Introduction
ISO/IEC 15026-3:2016 (adopted as CAN/CSA-ISO/IEC 15026-3:16) is the third part of the ISO/IEC 15026 series, which addresses systems and software assurance. This standard provides requirements and guidance for the definition and use of system integrity levels (SILs) to manage risk in engineered systems. It is applicable to a wide range of domains, including automotive (ISO 26262), aerospace (DO-178C), industrial process (IEC 61511), and medical devices (IEC 62304). The standard establishes a framework for linking the degree of risk reduction required for a system to the rigour of assurance activities needed to justify that reduction.
Scope
ISO/IEC 15026-3:2016 specifies:
- Concepts and definitions related to integrity levels.
- Requirements for determining the necessary integrity level for a system, product, or software item based on the severity and likelihood of harm.
- Requirements for establishing integrity level requirements that drive the selection of assurance measures.
- Guidance on the relationship between integrity levels and the confidence needed in the assurance argument.
The standard is intended for use by systems engineers, software engineers, safety engineers, and assurance practitioners. It is independent of any specific application domain and can be tailored to fit domain-specific practices.
Technical Requirements
Definition of Integrity Levels
The standard defines a generic integrity level scheme typically comprising four levels (1 through 4), where Level 1 corresponds to the lowest risk reduction and Level 4 the highest. Each integrity level is associated with a target risk reduction factor and corresponding assurance requirements. The standard requires that the assignment of an integrity level be based on a systematic risk analysis considering the consequences of failure and the likelihood of exposure.
Tip: When performing risk analysis, always document the context (use cases, environmental conditions, human factors) that influence the severity and exposure assumptions. This traceability is critical for consistency.
Integrity Level Selection Process
The standard prescribes a process that includes:
- Identify hazards and failure modes.
- Analyse risk by combining severity and probability (with and without risk reduction measures).
- Determine the required risk reduction necessary to achieve an acceptable residual risk.
- Map the required risk reduction to an integrity level using the table provided or a domain-specific scheme.
- Define the assurance activities that are mandatory for that integrity level.
Table 1: Example Integrity Level Characteristics (Adapted from ISO/IEC 15026-3)
| Integrity Level | Required Risk Reduction Factor | Assurance Rigour | Typical Application |
|---|---|---|---|
| 1 | <10 | Low | Minor injury or equipment damage |
| 2 | 10–100 | Medium | Serious injury |
| 3 | 100–1000 | High | Fatality or severe environmental harm |
| 4 | >1000 | Very high | Catastrophic (multiple fatalities, major ecological damage) |
Assurance Requirements Mapping
Each integrity level triggers a specific set of assurance activities, such as design reviews, testing, formal methods, verification depth, and independence of review. The standard requires that the assurance activities be proportional to the integrity level and that the assurance argument (or assurance case) demonstrates compliance with all applicable requirements.
Table 2: Mapping of Integrity Levels to Assurance Activities (Illustrative)
| Activity | SIL1 | SIL2 | SIL3 | SIL4 |
|---|---|---|---|---|
| Hazard analysis | Yes | Yes | Yes | Yes |
| Requirements traceability | Informal | Informal | Formal | Formal |
| Code review | Peer | Independent | Independent | Independent + formal |
| Unit testing coverage | Statement | Branch | MC/DC | MC/DC + condition |
| Integration testing | Yes | Yes | Yes + formal | Formal methods |
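As an added worked example (not from the standard or from this article's author), the selection process and the illustrative Tables 1 and 2 above can be expressed as a small Python model: the required risk reduction is taken as the ratio of the unmitigated hazard rate to the tolerable residual rate, mapped to a level with the Table 1 bands, and the Table 2 activities for that level are looked up. The hazard figures are constructed, and a value on a band boundary is assumed to belong to the higher band.

```python
# Added example (not from the standard): the selection process and the
# illustrative Tables 1 and 2 above, expressed as a small Python model.
from dataclasses import dataclass

# Table 1 bands as (lower bound of required risk reduction factor, level).
# Assumption: a boundary value belongs to the higher band (e.g. 10 -> level 2).
LEVEL_BANDS = [(1000, 4), (100, 3), (10, 2), (0, 1)]

# Table 2 cells, indexed by level - 1.
ASSURANCE_ACTIVITIES = {
    "Hazard analysis":           ["Yes", "Yes", "Yes", "Yes"],
    "Requirements traceability": ["Informal", "Informal", "Formal", "Formal"],
    "Code review":               ["Peer", "Independent", "Independent", "Independent + formal"],
    "Unit testing coverage":     ["Statement", "Branch", "MC/DC", "MC/DC + condition"],
    "Integration testing":       ["Yes", "Yes", "Yes + formal", "Formal methods"],
}

@dataclass(frozen=True)
class Hazard:
    name: str
    unmitigated_rate: float  # hazardous events per year with no risk reduction measures
    tolerable_rate: float    # acceptable residual events per year for this severity

def required_risk_reduction(h: Hazard) -> float:
    """Risk reduction factor needed to bring the hazard down to its tolerable rate."""
    if h.unmitigated_rate <= 0 or h.tolerable_rate <= 0:
        raise ValueError("rates must be positive")
    return max(1.0, h.unmitigated_rate / h.tolerable_rate)  # no reduction needed -> 1

def integrity_level(rrf: float) -> int:
    """Map a required risk reduction factor to its Table 1 integrity level (1..4)."""
    return next(level for lower, level in LEVEL_BANDS if rrf >= lower)

def assurance_profile(level: int) -> dict:
    """The Table 2 activities mandated at the given level."""
    if level not in (1, 2, 3, 4):
        raise ValueError("integrity level must be 1..4")
    return {activity: cells[level - 1] for activity, cells in ASSURANCE_ACTIVITIES.items()}

# Constructed sample hazard: a pump controller fault causing overpressure (potential fatality).
PUMP_HAZARD = Hazard("uncontrolled overpressure", unmitigated_rate=0.05, tolerable_rate=1e-4)

if __name__ == "__main__":
    rrf = required_risk_reduction(PUMP_HAZARD)   # 500 -> level 3 under Table 1
    level = integrity_level(rrf)
    print(f"{PUMP_HAZARD.name}: RRF {rrf:.0f} -> integrity level {level}")
    for activity, rigour in assurance_profile(level).items():
        print(f"  {activity}: {rigour}")
```

Replacing the two tables with a domain-specific scheme (e.g. ASIL or IEC 61508 SIL bands) is the tailoring step described under Implementation Highlights.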
Implementation Highlights
Deploying ISO/IEC 15026-3:2016 in an organisation requires careful integration with existing development and safety processes. Key steps include:
- Tailoring the generic integrity level definitions to align with domain standards (e.g., using ASIL in automotive or SIL in process safety).
- Defining an integrity level assignment policy that includes risk acceptance thresholds and review authorities.
- Building an assurance case structure that captures the evidence produced for each integrity level requirement.
- Training teams on the relationship between integrity levels and the depth of verification/validation activities.
Warning: A common pitfall is to assign integrity levels without a proper hazard and risk analysis. This can lead to either over-engineering (costly) or under-engineering (unsafe). Always base the assignment on a documented risk assessment.
The standard does not mandate a specific lifecycle model, but it recommends that integrity level requirements be established early and maintained throughout the system lifecycle. Any change in the operational context or design may trigger a reassessment of the integrity level.
Compliance Notes
Organisations seeking to demonstrate compliance with ISO/IEC 15026-3:2016 should consider the following:
- Auditability: All integrity level assignments must be traceable to risk analysis results. Maintain a safety/assurance plan that documents the approach.
- Consistency: The set of assurance activities for each level must be applied uniformly across subsystems. Discrepancies can weaken the overall assurance argument.
- Independence: The standard usually requires independent assessment for higher integrity levels (e.g., SIL3 and SIL4).
- Documentation: Maintain an assurance case that includes the integrity level assignment rationale, the assurance activities performed, and the evidence collected.
Success: Companies that align their processes with ISO/IEC 15026-3:2016 often find that it not only improves safety but also enhances overall system quality and reduces rework by enforcing rigour early in development.
For organisations working in regulated markets (e.g., medical devices, railways, defence), compliance with this standard may be an intermediate step to meeting national or regional regulations. The standard is designed to coexist with domain-specific standards; it provides the overarching integrity level framework that can be instantiated by other norms.
Tip: When benchmarking against domain standards such as ISO 26262 (automotive) or IEC 61508 (general), map the integrity levels using the risk reduction factor matrix provided in Annex A of ISO/IEC 15026-3. This helps in achieving equivalence.
Q: What is the difference between ISO/IEC 15026-3 and IEC 61508?
A: IEC 61508 is a domain-generic standard for functional safety and uses Safety Integrity Levels (SILs). ISO/IEC 15026-3 provides a higher-level integrity level framework that is not limited to electrical/electronic/programmable systems but applies to any system including software-only items. The two are aligned; many of the concepts in ISO/IEC 15026-3 are drawn from IEC 61508 but generalised.
Q: Is ISO/IEC 15026-3 applicable only to safety-critical systems?
A: No. While it originated from safety considerations, the concept of integrity levels can be applied to security, reliability, or any property where a graded assurance is required. The standard does not prescribe a specific attribute; it only defines the mechanism of level-based assurance.
Q: How does the standard handle multiple integrity levels in one system?
A: The standard allows different parts of a system to have different integrity levels, provided that the risks are independently analysed and that the assurance activities are applied accordingly. Interfaces between parts must be analysed to ensure that a fault in a lower integrity part does not propagate to a higher integrity part.
Document reference: ISO/IEC 15026-3:2016, also adopted as CAN/CSA-ISO/IEC 15026-3:16. This article is for informational purposes and does not replace the full standard text. Last updated: 2026.