Requirements Traceability: Different Things to Different People

Software development standards applicable to safety- or cybersecurity-critical applications (including ISO 26262, SAE J3061, IEC 62304 and IEC 61508) usually demand bidirectional requirements traceability. DO-178C is typical with its requirement for trace data to: 1.Enable verification that no source code implements an undocumented function. 2.Enable verification of the complete implementation of the low-level requirements. It is essential not only to confirm that all requirements are fulfilled, but also to ensure that there is no surplus code that could suggest feature creep, logical flaws, or even a malicious backdoor method. This paper will explore the implications of bidirectional traceability for a geographically disparate development team. It will discuss the challenge of providing data on a €œneed to know€ basis, providing perspectives according to job function. And it will discuss the project management overhead associated with maintaining that traceability.