In the world of automotive safety, ensuring that vehicles are free from risks that could harm the driver, passengers, or other road users is paramount. This responsibility has given rise to the development of strict safety standards, such as ISO 26262, which outlines the functional safety requirements for vehicles. Among its core processes, Hazard Analysis and Risk Assessment (HARA), alongside ASIL (Automotive Safety Integrity Level) determination, play crucial roles in identifying, evaluating, and mitigating safety risks in automotive systems.
In this blog, we’ll explore these processes in detail, how they are intertwined within ISO 26262, and why they are vital for ensuring the safety and reliability of automotive systems.
What is ISO 26262?
ISO 26262 is an international standard that provides guidelines for the functional safety of electrical and electronic systems within vehicles. It is primarily focused on systems that have the potential to cause harm to people, such as those in advanced driver assistance systems (ADAS), braking, steering, and powertrain control. The standard defines processes and methodologies for identifying safety risks, mitigating them, and verifying that the safety measures are effective.
Hazard Analysis and Risk Assessment in ISO 26262
What is Hazard Analysis and Risk Assessment?
Hazard analysis and risk assessment are systematic processes used to identify and assess potential hazards in a vehicle's systems that could result in unsafe situations. These processes are intended to ensure that safety risks are understood and appropriately mitigated.
The goal of hazard analysis is to:
Identify hazards: Recognizing all possible hazards that could lead to a malfunction or failure in the system
Evaluate risks: Assessing the severity of these hazards, the probability of their occurrence, and the potential consequences
Mitigate risks: Applying safety measures that reduce or eliminate the risk of these hazards from causing harm
The Hazard Analysis Process
The hazard analysis process in ISO 26262 generally follows these steps:
Hazard Identification: The first step is to identify potential hazards in the system. A hazard can be any event or condition that could lead to an unsafe situation. These hazards might arise either from system malfunctions or from external influences (e.g., environmental factors).
Risk Assessment: Once the hazards are identified, they must be assessed in terms of the potential harm they could cause. The risk assessment involves:
Severity (S): the potential severity of harm caused by the hazard. For example, a system failure that could result in a fatal accident would be highly severe
Exposure (E): how likely it is for the hazard to occur in normal use conditions
Controllability (C): the ability of the system or driver to mitigate or control the hazard once it occurs
ASIL Determination in ISO 26262
What is ASIL?
ASIL, or Automotive Safety Integrity Level, is a classification system defined in ISO 26262 that quantifies the level of safety required for a specific automotive system or component. It categorizes the safety integrity of a system into four levels: ASIL A, ASIL B, ASIL C, and ASIL D, where ASIL D represents the highest level of risk mitigation required and ASIL A represents the lowest.
ASIL is determined based on the results of the hazard analysis and risk assessment, considering the following three factors:
Severity (S): the potential severity of the consequence if the hazard occurs (ranging from minor injuries to fatalities)
Exposure (E): the likelihood of the hazard occurring, typically defined as how often the system is exposed to conditions where the hazard could be triggered
Controllability (C): the extent to which the hazard can be controlled by the system or driver if it occurs
The ASIL determination process rates each of these three factors for every hazard and uses the three ratings to look up the appropriate safety level in the ASIL determination matrix shown in the figure.
[Figure: ASIL determination matrix (severity × exposure × controllability); image not reproduced here. Image credit: ISO 26262 standard]
How ASIL is Determined
Severity (S): This factor evaluates how catastrophic the hazard's consequences could be. For example:
S0: No injuries
S1: Light and moderate injuries
S2: Severe injuries, possibly life-threatening, survival probable
S3: Life-threatening injuries (survival uncertain) or fatal injuries
Exposure (E): This factor measures the likelihood of the hazardous situation occurring during normal operation of the system. For example:
E0: Incredible
E1: Very low probability
E2: Low probability
E3: Medium probability
E4: High probability
Controllability (C): This factor assesses how much control a driver or system has in preventing the hazard or mitigating its effects. For example:
C0: Controllable in general
C1: Simply controllable
C2: Normally controllable
C3: Difficult to control or uncontrollable
Once the severity, exposure, and controllability of each hazard have been assessed, the corresponding ASIL level is assigned using the matrix above. This ASIL level indicates the safety requirements that must be implemented in the system to mitigate the identified risks.
For instance:
A hazard with high severity (S3), high exposure (E4), and low controllability (C3) would be classified as ASIL D, requiring the highest level of safety measures.
A hazard with high severity (S2), high exposure (E4), and high controllability (C1) might be classified as ASIL A, allowing for less stringent safety measures.
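As an added example (not code from the original post), the following Python encodes the S/E/C-to-ASIL lookup of ISO 26262, including the rule that an S0, E0 or C0 rating leads to no ASIL (QM), and ranks a small HARA table most-critical first; the hazard names and ratings are constructed for illustration only.

```python
from dataclasses import dataclass

# ISO 26262-3 ASIL determination table, indexed [S][E][C-1].
# "QM" (quality management) means no ASIL is assigned to the hazard.
_ASIL_TABLE = {
    1: {1: ("QM", "QM", "QM"), 2: ("QM", "QM", "QM"),
        3: ("QM", "QM", "A"),  4: ("QM", "A", "B")},
    2: {1: ("QM", "QM", "QM"), 2: ("QM", "QM", "A"),
        3: ("QM", "A", "B"),   4: ("A", "B", "C")},
    3: {1: ("QM", "QM", "A"),  2: ("QM", "A", "B"),
        3: ("A", "B", "C"),    4: ("B", "C", "D")},
}

def determine_asil(s: int, e: int, c: int) -> str:
    """Return 'QM' or 'A'..'D' for severity s, exposure e, controllability c."""
    if not (0 <= s <= 3 and 0 <= e <= 4 and 0 <= c <= 3):
        raise ValueError(f"S/E/C class out of range: S{s} E{e} C{c}")
    # S0 (no injuries), E0 (incredible) or C0 (controllable in general):
    # the hazard gets no ASIL, whatever the other two classes are.
    if s == 0 or e == 0 or c == 0:
        return "QM"
    return _ASIL_TABLE[s][e][c - 1]

@dataclass(frozen=True)
class Hazard:
    """One row of a HARA table: a hazardous event and its S/E/C rating."""
    name: str
    s: int
    e: int
    c: int
    @property
    def asil(self) -> str:
        return determine_asil(self.s, self.e, self.c)

def rank_hazards(hazards):
    """Order hazards most critical first (ASIL D, then C, B, A, then QM)."""
    order = {"D": 4, "C": 3, "B": 2, "A": 1, "QM": 0}
    return sorted(hazards, key=lambda h: order[h.asil], reverse=True)

# Constructed sample HARA rows for illustration (not from any real vehicle).
SAMPLE_HAZARDS = [
    Hazard("Unintended full braking at highway speed", s=3, e=4, c=3),
    Hazard("Loss of steering assist while parking", s=1, e=3, c=2),
    Hazard("Brief unintended acceleration, brake override active", s=2, e=4, c=1),
    Hazard("Instrument cluster backlight failure", s=0, e=4, c=1),
]

if __name__ == "__main__":
    for h in rank_hazards(SAMPLE_HAZARDS):
        print(f"{h.asil:>2}  S{h.s} E{h.e} C{h.c}  {h.name}")
```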
Why ASIL Determination is Essential
ASIL determination plays a critical role in ensuring that automotive systems meet safety requirements appropriate for the risk levels associated with their failure modes. By categorizing risks and assigning appropriate ASIL levels, manufacturers can:
Focus their efforts on addressing the most critical hazards first, ensuring that safety-critical systems are built to the highest standards.
Reduce the likelihood of catastrophic accidents by implementing rigorous risk controls for high-ASIL systems (e.g., advanced braking, steering, or autonomous driving systems).
Minimize overall risk exposure by applying the appropriate level of resources to each safety-critical component of the system.
Conclusion
Hazard analysis and risk assessment, combined with ASIL determination, form the backbone of ISO 26262's safety-critical processes for automotive systems. These processes ensure that vehicles are designed and manufactured with the highest regard for safety, protecting both the occupants and the wider community. Through systematic hazard identification, risk evaluation, and appropriate safety measures, automotive manufacturers can meet the stringent requirements of ISO 26262 and contribute to the development of safer, more reliable vehicles.