Demo page details

Page source code: hara.rst

    {% set page="hara.rst" %}
    {% include "demo_page_header.rst" with context %}

    🔍 HARA - Hazard Analysis & Risk Assessment
    ============================================

    This page documents the Hazard Analysis and Risk Assessment for vehicle
    actuation systems of automated vehicles, identifying potential hazardous events
    and their associated ASIL ratings.

    Methodology
    -----------

    The hazard analysis follows ISO 26262-3 and uses the following assessment criteria:

    **Severity (S)** - Potential harm to persons:
      - S0: No injuries
      - S1: Light and moderate injuries
      - S2: Severe and life-threatening injuries (survival probable)
      - S3: Life-threatening injuries (survival uncertain), fatal injuries

    **Exposure (E)** - Probability of operational scenario:
      - E0: Incredible
      - E1: Very low probability
      - E2: Low probability
      - E3: Medium probability
      - E4: High probability

    **Controllability (C)** - Ability to avoid harm through timely reactions of the
    persons involved (the driver or other traffic participants):
      - C0: Controllable in general
      - C1: Simply controllable
      - C2: Normally controllable
      - C3: Difficult to control or uncontrollable

    These ratings determine the ASIL assignment per ISO 26262-3:2018 Table 4. A rating
    of S0, E0 or C0 means no ASIL is required (QM); otherwise the ASIL rises with the
    sum of the three ratings, and ASIL D is reached only for S3, E4 and C3 together.

    Top-Level Hazard
    ----------------

    .. hazard:: Vehicle Not Following Intended Trajectory
       :id: HAZ_TRAJ_DEV
       :asil: D
       :status: open
       :scenario: Automated driving on public roads (all operational scenarios)

       The vehicle deviates from its intended trajectory, potentially resulting in
       collision with other traffic participants or stationary objects.

       This is the fundamental hazard for vehicle actuation systems in automated
       driving. When the actuation system fails to execute the trajectory commands
       correctly, the vehicle may:

       - Depart from the intended lane
       - Collide with obstacles or other vehicles
       - Fail to maintain safe following distance
       - Execute unintended maneuvers

       **ASIL Rationale:** This hazard is assigned **ASIL D**, the highest safety
       integrity level, because trajectory deviation during automated driving can lead
       to severe accidents with life-threatening consequences. The assessment considers:

       - **Severity (S3):** Life-threatening or fatal injuries are likely outcomes
         of trajectory deviation, especially at highway speeds
       - **Exposure (E4):** Trajectory control is continuously active during all automated
         driving operations
       - **Controllability (C3):** In SAE Level 4/5 automation no human driver is
         monitoring the system or ready to take over, so the hazard is treated as
         uncontrollable

       According to ISO 26262-3 Table 4, the combination S3 + E4 + C3 results in
       ASIL D. The same hazard rated C2 (a driver normally able to intervene, as in
       Level 2/3 operation) would yield only ASIL C, so the ASIL D assignment rests on
       the C3 rating.

    .. note::

       While specific operational scenarios may have different S/E/C ratings and lower
       ASIL levels, this example uses ASIL D to demonstrate the most safety-critical case
       for actuation systems in fully automated vehicles.

    Hazard Context
    --------------

    The hazard analysis is performed in the context of the **STPA (System-Theoretic Process
    Analysis)** methodology, which models the vehicle actuation system as a hierarchical
    control structure:

    1. **Trajectory Input**: Commanded trajectory from vehicle automation controller
    2. **Vehicle Dynamics Controller (VDC)**: Translates trajectory to wheel torques and steering angles
    3. **Wheel Rotational Dynamics Controller (WRDC)**: Controls individual wheel dynamics
    4. **Low-level Controllers**: Steering, brake, and drive controllers
    5. **Physical Processes**: Actual vehicle dynamics

    The hazard ``HAZ_TRAJ_DEV`` occurs when any component in this control chain fails,
    resulting in the vehicle not following its intended trajectory.

    Safety Analysis Scope
    ---------------------

    **In Scope:**
      - Failures of actuation system components (controllers, actuators, sensors)
      - Control algorithm malfunctions
      - Communication failures within the actuation system
      - Mechanical/electrical component failures

    **Out of Scope:**
      - Trajectory planning errors (assumed correct in this analysis per ISO 26262-3:7.4.2.2.2)
      - Environment perception failures
      - Vehicle-to-vehicle communication failures
      - Cybersecurity attacks (covered by the TARA per ISO/SAE 21434; that analysis should
        reuse ``HAZ_TRAJ_DEV`` as its safety-related damage scenario, because an attacker
        who injects or tampers with actuation commands produces the same trajectory
        deviation as a random hardware or software fault)

    Next Steps
    ----------

    From this top-level hazard, **20 safety goals** are systematically derived using
    STPA analysis of unsafe control actions. See :doc:`safety_goals` for the complete
    set of safety goals that mitigate this hazard.

    .. seealso::

       **ISO 26262-3:2018** - Road vehicles - Functional safety - Part 3: Concept phase

       **STPA Handbook** - N.G. Leveson and J.P. Thomas, "STPA Handbook," 2018

πŸ” HARA - Hazard Analysis & Risk AssessmentΒΆ

This page documents the Hazard Analysis and Risk Assessment for vehicle actuation systems of automated vehicles, identifying potential hazardous events and their associated ASIL ratings.

Methodology

The hazard analysis follows ISO 26262-3 and uses the following assessment criteria:

Severity (S) - Potential harm to persons:
  • S0: No injuries

  • S1: Light and moderate injuries

  • S2: Severe and life-threatening injuries (survival probable)

  • S3: Life-threatening injuries (survival uncertain), fatal injuries

Exposure (E) - Probability of operational scenario:
  • E0: Incredible

  • E1: Very low probability

  • E2: Low probability

  • E3: Medium probability

  • E4: High probability

Controllability (C) - Ability to avoid harm through timely reactions of the persons involved (the driver or other traffic participants):
  • C0: Controllable in general

  • C1: Simply controllable

  • C2: Normally controllable

  • C3: Difficult to control or uncontrollable

These ratings determine the ASIL assignment per ISO 26262-3:2018 Table 4. A rating of S0, E0 or C0 means no ASIL is required (QM); otherwise the ASIL rises with the sum of the three ratings, and ASIL D is reached only for S3, E4 and C3 together.
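Table 4 is small enough to encode twice and cross-check: once transcribed literally and once as the arithmetic rule above. The following Python is an added example (not code from the page or its project) that does that, and then reads the `:id:` and `:asil:` options of a `.. hazard::` directive to confirm the declared ASIL matches what the S/E/C rationale implies. The regular expressions, the `SEC` class and the sample directive text are constructed for this illustration and are not part of the documentation toolchain.

```python
"""ISO 26262-3:2018 Table 4 as code, plus a declared-vs-computed ASIL check
for ``.. hazard::`` directives.  Added example, not the page's own code."""
import re
from dataclasses import dataclass

# Table 4 transcribed literally: TABLE4[S][E] -> (ASIL for C1, C2, C3).
TABLE4 = {
    1: {1: ("QM", "QM", "QM"), 2: ("QM", "QM", "QM"), 3: ("QM", "QM", "A"), 4: ("QM", "A", "B")},
    2: {1: ("QM", "QM", "QM"), 2: ("QM", "QM", "A"), 3: ("QM", "A", "B"), 4: ("A", "B", "C")},
    3: {1: ("QM", "QM", "A"), 2: ("QM", "A", "B"), 3: ("A", "B", "C"), 4: ("B", "C", "D")},
}
# The same table as a rule: ASIL depends only on S + E + C once all three are non-zero.
ASIL_BY_SUM = {7: "A", 8: "B", 9: "C", 10: "D"}


@dataclass(frozen=True)
class SEC:
    """One S/E/C rating; validated so a typo cannot silently produce QM."""
    s: int  # S0..S3
    e: int  # E0..E4
    c: int  # C0..C3

    def __post_init__(self):
        if not (0 <= self.s <= 3 and 0 <= self.e <= 4 and 0 <= self.c <= 3):
            raise ValueError(f"rating out of range: S{self.s} E{self.e} C{self.c}")


def asil(r: SEC) -> str:
    """ASIL per Table 4: S0/E0/C0 need no ASIL (QM); otherwise
    S+E+C < 7 -> QM, 7 -> A, 8 -> B, 9 -> C, 10 -> D."""
    if 0 in (r.s, r.e, r.c):
        return "QM"
    return ASIL_BY_SUM.get(r.s + r.e + r.c, "QM")


def rule_matches_table4() -> bool:
    """Cross-check the arithmetic rule against every cell of the transcribed table."""
    return all(
        asil(SEC(s, e, c)) == TABLE4[s][e][c - 1]
        for s in (1, 2, 3) for e in (1, 2, 3, 4) for c in (1, 2, 3)
    )


# Constructed parser for the directive header plus its indented ``:key: value`` options.
HAZARD_RE = re.compile(r"^\.\. hazard::.*?\n(?P<opts>(?:[ \t]+:\w+:.*\n)+)", re.MULTILINE)
OPT_RE = re.compile(r"^[ \t]+:(?P<key>\w+):[ \t]*(?P<val>.*)$", re.MULTILINE)


def hazard_options(rst: str) -> list[dict[str, str]]:
    """Return the option fields of every ``.. hazard::`` directive in *rst*."""
    return [
        {m.group("key"): m.group("val").strip() for m in OPT_RE.finditer(h.group("opts"))}
        for h in HAZARD_RE.finditer(rst)
    ]


def check_declared_asil(rst: str, ratings: dict[str, SEC]) -> dict[str, tuple[str, str]]:
    """For each hazard id with a known S/E/C rating, map id -> (declared, computed)."""
    out = {}
    for opts in hazard_options(rst):
        hid = opts.get("id")
        if hid in ratings:
            out[hid] = (opts.get("asil", "").upper(), asil(ratings[hid]))
    return out


# Constructed sample: the directive from this page, shortened to its header and options.
SAMPLE_RST = """\
.. hazard:: Vehicle Not Following Intended Trajectory
   :id: HAZ_TRAJ_DEV
   :asil: D
   :status: open
   :scenario: Automated driving on public roads (all operational scenarios)

   The vehicle deviates from its intended trajectory.
"""

if __name__ == "__main__":
    assert rule_matches_table4()
    # The page's rationale: S3, E4 and C3 (no supervising driver at SAE Level 4/5).
    print(check_declared_asil(SAMPLE_RST, {"HAZ_TRAJ_DEV": SEC(3, 4, 3)}))
    # Rated C2 instead, the same S3/E4 hazard would reach only ASIL C.
    print(asil(SEC(3, 4, 2)))
```

Run as a script it prints `{'HAZ_TRAJ_DEV': ('D', 'D')}` followed by `C`; feeding it a C2 rating for the same hazard reports `('D', 'C')`, which is exactly the mismatch a reviewer should flag before accepting an ASIL D claim.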

Top-Level Hazard

Note

While specific operational scenarios may have different S/E/C ratings and lower ASIL levels, this example uses ASIL D to demonstrate the most safety-critical case for actuation systems in fully automated vehicles.

Hazard Context

The hazard analysis is performed in the context of the STPA (System-Theoretic Process Analysis) methodology, which models the vehicle actuation system as a hierarchical control structure:

  1. Trajectory Input: Commanded trajectory from vehicle automation controller

  2. Vehicle Dynamics Controller (VDC): Translates trajectory to wheel torques and steering angles

  3. Wheel Rotational Dynamics Controller (WRDC): Controls individual wheel dynamics

  4. Low-level Controllers: Steering, brake, and drive controllers

  5. Physical Processes: Actual vehicle dynamics

The hazard HAZ_TRAJ_DEV occurs when any component in this control chain fails, resulting in the vehicle not following its intended trajectory.

Safety Analysis Scope

In Scope:
  • Failures of actuation system components (controllers, actuators, sensors)

  • Control algorithm malfunctions

  • Communication failures within the actuation system

  • Mechanical/electrical component failures

Out of Scope:
  • Trajectory planning errors (assumed correct in this analysis per ISO 26262-3:7.4.2.2.2)

  • Environment perception failures

  • Vehicle-to-vehicle communication failures

  • Cybersecurity attacks (covered by the TARA per ISO/SAE 21434; that analysis should reuse HAZ_TRAJ_DEV as its safety-related damage scenario, because an attacker who injects or tampers with actuation commands produces the same trajectory deviation as a random hardware or software fault)

Next Steps

From this top-level hazard, 20 safety goals are systematically derived using STPA analysis of unsafe control actions. See 🎯 Safety Goals for the complete set of safety goals that mitigate this hazard.

See also

ISO 26262-3:2018 - Road vehicles - Functional safety - Part 3: Concept phase

STPA Handbook - N.G. Leveson and J.P. Thomas, "STPA Handbook," 2018