ISO 26262 HARA for Vehicle ADAS

This example demonstrates a complete ISO 26262-3 concept phase model for an automotive Level 2 Advanced Driver Assistance System (ADAS). It covers Item Definition (Clause 5), Hazard Analysis and Risk Assessment — HARA (Clause 6), and Functional Safety Concept (Clause 7).

For step-by-step modelling guidance see ISO 26262-3. For library type reference see ISO 26262: Road vehicles - Functional safety.

Model Structure

The example is a single SysML v2 file with one top-level package organized by ISO 26262-3 clause:

package Vehicle_HARA {
    part def ISO26262_3_ItemDefinition { ... }    // Clause 5: Item definition
    part def ISO26262_3_HARA {                    // Clause 6: HARA
        analysis HARA { subject: ADAS }
        part def HARA_Hazards_Identification { ... }
        part def HARA_OpSituations_Identification { ... }
        part def HARA_HazEvents_Combination { ... }
        requirement def VehicleSafetyGoals { ... }
    }
    part def ISO26262_3_FunctionalSafetyConcept { // Clause 7: FSC
        requirement def VehicleFSRs { ... }
    }
}

Scale:

  • 4 ADAS subsystems (ACCS, CSWS, LKAS, FVCMS), 8 service functions

  • ~17 malfunctions covering all MalfunctionType values

  • 6 hazards (ACCS distance-control failures) with causation links

  • 12 operational situations (urban, highway, standstill, wet, icy, pedestrian, tunnel, curve, etc.)

  • 24 hazardous events with full S, E, C ratings and justifications

  • 23 safety goals with derived ASIL and safe states

  • 24 top-level FSRs with ASIL-decomposed sub-requirements

Clause 5: Item Definition

The ADAS item consists of four subsystems. Each subsystem declares service functions with explicit dependency to the basic vehicle functions they rely on:

ADAS subsystems and service functions
part def <ADAS> 'advanced driver assistance system L2' :> FusaSubsystem {
    part accs  : ACCS;   // Adaptive Cruise Control
    part csws  : CSWS;   // Curve Speed Warning
    part lkas  : LKAS;   // Lane Keeping Assistance
    part fvcms : FVCMS;  // Forward Vehicle Collision Mitigation
}

abstract part def <ACCS> 'adaptive cruise control system' :> SystemAnalyses::Subsystem {
    #serviceFunction <F1> maintain_distance {
        dependency requiresFunctions from maintain_distance to vehicle::accelerate, vehicle::brake;
    }
    #serviceFunction <F2> maintain_speed {
        dependency requiresFunctions from maintain_speed to vehicle::accelerate, vehicle::brake;
    }
    #serviceFunction <F3> acc_after_stop {
        dependency requiresFunctions from acc_after_stop to vehicle::accelerate, vehicle::brake;
    }
}
abstract part def <LKAS> 'Lane Keeping Assistance System' :> SystemAnalyses::Subsystem {
    #serviceFunction <F6> keep_center {
        dependency requiresFunctions from keep_center to vehicle::steer;
    }
    #serviceFunction <F7> prevent_drift {
        dependency requiresFunctions from prevent_drift to vehicle::steer;
    }
}
// + CSWS (F4, F5 → indicate) and FVCMS (F8 → brake)

The vehicle part satisfies both the safety goals and FSR sets to close Clause 5–7 traceability:

part def vehicle :> SystemAnalyses::TopLevelSystem {
    satisfy requirement safetyGoals : ISO26262_3_HARA::VehicleSafetyGoals;
    satisfy requirement FSRs        : ISO26262_3_FunctionalSafetyConcept::VehicleFSRs;
    // basic functions: accelerate, brake, steer, indicate, startEngine
}

Clause 6: HARA

Hazards

The example focuses on the ACCS maintain_distance function, which produces the most safety-critical hazard scenarios. Six hazards are identified, each linked to its causative malfunction:

ID

Hazard

Caused by malfunction

H1

Distance allows cut-in in front of ego vehicle

mal_exceed_distance (ExceedingFunction)

H2

Distance not sufficient to avoid front-end collision

mal_narrow_distance (UnderperformingFunction)

H3

Vehicle in front is not detected

mal_no_distance (LackOfFunction)

H4

Inappropriate deceleration without valid cause (phantom braking)

mal_unintended_distance (Unintended)

H5

Vehicle braking response is too late

mal_late_braking (LateFunction)

H6

Insufficient deceleration to maintain distance

mal_insufficient_braking (UnderperformingFunction)

Operational Situations

Twelve situations cover a representative range of real-world driving contexts:

ID

Name

Key attributes

OS1

Urban minor road

Minor road, asphalt, <50 km/h, low traffic

OS2

Highway with obstacle

Highway, <130 km/h, stopped vehicle with hazard lights

OS3

From standstill

Standstill, speed increasing from 0, high traffic density

OS4

Highway normal

Highway, 90–130 km/h, normal traffic

OS5

Highway wet

Highway, wet surface, 90–130 km/h, moderate traffic

OS6

Heavy traffic

Minor road, high pedestrian density, <30 km/h

OS7

Intersection

Distributor road, intersection, <50 km/h

OS8

Rural curve

Radial road, 60–100 km/h, sharp curve ahead

OS9

Slip road

Slip road, 30–80 km/h, merging traffic

OS10

Icy conditions

Highway, icy surface, 30–70 km/h

OS11

Pedestrian area

Shared space, <10 km/h, high pedestrian density

OS12

Tunnel

Highway, tunnel, reduced lighting, 50–110 km/h

Hazardous Events and ASIL Results

24 hazardous events combine the 6 hazards with the applicable subset of operational situations. Examples showing different ASIL outcomes:

Two hazardous events from hazard H1 — different situations, different ASIL
// H1 × OS1 (urban minor road) → ASIL B
#hazardousEvent <HE1> HE1_H1_OS1 {
    ref occurrence redefines hazardRef      = haz_large_distance;
    ref occurrence redefines opSituationRef = os_urban_minor_road;
    attribute redefines harm                = AIS_Stages::AIS3_Severe_NoLifeThreat;
    attribute redefines rating_Severity     = Severity::S2;
    attribute redefines justification_Severity =
        "Front-end collision if lead vehicle brakes suddenly; restricted speed under 50 km/h.";
    attribute redefines rating_Exposure     = Exposure::E4;
    attribute redefines justification_Exposure =
        "Following a vehicle in front on a minor road takes place often";
    attribute redefines rating_Controllability = Controllability::C2;
    attribute redefines justification_Controllability =
        "Avoiding crash while experiencing cut-in is normally controllable.";
    // S2(2) + E4(4) + C2(2) = 8 → ASIL B (derived automatically)
}

// H1 × OS4 (highway normal) → ASIL C
#hazardousEvent <HE4> HE1_H1_OS4 {
    ref occurrence redefines hazardRef      = haz_large_distance;
    ref occurrence redefines opSituationRef = os_highway_normal;
    attribute redefines harm                = AIS_Stages::AIS5_Critical_LifeThreat_SurvivalUncertain;
    attribute redefines rating_Severity     = Severity::S3;
    attribute redefines justification_Severity =
        "High-speed rear collision with stopped vehicle; high fatality risk.";
    attribute redefines rating_Exposure     = Exposure::E4;
    attribute redefines justification_Exposure =
        "Highway driving with ACC following mode is a common scenario";
    attribute redefines rating_Controllability = Controllability::C2;
    attribute redefines justification_Controllability =
        "Driver can react to cut-in but reaction window is reduced at highway speed";
    // S3(3) + E4(4) + C2(2) = 9 → ASIL C (derived automatically)
}

Safety Goals

A safety goal can mitigate multiple hazardous events. When it does, Maximize_ASIL picks the worst-case ASIL from all allocations:

Safety goal mitigating multiple hazardous events
#safetyGoal requirement <SG3> disableACCS {
    require constraint { language "English"
        /* Avoid ACCS operation when safe distance is not maintained or not tracked */
    }
    allocation mitigate_SG3_HE3 : Mitigate allocate self to HE3;
    allocation mitigate_SG3_HE4 : Mitigate allocate self to HE4;
    derived attribute redefines rating_ASIL =
        Maximize_ASIL((mitigate_SG3_HE3, mitigate_SG3_HE4));
    attribute redefines safeStates =
        "ACCS is disabled and ACC status change warning indicated to driver.";
}

Clause 7: Functional Safety Concept

FSRs are derived from safety goals using Derive allocations. Top-level FSRs that require ASIL decomposition per ISO 26262-9 nest #FSR_Decomp sub-requirements:

Top-level FSR with ASIL B decomposed into two ASIL A sub-requirements
#FSR requirement <FSR1> limitAcceleration {
    require constraint { language "English" /* Limit acceleration performance */ }
    allocation derive_SG1_FSR1 : Derive allocate self to SG1;
    derived attribute redefines rating_ASIL = Maximize_ASIL(derive_SG1_FSR1);

    // ASIL B decomposed into two ASIL A requirements (ISO 26262-9)
    #FSR_Decomp requirement <'FSR1.1'> restrictMaxAcceleration {
        require constraint { language "English"
            /* Restrict the maximum acceleration by ACCS */
        }
        attribute redefines rating_ASIL = ASIL_QM_decomp::'A(B)';
    }
    #FSR_Decomp requirement <'FSR1.2'> actuatorPerformanceReq {
        require constraint { language "English"
            /* Establish minimal performance requirements on actuators */
        }
        attribute redefines rating_ASIL = ASIL_QM_decomp::'A(B)';
    }
}

Notable Modelling Patterns

Full Clause 5–7 traceability chain

Malfunctions → Hazards (#causation) → Hazardous Events (S/E/C → ASIL) → Safety Goals (Mitigate) → FSRs (Derive) → Vehicle (satisfy)

ASIL derivation, not assignment

rating_ASIL on HazardousEvent and SafetyGoal is always derived automatically. Never set it manually — the library computes it from the S, E, C inputs or from Maximize_ASIL allocations.

One safety goal mitigating multiple hazardous events

Per ISO 26262-3 §6.4.4.1, similar hazards sharing the same root cause or safe state can be addressed by a single safety goal. Maximize_ASIL correctly propagates the highest ASIL from all allocations.

ASIL decomposition per ISO 26262-9

Decomposed FSRs use #FSR_Decomp with ASIL_QM_decomp values such as 'A(B)', documenting both the sub-requirement ASIL and the original parent ASIL.