ISO 26262: Road vehicles - Functional safety
This section is the library reference for the Derisker ISO 26262-3 SysML v2 library. It covers the ISO 26262-3:2018 (Road vehicles — Functional safety — Part 3: Concept phase) standard, mapping its entities to SysML v2 model elements.
The library supports three concept-phase activities:

- Item Definition (Clause 5): Vehicle, item, basic and service functions.
- Hazard Analysis and Risk Assessment — HARA (Clause 6): Malfunctions, hazards, operational situations, hazardous events, ASIL rating.
- Functional Safety Concept (Clause 7): Safety goals, functional safety requirements (FSRs), ASIL decomposition.
For step-by-step modelling guidance, see ISO 26262-3. For a complete worked example, see ISO 26262 HARA for Vehicle ADAS.
File Layout
models/iso26262-3/
├── lib/
│ └── Derisker_ISO26262-3.sysml # library (item/HARA/FSC types, S/E/C/ASIL calc, allocations)
└── examples/
└── vehicle-HARA/
└── Vehicle_HARA.sysml # example vehicle HARA model
Importing
public import Derisker_ISO26262_3::*;
ScalarValues is imported privately for numeric attribute formats. CauseAndEffect is imported publicly to enable #causation connections linking malfunctions to hazards.
Quick Reference
Metadata Shortcuts
The library provides metadata shortcuts to declare elements without verbose specialization syntax.
| Shortcut | Underlying Type | Usage |
|---|---|---|
| #basicFunction | BasicFunction | Basic vehicle function; declared inside the top-level vehicle part |
| #serviceFunction | ServiceFunction | Item service function; declared inside a subsystem part |
| #malfunction | MalfunctioningBehaviour | Malfunction; nested inside a service function |
| #hazard | Hazard | Hazard occurrence; typically in a dedicated hazard identification part |
| #operationalSituation | OperationalSituation | Operational situation; in a dedicated identification part |
| #hazardousEvent | HazardousEvent | Hazardous event (hazard + situation + S/E/C); in HARA combination part |
| #safetyGoal | SafetyGoal | Safety goal requirement; in a safety goals requirement def |
| #FSR | FsrTopLevel | Top-level functional safety requirement, derived from a safety goal |
| #FSR_Decomp | FsrDecomp | Decomposed FSR (ASIL decomposition per ISO 26262-9) |
System Architecture Elements
| Element | Usage |
|---|---|
| | Top-level vehicle part (highest hierarchy level) |
| | Major subsystem (e.g., ADAS, ACCS) |
| | Lowest-level item; has |
| FusaSubsystem | Marks an item part as the functional safety analysis scope |
Item Definition Types (Clause 5)
BasicFunction
A basic vehicle-level action such as accelerating, braking, or steering. Declared inside
the top-level vehicle part using #basicFunction. Service functions can declare
dependencies on basic functions to document what vehicle-level capabilities they rely
on.
ServiceFunction
An item-level function provided by the subsystem under analysis. Declared inside a
subsystem part using #serviceFunction. Malfunctions are nested directly inside
service functions.
FusaSubsystem
Marks the item part definition as the scope of functional safety analysis. The subsystem
under analysis (e.g., ADAS) should specialize FusaSubsystem. Carries a fusaItem
boolean attribute.
HARA Types (Clause 6)
MalfunctioningBehaviour
Represents how a service function can fail. Nested inside the service function using
#malfunction.
| Attribute | Description |
|---|---|
| | Text formulation of what the malfunction is |
| | Operating mode(s) of the subsystem in which this malfunction can occur. Not the same as |
| | Category from MalfunctionType |
MalfunctionType
| Value | Description |
|---|---|
| | Function performs beyond its intended range |
| | Function performs below its intended range |
| | Function operates inconsistently |
| | Function activates or responds too late |
| | Function activates without a valid trigger |
| | Function activates before conditions are met |
| | Function produces the opposite effect to intended |
| | Function does not activate at all |
| TBD | Placeholder |
Hazard
A potential source of harm at the vehicle level caused by a malfunction. Declared using #hazard. Link the causative malfunction using a #causation connection : HazardCausationDef. The physical injury classification is captured on the HazardousEvent, not on the hazard itself.

| Attribute | Description |
|---|---|
| | Description of the hazard (potential harm source) |
HazardCausationDef
Typed connection linking a malfunction (cause end) to a hazard (effect end). Use with
#causation connection : HazardCausationDef connect <malfunction> to <hazard>.
Note on causation direction: the malfunction is the cause end and the hazard is the effect end. Malfunctions cause hazards, so write connect <malfunction> to <hazard>.
OperationalSituation
Describes a driving context in which the item is expected to behave safely. Declared
using #operationalSituation. All attributes are optional and can be tailored to
project needs.
| Attribute | Description |
|---|---|
| | Driving activity or use case |
| | Weather or environmental conditions |
| | Road type from DrivableAreaType |
| | Surface material from DrivableAreaSurfaceType |
| | Surface features from DrivableAreaSurfaceFeatures |
| | Surface conditions from DrivableAreaSurfaceConditions |
| | Speed range description |
| | Traffic density and presence of other road users |
| | Driver state or behaviour description |
| | Any other relevant properties |
| | Trucks and buses only |

The referenced enumerations are:

- DrivableAreaType (ISO 34504 §4.4.5.1): Highway, 'Radial road', 'Distributor road', 'Minor road', 'Slip road', 'Parking space', 'Shared space', TBD
- DrivableAreaSurfaceType (ISO 34503 §9.3.7): Asphalt, 'Cement concrete', Pavers, Cobblestone, 'Granite setts', Gravel, TBD
- DrivableAreaSurfaceFeatures (ISO 34503 §9.3.7): Cracks, Potholes, Ruts, Swells, 'Speed bumps', TBD
- DrivableAreaSurfaceConditions (ISO 34503 §9.3.7): Icy, Flooded, 'Standing Water', 'Snow on surface', Wet, 'Surface contamination', Dry, TBD
HazardousEvent
The combination of one hazard and one operational situation. Declared using
#hazardousEvent. Set S, E, C ratings and justifications manually; rating_ASIL is
derived automatically by ASIL_Calc.
| Attribute | Description |
|---|---|
| | Reference to the hazard |
| | Reference to the operational situation |
| harm | Physical injury classification using AIS_Stages |
| | S0–S3 severity rating (set manually) |
| | Rationale for the severity rating |
| | E0–E4 exposure rating (set manually) |
| | Rationale for the exposure rating |
| | C0–C3 controllability rating (set manually) |
| | Rationale for the controllability rating |
| rating_ASIL | Derived automatically from S × E × C by ASIL_Calc — do not set manually |
Functional Safety Concept Types (Clause 7)
SafetyGoal
Top-level requirement preventing or mitigating a hazardous event with ASIL A–D rating.
Declared using #safetyGoal. Link to hazardous events via Mitigate allocations;
derive rating_ASIL using Maximize_ASIL over those allocations.
| Attribute | Description |
|---|---|
| | Describes the safe state(s) of the system when the safety goal is violated |
| rating_ASIL | Derived as the maximum ASIL of all linked hazardous events via Maximize_ASIL |
Mitigate
Allocation linking a safety goal to the hazardous event(s) it mitigates. A safety goal
can carry multiple Mitigate allocations — one per hazardous event it addresses. When
a goal mitigates multiple events, use Maximize_ASIL over all allocations to derive
the goal’s ASIL.
FsrTopLevel (#FSR)
Top-level functional safety requirement directly derived from one or more safety goals.
Use #FSR shortcut. Derive rating_ASIL using Maximize_ASIL over the
Derive allocation(s) linking this FSR to its parent safety goals.
FsrDecomp (#FSR_Decomp)
Decomposed functional safety requirement per ISO 26262-9 ASIL decomposition. Use
#FSR_Decomp shortcut. Set rating_ASIL to an ASIL_QM_decomp value such as
'A(B)' (ASIL A requirement from decomposition of an ASIL B parent).
Derive
Allocation linking a top-level FSR to the safety goal(s) it derives from. An FSR can
carry multiple Derive allocations if it addresses more than one safety goal.
Rating Tables
Severity (S)
Severity rates the potential harm consequence of a hazardous event.
| Class | Description | AIS Reference |
|---|---|---|
| S3 | Life-threatening or fatal injuries | >10 % probability of AIS 5–6 |
| S2 | Severe, life-threatening, survival probable | >10 % probability of AIS 3–6 (and not S3) |
| S1 | Light to moderate injuries | >10 % probability of AIS 1–6 (and not S2 or S3) |
| S0 | No injuries; no ASIL required | AIS 0 |
| TBD | Placeholder | — |
AIS_Stages (Abbreviated Injury Scale)
Used on HazardousEvent.harm to classify the type of potential physical injury.
| Value | Description |
|---|---|
| | No injuries (AIS 0) |
| | Light injuries (e.g., whiplash, skin-deep wounds) |
| | Moderate injuries (e.g., concussion <15 min, uncomplicated fractures) |
| | Severe but not life-threatening (e.g., skull fractures without brain injury) |
| | Severe, life-threatening, survival probable |
| | Critical, life-threatening, survival uncertain |
| | Extremely critical or fatal |
| TBD | Placeholder |
Exposure (E)
Exposure rates the probability that the operational situation occurs.
| Class | Description | Frequency |
|---|---|---|
| E4 | High probability | >10 % of operating time; occurs in almost every drive |
| E3 | Medium probability | 1–10 % of operating time; once a month or more |
| E2 | Low probability | <1 % of operating time; a few times a year |
| E1 | Very low probability | Less than once a year for most drivers |
| E0 | Incredible; no ASIL required | — |
| TBD | Placeholder | — |
Controllability (C)
Controllability rates the ability of drivers or other road users to avoid harm.
| Class | Description | Driver population |
|---|---|---|
| C3 | Difficult to control or uncontrollable | <90 % of drivers can avoid harm |
| C2 | Normally controllable | 90–99 % of drivers can avoid harm |
| C1 | Simply controllable | >99 % of drivers can avoid harm |
| C0 | Controllable in general; no ASIL required | — |
| TBD | Placeholder | — |
ASIL_QM
| Value | Meaning |
|---|---|
| D | Highest safety integrity level |
| C | Upper intermediate |
| B | Lower intermediate |
| A | Lowest safety integrity level |
| QM | Quality Management — no ISO 26262 compliance required |
| TBD | Placeholder |
ASIL Determination
ASIL is computed automatically by ASIL_Calc from the S, E, C ratings on a
HazardousEvent, per ISO 26262-3 Table 4. Do not set rating_ASIL on hazardous
events manually — it is a derived attribute.
Safety goal and FSR ASILs are derived as the maximum (worst-case) ASIL across all
linked hazardous events via Maximize_ASIL.
ASIL Decomposition
Decomposed FSRs use ASIL_QM_decomp values per ISO 26262-9 §5.4.9. The format is
'<result>(<source>)', where result is the ASIL of the decomposed requirement and
source is the ASIL of the parent.
| Value | Meaning |
|---|---|
| 'D' | ASIL D (no decomposition) |
| 'C(D)' | ASIL C from decomposition of ASIL D |
| 'B(D)' | ASIL B from decomposition of ASIL D |
| 'A(D)' | ASIL A from decomposition of ASIL D |
| 'QM(D)' | QM from decomposition of ASIL D |
| 'C' | ASIL C (no decomposition) |
| 'B(C)' | ASIL B from decomposition of ASIL C |
| 'A(C)' | ASIL A from decomposition of ASIL C |
| 'QM(C)' | QM from decomposition of ASIL C |
| 'B' | ASIL B (no decomposition) |
| 'A(B)' | ASIL A from decomposition of ASIL B |
| 'QM(B)' | QM from decomposition of ASIL B |
| 'A' | ASIL A (no decomposition) |
| 'QM(A)' | QM from decomposition of ASIL A |
| TBD | Placeholder |
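As an added stand-alone example (not the Derisker library's own code), the Python below implements the rules the ASIL Determination and ASIL Decomposition sections describe: the ISO 26262-3 Table 4 lookup that ASIL_Calc derives, the worst-case maximum that Maximize_ASIL derives, and a check that a pair of ASIL_QM_decomp values forms a permitted ISO 26262-9 decomposition. The function names are my own, and it assumes a bare value such as 'D' is the undecomposed half that pairs with 'QM(D)'.

```python
import re

# Added example, not the Derisker library's code: Table 4 ASIL derivation,
# worst-case ASIL, and an ISO 26262-9 check on ASIL_QM_decomp pairs like 'A(B)'.
ASIL_RANK = {"QM": 0, "A": 1, "B": 2, "C": 3, "D": 4}

# ISO 26262-3 Table 4, indexed [S-1][E-1][C-1] for S1..S3, E1..E4, C1..C3.
_TABLE4 = [
    [["QM", "QM", "QM"], ["QM", "QM", "QM"], ["QM", "QM", "A"], ["QM", "A", "B"]],  # S1
    [["QM", "QM", "QM"], ["QM", "QM", "A"], ["QM", "A", "B"], ["A", "B", "C"]],    # S2
    [["QM", "QM", "A"], ["QM", "A", "B"], ["A", "B", "C"], ["B", "C", "D"]],      # S3
]

def asil_calc(s: int, e: int, c: int) -> str:
    """Derive a hazardous event's ASIL from its S, E, C ratings (Table 4)."""
    if not (0 <= s <= 3 and 0 <= e <= 4 and 0 <= c <= 3):
        raise ValueError(f"rating out of range: S{s} E{e} C{c}")
    if s == 0 or e == 0 or c == 0:
        return "QM"  # S0, E0 or C0: no ASIL required
    return _TABLE4[s - 1][e - 1][c - 1]

def maximize_asil(asils) -> str:
    """Worst-case ASIL over the hazardous events a safety goal or FSR links."""
    return max(asils, key=ASIL_RANK.__getitem__)  # raises on an empty list

# ISO 26262-9 schemes: parent ASIL -> permitted result pairs, higher ASIL first.
_SCHEMES = {
    "D": {("C", "A"), ("B", "B"), ("D", "QM")},
    "C": {("B", "A"), ("C", "QM")},
    "B": {("A", "A"), ("B", "QM")},
    "A": {("A", "QM")},
}
_DECOMP = re.compile(r"^(QM|[A-D])(?:\((QM|[A-D])\))?$")

def parse_decomp(value: str):
    """Split 'A(B)' into (result, source); a bare 'B' yields ('B', 'B') (assumption)."""
    m = _DECOMP.match(value)
    if not m:
        raise ValueError(f"bad ASIL_QM_decomp value: {value!r}")
    return m.group(1), m.group(2) or m.group(1)

def valid_decomposition(left: str, right: str) -> bool:
    """True if two decomposed FSRs form a permitted split of one parent ASIL."""
    r1, s1 = parse_decomp(left)
    r2, s2 = parse_decomp(right)
    if s1 != s2 or s1 == "QM":  # must share a parent; QM is not decomposed
        return False
    pair = tuple(sorted((r1, r2), key=ASIL_RANK.__getitem__, reverse=True))
    return pair in _SCHEMES[s1]
```

Feeding two 'A(D)' requirements to valid_decomposition returns False, which is the kind of invalid split the decomposition rules are meant to exclude.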
References
- ISO 26262-3:2018 — Road vehicles — Functional safety — Part 3: Concept phase (Clause 5 Item definition, Clause 6 HARA, Clause 7 Functional safety concept; Table 4 ASIL determination; Annex B HARA guidance)
- ISO 26262-9:2018 — Road vehicles — Functional safety — Part 9: ASIL-oriented and safety-oriented analyses (Clause 5 Requirements decomposition, ASIL decomposition schemas)
- ISO 34503 / ISO 34504 — Referenced for operational situation attributes (drivable area types, surface conditions)