Hazard analysis and risk assessment (HARA) in an automotive project

For obvious reasons, it isn’t possible to anticipate every possible risk factor related to driving on a road. Risk analysis methods and techniques aim to systematically approach and identify possible hazards during a vehicle’s journey. The goal is to minimise the risk to an acceptable level by creating a robust design. We chose to follow the HARA methodology described in the automotive safety standard ISO 26262. It is the methodology recommended for formulating top-level safety requirements called Safety Goals (SG). To perform this activity, the behaviour and functionality of the vehicle should be described. Automotive Safety Integrity Levels (ASILs) should be assigned to corresponding functionalities.

Spyrosoft suggested that we should start with the definition of possible states in which vehicles could operate. The anticipation of hazards at this stage of the analysis is crucial, as it affects further analysis results. That is why the engineers decided to support this stage with the HAZOP approach. After the first drafts, a fault tree analysis was conducted to check that the defined goals were consistent and reasonable. Moreover, FTA brought some additional hazards, which were not found initially. This methodology was then followed for every safety goal as it was agreed to be the optimal choice.

As we are dealing with a pre-defined vehicle mission, possible road scenarios were defined. During the mission, road conditions could change in unpredictable ways. As a result, a safe state must always be defined to react to possible hazards which can occur not only by failure in the system but also by unpredictable road conditions. The vehicle is supposed to operate in heavy industrialised environments, which creates the challenge of detecting and classifying many dynamic and static objects. However, it is made easier in case of a vehicle to drive on a defined route.

Because we are analysing potential risks, from the perspective of a passenger bus, the major impact is related to the safety of the people involved in potential malfunctions. That is why assessing one of the most important aspects: severity (S0-S3) level, is based on human injuries. Only hazards associated with the malfunctioning behaviour of the designed vehicle are considered. Other road participants are presumed to be functioning correctly. The risk assessment of hazardous events focuses on the harm to each person potentially at risk, I.e., the driver or the passengers of the vehicle causing the hazardous event. Moreover, other people potentially influenced by the considered vehicle malfunction, like cyclists, pedestrians or even occupants of other vehicles, should be taken into consideration. Another important aspect of the hazardous event risk assessment is the probability of exposure (E0 to E4), which is used to determine the considered risks.

The last parameter is controllability (C0-C3). The evaluation of this parameter is an estimate of the probability that someone or something can gain sufficient control of the hazardous event (when it’s already happened). In the case of a self-driving vehicle, this parameter is rigorously assessed as high and does not go beneath three.

To guarantee proper vehicle behaviour, some safety mechanisms must be defined in order to detect, prevent or mitigate risk. The optimal solution is to handle possible faults relatively fast, to prevent their propagation into the system. That is why safety measures were addressed on both systems (customer) and software (Spyrosoft) levels, which correspond to pre-defined safety goals.

Spyrosoft’s tasks in this project were not only the development of software components responsible for processing data from different sensors to establish a collision-free drivable trajectory but also the support of domain knowledge in terms of software development, toolchain definition, Functional Safety processes and quality assurance.