---
doc-id: SLM-EPB-HARA-001
version: 1.0
status: Released
date: 2026-05-12
---

# Hazard Analysis & Risk Assessment (HARA)

| Field       | Value                                          |
|-------------|------------------------------------------------|
| Project     | demo-epb (Electric Parking Brake)              |
| Document ID | SLM-EPB-HARA-001                               |
| Date        | 2026-05-12                                     |
| Version     | 1.0                                            |
| Status      | Released                                       |
| Standard    | ISO 26262 Part 3 (Concept Phase)               |
| Author      | Stefan Lohmaier                                |
| Reviewer    | (Tech Lead, independent in a real project)     |
| Approver    | (Safety Manager, independent in a real project)|

---

## 1. Purpose

Identification and classification of all relevant EPB hazards per ISO 26262-3. Safety goals are derived from the hazards, and each is assigned an Automotive Safety Integrity Level (ASIL).

## 2. Item definition

The EPB is an electromechanical system that clamps and releases both rear callipers using two small electric motors.

Item boundary (ISO 26262-3 §5):

- **Inside:** EPB ECU, both calliper motors, EPB switch, status LED
- **Outside:** ESP, engine management, brake system (hydraulic), steering
- **Interfaces:** CAN bus, wheel-speed sensors, inclinometer

## 3. Operational situations & hazards

The following operational situations and hazards were identified in the concept workshop (2026-05-11):

### 3.1 Hazard list

| H-ID | Hazard                                                | Operational situation                 |
|------|-------------------------------------------------------|---------------------------------------|
| H-01 | Unintended release of the parking brake at standstill | Vehicle parked on incline, driver out |
| H-02 | Unintended clamping during driving                    | Driving > 10 km/h                     |
| H-03 | No apply reaction to driver request                   | Standstill, driver actuates switch    |
| H-04 | Loss of clamping force in hold state                  | Parking phase longer than 1 h         |
| H-05 | Motor damage from overcurrent                         | Actuator mechanics blocked            |
| H-06 | Incorrect hill-hold handover (roll-away on incline)   | Drive-away on incline                 |
| H-07 | No release reaction on drive-away                     | Standstill, driver wants to drive     |
| H-08 | LED indicator wrong                                   | Any                                   |

### 3.2 Severity / Exposure / Controllability

Classification per ISO 26262-3 §6:

| Severity | Meaning                                         |
|----------|-------------------------------------------------|
| S0       | No injuries                                     |
| S1       | Light / moderate injuries                       |
| S2       | Severe injuries (survival likely)               |
| S3       | Life-threatening injuries (survival uncertain)  |

| Exposure | Meaning              |
|----------|----------------------|
| E0       | Very unlikely        |
| E1       | Very rare situation  |
| E2       | Rare situation       |
| E3       | Medium likelihood    |
| E4       | Frequent situation   |

| Controllability | Meaning                                  |
|-----------------|------------------------------------------|
| C0              | Generally controllable                   |
| C1              | Simply controllable (>99% of drivers)    |
| C2              | Normally controllable (>90% of drivers)  |
| C3              | Difficult to control or uncontrollable   |

### 3.3 ASIL determination

| H-ID | Description                              | S  | E  | C  | ASIL  |
|------|------------------------------------------|----|----|----|-------|
| H-01 | Unintended release, parking phase        | S3 | E4 | C3 | **D** |
| H-02 | Unintended clamping during driving       | S3 | E4 | C3 | **D** |
| H-03 | No apply reaction to request             | S2 | E4 | C2 | B     |
| H-04 | Clamping force loss in hold              | S3 | E4 | C3 | **D** |
| H-05 | Motor damage from overcurrent            | S1 | E3 | C2 | A     |
| H-06 | Hill-hold failure (roll-away on incline) | S3 | E3 | C3 | C     |
| H-07 | No release reaction                      | S1 | E4 | C2 | A     |
| H-08 | LED indicator wrong                      | S0 | -- | -- | QM    |

The ASIL matrix per ISO 26262-3 Table 4 was applied. H-06 was downgraded from ASIL-D to ASIL-C in review, since a hill-hold failure on dry road remains controllable through driver response (C2/C3 borderline, conservatively rated C3).

## 4. Safety goals

The following safety goals are derived from the hazards:

| SG-ID | Safety goal                                                    | ASIL | Covered hazards |
|-------|----------------------------------------------------------------|------|-----------------|
| SG-01 | The EPB must not unintentionally release while at standstill   | D    | H-01, H-04      |
| SG-02 | The EPB must not unintentionally clamp while driving           | D    | H-02            |
| SG-03 | The EPB must protect against actuator overcurrent              | A    | H-05            |
| SG-04 | Hill-hold must reliably hand over to the apply controller      | C    | H-06            |
| SG-05 | The EPB must respond to driver requests within specified times | B    | H-03, H-07      |

## 5. Safe state

Definitions per ISO 26262-3 §7.4.2.5:

| Item / Function  | Safe state                                   |
|------------------|----------------------------------------------|
| Apply phase      | Stop actuator, set status to APPLIED         |
| Hold phase       | Maintain clamping force (passive)            |
| Release phase    | Return to apply, maintain clamping force     |
| On hardware fault| Force APPLIED state (prevents roll-away)     |

The conservative safe state across all cases is **APPLIED**: it is better to over-clamp than to under-clamp.

## 6. FTTI (Fault Tolerant Time Interval)

| Hazard | FTTI   | Rationale                                                                            |
|--------|--------|--------------------------------------------------------------------------------------|
| H-01   | 5 s    | Roll-away on incline starts after ~1-2 s, manual intervention possible after ~5 s    |
| H-02   | 100 ms | Shock deceleration at 50 km/h must be detected within 100 ms                         |
| H-04   | 30 s   | Clamping force loss accumulates slowly, a periodic check every 50 ms suffices        |
| H-06   | 500 ms | Hill-hold handover must complete before roll-away begins (< 500 ms)                  |

## 7. Functional Safety Requirements (FSR)

The SYS requirements in `reqs/sys/` are derived from the safety goals (see the traceability matrix). Mapping:

| SG-ID | SYS requirements                      |
|-------|---------------------------------------|
| SG-01 | SYS-001, SYS-004                      |
| SG-02 | SYS-002 (apply plausibility), SYS-005 |
| SG-03 | SYS-007                               |
| SG-04 | SYS-005, SYS-006                      |
| SG-05 | SYS-002, SYS-003                      |

## 8. Revision history

| Version | Date       | Change                     | Author      |
|---------|------------|----------------------------|-------------|
| 0.1     | 2026-05-11 | Initial draft              | S. Lohmaier |
| 1.0     | 2026-05-12 | First release after review | S. Lohmaier |
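The ASIL determination in section 3.3 and the hazard-to-goal mapping in section 4 are the kind of tables that drift between revisions, so a reviewer typically recomputes them. The script below is an added example, not part of the demo-epb project: it encodes the ISO 26262-3 Table 4 matrix, recomputes each hazard's ASIL from its S/E/C rating, reports rows whose documented ASIL differs (which must then carry a recorded review rationale, as H-06 does), and checks that every non-QM hazard is covered by a safety goal of at least that ASIL. The hazard and safety-goal data are transcribed from the tables above.

```python
# Consistency checks for the EPB HARA tables. Added example, not project code;
# hazard and safety-goal data are transcribed from sections 3.3 and 4.

ASIL_ORDER = ["QM", "A", "B", "C", "D"]

# H-ID: (S, E, C, documented ASIL) from section 3.3; None stands for "--".
HAZARDS = {
    "H-01": ("S3", "E4", "C3", "D"), "H-02": ("S3", "E4", "C3", "D"),
    "H-03": ("S2", "E4", "C2", "B"), "H-04": ("S3", "E4", "C3", "D"),
    "H-05": ("S1", "E3", "C2", "A"), "H-06": ("S3", "E3", "C3", "C"),
    "H-07": ("S1", "E4", "C2", "A"), "H-08": ("S0", None, None, "QM"),
}

# SG-ID: (ASIL, covered hazards) from section 4.
SAFETY_GOALS = {
    "SG-01": ("D", ["H-01", "H-04"]), "SG-02": ("D", ["H-02"]),
    "SG-03": ("A", ["H-05"]), "SG-04": ("C", ["H-06"]),
    "SG-05": ("B", ["H-03", "H-07"]),
}


def asil_from_sec(s, e, c):
    """ISO 26262-3 Table 4. Any S0/E0/C0 (or unrated) class gives QM;
    otherwise the ASIL follows the sum of the class indices:
    7 -> A, 8 -> B, 9 -> C, 10 -> D, 6 or less -> QM."""
    if s == "S0" or e in (None, "E0") or c in (None, "C0"):
        return "QM"
    total = int(s[1]) + int(e[1]) + int(c[1])
    return {7: "A", 8: "B", 9: "C", 10: "D"}.get(total, "QM")


def asil_mismatches(hazards=HAZARDS):
    """Rows whose documented ASIL differs from the Table 4 result, returned
    as {hazard: (documented, computed)}; each needs a recorded rationale."""
    result = {}
    for hid, (s, e, c, documented) in hazards.items():
        computed = asil_from_sec(s, e, c)
        if computed != documented:
            result[hid] = (documented, computed)
    return result


def coverage_gaps(hazards=HAZARDS, goals=SAFETY_GOALS):
    """(non-QM hazards with no safety goal, goals rated below a hazard they
    cover). A safety goal inherits the highest ASIL of its hazards."""
    uncovered = {h for h, row in hazards.items() if row[3] != "QM"}
    weak_goals = []
    for sg, (sg_asil, covered) in goals.items():
        uncovered -= set(covered)
        highest = max((hazards[h][3] for h in covered), key=ASIL_ORDER.index)
        if ASIL_ORDER.index(sg_asil) < ASIL_ORDER.index(highest):
            weak_goals.append(sg)
    return sorted(uncovered), weak_goals
```

Run against the tables above, the coverage check is clean, but the ASIL check reports H-05: Table 4 rates S1/E3/C2 as QM rather than the documented A, so that row needs the same kind of recorded review rationale that section 3.3 gives for H-06.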