Skip to main content
The Aerospace Safety Solution uses 16 primary link roles organized into four functional categories:
  1. Requirements Traceability — Decomposition from customer needs through system and design levels
  2. Safety Assessment — Connections between failure analysis and system elements
  3. Change Management — Impact tracking across work items
  4. Allocation and Validation — System decomposition and verification mapping
diagram Requirements traceability links form the backbone of the V-Model, connecting customer specifications through system and design levels to verification test cases.

parent

PropertyValue
Nameparent
DirectionBidirectional (hierarchical)
PurposeCreates same-type hierarchy within a requirement level
Valid Source TypescustomerRequirement, sysReq, desReq, heading
Valid Target TypescustomerRequirement, sysReq, desReq, heading
CardinalityOne parent, many children
Use CaseOrganize requirements into outline structure (e.g., parent requirement with sub-requirements)
Notes: The parent role enforces same-type hierarchy. A customerRequirement can only have a customerRequirement parent (or heading for organizational structure). This differs from the refines role, which crosses requirement levels.

refines

PropertyValue
Namerefines
DirectionUnidirectional (decomposition)
PurposeDecomposes a requirement into a lower-level requirement
Valid Source TypessysReq, desReq, characteristic
Valid Target TypesdesReq, sysReq, customerRequirement
CardinalityMany children refining one parent
BidirectionalYes — both forward (sysReq refines into desReq) and reverse (characteristic refines sysReq)
Notes: The refines role is the primary decomposition link across requirement levels. A system requirement refines a customer requirement. A design requirement refines a system requirement. A characteristic refines a design requirement. This creates the 4-level decomposition chain: customerRequirement → sysReq → desReq → characteristic. Example: System Requirement SR-001 “System shall provide real-time monitoring” refines Customer Requirement CR-001 “Monitoring system shall meet user expectations.”

implements

PropertyValue
Nameimplements
DirectionUnidirectional (realization)
PurposeLinks a design/implementation item to the requirement it fulfills
Valid Source Typestask, riskControl
Valid Target TypessysReq, desReq, riskControl
CardinalityMultiple implementations per requirement
Common PatternTask or Risk Control → Design Requirement
Notes: Use implements to show how a mitigation task or risk control addresses a safety or design requirement. This is distinct from refinesimplements represents actual design/code artifacts, while refines represents requirement-level decomposition.

verifies

PropertyValue
Nameverifies
DirectionUnidirectional (test to requirement)
PurposeLinks a test case to the requirement it verifies
Valid Source TypestestCase
Valid Target TypessysReq, desReq, riskControl, customerRequirement
CardinalityMultiple test cases per requirement
V-Model MappingRight-side (verification) of the V-Model
Notes: Test cases verify technical requirements (system, design) and validate customer requirements. The verifies link is essential for traceability matrix reports showing which tests cover which requirements. A single test case may verify multiple requirements; conversely, a single requirement may be verified by multiple test cases. Example: Test Case TC-DES-001 “Verify real-time update latency < 100ms” verifies Design Requirement DR-001 “Real-time monitoring shall update at least every 100ms.” Safety assessment links connect failure analysis (FHA, FMEA) to system elements, functions, and risk controls, forming the foundation of ARP 4761 hazard analysis.

assesses

PropertyValue
Nameassesses
DirectionUnidirectional (analysis to subject)
PurposeLinks a failure/hazard analysis to the system element or function being analyzed
Valid Source TypesfailureMode, failureCondition, securityThreat, hazard
Valid Target Typesfunction, systemElement
CardinalityMultiple analyses per system element/function
Most Versatile LinkConnects 4 analysis types to 5 target types
Notes: The assesses link is the most versatile in the system, enabling failure modes, failure conditions, and security threats to be analyzed against both functions (for functional analysis) and system elements (for component analysis). This supports both SFMEA (system-level) and DFMEA (component-level) workflows. Example: Failure Mode FM-001 “Sensor processing timeout” assesses Function F-001 “Acquire sensor data.”

causeOf

PropertyValue
NamecauseOf
DirectionUnidirectional (FMEA to FHA)
PurposeLinks a failure mode to the failure condition it contributes to
Valid Source TypesfailureMode
Valid Target TypesfailureCondition
CardinalityMultiple failure modes contribute to one failure condition
Cross-Analysis BridgeConnects FMEA (bottom-up) to FHA (top-down)
Notes: The causeOf link bridges FMEA and FHA analysis. A failure mode is the root cause of a failure condition. Multiple failure modes may contribute to a single failure condition (e.g., three different component failures leading to the same safety condition). This link is critical for traceability between top-down hazard analysis and bottom-up fault tree analysis. Example: Failure Mode FM-001 “Power supply voltage drops” is causeOf Failure Condition FC-001 “Loss of primary power.”

mitigates

PropertyValue
Namemitigates
DirectionUnidirectional (control to risk)
PurposeLinks a risk control to the failure or risk record it mitigates
Valid Source TypesriskControl, task
Valid Target TypesriskRecord, failureMode
CardinalityMultiple controls per risk; multiple risks per control
Post-MitigationConnected items contribute to residual risk (post-mitigation RPN)
Notes: Every failure mode or risk record should be addressed by at least one mitigation control. The mitigates link is used to calculate post-mitigation RPN values. Risk controls include Inherent Safety improvements, Protective Devices, and Information for Safety measures (per DO-178C). Example: Risk Control RC-001 “Redundant power supply monitor” mitigates Failure Mode FM-001 “Power supply voltage drops.”

causes (cascade)

PropertyValue
Namecauses
DirectionUnidirectional (upstream to downstream)
PurposeLinks a failure mode to downstream failure modes in the FMEA hierarchy
Valid Source TypesfailureMode
Valid Target TypesfailureMode
CardinalityOne failure mode may cause multiple downstream modes
DirectionUpstream FMEA → Downstream FMEA
Notes: The causes link enables vertical traceability in FMEA workflows. A failure mode in a system-level SFMEA may cause failure modes in a subsystem SFMEA, which in turn cause component-level DFMEA failure modes. This creates a failure propagation chain essential for understanding how component failures escalate to system-level failures. Example: System-level Failure Mode FM-SYS-001 “Processing unit failure” causes Subsystem Failure Mode FM-SUB-001 “Data validation error,” which causes Component Failure Mode FM-COMP-001 “Memory corruption.” Change management links track how proposed changes, defects, and follow-up actions impact requirements, designs, and risk items.

tracks

PropertyValue
Nametracks
DirectionUnidirectional (change request to affected item)
PurposeLinks a change request to the work items it affects
Valid Source TypeschangeRequest
Valid Target TypessysReq, desReq, riskRecord, failureMode, task, defect
CardinalityOne change request may track multiple affected items
Broadest CoverageHighest-cardinality single link role in the system
Notes: The tracks link is the primary change impact traceability mechanism. When a design change is proposed, link it to all affected requirements, risk items, and tasks. This enables impact analysis reports showing which work items would be affected by a proposed change. A single change request typically tracks 5–10+ work items. Example: Change Request CHG-001 “Increase sensor update frequency” tracks System Requirement SR-002, Design Requirement DR-005, Failure Mode FM-010, and Task TSK-023.

followsUp

PropertyValue
NamefollowsUp
DirectionUnidirectional (action item to tracked item)
PurposeLinks a follow-up task to the defect, issue, or previous task it addresses
Valid Source Typestask
Valid Target Typesdefect, task, changeRequest
CardinalityOne task may follow up on multiple items
Workflow PatternDefect resolution and action item tracking
Notes: Use followsUp to create chains of related tasks and defects. For example, a defect detected during testing may generate a follow-up task to implement a fix, which may in turn be tracked by a follow-up code review task. This creates an audit trail of resolution activities.

detectedBy

PropertyValue
NamedetectedBy
DirectionUnidirectional (defect to test case)
PurposeLinks a defect to the test case that detected it
Valid Source Typesdefect
Valid Target TypesverifTestCase, validTestCase
CardinalityOne defect detected by one or more test cases
Quality MetricEnables defect-detection-rate analysis per test case
Notes: The detectedBy link creates traceability from discovered defects back to the test activities that uncovered them. This metric is useful for evaluating test effectiveness and planning test expansion. It also supports DO-178C §6.4.1 (test coverage evaluation) and DO-254 §8.3.1 (design verification). Allocation links assign work items to system elements and link validation activities to customer-facing requirements.

allocatedTo

PropertyValue
NameallocatedTo
DirectionUnidirectional (item to system element)
PurposeAssigns a function, failure mode, or requirement to a specific system element
Valid Source Typesfunction, failureMode, riskRecord, processStep
Valid Target TypessystemElement
CardinalityMultiple items per system element; typically one allocation per item
System DecompositionCritical for per-component analysis views and reports
Notes: The allocatedTo link is essential for system decomposition views. By allocating functions, failure modes, and requirements to specific system elements (subsystems, components, LRUs), you enable filtering and analysis at any level of the system hierarchy. The Risksheet DFMEA template uses this link to organize failure modes by component. Example: Function F-001 “Acquire sensor data” allocatedTo System Element SE-001 “Sensor Module”; Failure Mode FM-001 “Sensor timeout” allocatedTo System Element SE-001.

validates

PropertyValue
Namevalidates
DirectionUnidirectional (test case to customer requirement)
PurposeLinks a validation test case to the customer requirement it validates
Valid Source TypestestCase
Valid Target TypescustomerRequirement
CardinalityMultiple test cases may validate one requirement
V-Model Right SideValidation arm of the V-Model (customer satisfaction)
Notes: The validates link differs from verifies — validation test cases confirm that the system meets customer expectations (customer requirements), while verification test cases confirm that the system meets technical specifications (system and design requirements). This distinction is important for traceability matrix reports and DAL allocation decisions. Example: Validation Test Case VTC-001 “User acceptance test: monitoring dashboard displays real-time data” validates Customer Requirement CR-001 “System shall provide real-time visibility.”

Traceability Coverage and Gap Analysis

The Aerospace Safety Solution provides automated traceability coverage reports that measure:
  • Requirements Decomposition Coverage: What % of customer requirements decompose to system requirements? What % of system requirements decompose to design requirements?
  • Verification Coverage: What % of design requirements are verified by test cases?
  • Allocation Coverage: What % of requirements are allocated to system elements?
  • Mitigation Coverage: What % of failure modes have associated risk controls?
These reports use the link roles (refines, verifies, allocatedTo, mitigates) to count forward and backward link coverage. A requirement with no forward links (no verification) or no backward links (not traced to higher level) indicates a gap.
PracticeBenefit
Link in both directionsEnables traceability matrix reports and coverage analysis from both ends
Use consistent link rolesEnsures automated reports capture all traceability relationships
Allocate all requirementsEnables system decomposition views and per-component risk analysis
Link all failure modes to mitigationsEnsures no unaddressed risks; enables RPN calculation
Verify all design requirementsAchieves closure on V-Model right side; supports certification evidence
Track all changesEnables impact analysis and change control audits per DO-178C/DO-254
  • Missing refines links: If you create a design requirement without linking it to a system requirement, it appears “orphaned” in coverage reports
  • Indirect verification: Linking a test case to a system requirement via intermediate work items instead of using verifies makes gap detection harder
  • No allocation: Risk controls and failure modes without allocatedTo system elements are invisible in component-level dashboards
  • Bidirectional mismatch: A forward link without a corresponding back-link (or vice versa) suggests incomplete analysis
Link RoleSourceTargetPurpose
parentReq type AReq type AHierarchical outline structure
refinessysReq, desReq, characteristiccustomerReq, sysReq, desReqDecomposition across levels
implementstask, riskControlsysReq, desReq, riskControlDesign/mitigation artifacts
verifiestestCasesysReq, desReq, riskControl, customerReqTechnical verification
assessesfailureMode, failureCondition, threat, hazardfunction, systemElementFailure analysis subjects
causeOffailureModefailureConditionFMEA-to-FHA bridge
mitigatesriskControl, taskriskRecord, failureModeRisk mitigation
causesfailureModefailureModeFailure propagation (FMEA hierarchy)
trackschangeRequestsysReq, desReq, riskRecord, failureMode, task, defectChange impact
followsUptaskdefect, task, changeRequestAction item chains
detectedBydefectverifTestCase, validTestCaseTest effectiveness
allocatedTofunction, failureMode, riskRecord, processStepsystemElementSystem decomposition
validatestestCasecustomerRequirementUser acceptance
For detailed information on configuring traceability views in Risksheet and PowerSheet, see the related references on FHA Risksheet Configuration, DFMEA Risksheet Configuration, and PowerSheet Configuration.
Code: .polarion/tracker/fields/workitem-link-role-enum.xml (0.70) · .polarion/nextedy/models/rtm.yaml (0.51) · modules/RiskTemplates/SubSystem-FMEATemplate/attachments/risksheet.json (0.48) · modules/RiskTemplates/DFMEATemplate/attachments/risksheet.json (0.48) · .polarion/nextedy/sheet-configurations/Whole RTM Config.yaml (0.47) · .polarion/pages/spaces/_default/Requirements Traceability Summary/page.xml, Verification Validation Summary/page.xml, Risk Control Effectiveness Report/page.xml, System Decomposition Report/page.xml, FMEA Coverage Report/page.xml, Classification Consistency Report/page.xml, System FMEA Report/page.xml, System Structure Navigator/page.xml (0.44) · modules/RiskTemplates/System-FMEATemplate/attachments/risksheet.json (0.44) · .polarion/nextedy/sheet-configurations/DO-160G Environmental Qualification.yaml, Component RTM.yaml, Configuration Index.yaml, Design Verification Sheet.yaml, Interface Control Matrix.yaml, Problem Report Tracker.yaml, Process Steps.yaml, Review Action Item Tracker.yaml, SOI Stage Gate Dashboard.yaml, Use Steps Specification.yaml, User Need Validation Sheet.yaml, characteristics.yaml, component-characteristics.yaml, customer-requirements.yaml, design-requirements.yaml, subsystem-functions.yaml, subsystem-verification.yaml, system-elements.yaml, test-verification.yaml (0.44) · modules/RiskTemplates/PSSATemplate/attachments/risksheet.json (0.42) · .polarion/pages/spaces/_default/Data Model/attachments/diagram_1771111587_documents.mxg.svg, diagram_1771111587_risk.mxg.svg, diagram_1771111587_traceability.mxg.svg, modules/Requirements/SYSTEM-ELEMENTS/attachments/diagram_20260215-0024.44000.mxg.svg (0.41)