6.3.1 Reason 1: Requirements Are the Foundation for the Software Development

I’m not an architect, but common sense tells me that when building a house, the foundation is extremely important. If the foundation is made of weak or faulty material, is missing sections, or is not level, the house built upon it will have long-term problems. The same is true in software development. If the requirements (the foundation) are weak, it has long-term effects and leads to indescribable problems and difficulties for everyone involved, including the customer.

Reflecting on the projects I’ve survived over the years, there are some common characteristics that led to the bad requirements. First, the software requirements were developed by inexperienced teams. Second, the teams were pushed to ship something to the customer before they were ready. Third, the system requirements were not validated prior to delivering the software.

These characteristics led to the following common results:

• The customers were not pleased.

• The products suffered from an extremely high number of problem reports.

• The software required at least one complete redesign (in a couple of situations it took two additional iterations).

• The projects were considerably over time and over budget.

• Several leaders were reassigned (right off to other doomed projects) and careers were damaged.

The results of bad requirements lead to what I call the snowball effect. The problems and complexity accumulate until the project becomes a huge, unmanageable snowball. Figure 6.1 illustrates the problem. When development artifacts are not reviewed and matured before going to the next phase of development, it becomes more difficult and expensive to identify and remove the error(s) later. In some instances it may even become impossi ble to identify the error, since the root cause is buried so deeply in the data

(the snowball). All development steps are iterative and subject to change as the project progresses; however, building successive development activities on incomplete and erroneous inputs is one of the most common errors and inefficiencies in software engineering.

Requirements will never be perfect the first time, but the goal is to get at least a portion of the requirements as complete and accurate as possible to proceed with design and implementation at an acceptable level of risk. As time progresses, the requirements are updated to add or modify functionality and to make changes based on design and implementation maturity. This iterative approach is the most common way to obtain quality requirements and meet customer needs at the same time. In Software Requirements Karl Wiegers writes,

Iteration is a key to requirements development success. Plan for multiple cycles of exploring requirements, refining high-level requirements into details, and confirming correctness with users. This takes time and it can be frustrating, but it’s an intrinsic aspect of dealing with the fuzzy uncertainty of defining a new software product [4].

6.3.2 Reason 2: Good Requirements Save Time and Money

Effective requirements engineering is probably the highest return on investment any project can realize. Multiple studies show that the most expensive errors are those that started in the requirements phase and that the biggest reason for software rework is bad requirements. One study even showed that “requirements errors account for 70 to 85 percent of the rework cost” [5].

A study by the Standish Group gave the following reasons for failures in software projects (several of the reasons are requirements related) [6]:

• Incomplete requirements—13.1%

• Lack of user involvement—12.4%

• Insufficient resources/schedule—10.6%

• Unrealistic expectations—9.9%

• Lack of managerial support—9.3%

• Changing requirements—8.7%

• Poor planning—8.1%

• Software no longer needed—7.4%

Although this study is somewhat dated, the results are consistent with what I see in aviation projects year after year. Good requirements are necessary to obtain successful results. I never cease to be amazed at how many projects do not have time to do a project right the first time, but end up having time and money to do the work two or three times.

6.3.3 Reason 3: Good Requirements Are Essential to Safety

The Federal Aviation Administration (FAA) research report entitled Requirements Engineering Management Findings Report states: “Investigators focusing on safety-critical systems have found that requirements errors are most likely to affect the safety of an embedded system than errors introduced during design or implementation” [7]. Without good requirements, it’s impossible to satisfy the regulations. The FAA and other regulatory authorities across the world have legally binding regulations requiring that every system on an aircraft show that it meets its intended function under any foreseeable operating condition. This means that the intended functions must be identified and proven. Requirements are the formal method of communicating the safety considerations and the intended functionality.

6.3.4 Reason 4: Good Requirements Are Necessary to Meet the Customer Needs

Without accurate and complete requirements, the customer’s expectations will not be met. Requirements are used to communicate between the customer and developer. Poor requirements indicate poor communication which normally leads to a poor product.

One level A project that I reviewed years ago had terrible software requirements and no hope of finishing the level A activities in time to support the aircraft schedule. Because of the software shortcomings, the customer had to redesign part of the aircraft to disable the system in safety-critical operations, add hardware to compensate for what the software was supposed to do, and reduce the reliance on the software to level D. After the initial certification, a new supplier was selected and the original supplier fired. The main reasons for this fiasco were as follows: (1) the software requirements did not comply with the customer’s system requirements and (2) when the system requirements were unclear, the software team just improvised rather than asking the customer what they needed. Granted, the system requirements had their issues, but the whole debacle could have been avoided with better communication and requirements development at both companies.

6.3.5 Reason 5: Good Requirements Are Important for Testing

Requirements drive the testing effort. If the requirements are poorly written or incomplete, the following are possible:

• The resulting requirements-based tests may test the wrong thing and/or incompletely test the right thing.

• It may require extensive effort during testing to develop and ferret out the real requirements.

• It will be difficult to prove intended functionality.

• It will be challenging or impossible to prove that there is no unintended functionality (i.e., to show that the software does what it is supposed to do and only what it is supposed to do).

Safety hinges upon the ability to show that intended functions are satisfied and that no unintended functionality will impact safety.

6.6.1 Requirements Gathering Activities

Before ever writing a single requirement, the requirements engineers gather data and knowledge in order to comprehend the product they are specifying. Gathering activities include the following:

1. Review and strive to thoroughly understand the system and safety requirements, in whatever state they exist. The software engineers should become intimately familiar with the system requirements. An understanding of the preliminary safety assessment is also necessary to comprehend the safety drivers.

2. Meet with the customers, systems engineers, and domain experts to answer any questions about the system requirements and to fill in missing information.

3. Determine the maturity and completeness of the systems and safety requirements before developing software requirements.

4. Work with systems engineers to make modifications to the sys tem requirements. Before the software team can refine the system requirements into software requirements, the system requirements need to be relatively mature and stable. Some systems teams are quite responsive and work closely with the software team to update the system requirements. However, in many circumstances, the software team must proactively push the systems engineers for the needed changes.

5. Consider relevant past projects, as well as the problem reports for those projects. Oftentimes, the customer, systems engineers, or the software developers will have some past experience in the domain area. The requirements may not be useable in their previous format, but they can certainly help provide an understanding of what was implemented, what worked, and possibly what did not work.

6. Become fully educated on the requirements standards and certification expectations.

6.6.2 Requirements Analyzing Activities

The analysis process prepares the engineer to write the requirements. Sometimes it is tempting to rush directly into writing the requirements specification. However, without first doing the analysis and considering the problem from multiple views, it may result in significant rework in the future. There will always be some iterations and fine tuning, but the analysis process can help minimize that. Consider the following during requirements analysis:

1. Organize the input gained during the gathering process to be as clear and complete as possible. The requirements engineer must analyze the problem to be solved from multiple views. Oftentimes, use cases^* are utilized to consider the problem from the user’s perspective.

2. Lay out the framework for the requirements specification task. By identifying what will likely become the table of contents, the requirements can be organized into a logical flow. This framework also serves as a measure of completeness. One common strategy for determining the requirements framework is to list the safety and systems functions to be provided, and then determine what software is needed for each function to operate as intended and to protect against unintended effects.

3. Develop models of the software behavior in order to ensure an understanding of the customer needs. Some of these models will be refined and integrated into the software requirements and some will just be a vehicle that assists with the requirements development. Some of the models may also be added to the system requirements when deficiencies are noted.

4. In some cases, a prototype may be used to help with the development of the requirements. The requirements analyst may either help develop the prototype or use the prototype to document requirements. A quick prototype can be very beneficial for demonstrating functionality and maturing the requirements details. The risk of a prototype is that it can look impressive on the surface, despite the poor underlying design and code; therefore, project managers or customers insist on using the code from the working prototype. When faced with cost and schedule pressures, I’ve seen several projects abandon their original (and approved) plans and try to use the prototype code for flight test and certification. I have yet to see it work out well; the cost, schedule, and customer relationship all suffer. Section 6.10 provides additional thoughts about prototyping.

6.7.1 Task 1: Determine the Methodology

There are multiple approaches to documenting requirements—all the way from text-only to all-graphical to a combination of text and graphics. Because of the need for traceability and verifiability, many safety-critical software requirements are primarily textual with graphics used to further illustrate the text. However, graphics do play a significant role in the requirements development effort. “Pictures help bridge language and vocabulary barriers …” [4]. At this phase, the graphics focus on the requirements (what the software will do) and not design (how the software will do it). Many of the graphics may be further elaborated in the design phase, but at the requirements phase they should strive to be implementation-free. Developers may opt to document some design concepts as they write the requirements, but those should be notes for the designer and not part of the software requirements specification.

Just a brief word of caution, be careful to not rely solely on pictures, which are difficult to test. When using graphics to describe the requirements, testability of the requirements should be constantly considered.

Some examples of graphical techniques that enhance the textual descriptions include the following [9]:

• Context or use case diagrams—illustrate interfaces with external entities. The details of the interfaces are typically identified in the interface control specification.

• A high-level data dictionary—defines data that will flow between processes. The data dictionary will be further refined during the design phase.

• Entity-relationship or class diagrams—show logical relationship between entities.

• State-transition diagrams—show the transition between states within the software. Each state is usually described in textual format.

• Sequence diagrams—show the sequence of events during execution, as well as some timing information.

• Logic diagrams and/or decision tables—identify logic decisions of functional elements.

• Flowcharts or activity diagrams—identify step-by-step flow and decisions.

• Graphical user interfaces—clarify relationships that may be difficult to describe in text.

The model-based development approach strives to increase the graphical representation of the requirements through the use of models. However, to date, even models require some textual description. Model-based development is examined in Chapter 14.

The technique selected should address the connection between textual and graphical representations. The textual requirements normally provide the context and reference to the graphical figures. This helps with traceability and completeness, and facilitates testing. Sometimes the graphics are provided as reference only to support the requirements. If this is the case, it should be clearly stated.

Another aspect of methodology to consider before diving into the requirements writing is whether to use computer-aided software engineering (CASE) tools and requirements templates, since these may impact the methodology.

Ideally, the application of the selected methodology is explained and illustrated in the requirements standards. The standards help guide the requirements writers, and ensure that everyone is following the same approach. If there are multiple developers involved in the requirements writing, an example of the methodology and layout should be documented, so that everyone is applying it in the same way. The more examples and details provided, the better.

6.7.2 Task 2: Determine the Software Requirements Document Layout

The end result of the software requirements documentation process is the Software Requirements Document (SWRD). The SWRD

states the functions and capabilities that a software system must provide and the constraints that it must respect. The SWRS [SWRD] is the basis for all subsequent project planning, design, and coding, as well as the foundation for system testing and user documentation. It should describe as completely as necessary the [software] system’s behaviors under various conditions. It should not contain design, construction, testing, or project management details other than known design and implementation constraints [4].^*

The SWRD should comprehensively explain the software functionality and limitations; it should not leave room for assumptions. If some functionality or quality does not appear in the SWRD, no one should expect it to magically appear in the end product [4].

Early in the requirements development process, the general layout of the SWRD should be determined. It may be modified later, but it’s valuable to have a general outline or framework to start with, especially if there are multiple developers involved. The outline or template helps keep everyone focused on their area’s objectives and able to understand what will be covered elsewhere. In order to improve readability and usability of the SWRD, the following suggestions are provided:

• Include a table of contents with subsections.

• Provide an overview of the document layout, including a brief summary of each section and the relationship between sections.

• Define key terms that will be used throughout the requirements and use them consistently. This may include such things as coordinate systems and external feature nomenclature. If the requirements will be implemented or verified by anyone unfamiliar with the language or domain, this is a critical element of the SWRD.

• Provide a complete and accurate list of acronyms.

• Explain the requirements grouping in the document (a graphic, such as a context diagram, might be useful for this).

• Organize the document logically and use section/subsection labels and numbers (typically requirements are organized by features or key functionality).

• Identify the environment in which the software will operate.

• Use white space throughout to help readability.

• Use bold, italics, and underlining for emphasis and use them consistently throughout. Be sure to explain the meaning of any conventions, text styles, etc.

• Identify functional requirements, nonfunctional or nonbehavioral requirements, and external interfaces.

• Include any constraints that will apply (e.g., tool constraints, language constraints, compatibility constraints, hardware limitations, or interface conventions).

• Number and label figures and tables, and clearly reference them from the textual requirements.

• Provide cross-references within the specification and to other data as needed.

6.7.3 Task 3: Divide Software Functionality into Subsystems and/or Features

It is important to decompose the software into manageable groups, which make sense and can be easily integrated. In most cases, a context diagram or use case is used to provide the high-level view of the requirements organization.

For larger systems, the software may be divided into subsystems. For smaller systems and subsystems, the software is often further divided into features, with each feature containing specific functionality.

As noted earlier, one way to organize the functions is to work with the safety and systems engineers to define the safety and systems functions to be provided. This input is then used to determine what software is needed for each function to operate as intended, as well as to determine what protections are needed to prevent unintended effects.

There are other ways to organize the requirements. Regardless of the approach selected, reuse and minimized impact of change are normally important characteristics to consider when dividing the functionality.

6.7.4 Task 4: Determine Requirements Priorities

Because projects are often on a tight schedule and are developed using an iterative or spiral life cycle model, it may be necessary to prioritize which requirements must be defined and implemented first. Priorities should be coordinated with the systems team and the customers. After the enabling software (such as boot, execution, and inputs/outputs), software functions that are critical to system functionality or safety or that are highly complex should have the highest priority. Oftentimes, the priorities are based on the urgency defined by the customer and the importance to the overall system functionality. In order to properly prioritize, it is sometimes helpful to divide the subsystems, features, and/or functions into four groups: (1) urgent/important (high priority), (2) not urgent/important (medium priority), (3) urgent/not important (low priority), and (4) not urgent/not important (may not be necessary to implement). For large and complex projects, there are many factors to assess when determining the priority. In general, it is preferable to keep the prioritization process as simple and politically free as possible. The prioritization of subsystems, features, and/or functions should be identified in the project management plan. Keep in mind that priorities may need to be readjusted as the project progresses, depending on the customer feedback and project needs.

6.7.5 A Brief Detour (Not a Task): Slippery Slopes to Avoid

Before discussing the requirements documenting task, let’s take a quick detour to discuss a few slippery slopes that many unsuccessful projects seem to attempt. These are mentioned here because projects sometimes start down one or more of these slippery slopes instead of focusing on the requirements. Once a project starts down a slope, it’s hard to exit it and refocus on the requirements.

6.7.6 Task 5: Document the Requirements

One of the challenges of writing requirements is determining the level of detail. Sometimes the system requirements are very detailed, so it forces a lower level of detail in the software requirements than preferred. At other times, the system requirements are far too vague and require additional work and decomposition by the software requirements authors. The level of detail is a judgment call; however, the requirements should sufficiently explain what the software will do but not get into the implementation details. When writing the software high-level requirements, it is important to remember that the design layer (which includes the software low-level requirements) is still to occur. The software high-level requirements should provide adequate detail for the design effort, but not get into the design.

6.7.7 Task 6: Provide Feedback on the System Requirements

Writing software requirements involves scrutiny of the system requirements. The software team often finds erroneous, missing, or conflicting system requirements. Any issues found with the system requirements should be documented in a problem report, communicated to the systems team, and followed up to confirm that action is taken. In many programs, the software team assumes that the systems team fixed the system requirements based on verbal or e-mail feedback; however, in the final throes of certification, it is discovered that the system requirements were not updated. To avoid this issue, the software team should proactively ensure that the system requirements are updated by writing problem reports against the system requirements and following up on each problem report. Failure to follow through on issues could lead to an inconsistency between system requirements and software functionality that may stall the certification process, since the requirements disconnect is considered a DO-178C noncompliance.

6.8.1 Peer Review Recommended Practices

Although not required, most projects use a formal peer review process in order to verify their plans, requirements, design, code, verification cases and procedures, verification reports, configuration index, accomplishment summary, and other key life cycle data. A team with the right members can often find errors that an individual might miss. The same peer review process can be used across the multiple life cycle data items (it isn’t limited to requirements). In other words, the review process can be standardized, so that only the checklists, data to be reviewed, and reviewers change for the actual reviews. This section identifies some of the recommended practices to integrate into the peer review process:

• Assign a moderator or technical lead to schedule the review, provide the data, make assignments, gather and consolidate the review comments, moderate the review meeting, ensure that the review checklist is completed, make certain that all review comments are addressed prior to closure of the review, etc.

• Ensure that the data to be reviewed is under configuration management. It may be informal or developmental configuration management, but it should be controlled and the version identified in the peer review records.

• Identify the data to be reviewed and the associated versions in the peer review record.

• Identify the date of the peer review, reviewers invited, reviewers who provided comments, and amount of time each reviewer spent on the review. The reviewer information is important to provide evidence of independence and due diligence.

• Involve the customer, as needed or as required by contract or procedures.

• Use a checklist for the review and ensure that all reviewers have been trained on the checklist and the appropriate standards for the data under review. The checklists are typically included or referenced in the approved plans or standards.

• Provide the review package (including data to be evaluated with line or section numbers, checklist, review form, and any other data needed for the review) to the reviewers, and identify required and optional reviewers.

• Allocate responsibilities for each reviewer (e.g., one person to review traceability, one person to review compliance to standards, and so on). Ensure that required reviewers are covering all aspects of the checklist, reviewers perform their tasks, and reviewers are qualified for the task assigned. If a required reviewer is gone or cannot carry out his or her task, someone else equally qualified may need to perform the review, or the review may need to be rescheduled.

• Provide instructions to the reviewers (e.g., identify comment due dates, meeting dates, roles, focus areas, open issues, file locations, reference documents).

• Give reviewers adequate notice and time to perform the review. If a required reviewer needs more time, reschedule the review.

• Ensure that the proper level of independence is achieved. The DO-178C Annex A tables identify by software level when independence is required. Chapter 10 discusses verification independence.

• Use qualified reviewers. Key technical reviewers include those who will use the data (e.g., tester and designer) and one or more independent developers (when independence is required). As noted earlier, for requirements reviews, it’s recommended that systems and safety personnel be involved. The review will only be as good as the people performing it, so it pays off over the life of a project to use the best and most qualified people for technical roles. Junior engineers can learn by performing support roles.

• Invite software quality assurance and certification liaison personnel, as well as any other support personnel needed.

• Keep the team size to a reasonable number. This is subjective and tends to vary depending on the software level and the significance of the data being reviewed.

• Provide a method for reviewers to document comments (a spreadsheet or comment tool is typical). The following data are normally entered by the reviewer: reviewer name, document identification and version, section or line number of document, comment number, comment, and comment classification (significant, minor, editorial, etc.).

• Schedule a meeting to discuss nontrivial comments or questions. Some companies prefer to limit the number of meetings and only use them for controversial topics. If meetings are not held, ensure there is a way to obtain agreement from all reviewers on the necessary actions. In my experience, a brief meeting to discuss technical issues is far more effective and efficient than ongoing e-mail threads.

• Assuming there is a meeting, give the author of the data time to review and propose a response for each comment prior to the meeting. The meeting time should focus on the nontrivial items that require face-to-face interaction.

• If a team is spread out geographically, use electronic networking features (e.g., WebEx, NetMeeting, or Live Meeting) and teleconferencing to involve the appropriate people.

• Limit the amount of time discussing issues. Some companies impose a 2-minute rule; any discussions that require more than 2 minutes are tabled for future discussion. If an item cannot be resolved in the time allocated, set up a follow-on meeting with the right stakeholders. The moderator helps to keep the discussions on track and on schedule.

• Identify a process to discuss controversial issues, such as an escalation path, a lead arbitrator, or a product control board.

• Complete the review checklist. Several potential approaches may be used: the checklist(s) may be completed by each team member for their part, by the team during the peer review meeting, or by a qualified reviewer. It is typically not possible to successfully complete the checklist until all of the review comments are addressed.

• Ensure that all issues are addressed and closed, before the review is closed. If an issue needs to be addressed but cannot be addressed prior to closing the review, a problem report should be generated. The problem report number should be included in the peer review records to ensure that the issue is eventually addressed or properly dispositioned.

• Break large documents into smaller packages and review high-risk areas first. Once all of the individual packages are reviewed, an experienced engineer or team should perform an integration review to make sure all of the packages are consistent and accurate. That is, look at the data together.

• Have an organized approach to store and retrieve review records and checklists, since they are certification evidence.

Here are some common issues that arise during the actual implementation of a peer review process, which can be avoided by proper management of the peer reviews:

• Considering the activity as a check mark, rather than a tool to work out technical issues early, add value to the end product, and save time and money over the life of the project.

• Not giving reviewers time to thoroughly review the data.

• Having an overly large review team.

• Not using qualified and well-trained reviewers.

• Not closing comments before proceeding to the next phase.

• Not completing the required checklist completely or promptly.

6.9.1 Basics of Requirements Management

A vital part of software development is requirements management. No matter how thorough the planning and the diligence in writing the requirements, change will happen. An organized requirements management process is essential to managing the inevitable change. Requirements management includes “all activities to maintain the integrity, accuracy, and currency of the requirements agreement as the project progresses” [4].

In order to manage the requirements, the following should be done:

• Develop requirements to be modifiable. As previously mentioned, modifiability is a characteristic of good requirements. Modifiable requirements are well organized, at the appropriate level of granularity, implementation-free, clearly identified, and traceable.

• Baseline the requirements. Both the functional and nonfunctional requirements should be baselined. The baseline typically occurs after the requirements have been through the peer review. For large projects, it is useful to have version control of the individual requirements as well as sections of or the entire SWRD.

• Manage all changes to the baseline. This typically occurs through the problem reporting process and change control board. Changes to requirements are identified, approved by the change control board, implemented, and rereviewed.

• Update requirements using approved process. The updates to the requirements should use the same requirements process defined in the plans. That is, follow the standards, implement quality attributes, perform reviews, etc. Some companies diligently follow the process the first time around but get lax during the updates. Because of this tendency, external auditors and quality assurance engineers tend to look closely at the thoroughness of modifications.

• Rereview the requirements. Once changes are implemented, the changes and requirements affected by the changes should be re-reviewed. If multiple requirements are changed, a team review may be appropriate. If the number of requirements changed or impacted is small and straightforward, the review may be performed by an individual. The appropriate level of independence is still needed.

• Track status. The status of each requirement should be tracked. The typical states of the requirements changes are: proposed, approved, implemented, verified, deleted, or rejected [9]. Oftentimes, the status is managed through the problem reporting process in order to avoid having two status systems. The problem reporting process typically includes the following states: open (requirements change has been proposed), in-work (change has been approved), implemented (change has been made), verified (change has been reviewed), cancelled (change not approved), and closed (change fully implemented, reviewed, and under configuration management).

Change management is further discussed in Chapter 10.

6.9.2 Requirements Management Tools

Most companies use a commercially available requirements management tool to document and help manage their requirements; however, some do have their own homegrown tool. Customers may mandate a specific tool in order to promote a consistent requirements management approach at all hierarchical levels. Whatever requirements management tool is selected, it should have the capability to do the following, as a minimum:

• Easily add requirements attributes or fields

• Export to a readable document format

• Accommodate graphics (e.g., tables, flowcharts, user interface graphics)

• Baseline requirements

• Add or delete requirements

• Handle multiple users in multiple geographic locations

• Document comments or rationale for requirements

• Trace up and down

• Generate trace reports

• Protect from unauthorized change (e.g., password)

• Be backed up

• Reorder requirements without renumbering them

• Manage multiple levels of requirements (such as system, high-level software, low-level software)

• Add levels of requirements if needed

• Support multiple development programs

Typical requirements fields or attributes that are included in the requirements management tool are as follows:

• Requirementsidentification—aunique identifier/tag fortherequirement.

• Requirements applicability—if multiple projects are involved, some requirements may or may not apply.

• Requirements description—states the requirement.

• Requirements comment—explains important things about the requirement such as rationale and related requirements. For derived requirements, this includes rationale for why the derived requirement is needed.

• Status—to identify the status of each requirement (such as approved by change control board, in-work, implemented, verified, deleted, or rejected).

• Change authority—identifies the problem report, change request number, etc. used to authorize the requirement implementation or change.

• Trace data—documents trace up to parent requirements, down to child requirements, and out to test cases and/or procedures.

• Special fields—identify safety requirements, derived requirements, robustness requirements, approval status, etc.

A document or spreadsheet can be used for the requirements documentation. However, the more complex the project and larger the development team, the more benefit there is to using a requirements management tool.

If a requirements management tool is used, the following are important to have:

• Technical support and training. The developers should be trained on how to use the tool properly.

• Project-specific instructions to explain how to use the tool properly in the given environment (such information is often included in the standards or a process manual).

• Frequently asked questions and examples to help address common issues that will be encountered.

Requirements management tools can be powerful. They can help manage requirements and versions, support larger teams, facilitate traceabil ity, track status of requirements, support use of requirements on multiple projects, and much more. However, even with a requirements management tool, good requirements change management is needed. The tool will not “compensate for lack of process, discipline, experience, or understanding” [4].

6.11.1 Importance and Benefits of Traceability

Traceability between requirements, design, code, and test data is essential for compliance to DO-178C objectives. There are numerous benefits of good traceability.

Benefit 1: Traceability is needed to pass a certification authority audit. Traceability is vital to a software project and DO-178C compliance. Without good traceability, the entire claim of development assurance falls apart because the certification authority is not assured. Many of the objectives and concepts of DO-178C and good software engineering build upon the concept of traceability.

Benefit 2: Traceability provides confidence that the regulations are satisfied. Traceability is important because, when it is done properly, it ensures that all of the requirements are implemented and verified, and that only the requirements are implemented. This directly supports regulatory compliance, since the regulations require evidence that intended functionality is implemented.

Benefit 3: Traceability is essential to change impact analysis and maintenance. Since changes to requirements, design, and code are essential to software development, engineers must consider how to make the software and its supporting life cycle data changeable. When a change occurs, traceability helps to identify what data are impacted, need to be updated, and require reverification.

Benefit 4: Traceability helps with project management. Up-to-date trace data help project managers know what has been implemented and verified and what remains to be done.

Benefit 5: Traceability helps determine completion. A good bidirectional trace scheme enables engineers to know when they have completed each data item. It also identifies data items that have not yet been implemented or that were implemented without a driver. When a phase (e.g., design or test case development) is completed, the trace data show that the software life cycle data are complete and consistent with the previous phase’s data and are ready to be used as input to the next phase.

6.11.2 Bidirectional Traceability

In order to achieve the all-requirements-and-only-requirements implementation goal, two kinds of traceability are needed: forward traceability (top-down) and backward traceability (bottom-up). Figure 6.3 illustrates the bidirectional traceability concepts required by DO-178C.

Bidirectional traceability doesn’t just happen, it must be considered throughout the development process. The best way to enforce it is to implement and check the bidirectional traceability at each phase of the development effort, as noted here:

• During the review of the software requirements, verify the top-down and bottom-up tracing between the system requirements and highlevel software requirements.

• During the review of the design description, verify the bidirectional tracing between the high-level software requirements and the lowlevel software requirements.

• During the code reviews, verify the bidirectional tracing between the low-level software requirements and the source code.

• During the review of the test cases and procedures, verify the bidirectional tracing between the test cases and requirements (both highlevel and low-level) and between the test cases and test procedures.

• During the review of the test results, verify the bidirectional tracing between the test results and the test procedures.

Both directions should be considered during the reviews. Just because one direction is complete doesn’t necessarily mean the trace is bidirectional. For example, all system requirements allocated to software may trace down to high-level software requirements; however, there may be some high-level software requirements that do not trace up to a system requirement. Derived requirements should be the only requirements that don’t have parents.

The tracing activity shouldn’t just look for the completeness of the tracing but should also evaluate the technical accuracy of the tracing. For example, when evaluating the trace between a system requirement and its children (high-level software requirements), consider these questions:

• Do these high-level software requirements completely implement the system requirement?

• Is there any part of the system requirement not reflected in the highlevel software requirements?

• Is the relationship between these requirements accurate and complete?

• Are there any missing traces?

• If the high-level software requirements trace to multiple system requirements, is the relationship of the requirements group accurate and complete?

• Is the granularity for each level of the requirements appropriate? For example, is the ratio of system to high-level software requirements appropriate? There isn’t a magic number, but a significant number of requirements with a 1:1 or 1:>10 might indicate a granularity issue.

• If there are many-to-many traces, are they appropriate? An overabundance of many-to-many traces (i.e., children tracing to many parents and parents tracing to many children) may indicate a problem (this is discussed in Section 6.11.4).

6.11.3 DO-178C and Traceability

DO-178B identified traceability as a verification activity but was somewhat vague about how that trace information should be documented. Most applicants include trace information as part of their verification report; however, some include it in the developed data itself (i.e., in the requirements, design, code, and test cases and procedures). DO-178C is still flexible regarding where the trace information is documented; however, it does require an artifact called trace data during the development of requirements, design, code, and tests.

DO-178C section 5.5 identifies the trace activities that occur during software development. It explicitly requires bidirectional tracing between (1) system requirements allocated to software and the high-level software requirements, (2) high-level software requirements and low-level software requirements, and (3) low-level software requirements and source code [3]. DO-178C Table A-2 identifies trace data as the evidence of the trace activity and an output of the development process.

Similarly, DO-178C section 6.5 explains the trace activities during the verification process and requires bidirectional tracing between (1) soft ware requirements and test cases, (2) test cases and test procedures, and (3) test procedures and test results. DO-178C Table A-6 identifies trace data as an output of the testing process.

DO-178B did not include the term bidirectional traceability, although it alluded to it and essentially required it. DO-178B section 6 discussed forward traceability (sections 6.3.1.f, 6.3.2.f, 6.3.4.e, and 6.4.4.1), whereas the objectives in DO-178B Tables A-3 (objective 6), A-4 (objective 6), A-5 (objective 5), and A-7 (objectives 3 and 4) alluded to backward traceability. Thus, both have been required by the certification authorities. However, DO-178C is more explicit in this area. DO-178C specifically identifies the need for bidirectional traceability, as well as the development of trace data.

6.11.4 Traceability Challenges

Like everything else in software engineering, implementing good traceability has its challenges. Some of the common challenges are as follows:

Challenge 1: Tracing proactively. Most software engineers love to solve problems and create design or code. However, few of them enjoy the paperwork and record keeping that goes with the job. In order to have accurate and complete traceability, it is essential that traceability be documented as the development takes place. In other words, as the software high-level requirements are written, the tracing to and from the system requirements should be noted; as the design is documented, the tracing to and from high-level requirements should be written down; as the code is being developed, the tracing to and from the low-level requirements should be documented; etc.

If tracing doesn’t occur proactively by the author of the data, it is difficult for someone not as familiar with the data to do it later because he or she may not know the thought-process, context, or decisions of the original developers, and may be forced to make guesses or assumptions (which may be wrong). Additionally, if the tracing is done after the fact, there tend to be holes in the bidirectional traceability. To say it another way, some requirements may only be partially implemented and some functions may be implemented that aren’t in the requirements. Instead of properly fixing the requirements, the after-the-fact, cleanup engineers may partially trace (to make it look complete), call many requirements derived (because they don’t have parents), or trace to general requirements (ending up with a one-to-toomany or many-to-many dilemma). This seems to especially be the case when inexperienced engineers are used to perform the after-the-fact tracing.

Challenge 2: Keeping the trace data current. Some projects do very well at creating the initial trace data; however, they fail to update it when changes are made. Traceability should be evaluated and appropriately updated anytime the data are modified. Current and accurate trace data are critical to requirements management decisions and the change impact assessments (which are discussed in Chapter 10).

Challenge 3: Doing bidirectional tracing. It can be tempting to think everything is complete, when the traceability in one direction is complete. However, as previously noted, just because the forward tracing is complete doesn’t mean the backward trace is, and vice versa. The trace data must be considered from both top-down (forward) and bottom-up (backward) perspectives.

Challenge 4: Many-to-many traces. This occurs when parent requirements trace to multiple children and children requirements trace to multiple parents. While there are definitely situations where many-to-many tracing is accurate and appropriate, an overabundance of many-to-many traces tends to be the symptom of a problem. Oftentimes, the problem is that the requirements are not well organized or that the tracing was done after the fact. While there are no certification guidelines against many-to-many traces, they can be very confusing to the developers and certifying authority, and they are often very difficult to justify and maintain. Many-to-many tracing should be minimized as much as possible.

Challenge 5: Deciding what is derived and what is not. Derived requirements can be a challenge. More than once I’ve evaluated a project where the derived flag was set because there were missing higher level requirements and the project didn’t want to add requirements. Derived requirements should be used cautiously. They are not plugs for missing higher level requirements, but represent design details that aren’t significant at the higher level. Derived requirements should not be added to compensate for missing functionality at the higher level. One technique to help avoid inaccurate classification of derived requirements is to justify why each requirement is needed and why it is classified as derived.^* If the requirement can’t be explained or justified, it may not be needed or a higher level requirement may be missing. Keep in mind that all derived requirements need to be evaluated by the safety team, and all code must be traceable to requirements—there is not a category called derived code.

Challenge 6: Weak links. Oftentimes there will be some requirements that are debatable as to whether they are traced or derived. They may be related to a higher level requirement but not the direct result of the higher level requirement. If one decides to include the trace, it is helpful to include rationale about the relationship between the higher and lower level requirements. For lack of a better description, I call these debatable traces weak links. By providing a brief note about why the weak links are included, it helps all of the users of the requirements better understand the connection and to evaluate the impact of future changes. The notes also help the certification and software maintenance efforts by explaining what may not be obvious relationships. The explanation does not need to be verbose; a short sentence or two is usually quite adequate. Even if the requirement is classified as derived, it’s still recommended to mention the relationship, since it may help change impact analysis and change management later (i.e., it supports modifiability).

Challenge 7: Implicit traceability. Some projects use a concept of implicit traceability. For example, the tracing may be assumed by the naming convention or the document layout. Such approaches have been accepted by the certification authorities. The new challenge is DO-178C’s requirement for trace data. Implicit tracing is built in and doesn’t result in a separate trace artifact. Therefore, implicit tracing should be handled cautiously. Here are a few suggestions:

• Include the trace rules in the standards and plans, so that developers know the expectations.

• Document the reviews of the tracing well to ensure that the implicit tracing is accurate and complete.

• Identify the approach in the software plans and get the certification authority’s buy-in.

• Be consistent. Do not mix implicit and explicit tracing in a section (unless well documented).

Challenge 8: Robustness testing traces. Sometimes developers or testers argue that robustness testing does not need to be traceable to the requirements, since they are trying to break the software rather than prove intended functionality. They contend that by limiting the testers to just the requirements, they might miss some weakness in the software. As will be discussed in Chapter 9, the break-it mentality is important for effective software testing. Testers should not limit themselves to the requirements when they are thinking through their testing effort. Testers should, however, identify when the requirements are incomplete, rather than create robustness tests that don’t trace to requirements. Frequently, the testers identify missing scenarios that should be reflected in the requirements. It’s highly recommended that the testers participate in requirements and design reviews to proactively identify potential requirements weaknesses. Likewise, developers may want to be involved in test reviews to quickly fill any requirements gaps and to ensure that testers understand the requirements.