Controllability is the third dimension of the ISO 26262 HARA (Hazard Analysis and Risk Assessment) classification framework, assessing the driver’s ability to prevent or mitigate harm when a hazardous event occurs. Combined with Severity (S0-S3) and Exposure (E0-E4), Controllability determines the Automotive Safety Integrity Level (ASIL) rating.

Overview

The HARA Controllability enumeration classifies hazardous events into four classes (C0 through C3) following ISO 26262-3 (controllability classes, with worked examples in Table B.4). The class expresses the share of drivers or other traffic participants who are usually able to avoid harm once the hazardous event has occurred. This parameter directly influences safety goal derivation and functional safety requirement allocation in TestAuto2.

Key Principle: Higher controllability (C0) means drivers are better able to prevent harm, resulting in a lower ASIL. Lower controllability (C3) means drivers have difficulty preventing harm, escalating the ASIL and the safety requirements that follow from it.
Enumeration Value | Risk Level | Driver Controllability | ASIL Impact
C0 | Lowest | Controllable in general (no percentage threshold) | No ASIL assigned (QM)
C1 | Low | Simply controllable (99% or more of drivers, minimal effort) | Standard ASIL
C2 | Medium | Normally controllable (90% or more of drivers) | Escalates ASIL by one level
C3 | Highest | Difficult to control or uncontrollable (fewer than 90% of drivers) | Maximum ASIL

Controllability Levels (C0-C3)

C0 — Controllable in General

Definition: Hazards that can be controlled by the average driver through general driving skills, without requiring specific expertise or exceptional reaction speed.
Property | Value
Enum ID | c0
ISO 26262-3 Reference | Table B.4, Class C0
Driver Controllability Threshold | None; "controllable in general" is an engineering judgement, not a percentage band
Assessment Criteria | General driving competence; no specialized skills required
Automotive Examples | Slight tire pressure loss; gradual power steering fade at highway speeds; minor instrument cluster display glitch
ASIL Impact | No ASIL is assigned; the hazardous event is rated QM regardless of its S and E classes
Rationale: C0 represents hazards where the average driver has ample reaction time and needs only standard vehicle control skills to mitigate. C0 does not appear in the ASIL determination table, so a C0 event receives no ASIL (QM); the rating must still be justified in the HARA, because it removes the event from the functional safety concept.

C1 — Simply Controllable

Definition: Hazards controllable with minimal driver effort or attention. A simple corrective action is required, well within the capability of nearly all drivers.
Property | Value
Enum ID | c1
ISO 26262-3 Reference | Table B.4, Class C1
Driver Controllability Threshold | 99% or more of drivers are usually able to avoid harm with minimal effort
Assessment Criteria | Simple steering, braking, or throttle correction; ordinary reaction time suffices
Automotive Examples | Unintended downshift during acceleration (correctable by upshift); slight AEB false activation (correctable by throttle); minor lane-keeping assist jitter
ASIL Impact | Standard ASIL determination from the S × E × C table
Rationale: C1 is the baseline controllability class for most automotive hazards. Drivers respond intuitively with standard vehicle control inputs.

C2 — Normally Controllable

Definition: Hazards controllable under normal driving conditions by most drivers, but that challenge some operators because of the complexity or the reaction speed required.
Property | Value
Enum ID | c2
ISO 26262-3 Reference | Table B.4, Class C2
Driver Controllability Threshold | 90% or more (but fewer than 99%) of drivers are usually able to avoid harm
Assessment Criteria | Requires coordinated control inputs; normal reaction time suffices; elevated attention demanded
Automotive Examples | Loss of adaptive cruise control at highway speed (requires manual throttle and steering); degraded ESP response on a low-friction surface; delayed steering response during an emergency maneuver
ASIL Impact | One ASIL level above C1 for the same S and E; S3 + E4 + C2 yields ASIL C
Rationale: C2 represents a step up in difficulty. Some drivers (elderly, inexperienced, or distracted) may struggle to respond adequately, so the classification escalates the safety requirements.

C3 — Difficult to Control or Uncontrollable

Definition: Hazards that are difficult for most drivers to control, or that cannot be controlled at all regardless of skill level or reaction time.
Property | Value
Enum ID | c3
ISO 26262-3 Reference | Table B.4, Class C3
Driver Controllability Threshold | Fewer than 90% of drivers are usually able to avoid harm; includes uncontrollable scenarios
Assessment Criteria | Requires extraordinary reaction speed or multiple coordinated inputs, or is physically impossible to mitigate
Automotive Examples | Total brake failure at highway speed (no reasonable mitigation); complete steering loss during a high-speed turn (physically impossible to correct); ECU firmware crash leaving the vehicle unresponsive; fuel system rupture causing fire
ASIL Impact | One ASIL level above C2; S3 + E4 + C3 yields ASIL D (the highest integrity requirement)
Rationale: C3 hazards demand the strongest safety mechanisms because drivers cannot reliably prevent harm. The functional safety requirements must prevent the hazard entirely or detect and mitigate it automatically, without relying on driver action.
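The following is an added example, not TestAuto2 code, showing how the class thresholds above behave at their boundaries and how several assessors' ratings are merged. The function names, the hazard labels and the assessor estimates are all constructed for illustration; the thresholds are the ones stated in this page's class definitions (99% or more is C1, 90% or more is C2, anything below is C3, and C0 is never derived from a percentage).

```javascript
// Added example (not TestAuto2 code): classify controllability from an
// estimated share of drivers able to avoid harm, and merge several assessors'
// ratings conservatively. Threshold values follow the class definitions used
// on this page (99% or more -> C1, 90% or more -> C2, below 90% -> C3).

const C_CLASSES = ["c0", "c1", "c2", "c3"];

// fraction: estimated share (0..1) of drivers who avoid harm in the situation.
// C0 is deliberately never derived here: "controllable in general" is an
// explicit engineering judgement, not a percentage band.
function controllabilityFromFraction(fraction) {
  if (typeof fraction !== "number" || !(fraction >= 0 && fraction <= 1)) {
    throw new RangeError("driver capability fraction must be within 0..1, got " + fraction);
  }
  if (fraction >= 0.99) return "c1"; // "99% or more" is inclusive
  if (fraction >= 0.90) return "c2"; // "90% or more" is inclusive
  return "c3";                       // fewer than 90%
}

// Conservative merge of several ratings: the highest class wins, because the
// higher C class produces the higher ASIL.
function mergeControllability(ratings) {
  if (!Array.isArray(ratings) || ratings.length === 0) {
    throw new RangeError("at least one rating is required");
  }
  let worst = 0;
  for (const r of ratings) {
    const idx = C_CLASSES.indexOf(String(r).trim().toLowerCase());
    if (idx < 0) throw new RangeError("unknown controllability class: " + r);
    worst = Math.max(worst, idx);
  }
  return C_CLASSES[worst];
}

// Constructed assessor estimates (hypothetical values) for the three worked
// examples on this page; each array holds one estimate per assessor.
const CONSTRUCTED_ASSESSMENTS = {
  "HZ-1 unintended acceleration while parking": [0.995, 0.99, 0.998],
  "HZ-2 EPS assist loss in emergency lane change": [0.95, 0.92, 0.97],
  "HZ-3 total brake loss at highway speed": [0.05, 0.10, 0.20],
};

// Classify each assessor's estimate, then merge per hazard.
function assessAll(assessments) {
  const result = {};
  for (const [hazard, fractions] of Object.entries(assessments)) {
    result[hazard] = mergeControllability(fractions.map(controllabilityFromFraction));
  }
  return result;
}

console.log(assessAll(CONSTRUCTED_ASSESSMENTS));
```

The inclusive comparisons matter: an estimate of exactly 99% is C1, exactly 90% is C2, and an estimate that cannot be expressed as a fraction (or a malformed enum ID) raises instead of silently becoming the most favourable class.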

HARA Controllability Assessment Workflow

TestAuto2 implements controllability assessment as part of the ISO 26262 HARA process. The assessment sequence is shown in the workflow diagram (image not reproduced in this text).

Assessment Decision Tree

(decision-tree diagram not reproduced in this text)

Risksheet Configuration & Integration

HARA Risksheet Column Binding

Controllability is bound to the HARA Risksheet as an enumeration dropdown column:
{
  "name": "Controllability",
  "fieldId": "customfield_controllability",
  "type": "enumeration",
  "enumId": "hara-controllability",
  "level": 4,
  "width": "120px",
  "editable": true,
  "headerGroup": "headHARA",
  "headerGroupCss": ["orange", "red"],
  "cellDecorator": "asilLevel"
}
Field Properties:
Property | Value | Explanation
fieldId | customfield_controllability | Polarion custom field ID for hazard work items
enumId | hara-controllability | Links to the enum definition with values c0, c1, c2, c3
type | enumeration | Dropdown selector in Risksheet cells
editable | true | Users can modify the controllability rating
cellDecorator | asilLevel | Optional color coding (C0 = green, C3 = red)

Color-Coded Cell Decorators

Controllability cells can be visually highlighted based on risk level using cell decorators:
{
  "name": "controllabilityCellDecorator",
  "type": "toggleClass",
  "field": "controllability",
  "mapping": {
    "c0": "ctrl-green",
    "c1": "ctrl-blue",
    "c2": "ctrl-orange",
    "c3": "ctrl-red"
  }
}
CSS Classes Applied:
Controllability | CSS Class | Background Color | Rationale
C0 | .ctrl-green | Light green | Low risk; drivers easily control
C1 | .ctrl-blue | Light blue | Baseline risk; standard controllability
C2 | .ctrl-orange | Light orange | Elevated risk; challenges some drivers
C3 | .ctrl-red | Light red | Highest risk; drivers cannot reliably control
Color should not be the only indicator of controllability level. Always include text labels (C0, C1, C2, C3) alongside colors to support users with color vision deficiency.
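As an added example (not TestAuto2's decorator engine, whose internals this page does not show), the block below applies the toggleClass decorator configured above to a cell model that stands in for a DOM element's classList and textContent. It demonstrates two points a practitioner wants right: every class the decorator can set is cleared before the new one is applied, so a cell re-rated from C3 to C1 does not keep its red background, and a text label is written on every update so colour is never the only indicator. The functions and the sample rows are constructed for illustration.

```javascript
// Added example (not TestAuto2 code): apply a "toggleClass" decorator to a
// Risksheet cell. The cell model is a stand-in for a DOM element.

const CONTROLLABILITY_DECORATOR = {
  name: "controllabilityCellDecorator",
  type: "toggleClass",
  field: "controllability",
  mapping: { c0: "ctrl-green", c1: "ctrl-blue", c2: "ctrl-orange", c3: "ctrl-red" },
};

function makeCell() {
  return { classes: new Set(), text: "" };
}

// Re-evaluate the decorator for one row. Every class the decorator can set is
// cleared first, so a cell re-rated from c3 to c1 does not keep ctrl-red, and
// a text label is always written so colour is never the only indicator.
function applyToggleClassDecorator(decorator, cell, row) {
  if (decorator.type !== "toggleClass") {
    throw new TypeError("unsupported decorator type: " + decorator.type);
  }
  const raw = row[decorator.field];
  const value = raw == null ? "" : String(raw).trim().toLowerCase();
  for (const cls of Object.values(decorator.mapping)) cell.classes.delete(cls);
  const cls = decorator.mapping[value];
  if (cls) cell.classes.add(cls);
  // Known class -> "C0".."C3"; empty -> "unrated"; unknown enum ID -> shown verbatim.
  cell.text = cls ? value.toUpperCase() : (value === "" ? "unrated" : value);
  return cell;
}

// Constructed walk-through: one cell rated c3, then corrected to C1, then cleared.
function demo() {
  const cell = makeCell();
  const states = [];
  for (const row of [{ controllability: "c3" }, { controllability: "C1" }, {}]) {
    applyToggleClassDecorator(CONTROLLABILITY_DECORATOR, cell, row);
    states.push({ classes: [...cell.classes], text: cell.text });
  }
  return states;
}

console.log(demo());
```

Clearing all mapped classes rather than only "the previous one" keeps the decorator stateless: it does not need to remember what it set last time, which is exactly the situation when a row is re-rendered from a fresh query.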

ASIL Matrix: S × E × C Determination

Controllability feeds into the three-dimensional ASIL determination table (ISO 26262-3 Table 4) as one axis. S0, E0 and C0 do not appear in the table: a hazardous event rated S0, E0 or C0 is assigned QM.
Severity | Exposure | C1 (Simply Controllable) | C2 (Normally Controllable) | C3 (Difficult to Control)
S1 (Light and moderate injuries) | E1 (Very low probability) | QM | QM | QM
S1 (Light and moderate injuries) | E2 (Low probability) | QM | QM | QM
S1 (Light and moderate injuries) | E3 (Medium probability) | QM | QM | ASIL A
S1 (Light and moderate injuries) | E4 (High probability) | QM | ASIL A | ASIL B
S2 (Severe injuries, survival probable) | E1 (Very low probability) | QM | QM | QM
S2 (Severe injuries, survival probable) | E2 (Low probability) | QM | QM | ASIL A
S2 (Severe injuries, survival probable) | E3 (Medium probability) | QM | ASIL A | ASIL B
S2 (Severe injuries, survival probable) | E4 (High probability) | ASIL A | ASIL B | ASIL C
S3 (Life-threatening or fatal injuries) | E1 (Very low probability) | QM | QM | ASIL A
S3 (Life-threatening or fatal injuries) | E2 (Low probability) | QM | ASIL A | ASIL B
S3 (Life-threatening or fatal injuries) | E3 (Medium probability) | ASIL A | ASIL B | ASIL C
S3 (Life-threatening or fatal injuries) | E4 (High probability) | ASIL B | ASIL C | ASIL D

ASIL Calculation Formula (Risksheet JavaScript)

TestAuto2 automatically computes ASIL using a lookup function keyed by the three class numbers. The matrix below is the S × E × C table above transcribed into a map; an invalid or missing class raises instead of defaulting to QM, so an unrated cell can never be mistaken for a "no ASIL" result:
function calcASIL(severity, exposure, controllability) {
  // Enum IDs carry the class number as their last character:
  // s0 → 0, s1 → 1, s2 → 2, s3 → 3
  // e0 → 0, e1 → 1, e2 → 2, e3 → 3, e4 → 4
  // c0 → 0, c1 → 1, c2 → 2, c3 → 3
  const s = parseInt(String(severity).trim().substring(1), 10);
  const e = parseInt(String(exposure).trim().substring(1), 10);
  const c = parseInt(String(controllability).trim().substring(1), 10);

  // Reject anything outside the defined classes (including NaN from an empty
  // cell) instead of silently returning QM.
  if (!(s >= 0 && s <= 3 && e >= 0 && e <= 4 && c >= 0 && c <= 3)) {
    throw new RangeError("invalid HARA classes: " + severity + ", " + exposure + ", " + controllability);
  }

  // S0, E0 or C0 → QM (no ASIL is assigned)
  if (s === 0 || e === 0 || c === 0) return "QM";

  // ISO 26262-3 Table 4, keyed by "" + s + e + c (36 combinations)
  const asilMatrix = {
    "111": "QM", "112": "QM", "113": "QM",
    "121": "QM", "122": "QM", "123": "QM",
    "131": "QM", "132": "QM", "133": "A",
    "141": "QM", "142": "A",  "143": "B",

    "211": "QM", "212": "QM", "213": "QM",
    "221": "QM", "222": "QM", "223": "A",
    "231": "QM", "232": "A",  "233": "B",
    "241": "A",  "242": "B",  "243": "C",

    "311": "QM", "312": "QM", "313": "A",
    "321": "QM", "322": "A",  "323": "B",
    "331": "A",  "332": "B",  "333": "C",
    "341": "B",  "342": "C",  "343": "D"
  };

  return asilMatrix["" + s + e + c];
}
Each ASIL level triggers specific functional safety requirements:
  • ASIL A: Basic architectural measures, standard design practices
  • ASIL B: Advanced fault detection, redundancy, defensive design
  • ASIL C: High-integrity design, fault tolerance, systematic error avoidance
  • ASIL D: Maximum integrity, diversity, formal verification, extensive testing

Controllability Assessment Examples

Example 1: Unintended Acceleration During Low-Speed Maneuvering

Hazard: Vehicle accelerates unintendedly while the driver is executing a parking maneuver at low speed.
Controllability Assessment:
Factor | Analysis | Rating
Reaction Time Available | 2-3 seconds; driver is actively controlling the vehicle | Sufficient
Driver Skill Required | Release the accelerator and brake; intuitive response | Minimal
Physical Feasibility | Simple pedal action; no extraordinary effort | Feasible
% of Drivers Capable | 99% or more of licensed drivers | Highly capable
Assessment | Nearly all drivers prevent harm by releasing the throttle and braking | C1: Simply Controllable
ASIL Outcome: If S2 + E3 + C1 → QM per the table above (no ASIL; quality management processes apply). Parking is a frequent situation, so an E4 exposure rating is also plausible; S2 + E4 + C1 → ASIL A.

Example 2: Loss of Steering Response During Emergency Lane Change

Hazard: Electric power steering (EPS) loses assist during a high-speed emergency evasion maneuver; the mechanical steering linkage remains intact.
Controllability Assessment:
Factor | Analysis | Rating
Reaction Time Available | Less than 1 second; driver is already executing an emergency maneuver | Minimal
Driver Skill Required | Hold the intended path with markedly higher steering effort; no unusual technique | Elevated
Physical Feasibility | Steering without assist is possible at highway speed, but the sudden step in effort is startling mid-maneuver | Feasible for most
% of Drivers Capable | 90% or more, but fewer than 99%, complete the maneuver | Above 90%
Assessment | Most drivers retain control, but the effort step and the short reaction window challenge some | C2: Normally Controllable
ASIL Outcome: If S3 + E4 + C2 → ASIL C. Had the assessment found fewer than 90% of drivers capable, the class would be C3 and the same S3 + E4 event would be ASIL D.

Example 3: Complete Brake System Failure at Highway Speed

Hazard: Total loss of hydraulic braking (master cylinder failure affecting both circuits) while the vehicle is traveling at highway speed on a multi-lane freeway.
Controllability Assessment:
Factor | Analysis | Rating
Reaction Time Available | 2-5 seconds before collision risk | Limited but present
Driver Skill Required | Downshift, apply the parking brake and steer to safety; multiple coordinated actions under stress | Expert-level
Physical Feasibility | Possible in principle with exceptional skill; practically uncontrollable for the average driver | Physically difficult
% of Drivers Capable | Fewer than 10% of drivers (professional drivers only) | Nearly impossible
Assessment | The vast majority of drivers cannot prevent a collision | C3: Difficult to Control / Uncontrollable
ASIL Outcome: If S3 + E4 + C3 → ASIL D. Because no driver action can be relied upon, the safety concept must keep braking available automatically (for example redundant hydraulic circuits, an independently actuated electric parking brake, electronic stability control and, where fitted, regenerative braking).

Progressive HARA Workflow Views

TestAuto2 supports four progressive Risksheet views that guide users through the HARA assessment in stages:

Stage 1: Situation Analysis

Focus: Identify operational context and hazardous events
  • Visible Columns: System Element, Category, Operational Phase, Operational Situation, Hazard Name
  • Hidden Columns: Severity, Exposure, Controllability, ASIL, Safety Goals
  • Purpose: Establish what hazards exist and when they occur

Stage 2: Hazard Identification

Focus: Document hazard details, causes, and consequences
  • Visible Columns: Hazard Name, Description, Cause(s), Consequence(s)
  • Hidden Columns: Severity, Exposure, Controllability, ASIL, Safety Goals
  • Purpose: Define the technical details and root factors

Stage 3: HARA Classification (Controllability Assessment Occurs Here)

Focus: Rate Severity, Exposure, and Controllability per ISO 26262
  • Visible Columns: Severity (S0-S3), Exposure (E0-E4), Controllability (C0-C3), ASIL (auto-calculated)
  • Hidden Columns: Safety Goals
  • Purpose: Quantify risk dimensions and trigger ASIL calculation

Stage 4: Safety Goals

Focus: Define mitigation strategies and link to safety goals
  • Visible Columns: ASIL, Safety Goal ID, Safety Goal Title, Safety Goal ASIL (inherited)
  • Hidden Columns: Technical classification details
  • Purpose: Connect hazard mitigation to functional safety concept

Custom Field Definition (Polarion XML)

The controllability enumeration is defined in Polarion as a custom field bound to the Hazard work item type:
<customField id="customfield_controllability">
  <title>Controllability</title>
  <description>ISO 26262 HARA Controllability Classification (C0-C3)</description>
  <type>enum</type>
  <enumId>hara-controllability</enumId>
  <required>true</required>
  <appliesTo>
    <workItemType>hazard</workItemType>
  </appliesTo>
  <fieldDefault>null</fieldDefault>
  <editable>true</editable>
</customField>

Enumeration Definition

<enum id="hara-controllability">
  <title>HARA Controllability</title>
  <description>ISO 26262-3 Table B.4 Controllability Classes</description>
  <value id="c0">
    <name>C0 - Controllable</name>
    <description>Controllable in general</description>
  </value>
  <value id="c1">
    <name>C1 - Simply Controllable</name>
    <description>Simply controllable by average driver</description>
  </value>
  <value id="c2">
    <name>C2 - Normally Controllable</name>
    <description>Normally controllable (>90% of drivers)</description>
  </value>
  <value id="c3">
    <name>C3 - Difficult/Uncontrollable</name>
    <description>Difficult to control or uncontrollable (fewer than 90% of drivers)</description>
  </value>
</enum>


Standards References

Standard | Section | Title | Relevance
ISO 26262-3:2018 | Clause 6 (Hazard analysis and risk assessment), Table 3 | Classes of controllability | Normative definition of C0-C3
ISO 26262-3:2018 | Clause 6, Table 4 | ASIL determination | S × E × C lookup for ASIL assignment
ISO 26262-3:2018 | Annex B (informative), Table B.4 | Controllability classification examples | Worked examples referenced by the class descriptions on this page
ISO 26262-3:2018 | Clause 6 (safety goals) and Clause 7 (functional safety concept) | Safety goal determination | Safety goal derivation and ASIL inheritance from the hazardous events a goal covers
ISO 26262-1:2018 | Vocabulary | Definitions of controllability, hazardous event and ASIL | Terminology used throughout the HARA Risksheet

FAQ

Q: Can controllability be assessed before exposure?
A: Yes. ISO 26262 classifies each hazardous event on all three dimensions and does not mandate an order, but the conventional sequence Severity → Exposure → Controllability → ASIL reflects the analysis logic: what could go wrong → how often the situation occurs → can the driver prevent harm? The Stage 3 Risksheet view presents the columns in that order.

Q: What if expert disagreement exists on the controllability rating?
A: Document the rationale in the HARA Rationale custom field, citing supporting evidence (driver studies, accident data, expert opinion). When uncertain, use the conservative estimate, which is the higher C class (closer to C3), since it yields the higher ASIL.

Q: Does C0 mean "never causes harm"?
A: No. C0 means drivers can generally prevent harm if they are aware and responsive. A C0 hazardous event receives no ASIL, but it still requires proper design and may need a warning if drivers might not notice the condition.

Q: How does controllability differ from SOTIF "Maneuver"?
A: Controllability (ISO 26262) rates the driver's ability to avoid harm after a malfunction. The SOTIF (ISO 21448) "Maneuver" assessment rates the driver's response in a scenario where the function behaves as specified but its performance is insufficient, with no malfunction involved. They use similar assessment logic but apply to different risk frameworks.