Hands-On: Bidirectional Traceability Setup - ASPICE & Process

Exercise Overview & Setup

This hands-on exercise walks through building a complete bidirectional traceability structure for a realistic automotive ECU project. You will create and link requirements, architecture components, design units, and test cases at every level of the V-model - the way ASPICE expects it to be done on a real project.

Bidirectional traceability means every item can be followed in both directions:

Downward (derivation): From OEM stakeholder requirement → system requirement → software requirement → architectural component → design unit → unit test
Upward (verification): From unit test → design unit → software requirement → system requirement → qualification test confirmation

An ASPICE assessor checking traceability performs exactly this exercise - taking a random requirement and following it in both directions. If any link is missing, the chain is broken and a finding is raised at the responsible process.

📋 Exercise Goals

Build a complete 5-level traceability chain from SYS.2 through SWE.6
Understand what information each link must carry (IDs, direction, rationale)
Identify where traceability breaks most often in real projects
Implement the structure in a spreadsheet-based traceability matrix (suitable for small projects)
Understand how to translate this structure to DOORS, Polarion, or Jira

Project Scenario: Battery Management System (BMS) ECU

Our exercise project is the BMS-3 ECU - a Battery Management System ECU for a 400V EV platform. The OEM Technical Specification provides the following stakeholder-level requirements (SYS.1 inputs):

ID	Stakeholder Requirement (OEM TS)	Source
STK-001	The BMS ECU shall monitor individual cell voltages and temperatures in real time.	OEM TS v4.1 §3.2.1
STK-002	The BMS ECU shall protect the battery pack from overcharge, over-discharge, and over-temperature conditions.	OEM TS v4.1 §3.2.2
STK-003	The BMS ECU shall communicate State of Charge (SoC) and State of Health (SoH) to the vehicle CAN network.	OEM TS v4.1 §3.2.4
STK-004	The BMS ECU shall achieve ASIL-D for the overcharge protection function per ISO 26262.	OEM TS v4.1 §3.5 + HARA Report

We will trace one complete chain from STK-002 (protection functions) through all levels of the V-model. This single chain touches every ASPICE SWE process and demonstrates the complete traceability structure.

Step 1 - SYS.2 System Requirements

SYS.2 decomposes STK-002 into specific, measurable system requirements. Each SYS.2 requirement must be testable, have an acceptance criterion, carry an ASIL rating if safety-relevant, and trace back to the STK requirement that motivated it.

ID	System Requirement	ASIL	Acceptance Criterion	Traces To (↑)
SYS-012	The BMS system shall disconnect the battery pack from the HV bus within 10ms of detecting cell voltage > 4.25V on any cell.	ASIL-D	Oscilloscope measurement: HV relay opens within 10ms of cell voltage crossing 4.25V threshold under all operating temperatures.	STK-002, STK-004
SYS-013	The BMS system shall detect over-temperature condition when any cell temperature exceeds 55°C and initiate thermal protection sequence within 100ms.	ASIL-B	Test bench measurement: thermal protection signal asserted within 100ms of temperature sensor reading exceeding 55°C.	STK-002
SYS-014	The BMS system shall disconnect the battery when State of Charge falls below 5%, measured using the Coulomb counting algorithm with ±2% accuracy.	ASIL-A	Battery discharge test: disconnect occurs within 1 second of SoC reaching 5% with Coulomb counter accuracy verified against reference instrument.	STK-002, STK-003

Key practice: Notice that SYS-012 is ASIL-D - this drives significant ASPICE implications downstream. The SWE processes for the software component implementing this function must use ASIL-D-appropriate development methods (formal reviews, MC/DC coverage, no dynamic memory allocation, etc.).

Step 2 - SWE.1 Software Requirements

SWE.1 receives the software-relevant portions of SYS.2 and decomposes them into software-specific requirements. SYS-012 is partially a hardware function (relay switching) and partially a software function (overvoltage detection and relay control signal). The SWE.1 requirements below address the software portion.

ID	Software Requirement	ASIL	Verification Method	Traces To (↑)
SW-045	The BMS software shall monitor cell voltage for each of the 96 cells in the battery stack at a minimum rate of 10ms.	ASIL-D	Test	SYS-012
SW-046	When the BMS software detects any cell voltage ≥ 4.25V, it shall assert the HV_DISCONNECT_REQUEST signal within 5ms of detection.	ASIL-D	Test + Analysis	SYS-012
SW-047	The HV_DISCONNECT_REQUEST signal shall remain asserted until a manual reset is performed via the service diagnostic interface (UDS service 0x27 seed-key + 0x85 control DTC).	ASIL-C	Test	SYS-012
SW-048	Cell temperature monitoring shall sample all 32 temperature sensors at ≥ 10ms intervals and compute maximum temperature.	ASIL-B	Test	SYS-013
SW-049	When maximum cell temperature ≥ 55°C, the BMS software shall assert THERMAL_PROTECTION_REQUEST within 50ms of the temperature threshold crossing.	ASIL-B	Test + Analysis	SYS-013

Traceability note: SW-045 and SW-046 both trace to SYS-012. Neither alone fully realizes SYS-012 - together they do. ASPICE requires that the allocation table shows that SYS-012 is realized by {SW-045, SW-046} plus the hardware relay driver. This multi-to-multi relationship is the normal case; tools like DOORS handle it natively; Excel matrices must explicitly show it.

Step 3 - SWE.2 Architecture Allocation

SWE.2 defines the software architecture and allocates SWE.1 requirements to specific architectural components. For the BMS, the protection functions are allocated to the CellMonitor and ProtectionManager software components.

SW Component	Allocated Requirements	Interface Provides	Interface Requires
`CellMonitor`	SW-045, SW-048	`CellData_t getCellStatus(uint8_t cellIdx)` - returns voltage, temperature, status flags at 10ms period	ADC driver API for voltage/temp sensing; DMA transfer buffer
`ProtectionManager`	SW-046, SW-047, SW-049	`ProtectionState_t getProtectionState(void)`; `bool isDisconnectRequested(void)`	`getCellStatus()` from CellMonitor; GPIO driver for HV_DISCONNECT_REQUEST; UDS interface for reset command

This allocation table is the key SWE.2 traceability artifact. It shows which component realizes which requirements and defines the interface contract between components. An assessor will use this table to verify that every SWE.1 requirement is allocated to at least one component, and that every component has a clear interface specification.

Step 4 - SWE.3 Unit Design Links

SWE.3 provides detailed design for each software unit, traceable to the architectural component it implements. For ASIL-D functions, the detailed design must be at a level of precision that enables independent verification - function-level pseudocode, state machine diagrams, or formal description.

SW Unit	Parent Component	Traces To (SWE.2)	Design Method	Key Design Decision
`CellVoltageAcq`	`CellMonitor`	SW-045 via CellMonitor	State machine diagram + DMA transfer pseudocode	DMA channel selected for zero-CPU-overhead ADC transfer; ring buffer avoids blocking; voltage conversion formula documented
`OvervoltageDetect`	`ProtectionManager`	SW-046 via ProtectionManager	Function flowchart + timing analysis	Maximum scan time for 96 cells calculated: 96 × 50µs ADC conversion = 4.8ms << 5ms requirement; explicit timing margin documented
`DisconnectControl`	`ProtectionManager`	SW-046, SW-047 via ProtectionManager	State machine: NORMAL → DISCONNECT_REQUESTED → LATCHED → RESET_PENDING → NORMAL	Latching behavior explicitly designed; reset condition requires UDS authentication at security level 3 before state transition allowed

ASIL-D detail requirement: For OvervoltageDetect (ASIL-D), the detailed design must document the timing margin analysis explicitly - not just state "meets timing." The design document must show the calculation so an independent reviewer can verify it. This is the SWE.3 evidence for ASIL-D detailed design sufficiency.

Step 5 - SWE.4 Unit Tests & SWE.6 Qualification Tests

SWE.4 Unit Test Cases (traced to SWE.3 design)

Test ID	Test Description	Traces To (SWE.3)	Coverage Target	Expected Result
UT-OverV-001	Inject simulated cell voltage = 4.24V (just below threshold). Verify HV_DISCONNECT_REQUEST remains de-asserted.	OvervoltageDetect / state NORMAL	Branch: below-threshold path	Signal = LOW; state remains NORMAL
UT-OverV-002	Inject simulated cell voltage = 4.25V (at threshold). Verify HV_DISCONNECT_REQUEST asserted within 5ms.	OvervoltageDetect / state DISCONNECT_REQUESTED	Branch: threshold crossing	Signal = HIGH within 5ms; state = DISCONNECT_REQUESTED
UT-OverV-003	Assert HV_DISCONNECT_REQUEST, then restore cell voltage to 4.0V. Verify signal remains asserted (latch behavior).	DisconnectControl / state LATCHED	Branch: latch retention	Signal remains HIGH; state remains LATCHED regardless of voltage
UT-OverV-004	Assert disconnect, perform UDS 0x27 authentication + 0x85 reset command. Verify state transitions to NORMAL and signal de-asserts.	DisconnectControl / RESET_PENDING → NORMAL	Branch: reset path	Signal = LOW; state = NORMAL after valid reset sequence
UT-OverV-005	Perform invalid UDS reset (wrong seed-key). Verify state remains LATCHED.	DisconnectControl / authentication guard	Branch: failed authentication	State remains LATCHED; DEM event DEM_EVENT_RESET_AUTH_FAIL logged

SWE.6 Qualification Test Cases (traced to SWE.1)

Test ID	Test Description	Traces To (SWE.1)	Environment	Pass Criterion
QT-SW-046-001	Using HIL bench, simulate cell #47 voltage ramp from 4.0V to 4.30V at 0.1V/s. Measure time from 4.25V threshold crossing to HV_DISCONNECT_REQUEST assertion via oscilloscope probe on GPIO pin.	SW-046	HIL + target ECU + oscilloscope	GPIO assertion ≤ 5ms from voltage threshold crossing at all temperatures (-40°C, +25°C, +85°C)
QT-SW-047-001	Trigger overcharge disconnect. Verify signal remains asserted after 10 reset attempts without valid UDS authentication. Then perform valid auth + reset. Verify signal de-asserts.	SW-047	HIL + CAPL script for UDS simulation	Signal remains HIGH for 10 invalid resets; de-asserts within 100ms of valid reset sequence completion

Critical distinction: UT-OverV-001 through UT-OverV-005 are SWE.4 unit tests - they test the software unit in isolation using a test harness, verifying the detailed design logic. QT-SW-046-001 is a SWE.6 qualification test - it tests the complete software against the stated software requirement using a realistic (HIL) environment. Both must exist and both must be traceable to their respective test basis (SWE.3 design vs SWE.1 requirement).

Step 6 - Closing the Loop: SYS.5 Qualification

SYS.5 tests the complete integrated system (SW + HW) against SYS.2 system requirements. SYS-012 required the entire system (not just the software) to disconnect within 10ms. The SYS.5 test must measure the full hardware path including relay switching time.

Test ID	Description	Traces To (SYS.2)	Measurement Method	Pass Criterion
SYS-QT-012-001	Vehicle bench test: ramp cell #12 voltage above 4.25V threshold. Measure elapsed time from threshold crossing to HV bus isolation (current sensor reads zero).	SYS-012	Oscilloscope: channel 1 = cell voltage, channel 2 = HV bus current; trigger on voltage threshold crossing	HV bus current = 0 within 10ms at all operating temperatures. Test repeated 20 times for statistical confidence.

The Complete Traceability Chain - Summary

Level	ID	Artifact	Links ↑	Links ↓
SYS.1	STK-002	OEM TS §3.2.2: battery protection requirement	-	SYS-012
SYS.2	SYS-012	System req: disconnect within 10ms of cell ≥ 4.25V (ASIL-D)	STK-002	SW-045, SW-046
SWE.1	SW-046	SW req: assert HV_DISCONNECT_REQUEST within 5ms of detection	SYS-012	ProtectionManager (SWE.2)
SWE.2	ProtectionManager	SW component: handles SW-046, SW-047, SW-049	SW-046	OvervoltageDetect, DisconnectControl (SWE.3)
SWE.3	OvervoltageDetect	SW unit: state machine + timing analysis	ProtectionManager	UT-OverV-001…005 (SWE.4)
SWE.4	UT-OverV-002	Unit test: threshold crossing, 5ms assertion	OvervoltageDetect	-
SWE.6	QT-SW-046-001	Qualification test: HIL measurement of SW requirement SW-046	SW-046	-
SYS.5	SYS-QT-012-001	System qualification test: full HW+SW disconnect timing	SYS-012	-

An ASPICE assessor picking SYS-012 at random and asking "show me the full traceability chain" can now follow this table from top to bottom and bottom to top. Every link is explicit, every ID is present, and the evidence at each level is tangible and verifiable.

Implementing in Real Tools

Excel / Spreadsheet (Small Projects, <300 requirements)

A traceability matrix spreadsheet with columns: ID | Description | Traces_To_Up | Traces_To_Down | Status. One sheet per traceability level (SYS2↔SWE1, SWE1↔SWE2, etc.). Use Excel VLOOKUP or data validation to enforce that "Traces_To" values reference valid IDs in the adjacent sheet. Maintain the matrix in CM alongside the requirements documents - never in someone's local drive.

IBM DOORS / DOORS Next (Large Projects)

DOORS uses Link modules to establish bidirectional links between requirement modules at different levels. Create one link module per traceability relationship (e.g., "SYS2_to_SWE1_Links"). Use DOORS DXL scripts to generate coverage reports. The DOORS view showing a requirement and its upstream/downstream links is your primary assessment evidence - export this as PDF for the document package and demonstrate it live during interviews.

Polarion ALM

Polarion uses "Work Items" with "Links" between them. Define link types: "derives from" (upward), "is realized by" (downward), "is tested by" (test traceability). Configure Polarion reports to generate full traceability matrices across work item types. The Polarion traceability matrix report is directly usable as ASPICE evidence.

Jira + Plugins

Base Jira lacks formal traceability. Use plugins: Xray (for test case traceability), Jira Issues Links (for requirement-to-requirement links), or dedicated ALM tools like Jama Connect integrated with Jira. The risk with Jira is that traceability discipline depends entirely on team practice - there is no enforcement mechanism built in. This requires strong process governance to maintain.

Summary & Key Takeaways

✅ Key Takeaways

Bidirectional traceability means: any item can be followed both upward (to its source) and downward (to what realizes or verifies it).
The complete chain for one function: STK → SYS.2 → SWE.1 → SWE.2 (component) → SWE.3 (unit) → SWE.4 (unit test) + SWE.6 (qualification test) → SYS.5 (system test).
SWE.4 tests trace to SWE.3 (detailed design). SWE.6 tests trace to SWE.1 (software requirements). These are different test bases - never conflate them.
ASIL-D requirements demand that the detailed design (SWE.3) documents timing margins, safety mechanisms, and design rationale explicitly - not just the implementation itself.
For <300 requirements: a controlled Excel matrix is acceptable. For larger projects, use a proper ALM tool (DOORS, Polarion, Jama). Traceability maintained only in documents (not tool links) is fragile and maintenance-intensive.
The single most valuable live demonstration in an assessment interview: navigate to one SYS.2 requirement and walk the complete chain in your tool, live, for a randomly selected requirement.

What's Next

Continue to the Hands-On: Work Product Templates exercise to build the key ASPICE work products - SRS structure, architecture document outline, review record template, and traceability matrix - using the BMS ECU scenario as the reference project.