = uncontrollable or very hard to avoid. C0 = easily controllable by most drivers.
The ASIL lookup table maps S×E×C to QM, ASIL A, B, C, or D.
Step 4 — Safety goals: Each hazard with ASIL ≥ A produces a Safety Goal. Safety Goals are top-level safety requirements — they are technology-neutral and must not reference components. Example: "Unintended lateral vehicle movement shall be avoided" (ASIL C).

🏭 HARA in Practice at OEMs

Scope of the item: HARA is performed on an item — a function or set of functions that implements vehicle-level behaviour. For an EPS (Electric Power Steering) item, the HARA considers the entire steering assist chain including sensors, ECU, motor, and mechanical linkage — not just the software.
Disagreements on controllability: C-factor assignment is the most disputed part of HARA. Safety teams at OEMs use controlled driving experiments (driver studies) to validate controllability ratings. A C3 rating typically requires evidence that the average driver cannot react effectively in under 1–2 seconds.
HARA traceability: Every Safety Goal from the HARA must be traceable to Functional Safety Requirements (FSR), then to Technical Safety Requirements (TSR), then to HW/SW safety requirements. SOTIF analysis (ISO 21448) runs in parallel for perception-based functions. A modern ADAS ECU project may have 50–100 safety goals from HARA alone.

⚠️ HARA Common Errors

Combining multiple hazards into one safety goal: A safety goal like 'the system shall not cause any dangerous behaviour' is too vague for ASIL allocation. Each distinct hazardous event must produce its own safety goal with its own ASIL rating.
Confusing severity with likelihood: Severity (S) in HARA is defined as the worst-case outcome assuming the hazard occurs — not the probability of the hazard. Likelihood is captured by Exposure (E). A low-probability but catastrophic hazard can still yield ASIL D.
Ignoring safe states: A safety goal must specify or imply a safe state. 'Loss of engine torque control' requires a safe state definition: is the safe state engine-off? Reduced torque? Without a safe state, the downstream safety requirements cannot be correctly derived.
Item boundary too narrow: Excluding the sensor from the item boundary and then not performing HARA on sensor failure modes. Safety analysis must follow the functional boundary, not the ECU boundary.

📊 Industry Note

ISO 26262-3 requires the HARA to be reviewed by an independent safety assessor. In practice, Tier-1 suppliers present HARA results to OEM safety managers who challenge every C-factor assignment. A rigorous HARA with well-justified S/E/C rationale saves significant rework during functional safety assessments.

🧠 Knowledge Check — Click each question to reveal the answer

❓ A loss of lane-keeping assist on a motorway at 130 km/h is assessed as S3, E4. What controllability rating would likely result in ASIL D?

✅ Looking at the ASIL determination table: S3 + E4 + C3 = ASIL D. C3 means the hazard is difficult or impossible to control by most drivers. At 130 km/h, an unexpected lane departure without any warning and no driver input to correct it would likely be rated C3 — the reaction time is insufficient for the average driver. C2 would give ASIL C; C1 would give ASIL B.

❓ What is the difference between a Hazard and a Safety Goal in ISO 26262 HARA?

✅ A Hazard is a condition of the item that, in combination with a hazardous event, could lead to an accident. Example hazard: 'unintended positive longitudinal acceleration'. A Safety Goal is a top-level safety requirement derived from the hazard that must be satisfied to prevent the accident. Example: 'The unintended acceleration of the vehicle shall be limited to < 2 m/s² for a duration not exceeding 2 s'. Safety Goals are ASIL-rated and drive all downstream safety requirements.

❓ Why must safety goals be technology-neutral?

✅ Safety goals describe what the system must achieve for safety, not how it achieves it. Making them technology-neutral allows the system design (component architecture, hardware platform, software design) to evolve without invalidating the safety goals. A safety goal that references 'the ECU microcontroller shall detect faults' is actually a technical safety requirement — it constrains the design and cannot be traced back to a pure vehicle-level hazard analysis.