Overview
Control Type classifies how a risk is controlled — whether through design-level elimination, protective detection mechanisms, or informational warnings. This classification is critical for:
- ISO 26262 compliance: Documenting adherence to the functional safety control hierarchy
- Risk prioritization: Ensuring design controls are preferred over reactive measures
- Traceability: Linking safety requirements to their underlying control strategy
- Effectiveness assessment: Evaluating whether controls are of an appropriate type for the severity of the hazard or failure
Enumeration Values
| Value | Display Name | Priority | Description |
|---|---|---|---|
| inherent-safety-design | Inherent Safety Design | 1 (Highest) | Risk eliminated or minimized through architectural design choices, fault tolerance, redundancy, or fail-safe defaults. Highest confidence control. |
| protective-measure | Protective Measure | 2 (Medium) | Risk mitigated through protective mechanisms, detection, or mitigation — watchdogs, error detection codes, plausibility checks, warnings, diagnostic coverage. |
| information-for-safety | Information for Safety | 3 (Lowest) | Risk addressed through warnings, procedures, training, operator information, or manual processes. Requires correct human response. |
| prevention | Prevention | 2 (Medium) | Control that prevents the failure mode or hazardous condition from occurring — used in FMEA contexts to distinguish prevention controls from detection. Reduces occurrence rating. |
| detection | Detection | 3 (Low) | Control that detects failure mode after occurrence but before harm — improves detection rating. Does not prevent failures, only improves discoverability. |
Control Hierarchy
TestAuto2 implements the ISO 26262 three-tier control hierarchy: inherent safety design (priority 1), protective measures (priority 2), and information for safety (priority 3).
ISO 26262 requires functional safety analyses to justify why lower-tier controls are used when hazards have high ASIL ratings. For ASIL D hazards, inherent safety design and protective measures are strongly preferred. Information-for-safety controls alone cannot achieve ASIL C or D.
FMEA vs. HARA Control Types
TestAuto2 supports two complementary control categorization approaches:
ISO 26262 HARA Context (Safety Goals, Risk Controls)
When analyzing hazards in HARA (Hazard Analysis and Risk Assessment):
| Control Type | Use Case | Example |
|---|---|---|
| Inherent Safety Design | Safety goal derives from architectural choice to eliminate hazard source | “Implement redundant brake actuation channels” |
| Protective Measure | Safety goal requires mitigation mechanism for detected faults | “Implement watchdog timer to detect ECU failure” |
| Information for Safety | Safety goal relies on driver awareness or operational constraints | “Driver training on AEB system limitations” |
FMEA Context (Failure Modes, Risk Mitigation)
When analyzing failure modes in DFMEA/PFMEA:
| Control Type | Use Case | Example | Effect |
|---|---|---|---|
| Prevention | Design control that reduces failure occurrence rate | Improved component manufacturing process; material upgrade | Lowers Occurrence rating |
| Detection | Inspection/test control that improves failure detectability | 100% pressure transducer calibration test; visual inspection | Lowers Detection rating; does NOT prevent failures |
A single risk control may be classified as:
- Inherent Safety Design in HARA context (architectural decision)
- Prevention in DFMEA context (root cause mitigation)
Example: “Implement ECC (error-correcting code) memory” is an inherent design choice that also prevents memory corruption failure modes.
Property Reference
| Property | Type | Values | Sort Order | Description |
|---|---|---|---|---|
| id | String | inherent-safety-design, protective-measure, information-for-safety, prevention, detection | N/A | Unique enumeration identifier |
| title | String | Inherent Safety Design, Protective Measure, Information for Safety, Prevention, Detection | N/A | Display name in UI |
| description | String | Control strategy description | N/A | Detailed explanation of control type |
| sortOrder | Integer | 1–5 | 1 = highest priority | Ranking for sorting/reporting (1 = inherent safety, 5 = information) |
| category | String | iso26262, fmea | N/A | Framework: functional safety or failure analysis |
Usage in TestAuto2
Risk Control Work Items
The Control Type field appears on Risk Control work items:
```xml
<field>
  <name>riskControlType</name>
  <enum ref="controlType"/>
  <description>Categorizes this risk control by its strategy: inherent design, protective measure, or informational</description>
</field>
```
Workflow:
- Safety engineer creates Risk Control item linked to Hazard or Risk Record
- Assigns Control Type based on mitigation strategy (e.g., “Inherent Safety Design”)
- Risk Control Type propagates to traceability reports and Safety Readiness Scorecard
- Configuration Manager uses Control Type to verify ASIL adequacy (e.g., ASIL D hazards have sufficient inherent/protective controls)
Risksheet Configuration
Control Type appears as a column in risk analysis sheets:
- HARA Risksheet — “Risk Control Type” column in the Risk Controls section
  - Grouped with Risk Control ID, title, and effectiveness status
  - Cell decorator highlights suboptimal choices (e.g., an information-only control for a high-ASIL hazard)
- DFMEA/PFMEA Risksheets — “Control Type” column in the Prevention/Detection sections
  - Distinguishes between prevention controls (lower the Occurrence rating) and detection controls (lower the Detection rating)
  - Optional cell styling to visually flag detection-only strategies
PowerSheet Filtering
The Whole RTM PowerSheet and Risk Control Plan may filter requirements by downstream Control Type to verify traceability.
Decision Matrix: When to Use Each Type
| Question | Yes | No |
|---|---|---|
| Can we design out the risk? (Architecture, redundancy) | INHERENT SAFETY (Priority 1) | Continue to next |
| Can we detect and mitigate? (Monitoring, watchdogs) | PROTECTIVE MEASURE (Priority 2) | Continue to next |
| Can we warn the user? (Training, procedures) | INFORMATION FOR SAFETY (Priority 3) | Accept Residual Risk |
Use multiple control types for high-ASIL hazards:
- Primary: Inherent Safety Design control
- Secondary: Protective Measure for detection/response
- Tertiary: Information for Safety for operator awareness
This layered approach provides defense-in-depth and increases confidence in residual risk acceptability.
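The decision matrix and the ASIL rules above (information-for-safety alone cannot achieve ASIL C or D; high-ASIL hazards should be layered) as an added example, not TestAuto2 code. The enumeration ids are the page's; the `answers` object keys, the ASIL strings `"A"`–`"D"` and the returned shapes are assumptions.

```javascript
// Added example (not TestAuto2 code). Only the three HARA tiers take part here;
// the FMEA ids "prevention"/"detection" are ignored by the tier lookup.
const TIER = { "inherent-safety-design": 1, "protective-measure": 2, "information-for-safety": 3 };
const HIGH_ASIL = new Set(["C", "D"]); // assumption: which ASILs count as "high-ASIL"

// Walks the decision matrix: the first "yes" answer gives the primary control type.
// For high-ASIL hazards every feasible lower tier is kept as a secondary/tertiary layer.
function selectControlTypes(asil, answers) {
  const order = [
    ["canDesignOut", "inherent-safety-design"],       // assumed key names
    ["canDetectAndMitigate", "protective-measure"],
    ["canWarnUser", "information-for-safety"],
  ];
  const feasible = order.filter(([q]) => answers[q]).map(([, id]) => id);
  if (feasible.length === 0) return { primary: null, layers: [], residual: "accept-residual-risk" };
  const layers = HIGH_ASIL.has(asil) ? feasible : [feasible[0]];
  return { primary: feasible[0], layers, residual: null };
}

// Adequacy check a Configuration Manager would run on a hazard's assigned controls.
// violations = hard rule breaches; recommendations = missing defense-in-depth layers.
function assessCoverage(asil, controlTypes) {
  const tiers = new Set(controlTypes.map((id) => TIER[id]).filter(Boolean));
  const bestTier = tiers.size ? Math.min(...tiers) : null;
  const violations = [];
  const recommendations = [];
  // Information-for-safety controls alone cannot achieve ASIL C or D.
  if (HIGH_ASIL.has(asil) && (bestTier === null || bestTier === 3)) {
    violations.push("asil-" + asil + "-needs-inherent-or-protective-control");
  }
  // High-ASIL hazards: primary + secondary + tertiary layers are recommended.
  if (HIGH_ASIL.has(asil)) {
    for (const t of [1, 2, 3]) if (!tiers.has(t)) recommendations.push("missing-tier-" + t);
  }
  return { bestTier, layered: tiers.size >= 2, adequate: violations.length === 0, violations, recommendations };
}
```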
Integration Points
Related Concepts:
Work Item Types:
- Risk Control — Primary usage in risk mitigation workflow
- Hazard — Target of risk controls in HARA
- Failure Mode — Target of prevention/detection controls in FMEA
- Safety Goal — Derived from hazards with associated control types
Reports:
Configuration Properties
When configuring Risksheet columns for Control Type:
```json
{
  "name": "riskControlType",
  "title": "Control Type",
  "dataType": "enum",
  "enumRef": "controlType",
  "width": 180,
  "group": "Risk Controls",
  "sortOrder": 2,
  "formatter": "enumLabel",
  "decorator": {
    "type": "cellClass",
    "function": "riskControlTypeStyle()",
    "classes": {
      "inherent-safety-design": "control-type-inherent",
      "protective-measure": "control-type-protective",
      "information-for-safety": "control-type-information",
      "prevention": "control-type-prevention",
      "detection": "control-type-detection"
    }
  }
}
```
The riskControlTypeStyle() decorator applies CSS classes for visual priority cues — green for inherent/protective, yellow for information/detection.
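One way to implement the riskControlTypeStyle() decorator from this column configuration, as an added example rather than TestAuto2's own implementation. The `classes` map and enum ids are copied from the page; the row shape `{ asil, controlTypes }`, the `control-type-unknown` and `control-type-suboptimal` class names, and the green cue for `prevention` (the page only names the other four) are assumptions.

```javascript
// Added example (not TestAuto2 code): builds the cell decorator from the column config.
const ENUM_IDS = ["inherent-safety-design", "protective-measure", "information-for-safety", "prevention", "detection"];

const columnConfig = { // decorator section copied from the Risksheet column configuration above
  name: "riskControlType", dataType: "enum", enumRef: "controlType",
  decorator: { type: "cellClass", function: "riskControlTypeStyle()", classes: {
    "inherent-safety-design": "control-type-inherent",
    "protective-measure": "control-type-protective",
    "information-for-safety": "control-type-information",
    "prevention": "control-type-prevention",
    "detection": "control-type-detection",
  } },
};

function makeRiskControlTypeStyle(config) {
  const classes = config.decorator.classes;
  // Config check: every enumeration id needs a class, or those cells render without a cue.
  const missing = ENUM_IDS.filter((id) => !(id in classes));
  if (missing.length) throw new Error("decorator classes missing for: " + missing.join(", "));
  // row = { asil: "A".."D", controlTypes: [...] } is an assumed shape for the hazard row.
  return function riskControlTypeStyle(value, row) {
    if (!(value in classes)) return "control-type-unknown"; // assumed fallback class
    const out = [classes[value]];
    // HARA risksheet highlight: information-only controls on a high-ASIL (C/D) hazard.
    const types = (row && row.controlTypes) || [value];
    const infoOnly = types.every((t) => t === "information-for-safety");
    if (row && ["C", "D"].includes(row.asil) && infoOnly) out.push("control-type-suboptimal");
    return out.join(" ");
  };
}

// Visual priority cue: green for inherent/protective, yellow for information/detection.
const CUE = {
  "control-type-inherent": "green", "control-type-protective": "green",
  "control-type-prevention": "green", // assumption; the page does not name a colour for prevention
  "control-type-information": "yellow", "control-type-detection": "yellow",
};
function priorityCue(className) { return CUE[className.split(" ")[0]] || "none"; }
```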