Questions & Answers
What is Traceability?
Traceability is the systematic capability to establish and maintain bi-directional links among all artifacts throughout the product development lifecycle. These artifacts include customer needs, regulatory requirements, system design, software architecture, code, and test cases. Its core purpose is to ensure every high-level requirement can be traced to its corresponding low-level implementation and verification activities, and vice versa. In automotive cybersecurity, the ISO/SAE 21434:2021 standard explicitly mandates traceability between cybersecurity requirements, architecture, implementation, and testing activities (e.g., in Clauses 9, 10, 11). This is not only for passing type approval under regulations like UN R156 but also a key risk management practice. It aids in impact analysis for changes, ensures complete requirements coverage, and enables rapid root cause analysis in case of a security incident. Compared to simple logging, traceability provides a more structured and comprehensive view of causal relationships.
How is Traceability applied in enterprise risk management?
In enterprise risk management, applying traceability is a concrete, process-driven activity, especially for complying with automotive cybersecurity regulation UN R156. The implementation steps are:
1. Establish a Traceability Information Model to define artifact types (e.g., cybersecurity goals, requirements, software components, test specs) and their link relationships (e.g., 'satisfies', 'verifies').
2. Implement an Application Lifecycle Management (ALM) or Product Lifecycle Management (PLM) tool, such as Jama Connect or IBM DOORS, to digitize this model, allowing engineers to create links during development.
3. Configure automated reports and dashboards to generate a Traceability Matrix, visualizing requirement coverage.
For example, a Taiwanese Tier-1 supplier implemented this for their Telematics Control Unit (TCU). During an audit by a European OEM, they instantly generated reports proving all 70+ cybersecurity requirements from UN R156 were implemented and tested, reducing their audit preparation time by approximately 40% and achieving a first-pass audit success.
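
Steps 1 and 3 above, shown as an added Python example that is not from the original page or from any ALM/PLM product: an information model restricts which link types are allowed, and the matrix reports requirements that lack a goal, an implementation or a test. The artifact IDs, the `derives_from` relation and all function names are assumptions made for illustration.

```python
from collections import defaultdict

# Information model: relation -> (source type, target type). 'satisfies' and
# 'verifies' come from the text above; 'derives_from' is an assumed relation.
MODEL = {"derives_from": ("requirement", "goal"),
         "satisfies": ("component", "requirement"),
         "verifies": ("test", "requirement")}

# Constructed sample data; every identifier is hypothetical.
ARTIFACTS = {"CG-1": "goal", "CR-1": "requirement", "CR-2": "requirement",
             "CR-3": "requirement", "SW-1": "component", "SW-2": "component",
             "TS-1": "test", "TS-2": "test"}
LINKS = [("CR-1", "derives_from", "CG-1"), ("CR-2", "derives_from", "CG-1"),
         ("SW-1", "satisfies", "CR-1"), ("SW-1", "satisfies", "CR-2"),
         ("TS-1", "verifies", "CR-1"),
         ("TS-2", "verifies", "SW-1"),   # wrong target type for 'verifies'
         ("SW-1", "satisfies", "CR-9")]  # dangling: CR-9 does not exist

def split_links(artifacts, links, model=MODEL):
    """Return (valid, invalid) links according to the information model."""
    valid, invalid = [], []
    for src, rel, dst in links:
        ok = model.get(rel) == (artifacts.get(src), artifacts.get(dst))
        (valid if ok else invalid).append((src, rel, dst))
    return valid, invalid

def trace_matrix(artifacts, links):
    """Map each requirement to its upstream goal and downstream evidence."""
    valid, _ = split_links(artifacts, links)
    matrix = {a: defaultdict(list) for a, t in artifacts.items() if t == "requirement"}
    for src, rel, dst in valid:
        if rel == "derives_from":
            matrix[src][rel].append(dst)   # requirement -> goal (backward trace)
        else:
            matrix[dst][rel].append(src)   # component/test -> requirement
    return matrix

def coverage_gaps(artifacts, links):
    """List, per requirement, which relations of the model have no valid link."""
    matrix = trace_matrix(artifacts, links)
    gaps = {req: [rel for rel in MODEL if not row[rel]] for req, row in matrix.items()}
    return {req: missing for req, missing in gaps.items() if missing}

def untraced(artifacts, links):
    """Components and tests with no valid link to any requirement."""
    valid, _ = split_links(artifacts, links)
    linked = {src for src, _, _ in valid}
    return sorted(a for a, t in artifacts.items()
                  if t in ("component", "test") and a not in linked)
```

Links rejected by `split_links` never count toward coverage, so a test attached to the wrong artifact type shows up as a gap in the matrix instead of as false evidence.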
What challenges do Taiwan enterprises face when implementing Traceability?
Taiwanese enterprises face three main challenges when implementing traceability:
1. Toolchain Silos: Different departments use disparate tools (e.g., Word for requirements, Visio for architecture, Excel for tests), creating information gaps that hinder end-to-end traceability.
2. Expertise and Cost Barriers: The licensing fees and consulting services for professional ALM/PLM tools are significant, and internal teams often lack expertise in relevant standards (like ISO/SAE 21434) and tool operation.
3. Cultural Inertia: Engineers are accustomed to existing workflows and may perceive creating trace links as an extra burden, resisting new processes and tools.
Solutions include: For tool silos, prioritize a central requirements management platform and gradually integrate other tools via APIs, starting with a pilot project. For cost/expertise, engage external experts like Winners Consulting for phased implementation and training. For cultural issues, management must clearly communicate the value of traceability (e.g., reduced compliance risk) and mandate it as a standard process, aiming for a 6-month pilot and a 12-18 month rollout to key product lines.
Why choose Winners Consulting for Traceability?
Winners Consulting specializes in Traceability for Taiwan enterprises, delivering compliant management systems based on standards like ISO/SAE 21434 within 90 days. We have successfully assisted over 100 local companies. Request a free consultation: https://winners.com.tw/contact