Home Learning Paths ECU Lab Assessments Interview Preparation Arena Pricing Log In Sign Up
Back to ASPICE & Process
Learning Paths ASPICE & Process Module 3
MODULE 3 - System & Support Processes

SUP.8 - Configuration Management

66 min read
7 sections
Chapter 4 of 6

SUP.8 Purpose & Why It Matters

Official Purpose Statement: "The purpose of the Configuration Management Process is to establish and maintain the integrity of all the work products of a process or project and make them available to concerned parties."

SUP.8 is the infrastructure process that makes every other ASPICE process auditable. Without configuration management, you cannot prove: which version of the SRS was reviewed, what source code was compiled into the delivered binary, whether a defect fix was actually applied to the release build, or when a change was made and by whom. CL2 for every engineering process depends on SUP.8 being functional, because GP 2.2.2 and GP 2.2.3 require work products to be CM-controlled.

📋 Learning Objectives

  • Define the CM plan contents required by ASPICE SUP.8
  • Establish a CM system covering both code and non-code work products (documents, models, test specifications)
  • Define and enforce baselines at project milestones
  • Demonstrate build reproducibility as required by ASPICE
  • Operate a CM audit procedure and report findings

SUP.8 Base Practices

BPNameWhat It RequiresEvidenceCommon Failure
BP1Develop a CM strategyConfiguration Management Plan (CMP) defining: which items are under CM (Configuration Items / CIs - all work products, source code, tools, and their versions), the CM system used (Git, SVN, SharePoint, PLM), naming conventions, versioning scheme, baseline policy (when, who, how), access control, backup policy.Configuration Management Plan documentCMP either absent or covers only source code; document artifacts stored on unversioned shared drives
BP2Identify configuration itemsEvery work product produced in the project is assigned a CI identifier. CIs include: source code, SRS, SAD, SDDD, test specifications, test reports, AUTOSAR ARXML files, calibration files, tool configurations, BSW deliverables from suppliers. Each CI has: a unique ID, a current version, a responsible custodian.Configuration Item list / CI registrySource code in Git, everything else "managed" by email and file sharing; ARXML not under formal CM; calibration files overwritten without history
BP3Control modifications and releasesChanges to baselined CIs follow a controlled process: change request (SUP.10 interface) → approval → implementation → verification → CM update. No CI is modified post-baseline without a CR. Releases are tagged builds - a delivery binary can be traced to an exact tagged commit and configuration state.Version control history showing change references; release tags; build configuration recordsHotfixes applied directly to the release branch without a CR; "we'll document it later" - later never comes
BP4Establish baselinesBaselines are established at defined project milestones (e.g., SRS baseline after M2 review, SW baseline at each prototype delivery, release baseline for production delivery). A baseline is a snapshot of a defined set of CIs at a known state - immutable after creation. Baseline records show: baseline ID, date, CI list with version per CI, authorizing role.Baseline records: one per milestone; CI version matrix per baselineBaselines defined in the CMP but never created in practice; or "the last tagged version" is treated as a baseline without a formal baseline record
BP5Control CM systemThe CM tool is configured to enforce access control (who can commit, who can create tags, who can baseline), prevent deletion of history, and send notifications on changes to protected branches. CM system availability is ensured (backup, access during power outage / remote work). CM system version itself is documented.Git configuration (branch protection rules, required reviews); backup records; CM tool version documentedGit used but no branch protection; force-push to main allowed; no backup policy; repository could be accidentally deleted
BP6Perform CM auditsPeriodic audits verify that: the CI registry is current (all active CIs listed), baselines are intact (no post-baseline changes without a CR), work products can be retrieved in their baseline state, the build can be reproduced from the baseline. CM audit results are documented and discrepancies resolved.CM audit records (periodic, at least once per project phase); audit findings and resolution evidenceCM audits never performed; first CM audit is the ASPICE assessment itself - at which point discrepancies are found but cannot be retroactively resolved

Practical CM Setup: Code + Documents

What Must Be in Git (Beyond Source Code)

Most engineering teams use Git for source code. ASPICE requires CM for all project CIs. For an ECU software project, the following must be version-controlled:

CI CategoryExamplesCM Tool Recommendation
Source Code.c, .h, .cpp files, BSW source if customizedGit (mandatory)
AUTOSAR Configuration.arxml files (EB Tresos / DaVinci project files)Git (treat ARXML as code - diff-able XML)
Build SystemMakefiles, CMakeLists.txt, linker scripts, compiler flagsGit
RequirementsSRS (.docx, .xlsx, or requirements tool export)Requirements tool with versioning (DOORS, Polarion) or Git for exported artifacts
ArchitectureSAD (.docx, .pptx, .mdj, .pu UML files)Git (PlantUML or Mermaid source preferred - text-based, diff-able)
Test SpecificationsSQTS, ITS (.xlsx, .docx, TestRail exports)Git for document exports; test management tool for active test management
Calibration Files.a2l (CAN calibration description), .hex parameter filesGit or dedicated calibration tool (INCA-MIP, CANape project files)
Tool VersionsCompiler version, static analysis tool version, CANoe versionDocumented in a "tool list" file in Git; Docker image if toolchain is containerized

Baseline Definition Per Milestone

MilestoneBaseline Name (example)CIs IncludedAuthority to Baseline
SRS Review PassedBL-SRS-M2-v1.0SRS document + traceability matrix + review recordProject lead + QA sign-off
Architecture Review PassedBL-SAD-M3-v1.0SAD + ICD + resource budget + SRS baseline referenceChief Architect + QA
Proto Delivery (HW bring-up)BL-SW-PROTO1-v0.5.2Source code + ARXML + build scripts + SRS v1.0 + SAD v1.0Project lead
Integration Test PassedBL-SW-SIT-v1.2.0All above + ITS + integration test resultsTest lead + QA
Qualification Test Passed (Release)BL-SW-REL-v1.3.0All above + SQTS + SQTR + SQTR sign-offProject lead + QA + Safety Manager (ASIL items)

✅ SUP.8 CL2 Readiness Checklist

  • ✅ Configuration Management Plan: CI scope (code + documents), versioning scheme, baseline policy, access control
  • ✅ CI registry: all project CIs listed with current version and custodian
  • ✅ Source code in Git with branch protection on main; force-push disabled; meaningful commit messages with CR references
  • ✅ Documents in version control: no "SRS_FINAL_v3_corrected_really_final.docx"
  • ✅ Baselines created at each milestone: immutable snapshots with CI version matrix and authorization record
  • ✅ Build reproducibility: from any baseline tag, the exact delivery binary can be rebuilt and byte-for-byte compared
  • ✅ CM audit: at least one documented CM audit per project phase with findings and resolution

What's Next

Continue to SUP.10 - Change Request Management, which controls how changes to baselined work products are initiated, approved, implemented, and verified - the process that keeps SUP.8 baselines meaningful.

← PreviousSUP.1 - Quality Assurance Next →SUP.10 - Change Request Management