Technical Assurance in Systems Engineering: An In-Depth Look at CAN/CSA-ISO/IEC 15026-1-15

Mastering the Foundational Concepts and Vocabulary for Systems and Software Assurance

1. Scope and Foundational Principles

The CAN/CSA-ISO/IEC 15026-1-15 standard, technically identical to ISO/IEC 15026-1:2015, serves as the conceptual bedrock for the entire ISO/IEC 15026 series on systems and software assurance. This foundational document defines the core concepts, overarching vocabulary, and structural framework upon which all assurance cases in the series are built. Unlike its companion parts, Part 1 is deliberately non-prescriptive regarding specific technical processes. Instead, it provides the lingua franca for assurance, ensuring that systems engineers, software developers, safety assessors, and auditors communicate using shared, unambiguous terminology.

Context: While ISO/IEC 15026 comprises four parts (Concepts, Assurance Case, Integrity Levels, Life Cycle), Part 1 is the essential prerequisite. It standardizes terms like “dependability,” “trustworthiness,” and “integrity level,” creating a unifying framework that bridges disparate industries such as aerospace (ARP4754A/DO-178C), automotive (ISO 26262), medical devices (IEC 62304), and industrial automation (IEC 61508).

The scope of this document applies across the entire spectrum of safety-related and mission-critical systems, including software-intensive systems, complex hardware-software hybrids, and purely procedural human operations. The key objective of CAN/CSA-ISO/IEC 15026-1-15 is not to define how to achieve safety, but rather how to structure the argument and justification that the required level of safety, security, or reliability assurance has been met through rigorous engineering processes.

2. Core Technical Terminology and Concepts

The heart of CAN/CSA-ISO/IEC 15026-1-15 lies in its precise definitions. Understanding these terms is mandatory for compliance with the subsequent parts of the series. The standard formalizes the Claim-Argument-Evidence (CAE) model, which forms the backbone of every modern assurance case.

  • Assurance Case: A structured set of arguments and a body of evidence that demonstrates a system satisfies specific claims (e.g., safety, security, reliability).
  • Claim: A statement about a property of the system that is asserted to be true. Claims must be specific, testable, and bounded.
  • Argument: The logical reasoning or rationale that links the evidence to the claim. This is often represented visually using Goal Structuring Notation (GSN).
  • Evidence: Underlying facts, data, and artifacts (test reports, formal analyses, design reviews) that support the argument. Evidence must be valid, current, and traceable.
  • Integrity Level: A set of requirements for achieving a specified degree of trustworthiness in the system.

2.1 Key Terminology Crosswalk

Each entry gives the term, its definition per ISO/IEC 15026-1, and its closest industry equivalent.

  • Claim
    Definition: A statement asserted to be true about the system, requiring justification.
    Industry equivalence: Safety Goal (ISO 26262) / Top-Level System Requirement
  • Argument
    Definition: The reasoning that links specific evidence to a specific claim.
    Industry equivalence: Safety Argument (Def Stan 00-56) / GSN Strategy
  • Evidence
    Definition: Facts and artifacts used to support a claim within an argument.
    Industry equivalence: Verification & Validation Data (DO-178C / ISO 26262)
  • Dependability
    Definition: Collective term for availability, reliability, safety, integrity, and maintainability.
    Industry equivalence: NIST / IEC 60050 definition
  • Trustworthiness
    Definition: The extent to which a system can be justifiably relied upon to perform as expected.
    Industry equivalence: Assurance Level / Integrity Level in safety standards

2.2 The Role of Integrity Levels

A critical concept introduced in this part of the standard is the notion of an Integrity Level. While the detailed requirements for assigning and managing integrity levels are covered in Part 3, Part 1 provides the fundamental vocabulary. An integrity level represents a set of constraints on system design, development rigor, and verification depth. Higher integrity levels demand greater formality, independence, and diversity of evidence.

Common Misunderstanding: Integrity levels are often conflated with raw risk metrics. CAN/CSA-ISO/IEC 15026-1-15 explicitly clarifies that an integrity level is a design constraint, not a dynamic risk indicator. The hazard analysis determines the necessary integrity level; the integrity level then dictates the specific assurance activities required.

3. Implementing the Assurance Framework

Implementing the framework defined by ISO/IEC 15026-1:2015 involves adopting a top-down, structured methodology for organizing your safety or security case. It is a meta-standard for assurance architecture.

  1. Define the System and its Context: Delineate the system boundaries, operating conditions, and assumptions (often called the Scope of the Assurance Case).
  2. Identify Top-Level Claims: For a medical device, this might be “The system does not cause unacceptable patient harm.” For autonomous mining equipment: “The system stops within safe limits if communication is lost.”
  3. Decompose Claims into Sub-Claims: Create a hierarchy of arguments using the vocabulary of the standard.
  4. Identify and Structure Evidence: Classify evidence as direct testing, formal analysis, inspection, or historical field data.
  5. Develop the Living Assurance Case Document: The assurance case should be maintained and updated throughout the system lifecycle.

Best Practice: Notations like Goal Structuring Notation (GSN) or the Claims-Arguments-Evidence (CAE) diagram map directly onto the concepts defined in CAN/CSA-ISO/IEC 15026-1-15. Using these graphical notations ensures end-to-end traceability from high-level regulatory requirements down to individual test logs and design artifacts.

This framework is a mandatory prerequisite for effectively implementing ISO/IEC 15026-2 (Assurance Case) and ISO/IEC 15026-3 (Integrity Levels). Without a firm grasp of the vocabulary established in Part 1, teams risk creating assurance arguments that are structurally unsound and difficult to audit.

4. Compliance and Validation Considerations

Conformity with CAN/CSA-ISO/IEC 15026-1-15 is often an implicit or explicit requirement for demonstrating alignment with sector-specific safety standards.

  • For System Integrators: Using the standard ensures clear communication across cross-disciplinary teams (mechanical, electrical, software). Everyone understands the strict hierarchy of Claims, Arguments, and Evidence.
  • For Auditors: Auditors look for the rigorous application of structured terminology. Is the claim clearly separated from the argument? Is the evidence factual and objective, or are opinions being used to bridge gaps? The standard mandates objective, verifiable evidence.
  • For Safety Managers: The standard provides a robust framework for managing “claims confidence.” If an assumption changes (e.g., a software platform is swapped, or an operating environment changes), the assurance case must be re-evaluated. The vocabulary in Part 1 provides the precise language needed to conduct this impact analysis.

Critical Compliance Gotcha: A common failure in assurance cases is the Evidence Gap. An argument is presented, but the cited evidence only partially covers the claim.

Example: Claim (“The software safely controls the motor”) -> Argument (“We tested on a hardware simulator”) -> Evidence (“Simulator pass logs”).

Rigour Check: If the simulator is not representative of the target CPU, the evidence is invalid. ISO/IEC 15026-1 stresses the requirement for validity and coverage of evidence within the stated context of the argument.
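The section 3 steps and the Rigour Check above can be mechanised. The following is an added example written for this summary; it is not code from the standard, from CSA Group, or from this article. It models the Part 1 vocabulary (claim, argument, evidence, stated context) as plain Python objects and flags the two failure modes discussed here: evidence produced outside the claim's context (the simulator versus target CPU case) and evidence that covers only part of the claim. Every field name, identifier, date, and CPU label is constructed for illustration.

```python
"""Claim-Argument-Evidence (CAE) rigour check for a small assurance case.

Added illustration, not code from ISO/IEC 15026-1 or from the article: models
the Part 1 vocabulary (claim, argument, evidence, context) as Python objects and
checks that every aspect of a claim is covered by evidence that is valid in the
claim's stated context. All identifiers and sample values are constructed.
"""
from dataclasses import dataclass, field
from datetime import date


@dataclass
class Evidence:
    ident: str
    kind: str               # "test", "formal", "inspection" or "field" (article's classes)
    covers: frozenset       # claim aspects this artifact actually speaks to
    context: dict           # conditions under which the artifact was produced
    produced: date          # date the artifact was generated
    traceable_to: str = ""  # report / baseline id it refers to; "" means untraceable


@dataclass
class Argument:
    rationale: str          # the reasoning that links the evidence to the claim
    evidence: list          # Evidence items cited by the argument


@dataclass
class Claim:
    ident: str
    text: str
    aspects: frozenset      # what must be shown for the claim to hold
    context: dict           # scope of the assurance case for this claim
    baseline: date          # evidence older than this no longer describes the system
    argument: Argument
    subclaims: list = field(default_factory=list)


def context_matches(ev_ctx, claim_ctx):
    """Every condition the claim states must also hold for the evidence."""
    return all(ev_ctx.get(key) == value for key, value in claim_ctx.items())


def invalid_evidence(claim):
    """(evidence id, reason) for each cited artifact that cannot support the claim."""
    problems = []
    for ev in claim.argument.evidence:
        if not context_matches(ev.context, claim.context):
            problems.append((ev.ident, "context mismatch"))
        elif not ev.traceable_to:
            problems.append((ev.ident, "not traceable"))
        elif ev.produced < claim.baseline:
            problems.append((ev.ident, "predates baseline"))
    return problems


def evidence_gap(claim):
    """Aspects of the claim that no valid evidence covers; empty set means no gap."""
    rejected = {ident for ident, _ in invalid_evidence(claim)}
    covered = set()
    for ev in claim.argument.evidence:
        if ev.ident not in rejected:
            covered |= ev.covers
    return set(claim.aspects) - covered


def check_case(claim):
    """Walk the claim tree; map each claim that has a gap to its uncovered aspects."""
    report = {}
    gap = evidence_gap(claim)
    if gap:
        report[claim.ident] = sorted(gap)
    for sub in claim.subclaims:
        report.update(check_case(sub))
    return report


# --- constructed sample data mirroring the article's motor-control example ---
BASELINE = date(2025, 1, 15)                  # constructed software baseline date
TARGET = {"target_cpu": "target-mcu-x"}       # constructed target CPU label

# The article's failing case: simulator logs offered for an on-target claim.
SIM_LOGS = Evidence("EV-SIM-01", "test", frozenset({"stop_on_comm_loss", "torque_limit"}),
                    {"target_cpu": "hw-simulator"}, date(2025, 2, 1), "TR-0042")
# On-target test logs that cover only one aspect of the claim (partial coverage).
HIL_LOGS = Evidence("EV-HIL-01", "test", frozenset({"stop_on_comm_loss"}),
                    dict(TARGET), date(2025, 3, 1), "TR-0057")
# Design inspection that covers the remaining aspect.
TORQUE_REVIEW = Evidence("EV-INS-03", "inspection", frozenset({"torque_limit"}),
                         dict(TARGET), date(2025, 3, 4), "DR-0011")


def motor_claim(evidence):
    """The article's top-level claim, with caller-supplied cited evidence."""
    return Claim("C1", "The software safely controls the motor",
                 frozenset({"stop_on_comm_loss", "torque_limit"}), dict(TARGET),
                 BASELINE, Argument("Motor control test suite and design review", evidence))


if __name__ == "__main__":
    for label, cited in (("simulator only", [SIM_LOGS]), ("HIL only", [HIL_LOGS]),
                         ("HIL + review", [HIL_LOGS, TORQUE_REVIEW])):
        print(label, "->", check_case(motor_claim(cited)) or "no evidence gap")
```

Running the script prints a gap on both aspects for the simulator-only case (the evidence is rejected outright because its context does not match the claim), a gap on `torque_limit` for the on-target logs alone (partial coverage, the article's Evidence Gap), and no gap once the inspection record is added. Keying validity on the claim's stated context rather than on the artifact alone is what makes "we tested it" insufficient until the test environment matches the scope of the assurance case.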

Looking Ahead to 2026 and Beyond

As systems become increasingly complex (AI/ML, autonomous driving, cloud infrastructure), the structured assurance framework defined in this standard becomes even more critical. The foundation laid in 2015 remains the premier method for structuring arguments for emergent and complex system behaviors. Organizations adopting CAN/CSA-ISO/IEC 15026-1-15 are effectively future-proofing their assurance engineering processes against evolving regulatory expectations and technological complexity.

Frequently Asked Questions (FAQ)

Q: Is CAN/CSA-ISO/IEC 15026-1-15 directly certifiable on its own?
A: Not typically. It is a vocabulary and concepts standard. Conformity is usually demonstrated by applying its definitions and framework when complying with Part 2 (Assurance Case), Part 3 (Integrity Levels), or a domain-specific standard like ISO 26262. It functions as a prerequisite structural framework rather than a standalone certification target.
Q: How does this standard relate to IEC 61508?
A: They are highly complementary. ISO/IEC 15026 provides a generic, domain-independent assurance case framework. IEC 61508 provides specific technical requirements for functional safety in E/E/PE systems. The structured assurance case methodology from ISO/IEC 15026-1 can be used to document and justify the safety lifecycle deliverables required by IEC 61508.
Q: Does the standard cover cybersecurity assurance?
A: Yes. The concepts of “assurance” and “trustworthiness” in the standard are intentionally domain-agnostic. The Claims-Arguments-Evidence framework applies directly to security assurance cases, such as those built for Common Criteria EALs or automotive cybersecurity (ISO/SAE 21434). The standard explicitly defines that an assurance case can cover safety, security, and reliability concurrently.

© 2026. This article provides a technical summary for educational purposes and does not replace the official standard text published by CSA Group or ISO/IEC.
