
Overview

SAL is calculated automatically from a 4×4 matrix combining threat likelihood (how probable the threat is) and threat impact (the consequence if the threat succeeds). This matrix-based approach aligns with DO-326A security assessment methodology and ensures consistent, quantifiable threat prioritization across the system. The four SAL levels are:

| SAL Level | Risk Color | Description | Security Activities Required |
| --- | --- | --- | --- |
| SAL-0 | Green | Negligible threat — unlikely occurrence with negligible consequences | Minimal or no specialized security activities |
| SAL-1 | Yellow | Low threat — possible occurrence or minor consequences | Basic security controls, standard design practices |
| SAL-2 | Orange | Medium threat — likely occurrence or major consequences | Formal threat assessment, documented countermeasures |
| SAL-3 | Red | High threat — almost certain or catastrophic consequences | Comprehensive security assurance, independent verification |

In DO-326A security analysis, “Security Assurance Level” (SAL) is distinct from Design Assurance Level (DAL) used in ARP 4754A safety assessment. SAL rates the severity of a security threat, while DAL rates the criticality of a system function. A single system element may have both a DAL allocation (e.g., DAL B) and security threats at multiple SAL levels (e.g., SAL-2 and SAL-3).

SAL Calculation Matrix

SAL is computed from the Cartesian product of Threat Likelihood (4 levels) and Threat Impact (4 levels), creating a 4×4 evaluation matrix:

Threat Likelihood Scale

| Level | ID | Description | Definition |
| --- | --- | --- | --- |
| Unlikely | unlikely | Low probability of occurrence | Expected less than once per 1000 flight hours |
| Possible | possible | Moderate probability of occurrence | Expected 1–10 times per 1000 flight hours |
| Likely | likely | High probability of occurrence | Expected 10–100 times per 1000 flight hours |
| Almost Certain | almostCertain | Very high probability of occurrence | Expected more than 100 times per 1000 flight hours |

Threat Impact Scale

| Level | ID | Description | Consequence |
| --- | --- | --- | --- |
| Negligible | negligible | Minimal adverse effect | System continues operation; user may not notice |
| Minor | minor | Small degradation of service | Reduced functionality; user experiences inconvenience |
| Major | major | Significant service loss | Critical function unavailable; mission impact |
| Catastrophic | catastrophic | Complete loss of safety or mission-critical function | Loss of aircraft or loss of life |

SAL Assignment from Likelihood × Impact

The following matrix shows how likelihood and impact combine to determine SAL:
                    IMPACT
                Negligible  Minor      Major      Catastrophic
LIKELIHOOD
Unlikely        SAL-0       SAL-0      SAL-1      SAL-2
Possible        SAL-0       SAL-1      SAL-2      SAL-3
Likely          SAL-1       SAL-2      SAL-2      SAL-3
Almost Certain  SAL-2       SAL-3      SAL-3      SAL-3
Key observations:
  • SAL-0 (green) results from low likelihood + low impact combinations
  • SAL-1 (yellow) represents low-to-moderate risk requiring standard controls
  • SAL-2 (orange) indicates medium-to-high risk requiring formal documentation and mitigation
  • SAL-3 (red) is reserved for threats that are either very likely or have catastrophic consequences

Initial vs. Residual SAL

Security threat assessment uses a two-phase evaluation: Initial SAL (before countermeasures) and Residual SAL (after countermeasures):

Initial SAL Assessment

Initial SAL is determined based on:
  • Initial Likelihood: Probability of the threat succeeding without any countermeasures
  • Initial Impact: Consequence if the threat succeeds
Initial SAL establishes the baseline threat severity and justifies the need for security controls.

Residual SAL Assessment

After implementing security countermeasures, residual assessment evaluates:
  • Residual Likelihood: Reduced probability with countermeasures in place
  • Residual Impact: Impact remains unchanged (countermeasures do not reduce consequence, only prevent occurrence)
Residual SAL must be acceptable for program certification. SAL-3 threats typically require SAL-3 countermeasures to achieve an acceptable residual SAL (usually SAL-1 or lower).
Critical gotcha: Security countermeasures reduce likelihood, not impact. A countermeasure might prevent a threat from occurring (reducing likelihood from “likely” to “unlikely”), but if the threat were to occur, the consequence remains the same. Therefore, residual impact always equals initial impact.

Work Item Fields

Security threats in the Aerospace Safety Solution track SAL using the following custom fields:

Initial Assessment Fields

| Field Name | Type | Description | Enumeration |
| --- | --- | --- | --- |
| initialLikelihood | Enum | Probability of threat before countermeasures | unlikely, possible, likely, almostCertain |
| initialImpact | Enum | Consequence severity before mitigation | negligible, minor, major, catastrophic |
| initialSAL | Enum (read-only) | Auto-calculated SAL from likelihood × impact | sal0, sal1, sal2, sal3 |

Residual Assessment Fields

| Field Name | Type | Description | Enumeration |
| --- | --- | --- | --- |
| residualLikelihood | Enum | Probability of threat after countermeasures | unlikely, possible, likely, almostCertain |
| residualImpact | Enum | Consequence severity (unchanged from initial) | negligible, minor, major, catastrophic |
| residualSAL | Enum (read-only) | Auto-calculated SAL from residual likelihood × impact | sal0, sal1, sal2, sal3 |

The initialSAL and residualSAL fields are automatically calculated by the Security Threat Assessment risksheet using a JavaScript formula that applies the 4×4 likelihood/impact matrix. You do not manually assign SAL values — instead, set likelihood and impact, and SAL populates automatically.
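
The matrix lookup and the residual-impact rule described above can be sketched as follows. This is an added example, not the risksheet's own formula: the enum IDs are the ones listed in the field tables, while the function names, the `maxAcceptable` threshold and the sample threat are assumptions.

```javascript
// Added example: enum IDs are from this page; function names are hypothetical.
const LIKELIHOODS = ["unlikely", "possible", "likely", "almostCertain"];
const IMPACTS = ["negligible", "minor", "major", "catastrophic"];

// Rows follow LIKELIHOODS, columns follow IMPACTS (the page's 4x4 matrix).
const SAL_MATRIX = [
  [0, 0, 1, 2], // unlikely
  [0, 1, 2, 3], // possible
  [1, 2, 2, 3], // likely
  [2, 3, 3, 3], // almostCertain
];

function computeSAL(likelihood, impact) {
  const row = LIKELIHOODS.indexOf(likelihood);
  const col = IMPACTS.indexOf(impact);
  // An unset or unknown enum value yields no SAL instead of a silent sal0.
  if (row < 0 || col < 0) return null;
  return "sal" + SAL_MATRIX[row][col];
}

// Impact is fixed, so the floor for residual SAL is the "unlikely" row.
function bestAchievableSAL(impact) {
  return computeSAL("unlikely", impact);
}

// maxAcceptable is an assumed program threshold (the page says "usually SAL-1").
function assessThreat(t, maxAcceptable = "sal1") {
  const findings = [];
  const initialSAL = computeSAL(t.initialLikelihood, t.initialImpact);
  const residualSAL = computeSAL(t.residualLikelihood, t.residualImpact);
  if (initialSAL === null) findings.push("initial assessment incomplete");
  if (residualSAL === null) findings.push("residual assessment incomplete");
  if (t.residualImpact && t.residualImpact !== t.initialImpact)
    findings.push("residual impact differs from initial impact");
  const before = LIKELIHOODS.indexOf(t.initialLikelihood);
  const after = LIKELIHOODS.indexOf(t.residualLikelihood);
  if (before >= 0 && after > before)
    findings.push("residual likelihood exceeds initial likelihood");
  // "sal0" < "sal1" < "sal2" < "sal3" holds under string comparison.
  const acceptable = findings.length === 0 && residualSAL <= maxAcceptable;
  return { initialSAL, residualSAL, acceptable, findings };
}

// Constructed sample: likelihood drops from likely to unlikely, impact unchanged.
const sample = assessThreat({
  initialLikelihood: "likely", initialImpact: "catastrophic",
  residualLikelihood: "unlikely", residualImpact: "catastrophic",
});
console.log(sample, bestAchievableSAL("catastrophic"));
```

With the matrix as printed, a catastrophic-impact threat cannot go below SAL-2 through likelihood reduction alone, which `bestAchievableSAL` makes explicit for any impact level.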

SAL in the Aerospace Safety Solution

Security Threat Assessment Risksheet

SAL is the primary risk metric in the DO-326A Security Threat Assessment risksheet. The risksheet is organized as a 3-level hierarchy:
  1. System Element (e.g., Processing Core Module)
  2. Attack Surface (e.g., Network, Physical, Software)
  3. Threat Scenario (e.g., Spoofing attack via network interface)
Each threat row displays both initial and residual SAL, allowing security engineers to track threat reduction across the security control implementation plan.

Security Threat Assessment Dashboard

The Security Threat Assessment dashboard provides project-wide threat aggregation, showing:
  • Count of threats by SAL level (SAL-0, SAL-1, SAL-2, SAL-3)
  • Distribution of threats by attack surface type (Network, Physical, Software, Human, Supply Chain, Wireless)
  • Countermeasure status (Planned, In Progress, Implemented, Verified)
  • Comparison of initial vs. residual SAL distribution
This dashboard helps program managers track security assurance progress and identify where countermeasures are still needed.

Relationship to Other Assessments

| Assessment Type | Risk Metric | Scope | Framework |
| --- | --- | --- | --- |
| Functional Safety (FHA/PSSA/SSA) | DAL + Probability | System functions and failure conditions | ARP 4761 |
| Failure Mode Analysis (SFMEA/DFMEA) | RPN (Severity × Occurrence × Detection) | Failure modes and their causes | AIAG FMEA |
| Hazard Analysis (MIL-STD-882E) | Severity + Probability | System hazards | MIL-STD-882E |
| Security Threat Assessment (DO-326A) | SAL (Likelihood × Impact) | Security threats via STRIDE | DO-326A |

Each assessment uses its own risk metric suited to its domain, and the Aerospace Safety Solution integrates all four into a unified risk management system.

SAL Levels and Required Activities

Different SAL levels trigger different security assurance activities, similar to how DAL levels drive certification objectives:

| SAL Level | Likelihood + Impact Combinations | Required Activities | Countermeasure Rigor |
| --- | --- | --- | --- |
| SAL-0 | Unlikely + Negligible/Minor | Basic design review; standard security practices | Standard design controls |
| SAL-1 | Unlikely + Major, Possible + Negligible/Minor, Likely + Negligible | Threat documentation; design countermeasures; peer review | Documented security controls |
| SAL-2 | Possible + Major, Likely + Minor/Major, Unlikely + Catastrophic | Formal threat analysis; design + protective countermeasures; traceability to requirements | Formal security controls with evidence |
| SAL-3 | Almost Certain + any, Likely + Catastrophic, Possible + Catastrophic | Comprehensive threat analysis; multi-layered countermeasures; independent verification | Highest level of assurance; independent review |

The specific activities and evidence artifacts required for each SAL level in the Aerospace Safety Solution should be confirmed against your project’s DO-326A security plan and certification authority guidance. SAL levels serve as a framework for organizing security work, but the detailed implementation depends on your program’s risk management strategy.

Cross-Cutting SAL Concepts

SAL vs. DAL

Program managers often ask: “What is the relationship between SAL and DAL?”
  • DAL (Design Assurance Level) applies to safety-critical functions and comes from FHA/PSSA/SSA analysis (ARP 4761)
  • SAL (Security Assurance Level) applies to security threats and comes from DO-326A threat assessment
A single system element can have:
  • A DAL (e.g., DAL B) — indicating its functional safety criticality
  • Multiple SALs (e.g., SAL-2 network threat, SAL-1 physical threat) — indicating different security threat levels
Both must be satisfied for airworthiness; they represent two independent dimensions of system assurance.

Multi-Select Countermeasures

Security countermeasures (riskControl work items) can address multiple threats simultaneously. For example, an authentication system might reduce SAL for both:
  • Spoofing threats (STRIDE: Spoofing) on the network interface
  • Tampering threats (STRIDE: Tampering) on the system module
The countermeasure is linked to each threat via the ‘mitigates’ link role, and residual SAL is re-evaluated for each threat independently.

Security Threat Assessment Workflow

The typical workflow for security threat assessment follows these steps: Initial Assessment → Security Controls → Residual Assessment. Each threat appears in the Security Threat Assessment risksheet, which guides users through these workflows with dedicated risksheet views.

SAL in Reports and Dashboards

Certification Readiness Scorecard

The Certification Readiness Scorecard includes a row for DO-326A security assessment with:
  • Classification %: Percentage of identified threats with assigned initial likelihood and impact
  • Decomposition %: Percentage of threats linked to system elements (hierarchical organization)
  • Test Coverage %: Percentage of countermeasures with linked verification evidence
  • SAL Coverage %: Percentage of threats with residual SAL assessed (post-mitigation)
  • Doc Inventory: Count of security analysis documents (Security Plan, Threat Assessment report)
Current project statistics for DO-326A security threat analysis may show 0 threats if the project has not yet conducted security threat assessment. The SAL functionality is available and ready to use; activation depends on your certification roadmap.

Page Version: v2
Last Updated: February 2026
Framework: DO-326A / ED-202A Airworthiness Security
Related Standard: ARP 4754A, ARP 4761, MIL-STD-882E