
Overview

The HARA custom field set implements the three-dimensional risk assessment matrix defined in ISO 26262-3. Each hazard work item uses these fields to:
  • Describe the hazardous event and operational context
  • Classify risk dimensions (Severity, Exposure, Controllability)
  • Determine ASIL (Automotive Safety Integrity Level)
  • Document the derived safety goal and analysis rationale
The Risksheet configuration provides an interactive assessment interface with automatic ASIL calculation from S-E-C combinations.

Hazard Identification Fields

Field Name | Type | Default | Description
hazardousEvent | Text | Empty | Combination of hazard and operational situation that could lead to harm. This is the foundation of the HARA and must follow the ISO 26262-3 definition of a hazardous event. Example: "Complete loss of AEB braking capability during highway driving"
operationalSituation | Text | Empty | Driving scenario context in which the hazard could occur (highway, parking, urban traffic, etc.). Directly determines the Exposure classification: situations that last longer or recur more often raise the E rating. Examples: highway driving at >50 km/h, parking maneuvers in a lot, urban stop-and-go traffic

ISO 26262 Risk Classification Fields

Severity (S0–S3)

Field Name | Type | Default | Description
haraSeverity | Enum (S0, S1, S2, S3) | Unrated | Potential harm to occupants or other road users, classified by injury severity per the ISO 26262-3 severity classes (Annex B gives examples). Consider every person who can be harmed, including other traffic participants
Severity Scale:
Rating | Injury Severity | Definition
S0 | No injuries | Hazardous event does not result in any injury
S1 | Light and moderate injuries | Injuries that can be treated without medical intervention or with minor treatment
S2 | Severe and life-threatening injuries (survival probable) | Injuries requiring hospitalization or long-term medical care; permanent disability possible
S3 | Life-threatening injuries (survival uncertain) or fatal injuries | One or more fatalities, or injuries from which survival is uncertain
Severity is not modified by mitigation: it is the inherent consequence of the hazardous event, assessed as if the malfunction occurs. Safety mechanisms added later reduce the likelihood of the malfunction or help the driver control it, but they never lower the S class (the Occurrence/Detection reasoning familiar from FMEA does not apply to a HARA severity rating). Document the basis for each severity classification using the injury severity definitions from ISO 26262-3 or your own automotive safety guidelines.

Exposure (E0–E4)

Field Name | Type | Default | Description
haraExposure | Enum (E0, E1, E2, E3, E4) | Unrated | Probability of exposure to the operational situation in which the hazardous event can occur, per ISO 26262-3 Annex B. Rates how much of the vehicle's operating time (duration) or how often (frequency) the situation is encountered; it does not rate how likely the malfunction itself is
Exposure Scale (ISO 26262-3 Annex B; use the duration criterion for situations that persist, such as highway driving, and the frequency criterion for short events, such as a parking maneuver):
Rating | Duration (share of average operating time) | Frequency | Definition
E0 | Incredible | Incredible | Situation so unusual that it is not considered credible; excluded from the ASIL table
E1 | Very low probability (not quantified) | Less often than once a year for the great majority of drivers | Rare operational situation
E2 | Below 1% | A few times a year for the great majority of drivers | Low probability
E3 | 1% to 10% | Once a month or more often for an average driver | Medium probability
E4 | Above 10% | During almost every drive on average | High probability
Exposure classification depends directly on the operationalSituation field. Document the duration or frequency estimate and its source. Example: "Highway driving at >50 km/h accounts for roughly 40% of operating time, so E4" vs. "Parking maneuvers account for roughly 5% of operating time, so E3."

Controllability (C0–C3)

Field Name | Type | Default | Description
haraControllability | Enum (C0, C1, C2, C3) | Unrated | Ability of the driver or other traffic participants to avoid the harm once the hazardous event occurs, per ISO 26262-3 Annex B. Considers the reaction time available, the skill required and the physical effort needed; rated without credit for the safety mechanism under consideration
Controllability Scale:
Rating | Driver Control | Definition
C0 | Controllable in general | Harm is avoided without a specific driver reaction; no percentage criterion applies
C1 | Simply controllable | 99% or more of all drivers or other traffic participants are usually able to avoid harm
C2 | Normally controllable | 90% or more of all drivers or other traffic participants are usually able to avoid harm
C3 | Difficult to control or uncontrollable | Fewer than 90% of all drivers or other traffic participants are usually able, or barely able, to avoid harm
Examples of C3 (uncontrollable) hazards: total brake failure at highway speed, complete loss of steering at speed, sudden vehicle immobilization in traffic (and, outside the automotive domain, a dual-engine flameout in an aircraft). Such hazards cannot rely on driver response; the item needs fail-safe behaviour or redundancy, which the derived safety goals and functional safety requirements then specify.

ASIL Determination

Field Name | Type | Default | Description
haraASIL | Enum (QM, ASIL A, ASIL B, ASIL C, ASIL D) | Unrated | Automotive Safety Integrity Level determined from the S, E and C classes per ISO 26262-3 Table 4. Drives the rigor of the methods recommended in ISO 26262-4 to -6 and the independence required of confirmation measures. Output of the HARA process, not an input
ASIL Determination Matrix (ISO 26262-3 Table 4; rows are Severity and Exposure, columns are Controllability):
             C1   C2   C3
S1    E1     QM   QM   QM
      E2     QM   QM   QM
      E3     QM   QM   A
      E4     QM   A    B
S2    E1     QM   QM   QM
      E2     QM   QM   A
      E3     QM   A    B
      E4     A    B    C
S3    E1     QM   QM   A
      E2     QM   A    B
      E3     A    B    C
      E4     B    C    D
S0, E0 and C0 do not appear in the table: a hazardous event with any class of 0 is QM. Equivalently, the table is a function of S + E + C: QM for a sum of 6 or less, then ASIL A, B, C, D for sums of 7, 8, 9 and 10. Example: S2, E4, C2 (sum 8) gives ASIL B; S2, E3, C2 (sum 7) gives ASIL A.
The risksheet calculates ASIL from S, E and C with a lookup formula; check any customized formula against all 36 cells of Table 4 before relying on it. If ASIL is assigned manually, use the matrix above and document the reasoning in the haraRationale field. ASIL also drives traceability expectations: ASIL A requires basic traceability, ASIL D enhanced documentation and verification.
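The lookup behind the risksheet's getASIL formula is not shown on this page. The following is an added example, not the risksheet's or Polarion's own code: it encodes ISO 26262-3 Table 4 in Python, rejects Unrated or malformed class values instead of letting them default to QM, and cross-checks all 36 cells against the closed-form rule that the ASIL depends only on S + E + C. The function names (get_asil, parse_class, asil_by_sum) are this example's own; the return strings follow the haraASIL enum above.

```python
"""ASIL determination from S, E and C per ISO 26262-3 Table 4.

Added example: not the risksheet's getASIL implementation. Return values
use the haraASIL enum literals ('QM', 'ASIL A' .. 'ASIL D').
"""
from typing import Dict, Tuple

# ISO 26262-3 Table 4. Each string lists the ASIL for C1, C2, C3 in order.
_TABLE_4 = {
    1: {1: "QM QM QM", 2: "QM QM QM", 3: "QM QM A", 4: "QM A B"},   # S1
    2: {1: "QM QM QM", 2: "QM QM A", 3: "QM A B", 4: "A B C"},     # S2
    3: {1: "QM QM A", 2: "QM A B", 3: "A B C", 4: "B C D"},        # S3
}


def _build_table() -> Dict[Tuple[int, int, int], str]:
    """Expand the compact rows into an (S, E, C) -> letter lookup."""
    table = {}
    for s, by_e in _TABLE_4.items():
        for e, cells in by_e.items():
            for c, letter in enumerate(cells.split(), start=1):
                table[(s, e, c)] = letter
    return table


ASIL_TABLE = _build_table()          # 36 entries: S1-S3 x E1-E4 x C1-C3


def parse_class(value: str, prefix: str, maximum: int) -> int:
    """'S2' -> 2. Rejects 'Unrated', wrong prefixes and out-of-range digits
    so that an incomplete hazard never silently evaluates to QM."""
    v = str(value).strip().upper()
    if len(v) != 2 or v[0] != prefix or not v[1].isdigit():
        raise ValueError(f"expected {prefix}0..{prefix}{maximum}, got {value!r}")
    n = int(v[1])
    if n > maximum:
        raise ValueError(f"{value!r} is outside {prefix}0..{prefix}{maximum}")
    return n


def get_asil(severity: str, exposure: str, controllability: str) -> str:
    """Return 'QM' or 'ASIL A'..'ASIL D' for the given enum literals."""
    s = parse_class(severity, "S", 3)
    e = parse_class(exposure, "E", 4)
    c = parse_class(controllability, "C", 3)
    if 0 in (s, e, c):
        return "QM"                  # S0, E0 or C0: no ASIL is assigned
    letter = ASIL_TABLE[(s, e, c)]
    return letter if letter == "QM" else f"ASIL {letter}"


def asil_by_sum(s: int, e: int, c: int) -> str:
    """Closed form of Table 4: the ASIL depends only on S + E + C."""
    if 0 in (s, e, c):
        return "QM"
    return {7: "A", 8: "B", 9: "C", 10: "D"}.get(s + e + c, "QM")


def table_matches_sum_rule() -> bool:
    """Cross-check: every one of the 36 table cells equals the sum rule."""
    return all(asil_by_sum(s, e, c) == letter
               for (s, e, c), letter in ASIL_TABLE.items())


if __name__ == "__main__":
    print(get_asil("S2", "E4", "C2"))     # ASIL B
    print(get_asil("S3", "E0", "C3"))     # QM
    print(table_matches_sum_rule())       # True
```

The explicit table and the sum rule are kept side by side on purpose: the table is what an assessor can audit against the standard, and the sum rule is the cheap invariant a test can run against whatever formula the risksheet actually ships.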

Safety Goal Derivation

Field Name | Type | Default | Description
safetyGoalText | Text | Empty | Top-level safety goal derived from the hazard: the safe-state requirement that prevents or mitigates the hazardous event. Every hazardous event rated ASIL A to D must have at least one safety goal (QM events need none). Example: "Ensure obstacle detection confidence >99% during AEB operation"
safetyGoalReference | String (work item ID) | Empty | Reference ID of the formal Safety Goal work item created from this HARA analysis. Enables traceability to functional safety requirements. Example: "SG-02" or "SG_AEB_OBSTACLE_DETECTION"
Safety goals inherit the ASIL of their parent hazard. An ASIL D hazard produces ASIL D safety goals, which decompose into ASIL D functional safety requirements. If one safety goal covers several similar hazardous events, it takes the highest ASIL among them. Use the safetyGoalReference field to link the derived Safety Goal work item for bidirectional traceability.
Example Safety Goals by Hazard:
Hazard | ASIL | Safety Goal
Delayed braking activation | ASIL B | Ensure AEB system initiates braking within 200 ms of obstacle detection
Excessive braking force | ASIL B | Limit braking force application to vehicle manufacturer specifications ±5%
Failure to detect obstacle | ASIL D | Achieve obstacle detection sensitivity and reliability of ≥99.5% in specified operational scenarios

Analysis Documentation

Field Name | Type | Default | Description
haraRationale | Text | Empty | Audit trail documenting the reasoning behind the Severity, Exposure and Controllability classifications and any assumptions made during the assessment. Required for ISO 26262 compliance. Include references to design data, standards, expert judgement or historical field data used to justify the S/E/C ratings
Rationale Documentation Template:
SEVERITY (S2): Severe and life-threatening injuries, survival probable
  Basis: Uncontrolled braking force at highway speed (>100 km/h) causes loss of vehicle control,
         potential collision with other vehicles. Per FMEA and field collision data, a collision at
         highway speed results in serious injuries to vehicle occupants and a possible multi-vehicle pileup.

EXPOSURE (E4): High probability
  Basis: Highway driving at >50 km/h, the situation in which AEB is active, is estimated at 35–50% of
         operating time from fleet driving data (ISO 26262-3 Annex B: above 10% of average operating
         time is E4). The estimate covers the operational situation only; how often the sensor
         degrades is a malfunction probability and is not part of the E rating.

CONTROLLABILITY (C2): Normally controllable
  Basis: Under normal conditions most drivers detect the excessive deceleration and override or steer
         within the available time. In an emergency braking scenario or adverse weather (reduced
         visibility) the available time can be shorter than the response, and driver skill and age
         vary, so the 99% criterion for C1 is not met while the 90% criterion for C2 is.

ASIL DETERMINATION: S2 + E4 + C2 → ASIL B (ISO 26262-3 Table 4)
  Mitigation strategy (addressed by the safety goal and functional safety requirements; not credited
  in the S/E/C classification): design controls on the braking ECU, redundant pressure sensors,
  functional safety software validation. Safety goal: "Limit braking force application to spec ±5%."

Field Relationships and Workflows

HARA Assessment Workflow

The risksheet can be configured with progressive workflow views that guide users through the assessment sequence used on this page: hazard identification (hazardousEvent, operationalSituation), then S/E/C classification, then ASIL determination, then safety goal derivation and rationale. [Workflow diagram not reproduced here.]

Custom Field Binding

These fields bind to the Hazard work item type in Polarion. The risksheet configuration maps each field to a column with specific formatting:
# Example risksheet column group (HAZID HARA Analysis)
- groupName: "HARA Classification"
  columns:
    - fieldId: haraSeverity
      title: "S (Severity)"
      renderer: enumDropdown
      cellDecorator: colorCode  # S0=green, S1=yellow, S2=orange, S3=red
    - fieldId: haraExposure
      title: "E (Exposure)"
      renderer: enumDropdown
    - fieldId: haraControllability
      title: "C (Controllability)"
      renderer: enumDropdown
    - fieldId: haraASIL
      title: "ASIL"
      formula: "getASIL(haraSeverity, haraExposure, haraControllability)"
      editable: false
    - fieldId: safetyGoalText
      title: "Safety Goal"
      renderer: richText

Cross-References

Related Page | Purpose
HARA Severity (S0-S3) | Severity enumeration definitions and examples
HARA Exposure (E0-E4) | Exposure enumeration with frequency criteria
HARA Controllability (C0-C3) | Controllability enumeration with driver control scenarios
ASIL Classification (QM, A-D) | ASIL enum and risk matrix lookup
Safety Goal | Safety Goal work item type reference
Hazard | Hazard work item type (contains these fields)
HARA Risksheet Configuration | Risksheet layout, columns, formulas, and workflow views
ISO 26262 Functional Safety | ISO 26262 standard overview and compliance model

Field Value Validation

The risksheet includes traffic-light validation to enforce completion:
Condition | Status | Action Required
All fields (hazardousEvent, S, E, C, ASIL, safetyGoalText) complete and rationale documented | ✅ Green | Ready for review
One or more fields missing, or ASIL inconsistent with the S/E/C combination | Red | Fill the missing field; verify ASIL against ISO 26262-3 Table 4
haraRationale empty or insufficient | Red | Add S/E/C justification and assumptions
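The three traffic-light conditions above, applied to hazard records, as an added example that is not the risksheet's built-in validation. The record layout follows the field names on this page; the sample records are constructed for the example, MIN_RATIONALE_CHARS and the function names are this example's assumptions, and the ASIL recomputation uses the S + E + C form of ISO 26262-3 Table 4.

```python
"""Traffic-light validation of HARA hazard records.

Added example, not the risksheet's built-in validation. Record keys are the
custom field IDs from this page; MIN_RATIONALE_CHARS is an assumption.
"""
from typing import Dict, List

REQUIRED_FIELDS = ("hazardousEvent", "haraSeverity", "haraExposure",
                   "haraControllability", "haraASIL", "safetyGoalText")
MIN_RATIONALE_CHARS = 80     # assumption: a shorter rationale is "insufficient"


def _class(value) -> int:
    """'E4' -> 4; anything else (empty, 'Unrated') -> -1."""
    v = str(value or "").strip()
    return int(v[1]) if len(v) == 2 and v[1].isdigit() else -1


def asil_from_sec(s: int, e: int, c: int) -> str:
    """ISO 26262-3 Table 4 as a function of S + E + C; any 0 class is QM."""
    if 0 in (s, e, c):
        return "QM"
    return {7: "ASIL A", 8: "ASIL B", 9: "ASIL C", 10: "ASIL D"}.get(s + e + c, "QM")


def validate_hazard(h: Dict[str, str]) -> Dict[str, object]:
    """Apply the three rules from the validation table to one work item."""
    actions: List[str] = []
    missing = [f for f in REQUIRED_FIELDS
               if not str(h.get(f) or "").strip() or h.get(f) == "Unrated"]
    if missing:
        actions.append("Fill missing field(s): " + ", ".join(missing))
    s, e, c = (_class(h.get(k)) for k in
               ("haraSeverity", "haraExposure", "haraControllability"))
    recorded = h.get("haraASIL")
    if -1 not in (s, e, c) and recorded not in (None, "", "Unrated"):
        expected = asil_from_sec(s, e, c)
        if recorded != expected:
            actions.append(f"haraASIL {recorded} inconsistent with "
                           f"S{s}/E{e}/C{c}; Table 4 gives {expected}")
    if len(str(h.get("haraRationale") or "").strip()) < MIN_RATIONALE_CHARS:
        actions.append("Add S/E/C justification and assumptions to haraRationale")
    return {"status": "Red" if actions else "Green", "actions": actions}


def validate_all(records: Dict[str, Dict[str, str]]) -> Dict[str, str]:
    """Map each work item ID to its traffic-light colour."""
    return {wid: validate_hazard(h)["status"] for wid, h in records.items()}


# Constructed sample records for this example (not real project data).
SAMPLE_HAZARDS = {
    "HZ-001": {   # complete and consistent -> Green
        "hazardousEvent": "Excessive AEB braking force during highway driving",
        "haraSeverity": "S2", "haraExposure": "E4", "haraControllability": "C2",
        "haraASIL": "ASIL B",
        "safetyGoalText": "Limit braking force application to spec +/-5%",
        "haraRationale": "S2: collision at highway speed, survival probable. "
                         "E4: highway driving >50 km/h exceeds 10% of operating time. "
                         "C2: most drivers can steer and override in time.",
    },
    "HZ-002": {   # ASIL overstated relative to S/E/C -> Red
        "hazardousEvent": "Loss of steering assist during parking",
        "haraSeverity": "S3", "haraExposure": "E2", "haraControllability": "C3",
        "haraASIL": "ASIL C",
        "safetyGoalText": "Steering assist shall not be lost without warning",
        "haraRationale": "S3: pedestrian impact possible. E2: parking is below 1% of "
                         "operating time. C3: fewer than 90% of drivers compensate in time.",
    },
    "HZ-003": {   # safety goal missing, rationale placeholder -> Red
        "hazardousEvent": "Unintended AEB activation at low speed",
        "haraSeverity": "S2", "haraExposure": "E2", "haraControllability": "C1",
        "haraASIL": "QM",
        "safetyGoalText": "",
        "haraRationale": "TBD",
    },
}

if __name__ == "__main__":
    for wid, h in SAMPLE_HAZARDS.items():
        result = validate_hazard(h)
        print(wid, result["status"], *result["actions"], sep=" | ")
```

Recomputing the ASIL rather than trusting the stored haraASIL is the check that matters: a manual override that disagrees with Table 4 is reported with the expected value, so the reviewer can see whether the haraRationale justifies the exception.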

Tips for HARA Assessment

  • Severity: Base the rating on the ISO 26262-3 injury-severity classes (S1 light and moderate; S2 severe and life-threatening, survival probable; S3 survival uncertain or fatal). When in doubt, consult accident statistics or historical field data for the failure mode, and rate the worst credible outcome for all persons involved.
  • Exposure: Quantify the operational situation's duration or frequency using fleet driving data, climate studies, or expert consensus, and document the basis for each E rating. Rate the situation, not the probability of the malfunction.
  • Controllability: Consider the reaction time actually available to the driver, the required skill level (novice vs. experienced), and the physical effort. The C class is a statement about the driver population (at least 99% for C1, at least 90% for C2, fewer for C3), not about an attentive test driver. Test with a typical user population if possible.
  • ASIL: Verify the calculated ASIL against ISO 26262-3 Table 4. If a manual override is needed, document the exception in haraRationale and get management approval.
  • Safety Goals: Write from a safe-state perspective ("ensure X is maintained") rather than a mitigation perspective. At least one safety goal per hazardous event rated ASIL A to D (QM events need none); ASIL D hazards typically have multiple safety goals covering different failure scenarios.