
Overview

HAZID risksheet modules in TestAuto2 organize hazard analysis data across four hierarchical levels, supporting systematic hazard identification, situational analysis, ASIL determination, and safety goal derivation. The configuration provides progressive disclosure through workflow-based views, dynamic data queries, and an automated ASIL classification formula aligned with the ISO 26262-3 methodology.

Hierarchy and Levels

The HAZID risksheet uses a 4-level hierarchy to structure hazard analysis data from system scope down to individual safety goals:
Level | Work Item Type | Purpose | Example
1 | systemElement | Scoping the analysis to specific system components or subsystems | AEB System, Sensor Housing Subsystem
2 | operationalSituation | Defining the use-case context in which hazards can occur | Normal driving, Adverse weather, Sensor degradation
3 | hazard | Documenting unsafe events, root causes, and consequences | Delayed braking response, False obstacle detection
4 | safetyGoal | Specifying mitigation objectives and ASIL allocation | Ensure timely braking activation with ASIL B
Levels 1–3 form the analysis structure. Level 4 (safetyGoal) is rendered as a row under its Level 3 hazard and represents the mitigation outcome for that hazard; each safety goal is also a separate safetyGoal work item, linked to the hazard through the ‘mitigates’ relationship.

Column Organization

HAZID columns are organized into four color-coded semantic groups that reflect the ISO 26262-3 analysis workflow:

Group 1: Situation Analysis (Blue #2196F3)

Defines the operational context in which hazards can occur.
Property Name | Type | Default | Description
systemElement | link | | Hierarchical reference to the system element (component/subsystem) being analyzed. Links to systemElement work items. Required for scoping the analysis to specific architecture nodes.
operationalPhase | enum | | The vehicle operational state (startup, normal operation, shutdown, degraded mode, etc.). Constrains hazard analysis to specific system states per ISO 26262-3. Values: startup, normal-operation, shutdown, degraded-mode, emergency-operation.
operationalSituation | text | | Natural-language description of the driving scenario or use-case context (e.g., “highway driving in rain with pedestrian crossing ahead”). Provides the scenario context for the exposure and controllability assessment.
environmentalCondition | enum | | External environmental factors affecting hazard probability (weather, road conditions, temperature, etc.). Values: dry-weather, wet-weather, snow-ice, high-altitude, extreme-temperature.

Group 2: Hazard Identification (Purple #9C27B0)

Documents the hazard event, its root causes, and consequences.
Property Name | Type | Default | Description
hazardDescription | text | | Natural-language description of the unsafe event in observable terms (e.g., “AEB system fails to activate braking when obstacle detected”). Must describe the event, not the failure mechanism; ISO 26262-3 requires a clear distinction between the hazard and its cause.
hazardCause | text | | Root-cause analysis explaining why the hazard can occur (e.g., “Sensor fusion algorithm timeout; communication failure between sensor and ECU”). Multiple causes are common; separate them with semicolons for query filtering.
consequence | text | | The harm or injury resulting from the hazard (e.g., “Collision with obstacle; injury to vehicle occupants or pedestrians”). Must describe actual physical harm, not secondary effects.
hazardCategory | enum | | Classification of the hazard by the kind of fault or failure that gives rise to it, used for filtering and grouping. Values: systematic-fault, random-hw-failure, sensor-failure, algorithm-error, communication-failure, power-failure, thermal-failure.

Group 3: HARA Classification (Orange #FF9800)

Assigns severity, exposure, and controllability ratings and computes ASIL per ISO 26262-3 matrix.
Property Name | Type | Default | Description
severity | enum | | Severity of the potential harm on the ISO 26262-3 four-class scale. Values: S0 (no injuries), S1 (light and moderate injuries), S2 (severe and life-threatening injuries, survival probable), S3 (life-threatening injuries with survival uncertain, fatal injuries). See HARA Severity (S0-S3).
exposure | enum | | Probability of being in the operational situation in which the hazard can lead to harm, on a five-class scale. Values: E0 (incredible), E1 (very low probability), E2 (low), E3 (medium), E4 (high). See HARA Exposure (E0-E4).
controllability | enum | | Ability of the driver or other persons involved to avoid the harm, on a four-class scale. Values: C0 (controllable in general), C1 (simply controllable), C2 (normally controllable), C3 (difficult to control or uncontrollable). See HARA Controllability (C0-C3).
asil | enum (computed) | | Automotive Safety Integrity Level (QM, A, B, C, D) looked up from the ISO 26262-3 matrix (Table 4) using severity, exposure and controllability together. Read-only; formula-generated. See ASIL Classification (QM, A-D).

ASIL Determination Matrix

The ASIL is looked up from the ISO 26262-3 risk matrix (Table 4) using all three classes; any S0, E0 or C0 classification yields QM. Formula logic (Velocity template):
## Index maps for the three HARA classes. S0, E0 and C0 are handled
## below and never index the table.
#set( $severityIndex = { "S1": 0, "S2": 1, "S3": 2 } )
#set( $exposureIndex = { "E1": 0, "E2": 1, "E3": 2, "E4": 3 } )
#set( $controlIndex = { "C1": 0, "C2": 1, "C3": 2 } )

## ISO 26262-3 Table 4. One row per severity class; each row holds one
## entry per exposure class E1..E4, and each entry lists the ASIL for
## controllability C1, C2, C3 in that order.
#set( $rowS1 = [ [ "QM", "QM", "QM" ], [ "QM", "QM", "QM" ], [ "QM", "QM", "A" ], [ "QM", "A", "B" ] ] )
#set( $rowS2 = [ [ "QM", "QM", "QM" ], [ "QM", "QM", "A" ],  [ "QM", "A", "B" ],  [ "A", "B", "C" ] ] )
#set( $rowS3 = [ [ "QM", "QM", "A" ],  [ "QM", "A", "B" ],   [ "A", "B", "C" ],   [ "B", "C", "D" ] ] )
#set( $matrix = [ $rowS1, $rowS2, $rowS3 ] )

## No injury (S0), incredible exposure (E0) or a hazard that is
## controllable in general (C0) means no ASIL is assigned. Otherwise all
## three classes index the table directly; there is no separate
## controllability adjustment step in ISO 26262-3.
#if( $severity == "S0" || $exposure == "E0" || $controllability == "C0" )
  #set( $asil = "QM" )
#else
  #set( $s = $severityIndex.get($severity) )
  #set( $e = $exposureIndex.get($exposure) )
  #set( $c = $controlIndex.get($controllability) )
  #set( $asil = $matrix[$s][$e][$c] )
#end

Group 4: Safety Goal (Green #4CAF50)

Defines the mitigation objective and derives safety goals from hazard analysis.
Property Name | Type | Default | Description
safetyGoalId | text | | Unique identifier for the safety goal (e.g., SG-001, SG-AEB-02). Used for traceability to downstream design requirements and verification. Must be unique within the project.
safetyGoalTitle | text | | Natural-language statement of the mitigation objective (e.g., “Ensure AEB system activates within 500ms of obstacle detection”). Must be observable and measurable.
safetyGoalAsil | enum | | ASIL target for the safety goal, equal to or greater than the hazard ASIL. Determines the verification/validation rigor required. Values: QM, A, B, C, D. Usually matches the computed hazard ASIL or reflects an architecture-level allocation decision.
linkedSafetyGoal | link | | Link to the safetyGoal work item created in Polarion for this analysis. Enables bidirectional traceability to design requirements, failure modes, and verification test cases. Auto-populated or manually linked.
Each hazard row should result in at least one safetyGoal work item. The linkedSafetyGoal field records this relationship. Safety goals are typically created during or immediately after HARA completion and must be linked to downstream design requirements and validation test cases.

Views and Workflow Phases

HAZID risksheet defines multiple views to support progressive disclosure and workflow stages:
View Name | Phase | Visible Columns | Use Case
Identification | Discovery | systemElement, operationalSituation, hazardDescription, hazardCause, consequence | Initial hazard brainstorming; focus on discovery without premature ASIL assignment
Analysis | Rating | All columns | Full HARA analysis after hazard identification is complete; S/E/C rating entry and ASIL computation
Review | Approval | systemElement, hazardDescription, severity, exposure, controllability, asil, safetyGoalTitle | Management review of ASIL allocations and safety goal adequacy
Traceability | Downstream | safetyGoalId, safetyGoalTitle, safetyGoalAsil, linkedSafetyGoal | Linking safety goals to design requirements, SIL requirements, and verification strategies

Data Queries and Dynamic Filtering

HAZID uses Lucene queries to populate picker fields and filter related work items:

System Element Picker

type:systemElement AND backlinkedWorkItems:analyzedBy=TA*
Returns only system elements that have associated hazards, preventing orphaned elements from appearing in scope selection.
Safety Goal Picker

type:safetyGoal AND linkedWorkItems:analyzedFrom=TA*
Filters safety goal candidates to those already linked from HARA analysis, ensuring bidirectional consistency.

Design Requirement Traceability Query

type:designRequirement AND linkedWorkItems:implementsSG=TA*
Used in downstream PowerSheets to show which design requirements implement specific safety goals from HARA.
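The three queries above embed a work-item ID or ID prefix. When that value ever comes from a user-editable field, an unvalidated one can rewrite the query (append an OR, open a parenthesis) and widen a picker to items it should never return. The following is an added example, not TestAuto2 or Polarion code; it assumes only the query shapes shown on this page, and the helper names, the UnsafeQueryValue exception and the sample values are its own.

```python
"""Build the HAZID picker and traceability queries without Lucene injection.

Added example, not TestAuto2 or Polarion code. It assumes the query shapes
shown on this page (type:... AND linkedWorkItems:ROLE=ID); the helper names
and the UnsafeQueryValue exception are this example's own.
"""
import re

# Polarion work-item IDs look like PROJECT-123; the page's queries use only
# a trailing '*' as a prefix wildcard (TA*). Anything outside this shape is
# rejected instead of escaped: Lucene dialects differ in which escapes they
# honour, while a strict allow-list is unambiguous.
_ID_PATTERN = re.compile(r"[A-Za-z][A-Za-z0-9_]*(?:-[0-9]+)?\*?")


class UnsafeQueryValue(ValueError):
    """Raised when a value would change the structure of a Lucene query."""


def safe_id(value: str) -> str:
    """Return value unchanged if it is a plain work-item ID or ID prefix."""
    if not _ID_PATTERN.fullmatch(value):
        raise UnsafeQueryValue(f"refusing to interpolate {value!r} into a query")
    return value


def is_rejected(value: str) -> bool:
    """True when safe_id refuses the value."""
    try:
        safe_id(value)
    except UnsafeQueryValue:
        return True
    return False


def system_element_picker(prefix: str) -> str:
    """System elements that already have a hazard linked via analyzedBy."""
    return f"type:systemElement AND backlinkedWorkItems:analyzedBy={safe_id(prefix)}"


def safety_goal_picker(prefix: str) -> str:
    """Safety goals already linked from HARA rows via analyzedFrom."""
    return f"type:safetyGoal AND linkedWorkItems:analyzedFrom={safe_id(prefix)}"


def design_requirements_for(safety_goal_id: str) -> str:
    """Design requirements that implement one safety goal via implementsSG."""
    return f"type:designRequirement AND linkedWorkItems:implementsSG={safe_id(safety_goal_id)}"


def unchecked_design_requirements_for(safety_goal_id: str) -> str:
    """The naive version, kept only to show what an unchecked ID can do:
    a value such as 'TA-7 OR type:designRequirement' turns the traceability
    query into one that matches every design requirement in the project."""
    return f"type:designRequirement AND linkedWorkItems:implementsSG={safety_goal_id}"


if __name__ == "__main__":
    # Constructed inputs: one legitimate ID and one injection attempt.
    print(design_requirements_for("TA-42"))
    print(unchecked_design_requirements_for("TA-7 OR type:designRequirement"))
    print("rejected:", is_rejected("TA-7 OR type:designRequirement"))
```

Rejecting rather than escaping is deliberate: the page's queries only ever need an ID or an ID prefix, so a value that needs escaping is already a sign that something other than an ID is being passed in.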

Formulas and Computed Properties

ASIL Computation Formula

The ASIL formula implements the ISO 26262-3 severity-exposure-controllability matrix (Table 4). Controllability is a full index into the lookup rather than a post-hoc adjustment, and S0, E0 and C0 each yield QM:
Property: asil
Type: enum (read-only, computed)
Formula: ISO_26262_ASIL_Matrix(severity, exposure, controllability)
Dependencies: severity, exposure, controllability
Recalculation: On severity/exposure/controllability change

Safety Goal Derivation

Each hazard row generates one or more safety goals:
Pattern: For each hazard with S≥S1, E≥E1:
  Create safetyGoal work item with:
    - title: "Mitigate [hazardDescription]"
    - asil: [computed_asil]
    - linkedHazard: [backlink]
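A reference implementation of both the ASIL lookup described in the formula sections above and the safety goal derivation pattern, as an added example that is not TestAuto2 code. ASIL_TABLE transcribes ISO 26262-3 Table 4; Hazard, SafetyGoal, derive_safety_goals and table_is_monotonic are this example's own names; EXAMPLE_HAZARDS is constructed from this page's AEB rows plus one filler row with E0 to exercise the S ≥ S1, E ≥ E1 filter. The monotonicity check is the kind of guard worth running after hand-transcribing the matrix: raising any one of S, E or C must never lower the resulting ASIL.

```python
"""ISO 26262-3 ASIL determination and safety-goal derivation for HAZID rows.

Added example, not TestAuto2 code. ASIL_TABLE transcribes ISO 26262-3
Table 4; the class and function names are this example's own, and the
hazard rows at the bottom are constructed from this page's AEB example.
"""
from dataclasses import dataclass, field
from itertools import product

# ISO 26262-3 Table 4. Outer keys: severity S1..S3; inner keys: exposure
# E1..E4; tuple positions: controllability C1, C2, C3. Any S0, E0 or C0
# classification yields QM and never reaches the table.
ASIL_TABLE = {
    "S1": {"E1": ("QM", "QM", "QM"), "E2": ("QM", "QM", "QM"),
           "E3": ("QM", "QM", "A"),  "E4": ("QM", "A", "B")},
    "S2": {"E1": ("QM", "QM", "QM"), "E2": ("QM", "QM", "A"),
           "E3": ("QM", "A", "B"),   "E4": ("A", "B", "C")},
    "S3": {"E1": ("QM", "QM", "A"),  "E2": ("QM", "A", "B"),
           "E3": ("A", "B", "C"),    "E4": ("B", "C", "D")},
}
ASIL_ORDER = ["QM", "A", "B", "C", "D"]
SEVERITIES = ["S0", "S1", "S2", "S3"]
EXPOSURES = ["E0", "E1", "E2", "E3", "E4"]
CONTROLLABILITIES = ["C0", "C1", "C2", "C3"]


def compute_asil(severity: str, exposure: str, controllability: str) -> str:
    """Look up the ASIL for one S/E/C classification; rejects unknown classes."""
    if (severity not in SEVERITIES or exposure not in EXPOSURES
            or controllability not in CONTROLLABILITIES):
        raise ValueError(f"unknown classification {severity}/{exposure}/{controllability}")
    if "0" in (severity[1], exposure[1], controllability[1]):
        return "QM"
    return ASIL_TABLE[severity][exposure][int(controllability[1]) - 1]


def table_is_monotonic() -> bool:
    """Transcription check: raising S, E or C must never lower the ASIL."""
    rank = ASIL_ORDER.index
    for si, ei, ci in product(range(4), range(5), range(4)):
        here = rank(compute_asil(SEVERITIES[si], EXPOSURES[ei], CONTROLLABILITIES[ci]))
        neighbours = [(si + 1, ei, ci)] if si < 3 else []
        neighbours += [(si, ei + 1, ci)] if ei < 4 else []
        neighbours += [(si, ei, ci + 1)] if ci < 3 else []
        for ns, ne, nc in neighbours:
            if rank(compute_asil(SEVERITIES[ns], EXPOSURES[ne], CONTROLLABILITIES[nc])) < here:
                return False
    return True


@dataclass
class Hazard:
    """One Level 3 risksheet row; asil is recomputed from S/E/C on creation."""
    work_item_id: str
    system_element: str
    hazard_description: str
    severity: str
    exposure: str
    controllability: str
    asil: str = field(init=False)

    def __post_init__(self):
        self.asil = compute_asil(self.severity, self.exposure, self.controllability)


@dataclass
class SafetyGoal:
    """One derived safetyGoal work item with its backlink to the hazard."""
    safety_goal_id: str
    title: str
    asil: str
    linked_hazard: str


def derive_safety_goals(hazards, id_prefix="SG"):
    """One goal per hazard with S >= S1 and E >= E1, numbered SG-001, SG-002..."""
    goals = []
    for hazard in hazards:
        if hazard.severity == "S0" or hazard.exposure == "E0":
            continue  # no harm, or incredible exposure: nothing to mitigate
        goals.append(SafetyGoal(f"{id_prefix}-{len(goals) + 1:03d}",
                                f"Mitigate {hazard.hazard_description}",
                                hazard.asil, hazard.work_item_id))
    return goals


def goal_asil_is_adequate(hazard: Hazard, goal: SafetyGoal) -> bool:
    """A safety goal's ASIL must not be lower than that of the hazard it mitigates."""
    return ASIL_ORDER.index(goal.asil) >= ASIL_ORDER.index(hazard.asil)


# Constructed rows: the two AEB hazards from this page plus a filler row with
# E0. The TA-10x IDs and the third row's wording are this example's own.
EXAMPLE_HAZARDS = [
    Hazard("TA-101", "AEB System",
           "AEB system fails to activate braking within 500ms of obstacle detection",
           "S3", "E3", "C3"),
    Hazard("TA-102", "AEB System",
           "AEB system activates braking for non-existent obstacle",
           "S2", "E2", "C2"),
    Hazard("TA-103", "AEB System",
           "AEB self-test reports a fault while the vehicle is parked",
           "S1", "E0", "C1"),
]
```

Run against the page's example rows, S3/E3/C3 resolves to ASIL C and S2/E2/C2 to QM; a QM row still gets a goal because the derivation pattern filters on S and E only.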

Cell Decorators and Visual Styling

HAZID applies conditional formatting to highlight critical analysis findings:
Decorator | Condition | Effect | Example
ASIL Badge | asil != “QM” | Colored badge (A=teal, B=orange, C=red, D=dark-red) | ASIL D shown in dark red
Severity Color | severity == “S3” | Row background light red (#ffcdd2) | Fatal hazards highlighted
Action Indicator | asil is C or D (compare on the QM < A < B < C < D order, not as strings; a plain string comparison would rank “QM” above “C”) | Yellow warning icon in safetyGoalTitle | High-integrity goals flagged
Traceability Gap | linkedSafetyGoal == null | Gray row background | Hazard rows without a linked safety goal detected
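The decorator conditions above are evaluated here in Python as an added example that is not TestAuto2 code, mainly to make the Action Indicator pitfall concrete: the ASIL enum must be compared by rank, because compared as text “QM” sorts after “C” and every QM row would be flagged. decorate(), the effect strings and the two rows are this example's own; the rows are constructed from the AEB example on this page.

```python
"""Evaluate the HAZID cell decorators with ordinal, not string, ASIL comparison.

Added example, not TestAuto2 code. The decorator names and conditions are
the ones in the table above; decorate(), its effect strings and ROWS are
this example's own, and the rows are constructed.
"""
ASIL_ORDER = ["QM", "A", "B", "C", "D"]
ASIL_BADGE_COLOR = {"A": "#009688", "B": "#FF9800", "C": "#F44336", "D": "#8B0000"}


def asil_at_least(asil: str, threshold: str) -> bool:
    """Ordinal comparison on the QM < A < B < C < D scale."""
    return ASIL_ORDER.index(asil) >= ASIL_ORDER.index(threshold)


def naive_string_compare(asil: str, threshold: str) -> bool:
    """What `asil >= "C"` means if the engine compares strings: lexicographic.
    "QM" sorts after "C", so a QM row would be flagged as high integrity."""
    return asil >= threshold


def decorate(row: dict) -> dict:
    """Return {decorator name: effect} for one risksheet row."""
    effects = {}
    asil = row["asil"]
    if asil != "QM":
        effects["ASIL Badge"] = ASIL_BADGE_COLOR[asil]
    if row["severity"] == "S3":
        effects["Severity Color"] = "#ffcdd2"
    if asil_at_least(asil, "C"):
        effects["Action Indicator"] = "warning-icon:safetyGoalTitle"
    if row.get("linkedSafetyGoal") is None:
        effects["Traceability Gap"] = "row-background:gray"
    return effects


# Constructed rows mirroring the AEB examples on this page; the second one
# has no linked safety goal yet.
ROWS = [
    {"id": "TA-101", "severity": "S3", "asil": "C", "linkedSafetyGoal": "SG-001"},
    {"id": "TA-102", "severity": "S2", "asil": "QM", "linkedSafetyGoal": None},
]

if __name__ == "__main__":
    for row in ROWS:
        print(row["id"], decorate(row))
    print("string compare flags QM as >= C:", naive_string_compare("QM", "C"))
```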

Integration with Other Components

Safety goals derived from HARA link to design requirements via ‘implementsSG’ relationship:
  • HARA Safety Goal → Design Requirement (n:m mapping; one SG may require multiple design requirements)
  • Design Requirements display ASIL inheritance from linked safety goal
  • Design Requirement status cascades to HARA completion status
System FMEA failure modes are cross-referenced to HARA hazards for bidirectional traceability:
  • Failure Mode can link to Hazard via ‘contributesTo’ relationship
  • FMEA Risk Controls tied to hazard mitigation objectives
  • System FMEA documents reference HARA Safety Goals in their scope definition
Validation test cases verify achievement of safety goals:
  • Test Case links to Safety Goal via ‘validatesGoal’ relationship
  • Test Case displays ASIL inheritance from linked safety goal
  • Verification/Validation PowerSheets show coverage of safety goals by test cases

Cross-Reference to System Elements

Hazard analysis is scoped to system elements; all hazards inherit system context:
  • Hazard shows related functions and characteristics from systemElement
  • System FMEA documents reference HARA hazards for their corresponding element
  • System Structure Navigator includes HARA coverage metrics

Configuration Properties

Risksheet.json Structure for HAZID

{
  "documentType": "riskSpecification",
  "risksheetType": "hazid",
  "title": "HAZID - AEB System",
  "description": "ISO 26262-3 Hazard Identification and Risk Assessment",
  
  "hierarchy": {
    "levels": 4,
    "levelDefinitions": [
      { "level": 1, "workItemType": "systemElement", "columnName": "System Element" },
      { "level": 2, "workItemType": "operationalSituation", "columnName": "Operational Situation" },
      { "level": 3, "workItemType": "hazard", "columnName": "Hazard" },
      { "level": 4, "workItemType": "safetyGoal", "columnName": "Safety Goal" }
    ]
  },
  
  "columnGroups": [
    {
      "groupName": "Situation Analysis",
      "groupColor": "#2196F3",
      "columns": [
        { "fieldName": "systemElement", "type": "link", "displayName": "System Element" },
        { "fieldName": "operationalPhase", "type": "enum", "displayName": "Operational Phase" },
        { "fieldName": "operationalSituation", "type": "text", "displayName": "Operational Situation" },
        { "fieldName": "environmentalCondition", "type": "enum", "displayName": "Environmental Condition" }
      ]
    },
    {
      "groupName": "Hazard Identification",
      "groupColor": "#9C27B0",
      "columns": [
        { "fieldName": "hazardDescription", "type": "text", "displayName": "Hazard Description" },
        { "fieldName": "hazardCause", "type": "text", "displayName": "Root Cause(s)" },
        { "fieldName": "consequence", "type": "text", "displayName": "Consequence(s)" },
        { "fieldName": "hazardCategory", "type": "enum", "displayName": "Hazard Category" }
      ]
    },
    {
      "groupName": "HARA Classification",
      "groupColor": "#FF9800",
      "columns": [
        { "fieldName": "severity", "type": "enum", "displayName": "Severity (S)" },
        { "fieldName": "exposure", "type": "enum", "displayName": "Exposure (E)" },
        { "fieldName": "controllability", "type": "enum", "displayName": "Controllability (C)" },
        { "fieldName": "asil", "type": "enum", "computed": true, "displayName": "ASIL" }
      ]
    },
    {
      "groupName": "Safety Goal",
      "groupColor": "#4CAF50",
      "columns": [
        { "fieldName": "safetyGoalId", "type": "text", "displayName": "SG ID" },
        { "fieldName": "safetyGoalTitle", "type": "text", "displayName": "Safety Goal" },
        { "fieldName": "safetyGoalAsil", "type": "enum", "displayName": "SG ASIL" },
        { "fieldName": "linkedSafetyGoal", "type": "link", "displayName": "Work Item" }
      ]
    }
  ],
  
  "views": [
    {
      "viewName": "Identification",
      "visibleColumns": ["systemElement", "operationalSituation", "hazardDescription", "hazardCause", "consequence"],
      "purpose": "Initial hazard brainstorming"
    },
    {
      "viewName": "Analysis",
      "visibleColumns": "all",
      "purpose": "Full HARA with S/E/C/ASIL assignment"
    },
    {
      "viewName": "Review",
      "visibleColumns": ["systemElement", "hazardDescription", "severity", "exposure", "controllability", "asil", "safetyGoalTitle"],
      "purpose": "Management review of ASIL allocations"
    },
    {
      "viewName": "Traceability",
      "visibleColumns": ["safetyGoalId", "safetyGoalTitle", "safetyGoalAsil", "linkedSafetyGoal"],
      "purpose": "Linking safety goals to design requirements and verification"
    }
  ],
  
  "formulas": {
    "asil": {
      "type": "ISO26262ASILMatrix",
      "inputs": ["severity", "exposure", "controllability"],
      "description": "Compute ASIL from S/E/C per ISO 26262-3 Table 4; S0, E0 or C0 yields QM"
    }
  },
  
  "decorators": [
    {
      "field": "asil",
      "condition": "asil != 'QM'",
      "style": "badge",
      "colorMap": { "A": "#009688", "B": "#FF9800", "C": "#F44336", "D": "#8B0000" }
    },
    {
      "field": "severity",
      "condition": "severity == 'S3'",
      "style": "rowBackground",
      "color": "#ffcdd2"
    }
  ]
}
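A risksheet configuration is data that nothing type-checks, so a typo in a view's column list or a formula input only surfaces when the sheet is opened. The linter below is an added example, not TestAuto2 code: the checks and their messages are this example's own, and RISKSHEET is a constructed, trimmed copy of the configuration above (same keys, fewer columns) with a deliberately broken variant built by broken_copy() for the check.

```python
"""Lint a HAZID risksheet.json before it is deployed.

Added example, not TestAuto2 code. The checks and finding texts are this
example's own; RISKSHEET is a constructed, trimmed copy of the page's
configuration, and broken_copy() injects two typos to exercise the linter.
"""
import copy
import json

ASIL_VALUES = {"QM", "A", "B", "C", "D"}

RISKSHEET = json.loads("""
{
  "risksheetType": "hazid",
  "hierarchy": {"levels": 4, "levelDefinitions": [
    {"level": 1, "workItemType": "systemElement"},
    {"level": 2, "workItemType": "operationalSituation"},
    {"level": 3, "workItemType": "hazard"},
    {"level": 4, "workItemType": "safetyGoal"}]},
  "columnGroups": [
    {"groupName": "Situation Analysis", "columns": [
      {"fieldName": "systemElement", "type": "link"},
      {"fieldName": "operationalSituation", "type": "text"}]},
    {"groupName": "HARA Classification", "columns": [
      {"fieldName": "severity", "type": "enum"},
      {"fieldName": "exposure", "type": "enum"},
      {"fieldName": "controllability", "type": "enum"},
      {"fieldName": "asil", "type": "enum", "computed": true}]},
    {"groupName": "Safety Goal", "columns": [
      {"fieldName": "safetyGoalId", "type": "text"},
      {"fieldName": "linkedSafetyGoal", "type": "link"}]}
  ],
  "views": [
    {"viewName": "Identification", "visibleColumns": ["systemElement", "operationalSituation"]},
    {"viewName": "Analysis", "visibleColumns": "all"},
    {"viewName": "Review", "visibleColumns": ["systemElement", "severity", "exposure", "controllability", "asil"]}
  ],
  "formulas": {"asil": {"type": "ISO26262ASILMatrix", "inputs": ["severity", "exposure", "controllability"]}},
  "decorators": [
    {"field": "asil", "condition": "asil != 'QM'", "style": "badge",
     "colorMap": {"A": "#009688", "B": "#FF9800", "C": "#F44336", "D": "#8B0000"}}
  ]
}
""")


def lint_risksheet(cfg: dict) -> list:
    """Return a list of human-readable findings; an empty list means clean."""
    findings = []
    columns = [c for g in cfg.get("columnGroups", []) for c in g.get("columns", [])]
    names = [c["fieldName"] for c in columns]
    declared = set(names)
    for name in sorted({n for n in names if names.count(n) > 1}):
        findings.append(f"duplicate column fieldName '{name}'")

    # Hierarchy levels must be 1..n and agree with the declared count.
    levels = [d["level"] for d in cfg["hierarchy"]["levelDefinitions"]]
    if levels != list(range(1, cfg["hierarchy"]["levels"] + 1)):
        findings.append(f"hierarchy.levels={cfg['hierarchy']['levels']} but levelDefinitions are {levels}")

    # Every named column in a view must exist ("all" is a wildcard).
    for view in cfg.get("views", []):
        visible = view.get("visibleColumns", [])
        for col in ([] if visible == "all" else visible):
            if col not in declared:
                findings.append(f"view '{view['viewName']}' shows undeclared column '{col}'")

    # Computed columns need a formula, and formulas may only read real columns.
    formulas = cfg.get("formulas", {})
    for col in columns:
        if col.get("computed") and col["fieldName"] not in formulas:
            findings.append(f"computed column '{col['fieldName']}' has no formula")
    for target, formula in formulas.items():
        if target not in declared:
            findings.append(f"formula targets undeclared column '{target}'")
        for inp in formula.get("inputs", []):
            if inp not in declared:
                findings.append(f"formula '{target}' reads undeclared input '{inp}'")

    # Decorators must point at real fields; an ASIL colour map at real ASILs.
    for dec in cfg.get("decorators", []):
        if dec["field"] not in declared:
            findings.append(f"decorator on undeclared field '{dec['field']}'")
        if dec["field"] == "asil":
            unknown = set(dec.get("colorMap", {})) - ASIL_VALUES
            if unknown:
                findings.append(f"asil decorator maps unknown values {sorted(unknown)}")
    return findings


def broken_copy() -> dict:
    """Constructed faulty variant: a case typo in a view and a misspelt input."""
    cfg = copy.deepcopy(RISKSHEET)
    cfg["views"][2]["visibleColumns"][1] = "Severity"
    cfg["formulas"]["asil"]["inputs"][2] = "controlability"
    return cfg


if __name__ == "__main__":
    print("clean config:", lint_risksheet(RISKSHEET))
    print("broken config:", lint_risksheet(broken_copy()))
```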

Example: AEB System HAZID Analysis

Hazard Row 1: Delayed Braking Response

Situation
  • System: AEB System
  • Operational Phase: Normal operation
  • Situation: Highway driving at 60 km/h with pedestrian crossing ahead
Hazard
  • Hazard: AEB system fails to activate braking within 500ms of obstacle detection
  • Cause: Sensor fusion timeout; ECU processing delay
  • Consequence: Collision with pedestrian; injury or fatality
HARA Rating
  • S: S3 (fatal)
  • E: E3 (medium)
  • C: C3 (uncontrollable)
  • ASIL: C (ISO 26262-3 Table 4 entry for S3/E3/C3)
Safety Goal
  • SG-001 Ensure AEB activation ≤500ms
  • ASIL: C

Hazard Row 2: False Obstacle Detection

Situation
  • System: AEB System
  • Operational Phase: Normal operation
  • Situation: Highway driving in rain with road reflections
Hazard
  • Hazard: AEB system activates braking for non-existent obstacle
  • Cause: Sensor noise; camera/radar fusion error; reflection misclassification
  • Consequence: Unintended braking; rear-end collision
HARA Rating
  • S: S2 (severe injury)
  • E: E2 (low)
  • C: C2 (normally controllable)
  • ASIL: QM (ISO 26262-3 Table 4 entry for S2/E2/C2; the safety goal is still created because S ≥ S1 and E ≥ E1)
Safety Goal
  • SG-002 Ensure false activation rate ≤0.1/hour
  • ASIL: QM